LXC 容器上的 FreeIPA 客戶端 sshd 訪問被拒絕
在 Proxmox 4.4 上,我安裝了帶有 FreeIPA 伺服器的 Centos 7 VM:
ipa-server-install --idstart 10000 --setup-dns
我可以使用 IPA 使用者並登錄到 Proxmox 上的其他虛擬機,但是當我嘗試對 Centos 7 LXC 容器進行相同操作時,我遇到了錯誤:
May 6 13:15:50 aaaaaa sshd[424]: Authorized to user, krb5 principal user@HOMELAB.LOCAL (ssh_gssapi_krb5_cmdok) May 6 13:15:50 aaaaaa sshd[424]: pam_sss(sshd:account): Access denied for user user: 4 (System error) May 6 13:15:50 aaaaaa sshd[424]: fatal: Access denied for user user by PAM account configuration [preauth]
但:
[root@aaaaaa ~]# su - user Creating home directory for user. [user@aaaaaa ~]$
現在
/etc/passwd
這台伺服器上有這樣的使用者,所以它來自 IPA。[user@aaaaaa ~]$ id uid=10001(user) gid=10000(admins) groups=10000(admins) [user@aaaaaa ~]$ getent passwd user user:*:10001:10000:Name Surename:/home/user:/bin/bash
此外,在我將它註冊到 FreeIPA 伺服器後,我無法以 root 使用者身份登錄到該容器。
[root@aaaaaa ~]# kinit admin Password for admin@HOMELAB.LOCAL: [root@aaaaaa ~]# klist Ticket cache: KEYRING:persistent:0:krb_ccache_rirBgUU Default principal: admin@HOMELAB.LOCAL Valid starting Expires Service principal 05/06/2017 14:56:21 05/07/2017 14:56:19 krbtgt/HOMELAB.LOCAL@HOMELAB.LOCAL
所以,kerberos 工作,但我唯一的問題是 ssh。我在 Proxmox 上進行了更改,
/etc/subgid
並且/etc/subuid
(按照此處的建議)以獲取更多 ID,但這是絕望的舉動。我的 IPA id 範圍不是很高,從 10000 開始,我可以這樣做su - user
,但事實並非如此。我想我檢查了所有內容,包括刪除 sssd db,但它並沒有改變任何東西。
這是我的
sssd.conf
:[domain/homelab.local] cache_credentials = True krb5_store_password_if_offline = True ipa_domain = homelab.local id_provider = ipa auth_provider = ipa access_provider = permit ipa_hostname = aaaaaa.homelab.local chpass_provider = ipa dyndns_update = True ipa_server = _srv_, ipa.homelab.local dyndns_iface = eth0 ldap_tls_cacert = /etc/ipa/ca.crt [sssd] services = nss, sudo, pam, ssh domains = homelab.local [nss] homedir_substring = /home [pam] [sudo] [autofs] [ssh] [pac] [ifp]
我的
system-auth
:#%PAM-1.0 # This file is auto-generated. # User changes will be destroyed the next time authconfig is run. auth required pam_env.so auth [default=1 success=ok] pam_localuser.so auth [success=done ignore=ignore default=die] pam_unix.so nullok try_first_pass auth requisite pam_succeed_if.so uid >= 1000 quiet_success auth sufficient pam_sss.so forward_pass auth required pam_deny.so account required pam_unix.so account sufficient pam_localuser.so account sufficient pam_succeed_if.so uid < 1000 quiet account [default=bad success=ok user_unknown=ignore] pam_sss.so account required pam_permit.so password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok password sufficient pam_sss.so use_authtok password required pam_deny.so session optional pam_keyinit.so revoke session required pam_limits.so -session optional pam_systemd.so session optional pam_oddjob_mkhomedir.so umask=0077 session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid session required pam_unix.so session optional pam_sss.so
還有我的
sshd_config
文件:HostKey /etc/ssh/ssh_host_rsa_key HostKey /etc/ssh/ssh_host_ecdsa_key HostKey /etc/ssh/ssh_host_ed25519_key SyslogFacility AUTHPRIV AuthorizedKeysFile .ssh/authorized_keys PasswordAuthentication yes ChallengeResponseAuthentication no GSSAPIAuthentication yes GSSAPICleanupCredentials no UsePAM yes X11Forwarding yes UsePrivilegeSeparation sandbox # Default for new installations. AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE AcceptEnv XMODIFIERS Subsystem sftp /usr/libexec/openssh/sftp-server
下面是 ssh 的輸出,我可以在其中連接到 LXC 容器:
