무슨 일이 일어나고 있는지 알 수 없습니다. 이론적으로는 컴퓨터에서 사용자 "user"에 대한 키 쌍을 생성했습니다.홈데스크톱, 공개 키를 다음으로 보냈습니다.myserver.example.com아래에 놓으면 myserver:~user/.ssh/authorized_keys비밀번호 없이 로그인할 수 있습니다. 문제 없습니다.
문제는 이상하게도 컴퓨터의 다른 모든 사용자가홈데스크톱user@myserver비밀번호 없이 로 로그인할 수도 있습니다 ! 어쩌면 키에 전역적으로 액세스할 수 있다고 생각하겠지만 homedesktop:/etc/ssh그렇지 않습니다(디렉토리를 삭제하고 다시 시도했지만 여전히 작동합니다). 실제로 "myserver"뿐만 아니라 "user"라는 공개 키를 가진 모든 서버는 "homedesktop"에 있는 모든 사용자의 비밀번호 없는 로그인을 허용합니다. 아래 SSH 로그를 보면 키가 메모리에 있는 것처럼 보입니까? 무슨 일이 일어나고 있는지, 다른 사용자가 이 키를 사용하는 것을 방지하는 방법을 이해할 수 없습니다! 또한 homedesktop:~user/.ssh다른 사용자가 읽을 수 없는 일반 권한이 있습니다.
이 예에서 "otheruser"는 user@myserver로 로그인을 시도하고 집에 액세스할 수 있습니다.사용자@homedesktop키, 어느 것이 허용되나요?
otheruser@homedesktop:~$ rm -rf .ssh
otheruser@homedesktop:~$ ssh -vvv -p 15555 [email protected]
OpenSSH_6.6.1, OpenSSL 1.0.1f 6 Jan 2014
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to myserver.example.com [123.234.123.234] port 15555.
debug1: Connection established.
debug1: SELinux support disabled
debug1: identity file /home/otheruser/.ssh/id_rsa type -1
debug1: identity file /home/otheruser/.ssh/id_rsa-cert type -1
debug1: identity file /home/otheruser/.ssh/id_dsa type -1
debug1: identity file /home/otheruser/.ssh/id_dsa-cert type -1
debug1: identity file /home/otheruser/.ssh/id_ecdsa type -1
debug1: identity file /home/otheruser/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/otheruser/.ssh/id_ed25519 type -1
debug1: identity file /home/otheruser/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.6
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.3
debug1: match: OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.3 pat OpenSSH_6.6.1* compat 0x04000000
debug2: fd 3 setting O_NONBLOCK
debug3: put_host_port: [myserver.example.com]:15555
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: [email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,[email protected],[email protected],[email protected],aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected]
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,[email protected],[email protected],[email protected],aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected]
debug2: kex_parse_kexinit: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-md5,hmac-sha1,[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-md5,hmac-sha1,[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,[email protected],zlib
debug2: kex_parse_kexinit: none,[email protected],zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: [email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ssh-ed25519
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,[email protected],[email protected],[email protected],aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected]
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,[email protected],[email protected],[email protected],aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected]
debug2: kex_parse_kexinit: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-md5,hmac-sha1,[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-md5,hmac-sha1,[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,[email protected]
debug2: kex_parse_kexinit: none,[email protected]
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: setup [email protected]
debug1: kex: server->client aes128-ctr [email protected] none
debug2: mac_setup: setup [email protected]
debug1: kex: client->server aes128-ctr [email protected] none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ECDSA 9d:ce:c8:e4:39:43:f5:3a:0b:11:0b:77:78:cd:63:2f
debug3: put_host_port: [123.234.123.234]:15555
debug3: put_host_port: [myserver.example.com]:15555
debug1: checking without port identifier
The authenticity of host '[myserver.example.com]:15555 ([123.234.123.234]:15555)' can't be established.
