Ubuntu

Can't establish an SSH connection, even on localhost

  • April 19, 2016

I'm having trouble getting a simple SSH connection to localhost on my Ubuntu 15.10 box. The server was set up a few months ago, and I was able to create SSH access using keys, but I can't replicate that remote access for a new user. I can get in with PuTTY from my original user, but even that user can't get access via localhost.

For troubleshooting I tried simply going through localhost with a bare password, hoping to minimize the number of variables that could go wrong - if there's a better test, let me know.

I have fail2ban and a firewall, but since I can access the server remotely with the original account I don't immediately suspect those are the problem. Still, the firewall rules are output below.

Here are the steps I followed and some more data:

Create the new user and set a password

   sudo useradd teachers -m -s /bin/bash;
   sudo passwd teachers;

Configure SSH (/etc/ssh/sshd_config) for basic access for testing

   AllowUsers teachers
   PasswordAuthentication yes
   LogLevel VERBOSE

No SSH keys at this point, since I'm only trying to get password access.

Here is the output of my attempt from the command line:

   ~$ ssh -v localhost
   OpenSSH_6.9p1 Ubuntu-2ubuntu0.1, OpenSSL 1.0.2d 9 Jul 2015
   debug1: Reading configuration data /etc/ssh/ssh_config
   debug1: /etc/ssh/ssh_config line 19: Applying options for *
   debug1: Connecting to localhost [127.0.0.1] port 22.
   debug1: Connection established.
   debug1: SELinux support disabled
   debug1: key_load_public: No such file or directory
   debug1: identity file /home/teachers/.ssh/id_rsa type -1
   debug1: key_load_public: No such file or directory
   debug1: identity file /home/teachers/.ssh/id_rsa-cert type -1
   debug1: key_load_public: No such file or directory
   debug1: identity file /home/teachers/.ssh/id_dsa type -1
   debug1: key_load_public: No such file or directory
   debug1: identity file /home/teachers/.ssh/id_dsa-cert type -1
   debug1: key_load_public: No such file or directory
   debug1: identity file /home/teachers/.ssh/id_ecdsa type -1
   debug1: key_load_public: No such file or directory
   debug1: identity file /home/teachers/.ssh/id_ecdsa-cert type -1
   debug1: key_load_public: No such file or directory
   debug1: identity file /home/teachers/.ssh/id_ed25519 type -1
   debug1: key_load_public: No such file or directory
   debug1: identity file /home/teachers/.ssh/id_ed25519-cert type -1
   debug1: Enabling compatibility mode for protocol 2.0
   debug1: Local version string SSH-2.0-OpenSSH_6.9p1 Ubuntu-2ubuntu0.1
   debug1: Remote protocol version 2.0, remote software version OpenSSH_6.9p1 Ubuntu-2ubuntu0.1
   debug1: match: OpenSSH_6.9p1 Ubuntu-2ubuntu0.1 pat OpenSSH* compat 0x04000000
   debug1: Authenticating to localhost:22 as 'teachers'
   debug1: SSH2_MSG_KEXINIT sent
   debug1: SSH2_MSG_KEXINIT received
   debug1: kex: server->client chacha20-poly1305@openssh.com <implicit> none
   debug1: kex: client->server chacha20-poly1305@openssh.com <implicit> none
   debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
   debug1: Server host key: ecdsa-sha2-nistp256 SHA256:AS0MYlPqe9JOcx5ygQN9jIN2jdDV850oCSCmtp+cy2w
   The authenticity of host 'localhost (127.0.0.1)' can't be established.
   ECDSA key fingerprint is SHA256:AS0MYlPqe9JOcx5ygQN9jIN2jdDV850oCSCmtp+cy2w.
   Are you sure you want to continue connecting (yes/no)? yes
   Warning: Permanently added 'localhost' (ECDSA) to the list of known hosts.
   debug1: SSH2_MSG_NEWKEYS sent
   debug1: expecting SSH2_MSG_NEWKEYS
   debug1: SSH2_MSG_NEWKEYS received
   debug1: SSH2_MSG_SERVICE_REQUEST sent
   debug1: SSH2_MSG_SERVICE_ACCEPT received

   ################################################################################
   # This is a restricted system....                                              #
   ################################################################################

   debug1: Authentications that can continue: publickey,password
   debug1: Next authentication method: publickey
   debug1: Trying private key: /home/teachers/.ssh/id_rsa
   debug1: Trying private key: /home/teachers/.ssh/id_dsa
   debug1: Trying private key: /home/teachers/.ssh/id_ecdsa
   debug1: Trying private key: /home/teachers/.ssh/id_ed25519
   debug1: Next authentication method: password
   teachers@localhost's password:
   debug1: Authentications that can continue: publickey,password
   Permission denied, please try again.
   teachers@localhost's password:
   debug1: Authentications that can continue: publickey,password
   Permission denied, please try again.
   teachers@localhost's password:
   debug1: Authentications that can continue: publickey,password
   debug1: No more authentication methods to try.
   Permission denied (publickey,password).

Here is the auth.log from my access attempt:

   Apr 19 05:41:52 lists sshd[27165]: Set /proc/self/oom_score_adj to 0
   Apr 19 05:41:52 lists sshd[27165]: Connection from 127.0.0.1 port 45192 on 127.0.0.1 port 22
   Apr 19 05:42:03 lists sshd[27165]: PAM (sshd) illegal module type: umask
   Apr 19 05:42:03 lists sshd[27165]: PAM pam_parse: expecting return value; [...002]
   Apr 19 05:42:03 lists sshd[27165]: PAM (sshd) no module name supplied
   Apr 19 05:42:13 lists sshd[27165]: Failed password for teachers from 127.0.0.1 port 45192 ssh2
   Apr 19 05:42:20 lists sshd[27165]: Failed password for teachers from 127.0.0.1 port 45192 ssh2
   Apr 19 05:42:27 lists sshd[27165]: Failed password for teachers from 127.0.0.1 port 45192 ssh2
   Apr 19 05:42:27 lists sshd[27165]: Connection closed by 127.0.0.1 [preauth]

Here is the output of my iptables:

   $ sudo iptables -L
   Chain INPUT (policy ACCEPT)
   target     prot opt source               destination
   DROP       tcp  --  222.0.0.0/8          anywhere             tcp dpt:ssh
   fail2ban-dovecot  tcp  --  anywhere             anywhere             multiport dports smtp,urd,submission,imap2,imap3,imaps,pop3,pop3s
   fail2ban-postfix  tcp  --  anywhere             anywhere             multiport dports smtp,urd,submission
   fail2ban-sasl  tcp  --  anywhere             anywhere             multiport dports smtp,urd,submission,imap2,imap3,imaps,pop3,pop3s
   fail2ban-ssh  tcp  --  anywhere             anywhere             multiport dports ssh
   DROP       tcp  --  222.186.34.202       anywhere             tcp dpt:ssh
   fail2ban-dovecot  tcp  --  anywhere             anywhere             multiport dports smtp,urd,submission,imap2,imap3,imaps,pop3,pop3s
   fail2ban-postfix  tcp  --  anywhere             anywhere             multiport dports smtp,urd,submission
   fail2ban-sasl  tcp  --  anywhere             anywhere             multiport dports smtp,urd,submission,imap2,imap3,imaps,pop3,pop3s
   fail2ban-ssh  tcp  --  anywhere             anywhere             multiport dports ssh
   ACCEPT     all  --  anywhere             anywhere
   ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
   ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
   ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
   LOG        all  --  anywhere             anywhere             limit: avg 5/min burst 5 LOG level debug prefix "iptables denied: "
   ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
   ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:2812
   ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:smtp
   ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:pop3
   ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:submission
   DROP       all  --  anywhere             anywhere

   Chain FORWARD (policy ACCEPT)
   target     prot opt source               destination

   Chain OUTPUT (policy ACCEPT)
   target     prot opt source               destination

   Chain fail2ban-dovecot (2 references)
   target     prot opt source               destination
   RETURN     all  --  anywhere             anywhere
   RETURN     all  --  anywhere             anywhere

   Chain fail2ban-postfix (2 references)
   target     prot opt source               destination
   RETURN     all  --  anywhere             anywhere
   RETURN     all  --  anywhere             anywhere

   Chain fail2ban-sasl (2 references)
   target     prot opt source               destination
   RETURN     all  --  anywhere             anywhere
   RETURN     all  --  anywhere             anywhere

   Chain fail2ban-ssh (2 references)
   target     prot opt source               destination
   RETURN     all  --  anywhere             anywhere
   RETURN     all  --  anywhere             anywhere

I believe this shows that port 22 should be available:

   $ nc -z -v -w 5 localhost 22
   Connection to localhost 22 port [tcp/ssh] succeeded!

EDIT: including the sshd config:

   $ cat /etc/ssh/sshd_config
   # What ports, IPs and protocols we listen for
   Port 22
   # Use these options to restrict which interfaces/protocols sshd will bind to
   #ListenAddress ::
   #ListenAddress 0.0.0.0
   Protocol 2
   # HostKeys for protocol version 2
   HostKey /etc/ssh/ssh_host_rsa_key
   HostKey /etc/ssh/ssh_host_dsa_key
   HostKey /etc/ssh/ssh_host_ecdsa_key
   HostKey /etc/ssh/ssh_host_ed25519_key
   #Privilege Separation is turned on for security
   UsePrivilegeSeparation yes

   # Lifetime and size of ephemeral version 1 server key
   KeyRegenerationInterval 3600
   ServerKeyBits 1024

   # Logging
   SyslogFacility AUTH
   LogLevel VERBOSE

   # Authentication:
   LoginGraceTime 120
   PermitRootLogin no
   StrictModes yes

   RSAAuthentication yes
   PubkeyAuthentication yes
   #AuthorizedKeysFile     %h/.ssh/authorized_keys

   # Don't read the user's ~/.rhosts and ~/.shosts files
   IgnoreRhosts yes
   # For this to work you will also need host keys in /etc/ssh_known_hosts
   RhostsRSAAuthentication no
   # similar for protocol version 2
   HostbasedAuthentication no
   # Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
   #IgnoreUserKnownHosts yes

   # To enable empty passwords, change to yes (NOT RECOMMENDED)
   PermitEmptyPasswords no

   # Change to yes to enable challenge-response passwords (beware issues with
   # some PAM modules and threads)
   ChallengeResponseAuthentication no

   # Change to no to disable tunnelled clear text passwords
   PasswordAuthentication yes

   # Kerberos options
   #KerberosAuthentication no
   #KerberosGetAFSToken no
   #KerberosOrLocalPasswd yes
   #KerberosTicketCleanup yes

   # GSSAPI options
   #GSSAPIAuthentication no
   #GSSAPICleanupCredentials yes

   X11Forwarding yes
   X11DisplayOffset 10
   PrintMotd no
   PrintLastLog yes
   TCPKeepAlive yes
   #UseLogin no

   #MaxStartups 10:30:60
   Banner /etc/issue.net

   # Allow client to pass locale environment variables
   AcceptEnv LANG LC_*

   Subsystem sftp /usr/lib/openssh/sftp-server

   # Set this to 'yes' to enable PAM authentication, account processing,
   # and session processing. If this is enabled, PAM authentication will
   # be allowed through the ChallengeResponseAuthentication and
   # PasswordAuthentication.  Depending on your PAM configuration,
   # PAM authentication via ChallengeResponseAuthentication may bypass
   # the setting of "PermitRootLogin yes
   # If you just want the PAM account and session checks to run without
   # PAM authentication, then enable this but set PasswordAuthentication
   # and ChallengeResponseAuthentication to 'no'.
   UsePAM yes

   AllowUsers listman teachers

The only file in /etc/pam.d/ is /etc/pam.d/sshd:

   $ cat /etc/pam.d/sshd
   # PAM configuration for the Secure Shell service

   umask 002

   # Standard Un*x authentication.
   @include common-auth

   # Disallow non-root logins when /etc/nologin exists.
   account    required     pam_nologin.so

   # Uncomment and edit /etc/security/access.conf if you need to set complex
   # access limits that are hard to express in sshd_config.
   # account  required     pam_access.so

   # Standard Un*x authorization.
   @include common-account

   # SELinux needs to be the first session rule.  This ensures that any
   # lingering context has been cleared.  Without this it is possible that a
   # module could execute code in the wrong domain.
   session [success=ok ignore=ignore module_unknown=ignore default=bad]        pam_selinux.so close

   # Set the loginuid process attribute.
   session    required     pam_loginuid.so

   # Create a new session keyring.
   session    optional     pam_keyinit.so force revoke

   # Standard Un*x session setup and teardown.
   @include common-session

   # Print the message of the day upon successful login.
   # This includes a dynamically generated part from /run/motd.dynamic
   # and a static (admin-editable) part from /etc/motd.
   session    optional     pam_motd.so  motd=/run/motd.dynamic
   session    optional     pam_motd.so noupdate

   # Print the status of the user's mailbox upon successful login.
   session    optional     pam_mail.so standard noenv # [1]

   # Set up user limits from /etc/security/limits.conf.
   session    required     pam_limits.so

   # Read environment variables from /etc/environment and
   # /etc/security/pam_env.conf.
   session    required     pam_env.so # [1]
   # In Debian 4.0 (etch), locale-related environment variables were moved to
   # /etc/default/locale, so read that as well.
   session    required     pam_env.so user_readenv=1 envfile=/etc/default/locale

   # SELinux needs to intervene at login time to ensure that the process starts
   # in the proper default security context.  Only sessions which are intended
   # to run in the user's context should be run after this.
   session [success=ok ignore=ignore module_unknown=ignore default=bad]        pam_selinux.so open

   # Standard Un*x password updating.
   @include common-password

What am I missing here?

   umask 002

is not a valid PAM configuration by itself. Remove it.

To set the umask for ssh sessions, see this Serverfault thread:

How to set umask for ssh for all types of connections
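As an added example (not part of the question or the answer above), here is a small Python linter that applies the rule the answer relies on: every non-comment line in a /etc/pam.d service file must be either an `@include` directive or a rule of the form `type control module [args]`. Run over a constructed excerpt modelled on the posted /etc/pam.d/sshd, it flags only the bare `umask 002` line, using the same "illegal module type" wording that libpam logged in the question's auth.log, and it accepts the excerpt once that line is replaced by `session optional pam_umask.so umask=002`, pam_umask being the PAM module that actually sets a umask. The linter reports the first problem it finds on each line, whereas libpam logs one message per problem on the same line (the three "PAM (sshd)" lines in the log all come from that one `umask 002` line).

```python
"""Lint a PAM service file (/etc/pam.d/<service>) for malformed rules.

Every non-comment line must be either an '@include <file>' directive or
a rule of the form:   type  control  module-path  [module-arguments]
where 'type' is one of auth/account/password/session (optionally prefixed
with '-' to silence missing-module errors) and 'control' is either a
keyword or a bracketed [key=value ...] list.
"""
import re

PAM_TYPES = {"auth", "account", "password", "session"}
SIMPLE_CONTROLS = {"required", "requisite", "sufficient", "optional",
                   "include", "substack"}
BRACKET_CONTROL = re.compile(r"\[[^\]]*\]")


def parse_pam_line(line):
    """Parse one line of a PAM service file.

    Returns None for blank/comment lines, ('include', file) for @include
    directives, or (type, control, module, args) for rules.  Raises
    ValueError with a message modelled on libpam's own diagnostics.
    """
    stripped = line.split("#", 1)[0].strip()      # drop comments
    if not stripped:
        return None
    if stripped.startswith("@include"):
        parts = stripped.split(None, 1)
        if len(parts) < 2:
            raise ValueError("@include without a file name")
        return ("include", parts[1].strip())

    fields = stripped.split(None, 1)
    ptype = fields[0].lstrip("-")                  # '-session' is still 'session'
    if ptype not in PAM_TYPES:
        raise ValueError(f"illegal module type: {fields[0]}")
    rest = fields[1] if len(fields) > 1 else ""

    if rest.startswith("["):                       # bracketed control, may contain spaces
        m = BRACKET_CONTROL.match(rest)
        if not m:
            raise ValueError("expecting return value; unterminated '['")
        control = m.group(0)
        rest = rest[m.end():].strip()
    else:
        parts = rest.split(None, 1)
        control = parts[0] if parts else ""
        rest = parts[1] if len(parts) > 1 else ""
        if control not in SIMPLE_CONTROLS:
            raise ValueError(f"unknown control flag: {control!r}")

    parts = rest.split(None, 1)
    if not parts:
        raise ValueError("no module name supplied")
    module = parts[0]
    args = parts[1] if len(parts) > 1 else ""
    return (ptype, control, module, args)


def lint_pam_config(text):
    """Return a list of (line_number, line, error) for every malformed line."""
    problems = []
    for n, line in enumerate(text.splitlines(), start=1):
        try:
            parse_pam_line(line)
        except ValueError as e:
            problems.append((n, line.strip(), str(e)))
    return problems


# Constructed excerpt modelled on the /etc/pam.d/sshd posted in the question
# (not the full file).  The bare 'umask 002' line is the one libpam rejects.
BROKEN_SSHD_PAM = """\
# PAM configuration for the Secure Shell service

umask 002

# Standard Un*x authentication.
@include common-auth

# Disallow non-root logins when /etc/nologin exists.
account    required     pam_nologin.so

session [success=ok ignore=ignore module_unknown=ignore default=bad]        pam_selinux.so close
session    required     pam_loginuid.so
session    optional     pam_motd.so  motd=/run/motd.dynamic
session    required     pam_env.so user_readenv=1 envfile=/etc/default/locale
"""

# Same excerpt with the umask set the PAM way, via the pam_umask module.
FIXED_SSHD_PAM = BROKEN_SSHD_PAM.replace(
    "umask 002", "session    optional     pam_umask.so umask=002")


if __name__ == "__main__":
    for lineno, text, err in lint_pam_config(BROKEN_SSHD_PAM):
        print(f"line {lineno}: {err}: {text!r}")
    print("fixed config problems:", lint_pam_config(FIXED_SSHD_PAM))
```

Point it at a real file with `lint_pam_config(open("/etc/pam.d/sshd").read())`; anything it reports is something sshd will also complain about in auth.log at the moment a login is attempted, since PAM parses the service file per session rather than at daemon start.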

Source: https://serverfault.com/questions/771441