Ssh

拒絕一位使用者的 SSH 訪問

  • April 12, 2022

我在嘗試通過 SSH 連接到伺服器時遇到一個錯誤,對於一個使用者。此使用者的主目錄位於 /opt 中,其中包含一個 .ssh 目錄(權限:700)和一個包含公鑰的 authorized_keys 文件。它與主目錄位於 /home 中的其他使用者一起使用,使用我可以作為另一個使用者連接的相同 rsa 密鑰。在 /var/log/secure 我得到:

Apr  8 14:48:22 myserver sshd[338949]: pam_sss(sshd:account): Access denied for user myuser: 6 (Permission denied)
Apr  8 14:48:22 myserver sshd[338949]: fatal: Access denied for user myuser by PAM account configuration [preauth]

使用 ssh -vvv 最後幾行是:

debug1: Server accepts key: pkalg rsa-sha2-512 blen 535
debug2: input_userauth_pk_ok: fp SHA256:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
debug3: sign_and_send_pubkey: RSA SHA256:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
debug3: send packet: type 50
Authentication failed.

如果我使用相同的密鑰作為另一個使用者連接到該伺服器,那麼我看到的唯一區別是主目錄在 /opt 而不是 /home 中。該使用者的登錄名中有一個下劃線。你遇到過這種情況嗎?

$$ EDIT $$附加資訊 : SELinux 被禁用

[root@myserver ~]# getenforce
Disabled
[myuser@myserver ~]$ ls -la /opt/myuser/
drwx------ 2 myuser myuser    80 Apr  8 14:46 .ssh
[myuser@myserver ~]# ls -l /opt/myuser/.ssh/authorized_keys
-rw------- 1 myuser myuser  1131 Apr  8 14:46 /opt/myuser/.ssh/authorized_keys
[root@myserver ~]# namei -l /opt/myuser/.ssh/authorized_keys
f: /opt/myuser/.ssh/authorized_keys
dr-xr-xr-x root         root         /
drwxr-xr-x root         root         opt
drwx------ myuser       myuser       myuser
drwx------ myuser       myuser       .ssh
-rw------- myuser       myuser       authorized_keys
[root@myserver ~]# grep -v ^# /etc/ssh/sshd_config
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key

SyslogFacility AUTHPRIV

PermitRootLogin no

AuthorizedKeysFile      .ssh/authorized_keys

PasswordAuthentication yes

ChallengeResponseAuthentication no

GSSAPIAuthentication yes
GSSAPICleanupCredentials no

UsePAM yes

X11Forwarding yes

AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS

Subsystem       sftp    /usr/libexec/openssh/sftp-server
[root@myserver ~]# cat /etc/pam.d/sshd
#%PAM-1.0
auth       required     pam_sepermit.so
auth       substack     password-auth
auth       include      postlogin
# Used with polkit to reauthorize users in remote sessions
-auth      optional     pam_reauthorize.so prepare
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    required     pam_namespace.so
session    optional     pam_keyinit.so force revoke
session    include      password-auth
session    include      postlogin
# Used with polkit to reauthorize users in remote sessions
-session   optional     pam_reauthorize.so prepare

還通過 sssd 啟用了 LDAP 身份驗證。

鑑於啟用了 LDAP 身份驗證並且該特定使用者的訪問被拒絕,這意味著該使用者尚未在 LDAP 中被授予對該伺服器的訪問權限

您可以檢查/etc/sssd/sssd.confallowed_usersallowed_groups *,*然後將使用者名添加為“allowed_users”的條目或“allowed_groups”中提到的 LDAP 組

引用自:https://serverfault.com/questions/1098148