Authenticating sshd against AWS Simple Directory Service

I am trying to set up sshd on a CentOS 7 box so that it authenticates public keys against an AWS Simple Directory Service directory.

Currently I have a bunch of CentOS hosts, a Windows Server 2008 instance, and a directory that uses the Amazon Web Services (AWS) Simple Directory Service. The Windows box is used to manage the directory, and the CentOS boxes use the directory to authenticate SSH sessions. All of the machines have been joined to the directory.

I have confirmed that I am able to SSH into the CentOS boxes as both local and domain users using simple password authentication. Likewise, I am able to RDP into the Windows box using local and domain accounts with simple password authentication.

However, the schema that AWS set up in my directory does not include any class with an sshPublicKey field, so to speak.

So I used the Active Directory Schema snap-in on the Windows box to add the following attribute to my schema:

    Common Name: sshPublicKey
    OID: 1.3.6.1.4.1.24552.1.1.1.13
    Syntax: IA5-String
    Multi-valued: true

Then I created the following class:

    Common Name: LDAP Public Key
    OID: 1.3.6.1.4.1.24552.500.1.1.2.0
    Parent Class: top
    Class Type: Auxiliary
    Optional Attributes: sshPublicKey

Then I used the ADSI snap-in to add the contents of a user's public key to the sshPublicKey field of that user's entry in the directory.

On one of my CentOS boxes I disabled password authentication by setting PasswordAuthentication no in the sshd configuration file.

Then I tried to ssh into the CentOS box as a directory user who has the sshPublicKey attribute set:

    $ ssh -l [email protected] -i ~/.ssh/path.to.key.pub centos.box -vvv
    OpenSSH_6.2p2, OSSLShim 0.9.8r 8 Dec 2011
    debug1: Reading configuration data /Users/localuser/.ssh/config
    debug1: Reading configuration data /etc/ssh_config
    debug1: /etc/ssh_config line 20: Applying options for *
    debug1: /etc/ssh_config line 53: Applying options for *
    debug2: ssh_connect: needpriv 0
    debug1: Connecting to centos.box [ip addy] port 22.
    debug1: Connection established.
    debug3: Incorrect RSA1 identifier
    debug3: Could not load "~/.ssh/path.to.key.pub" as a RSA1 public key
    debug1: identity file ~/.ssh/path.to.key.pub type 1
    debug1: identity file ~/.ssh/path.to.key.pub type -1
    debug1: Enabling compatibility mode for protocol 2.0
    debug1: Local version string SSH-2.0-OpenSSH_6.2
    debug1: Remote protocol version 2.0, remote software version OpenSSH_6.6.1
    debug1: match: OpenSSH_6.6.1 pat OpenSSH*
    debug2: fd 3 setting O_NONBLOCK
    debug3: load_hostkeys: loading entries for host "centos.box" from file "/Users/localuser/.ssh/known_hosts"
    debug3: load_hostkeys: found key type RSA in file /Users/localuser/.ssh/known_hosts:someLineNumber
    debug3: load_hostkeys: loaded 1 keys
    debug3: order_hostkeyalgs: prefer hostkeyalgs: [email protected],[email protected],ssh-rsa
    debug1: SSH2_MSG_KEXINIT sent
    debug1: SSH2_MSG_KEXINIT received
    debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
    debug2: kex_parse_kexinit: [email protected],[email protected],ssh-rsa,[email protected],[email protected],ssh-dss
    debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,[email protected],[email protected],aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected]
    debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,[email protected],[email protected],aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected]
    debug2: kex_parse_kexinit: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-md5,hmac-sha1,[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
    debug2: kex_parse_kexinit: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-md5,hmac-sha1,[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
    debug2: kex_parse_kexinit: none,[email protected],zlib
    debug2: kex_parse_kexinit: none,[email protected],zlib
    debug2: kex_parse_kexinit:
    debug2: kex_parse_kexinit:
    debug2: kex_parse_kexinit: first_kex_follows 0
    debug2: kex_parse_kexinit: reserved 0
    debug2: kex_parse_kexinit: [email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
    debug2: kex_parse_kexinit: ssh-rsa,ecdsa-sha2-nistp256
    debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,[email protected],[email protected],[email protected],aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected]
    debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,[email protected],[email protected],[email protected],aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected]
    debug2: kex_parse_kexinit: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-md5,hmac-sha1,[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
    debug2: kex_parse_kexinit: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-md5,hmac-sha1,[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
    debug2: kex_parse_kexinit: none,[email protected]
    debug2: kex_parse_kexinit: none,[email protected]
    debug2: kex_parse_kexinit:
    debug2: kex_parse_kexinit:
    debug2: kex_parse_kexinit: first_kex_follows 0
    debug2: kex_parse_kexinit: reserved 0
    debug2: mac_setup: found [email protected]
    debug1: kex: server->client aes128-ctr [email protected] none
    debug2: mac_setup: found [email protected]
    debug1: kex: client->server aes128-ctr [email protected] none
    debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
    debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
    debug2: dh_gen_key: priv key bits set: 116/256
    debug2: bits set: 535/1024
    debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
    debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
    debug1: Server host key: RSA blah
    debug3: load_hostkeys: loading entries for host "centos.box" from file "/Users/localuser/.ssh/known_hosts"
    debug3: load_hostkeys: found key type RSA in file /Users/localuser/.ssh/known_hosts:someLine
    debug3: load_hostkeys: loaded 1 keys
    debug1: Host 'centos.box' is known and matches the RSA host key.
    debug1: Found key in /Users/localuser/.ssh/known_hosts:27
    debug2: bits set: 509/1024
    debug1: ssh_rsa_verify: signature correct
    debug2: kex_derive_keys
    debug2: set_newkeys: mode 1
    debug1: SSH2_MSG_NEWKEYS sent
    debug1: expecting SSH2_MSG_NEWKEYS
    debug2: set_newkeys: mode 0
    debug1: SSH2_MSG_NEWKEYS received
    debug1: Roaming not allowed by server
    debug1: SSH2_MSG_SERVICE_REQUEST sent
    debug2: service_accept: ssh-userauth
    debug1: SSH2_MSG_SERVICE_ACCEPT received
    debug2: key: /Users/localuser/.ssh/path.to.key.pub (0x7fb3cb600000), explicit
    debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
    debug3: start over, passed a different list publickey,gssapi-keyex,gssapi-with-mic
    debug3: preferred publickey,keyboard-interactive,password
    debug3: authmethod_lookup publickey
    debug3: remaining preferred: keyboard-interactive,password
    debug3: authmethod_is_enabled publickey
    debug1: Next authentication method: publickey
    debug1: Offering RSA public key: /Users/localuser/.ssh/path.to.key.pub
    debug3: send_pubkey_test
    debug2: we sent a publickey packet, wait for reply
    debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
    debug2: we did not send a packet, disable method
    debug1: No more authentication methods to try.
    Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
    $

On the CentOS box we get:

    $ sudo journalctl -felu sshd
    ....
    Some Date centos.box sshd[a number]: Connection closed by 1.2.3.4 [preauth]

The permissions on the private key are 600; the permissions on the public key are 644.

I don't know how to check the server logs on the directory service host.

Any idea what I am doing wrong?

To make sshd do public key authentication through sssd, do the following on the sshd host:

  1. Add ssh to the services line of the [sssd] section in the /etc/sssd/sssd.conf file:

     services = ssh, [ all the other services already listed there as well ]

This tells sssd that it should talk to sshd.

  2. If there is not one already, add an empty [ssh] section to the /etc/sssd/sssd.conf file:

     [ssh]

This is a required configuration section for every service that sssd provides.

  3. Add the following to the [domain/directory.server] section of the /etc/sssd/sssd.conf file, where directory.server is the fully qualified domain name of the directory service host:

     ldap_user_ssh_public_key = sshPublicKey

This tells sssd which attribute to use to look up the public SSH key of the user authenticating to sshd. (The default attribute sssd uses is ipaSshPubKey, which can be found in the schema of the ipaSshUser and ipaSshHost classes.)

  4. Add the following to the /etc/sshd/sshd_config file:

     AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
     AuthorizedKeysCommandUser nobody

This tells sshd to execute /usr/bin/sss_ssh_authorizedkeys as the nobody user. /usr/bin/sss_ssh_authorizedkeys fetches the authorized keys for the user trying to authenticate to the sshd host.

  5. Add the following to the /etc/sshd/ssh_config file:

     GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts
     ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h

This tells sssd to add the client's name and public key to /var/lib/sss/pubconf/known_hosts and to connect to the client, using the executable /usr/bin/sss_ssh_knownhostsproxy to handle all communication over standard I/O.

  6. Restart both services:

     $ sudo systemctl reload sshd
     $ sudo systemctl restart sshd
     $ sudo systemctl restart sssd
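As an added check (written for this page, not code from the post, from sssd or from OpenSSH), the following Python parses the body of an sssd.conf and an sshd_config and reports which of the settings the answer lists are missing; the sample configs are constructed and the domain section name is assumed to be domain/directory.server.

```python
import configparser
import re

# Constructed sample configs (not from the post) carrying the answer's settings.
SAMPLE_SSSD_CONF = """[sssd]
services = nss, pam, ssh

[ssh]

[domain/directory.server]
ldap_user_ssh_public_key = sshPublicKey
"""
SAMPLE_SSHD_CONFIG = """PasswordAuthentication no
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
AuthorizedKeysCommandUser nobody
"""


def check_sssd_conf(text, domain_section):
    """Return the settings the answer requires that are missing from an sssd.conf body."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    problems = []
    services = [s.strip() for s in cp.get("sssd", "services", fallback="").split(",")]
    if "ssh" not in services:
        problems.append("[sssd] services does not include ssh")
    if not cp.has_section("ssh"):
        problems.append("missing [ssh] section")
    if cp.get(domain_section, "ldap_user_ssh_public_key", fallback=None) is None:
        problems.append("%s has no ldap_user_ssh_public_key" % domain_section)
    return problems


def check_sshd_config(text):
    """Return problems with the AuthorizedKeysCommand setup in an sshd_config body."""
    opts = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()            # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)   # "Key value" or "Key=value"
        opts.setdefault(parts[0].lower(), parts[1] if len(parts) > 1 else "")  # sshd: first match wins
    problems = []
    if opts.get("authorizedkeyscommand") != "/usr/bin/sss_ssh_authorizedkeys":
        problems.append("AuthorizedKeysCommand is not /usr/bin/sss_ssh_authorizedkeys")
    if not opts.get("authorizedkeyscommanduser"):
        problems.append("AuthorizedKeysCommandUser is not set")
    if opts.get("passwordauthentication", "yes").lower() != "no":
        problems.append("PasswordAuthentication is not disabled")
    return problems
```

Run it against the real files with the contents of /etc/sssd/sssd.conf and sshd_config read into strings; an empty list from both functions means the settings from steps 1 to 4 are present.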