ssh -vvv user@aaaaaa OpenSSH_6.6.1, OpenSSL 1.0.1e-fips 11 Feb 2013 debug1: Reading configuration data /etc/ssh/ssh_config debug1: /etc/ssh/ssh_config line 60: Applying options for * debug1: Executing proxy command: exec /usr/bin/sss_ssh_knownhostsproxy -p 22 aaaaaa debug1: permanently_drop_suid: 10001 debug1: identity file /home/user/.ssh/id_rsa type -1 debug1: identity file /home/user/.ssh/id_rsa-cert type -1 debug1: identity file /home/user/.ssh/id_dsa type -1 debug1: identity file /home/user/.ssh/id_dsa-cert type -1 debug1: identity file /home/user/.ssh/id_ecdsa type -1 debug1: identity file /home/user/.ssh/id_ecdsa-cert type -1 debug1: identity file /home/user/.ssh/id_ed25519 type -1 debug1: identity file /home/user/.ssh/id_ed25519-cert type -1 debug1: Enabling compatibility mode for protocol 2.0 debug1: Local version string SSH-2.0-OpenSSH_6.6.1 debug1: Remote protocol version 2.0, remote software version OpenSSH_6.6.1 debug1: match: OpenSSH_6.6.1 pat OpenSSH_6.6.1* compat 0x04000000 debug2: fd 6 setting O_NONBLOCK debug2: fd 5 setting O_NONBLOCK debug3: load_hostkeys: loading entries for host "aaaaaa" from file "/home/user/.ssh/known_hosts" debug3: load_hostkeys: loaded 0 keys debug3: load_hostkeys: loading entries for host "aaaaaa" from file "/var/lib/sss/pubconf/known_hosts" debug3: load_hostkeys: found key type ECDSA in file /var/lib/sss/pubconf/known_hosts:2 debug3: load_hostkeys: found key type RSA in file /var/lib/sss/pubconf/known_hosts:4 debug3: load_hostkeys: found key type DSA in file /var/lib/sss/pubconf/known_hosts:6 debug3: load_hostkeys: found key type ED25519 in file /var/lib/sss/pubconf/known_hosts:8 debug3: load_hostkeys: loaded 4 keys debug3: order_hostkeyalgs: prefer hostkeyalgs: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ssh-dss-cert-v00@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,ssh-rsa,ssh-dss debug1: SSH2_MSG_KEXINIT sent debug1: SSH2_MSG_KEXINIT received debug2: kex_parse_kexinit: curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 debug2: kex_parse_kexinit: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ssh-dss-cert-v00@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,ssh-rsa,ssh-dss, debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se debug2: kex_parse_kexinit: hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: first_kex_follows 0 debug2: kex_parse_kexinit: reserved 0 debug2: kex_parse_kexinit: curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 debug2: kex_parse_kexinit: ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519 debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se debug2: kex_parse_kexinit: hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: none,zlib@openssh.com debug2: kex_parse_kexinit: none,zlib@openssh.com debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: first_kex_follows 0 debug2: kex_parse_kexinit: reserved 0 debug2: mac_setup: setup hmac-md5-etm@openssh.com debug1: kex: server->client aes128-ctr hmac-md5-etm@openssh.com none debug2: mac_setup: setup hmac-md5-etm@openssh.com debug1: kex: client->server aes128-ctr hmac-md5-etm@openssh.com none debug1: kex: curve25519-sha256@libssh.org need=16 dh_need=16 debug1: kex: curve25519-sha256@libssh.org need=16 dh_need=16 debug1: sending SSH2_MSG_KEX_ECDH_INIT debug1: expecting SSH2_MSG_KEX_ECDH_REPLY debug1: Server host key: ECDSA 4f:71:72:5c:46:e5:58:3b:cf:17:75:c9:52:35:38:e9 debug3: load_hostkeys: loading entries for host "aaaaaa" from file "/home/user/.ssh/known_hosts" debug3: load_hostkeys: loaded 0 keys debug3: load_hostkeys: loading entries for host "aaaaaa" from file "/var/lib/sss/pubconf/known_hosts" debug3: load_hostkeys: found key type ECDSA in file /var/lib/sss/pubconf/known_hosts:2 debug3: load_hostkeys: found key type RSA in file /var/lib/sss/pubconf/known_hosts:4 debug3: load_hostkeys: found key type DSA in file /var/lib/sss/pubconf/known_hosts:6 debug3: load_hostkeys: