所以,我有一个相当奇怪的问题。 我有一个服务器,当我尝试SSH进入,立即closures连接,如果我在第一次尝试input正确的密码。 但是,如果我在第一次尝试时有目的地input了错误的密码,然后在第二次或第三次提示时input了正确的密码,它会成功将我login到计算机中。 同样,当我尝试使用公钥authentication时,我立即closures了连接。 但是,如果我为密钥文件input了错误的密码,并且一旦它恢复为密码validation后又input了错误的密码,则只要在第二个或第三个提示中提供了正确的密码,我就可以成功login。
该机器正在运行红帽企业Linux服务器版本6.2(圣地亚哥),并使用LDAP和PAM进行身份validation。 任何想法在哪里开始debugging这一个? 让我知道我需要提供什么configuration文件,我会很乐意这样做。
这里有一些debugging信息。 下面的代码块代表这三种情况:1)第一次尝试更正私钥密码,2)跳过私钥,第一次尝试修改正常密码,3)跳过私钥,故意input错误的密码,然后进入好的一个…这是唯一的情况,实际上让我连接。
OpenSSH_5.9p1 Debian-5ubuntu1, OpenSSL 1.0.1 14 Mar 2012 debug1: Reading configuration data /etc/ssh/ssh_config debug1: /etc/ssh/ssh_config line 19: Applying options for * debug2: ssh_connect: needpriv 0 debug1: Connecting to [removed for privacy]. debug1: Connection established. debug3: Incorrect RSA1 identifier debug3: Could not load "/home/trevor/.ssh/id_rsa" as a RSA1 public key debug1: identity file /home/trevor/.ssh/id_rsa type 1 debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-2048 debug1: Checking blacklist file /etc/ssh/blacklist.RSA-2048 debug1: identity file /home/trevor/.ssh/id_rsa-cert type -1 debug1: identity file /home/trevor/.ssh/id_dsa type -1 debug1: identity file /home/trevor/.ssh/id_dsa-cert type -1 debug1: identity file /home/trevor/.ssh/id_ecdsa type -1 debug1: identity file /home/trevor/.ssh/id_ecdsa-cert type -1 debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3 debug1: match: OpenSSH_5.3 pat OpenSSH* debug1: Enabling compatibility mode for protocol 2.0 debug1: Local version string SSH-2.0-OpenSSH_5.9p1 Debian-5ubuntu1 debug2: fd 3 setting O_NONBLOCK debug3: load_hostkeys: loading entries for host "[removed]" from file "/home/trevor/.ssh/known_hosts" debug3: load_hostkeys: found key type RSA in file /home/trevor/.ssh/known_hosts:90 debug3: load_hostkeys: loaded 1 keys debug3: order_hostkeyalgs: prefer hostkeyalgs: [email protected],[email protected],ssh-rsa debug1: SSH2_MSG_KEXINIT sent debug1: SSH2_MSG_KEXINIT received debug2: kex_parse_kexinit: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 debug2: kex_parse_kexinit: [email protected],[email protected],ssh-rsa,[email protected],[email protected],[email protected],[email protected],[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-dss debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected] debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected] debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,[email protected],hmac-sha2-256,hmac-sha2-256-96,hmac-sha2-512,hmac-sha2-512-96,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,[email protected],hmac-sha2-256,hmac-sha2-256-96,hmac-sha2-512,hmac-sha2-512-96,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: none,[email protected],zlib debug2: kex_parse_kexinit: none,[email protected],zlib debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: first_kex_follows 0 debug2: kex_parse_kexinit: reserved 0 debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 debug2: kex_parse_kexinit: ssh-rsa,ssh-dss debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected] debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected] debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,[email protected],hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,[email protected],hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: none,[email protected] debug2: kex_parse_kexinit: none,[email protected] debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: first_kex_follows 0 debug2: kex_parse_kexinit: reserved 0 debug2: mac_setup: found hmac-md5 debug1: kex: server->client aes128-ctr hmac-md5 none debug2: mac_setup: found hmac-md5 debug1: kex: client->server aes128-ctr hmac-md5 none debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP debug2: dh_gen_key: priv key bits set: 120/256 debug2: bits set: 531/1024 debug1: SSH2_MSG_KEX_DH_GEX_INIT sent debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY debug1: Server host key: RSA cb:1c:78:3f:f7:7d:8a:10:27:86:a3:12:0c:27:f4:19 debug3: load_hostkeys: loading entries for host "[removed]" from file "/home/trevor/.ssh/known_hosts" debug3: load_hostkeys: found key type RSA in file /home/trevor/.ssh/known_hosts:90 debug3: load_hostkeys: loaded 1 keys debug3: load_hostkeys: loading entries for host "[removed]" from file "/home/trevor/.ssh/known_hosts" debug3: load_hostkeys: found key type RSA in file /home/trevor/.ssh/known_hosts:80 debug3: load_hostkeys: loaded 1 keys debug1: Host '[removed]' is known and matches the RSA host key. debug1: Found key in /home/trevor/.ssh/known_hosts:90 debug2: bits set: 541/1024 debug1: ssh_rsa_verify: signature correct debug2: kex_derive_keys debug2: set_newkeys: mode 1 debug1: SSH2_MSG_NEWKEYS sent debug1: expecting SSH2_MSG_NEWKEYS debug2: set_newkeys: mode 0 debug1: SSH2_MSG_NEWKEYS received debug1: Roaming not allowed by server debug1: SSH2_MSG_SERVICE_REQUEST sent debug2: service_accept: ssh-userauth debug1: SSH2_MSG_SERVICE_ACCEPT received debug2: key: /home/trevor/.ssh/id_rsa (0x7f3a228127d0) debug2: key: /home/trevor/.ssh/id_dsa ((nil)) debug2: key: /home/trevor/.ssh/id_ecdsa ((nil)) debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password debug3: start over, passed a different list publickey,gssapi-keyex,gssapi-with-mic,password debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password debug3: authmethod_lookup gssapi-keyex debug3: remaining preferred: gssapi-with-mic,publickey,keyboard-interactive,password debug3: authmethod_is_enabled gssapi-keyex debug1: Next authentication method: gssapi-keyex debug1: No valid Key exchange context debug2: we did not send a packet, disable method debug3: authmethod_lookup gssapi-with-mic debug3: remaining preferred: publickey,keyboard-interactive,password debug3: authmethod_is_enabled gssapi-with-mic debug1: Next authentication method: gssapi-with-mic debug1: Unspecified GSS failure. Minor code may provide more information Credentials cache file '/tmp/krb5cc_1000' not found debug1: Unspecified GSS failure. Minor code may provide more information Credentials cache file '/tmp/krb5cc_1000' not found debug1: Unspecified GSS failure. Minor code may provide more information debug1: Unspecified GSS failure. Minor code may provide more information Credentials cache file '/tmp/krb5cc_1000' not found debug2: we did not send a packet, disable method debug3: authmethod_lookup publickey debug3: remaining preferred: keyboard-interactive,password debug3: authmethod_is_enabled publickey debug1: Next authentication method: publickey debug1: Offering RSA public key: /home/trevor/.ssh/id_rsa debug3: send_pubkey_test debug2: we sent a publickey packet, wait for reply debug1: Server accepts key: pkalg ssh-rsa blen 279 debug2: input_userauth_pk_ok: fp 9c:b0:15:a4:92:9c:a5:31:8b:00:ea:f6:cb:e1:96:17 debug3: sign_and_send_pubkey: RSA 9c:b0:15:a4:92:9c:a5:31:8b:00:ea:f6:cb:e1:96:17 debug1: key_parse_private_pem: PEM_read_PrivateKey failed debug1: read PEM private key done: type <unknown> Enter passphrase for key '/home/trevor/.ssh/id_rsa': debug1: read PEM private key done: type RSA Connection closed by [removed_ip] 现在我跳过私钥,并在第一次尝试时使用正确的用户密码:
Enter passphrase for key '/home/trevor/.ssh/id_rsa': debug2: no passphrase given, try next key debug1: Trying private key: /home/trevor/.ssh/id_dsa debug3: no such identity: /home/trevor/.ssh/id_dsa debug1: Trying private key: /home/trevor/.ssh/id_ecdsa debug3: no such identity: /home/trevor/.ssh/id_ecdsa debug2: we did not send a packet, disable method debug3: authmethod_lookup password debug3: remaining preferred: ,password debug3: authmethod_is_enabled password debug1: Next authentication method: password [user]@[server]'s password: debug3: packet_send2: adding [##] (len [##] padlen [#] extra_pad [##]) debug2: we sent a password packet, wait for reply Connection closed by [removed_ip]
最后我跳过私钥,input一个不正确的密码,然后在第二次input正确的密码后,这个方法终于让我在s
