Ssh
SSH access denied for one user
I get an error when trying to connect to a server via SSH as one particular user. This user's home directory is under /opt and contains a .ssh directory (permissions: 700) with an authorized_keys file holding the public key. It works for the other users, whose home directories are under /home, using the same rsa key with which I can connect as another user. In /var/log/secure I get:
Apr 8 14:48:22 myserver sshd[338949]: pam_sss(sshd:account): Access denied for user myuser: 6 (Permission denied)
Apr 8 14:48:22 myserver sshd[338949]: fatal: Access denied for user myuser by PAM account configuration [preauth]
With ssh -vvv the last lines are:
debug1: Server accepts key: pkalg rsa-sha2-512 blen 535
debug2: input_userauth_pk_ok: fp SHA256:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
debug3: sign_and_send_pubkey: RSA SHA256:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
debug3: send packet: type 50
Authentication failed.
If I connect to that server as another user with the same key, the only difference I can see is that the home directory is under /opt instead of /home. The user's login name contains an underscore. Have you run into this before?
EDIT: additional information: SELinux is disabled.
[root@myserver ~]# getenforce
Disabled

[myuser@myserver ~]$ ls -la /opt/myuser/
drwx------ 2 myuser myuser 80 Apr 8 14:46 .ssh

[myuser@myserver ~]# ls -l /opt/myuser/.ssh/authorized_keys
-rw------- 1 myuser myuser 1131 Apr 8 14:46 /opt/myuser/.ssh/authorized_keys

[root@myserver ~]# namei -l /opt/myuser/.ssh/authorized_keys
f: /opt/myuser/.ssh/authorized_keys
dr-xr-xr-x root   root   /
drwxr-xr-x root   root   opt
drwx------ myuser myuser myuser
drwx------ myuser myuser .ssh
-rw------- myuser myuser authorized_keys

[root@myserver ~]# grep -v ^# /etc/ssh/sshd_config
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
SyslogFacility AUTHPRIV
PermitRootLogin no
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication yes
ChallengeResponseAuthentication no
GSSAPIAuthentication yes
GSSAPICleanupCredentials no
UsePAM yes
X11Forwarding yes
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
Subsystem sftp /usr/libexec/openssh/sftp-server

[root@myserver ~]# cat /etc/pam.d/sshd
#%PAM-1.0
auth required pam_sepermit.so
auth substack password-auth
auth include postlogin
# Used with polkit to reauthorize users in remote sessions
-auth optional pam_reauthorize.so prepare
account required pam_nologin.so
account include password-auth
password include password-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open env_params
session required pam_namespace.so
session optional pam_keyinit.so force revoke
session include password-auth
session include postlogin
# Used with polkit to reauthorize users in remote sessions
-session optional pam_reauthorize.so prepare
LDAP authentication via sssd is also enabled.
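The log excerpt above shows the useful distinction: the client's key was accepted ("Server accepts key"), and the connection was then refused in the PAM account stage by pam_sss, so the problem is an authorization decision, not the key or the authorized_keys permissions. The following added example (my own code, not from the question or from OpenSSH/sssd) groups sshd log lines by process id and reports, per connection, whether it failed at the key stage or at the PAM account stage. The sample log lines are constructed: the first two copy the question's lines, the others use the standard "Accepted publickey" and "Failed publickey" messages sshd emits, with placeholder addresses and fingerprints.

```python
import re
from collections import defaultdict

# Constructed sample log. Lines 1-2 mirror the question; lines 3-4 are the
# standard sshd messages for an accepted and a rejected public key.
SAMPLE_LOG = """\
Apr 8 14:48:22 myserver sshd[338949]: pam_sss(sshd:account): Access denied for user myuser: 6 (Permission denied)
Apr 8 14:48:22 myserver sshd[338949]: fatal: Access denied for user myuser by PAM account configuration [preauth]
Apr 8 14:50:01 myserver sshd[339001]: Accepted publickey for otheruser from 192.0.2.10 port 51234 ssh2: RSA SHA256:EXAMPLEFINGERPRINTAAAAAAAAAAAAAAAAAAAAAAAAAA
Apr 8 14:51:13 myserver sshd[339020]: Failed publickey for nokeyuser from 192.0.2.11 port 51235 ssh2: RSA SHA256:EXAMPLEFINGERPRINTBBBBBBBBBBBBBBBBBBBBBBBBBB
"""

# One sshd child per connection, so the PID ties the lines of one attempt together.
LINE_RE = re.compile(r"sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
# PAM account-stage denial; the module name (pam_sss here) tells you which subsystem said no.
PAM_ACCOUNT_RE = re.compile(r"(?P<module>pam_\w+)\(sshd:account\): Access denied for user (?P<user>[^\s:]+)")
PAM_FATAL_RE = re.compile(r"Access denied for user (?P<user>[^\s:]+) by PAM account configuration")
ACCEPTED_RE = re.compile(r"Accepted publickey for (?P<user>[^\s:]+) from")
FAILED_KEY_RE = re.compile(r"Failed publickey for (?P<user>[^\s:]+) from")

# Defender-facing meaning of each verdict.
EXPLANATIONS = {
    "pam_account_denied": "key accepted; denied by the PAM account stack (sssd/LDAP access control, pam_nologin, ...), not by authorized_keys",
    "key_rejected": "no matching key in authorized_keys, or file/directory permissions make sshd ignore it",
    "accepted": "public key login succeeded",
    "unknown": "no decisive message seen for this connection",
}


def classify(log_text):
    """Group sshd lines by PID and decide which stage each connection failed at.

    Returns {pid: {"user": str|None, "verdict": str, "pam_module": str|None}}.
    """
    per_conn = defaultdict(lambda: {"user": None, "verdict": "unknown", "pam_module": None})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        rec = per_conn[m.group("pid")]
        msg = m.group("msg")

        pam = PAM_ACCOUNT_RE.search(msg)
        if pam:
            rec.update(user=pam.group("user"), pam_module=pam.group("module"), verdict="pam_account_denied")
            continue
        fatal = PAM_FATAL_RE.search(msg)
        if fatal:
            rec["user"] = fatal.group("user")
            rec["verdict"] = "pam_account_denied"
            continue
        acc = ACCEPTED_RE.search(msg)
        if acc:
            rec["user"] = acc.group("user")
            rec["verdict"] = "accepted"
            continue
        failed = FAILED_KEY_RE.search(msg)
        if failed and rec["verdict"] == "unknown":
            rec["user"] = failed.group("user")
            rec["verdict"] = "key_rejected"
    return dict(per_conn)


def report(log_text):
    """Human-readable one line per connection, for a quick triage."""
    lines = []
    for pid, rec in sorted(classify(log_text).items()):
        lines.append(f"sshd[{pid}] user={rec['user']} verdict={rec['verdict']}"
                     f"{' module=' + rec['pam_module'] if rec['pam_module'] else ''}: "
                     f"{EXPLANATIONS[rec['verdict']]}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Run it against the real file with `classify(open("/var/log/secure").read())`; a connection whose verdict is `pam_account_denied` with module `pam_sss` is exactly the situation in the question, and looking further at key paths or permissions for it is wasted effort.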
Given that LDAP authentication is enabled and this particular user is denied access, this means the user has not yet been granted access to this server in LDAP.
You can check
/etc/sssd/sssd.conf
for allowed_users and allowed_groups (*,*), then add the username as an entry under "allowed_users", or add it to an LDAP group listed under "allowed_groups".
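As an added illustration of the answer's remedy (my own code, not from the answer, the question or the sssd project), the example below evaluates a user against the host-based access control of sssd's "simple" access provider, whose real option names are `simple_allow_users`, `simple_allow_groups`, `simple_deny_users` and `simple_deny_groups` (a domain with `access_provider = simple`). The sssd.conf fragment and the group membership table are constructed; in a real deployment the group membership comes from LDAP via sssd. The decision order follows the provider's documented behaviour: deny lists win, then if any allow list is set the user must appear in one, otherwise access is allowed.

```python
import configparser
import io

# Constructed sssd.conf fragment (not the asker's file). Option names are the
# real ones of sssd's "simple" access provider.
SAMPLE_SSSD_CONF = """\
[sssd]
domains = example.com
services = nss, pam

[domain/example.com]
id_provider = ldap
auth_provider = ldap
access_provider = simple
simple_allow_users = alice, bob
simple_allow_groups = sshusers
simple_deny_users = mallory
"""

# Constructed group membership standing in for what sssd would resolve from LDAP.
SAMPLE_GROUPS = {"sshusers": {"carol", "mallory"}}


def _csv(value):
    """Split a comma-separated sssd list option into a set of names."""
    return {item.strip() for item in value.split(",") if item.strip()}


def load_domain(conf_text, domain):
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    return cp[f"domain/{domain}"]


def simple_access_decision(section, user, groups_of):
    """Return (allowed, reason) for one user under the simple access provider."""
    if section.get("access_provider", "permit") != "simple":
        return True, f"access_provider is {section.get('access_provider', 'permit')!r}; simple lists not consulted"
    allow_users = _csv(section.get("simple_allow_users", ""))
    allow_groups = _csv(section.get("simple_allow_groups", ""))
    deny_users = _csv(section.get("simple_deny_users", ""))
    deny_groups = _csv(section.get("simple_deny_groups", ""))
    user_groups = {g for g, members in groups_of.items() if user in members}

    # Deny lists take precedence over allow lists.
    if user in deny_users:
        return False, "listed in simple_deny_users"
    if user_groups & deny_groups:
        return False, f"member of denied group(s) {sorted(user_groups & deny_groups)}"
    # With at least one allow list configured, the user must match one of them.
    if allow_users or allow_groups:
        if user in allow_users:
            return True, "listed in simple_allow_users"
        if user_groups & allow_groups:
            return True, f"member of allowed group(s) {sorted(user_groups & allow_groups)}"
        return False, "not in simple_allow_users and not in any simple_allow_groups group"
    return True, "no allow lists configured; simple provider permits everyone not denied"


def add_allowed_user(conf_text, domain, user):
    """Return a new config text with `user` appended to simple_allow_users."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    section = cp[f"domain/{domain}"]
    current = _csv(section.get("simple_allow_users", ""))
    current.add(user)
    section["simple_allow_users"] = ", ".join(sorted(current))
    out = io.StringIO()
    cp.write(out)
    return out.getvalue()


def check(conf_text, domain, user, groups_of=SAMPLE_GROUPS):
    return simple_access_decision(load_domain(conf_text, domain), user, groups_of)


if __name__ == "__main__":
    for name in ("alice", "carol", "mallory", "myuser"):
        print(name, check(SAMPLE_SSSD_CONF, "example.com", name))
    fixed = add_allowed_user(SAMPLE_SSSD_CONF, "example.com", "myuser")
    print("after adding myuser:", check(fixed, "example.com", "myuser"))
```

Running the check for the denied user before and after editing the allow list reproduces the answer's fix; after changing the real sssd.conf, sssd must be restarted (or its cache cleared) for the new lists to take effect, and the PAM message in /var/log/secure is the place to confirm the denial has gone away.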