想象一下,我正在设置一个蜜jar,将SSHD设置为接受任何连接的最快方法是什么? 是的,这是真的不安全,所以请不要复制:-)
可能是有用的(把pam_permit放在auth栈上)…我只是没有太多的经验与PAM,目前正在阅读虽然文档。
https://unix.stackexchange.com/questions/124187/accept-any-private-key-for-authentication
对于实际问题的一些背景,我有一台防火墙后面的客户端计算机,它试图通过首先连接出站(所以我可以连接回去)来build立一个反向的SSH隧道…当它不断尝试连接,就好像它使用的密钥不再有效(这是奇怪的),或者别的什么是失败的。
服务器日志显示客户端closures连接,其他客户端可以连接好…
debug1: Forked child 29472. Set /proc/self/oom_score_adj to 0 debug1: rexec start in 5 out 5 newsock 5 pipe 7 sock 8 debug1: inetd sockets after dupping: 3, 3 Connection from CLIENT_IP port 46186 debug1: Client protocol version 2.0; client software version OpenSSH_6.0p1 Debian-4+deb7u2 debug1: match: OpenSSH_6.0p1 Debian-4+deb7u2 pat OpenSSH* debug1: Enabling compatibility mode for protocol 2.0 debug1: Local version string SSH-2.0-OpenSSH_6.0p1 Debian-4+deb7u2 debug1: permanently_set_uid: 105/65534 [preauth] debug1: list_hostkey_types: ssh-rsa,ssh-dss [preauth] debug1: SSH2_MSG_KEXINIT sent [preauth] debug1: SSH2_MSG_KEXINIT received [preauth] debug1: kex: client->server aes128-ctr hmac-md5 none [preauth] debug1: kex: server->client aes128-ctr hmac-md5 none [preauth] debug1: expecting SSH2_MSG_KEX_ECDH_INIT [preauth] debug1: SSH2_MSG_NEWKEYS sent [preauth] debug1: expecting SSH2_MSG_NEWKEYS [preauth] debug1: SSH2_MSG_NEWKEYS received [preauth] debug1: KEX done [preauth] debug1: userauth-request for user tunnel service ssh-connection method none [preauth] debug1: attempt 0 failures 0 [preauth] debug1: PAM: initializing for "tunnel" debug1: PAM: setting PAM_RHOST to "server" debug1: PAM: setting PAM_TTY to "ssh" debug1: userauth-request for user tunnel service ssh-connection method publickey [preauth] debug1: attempt 1 failures 0 [preauth] debug1: test whether pkalg/pkblob are acceptable [preauth] debug1: Checking blacklist file /usr/share/ssh/blacklist.DSA-1024 debug1: Checking blacklist file /etc/ssh/blacklist.DSA-1024 debug1: temporarily_use_uid: 1001/1001 (e=0/0) debug1: trying public key file /home/tunnel/.ssh/authorized_keys debug1: fd 4 clearing O_NONBLOCK debug1: restore_uid: 0/0 debug1: temporarily_use_uid: 1001/1001 (e=0/0) debug1: trying public key file /home/tunnel/.ssh/authorized_keys2 debug1: Could not open authorized keys '/home/tunnel/.ssh/authorized_keys2': No such file or directory debug1: restore_uid: 0/0 Failed publickey for tunnel from CLIENT_IP port 46186 ssh2 Connection closed by CLIENT_IP [preauth] debug1: do_cleanup [preauth] debug1: monitor_read_log: child log fd closed debug1: do_cleanup debug1: PAM: cleanup debug1: Killing privsep child 29473
这工作…但是,因为这基本上删除所有forms的身份validation,不要做这个…
/etc/pam.d/sshd auth required pam_permit.so
凡是以auth (即模块)开头的其他行都被注释掉了,你还应该检查任何@include行,因为它们可能包含设置更多auth模块的文件,例如
#@include common-auth
然后,我必须确保SSHDconfiguration没有设置任何这些:
/etc/ssh/sshd_config # PasswordAuthentication no # ChallengeResponseAuthentication no # GSSAPIAuthentication no # UsePAM no
为了好的措施,帐户设置了密码(否则视为禁用)。