debug1: Next authentication method: password [user]@[server]'s password: debug3: packet_send2: adding [##] (len [##] padlen [#] extra_pad [##]) debug2: we sent a password packet, wait for reply debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password Permission denied, please try again. [user]@[server]'s password: debug3: packet_send2: adding [##] (len [##] padlen [##] extra_pad [#]) debug2: we sent a password packet, wait for reply debug1: Authentication succeeded (password). Authenticated to [server] ([[server_ip]]:22). debug1: channel 0: new [client-session] debug3: ssh_session2_open: channel_new: 0 debug2: channel 0: send open debug1: Requesting [email protected] debug1: Entering interactive session. debug2: callback start debug2: x11_get_proto: /usr/bin/xauth list :0 2>/dev/null debug1: Requesting X11 forwarding with authentication spoofing. debug2: channel 0: request x11-req confirm 1 debug1: Requesting authentication agent forwarding. debug2: channel 0: request [email protected] confirm 0 debug2: client_session2_setup: id 0 debug2: fd 3 setting TCP_NODELAY debug2: channel 0: request pty-req confirm 1 debug1: Sending environment. debug3: Ignored env LANGUAGE debug3: Ignored env KDE_MULTIHEAD debug3: Ignored env KDE_SESSION_VERSION debug3: Ignored env KONSOLE_DBUS_SERVICE debug3: Ignored env LOGNAME debug3: Ignored env WINDOWPATH debug3: Ignored env GTK_MODULES debug3: Ignored env GTK2_RC_FILES debug3: Ignored env KDE_FULL_SESSION debug3: Ignored env SHLVL debug3: Ignored env DBUS_SESSION_BUS_ADDRESS debug3: Ignored env PATH debug3: Ignored env USER debug1: Sending env LANG = en_US.UTF-8 debug2: channel 0: request env confirm 0 debug3: Ignored env DEFAULTS_PATH debug3: Ignored env GTK_RC_FILES debug3: Ignored env WINDOWID debug3: Ignored env XCURSOR_SIZE debug3: Ignored env XDG_CONFIG_DIRS debug3: Ignored env XDM_MANAGED debug3: Ignored env XDG_DATA_DIRS debug3: Ignored env DM_CONTROL debug3: Ignored env _ debug3: Ignored env DISPLAY debug3: Ignored env PWD debug3: Ignored env XCURSOR_THEME debug3: Ignored env GS_LIB debug3: Ignored env COLORFGBG debug3: Ignored env KDE_SESSION_UID debug3: Ignored env SSH_AGENT_PID debug3: Ignored env XDG_SESSION_COOKIE debug3: Ignored env OLDPWD debug3: Ignored env TERM debug3: Ignored env PROFILEHOME debug3: Ignored env SESSION_MANAGER debug3: Ignored env UBUNTU_MENUPROXY debug3: Ignored env QT_PLUGIN_PATH debug3: Ignored env SSH_AUTH_SOCK debug3: Ignored env KONSOLE_DBUS_SESSION debug3: Ignored env DESKTOP_SESSION debug3: Ignored env MANDATORY_PATH debug3: Ignored env SHELL_SESSION_ID debug3: Ignored env HOME debug3: Ignored env SHELL debug3: Ignored env GREP_OPTIONS debug3: Ignored env GREP_COLOR debug3: Ignored env PAGER debug1: Sending env LC_CTYPE = en_US.UTF-8 debug2: channel 0: request env confirm 0 debug3: Ignored env LSCOLORS debug3: Ignored env rvm_prefix debug3: Ignored env rvm_path debug3: Ignored env __array_start debug3: Ignored env rvm_bin_path debug3: Ignored env escape_flag debug3: Ignored env _first debug3: Ignored env _second debug3: Ignored env rvm_version debug3: Ignored env RUBY_VERSION debug3: Ignored env GEM_HOME debug3: Ignored env GEM_PATH debug3: Ignored env MY_RUBY_HOME debug3: Ignored env IRBRC debug3: Ignored env rvm_alias_expanded debug3: Ignored env rvm_docs_type debug3: Ignored env rvm_gemstone_package_file debug3: Ignored env rvm_gemstone_url debug3: Ignored env rvm_niceness debug3: Ignored env rvm_nightly_flag debug3: Ignored env rvm_proxy debug3: Ignored env rvm_quiet_flag debug3: Ignored env rvm_ruby_file debug3: Ignored env rvm_ruby_make debug3: Ignored env rvm_ruby_make_install debug3: Ignored env rvm_ruby_mode debug3: Ignored env rvm_script_name debug3: Ignored env rvm_sdk debug3: Ignored env rvm_silent_flag debug3: Ignored env rvm_wrapper_name debug2: channel 0: request shell confirm 1 debug2: callback done debug2: channel 0: open confirm rwindow 0 rmax 32768 debug2: channel_input_status_confirm: type 99 id 0 debug2: X11 forwarding request accepted on channel 0 debug2: channel_input_status_confirm: type 99 id 0 debug2: PTY allocation request accepted on channel 0 debug2: channel 0: rcvd adjust 2097152 debug2: channel_input_status_confirm: type 99 id 0 debug2: shell request accepted on channel 0 Last login: [DateTime removed] from [location removed]
从debugging代码中可以看出,我的名字是Trevor。 谢谢您的帮助! 让我知道我需要包含哪些pamconfiguration文件。
在评论中的每个请求,这里是一些更多的日志/debugging信息。
