Я не могу понять, что происходит. Теоретически я создал пару ключей для пользователя "user" на машинедомашнийрабочий стол, и отправил открытый ключмойсервер.пример.comи помещаю его под myserver:~user/.ssh/authorized_keys, я могу войти без пароля, без проблем.
Проблема в том, что, как ни странно, все остальные пользователи на машинедомашнийрабочий столтакже можно войти как user@myserver, без пароля! Можно подумать, что ключ доступен глобально только на homedesktop:/etc/ssh, но это не так (я удалил каталог и попробовал снова, все еще работает). На самом деле, это не только "myserver", все серверы, которые имеют открытый ключ "user", принимают вход без пароля от всех пользователей на "homedesktop". Из журнала SSH ниже следует, что ключ может быть в памяти? Я не понимаю, что происходит и как запретить другим пользователям использовать этот ключ! Кроме того, homedesktop:~user/.sshимеет обычные разрешения, не доступные для чтения другим пользователям.
В этом примере «otheruser» пытается войти как user@myserver, домой он/она получает доступ кпользователь@homedesktopключ, который принят?
otheruser@homedesktop:~$ rm -rf .ssh
otheruser@homedesktop:~$ ssh -vvv -p 15555 [email protected]
OpenSSH_6.6.1, OpenSSL 1.0.1f 6 Jan 2014
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to myserver.example.com [123.234.123.234] port 15555.
debug1: Connection established.
debug1: SELinux support disabled
debug1: identity file /home/otheruser/.ssh/id_rsa type -1
debug1: identity file /home/otheruser/.ssh/id_rsa-cert type -1
debug1: identity file /home/otheruser/.ssh/id_dsa type -1
debug1: identity file /home/otheruser/.ssh/id_dsa-cert type -1
debug1: identity file /home/otheruser/.ssh/id_ecdsa type -1
debug1: identity file /home/otheruser/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/otheruser/.ssh/id_ed25519 type -1
debug1: identity file /home/otheruser/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.6
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.3
debug1: match: OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.3 pat OpenSSH_6.6.1* compat 0x04000000
debug2: fd 3 setting O_NONBLOCK
debug3: put_host_port: [myserver.example.com]:15555
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: [email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,[email protected],[email protected],[email protected],aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected]
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,[email protected],[email protected],[email protected],aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected]
debug2: kex_parse_kexinit: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-md5,hmac-sha1,[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-md5,hmac-sha1,[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,[email protected],zlib
debug2: kex_parse_kexinit: none,[email protected],zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: [email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ssh-ed25519
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,[email protected],[email protected],[email protected],aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected]
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,[email protected],[email protected],[email protected],aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected]
debug2: kex_parse_kexinit: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-md5,hmac-sha1,[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-md5,hmac-sha1,[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,[email protected]
debug2: kex_parse_kexinit: none,[email protected]
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: setup [email protected]
debug1: kex: server->client aes128-ctr [email protected] none
debug2: mac_setup: setup [email protected]
debug1: kex: client->server aes128-ctr [email protected] none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ECDSA 9d:ce:c8:e4:39:43:f5:3a:0b:11:0b:77:78:cd:63:2f
debug3: put_host_port: [123.234.123.234]:15555
debug3: put_host_port: [myserver.example.com]:15555
debug1: checking without port identifier
The authenticity of host '[myserver.example.com]:15555 ([123.234.123.234]:15555)' can't be established.
ECDSA key fingerprint is 9d:ce:c8:e4:39:43:f5:3a:0b:11:0b:77:78:cd:63:2f.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[myserver.example.com]:15555,[123.234.123.234]:15555' (ECDSA) to the list of known hosts.
debug1: ssh_ecdsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: user@myserver (0x7fba1acf8000),
debug2: key: user@homedesktop (0x7fbaa1bbcf30),
debug2: key: /home/otheruser/.ssh/id_rsa ((nil)),
debug2: key: /home/otheruser/.ssh/id_dsa ((nil)),
debug2: key: /home/otheruser/.ssh/id_ecdsa ((nil)),
debug2: key: /home/otheruser/.ssh/id_ed25519 ((nil)),
debug1: Authentications that can continue: publickey,password
debug3: start over, passed a different list publickey,password
debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: user@myserver
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,password
debug1: Offering DSA public key: user@homedesktop
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Server accepts key: pkalg ssh-dss blen 433
debug2: input_userauth_pk_ok: fp d2:43:29:a0:88:06:a1:d2:1d:7a:65:15:4f:f8:95:eb
debug3: sign_and_send_pubkey: DSA d2:43:29:a0:88:06:a1:d2:1d:7a:65:15:4f:f8:95:eb
debug1: Authentication succeeded (publickey).
Authenticated to myserver.example.com ([123.234.123.234]:15555).
debug1: channel 0: new [client-session]
debug3: ssh_session2_open: channel_new: 0
debug2: channel 0: send open
debug1: Requesting [email protected]
debug1: Entering interactive session.
debug2: callback start
debug2: fd 3 setting TCP_NODELAY
debug3: packet_set_tos: set IP_TOS 0x10
debug2: client_session2_setup: id 0
debug2: channel 0: request pty-req confirm 1
debug1: Sending environment.
