OpenSSH host-based authentication - mm_answer_keyallowed: key 0x58c400 is disallowed


I am trying to set up host-based authentication for a small set of hosts. I think I have everything in place:

  • Copied the public host keys into /etc/ssh/ssh_known_hosts
  • Put all the hosts into /etc/shosts.equiv
  • Enabled HostbasedAuthentication in /etc/ssh/sshd_config and /etc/ssh/ssh_config
  • Made the /usr/lib64/ssh/ssh-keysign binary setuid and set EnableSSHKeysign yes in /etc/ssh/ssh_config on the client

However, it still does not work. Running the server in debug mode I get the following output:

debug1: attempt 0 failures 0
debug3: mm_getpwnamallow entering
debug3: mm_request_send entering: type 6
debug3: monitor_read: checking request 6
debug3: mm_answer_pwnamallow
debug3: Trying to reverse map address 10.3.128.10.
debug3: mm_getpwnamallow: waiting for MONITOR_ANS_PWNAM
debug3: mm_request_receive_expect entering: type 7
debug3: mm_request_receive entering
debug2: parse_server_config: config reprocess config len 137
debug3: mm_answer_pwnamallow: sending MONITOR_ANS_PWNAM: 1
debug3: mm_request_send entering: type 7
debug2: monitor_read: 6 used once, disabling now
debug3: mm_request_receive entering
debug2: input_userauth_request: setting up authctxt for kamil
debug3: mm_start_pam entering
debug3: mm_request_send entering: type 45
debug3: mm_inform_authserv entering
debug3: mm_request_send entering: type 3
debug2: input_userauth_request: try method none
debug3: monitor_read: checking request 45
debug1: PAM: initializing for "kamil"
debug1: PAM: setting PAM_RHOST to "foo.bar.com"
debug1: PAM: setting PAM_TTY to "ssh"
debug2: monitor_read: 45 used once, disabling now
debug3: mm_request_receive entering
debug3: monitor_read: checking request 3
debug3: mm_answer_authserv: service=ssh-connection, style=
debug2: monitor_read: 3 used once, disabling now
debug3: mm_request_receive entering
debug1: userauth-request for user kamil service ssh-connection method hostbased
debug1: attempt 1 failures 1
debug2: input_userauth_request: try method hostbased
debug1: userauth_hostbased: cuser kamil chost foo.bar.com. pkalg ssh-dss slen 55
debug3: mm_key_allowed entering
debug3: mm_request_send entering: type 20
debug3: monitor_read: checking request 20
debug3: mm_answer_keyallowed entering
debug3: mm_answer_keyallowed: key_from_blob: 0x58c400
debug2: userauth_hostbased: chost foo.bar.com. resolvedname foo.bar.com ipaddr 10.3.128.10
debug2: stripping trailing dot from chost foo.bar.com.
debug2: auth_rhosts2: clientuser kamil hostname foo.bar.com ipaddr 10.3.128.10
debug1: temporarily_use_uid: 1031/1028 (e=0/0)
debug3: mm_key_allowed: waiting for MONITOR_ANS_KEYALLOWED
debug3: mm_request_receive_expect entering: type 21
debug3: mm_request_receive entering
debug1: restore_uid: 0/0
debug1: temporarily_use_uid: 1031/1028 (e=0/0)
debug1: restore_uid: 0/0
Failed hostbased for kamil from 10.3.128.10 port 55105 ssh2
debug3: mm_answer_keyallowed: key 0x58c400 is disallowed
debug3: mm_request_send entering: type 21
debug3: mm_request_receive entering
debug2: userauth_hostbased: authenticated 0
debug1: userauth-request for user kamil service ssh-connection method hostbased
debug1: attempt 2 failures 2
debug2: input_userauth_request: try method hostbased
debug1: userauth_hostbased: cuser kamil chost foo.bar.com. pkalg ssh-rsa slen 143
debug3: mm_key_allowed entering
debug3: mm_request_send entering: type 20
debug3: monitor_read: checking request 20
debug3: mm_answer_keyallowed entering
debug3: mm_answer_keyallowed: key_from_blob: 0x58c400
debug2: userauth_hostbased: chost foo.bar.com. resolvedname foo.bar.com ipaddr 10.3.128.10
debug2: stripping trailing dot from chost foo.bar.com.
debug2: auth_rhosts2: clientuser kamil hostname foo.bar.com ipaddr 10.3.128.10
debug1: temporarily_use_uid: 1031/1028 (e=0/0)
debug1: restore_uid: 0/0
debug1: temporarily_use_uid: 1031/1028 (e=0/0)
debug1: restore_uid: 0/0
Failed hostbased for kamil from 10.3.128.10 port 55105 ssh2
debug3: mm_answer_keyallowed: key 0x58c400 is disallowed
debug3: mm_request_send entering: type 21
debug3: mm_request_receive entering
debug3: mm_key_allowed: waiting for MONITOR_ANS_KEYALLOWED
debug3: mm_request_receive_expect entering: type 21
debug3: mm_request_receive entering
debug2: userauth_hostbased: authenticated 0
debug1: userauth-request for user kamil service ssh-connection method keyboard-interactive
debug1: attempt 3 failures 3
debug2: input_userauth_request: try method keyboard-interactive

The crux of the problem seems to be this line:

debug3: mm_answer_keyallowed: key 0x58c400 is disallowed

Any ideas?

Answer 1

Is EnableSSHKeysign turned on on the client? That was the other piece I needed to get host-based authentication working.

Answer 2

OK, my big mistake. I had created /etc/shosts.equiv instead of /etc/ssh/shosts.equiv (see point 2 of my question). The reason it worked on some of my other systems is that they also had /etc/hosts.equiv, a leftover file from some earlier work by a colleague.

With the right file in the right place things work much better. Some poking around with strace on the server, to find out which files it was reading and what it read from them, eventually gave me the answer.
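The mistake above is easy to repeat, so here is a small server-side check for the file locations this thread turns on. It is an added example, not part of the original answer; the function name and the optional root argument (used to run it against a constructed directory tree instead of the live /etc) are assumptions.

```shell
#!/bin/sh
# Added example: verify the sshd-side files needed for hostbased authentication.
# check_hostbased_files [root]  - root defaults to "" (the live system).
# Prints one line per finding and returns the number of problems found.
check_hostbased_files() {
  root=${1:-}
  problems=0

  # sshd reads /etc/ssh/shosts.equiv; a file at /etc/shosts.equiv is ignored.
  if [ -f "$root/etc/ssh/shosts.equiv" ]; then
    echo "ok: /etc/ssh/shosts.equiv present"
  else
    echo "problem: /etc/ssh/shosts.equiv missing"
    problems=$((problems + 1))
  fi
  if [ -f "$root/etc/shosts.equiv" ]; then
    echo "problem: /etc/shosts.equiv exists but sshd does not read it (wrong directory)"
    problems=$((problems + 1))
  fi

  # /etc/hosts.equiv also grants hostbased logins; flag it so a stale copy is noticed.
  if [ -f "$root/etc/hosts.equiv" ]; then
    echo "note: /etc/hosts.equiv present; it also grants hostbased logins"
  fi

  # Client host keys must be known to the server.
  if [ -f "$root/etc/ssh/ssh_known_hosts" ]; then
    echo "ok: /etc/ssh/ssh_known_hosts present"
  else
    echo "problem: /etc/ssh/ssh_known_hosts missing"
    problems=$((problems + 1))
  fi

  # HostbasedAuthentication defaults to "no"; keywords are case-insensitive.
  if grep -Eiq '^[[:space:]]*HostbasedAuthentication[[:space:]]+yes' \
       "$root/etc/ssh/sshd_config" 2>/dev/null; then
    echo "ok: HostbasedAuthentication yes in sshd_config"
  else
    echo "problem: HostbasedAuthentication not enabled in sshd_config"
    problems=$((problems + 1))
  fi

  return "$problems"
}

# Run against the given root when invoked directly with an argument.
case ${1-} in
  "") ;;
  *) check_hostbased_files "$1"; exit $? ;;
esac
```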

Answer 3

Are you using an old host key on Debian? The openssh-blacklist package may block the use of keys affected by the infamous SSL vulnerability.

If that is the case, regenerate the host key.