/ var / log / secure(我的用户名是twhitney):
Oct 9 12:01:26 [server] sshd[25087]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=[removed] user=twhitney Oct 9 12:01:26 [server] sshd[25087]: pam_krb5[25087]: authentication fails for 'twhitney' (twhitney@[domain]): Authentication failure (Decrypt integrity check failed) Oct 9 12:01:26 [server] sshd[25087]: pam_ldap: ldap_starttls_s: Operations error Oct 9 12:01:28 [server] sshd[25087]: Failed password for twhitney from [server_ip] port 47541 ssh2 Oct 9 12:01:32 [server] sshd[25087]: Accepted password for twhitney from [server_ip] port 47541 ssh2 Oct 9 12:01:32 [server] sshd[25087]: pam_unix(sshd:session): session opened for user twhitney by (uid=0)
这里的关键线索可能是“pam_ldap:ldap_starttls_s:操作错误”,我将不得不做一些研究。
接下来,是pamconfiguration。 我将从/etc/pam.d/system-auth开始:
auth required pam_env.so auth sufficient pam_unix.so nullok try_first_pass auth requisite pam_succeed_if.so uid >= 500 quiet auth sufficient pam_sss.so use_first_pass auth required pam_deny.so account required pam_unix.so broken_shadow account sufficient pam_localuser.so account sufficient pam_succeed_if.so uid < 500 quiet account [default=bad success=ok user_unknown=ignore] pam_sss.so account required pam_permit.so password requisite pam_cracklib.so try_first_pass retry=3 type= password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok password sufficient pam_sss.so use_authok password required pam_deny.so session required pam_oddjob_mkhomedir.so skel=/etc/skel/ umask=0027 session optional pam_keyinit.so revoke session required pam_limits.so session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid session sufficient pam_sss.so session required pam_unix.so
现在/etc/pam.d/password-auth:
auth required pam_env.so auth sufficient pam_unix.so nullok try_first_pass auth requisite pam_succeed_if.so uid >= 500 quiet auth sufficient pam_krb5.so use_first_pass auth sufficient pam_ldap.so use_first_pass auth required pam_deny.so account required pam_unix.so broken_shadow account sufficient pam_localuser.so account sufficient pam_succeed_if.so uid < 500 quiet account [default=bad success=ok user_unknown=ignore] pam_ldap.so account [default=bad success=ok user_unknown=ignore] pam_krb5.so account required pam_permit.so password requisite pam_cracklib.so try_first_pass retry=3 type= password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok password sufficient pam_krb5.so use_authtok password sufficient pam_ldap.so use_authtok password required pam_deny.so session optional pam_keyinit.so revoke session required pam_limits.so session optional pam_oddjob_mkhomedir.so skel=/etc/skel/ umask=0027 session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid session required pam_unix.so session optional pam_krb5.so session optional pam_ldap.so
再次感谢您解决我的难题!
没有声望来添加评论,但为了debuggingPAMauthentication问题,你需要在服务器端做到这一点。
要这样做ssh进入服务器并运行:
sshd -d -D -p 4000
这将启用debugging启用( -d )端口4000( -p 4000 )上的ssh守护进程,而无需从控制台( -D )分离。
然后再尝试,但连接到端口4000,在服务器端,你会看到很多的输出,有问题的根源,而不是在客户端的真相。
如果您需要更详细的信息,可以添加多个-d ,最多三个。
如果你不能从输出中找出它粘贴在这里给我们看。
所以我find了一个解决scheme,我不知道这是否是最好的,但它让我在第一次尝试SSH。 诀窍是摆脱/etc/pam.d/sshd的所有password-auth包含,并用system-auth includereplace它们。 所以,我最后的/etc/pam.d/sshd文件如下所示:
#%PAM-1.0 auth required pam_sepermit.so auth include system-auth #auth include password-auth #account required pam_nologin.so account required pam_access.so account include system-auth password include system-auth #account include password-auth #password include password-auth # pam_selinux.so close should be the first session rule session required pam_selinux.so close session required pam_loginuid.so # pam_selinux.so open should only be followed by sessions to be executed in the user context session required pam_selinux.so open env_params session optional pam_keyinit.so force revoke #session include password-auth session include system-auth
你可能会说,我对PAM有点新鲜。 system-auth和password-auth文件包含在上面,在我原来的问题中。 有人可以向我解释为什么上述改变固定的东西? 我做了同样的修复,在/etc/pam.d/crond中用include system-auth代替了所有include password-auth语句,因为它不允许任何人(包括root)使用cron / crontab。 这些configuration有什么区别? 这些更改是否以任何方式危及我的安全?
再次感谢所有的帮助和build议。