Ssh
成功登錄後立即關閉 ssh 連接
我正在執行 Fedora 18,只是設置了一個靜態 IP 地址。使用動態 IP 地址,我能夠成功使用 ssh,但是現在我收到了消息:
Last login: Thu Jul 11 12:56:39 2013 from quest.it.northwestern.edu Connection to mahavira closed.表示登錄成功,然後立即關閉連接。
的輸出
ssh -vvv namu@mahavira是:[nkp@quser03 ~]$ ssh -vvv namu@mahavira OpenSSH_5.3p1, OpenSSL 1.0.0-fips 29 Mar 2010 debug1: Reading configuration data /etc/ssh/ssh_config debug1: Applying options for * debug2: ssh_connect: needpriv 0 debug1: Connecting to mahavira [xxx.xxx.xx.xx] port 22. debug1: Connection established. debug1: identity file /home/nkp/.ssh/identity type -1 debug3: Not a RSA1 key file /home/nkp/.ssh/id_rsa. debug2: key_type_from_name: unknown key type '-----BEGIN' debug3: key_read: missing keytype debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug2: key_type_from_name: unknown key type '-----END' debug3: key_read: missing keytype debug1: identity file /home/nkp/.ssh/id_rsa type 1 debug1: identity file /home/nkp/.ssh/id_dsa type -1 debug1: Remote protocol version 2.0, remote software version OpenSSH_6.1 debug1: match: OpenSSH_6.1 pat OpenSSH* debug1: Enabling compatibility mode for protocol 2.0 debug1: Local version string SSH-2.0-OpenSSH_5.3 debug2: fd 3 setting O_NONBLOCK debug1: SSH2_MSG_KEXINIT sent debug3: Wrote 792 bytes for a total of 813 debug1: SSH2_MSG_KEXINIT received debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 debug2: kex_parse_kexinit: ssh-rsa,ssh-dss debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: first_kex_follows 0 debug2: kex_parse_kexinit: reserved 0 debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 debug2: kex_parse_kexinit: ssh-rsa,ssh-dss debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: none,zlib@openssh.com debug2: kex_parse_kexinit: none,zlib@openssh.com debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: first_kex_follows 0 debug2: kex_parse_kexinit: reserved 0 debug2: mac_setup: found hmac-md5 debug1: kex: server->client aes128-ctr hmac-md5 none debug2: mac_setup: found hmac-md5 debug1: kex: client->server aes128-ctr hmac-md5 none debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP debug3: Wrote 24 bytes for a total of 837 debug2: dh_gen_key: priv key bits set: 125/256 debug2: bits set: 516/1024 debug1: SSH2_MSG_KEX_DH_GEX_INIT sent debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY debug3: Wrote 144 bytes for a total of 981 debug3: check_host_in_hostfile: filename /home/nkp/.ssh/known_hosts debug3: check_host_in_hostfile: match line 1 debug3: check_host_in_hostfile: filename /home/nkp/.ssh/known_hosts debug3: check_host_in_hostfile: match line 1 debug1: Host 'mahavira' is known and matches the RSA host key. debug1: Found key in /home/nkp/.ssh/known_hosts:1 debug2: bits set: 509/1024 debug1: ssh_rsa_verify: signature correct debug2: kex_derive_keys debug2: set_newkeys: mode 1 debug1: SSH2_MSG_NEWKEYS sent debug1: expecting SSH2_MSG_NEWKEYS debug3: Wrote 16 bytes for a total of 997 debug2: set_newkeys: mode 0 debug1: SSH2_MSG_NEWKEYS received debug1: SSH2_MSG_SERVICE_REQUEST sent debug3: Wrote 48 bytes for a total of 1045 debug2: service_accept: ssh-userauth debug1: SSH2_MSG_SERVICE_ACCEPT received debug2: key: /home/nkp/.ssh/identity ((nil)) debug2: key: /home/nkp/.ssh/id_rsa (0x2abc51559610) debug2: key: /home/nkp/.ssh/id_dsa ((nil)) debug3: Wrote 64 bytes for a total of 1109 debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password debug3: start over, passed a different list