ECDSA key fingerprint is 9d:ce:c8:e4:39:43:f5:3a:0b:11:0b:77:78:cd:63:2f.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[myserver.example.com]:15555,[123.234.123.234]:15555' (ECDSA) to the list of known hosts.
debug1: ssh_ecdsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: user@myserver (0x7fba1acf8000),
debug2: key: user@homedesktop (0x7fbaa1bbcf30),
debug2: key: /home/otheruser/.ssh/id_rsa ((nil)),
debug2: key: /home/otheruser/.ssh/id_dsa ((nil)),
debug2: key: /home/otheruser/.ssh/id_ecdsa ((nil)),
debug2: key: /home/otheruser/.ssh/id_ed25519 ((nil)),
debug1: Authentications that can continue: publickey,password
debug3: start over, passed a different list publickey,password
debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: user@myserver
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,password
debug1: Offering DSA public key: user@homedesktop
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Server accepts key: pkalg ssh-dss blen 433
debug2: input_userauth_pk_ok: fp d2:43:29:a0:88:06:a1:d2:1d:7a:65:15:4f:f8:95:eb
debug3: sign_and_send_pubkey: DSA d2:43:29:a0:88:06:a1:d2:1d:7a:65:15:4f:f8:95:eb
debug1: Authentication succeeded (publickey).
Authenticated to myserver.example.com ([123.234.123.234]:15555).
debug1: channel 0: new [client-session]
debug3: ssh_session2_open: channel_new: 0
debug2: channel 0: send open
debug1: Requesting [email protected]
debug1: Entering interactive session.
debug2: callback start
debug2: fd 3 setting TCP_NODELAY
debug3: packet_set_tos: set IP_TOS 0x10
debug2: client_session2_setup: id 0
debug2: channel 0: request pty-req confirm 1
debug1: Sending environment.
debug1: Sending env LC_PAPER = en_US.UTF-8
debug2: channel 0: request env confirm 0
debug3: Ignored env XDG_VTNR
debug3: Ignored env XDG_SESSION_ID
debug3: Ignored env KDE_MULTIHEAD
debug1: Sending env LC_ADDRESS = en_US.UTF-8
debug2: channel 0: request env confirm 0
debug1: Sending env LC_MONETARY = en_US.UTF-8
debug2: channel 0: request env confirm 0
debug3: Ignored env XDG_GREETER_DATA_DIR
debug3: Ignored env CLUTTER_IM_MODULE
debug3: Ignored env SELINUX_INIT
debug3: Ignored env SESSION
debug3: Ignored env GPG_AGENT_INFO
debug3: Ignored env SHELL
debug3: Ignored env TERM
debug3: Ignored env XDG_SESSION_COOKIE
debug3: Ignored env KONSOLE_DBUS_SERVICE
debug3: Ignored env GTK2_RC_FILES
debug3: Ignored env KONSOLE_PROFILE_NAME
debug3: Ignored env GS_LIB
debug3: Ignored env GTK_RC_FILES
debug1: Sending env LC_NUMERIC = en_US.UTF-8
debug2: channel 0: request env confirm 0
debug3: Ignored env WINDOWID
debug3: Ignored env GNOME_KEYRING_CONTROL
debug3: Ignored env UPSTART_SESSION
debug3: Ignored env SHELL_SESSION_ID
debug3: Ignored env KDE_FULL_SESSION
debug3: Ignored env USER
debug1: Sending env LC_TELEPHONE = en_US.UTF-8
debug2: channel 0: request env confirm 0
debug3: Ignored env LS_COLORS
debug3: Ignored env XDG_SESSION_PATH
debug3: Ignored env XDG_SEAT_PATH
debug3: Ignored env SSH_AUTH_SOCK
debug3: Ignored env DEFAULTS_PATH
debug3: Ignored env SESSION_MANAGER
