Authenticating sshd against AWS Simple Directory Service

I am trying to set up a network of CentOS 7 machines with sshd authenticating public keys against an AWS Simple Directory Service directory.

Currently I have a bunch of CentOS hosts, one Windows Server 2008 instance, and a directory using Amazon Web Services (AWS) Simple Directory Service. The Windows box is used to administer the directory; the CentOS boxes use the directory to authenticate SSH sessions. All machines are joined to the directory.

I have verified that I am able to SSH into the CentOS boxes as both local and domain users using simple password authentication. Likewise, I am able to RDP into the Windows box with both local and domain accounts using simple password authentication.

However, the schema AWS sets up in my directory does not, as far as I can tell, include any class with an `sshPublicKey` field out of the box. So I used the Active Directory Schema snap-in on the Windows box to add the following attribute to my schema:

```
Common Name: sshPublicKey
OID: 1.3.6.1.4.1.24552.1.1.1.13
Syntax: IA5-String
Multi-valued: true
```

I then created the following class:

```
Common Name: LDAP Public Key
OID: 1.3.6.1.4.1.24552.500.1.1.2.0
Parent Class: top
Class Type: Auxiliary
Optional Attributes: sshPublicKey
```
I then used the ADSI snap-in to add the contents of the users' public keys to the `sshPublicKey` field of their entries in the directory. On one of my CentOS boxes I disabled password authentication by setting `PasswordAuthentication no` in sshd's configuration file. Then I tried to ssh into that CentOS box as a directory user who has the `sshPublicKey` attribute set:

```
$ ssh -l user@directory.server -i ~/.ssh/path.to.key.pub centos.box -vvv
OpenSSH_6.2p2, OSSLShim 0.9.8r 8 Dec 2011
debug1: Reading configuration data /Users/localuser/.ssh/config
debug1: Reading configuration data /etc/ssh_config
debug1: /etc/ssh_config line 20: Applying options for *
debug1: /etc/ssh_config line 53: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to centos.box [ip addy] port 22.
debug1: Connection established.
debug3: Incorrect RSA1 identifier
debug3: Could not load "~/.ssh/path.to.key.pub" as a RSA1 public key
debug1: identity file ~/.ssh/path.to.key.pub type 1
debug1: identity file ~/.ssh/path.to.key.pub type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.2
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.6.1
debug1: match: OpenSSH_6.6.1 pat OpenSSH*
debug2: fd 3 setting O_NONBLOCK
debug3: load_hostkeys: loading entries for host "centos.box" from file "/Users/localuser/.ssh/known_hosts"
debug3: load_hostkeys: found key type RSA in file /Users/localuser/.ssh/known_hosts:someLineNumber
debug3: load_hostkeys: loaded 1 keys
debug3: order_hostkeyalgs: prefer hostkeyalgs: ssh-rsa-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ssh-rsa
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ssh-rsa,ssh-dss-cert-v01@openssh.com,ssh-dss-cert-v00@openssh.com,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: first_kex_follows 0 
debug2: kex_parse_kexinit: reserved 0 
debug2: kex_parse_kexinit: curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ecdsa-sha2-nistp256
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: first_kex_follows 0 
debug2: kex_parse_kexinit: reserved 0 
debug2: mac_setup: found hmac-md5-etm@openssh.com
debug1: kex: server->client aes128-ctr hmac-md5-etm@openssh.com none
debug2: mac_setup: found hmac-md5-etm@openssh.com
debug1: kex: client->server aes128-ctr hmac-md5-etm@openssh.com none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 116/256
debug2: bits set: 535/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Server host key: RSA blah
debug3: load_hostkeys: loading entries for host "centos.box" from file "/Users/localuser/.ssh/known_hosts"
debug3: load_hostkeys: found key type RSA in file /Users/localuser/.ssh/known_hosts:someLine
debug3: load_hostkeys: loaded 1 keys
debug1: Host 'centos.box' is known and matches the RSA host key.
debug1: Found key in /Users/localuser/.ssh/known_hosts:27
debug2: bits set: 509/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /Users/localuser/.ssh/path.to.key.pub (0x7fb3cb600000), explicit
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug3: start over, passed a different list publickey,gssapi-keyex,gssapi-with-mic
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /Users/localuser/.ssh/path.to.key.pub
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
$
```
On the CentOS box we get:

```
$ sudo journalctl -felu sshd
....
Some Date centos.box sshd[a number]: Connection closed by 1.2.3.4 [preauth]
```

The permissions on the private key are `600`; the permissions on the public key are `644`.

I'm not sure how to check the server logs on the directory service host.

Any ideas what I'm doing wrong?
To make sure `sssd` talks to `sshd` for public key authentication, do the following on the host:

- Add the following line to the `[sssd]` section of `/etc/sssd/sssd.conf`:

  ```
  services = ssh, [ all the other services already listed there as well ]
  ```

  This tells `sssd` that it should talk to `sshd`.

- If there isn't already an `[ssh]` section, add an empty `[ssh]` section to `/etc/sssd/sssd.conf`:

  ```
  [ssh]
  ```

  This is a required configuration section for every service `sssd` talks to.

- Add the following line to the `[domain/directory.server]` section of `/etc/sssd/sssd.conf`, where `directory.server` is the fully qualified domain name of the directory service host:

  ```
  ldap_user_ssh_public_key = sshPublicKey
  ```

  This tells `sssd` which attribute to use to look up a user's public SSH keys for `sshd`. (The default attribute `sssd` uses is `ipaSshPubKey`, which can be found in the schema in the `ipaSshUser` and `ipaSshHost` classes.)

- Add the following lines to your `/etc/sshd/sshd_config` file:

  ```
  AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
  AuthorizedKeysCommandUser nobody
  ```

  This tells `sshd` to execute `/usr/bin/sss_ssh_authorizedkeys` as user `nobody`; `/usr/bin/sss_ssh_authorizedkeys` obtains the authorized keys for the user trying to authenticate to `sshd` on the host.

- Add the following lines to your `/etc/sshd/ssh_config` file:

  ```
  GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts
  ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h
  ```

  This tells `sssd` to add the client's name and public key to the client's `/var/lib/sss/pubconf/known_hosts` and to connect to the client using the `/usr/bin/sss_ssh_knownhostsproxy` executable, piping all communication through standard I/O.

- Restart both services:

  ```
  $ sudo systemctl reload sshd
  $ sudo systemctl restart sshd
  $ sudo systemctl restart sssd
  ```
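An added example, not from the answer or the asker: a POSIX shell checker for the three `sssd.conf` settings and the two `sshd_config` directives listed above, run against constructed sample files. The domain name `directory.server` and the `sshPublicKey` attribute are taken from the question; the file paths passed to the functions are assumptions.

```shell
#!/bin/sh
# Added example, not from the original answer: sanity-check the sssd.conf and
# sshd_config settings the answer lists. Sample files are constructed below.

# ini_get FILE SECTION KEY: print KEY's value from [SECTION], exit 1 if absent
ini_get() {
    awk -v sect="$2" -v key="$3" '
        /^[ \t]*\[/ { s = $0; sub(/^[ \t]*\[/, "", s); sub(/].*$/, "", s)
                      in_sect = (s == sect); next }
        in_sect && $0 ~ ("^[ \t]*" key "[ \t]*=") {
            v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v)
            print v; found = 1; exit }
        END { exit !found }' "$1"
}

# check_sssd_conf FILE DOMAIN: the three sssd.conf requirements from the answer
check_sssd_conf() {
    svcs=$(ini_get "$1" sssd services) || { echo "[sssd] has no services=" >&2; return 1; }
    case ",$(printf '%s' "$svcs" | tr -d ' \t')," in
        *,ssh,*) ;;
        *) echo "ssh is not in services=" >&2; return 1 ;;
    esac
    grep -q '^[[:space:]]*\[ssh\][[:space:]]*$' "$1" || { echo "no [ssh] section" >&2; return 1; }
    attr=$(ini_get "$1" "domain/$2" ldap_user_ssh_public_key) \
        || { echo "no ldap_user_ssh_public_key in [domain/$2]" >&2; return 1; }
    [ "$attr" = sshPublicKey ] || { echo "unexpected attribute: $attr" >&2; return 1; }
}

# check_sshd_config FILE: AuthorizedKeysCommand must point at sss_ssh_authorizedkeys,
# and AuthorizedKeysCommandUser must be set or sshd will not use the command
check_sshd_config() {
    grep -Eq '^[[:space:]]*AuthorizedKeysCommand[[:space:]]+/usr/bin/sss_ssh_authorizedkeys' "$1" \
        && grep -Eq '^[[:space:]]*AuthorizedKeysCommandUser[[:space:]]+[^[:space:]]+' "$1"
}

# write_samples DIR: constructed sample configs, one correct and one missing all three settings
write_samples() {
    printf '[sssd]\nservices = nss, pam, ssh\ndomains = directory.server\n\n[ssh]\n\n[domain/directory.server]\nid_provider = ldap\nldap_user_ssh_public_key = sshPublicKey\n' >"$1/good_sssd.conf"
    printf '[sssd]\nservices = nss, pam\ndomains = directory.server\n\n[domain/directory.server]\nid_provider = ldap\n' >"$1/bad_sssd.conf"
    printf 'PasswordAuthentication no\nAuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys\nAuthorizedKeysCommandUser nobody\n' >"$1/sshd_config"
}

TMPD=$(mktemp -d)
write_samples "$TMPD"
check_sssd_conf "$TMPD/good_sssd.conf" directory.server && echo "good_sssd.conf: OK"
check_sssd_conf "$TMPD/bad_sssd.conf" directory.server || echo "bad_sssd.conf: rejected, as expected"
check_sshd_config "$TMPD/sshd_config" && echo "sshd_config: OK"
```

Point the functions at the real `/etc/sssd/sssd.conf` and `/etc/ssh/sshd_config` to verify a host after applying the steps; each failure message names the missing setting.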