publickey,gssapi-keyex,gssapi-with-mic,password debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password debug3: authmethod_lookup gssapi-keyex debug3: remaining preferred: gssapi-with-mic,publickey,keyboard-interactive,password debug3: authmethod_is_enabled gssapi-keyex debug1: Next authentication method: gssapi-keyex debug1: No valid Key exchange context debug2: we did not send a packet, disable method debug3: authmethod_lookup gssapi-with-mic debug3: remaining preferred: publickey,keyboard-interactive,password debug3: authmethod_is_enabled gssapi-with-mic debug1: Next authentication method: gssapi-with-mic debug3: Trying to reverse map address xxx.xxx.xx.xx. debug1: Unspecified GSS failure. Minor code may provide more information Server not found in Kerberos database debug1: Unspecified GSS failure. Minor code may provide more information Server not found in Kerberos database debug1: Unspecified GSS failure. Minor code may provide more information debug2: we sent a gssapi-with-mic packet, wait for reply debug3: Wrote 96 bytes for a total of 1205 debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password debug2: we did not send a packet, disable method debug3: authmethod_lookup publickey debug3: remaining preferred: keyboard-interactive,password debug3: authmethod_is_enabled publickey debug1: Next authentication method: publickey debug1: Trying private key: /home/nkp/.ssh/identity debug3: no such identity: /home/nkp/.ssh/identity debug1: Offering public key: /home/nkp/.ssh/id_rsa debug3: send_pubkey_test debug2: we sent a publickey packet, wait for reply debug3: Wrote 368 bytes for a total of 1573 debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password debug1: Trying private key: /home/nkp/.ssh/id_dsa debug3: no such identity: /home/nkp/.ssh/id_dsa debug2: we did not send a packet, disable method debug3: authmethod_lookup password debug3: remaining preferred: ,password debug3: authmethod_is_enabled password debug1: Next authentication method: password namu@mahavira's password: debug3: packet_send2: adding 48 (len 62 padlen 18 extra_pad 64) debug2: we sent a password packet, wait for reply debug3: Wrote 144 bytes for a total of 1717 debug1: Authentication succeeded (password). debug1: channel 0: new [client-session] debug3: ssh_session2_open: channel_new: 0 debug2: channel 0: send open debug1: Requesting no-more-sessions@openssh.com debug1: Entering interactive session. debug3: Wrote 128 bytes for a total of 1845 debug2: callback start debug2: client_session2_setup: id 0 debug2: channel 0: request pty-req confirm 1 debug1: Sending environment. debug3: Ignored env MODULE_VERSION_STACK debug3: Ignored env MANPATH debug3: Ignored env HOSTNAME debug3: Ignored env TERM debug3: Ignored env SHELL debug3: Ignored env HISTSIZE debug3: Ignored env SSH_CLIENT debug3: Ignored env QTDIR debug3: Ignored env QTINC debug3: Ignored env SSH_TTY debug3: Ignored env USER debug3: Ignored env LD_LIBRARY_PATH debug3: Ignored env LS_COLORS debug3: Ignored env MODULE_VERSION debug3: Ignored env MAIL debug3: Ignored env PATH debug3: Ignored env PWD debug3: Ignored env _LMFILES_ debug1: Sending env XMODIFIERS = @im=ibus debug2: channel 0: request env confirm 0 debug3: Ignored env KDE_IS_PRELINKED debug1: Sending env LANG = en_US.utf8 debug2: channel 0: request env confirm 0 debug3: Ignored env MODULEPATH debug3: Ignored env MOABHOMEDIR debug3: Ignored env LOADEDMODULES debug3: Ignored env KDEDIRS