我正在嘗試使用 sshd 設定 Centos 7 電腦網絡,以根據 AWS Simple Directory Service 目錄對公鑰進行身份驗證。
目前,我有一堆 Centos 主機、一個 Windows Server 2008 執行個體、使用 Amazon Web Service (AWS) Simple Directory Service 的目錄。 windows box 用於管理該目錄,Centos box 使用該目錄來驗證 SSH 會話。所有機器都已加入該目錄。
我已經驗證我能夠使用簡單的密碼身份驗證以本地用戶和網域用戶的身份透過 SSH 連接到 Centos 機器。同樣,我能夠使用本機帳戶和網域帳戶以及簡單的密碼身份驗證透過 RDP 進入 Windows 盒子。
sshPublicKey
然而,可以這麼說,AWS 在我的目錄中設定的模式不包含任何具有開箱即用欄位的類別。
因此,我使用 Windows 機器上的 Active Directory 架構管理單元將下列屬性新增至我的架構:
Common Name: sshPublicKey
OOID: 1.3.6.1.4.1.24552.1.1.1.13
Syntax: IA5-String
Multi-valued: true
然後我創建了以下類別:
Common Name: LDAP Public Key
OOID: 1.3.6.1.4.1.24552.500.1.1.2.0
Parent Class: top
Class Type: Auxiliary
Optional Attributes: sshPublicKey
然後,我使用 ADSI 管理單元將使用者公鑰的內容新增至sshPublicKey
目錄中的條目欄位。
在我的一台 Centos 機器上,我透過PasswordAuthentication no
在 sshd 的設定檔中設定停用了密碼身份驗證。
然後,我嘗試使用具有屬性集的目錄用戶 ssh 進入該 Centos 盒子sshPublicKey
:
$ ssh -l [email protected] -i ~/.ssh/path.to.key.pub centos.box -vvv;
OpenSSH_6.2p2, OSSLShim 0.9.8r 8 Dec 2011
debug1: Reading configuration data /Users/localuser/.ssh/config
debug1: Reading configuration data /etc/ssh_config
debug1: /etc/ssh_config line 20: Applying options for *
debug1: /etc/ssh_config line 53: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to centos.box [ip addy] port 22.
debug1: Connection established.
debug3: Incorrect RSA1 identifier
debug3: Could not load "~/.ssh/path.to.key.pub" as a RSA1 public key
debug1: identity file ~/.ssh/path.to.key.pub type 1
debug1: identity file ~/.ssh/path.to.key.pub type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.2
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.6.1
debug1: match: OpenSSH_6.6.1 pat OpenSSH*
debug2: fd 3 setting O_NONBLOCK
debug3: load_hostkeys: loading entries for host "centos.box" from file "/Users/localuser/.ssh/known_hosts"
debug3: load_hostkeys: found key type RSA in file /Users/localuser/.ssh/known_hosts:someLineNumber
debug3: load_hostkeys: loaded 1 keys
debug3: order_hostkeyalgs: prefer hostkeyalgs: [email protected],[email protected],ssh-rsa
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: [email protected],[email protected],ssh-rsa,[email protected],[email protected],ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,[email protected],[email protected],aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected]
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,[email protected],[email protected],aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected]
debug2: kex_parse_kexinit: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-md5,hmac-sha1,[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-md5,hmac-sha1,[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,[email protected],zlib
debug2: kex_parse_kexinit: none,[email protected],zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: [email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ecdsa-sha2-nistp256
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,[email protected],[email protected],[email protected],aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected]
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,[email protected],[email protected],[email protected],aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected]
debug2: kex_parse_kexinit: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-md5,hmac-sha1,[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-md5,hmac-sha1,[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,[email protected]
debug2: kex_parse_kexinit: none,[email protected]
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: found [email protected]
debug1: kex: server->client aes128-ctr [email protected] none
debug2: mac_setup: found [email protected]
debug1: kex: client->server aes128-ctr [email protected] none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 116/256
debug2: bits set: 535/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Server host key: RSA blah
debug3: load_hostkeys: loading entries for host "centos.box" from file "/Users/localuser/.ssh/known_hosts"
debug3: load_hostkeys: found key type RSA in file /Users/localuser/.ssh/known_hosts:someLine
debug3: load_hostkeys: loaded 1 keys
debug1: Host 'centos.box' is known and matches the RSA host key.
debug1: Found key in /Users/localuser/.ssh/known_hosts:27
debug2: bits set: 509/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /Users/localuser/.ssh/path.to.key.pub (0x7fb3cb600000), explicit
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug3: start over, passed a different list publickey,gssapi-keyex,gssapi-with-mic
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /Users/localuser/.ssh/path.to.key.pub
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
$
在 Centos 盒子上,我們得到:
$ sudo journalctl -felu sshd
....
Some Date centos.box sshd[a number]: Connection closed by 1.2.3.4 [preauth]
私鑰的權限是600
;公鑰的權限是644
我不確定如何檢查目錄服務主機上的伺服器日誌。
有什麼想法我做錯了嗎?
答案1
若要確保進行公鑰驗證sshd
對話,請在主機上執行下列操作:sssd
sshd
將以下行新增至文件
[sssd]
的部分/etc/sssd/sssd.conf
:services = ssh, [ all the other services already listed there as well ]
這告訴sssd
它應該與 交談sshd
。
如果那裡還沒有某個部分,請新增文件的
[ssh]
空白部分:[ssh]
/etc/sssd/sssd.conf
[ssh]
這是所有與之通訊的服務必需的配置部分sssd
。
將以下行新增至檔案
[domain/directory.server]
的部分/etc/sssd/sssd.conf
,其中directory.server
是目錄服務主機的完全限定網域名稱:ldap_user_ssh_public_key = sshPublicKey
這告訴sssd
我們使用哪個屬性來尋找sshd
使用者的公共 SSH 金鑰。 (使用的預設屬性sssd
是ipaSshPubKey
,可以在ipaSshUser
和ipaSshHost
類別的架構中找到。)
將以下行新增至您的
/etc/sshd/sshd_config
文件:AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys AuthorizedKeysCommandUser nobody
這告訴以 usersshd
身分執行該檔案。 為嘗試驗證主機的使用者取得授權金鑰。/usr/bin/sss_ssh_authorizedkeys
nobody
/usr/bin/sss_ssh_authorizedkeys
sshd
將以下行新增至您的
/etc/sshd/ssh_config
文件:GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h
這告訴sssd
添加客戶端的名稱和公鑰並/var/lib/sss/pubconf/known_hosts
連接到客戶端,使用可執行檔透過標準 I/O 管道所有通訊/usr/bin/sss_ssh_knownhostsproxy
。
重新啟動這兩個服務:
$ sudo systemctl reload sshd; $ sudo systemctl restart sshd; $ sudo systemctl restart sssd;