Linux

不允許使用者通過 SSH 登錄(Bash、OpenSSH、CentOS 6.5)

  • November 25, 2018

我正在通過 SSH 遠端執行 CentOS 6.5 機器。我使用 RSA 密鑰並禁用了密碼驗證。我遇到的問題是,每當我添加一個新使用者並希望他/她通過 SSH 登錄時,他們都會被拒絕訪問。

起初,這似乎是一個簡單的問題。這些是我已經嘗試過的:

  • 檢查 pub 鍵是否有明顯錯誤
  • 確保對 authorized_keys 和 ~/.ssh 的正確權限
  • 確保它們在 ssh_config 的 AllowUsers 列表中
  • 檢查防火牆權限
  • 確保他們的私鑰正在被使用
  • 重啟SSHD

這是我設置的內容sshd_config

PermitRootLogin no
AllowUsers keving moman muser

這就是我的日誌告訴我的:

Login attempted when not in AllowUsers list:
   muser : 3 Time(s)
   root : 127 Time(s)

為什麼 SSH 不允許登錄,而 AllowUsers 列表顯然列出了 muser?還有其他地方可以設置嗎?

更新:在將我的 pub 密鑰添加到帶有詳細標誌的使用者的 authorized_keys 文件後,我嘗試在我的機器上登錄該帳戶-v。這些是結果(出於安全原因,使用假 IP 和伺服器主機密鑰):

$ ssh -v mattm@111.111.111.111
OpenSSH_6.6.1, OpenSSL 1.0.1i 6 Aug 2014
debug1: Reading configuration data /c/Users/[user]/.ssh/config
debug1: Connecting to 111.111.111.111 [111.111.111.111] port 22.
debug1: Connection established.
debug1: identity file /c/Users/[user]/.ssh/id_rsa type 1
debug1: identity file /c/Users/[user]/.ssh/id_rsa-cert type -1
debug1: identity file /c/Users/[user]/.ssh/id_dsa type -1
debug1: identity file /c/Users/[user]/.ssh/id_dsa-cert type -1
debug1: identity file /c/Users/[user]/.ssh/id_ecdsa type -1
debug1: identity file /c/Users/[user]/.ssh/id_ecdsa-cert type -1
debug1: identity file /c/Users/[user]/.ssh/id_ed25519 type -1
debug1: identity file /c/Users/[user]/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.6.1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
debug1: match: OpenSSH_5.3 pat OpenSSH_5* compat 0x0c000000
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<3072<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Server host key: RSA [censored]
debug1: Host '111.111.111.111' is known and matches the RSA host key.
debug1: Found key in /c/Users/[user]/.ssh/known_hosts:4
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /c/Users/[user]/.ssh/id_rsa
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug1: Trying private key: /c/Users/[user]/.ssh/id_dsa
debug1: Trying private key: /c/Users/[user]/.ssh/id_ecdsa
debug1: Trying private key: /c/Users/[user]/.ssh/id_ed25519
debug1: No more authentication methods to try.
Permission denied (publickey,gssapi-keyex,gssapi-with-mic).

正如@toppledwagon 在對我的問題的評論中所建議的那樣,我檢查並確定在包括主目錄/var/log/security的樹上有一個錯誤權限條目。~/.ssh/authorized_keys

進行這些編輯後,我能夠使用 RSA 密鑰通過 ssh 登錄到使用者的帳戶:

$ chmod g-w /home/your_user
$ chmod 700 /home/your_user/.ssh
$ chmod 600 /home/your_user/.ssh/authorized_keys

參考:http ://www.daveperrett.com/articles/2010/09/14/ssh-authentication-refused/

調整這些權限後,我可以登錄了。有趣的是,我已經將.sshdir 和authorized_keysfile 分別設置為700600。由於某種原因,未正確設置主目錄。

感謝所有在評論中提供幫助的人。

引用自:https://serverfault.com/questions/638468