debug3: Ignored env SSH_ASKPASS debug3: Ignored env HISTCONTROL debug3: Ignored env KRB5CCNAME debug3: Ignored env SHLVL debug3: Ignored env HOME debug3: Ignored env PBS_DEFAULT debug3: Ignored env LOGNAME debug3: Ignored env QTLIB debug3: Ignored env CVS_RSH debug3: Ignored env SSH_CONNECTION debug3: Ignored env GXX_ROOT debug3: Ignored env MODULESHOME debug3: Ignored env PKG_CONFIG_PATH debug3: Ignored env LESSOPEN debug3: Ignored env INFOPATH debug3: Ignored env G_BROKEN_FILENAMES debug3: Ignored env module debug3: Ignored env _ debug2: channel 0: request shell confirm 1 debug2: fd 3 setting TCP_NODELAY debug2: callback done debug2: channel 0: open confirm rwindow 0 rmax 32768 debug3: Wrote 512 bytes for a total of 2357 debug2: channel_input_status_confirm: type 99 id 0 debug2: PTY allocation request accepted on channel 0 debug2: channel 0: rcvd adjust 2097152 debug2: channel_input_status_confirm: type 99 id 0 debug2: shell request accepted on channel 0 debug1: client_input_channel_req: channel 0 rtype exit-status reply 0 debug1: client_input_channel_req: channel 0 rtype eow@openssh.com reply 0 debug2: channel 0: rcvd eow debug2: channel 0: close_read debug2: channel 0: input open -> closed debug2: channel 0: rcvd eof debug2: channel 0: output open -> drain debug2: channel 0: rcvd close debug3: channel 0: will not send data after close debug1: channel 0: forcing write Last login: Thu Jul 11 13:04:23 2013 from quest.it.northwestern.edu debug3: channel 0: will not send data after close debug2: channel 0: obuf empty debug2: channel 0: close_write debug2: channel 0: output drain -> closed debug2: channel 0: almost dead debug2: channel 0: gc: notify user debug2: channel 0: gc: user detached debug2: channel 0: send close debug2: channel 0: is dead debug2: channel 0: garbage collecting debug1: channel 0: free: client-session, nchannels 1 debug3: channel 0: status: The following connections are open: #0 client-session (t4 r0 i3/0 o3/0 fd -1/-1 cfd -1) debug3: channel 0: close_fds r -1 w -1 e 6 c -1 debug3: Wrote 32 bytes for a total of 2389 debug3: Wrote 64 bytes for a total of 2453 Connection to mahavira closed. Transferred: sent 2224, received 2272 bytes, in 0.1 seconds Bytes per second: sent 22447.6, received 22932.1 debug1: Exit status 254我以物理方式登錄,但、 或文件
mahavira中沒有條目。目錄權限為:/etc/hosts.allow``/etc/hosts.deny``/etc/ssh/sshd_config``~/.ssh-rw-r--r--. 1 namu namu 0 Jul 11 12:14 known_hosts目錄內容的權限為
ssh:drwxr-xr-x. 2 root root 4096 Jul 11 12:05 . drwxr-xr-x. 137 root root 12288 Jul 11 12:41 .. -rw-------. 1 root root 245058 Jun 20 03:53 moduli -rw-r--r--. 1 root root 2104 Jun 20 03:53 ssh_config -rw-------. 1 root root 4375 Jun 20 03:53 sshd_config -rw-r-----. 1 root ssh_keys 668 Apr 30 16:32 ssh_host_dsa_key -rw-r--r--. 1 root root 590 Apr 30 16:32 ssh_host_dsa_key.pub -rw-r-----. 1 root ssh_keys 965 Apr 30 16:32 ssh_host_key -rw-r--r--. 1 root root 630 Apr 30 16:32 ssh_host_key.pub -rw-r-----. 1 root ssh_keys 1679 Apr 30 16:32 ssh_host_rsa_key -rw-r--r--. 1 root root 382 Apr 30 16:32 ssh_host_rsa_key.pub的內容
