服务器 Gind.cn
  1. 服务器 Gind.cn
  3. OpenSSH服务器身份validation被拒绝
Intereting Posts
python uwsgi不加载更改 tcpdump – 防止解释/解码协议 组策略:如何评论每个设置? 在EC2上 – 一个实例如何使用ip-XXX-XXX-XXX-XXX格式telnet另一个实例 如何从NetBoot服务器中禁用或卸载NetRestore? 在CentOS 6.6中删除一个巨大目录的内容 如何从本身内部获取anaconda-ks.cfg脚本的位置? 在RHEL 5.x上运行的交易引擎 亚马逊EC2滥用 IISpipe理器 – 无法连接使用某些用户帐户 IIS7二进制stream错误 是否有可能在网关(下一跳)路由器看到路由表? 多个共享数据库服务器的Web服务器 调整服务器上的时间设置:更改OS中的时间或时区,或configuration石墨设置? 我如何知道我是否有Windows 2012 R2(与“R1”原版本相比)?

OpenSSH服务器身份validation被拒绝

我在PXA270平台(armv5tel)上运行Linux版本2.6.27-vpac2我有一个版本的OpenSSH 3.8.1 p1(Debian-8.sarge.4)试图运行它。 我已经运行-ddd格式的sshd进行debugging,下面是我尝试连接时的结果: 

root@thisslave:~/.ssh$ /usr/sbin/sshd -ddd -f /etc/ssh/sshd_config debug2: read_server_config: filename /etc/ssh/sshd_config debug1: sshd version OpenSSH_3.8.1p1 Debian-8.sarge.4 debug1: private host key: #0 type 0 RSA1 debug3: Not a RSA1 key file /etc/ssh/ssh_host_rsa_key. debug1: read PEM private key done: type RSA debug1: private host key: #1 type 1 RSA debug3: Not a RSA1 key file /etc/ssh/ssh_host_dsa_key. debug1: read PEM private key done: type DSA debug1: private host key: #2 type 2 DSA debug1: Bind to port 22 on 0.0.0.0. Server listening on 0.0.0.0 port 22. socket: Address family not supported by protocol debug1: Server will not fork when running in debugging mode. Connection from 192.168.1.101 port 40520 debug1: Client protocol version 2.0; client software version OpenSSH_5.8p1 Debian-7ubuntu1 debug1: match: OpenSSH_5.8p1 Debian-7ubuntu1 pat OpenSSH* debug1: Enabling compatibility mode for protocol 2.0 debug1: Local version string SSH-2.0-OpenSSH_3.8.1p1 Debian-8.sarge.4 debug1: list_hostkey_types: ssh-rsa,ssh-dss debug1: SSH2_MSG_KEXINIT sent debug1: SSH2_MSG_KEXINIT received debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1 debug2: kex_parse_kexinit: ssh-rsa,ssh-dss debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,[email protected],aes128-ctr,aes192-ctr,aes256-ctr debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,[email protected],aes128-ctr,aes192-ctr,aes256-ctr debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: none,zlib debug2: kex_parse_kexinit: none,zlib debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: first_kex_follows 0 debug2: kex_parse_kexinit: reserved 0 debug2: kex_parse_kexinit: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 debug2: kex_parse_kexinit: [email protected],[email protected],ssh-rsa,[email protected],[email protected],[email protected],[email protected],[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-dss debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected] debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected] debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,[email protected],hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,[email protected],hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: none,[email protected],zlib debug2: kex_parse_kexinit: none,[email protected],zlib debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: first_kex_follows 0 debug2: kex_parse_kexinit: reserved 0 debug2: mac_init: found hmac-md5 debug1: kex: client->server aes128-ctr hmac-md5 none debug2: mac_init: found hmac-md5 debug1: kex: server->client aes128-ctr hmac-md5 none debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent debug2: dh_gen_key: priv key bits set: 134/256 debug2: bits set: 518/1024 debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT debug2: bits set: 538/1024 debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent debug2: kex_derive_keys debug2: set_newkeys: mode 1 debug1: SSH2_MSG_NEWKEYS sent debug1: expecting SSH2_MSG_NEWKEYS debug2: set_newkeys: mode 0 debug1: SSH2_MSG_NEWKEYS received debug1: KEX done debug1: userauth-request for user root service ssh-connection method none debug1: attempt 0 failures 0 debug2: input_userauth_request: setting up authctxt for root debug2: input_userauth_request: try method none Failed none for root from 192.168.1.101 port 40520 ssh2 debug1: userauth-request for user root service ssh-connection method publickey debug1: attempt 1 failures 1 debug2: input_userauth_request: try method publickey debug1: test whether pkalg/pkblob are acceptable debug1: temporarily_use_uid: 0/0 (e=0/0) debug1: trying public key file /root/.ssh/authorized_keys debug3: secure_filename: checking '/root/.ssh' debug3: secure_filename: checking '/root' Authentication refused: bad ownership or modes for directory /root debug1: restore_uid: 0/0 debug1: temporarily_use_uid: 0/0 (e=0/0) debug1: trying public key file /root/.ssh/authorized_keys debug3: secure_filename: checking '/root/.ssh' debug3: secure_filename: checking '/root' Authentication refused: bad ownership or modes for directory /root debug1: restore_uid: 0/0 debug2: userauth_pubkey: authenticated 0 pkalg ssh-rsa Failed publickey for root from 192.168.1.101 port 40520 ssh2 debug1: userauth-request for user root service ssh-connection method keyboard-interactive debug1: attempt 2 failures 2 debug2: input_userauth_request: try method keyboard-interactive debug1: keyboard-interactive devs debug1: auth2_challenge: user=root devs= debug1: kbdint_alloc: devices 'pam' debug2: auth2_challenge_start: devices pam debug2: kbdint_next_device: devices <empty> debug1: auth2_challenge_start: trying authentication method 'pam' debug3: PAM: sshpam_init_ctx entering Failed keyboard-interactive for root from 192.168.1.101 port 40520 ssh2 Connection closed by 192.168.1.101 debug1: do_cleanup