debug3: Ignored env XDG_CONFIG_DIRS
debug3: Ignored env MAIL
debug3: Ignored env PATH
debug3: Ignored env DESKTOP_SESSION
debug3: Ignored env QT_IM_MODULE
debug1: Sending env LC_IDENTIFICATION = en_US.UTF-8
debug2: channel 0: request env confirm 0
debug3: Ignored env PWD
debug3: Ignored env JOB
debug3: Ignored env XMODIFIERS
debug3: Ignored env KONSOLE_DBUS_WINDOW
debug3: Ignored env KDE_SESSION_UID
debug3: Ignored env GNOME_KEYRING_PID
debug1: Sending env LANG = en_US.UTF-8
debug2: channel 0: request env confirm 0
debug3: Ignored env GDM_LANG
debug3: Ignored env MANDATORY_PATH
debug1: Sending env LC_MEASUREMENT = en_US.UTF-8
debug2: channel 0: request env confirm 0
debug3: Ignored env IM_CONFIG_PHASE
debug3: Ignored env KONSOLE_DBUS_SESSION
debug3: Ignored env GDMSESSION
debug3: Ignored env SESSIONTYPE
debug3: Ignored env HOME
debug3: Ignored env XDG_SEAT
debug3: Ignored env SHLVL
debug3: Ignored env COLORFGBG
debug3: Ignored env LANGUAGE
debug3: Ignored env KDE_SESSION_VERSION
debug3: Ignored env XCURSOR_THEME
debug3: Ignored env UPSTART_INSTANCE
debug3: Ignored env PYTHONPATH
debug3: Ignored env LOGNAME
debug3: Ignored env UPSTART_EVENTS
debug3: Ignored env XDG_DATA_DIRS
debug3: Ignored env DBUS_SESSION_BUS_ADDRESS
debug3: Ignored env QT4_IM_MODULE
debug3: Ignored env LESSOPEN
debug3: Ignored env TEXTDOMAIN
debug3: Ignored env UPSTART_JOB
debug3: Ignored env INSTANCE
debug3: Ignored env DISPLAY
debug3: Ignored env XDG_RUNTIME_DIR
debug3: Ignored env PROFILEHOME
debug3: Ignored env QT_PLUGIN_PATH
debug3: Ignored env GTK_IM_MODULE
debug3: Ignored env XDG_CURRENT_DESKTOP
debug3: Ignored env PAM_KWALLET_LOGIN
debug1: Sending env LC_TIME = en_US.UTF-8
debug2: channel 0: request env confirm 0
debug3: Ignored env LESSCLOSE
debug3: Ignored env TEXTDOMAINDIR
debug1: Sending env LC_NAME = en_US.UTF-8
debug2: channel 0: request env confirm 0
debug3: Ignored env XAUTHORITY
debug3: Ignored env _
debug3: Ignored env OLDPWD
debug2: channel 0: request shell confirm 1
debug2: callback done
debug2: channel 0: open confirm rwindow 0 rmax 32768
debug2: channel_input_status_confirm: type 99 id 0
debug2: PTY allocation request accepted on channel 0
debug2: channel 0: rcvd adjust 2097152
debug2: channel_input_status_confirm: type 99 id 0
debug2: shell request accepted on channel 0
Welcome to MYSERVER!!
Last login: Tue Nov 1 21:05:47 2016 from 111.222.111.222
user@myserver:~$
답변1
debug1: Offering DSA public key: user@homedesktop
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Server accepts key: pkalg ssh-dss blen 433
debug2: input_userauth_pk_ok: fp d2:43:29:a0:88:06:a1:d2:1d:7a:65:15:4f:f8:95:eb
debug3: sign_and_send_pubkey: DSA d2:43:29:a0:88:06:a1:d2:1d:7a:65:15:4f:f8:95:eb
debug1: Authentication succeeded (publickey).
Authenticated to myserver.example.com ([123.234.123.234]:15555).
키가 세션에 저장되어 있다고 말합니다 ssh-agent. ssh연결 없이 실행하면 ssh-agent다음 액세스가 허용되지 않습니다.
SSH_AUTH_SOCK="" ssh -vvv -p 15555 [email protected]
또한 에이전트를 죽이면 작업이 수행됩니다. eval $(ssh-agent -k)(를 사용하지 않는 경우 gnome-keyring) 그렇지 않으면 DE에서 다시 로그인하면 키가 "플러시"됩니다.