etc/ssh/sshd_config是:# $OpenBSD: sshd_config,v 1.87 2012/07/10 02:19:15 djm Exp $ # This is the sshd server system-wide configuration file. See # sshd_config(5) for more information. # This sshd was compiled with PATH=/usr/local/bin:/usr/bin # The strategy used for options in the default sshd_config shipped with # OpenSSH is to specify options with their default value where # possible, but leave them commented. Uncommented options override the # default value. # If you want to change the port on a SELinux system, you have to tell # SELinux about this change. # semanage port -a -t ssh_port_t -p tcp #PORTNUMBER # #Port 22 #AddressFamily any #ListenAddress 0.0.0.0 #ListenAddress :: # The default requires explicit activation of protocol 1 #Protocol 2 # HostKey for protocol version 1 #HostKey /etc/ssh/ssh_host_key # HostKeys for protocol version 2 #HostKey /etc/ssh/ssh_host_rsa_key #HostKey /etc/ssh/ssh_host_dsa_key #HostKey /etc/ssh/ssh_host_ecdsa_key # Lifetime and size of ephemeral version 1 server key #KeyRegenerationInterval 1h #ServerKeyBits 1024 # Logging # obsoletes QuietMode and FascistLogging #SyslogFacility AUTH SyslogFacility AUTHPRIV #LogLevel INFO # Authentication: #LoginGraceTime 2m #PermitRootLogin yes #StrictModes yes #MaxAuthTries 6 #MaxSessions 10 #RSAAuthentication yes #PubkeyAuthentication yes # The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2 # but this is overridden so installations will only check .ssh/authorized_keys AuthorizedKeysFile .ssh/authorized_keys #AuthorizedKeysCommand none #AuthorizedKeysCommandUser nobody #AuthorizedPrincipalsFile none # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts #RhostsRSAAuthentication no # similar for protocol version 2 #HostbasedAuthentication no # Change to yes if you don't trust ~/.ssh/known_hosts for # RhostsRSAAuthentication and HostbasedAuthentication #IgnoreUserKnownHosts no # Don't read the user's ~/.rhosts and ~/.shosts files #IgnoreRhosts yes # To disable tunneled clear text passwords, change to no here! #PasswordAuthentication yes #PermitEmptyPasswords no PasswordAuthentication yes # Change to no to disable s/key passwords #ChallengeResponseAuthentication yes ChallengeResponseAuthentication no # Kerberos options #KerberosAuthentication no #KerberosOrLocalPasswd yes #KerberosTicketCleanup yes #KerberosGetAFSToken no #KerberosUseKuserok yes # GSSAPI options #GSSAPIAuthentication no GSSAPIAuthentication yes #GSSAPICleanupCredentials yes GSSAPICleanupCredentials yes #GSSAPIStrictAcceptorCheck yes #GSSAPIKeyExchange no # Set this to 'yes' to enable PAM authentication, account processing, # and session processing. If this is enabled, PAM authentication will # be allowed through the ChallengeResponseAuthentication and # PasswordAuthentication. Depending on your PAM configuration, # PAM authentication via ChallengeResponseAuthentication may bypass # the setting of "PermitRootLogin without-password". # If you just want the PAM account and session checks to run without # PAM authentication, then enable this but set PasswordAuthentication # and ChallengeResponseAuthentication to 'no'. # WARNING: 'UsePAM no' is not supported in Fedora and may cause several # problems. #UsePAM no UsePAM yes #AllowAgentForwarding yes #AllowTcpForwarding yes #GatewayPorts no #X11Forwarding no X11Forwarding yes #X11DisplayOffset 10 #X11UseLocalhost yes #PrintMotd yes #PrintLastLog yes #TCPKeepAlive yes #UseLogin no UsePrivilegeSeparation sandbox # Default for new installations. #PermitUserEnvironment no #Compression delayed #ClientAliveInterval 0 #ClientAliveCountMax 3 #ShowPatchLevel no #UseDNS yes #PidFile /var/run/sshd.pid #MaxStartups 10:30:100 #PermitTunnel no #ChrootDirectory none #VersionAddendum none # no default banner path #Banner none # Accept locale-related environment variables AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE AcceptEnv XMODIFIERS # override default of no subsystems Subsystem sftp /usr/libexec/openssh/sftp-server # Uncomment this if you want to use .local domain #Host *.local # CheckHostIP no # Example of overriding settings on a per-user basis #Match User anoncvs # X11Forwarding no # AllowTcpForwarding no # ForceCommand cvs server最新內容來自
