Ubuntu
Cannot establish an SSH connection, even on localhost
I'm having trouble getting a simple SSH connection to localhost on my Ubuntu 15.10 box. The server was set up a few months ago and I was able to create SSH access with keys then, but I can't replicate that remote access for a new user. I can get in with PuTTY from my original user, but even that user can't get in via localhost.
For troubleshooting I'm trying to get in simply via localhost with a bare password, hoping to minimise the variables that could go wrong - if there is a better test, please let me know.
I have fail2ban and a firewall, but since I can access the server remotely with the original account I don't immediately suspect those are the problem. Nevertheless, the firewall rules are included in the output below.
Here are the steps I followed and some more data:
Create the new user and set a password
sudo useradd teachers -m -s /bin/bash; sudo passwd teachers;
Configure SSH (/etc/ssh/sshd_config) for basic access for testing
AllowUsers teachers
PasswordAuthentication yes
LogLevel VERBOSE
No SSH keys yet at this point, because I just want to get password access working.
Here is the output of my attempt on the command line:
~$ ssh -v localhost
OpenSSH_6.9p1 Ubuntu-2ubuntu0.1, OpenSSL 1.0.2d 9 Jul 2015
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to localhost [127.0.0.1] port 22.
debug1: Connection established.
debug1: SELinux support disabled
debug1: key_load_public: No such file or directory
debug1: identity file /home/teachers/.ssh/id_rsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/teachers/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/teachers/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/teachers/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/teachers/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/teachers/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/teachers/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/teachers/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.9p1 Ubuntu-2ubuntu0.1
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.9p1 Ubuntu-2ubuntu0.1
debug1: match: OpenSSH_6.9p1 Ubuntu-2ubuntu0.1 pat OpenSSH* compat 0x04000000
debug1: Authenticating to localhost:22 as 'teachers'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client chacha20-poly1305@openssh.com <implicit> none
debug1: kex: client->server chacha20-poly1305@openssh.com <implicit> none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:AS0MYlPqe9JOcx5ygQN9jIN2jdDV850oCSCmtp+cy2w
The authenticity of host 'localhost (127.0.0.1)' can't be established.
ECDSA key fingerprint is SHA256:AS0MYlPqe9JOcx5ygQN9jIN2jdDV850oCSCmtp+cy2w.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'localhost' (ECDSA) to the list of known hosts.
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
################################################################################
# This is a restricted system.... #
################################################################################
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Trying private key: /home/teachers/.ssh/id_rsa
debug1: Trying private key: /home/teachers/.ssh/id_dsa
debug1: Trying private key: /home/teachers/.ssh/id_ecdsa
debug1: Trying private key: /home/teachers/.ssh/id_ed25519
debug1: Next authentication method: password
teachers@localhost's password:
debug1: Authentications that can continue: publickey,password
Permission denied, please try again.
teachers@localhost's password:
debug1: Authentications that can continue: publickey,password
Permission denied, please try again.
teachers@localhost's password:
debug1: Authentications that can continue: publickey,password
debug1: No more authentication methods to try.
Permission denied (publickey,password).
Here is the auth.log for my access attempt:
Apr 19 05:41:52 lists sshd[27165]: Set /proc/self/oom_score_adj to 0
Apr 19 05:41:52 lists sshd[27165]: Connection from 127.0.0.1 port 45192 on 127.0.0.1 port 22
Apr 19 05:42:03 lists sshd[27165]: PAM (sshd) illegal module type: umask
Apr 19 05:42:03 lists sshd[27165]: PAM pam_parse: expecting return value; [...002]
Apr 19 05:42:03 lists sshd[27165]: PAM (sshd) no module name supplied
Apr 19 05:42:13 lists sshd[27165]: Failed password for teachers from 127.0.0.1 port 45192 ssh2
Apr 19 05:42:20 lists sshd[27165]: Failed password for teachers from 127.0.0.1 port 45192 ssh2
Apr 19 05:42:27 lists sshd[27165]: Failed password for teachers from 127.0.0.1 port 45192 ssh2
Apr 19 05:42:27 lists sshd[27165]: Connection closed by 127.0.0.1 [preauth]
Here is the output of my iptables:
$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target           prot opt source               destination
DROP             tcp  --  222.0.0.0/8          anywhere             tcp dpt:ssh
fail2ban-dovecot tcp  --  anywhere             anywhere             multiport dports smtp,urd,submission,imap2,imap3,imaps,pop3,pop3s
fail2ban-postfix tcp  --  anywhere             anywhere             multiport dports smtp,urd,submission
fail2ban-sasl    tcp  --  anywhere             anywhere             multiport dports smtp,urd,submission,imap2,imap3,imaps,pop3,pop3s
fail2ban-ssh     tcp  --  anywhere             anywhere             multiport dports ssh
DROP             tcp  --  222.186.34.202       anywhere             tcp dpt:ssh
fail2ban-dovecot tcp  --  anywhere             anywhere             multiport dports smtp,urd,submission,imap2,imap3,imaps,pop3,pop3s
fail2ban-postfix tcp  --  anywhere             anywhere             multiport dports smtp,urd,submission
fail2ban-sasl    tcp  --  anywhere             anywhere             multiport dports smtp,urd,submission,imap2,imap3,imaps,pop3,pop3s
fail2ban-ssh     tcp  --  anywhere             anywhere             multiport dports ssh
ACCEPT           all  --  anywhere             anywhere
ACCEPT           all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT           tcp  --  anywhere             anywhere             tcp dpt:ssh
ACCEPT           tcp  --  anywhere             anywhere             tcp dpt:http
LOG              all  --  anywhere             anywhere             limit: avg 5/min burst 5 LOG level debug prefix "iptables denied: "
ACCEPT           tcp  --  anywhere             anywhere             tcp dpt:https
ACCEPT           tcp  --  anywhere             anywhere             tcp dpt:2812
ACCEPT           tcp  --  anywhere             anywhere             tcp dpt:smtp
ACCEPT           tcp  --  anywhere             anywhere             tcp dpt:pop3
ACCEPT           tcp  --  anywhere             anywhere             tcp dpt:submission
DROP             all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target           prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target           prot opt source               destination

Chain fail2ban-dovecot (2 references)
target           prot opt source               destination
RETURN           all  --  anywhere             anywhere
RETURN           all  --  anywhere             anywhere

Chain fail2ban-postfix (2 references)
target           prot opt source               destination
RETURN           all  --  anywhere             anywhere
RETURN           all  --  anywhere             anywhere

Chain fail2ban-sasl (2 references)
target           prot opt source               destination
RETURN           all  --  anywhere             anywhere
RETURN           all  --  anywhere             anywhere

Chain fail2ban-ssh (2 references)
target           prot opt source               destination
RETURN           all  --  anywhere             anywhere
RETURN           all  --  anywhere             anywhere
I believe this shows that port 22 should be reachable:
$ nc -z -v -w 5 localhost 22
Connection to localhost 22 port [tcp/ssh] succeeded!
EDIT: including the sshd config:
$ cat /etc/ssh/sshd_config
# What ports, IPs and protocols we listen for
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes
# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 1024
# Logging
SyslogFacility AUTH
LogLevel VERBOSE
# Authentication:
LoginGraceTime 120
PermitRootLogin no
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile %h/.ssh/authorized_keys
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes
# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no
# Change to no to disable tunnelled clear text passwords
PasswordAuthentication yes
# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no
#MaxStartups 10:30:60
Banner /etc/issue.net
# Allow client to pass locale environment variables
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin yes
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes
AllowUsers listman teachers
The only file in /etc/pam.d/ is /etc/pam.d/sshd:
$ cat /etc/pam.d/sshd
# PAM configuration for the Secure Shell service
umask 002
# Standard Un*x authentication.
@include common-auth
# Disallow non-root logins when /etc/nologin exists.
account    required     pam_nologin.so
# Uncomment and edit /etc/security/access.conf if you need to set complex
# access limits that are hard to express in sshd_config.
# account  required     pam_access.so
# Standard Un*x authorization.
@include common-account
# SELinux needs to be the first session rule. This ensures that any
# lingering context has been cleared. Without this it is possible that a
# module could execute code in the wrong domain.
session [success=ok ignore=ignore module_unknown=ignore default=bad]        pam_selinux.so close
# Set the loginuid process attribute.
session    required     pam_loginuid.so
# Create a new session keyring.
session    optional     pam_keyinit.so force revoke
# Standard Un*x session setup and teardown.
@include common-session
# Print the message of the day upon successful login.
# This includes a dynamically generated part from /run/motd.dynamic
# and a static (admin-editable) part from /etc/motd.
session    optional     pam_motd.so motd=/run/motd.dynamic
session    optional     pam_motd.so noupdate
# Print the status of the user's mailbox upon successful login.
session    optional     pam_mail.so standard noenv # [1]
# Set up user limits from /etc/security/limits.conf.
session    required     pam_limits.so
# Read environment variables from /etc/environment and
# /etc/security/pam_env.conf.
session    required     pam_env.so # [1]
# In Debian 4.0 (etch), locale-related environment variables were moved to
# /etc/default/locale, so read that as well.
session    required     pam_env.so user_readenv=1 envfile=/etc/default/locale
# SELinux needs to intervene at login time to ensure that the process starts
# in the proper default security context. Only sessions which are intended
# to run in the user's context should be run after this.
session [success=ok ignore=ignore module_unknown=ignore default=bad]        pam_selinux.so open
# Standard Un*x password updating.
@include common-password
What am I missing here?
The line
umask 002
is not a valid PAM configuration by itself. Remove it.
To set the umask for ssh sessions, see this Serverfault thread:
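As an added diagnostic that is not part of the question or the answer, the following Python lint applies the structural rules Linux-PAM uses when it reads a file like /etc/pam.d/sshd (type field, control field, module name), so a stray line such as umask 002 is caught before sshd logs "illegal module type" and password logins start failing. The sample config and the function names are constructed for this example; the messages are worded to match the auth.log entries in the question.

```python
import re

# Linux-PAM directive types; a leading "-" marks the module as optional.
PAM_TYPES = {"auth", "account", "password", "session"}
PAM_CONTROLS = {"required", "requisite", "sufficient", "optional",
                "include", "substack"}

# Constructed sample modelled on the /etc/pam.d/sshd from the question,
# including the stray "umask 002" line and one line with a missing module.
SAMPLE_PAM_SSHD = """\
# PAM configuration for the Secure Shell service
umask 002
@include common-auth
account    required     pam_nologin.so
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
session    optional     pam_keyinit.so force revoke
session    required     pam_env.so # [1]
session    required
@include common-password
"""

# type, control (keyword or [bracketed list]), optional module, rest
LINE_RE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)(?:\s+(\S+))?(.*)$")

def lint_pam_config(text):
    """Return (line_number, message) pairs for lines Linux-PAM would reject.
    Messages mirror the wording sshd writes to auth.log for such lines."""
    problems = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        if line.startswith("@include"):
            if len(line.split()) != 2:
                problems.append((lineno, "@include needs one file name"))
            continue
        m = LINE_RE.match(line)
        if not m:
            problems.append((lineno, "cannot parse line"))
            continue
        ptype, control, module, _args = m.groups()
        if ptype not in PAM_TYPES:
            # e.g. "umask 002" -> "PAM (sshd) illegal module type: umask"
            problems.append((lineno, f"illegal module type: {ptype}"))
        elif not control.startswith("[") and control not in PAM_CONTROLS:
            problems.append((lineno, f"unknown control flag: {control}"))
        elif module is None:
            problems.append((lineno, "no module name supplied"))
    return problems

def drop_invalid_lines(text):
    """Return the config with every rejected line removed (the answer's fix,
    applied mechanically); rerun lint_pam_config() on the result to confirm."""
    bad = {lineno for lineno, _ in lint_pam_config(text)}
    return "\n".join(l for i, l in enumerate(text.splitlines(), 1)
                     if i not in bad) + "\n"
```

Run it against a real /etc/pam.d/sshd (read the file into lint_pam_config) before restarting sshd; a clean result means PAM will at least parse the file, which is the precondition for PasswordAuthentication to work at all.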