OpenSSH host-based authentication – mm_answer_keyallowed: key 0x58c400 is disallowed

I'm trying to set up host-based authentication for a small group of hosts. I think I've got all my ducks in a row:

  • Copied the public keys into the /etc/ssh/ssh_known_hosts file
  • Put all the hosts into /etc/shosts.equiv
  • Enabled HostbasedAuthentication in /etc/ssh/sshd_config and /etc/ssh/ssh_config
  • Set up the /usr/lib64/ssh/ssh-keysign binary and set EnableSSHKeysign yes in the client's /etc/ssh/ssh_config file

But it still doesn't work. Running the server in debug mode I get the following output:

    debug1: attempt 0 failures 0
    debug3: mm_getpwnamallow entering
    debug3: mm_request_send entering: type 6
    debug3: monitor_read: checking request 6
    debug3: mm_answer_pwnamallow
    debug3: Trying to reverse map address 10.3.128.10.
    debug3: mm_getpwnamallow: waiting for MONITOR_ANS_PWNAM
    debug3: mm_request_receive_expect entering: type 7
    debug3: mm_request_receive entering
    debug2: parse_server_config: config reprocess config len 137
    debug3: mm_answer_pwnamallow: sending MONITOR_ANS_PWNAM: 1
    debug3: mm_request_send entering: type 7
    debug2: monitor_read: 6 used once, disabling now
    debug3: mm_request_receive entering
    debug2: input_userauth_request: setting up authctxt for kamil
    debug3: mm_start_pam entering
    debug3: mm_request_send entering: type 45
    debug3: mm_inform_authserv entering
    debug3: mm_request_send entering: type 3
    debug2: input_userauth_request: try method none
    debug3: monitor_read: checking request 45
    debug1: PAM: initializing for "kamil"
    debug1: PAM: setting PAM_RHOST to "foo.bar.com"
    debug1: PAM: setting PAM_TTY to "ssh"
    debug2: monitor_read: 45 used once, disabling now
    debug3: mm_request_receive entering
    debug3: monitor_read: checking request 3
    debug3: mm_answer_authserv: service=ssh-connection, style=
    debug2: monitor_read: 3 used once, disabling now
    debug3: mm_request_receive entering
    debug1: userauth-request for user kamil service ssh-connection method hostbased
    debug1: attempt 1 failures 1
    debug2: input_userauth_request: try method hostbased
    debug1: userauth_hostbased: cuser kamil chost foo.bar.com. pkalg ssh-dss slen 55
    debug3: mm_key_allowed entering
    debug3: mm_request_send entering: type 20
    debug3: monitor_read: checking request 20
    debug3: mm_answer_keyallowed entering
    debug3: mm_answer_keyallowed: key_from_blob: 0x58c400
    debug2: userauth_hostbased: chost foo.bar.com. resolvedname foo.bar.com ipaddr 10.3.128.10
    debug2: stripping trailing dot from chost foo.bar.com.
    debug2: auth_rhosts2: clientuser kamil hostname foo.bar.com ipaddr 10.3.128.10
    debug1: temporarily_use_uid: 1031/1028 (e=0/0)
    debug3: mm_key_allowed: waiting for MONITOR_ANS_KEYALLOWED
    debug3: mm_request_receive_expect entering: type 21
    debug3: mm_request_receive entering
    debug1: restore_uid: 0/0
    debug1: temporarily_use_uid: 1031/1028 (e=0/0)
    debug1: restore_uid: 0/0
    Failed hostbased for kamil from 10.3.128.10 port 55105 ssh2
    debug3: mm_answer_keyallowed: key 0x58c400 is disallowed
    debug3: mm_request_send entering: type 21
    debug3: mm_request_receive entering
    debug2: userauth_hostbased: authenticated 0
    debug1: userauth-request for user kamil service ssh-connection method hostbased
    debug1: attempt 2 failures 2
    debug2: input_userauth_request: try method hostbased
    debug1: userauth_hostbased: cuser kamil chost foo.bar.com. pkalg ssh-rsa slen 143
    debug3: mm_key_allowed entering
    debug3: mm_request_send entering: type 20
    debug3: monitor_read: checking request 20
    debug3: mm_answer_keyallowed entering
    debug3: mm_answer_keyallowed: key_from_blob: 0x58c400
    debug2: userauth_hostbased: chost foo.bar.com. resolvedname foo.bar.com ipaddr 10.3.128.10
    debug2: stripping trailing dot from chost foo.bar.com.
    debug2: auth_rhosts2: clientuser kamil hostname foo.bar.com ipaddr 10.3.128.10
    debug1: temporarily_use_uid: 1031/1028 (e=0/0)
    debug1: restore_uid: 0/0
    debug1: temporarily_use_uid: 1031/1028 (e=0/0)
    debug1: restore_uid: 0/0
    Failed hostbased for kamil from 10.3.128.10 port 55105 ssh2
    debug3: mm_answer_keyallowed: key 0x58c400 is disallowed
    debug3: mm_request_send entering: type 21
    debug3: mm_request_receive entering
    debug3: mm_key_allowed: waiting for MONITOR_ANS_KEYALLOWED
    debug3: mm_request_receive_expect entering: type 21
    debug3: mm_request_receive entering
    debug2: userauth_hostbased: authenticated 0
    debug1: userauth-request for user kamil service ssh-connection method keyboard-interactive
    debug1: attempt 3 failures 3
    debug2: input_userauth_request: try method keyboard-interactive

The crux of the problem seems to be this:

    debug3: mm_answer_keyallowed: key 0x58c400 is disallowed

Ideas?
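The checklist in the question boils down to a handful of files and settings on each side of the connection, and the failure mode in the log (a key that sshd reports as disallowed even though it is in ssh_known_hosts) is exactly what a missing or misplaced trust file produces. As an added example, not part of the question or any answer, here is a small POSIX sh audit of those prerequisites. The ROOT prefix argument is an assumption introduced so the checks can be run against any directory tree (pass / for a live system); the setuid requirement on ssh-keysign and the fact that sshd reads /etc/ssh/shosts.equiv and /etc/hosts.equiv, never /etc/shosts.equiv, come from OpenSSH's documented behaviour.

```shell
#!/bin/sh
# Added example (not from the original question or answers): audit the files
# that OpenSSH host-based authentication depends on, so that a misplaced
# trust file is caught before digging through sshd -d output.
# ROOT is an assumed prefix for this example; use / on a real host.

# check_hostbased_files ROOT CLIENT_HOST
# Server side. Prints one line per finding; returns the number of problems.
check_hostbased_files() {
    root="$1"
    client="$2"
    problems=0

    # sshd consults /etc/ssh/shosts.equiv and /etc/hosts.equiv.
    if [ ! -f "$root/etc/ssh/shosts.equiv" ] && [ ! -f "$root/etc/hosts.equiv" ]; then
        echo "missing: neither /etc/ssh/shosts.equiv nor /etc/hosts.equiv exists"
        problems=$((problems + 1))
    fi
    # A file in /etc/shosts.equiv is silently ignored, which is easy to miss.
    if [ -f "$root/etc/shosts.equiv" ]; then
        echo "warning: /etc/shosts.equiv is ignored by sshd (did you mean /etc/ssh/shosts.equiv?)"
        problems=$((problems + 1))
    fi

    # The client's host key must appear in the system-wide known_hosts.
    if ! grep -q "^$client[ ,]" "$root/etc/ssh/ssh_known_hosts" 2>/dev/null; then
        echo "missing: no entry for $client in /etc/ssh/ssh_known_hosts"
        problems=$((problems + 1))
    fi

    # HostbasedAuthentication must be enabled in sshd_config.
    if ! grep -Eiq '^[[:space:]]*HostbasedAuthentication[[:space:]]+yes' \
            "$root/etc/ssh/sshd_config" 2>/dev/null; then
        echo "missing: HostbasedAuthentication yes not set in /etc/ssh/sshd_config"
        problems=$((problems + 1))
    fi

    return "$problems"
}

# check_client_keysign ROOT KEYSIGN_PATH
# Client side. ssh must be allowed to call ssh-keysign, and ssh-keysign must
# be setuid so it can read the private host key on the client's behalf.
check_client_keysign() {
    root="$1"
    keysign="$2"
    problems=0

    if ! grep -Eiq '^[[:space:]]*EnableSSHKeysign[[:space:]]+yes' \
            "$root/etc/ssh/ssh_config" 2>/dev/null; then
        echo "missing: EnableSSHKeysign yes not set in /etc/ssh/ssh_config"
        problems=$((problems + 1))
    fi
    if [ ! -u "$root$keysign" ]; then
        echo "missing: $keysign is not setuid"
        problems=$((problems + 1))
    fi

    return "$problems"
}

# Usage on a live pair of hosts (run as root):
#   server$ check_hostbased_files / foo.bar.com
#   client$ check_client_keysign / /usr/lib64/ssh/ssh-keysign
```

Both functions only report; they change nothing, so they are safe to run on a production server. The known_hosts check is deliberately strict about the hostname: the log above shows sshd stripping the trailing dot from the client's reverse-mapped name before matching, so the entry has to be under the name the server resolves, not an alias.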

Have you enabled EnableSSHKeysign on the client? That was the other piece I needed to get host-based authentication working.

OK, my bad. I created /etc/shosts.equiv instead of /etc/ssh/shosts.equiv (see point 2 of my question). The reason it worked on some of my other systems is that they also had a leftover /etc/hosts.equiv file from a colleague's earlier work.

Once the right file was in the right place things went much better. A bit of strace on the server to find out which file it was actually reading finally tipped me off to the answer.
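The answer above found the misplaced file by watching which paths sshd opens. As an added example, not from the answer itself, here is how that trace is read: the trust files sshd looks up show up as openat calls, and an ENOENT on /etc/ssh/shosts.equiv with nothing else succeeding is the tell-tale sign. The strace invocation in the comment is the shape I would use on a debug-mode sshd (an assumption, adjust the path and port for your system), and the sample lines in SAMPLE_STRACE are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original answer): summarize which host-based
# trust files sshd tried to open, from strace output.
#
# On a live server (assumption: sshd started in debug mode on a spare port):
#   strace -f -e trace=openat -o /tmp/sshd.strace /usr/sbin/sshd -d -p 2222
# then:  summarize_equiv_opens < /tmp/sshd.strace
#
# Constructed sample trace: the equiv files are missing, which is the
# situation the question describes.
SAMPLE_STRACE='1234 openat(AT_FDCWD, "/etc/ssh/sshd_config", O_RDONLY) = 4
1234 openat(AT_FDCWD, "/etc/ssh/ssh_known_hosts", O_RDONLY) = 5
1234 openat(AT_FDCWD, "/etc/hosts.equiv", O_RDONLY) = -1 ENOENT (No such file or directory)
1234 openat(AT_FDCWD, "/etc/ssh/shosts.equiv", O_RDONLY) = -1 ENOENT (No such file or directory)
1234 openat(AT_FDCWD, "/home/kamil/.shosts", O_RDONLY) = -1 ENOENT (No such file or directory)'

# summarize_equiv_opens: reads strace lines on stdin, prints "path status"
# for every equiv/.shosts/.rhosts lookup, and returns 1 if none could be opened.
summarize_equiv_opens() {
    found=0
    while IFS= read -r line; do
        # Only the trust-file lookups are interesting; skip everything else.
        case "$line" in
            *openat\(*equiv*|*openat\(*.shosts*|*openat\(*.rhosts*) ;;
            *) continue ;;
        esac
        # Pull the quoted path out of the openat(...) call.
        path=$(printf '%s\n' "$line" | sed -n 's/.*openat([^"]*"\([^"]*\)".*/\1/p')
        case "$line" in
            *ENOENT*)   echo "$path missing" ;;
            *"= -1 "*)  echo "$path error" ;;
            *)          echo "$path opened"; found=1 ;;
        esac
    done
    [ "$found" -eq 1 ]
}

# Stand-alone run over the constructed sample:
#   printf '%s\n' "$SAMPLE_STRACE" | summarize_equiv_opens
```

A non-zero exit from summarize_equiv_opens means every trust file sshd asked for was missing or unreadable, which is exactly the state that makes mm_answer_keyallowed report the (perfectly valid) host key as disallowed.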

Are you on Debian with an old host key? The openssh-blacklist package may be blocking keys affected by the infamous SSL vulnerability.

If that's the case, regenerate the host keys.