有几件事要注意:

1)我正在使用目前正在使用的其他两个服务器(相同的平台和Linux内核版本)

2)我已经为.ssh目录(700),authorized_keys(644)设置了相应的权限。 对于服务器,我认为这些是需要的,如果我错了,请纠正我。

3)如果我closuresStrictMode设置(即设置为“否”)。 我能够连接。 但我相信这是我不应该做的,因为运行的另外两个sshd服务器没有设置为“否”。

我真的很难过,一直在努力工作了一个星期左右的许可。 希望有人按我的方式提出一些想法。

如何在debugging日志中显示两次的消息:

身份validation被拒绝:目录/ root的所有权或模式不正确

修复/root的权限,看看哪里需要你。

问题打印在您的日志中: 

  Authentication refused: bad ownership or modes for directory /root

检查根用户主目录/root

活动服务器的工作权限示例: 

 error@www ~ $ ls -ld /root drwx------. 6 root root 4096 Oct 16 19:12 /root

我只是有相同的情况: bad ownership on /xxx (最上面的文件夹) bad ownership on /xxx正确。

在我的情况下,所有其他通常的ssh要求都得到满足:

  • 没有' w '去任何地方(团体或其他人)
  • 700为.ssh
  • 600 for .ssh/authorized_keys

然而, sshd -d会话一直显示 

 Authentication refused: bad ownership or modes for directory /xxx

我发现唯一的缺点是/xxx/yyy是由root拥有的,而/xxx是由“ aUser ”拥有的。

我做了一个chown root:root /xxx

错误消失了。

在这个博客文章中find更全面的答案: http : //www.daveperrett.com/articles/2010/09/14/ssh-authentication-refused/

TL的DR版本是(权限相当具体): 

 chmod go-w /home/your-user chmod 700 /home/your-user/.ssh chmod 600 /home/your-user/.ssh/authorized_keys*

此外,如果你的用户的主目录是一个符号链接,你也可以跟着它,然后chmod go-w / chmod 755。