/var/log/secure:Jul 11 13:05:25 mahavira sshd[22505]: Accepted password for namu from 165.124.130.7 port 50810 ssh2 Jul 11 13:05:25 mahavira sshd[22505]: pam_unix(sshd:session): session opened for user namu by (uid=0) Jul 11 13:05:25 mahavira sshd[22505]: error: PAM: pam_open_session(): Permission denied Jul 11 13:05:25 mahavira sshd[22509]: Received disconnect from 165.124.130.7: 11: disconnected by user Jul 11 13:33:15 mahavira su: pam_unix(su:session): session opened for user root by namu(uid=1000)有人指出存在 PAM 問題。的內容
/etc/pam.d/sshd是:#%PAM-1.0 auth required pam_sepermit.so auth substack password-auth auth include postlogin account required pam_nologin.so account include password-auth password include password-auth # pam_selinux.so close should be the first session rule session required pam_selinux.so close session required pam_loginuid.so # pam_selinux.so open should only be followed by sessions to be executed in the user context session required pam_selinux.so open env_params session optional pam_keyinit.so force revoke session include password-auth session include postlogin的內容
/etc/pam.d/password-auth是:#%PAM-1.0 # This file is auto-generated. # User changes will be destroyed the next time authconfig is run. auth required pam_env.so auth sufficient pam_unix.so nullok try_first_pass auth requisite pam_succeed_if.so uid >= 1000 quiet_success auth required pam_deny.so account required pam_unix.so account sufficient pam_localuser.so account sufficient pam_succeed_if.so uid < 1000 quiet account required pam_permit.so password requisite pam_pwquality.so try_first_pass retry=3 type= password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok password required pam_deny.so session optional pam_keyinit.so revoke session required pam_limits.so -session optional pam_systemd.so session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid session required pam_unix.so的內容
/etc/pam.d/postlogin是:#%PAM-1.0 # This file is auto-generated. # User changes will be destroyed the next time authconfig is run. session [success=1 default=ignore] pam_succeed_if.so service !~ gdm* service !~ su* quiet session [default=1] pam_lastlog.so nowtmp silent session optional pam_lastlog.so silent noupdate showfailed
問題是我設置靜態 IP 地址的方式。我使用了
NetworkGUI,它創建了一個文件/etc/sysconfig/network-scripts/ifcfg-Wired_connection_2。ifconfig 的輸出僅顯示 和 下的lo條目p6p1。通常,該文件應該以 的名稱創建ifcfg-p6p1,但奇怪的是,重命名它並重新啟動我的電腦解決了這個問題。靜態 IP 始終可以手動設置,為將來選擇採用此路徑的使用者提供參考,ifcfg作業系統創建的文件條目如下所示:TYPE=Ethernet BOOTPROTO=none IPADDR0=xxx.xxx.xx.xx PREFIX0=24 GATEWAY0=xxx.xxx.xx.x DNS1=xxx.xxx.xx.x DNS2=xxx.xxx.xx.x DEFROUTE=yes IPV4_FAILURE_FATAL=no IPV6INIT=yes IPV6_AUTOCONF=yes IPV6_DEFROUTE=yes IPV6_FAILURE_FATAL=no NAME=p6p1 UUID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx ONBOOT=yes HWADDR=xx:xx:xx:xx:xx:xx IPV6_PEERDNS=yes IPV6_PEERROUTES=yes請注意,大多數x條目可以從
ifconfig在終端中執行命令的輸出中獲得。此外,設置靜態 IP 不需要這些變數中的大多數,但 GUI 就是這樣做的。
/etc/passwd當使用者沒有正確SHELL設置時,這似乎是一個常見問題。檢查/etc/passwd。# cat /etc/passwd pi:x:1000:1000:,,,:/home/pi:/bin/bash sshd:x:107:65534::/run/sshd:/usr/sbin/nologin ...如果最後一部分顯示bash或sh以外的內容,那麼您就有問題了。