found key type ED25519 in file /var/lib/sss/pubconf/known_hosts:8 debug3: load_hostkeys: loaded 4 keys debug1: Host 'aaaaaa' is known and matches the ECDSA host key. debug1: Found key in /var/lib/sss/pubconf/known_hosts:2 debug1: ssh_ecdsa_verify: signature correct debug2: kex_derive_keys debug2: set_newkeys: mode 1 debug1: SSH2_MSG_NEWKEYS sent debug1: expecting SSH2_MSG_NEWKEYS debug2: set_newkeys: mode 0 debug1: SSH2_MSG_NEWKEYS received debug1: SSH2_MSG_SERVICE_REQUEST sent debug2: service_accept: ssh-userauth debug1: SSH2_MSG_SERVICE_ACCEPT received debug2: key: /home/user/.ssh/id_rsa ((nil)), debug2: key: /home/user/.ssh/id_dsa ((nil)), debug2: key: /home/user/.ssh/id_ecdsa ((nil)), debug2: key: /home/user/.ssh/id_ed25519 ((nil)), debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password debug3: start over, passed a different list publickey,gssapi-keyex,gssapi-with-mic,password debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password debug3: authmethod_lookup gssapi-keyex debug3: remaining preferred: gssapi-with-mic,publickey,keyboard-interactive,password debug3: authmethod_is_enabled gssapi-keyex debug1: Next authentication method: gssapi-keyex debug1: No valid Key exchange context debug2: we did not send a packet, disable method debug3: authmethod_lookup gssapi-with-mic debug3: remaining preferred: publickey,keyboard-interactive,password debug3: authmethod_is_enabled gssapi-with-mic debug1: Next authentication method: gssapi-with-mic debug2: we sent a gssapi-with-mic packet, wait for reply Connection closed by UNKNOWN
當然在伺服器
user
上不是我使用的真實登錄名。還有什麼建議我可以檢查嗎?幾天以來我一直在為此苦苦掙扎,但找不到任何解決方法的線索。我希望這裡有人可以幫助我。
更新:
我寫錯了,我無法以 root 使用者身份登錄。我可以。但仍然無法以 IPA 的其他使用者身份通過 ssh 登錄。此外,當我
su - user
無法sudo
從該使用者執行操作時,但在其他虛擬機上,該 IPA 使用者可以通過sudo
.UPDATE2: 我在執行時在容器上發現了它
kinit user
,然後klist
我得到了:Ticket cache: KEYRING:persistent:0:0
但同樣在 VM 上看起來像:
Ticket cache: KEYRING:persistent:10001:krb_ccache_K1JScvu
我想我部分解決了這個問題。在@abbra 評論之後,我開始檢查
/var/log/sssd/
文件夾中的所有日誌,當我檢查時selinux_child.log
我發現:(Mon May 8 21:20:29 2017) [[sssd[selinux_child[694]]]] [unpack_buffer] (0x2000): username: user (Mon May 8 21:20:29 2017) [[sssd[selinux_child[694]]]] [main] (0x0400): performing selinux operations (Mon May 8 21:20:29 2017) [[sssd[selinux_child[694]]]] [sss_semanage_init] (0x0020): SELinux policy not managed (Mon May 8 21:20:29 2017) [[sssd[selinux_child[694]]]] [get_seuser] (0x0020): Cannot create SELinux handle (Mon May 8 21:20:29 2017) [[sssd[selinux_child[694]]]] [seuser_needs_update] (0x2000): get_seuser: ret: 5 seuser: unknown mls: unknown (Mon May 8 21:20:29 2017) [[sssd[selinux_child[694]]]] [sss_semanage_init] (0x0020): SELinux policy not managed (Mon May 8 21:20:29 2017) [[sssd[selinux_child[694]]]] [set_seuser] (0x0020): Cannot init SELinux management (Mon May 8 21:20:29 2017) [[sssd[selinux_child[694]]]] [main] (0x0020): Cannot set SELinux login context. (Mon May 8 21:20:29 2017) [[sssd[selinux_child[694]]]] [main] (0x0020): selinux_child failed!
首先我完全禁用了 Selinux,但這並不能解決我的問題。在那之後,我
/etc/sssd/sssd.conf
在domain
部分中放了:selinux_provider=none
。重新啟動容器後,我可以通過 ssh 以 IPA 使用者身份登錄,也可以使用 sudo。我不知道如何使用 SeLinux 並通過 ssh 登錄到容器,但現在我認為這對我來說還可以。更新:
我也禁用了鑰匙圈
krb5.conf
。
su - user
通常會避免實際的身份驗證,因為/etc/pam.d/su
包含auth sufficient pam_rootok.so
作為第一行的第一行,它會短路任何對 root 的身份驗證。所以 SSSD 根本不參與。不要在容器內使用密鑰環 ccache 儲存,因為密鑰環沒有命名空間。
default_ccache_name = KEYRING:persistent:%{uid}
從/etc/krb5.conf
容器中取出。libkrb5FILE:...
在/tmp
.最後,當 SSSD 報告“系統錯誤”時,您應該使用故障排除指南將域部分的調試級別提高到 9 並分析容器中的日誌。有關詳細資訊,請參閱https://web.archive.org/web/20170102152322/https://fedorahosted.org/sssd/wiki/Troubleshooting。SSSD 項目最近遷移到
pagure.io
Fedora Hosted 基礎架構退役後尚未重新生成其文件,因此是一個指向 Wayback 機器的連結。