Cannot establish an SSH connection, even on localhost

I'm having trouble with a simple SSH connection to localhost on my Ubuntu 15.10. The server was set up a few months ago and I was able to create SSH access via keys, but I can't replicate that remote access for a new user. I can access it with PuTTY from my original user, but even that user can't connect locally.

To double-check, I tried access via localhost and a plain password, hoping to minimise the variables that could go wrong – if there's a better test, let me know.

I have fail2ban and a firewall, but since I can access the server remotely with the original account I don't immediately suspect that is the problem. The firewall rules are output below anyway.

Here are the steps I followed and some more data:

Create the new user and set a password:

    sudo useradd teachers -m -s /bin/bash; sudo passwd teachers;

Configure SSH (/etc/ssh/sshd_config) for basic access for testing:

    AllowUsers teachers
    PasswordAuthentication yes
    LogLevel VERBOSE

No SSH keys yet, since I just want to get the password working.

Here's the output of what I tried on the command line:

    ~$ ssh -v localhost
    OpenSSH_6.9p1 Ubuntu-2ubuntu0.1, OpenSSL 1.0.2d 9 Jul 2015
    debug1: Reading configuration data /etc/ssh/ssh_config
    debug1: /etc/ssh/ssh_config line 19: Applying options for *
    debug1: Connecting to localhost [127.0.0.1] port 22.
    debug1: Connection established.
    debug1: SELinux support disabled
    debug1: key_load_public: No such file or directory
    debug1: identity file /home/teachers/.ssh/id_rsa type -1
    debug1: key_load_public: No such file or directory
    debug1: identity file /home/teachers/.ssh/id_rsa-cert type -1
    debug1: key_load_public: No such file or directory
    debug1: identity file /home/teachers/.ssh/id_dsa type -1
    debug1: key_load_public: No such file or directory
    debug1: identity file /home/teachers/.ssh/id_dsa-cert type -1
    debug1: key_load_public: No such file or directory
    debug1: identity file /home/teachers/.ssh/id_ecdsa type -1
    debug1: key_load_public: No such file or directory
    debug1: identity file /home/teachers/.ssh/id_ecdsa-cert type -1
    debug1: key_load_public: No such file or directory
    debug1: identity file /home/teachers/.ssh/id_ed25519 type -1
    debug1: key_load_public: No such file or directory
    debug1: identity file /home/teachers/.ssh/id_ed25519-cert type -1
    debug1: Enabling compatibility mode for protocol 2.0
    debug1: Local version string SSH-2.0-OpenSSH_6.9p1 Ubuntu-2ubuntu0.1
    debug1: Remote protocol version 2.0, remote software version OpenSSH_6.9p1 Ubuntu-2ubuntu0.1
    debug1: match: OpenSSH_6.9p1 Ubuntu-2ubuntu0.1 pat OpenSSH* compat 0x04000000
    debug1: Authenticating to localhost:22 as 'teachers'
    debug1: SSH2_MSG_KEXINIT sent
    debug1: SSH2_MSG_KEXINIT received
    debug1: kex: server->client [email protected] <implicit> none
    debug1: kex: client->server [email protected] <implicit> none
    debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
    debug1: Server host key: ecdsa-sha2-nistp256 SHA256:AS0MYlPqe9JOcx5ygQN9jIN2jdDV850oCSCmtp+cy2w
    The authenticity of host 'localhost (127.0.0.1)' can't be established.
    ECDSA key fingerprint is SHA256:AS0MYlPqe9JOcx5ygQN9jIN2jdDV850oCSCmtp+cy2w.
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added 'localhost' (ECDSA) to the list of known hosts.
    debug1: SSH2_MSG_NEWKEYS sent
    debug1: expecting SSH2_MSG_NEWKEYS
    debug1: SSH2_MSG_NEWKEYS received
    debug1: SSH2_MSG_SERVICE_REQUEST sent
    debug1: SSH2_MSG_SERVICE_ACCEPT received
    ################################################################################
    # This is a restricted system....                                              #
    ################################################################################
    debug1: Authentications that can continue: publickey,password
    debug1: Next authentication method: publickey
    debug1: Trying private key: /home/teachers/.ssh/id_rsa
    debug1: Trying private key: /home/teachers/.ssh/id_dsa
    debug1: Trying private key: /home/teachers/.ssh/id_ecdsa
    debug1: Trying private key: /home/teachers/.ssh/id_ed25519
    debug1: Next authentication method: password
    teachers@localhost's password:
    debug1: Authentications that can continue: publickey,password
    Permission denied, please try again.
    teachers@localhost's password:
    debug1: Authentications that can continue: publickey,password
    Permission denied, please try again.
    teachers@localhost's password:
    debug1: Authentications that can continue: publickey,password
    debug1: No more authentication methods to try.
    Permission denied (publickey,password).

Here is the auth.log for my access attempt:

    Apr 19 05:41:52 lists sshd[27165]: Set /proc/self/oom_score_adj to 0
    Apr 19 05:41:52 lists sshd[27165]: Connection from 127.0.0.1 port 45192 on 127.0.0.1 port 22
    Apr 19 05:42:03 lists sshd[27165]: PAM (sshd) illegal module type: umask
    Apr 19 05:42:03 lists sshd[27165]: PAM pam_parse: expecting return value; [...002]
    Apr 19 05:42:03 lists sshd[27165]: PAM (sshd) no module name supplied
    Apr 19 05:42:13 lists sshd[27165]: Failed password for teachers from 127.0.0.1 port 45192 ssh2
    Apr 19 05:42:20 lists sshd[27165]: Failed password for teachers from 127.0.0.1 port 45192 ssh2
    Apr 19 05:42:27 lists sshd[27165]: Failed password for teachers from 127.0.0.1 port 45192 ssh2
    Apr 19 05:42:27 lists sshd[27165]: Connection closed by 127.0.0.1 [preauth]

This is the output of my iptables:

    $ sudo iptables -L
    Chain INPUT (policy ACCEPT)
    target            prot opt source               destination
    DROP              tcp  --  222.0.0.0/8          anywhere             tcp dpt:ssh
    fail2ban-dovecot  tcp  --  anywhere             anywhere             multiport dports smtp,urd,submission,imap2,imap3,imaps,pop3,pop3s
    fail2ban-postfix  tcp  --  anywhere             anywhere             multiport dports smtp,urd,submission
    fail2ban-sasl     tcp  --  anywhere             anywhere             multiport dports smtp,urd,submission,imap2,imap3,imaps,pop3,pop3s
    fail2ban-ssh      tcp  --  anywhere             anywhere             multiport dports ssh
    DROP              tcp  --  222.186.34.202       anywhere             tcp dpt:ssh
    fail2ban-dovecot  tcp  --  anywhere             anywhere             multiport dports smtp,urd,submission,imap2,imap3,imaps,pop3,pop3s
    fail2ban-postfix  tcp  --  anywhere             anywhere             multiport dports smtp,urd,submission
    fail2ban-sasl     tcp  --  anywhere             anywhere             multiport dports smtp,urd,submission,imap2,imap3,imaps,pop3,pop3s
    fail2ban-ssh      tcp  --  anywhere             anywhere             multiport dports ssh
    ACCEPT            all  --  anywhere             anywhere
    ACCEPT            all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
    ACCEPT            tcp  --  anywhere             anywhere             tcp dpt:ssh
    ACCEPT            tcp  --  anywhere             anywhere             tcp dpt:http
    LOG               all  --  anywhere             anywhere             limit: avg 5/min burst 5 LOG level debug prefix "iptables denied: "
    ACCEPT            tcp  --  anywhere             anywhere             tcp dpt:https
    ACCEPT            tcp  --  anywhere             anywhere             tcp dpt:2812
    ACCEPT            tcp  --  anywhere             anywhere             tcp dpt:smtp
    ACCEPT            tcp  --  anywhere             anywhere             tcp dpt:pop3
    ACCEPT            tcp  --  anywhere             anywhere             tcp dpt:submission
    DROP              all  --  anywhere             anywhere

    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination

    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination

    Chain fail2ban-dovecot (2 references)
    target     prot opt source               destination
    RETURN     all  --  anywhere             anywhere
    RETURN     all  --  anywhere             anywhere

    Chain fail2ban-postfix (2 references)
    target     prot opt source               destination
    RETURN     all  --  anywhere             anywhere
    RETURN     all  --  anywhere             anywhere

    Chain fail2ban-sasl (2 references)
    target     prot opt source               destination
    RETURN     all  --  anywhere             anywhere
    RETURN     all  --  anywhere             anywhere

    Chain fail2ban-ssh (2 references)
    target     prot opt source               destination
    RETURN     all  --  anywhere             anywhere
    RETURN     all  --  anywhere             anywhere

I believe this shows that port 22 should be available:

    $ nc -z -v -w 5 localhost 22
    Connection to localhost 22 port [tcp/ssh] succeeded!

Edit: including the sshd configuration:

    $ cat /etc/ssh/sshd_config
    # What ports, IPs and protocols we listen for
    Port 22
    # Use these options to restrict which interfaces/protocols sshd will bind to
    #ListenAddress ::
    #ListenAddress 0.0.0.0
    Protocol 2
    # HostKeys for protocol version 2
    HostKey /etc/ssh/ssh_host_rsa_key
    HostKey /etc/ssh/ssh_host_dsa_key
    HostKey /etc/ssh/ssh_host_ecdsa_key
    HostKey /etc/ssh/ssh_host_ed25519_key
    #Privilege Separation is turned on for security
    UsePrivilegeSeparation yes

    # Lifetime and size of ephemeral version 1 server key
    KeyRegenerationInterval 3600
    ServerKeyBits 1024

    # Logging
    SyslogFacility AUTH
    LogLevel VERBOSE

    # Authentication:
    LoginGraceTime 120
    PermitRootLogin no
    StrictModes yes

    RSAAuthentication yes
    PubkeyAuthentication yes
    #AuthorizedKeysFile %h/.ssh/authorized_keys

    # Don't read the user's ~/.rhosts and ~/.shosts files
    IgnoreRhosts yes
    # For this to work you will also need host keys in /etc/ssh_known_hosts
    RhostsRSAAuthentication no
    # similar for protocol version 2
    HostbasedAuthentication no
    # Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
    #IgnoreUserKnownHosts yes

    # To enable empty passwords, change to yes (NOT RECOMMENDED)
    PermitEmptyPasswords no

    # Change to yes to enable challenge-response passwords (beware issues with
    # some PAM modules and threads)
    ChallengeResponseAuthentication no

    # Change to no to disable tunnelled clear text passwords
    PasswordAuthentication yes

    # Kerberos options
    #KerberosAuthentication no
    #KerberosGetAFSToken no
    #KerberosOrLocalPasswd yes
    #KerberosTicketCleanup yes

    # GSSAPI options
    #GSSAPIAuthentication no
    #GSSAPICleanupCredentials yes

    X11Forwarding yes
    X11DisplayOffset 10
    PrintMotd no
    PrintLastLog yes
    TCPKeepAlive yes
    #UseLogin no

    #MaxStartups 10:30:60
    Banner /etc/issue.net

    # Allow client to pass locale environment variables
    AcceptEnv LANG LC_*

    Subsystem sftp /usr/lib/openssh/sftp-server

    # Set this to 'yes' to enable PAM authentication, account processing,
    # and session processing. If this is enabled, PAM authentication will
    # be allowed through the ChallengeResponseAuthentication and
    # PasswordAuthentication. Depending on your PAM configuration,
    # PAM authentication via ChallengeResponseAuthentication may bypass
    # the setting of "PermitRootLogin yes
    # If you just want the PAM account and session checks to run without
    # PAM authentication, then enable this but set PasswordAuthentication
    # and ChallengeResponseAuthentication to 'no'.
    UsePAM yes
    AllowUsers listman teachers

The only file in /etc/pam.d/ is /etc/pam.d/sshd:

    $ cat /etc/pam.d/sshd
    # PAM configuration for the Secure Shell service

    umask 002

    # Standard Un*x authentication.
    @include common-auth

    # Disallow non-root logins when /etc/nologin exists.
    account    required     pam_nologin.so

    # Uncomment and edit /etc/security/access.conf if you need to set complex
    # access limits that are hard to express in sshd_config.
    # account  required     pam_access.so

    # Standard Un*x authorization.
    @include common-account

    # SELinux needs to be the first session rule. This ensures that any
    # lingering context has been cleared. Without this it is possible that a
    # module could execute code in the wrong domain.
    session [success=ok ignore=ignore module_unknown=ignore default=bad]        pam_selinux.so close

    # Set the loginuid process attribute.
    session    required     pam_loginuid.so

    # Create a new session keyring.
    session    optional     pam_keyinit.so force revoke

    # Standard Un*x session setup and teardown.
    @include common-session

    # Print the message of the day upon successful login.
    # This includes a dynamically generated part from /run/motd.dynamic
    # and a static (admin-editable) part from /etc/motd.
    session    optional     pam_motd.so  motd=/run/motd.dynamic
    session    optional     pam_motd.so noupdate

    # Print the status of the user's mailbox upon successful login.
    session    optional     pam_mail.so standard noenv # [1]

    # Set up user limits from /etc/security/limits.conf.
    session    required     pam_limits.so

    # Read environment variables from /etc/environment and
    # /etc/security/pam_env.conf.
    session    required     pam_env.so # [1]
    # In Debian 4.0 (etch), locale-related environment variables were moved to
    # /etc/default/locale, so read that as well.
    session    required     pam_env.so user_readenv=1 envfile=/etc/default/locale

    # SELinux needs to intervene at login time to ensure that the process starts
    # in the proper default security context. Only sessions which are intended
    # to run in the user's context should be run after this.
    session [success=ok ignore=ignore module_unknown=ignore default=bad]        pam_selinux.so open

    # Standard Un*x password updating.
    @include common-password

What am I missing here?

The line

    umask 002

is not a valid PAM configuration. Remove it.

To set the umask for ssh sessions, see this Serverfault thread:

How to set the umask for ssh for all types of connections
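As an added check (not part of the question or answer above), a small Python linter that applies the stanza rules of /etc/pam.d files, so a stray line such as `umask 002` is reported with the same wording sshd logged ("illegal module type", "no module name supplied") before a login fails. The sample file is constructed from a few stanzas of the /etc/pam.d/sshd shown in the question; the `-type` prefix and the bracketed control syntax are real Linux-PAM features, everything else is my own.

```python
# Checks /etc/pam.d-style files for lines PAM would reject: each non-comment
# line must be "@include <file>" or "<type> <control> <module> [args...]".
PAM_TYPES = {"auth", "account", "password", "session"}
PAM_CONTROLS = {"required", "requisite", "sufficient", "optional",
                "include", "substack"}

# Constructed sample modelled on the /etc/pam.d/sshd in the question;
# only a few stanzas are kept and 'umask 002' is the offending line.
SAMPLE_PAM_SSHD = """\
# PAM configuration for the Secure Shell service
umask 002
@include common-auth
account    required     pam_nologin.so
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
session    optional     pam_motd.so  motd=/run/motd.dynamic
"""

def _split_control(rest):
    """Split off the control field, which may be a [bracketed] expression."""
    if not rest:
        return None, ""
    if rest.startswith("["):
        end = rest.find("]")
        return (None, rest) if end == -1 else (rest[:end + 1], rest[end + 1:].strip())
    parts = rest.split(None, 1)
    return parts[0], (parts[1].strip() if len(parts) > 1 else "")

def check_pam_config(text):
    """Return [(line_number, message)] for each line PAM would not accept."""
    problems = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        head, rest = parts[0], (parts[1] if len(parts) > 1 else "")
        if head == "@include":
            continue  # directive, not a module stanza
        if head.lstrip("-") not in PAM_TYPES:  # '-' prefix silences missing modules
            problems.append((lineno, "illegal module type: %s" % head))
            continue
        control, module = _split_control(rest.strip())
        if not control or (control[0] != "[" and control not in PAM_CONTROLS):
            problems.append((lineno, "bad control field: %r" % control))
            continue
        if not module:
            problems.append((lineno, "no module name supplied"))
    return problems
```

Run it over the real file with `check_pam_config(open("/etc/pam.d/sshd").read())`; an empty list means every stanza parses, which is the state the accepted answer restores.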