I'm using a FreeIPA server with SSH keys configured on the users. I'm trying to get servers to authenticate using the ssh keys from the IPA server so I don't have to manage lots of authorized_keys files.
I can confirm that the keys are added and can be retrieved with sss_ssh_authorizedkeys <user>, which returns the appropriate key for each user when queried. However, when sshd runs the command, sss_ssh_authorizedkeys fails with error code 13.
My test system is my CentOS IPA server.
I added the snippet below to my sshd_config to enable this configuration:
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
AuthorizedKeysCommandUser nobody
I also tried AuthorizedKeysCommandUser as root to make sure it wasn't a permissions problem.
I googled my error and got a single result back from an IRC archive, where the final outcome (as far as I can tell) was that the solution was emailed to the asker. I thought this might be an SELinux issue (it has bitten me in web server scenarios), but searching for "ssh", "sshd" or "authorizedkeys" didn't turn up anything I could see. I'm also not very good at reading the authentication logs, so I don't rule out SELinux as the culprit.
Here is a snippet of the log generated by sshd -ddd on the IPA box:
Connection from 10.77.1.198 port 56579 on 10.77.1.20 port 22
debug1: Client protocol version 2.0; client software version OpenSSH_7.5
debug1: match: OpenSSH_7.5 pat OpenSSH* compat 0x04000000
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.6.1
debug1: SELinux support enabled [preauth]
debug1: permanently_set_uid: 74/74 [preauth]
debug1: list_hostkey_types: ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
debug1: SSH2_MSG_KEXINIT sent [preauth]
debug1: SSH2_MSG_KEXINIT received [preauth]
debug1: kex: client->server [email protected] <implicit> none [preauth]
debug1: kex: server->client [email protected] <implicit> none [preauth]
debug1: kex: [email protected] need=64 dh_need=64 [preauth]
debug1: kex: [email protected] need=64 dh_need=64 [preauth]
debug1: expecting SSH2_MSG_KEX_ECDH_INIT [preauth]
debug1: SSH2_MSG_NEWKEYS sent [preauth]
debug1: expecting SSH2_MSG_NEWKEYS [preauth]
debug1: SSH2_MSG_NEWKEYS received [preauth]
debug1: KEX done [preauth]
debug1: userauth-request for user ryan service ssh-connection method none [preauth]
debug1: attempt 0 failures 0 [preauth]
debug1: PAM: initializing for "ryan"
debug1: PAM: setting PAM_RHOST to "10.77.1.198"
debug1: PAM: setting PAM_TTY to "ssh"
debug1: userauth-request for user ryan service ssh-connection method publickey [preauth]
debug1: attempt 1 failures 0 [preauth]
debug1: test whether pkalg/pkblob are acceptable [preauth]
debug1: temporarily_use_uid: 0/0 (e=0/0)
debug1: restore_uid: 0/0
debug1: temporarily_use_uid: 0/0 (e=0/0)
Found matching RSA key: 2a:be:8a:c9:4f:62:7a:66:99:70:c1:ca:02:17:ee:94
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys exited on signal 13
debug1: restore_uid: 0/0
debug1: temporarily_use_uid: 1954400001/1954400001 (e=0/0)
debug1: trying public key file /home/ryan/.ssh/authorized_keys
debug1: Could not open authorized keys '/home/ryan/.ssh/authorized_keys': No such file or directory
debug1: restore_uid: 0/0
Failed publickey for ryan from 10.77.1.198 port 56579 ssh2: RSA 2a:be:8a:c9:4f:62:7a:66:99:70:c1:ca:02:17:ee:94
debug1: userauth-request for user ryan service ssh-connection method keyboard-interactive [preauth]
debug1: attempt 2 failures 1 [preauth]
debug1: keyboard-interactive devs [preauth]
debug1: auth2_challenge: user=ryan devs= [preauth]
debug1: kbdint_alloc: devices 'pam' [preauth]
debug1: auth2_challenge_start: trying authentication method 'pam' [preauth]
Postponed keyboard-interactive for ryan from 10.77.1.198 port 56579 ssh2 [preauth]
The sss_ssh_authorizedkeys binary is just a dumb wrapper that doesn't even log much; it only talks to sssd's sss_ssh process. So the best approach is to put a debug_level in the [ssh] section of sssd.conf and look at the sssd logs.
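Both the sshd -ddd capture in the question and the debugging step in the answer start from reading how sshd reports the helper's exit, and "exited on signal 13" means the helper was killed by SIGPIPE rather than returning an exit code. The script below is an added example, not code from the original post, sssd or OpenSSH: it decodes the AuthorizedKeysCommand lines from an sshd -ddd log and sanity-checks the two sshd_config directives, on constructed sample input (the log-message wording is OpenSSH's; the sample lines are made up apart from the signal-13 line quoted from the question).

```shell
#!/bin/sh
# Added triage helper for an AuthorizedKeysCommand that fails under sshd; it is
# not code from the original post, sssd or OpenSSH. Each function reads stdin,
# so it works on a live "sshd -ddd" capture as well as the sample below.

# Map a signal number to its name (13 -> SIGPIPE); falls back to the number.
signal_name() {
    n=$(kill -l "$1" 2>/dev/null)
    if [ -n "$n" ]; then printf 'SIG%s\n' "$n"; else printf 'signal %s\n' "$1"; fi
}

# Report how the helper ended. sshd prints "exited on signal N" when the
# process was killed (13 = SIGPIPE: the pipe to sshd was closed before the
# helper finished writing) and "returned status N" for a normal non-zero exit.
akc_outcome() {
    grep -oE 'AuthorizedKeysCommand [^ ]+ (exited on signal|returned status) [0-9]+' |
    while read -r tag cmd rest; do
        num=${rest##* }
        case $rest in
            "exited on signal"*) echo "$cmd killed by $(signal_name "$num") ($num)" ;;
            "returned status"*)  echo "$cmd exit status $num" ;;
        esac
    done
}

# Check the sshd_config directives that drive the helper: the command must be an
# absolute path, and sshd skips the command when no AuthorizedKeysCommandUser is set.
akc_config_check() {
    awk '
        $1 == "AuthorizedKeysCommand"     { cmd  = $2 }
        $1 == "AuthorizedKeysCommandUser" { user = $2 }
        END {
            if (cmd == "")    { print "FAIL: AuthorizedKeysCommand not set"; exit 1 }
            if (cmd !~ /^\//) { print "FAIL: AuthorizedKeysCommand is not an absolute path"; exit 1 }
            if (user == "")   { print "FAIL: AuthorizedKeysCommandUser not set, sshd will skip the command"; exit 1 }
            if (user == "root") print "WARN: running the helper as root widens its privileges; prefer nobody"
            print "OK: " cmd " runs as " user
        }'
}

# Constructed sample input: the signal-13 line from the post, a made-up
# non-zero exit, and the sshd_config fragment from the post.
SAMPLE_LOG='AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys exited on signal 13
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys returned status 1
debug1: restore_uid: 0/0'
SAMPLE_CONF='AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
AuthorizedKeysCommandUser nobody'
printf '%s\n' "$SAMPLE_LOG"  | akc_outcome
printf '%s\n' "$SAMPLE_CONF" | akc_config_check
```

On a real host, feed it the captured sshd -ddd output instead of SAMPLE_LOG and the live sshd_config instead of SAMPLE_CONF.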