Estamos ejecutando OpenSSH_6.2p2+sftpfilecontrol-v1.3-hpn13v12 en un servidor Unix (HP-UX, B.11.31, arquitectura ia64).
Falla un cliente que intenta iniciar sesión en nuestro servidor usando claves sftp y ssh (intentando iniciar sesión como username2).
Nuestra configuración en el directorio de inicio de nombre de usuario2:
drwx------ 2 username2 groupname2 8192 Jan 22 15:24 .ssh
.ssh:
-rw-r--r-- 1 username2 groupname2 512 Jan 22 12:58 authorized_keys
-rw-r--r-- 1 username2 groupname2 442 Dec 10 19:29 known_hosts
-rw-r--r-- 1 username2 groupname2 739 Dec 10 19:21 id_rsa.pub
-rw------- 1 username2 groupname2 3243 Dec 10 18:59 id_rsa
Nuestro sshd_configaspecto es el siguiente (aquí los comentarios se eliminan para mayor claridad de mi pregunta):
Protocol 2,1
AddressFamily inet
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
KerberosAuthentication no
UsePAM no
X11Forwarding yes
Subsystem sftp /opt/ssh/libexec/sftp-server
Match Group groupname1
# Force the connection to use SFTP and chroot to the required directory.
ForceCommand internal-sftp
ChrootDirectory directorypath # Home of username1
# Disable tunneling, authentication agent, TCP and X11 forwarding.
PermitTunnel no
AllowAgentForwarding no
AllowTcpForwarding no
X11Forwarding no
Match Group groupname2
# Force the connection to use SFTP and chroot to the required directory.
ForceCommand internal-sftp
ChrootDirectory directorypath # Home of username2
# Disable tunneling, authentication agent, TCP and X11 forwarding.
PermitTunnel no
AllowAgentForwarding no
AllowTcpForwarding no
X11Forwarding no
Esto es lo que tenemos en nuestro (lado del servidor) /var/adm/syslog/syslog.log:
Jan 21 15:18:41 host sshd[14582]: Connection from ip-address port portnumber
Jan 21 15:18:41 host sshd[14582]: SSH: Server;Ltype: Version;Remote: ip-address-portnumber;Protocol: 2.0;Client: J2SSH_Maverick_1.4.44__SEEBURGER_AG
Jan 21 15:18:41 host sshd[14582]: SSH: Server;Ltype: Kex;Remote: ip-address-portnumber;Enc: aes128-cbc;MAC: hmac-sha1;Comp: none [preauth]
Jan 21 15:18:44 host sshd[14582]: SSH: Server;Ltype: Authname;Remote: ip-address-portnumber;Name: username2 [preauth]
Jan 21 15:18:44 host sshd[14582]: Failed publickey for username2 from ip-address port portnumber ssh2
Jan 21 15:18:44 host sshd[14582]: Received disconnect from ip-address: 11: The user disconnected the application [preauth]
Podemos observar que se está accediendo o leyendo el archivo autorizado_keys, pero el cliente aún no puede iniciar sesión.
El mensaje "Clave pública fallida" es un poco confuso porque hemos probado con un par de claves públicas de clientes (en el authorized_keysarchivo).
Luego cambiamos/chmod:ed authorized_keysa:
-rw------- 1 username2 groupname2 512 Jan 22 12:58 authorized_keys
Y agregó esto a sshd_config:
RSAAuthentication yes
Pero el cliente todavía no puede iniciar sesión. El cliente es externo y se conecta con nosotros a través de proxy/dmz.