debug1: Sending env LC_PAPER = en_US.UTF-8
debug2: channel 0: request env confirm 0
debug3: Ignored env XDG_VTNR
debug3: Ignored env XDG_SESSION_ID
debug3: Ignored env KDE_MULTIHEAD
debug1: Sending env LC_ADDRESS = en_US.UTF-8
debug2: channel 0: request env confirm 0
debug1: Sending env LC_MONETARY = en_US.UTF-8
debug2: channel 0: request env confirm 0
debug3: Ignored env XDG_GREETER_DATA_DIR
debug3: Ignored env CLUTTER_IM_MODULE
debug3: Ignored env SELINUX_INIT
debug3: Ignored env SESSION
debug3: Ignored env GPG_AGENT_INFO
debug3: Ignored env SHELL
debug3: Ignored env TERM
debug3: Ignored env XDG_SESSION_COOKIE
debug3: Ignored env KONSOLE_DBUS_SERVICE
debug3: Ignored env GTK2_RC_FILES
debug3: Ignored env KONSOLE_PROFILE_NAME
debug3: Ignored env GS_LIB
debug3: Ignored env GTK_RC_FILES
debug1: Sending env LC_NUMERIC = en_US.UTF-8
debug2: channel 0: request env confirm 0
debug3: Ignored env WINDOWID
debug3: Ignored env GNOME_KEYRING_CONTROL
debug3: Ignored env UPSTART_SESSION
debug3: Ignored env SHELL_SESSION_ID
debug3: Ignored env KDE_FULL_SESSION
debug3: Ignored env USER
debug1: Sending env LC_TELEPHONE = en_US.UTF-8
debug2: channel 0: request env confirm 0
debug3: Ignored env LS_COLORS
debug3: Ignored env XDG_SESSION_PATH
debug3: Ignored env XDG_SEAT_PATH
debug3: Ignored env SSH_AUTH_SOCK
debug3: Ignored env DEFAULTS_PATH
debug3: Ignored env SESSION_MANAGER
debug3: Ignored env XDG_CONFIG_DIRS
debug3: Ignored env MAIL
debug3: Ignored env PATH
debug3: Ignored env DESKTOP_SESSION
debug3: Ignored env QT_IM_MODULE
debug1: Sending env LC_IDENTIFICATION = en_US.UTF-8
debug2: channel 0: request env confirm 0
debug3: Ignored env PWD
debug3: Ignored env JOB
debug3: Ignored env XMODIFIERS
debug3: Ignored env KONSOLE_DBUS_WINDOW
debug3: Ignored env KDE_SESSION_UID
debug3: Ignored env GNOME_KEYRING_PID
debug1: Sending env LANG = en_US.UTF-8
debug2: channel 0: request env confirm 0
debug3: Ignored env GDM_LANG
debug3: Ignored env MANDATORY_PATH
debug1: Sending env LC_MEASUREMENT = en_US.UTF-8
debug2: channel 0: request env confirm 0
debug3: Ignored env IM_CONFIG_PHASE
debug3: Ignored env KONSOLE_DBUS_SESSION
debug3: Ignored env GDMSESSION
debug3: Ignored env SESSIONTYPE
debug3: Ignored env HOME
debug3: Ignored env XDG_SEAT
debug3: Ignored env SHLVL
debug3: Ignored env COLORFGBG
debug3: Ignored env LANGUAGE
debug3: Ignored env KDE_SESSION_VERSION
debug3: Ignored env XCURSOR_THEME
debug3: Ignored env UPSTART_INSTANCE
debug3: Ignored env PYTHONPATH
debug3: Ignored env LOGNAME
debug3: Ignored env UPSTART_EVENTS
debug3: Ignored env XDG_DATA_DIRS
debug3: Ignored env DBUS_SESSION_BUS_ADDRESS
debug3: Ignored env QT4_IM_MODULE
debug3: Ignored env LESSOPEN
debug3: Ignored env TEXTDOMAIN
debug3: Ignored env UPSTART_JOB
debug3: Ignored env INSTANCE
debug3: Ignored env DISPLAY
debug3: Ignored env XDG_RUNTIME_DIR
debug3: Ignored env PROFILEHOME
debug3: Ignored env QT_PLUGIN_PATH
debug3: Ignored env GTK_IM_MODULE
debug3: Ignored env XDG_CURRENT_DESKTOP
debug3: Ignored env PAM_KWALLET_LOGIN
debug1: Sending env LC_TIME = en_US.UTF-8
debug2: channel 0: request env confirm 0
debug3: Ignored env LESSCLOSE
debug3: Ignored env TEXTDOMAINDIR
debug1: Sending env LC_NAME = en_US.UTF-8
debug2: channel 0: request env confirm 0
debug3: Ignored env XAUTHORITY
debug3: Ignored env _
debug3: Ignored env OLDPWD
debug2: channel 0: request shell confirm 1
debug2: callback done
debug2: channel 0: open confirm rwindow 0 rmax 32768
debug2: channel_input_status_confirm: type 99 id 0
debug2: PTY allocation request accepted on channel 0
debug2: channel 0: rcvd adjust 2097152
debug2: channel_input_status_confirm: type 99 id 0
debug2: shell request accepted on channel 0
Welcome to MYSERVER!!
Last login: Tue Nov 1 21:05:47 2016 from 111.222.111.222
user@myserver:~$
решение1
debug1: Offering DSA public key: user@homedesktop
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Server accepts key: pkalg ssh-dss blen 433
debug2: input_userauth_pk_ok: fp d2:43:29:a0:88:06:a1:d2:1d:7a:65:15:4f:f8:95:eb
debug3: sign_and_send_pubkey: DSA d2:43:29:a0:88:06:a1:d2:1d:7a:65:15:4f:f8:95:eb
debug1: Authentication succeeded (publickey).
Authenticated to myserver.example.com ([123.234.123.234]:15555).
Говорит, что ключ хранится в вашей сессии в вашем ssh-agent. Запуск sshбез подключения к вашему ssh-agentне позволит вам получить доступ:
SSH_AUTH_SOCK="" ssh -vvv -p 15555 [email protected]
Также убийство агента сделает работу: eval $(ssh-agent -k)(если вы не используете gnome-keyring). В противном случае повторный вход из вашего DE "очистит" ключ.