Salida de "sftp -vvv host" (en nuestra red local):
OpenSSH_6.2p2+sftpfilecontrol-v1.3-hpn13v12, OpenSSL 1.0.1j 15 Oct 2014
HP-UX Secure Shell-A.06.20.030, HP-UX Secure Shell version
debug1: Reading configuration data /opt/ssh/etc/ssh_config
debug3: RNG is ready, skipping seeding
debug2: ssh_connect: needpriv 0
debug1: Connecting to host [ip-address] port 22.
debug1: Connection established.
debug3: Incorrect RSA1 identifier
debug3: Could not load "home_directory/.ssh/id_rsa" as a RSA1 public key
debug1: identity file /home_directory/.ssh/id_rsa type 1
debug1: identity file /home_directory/.ssh/id_rsa-cert type -1
debug1: identity file /home_directory/.ssh/id_dsa type -1
debug1: identity file /home_directory/.ssh/id_dsa-cert type -1
debug1: identity file /home_directory/.ssh/id_ecdsa type -1
debug1: identity file /home_directory/.ssh/id_ecdsa-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.2p2+sftpfilecontrol-v1.3-hpn13v12
debug1: Remote protocol version 1.99, remote software version OpenSSH_6.2p2+sftpfilecontrol-v1.3-hpn13v12
debug1: match: OpenSSH_6.2p2+sftpfilecontrol-v1.3-hpn13v12 pat OpenSSH*
debug2: fd 4 setting O_NONBLOCK
debug3: RNG is ready, skipping seeding
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: AUTH STATE IS 0
debug2: kex_parse_kexinit: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,[email protected],[email protected],aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected]
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,[email protected],[email protected],aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected]
debug2: kex_parse_kexinit: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-md5,hmac-sha1,[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-md5,hmac-sha1,[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,[email protected],zlib
debug2: kex_parse_kexinit: none,[email protected],zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,[email protected],[email protected],aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected]
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,[email protected],[email protected],aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected]
debug2: kex_parse_kexinit: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-md5,hmac-sha1,[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-md5,hmac-sha1,[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,[email protected]
debug2: kex_parse_kexinit: none,[email protected]
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: found [email protected]
debug1: REQUESTED ENC.NAME is 'aes128-ctr'
debug1: kex: server->client aes128-ctr [email protected] none
debug2: mac_setup: found [email protected]
debug1: REQUESTED ENC.NAME is 'aes128-ctr'
debug1: kex: client->server aes128-ctr [email protected] none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ECDSA d9:55:55:e7:58:da:aa:1f:c8:71:51:c2:c3:b4:08:3d
The authenticity of host 'host (ip-address)' can't be established.
ECDSA key fingerprint is d9:55:55:e7:58:da:aa:1f:c8:71:51:c2:c3:b4:08:3d.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'host,ip-address' (ECDSA) to the list of known hosts.
debug1: ssh_ecdsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: home_directory/.ssh/id_rsa (60000000000644b0),
debug2: key: home_directory/.ssh/id_dsa (0),
debug2: key: home_directory/.ssh/id_ecdsa (0),
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug3: start over, passed a different list publickey,password,keyboard-interactive
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: home_directory/.ssh/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Server accepts key: pkalg ssh-rsa blen 535
debug2: input_userauth_pk_ok: fp 44:9a:6b:22:3e:7f:92:5b:fd:66:0a:5b:fe:61:55:dd
debug3: sign_and_send_pubkey: RSA 44:9a:6b:22:3e:7f:92:5b:fd:66:0a:5b:fe:61:55:dd
debug1: read PEM private key done: type RSA
debug1: Authentication succeeded (publickey).
Authenticated to host ([ip-address]:22).
debug2: fd 5 setting O_NONBLOCK
debug2: fd 6 setting O_NONBLOCK
debug1: Final hpn_buffer_size = 2097152
debug1: HPN Disabled: 1, HPN Buffer Size: 2097152
debug1: channel 0: new [client-session]
debug3: ssh_session2_open: channel_new: 0
debug2: channel 0: send open
debug1: Requesting [email protected]
debug1: Entering interactive session.
debug1: channel 0: free: client-session, nchannels 1
debug3: channel 0: status: The following connections are open:
#0 client-session (t3 r-1 i0/0 o0/0 fd 5/6 cc -1)
debug1: fd 0 clearing O_NONBLOCK
debug1: fd 1 clearing O_NONBLOCK
Connection to host closed by remote host.
Transferred: sent 3908, received 2544 bytes, in 0.0 seconds
Bytes per second: sent 2126260.2, received 1384136.6
debug1: Exit status -1
Connection closed