所以,我有一个相当奇怪的问题.我有一台服务器,当我尝试SSH进入时,如果我在第一次尝试时输入正确的密码,立即关闭连接.但是,如果我在第一次尝试时故意输入错误的密码,然后在第二次或第三次提示时输入正确的密码,它会成功将我登录到计算机中.同样,当我尝试使用公钥认证时,我得到一个立即关闭的连接.但是,如果我为密钥文件输入了错误的密码,然后在恢复密码验证后再输入错误的密码,只要我在第二个或第三个提示符下提供正确的密码,我就能成功登录.
该机器正在运行红帽企业Linux服务器版本6.2(圣地亚哥),并使用LDAP和PAM进行身份验证.关于从哪里开始调试这个的想法?让我知道我需要提供哪些配置文件,我很乐意这样做.
这是一些调试信息.以下代码块按顺序代表这三种情况:1)首次尝试更正私钥密码,2)跳过私钥,首次尝试更正常密码,3)跳过私钥,故意输入错误密码,然后进入好的……这是实际让我连接的唯一场景.
OpenSSH_5.9p1 Debian-5ubuntu1,OpenSSL 1.0.1 14 Mar 2012 debug1: Reading configuration data /etc/ssh/ssh_config debug1: /etc/ssh/ssh_config line 19: Applying options for * debug2: ssh_connect: needpriv 0 debug1: Connecting to [removed for privacy]. debug1: Connection established. debug3: Incorrect RSA1 identifier debug3: Could not load "/home/trevor/.ssh/id_rsa" as a RSA1 public key debug1: identity file /home/trevor/.ssh/id_rsa type 1 debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-2048 debug1: Checking blacklist file /etc/ssh/blacklist.RSA-2048 debug1: identity file /home/trevor/.ssh/id_rsa-cert type -1 debug1: identity file /home/trevor/.ssh/id_dsa type -1 debug1: identity file /home/trevor/.ssh/id_dsa-cert type -1 debug1: identity file /home/trevor/.ssh/id_ecdsa type -1 debug1: identity file /home/trevor/.ssh/id_ecdsa-cert type -1 debug1: Remote protocol version 2.0,remote software version OpenSSH_5.3 debug1: match: OpenSSH_5.3 pat OpenSSH* debug1: Enabling compatibility mode for protocol 2.0 debug1: Local version string SSH-2.0-OpenSSH_5.9p1 Debian-5ubuntu1 debug2: fd 3 setting O_NONBLOCK debug3: load_hostkeys: loading entries for host "[removed]" from file "/home/trevor/.ssh/known_hosts" debug3: load_hostkeys: found key type RSA in file /home/trevor/.ssh/known_hosts:90 debug3: load_hostkeys: loaded 1 keys debug3: order_hostkeyalgs: prefer hostkeyalgs: ssh-rsa-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ssh-rsa debug1: SSH2_MSG_KEXINIT sent debug1: SSH2_MSG_KEXINIT received debug2: kex_parse_kexinit: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 debug2: kex_parse_kexinit: ssh-rsa-cert-v01@openssh.com,ssh-rsa,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,ssh-dss-cert-v00@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-dss debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se debug2: kex_parse_kexinit: aes128-ctr,rijndael-cbc@lysator.liu.se debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-256-96,hmac-sha2-512,hmac-sha2-512-96,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: hmac-md5,hmac-md5-96 debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib debug2: kex_parse_kexinit: none,zlib debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: first_kex_follows 0 debug2: kex_parse_kexinit: reserved 0 debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group1-sha1 debug2: kex_parse_kexinit: ssh-rsa,zlib@openssh.com debug2: kex_parse_kexinit: none,zlib@openssh.com debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: first_kex_follows 0 debug2: kex_parse_kexinit: reserved 0 debug2: mac_setup: found hmac-md5 debug1: kex: server->client aes128-ctr hmac-md5 none debug2: mac_setup: found hmac-md5 debug1: kex: client->server aes128-ctr hmac-md5 none debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP debug2: dh_gen_key: priv key bits set: 120/256 debug2: bits set: 531/1024 debug1: SSH2_MSG_KEX_DH_GEX_INIT sent debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY debug1: Server host key: RSA cb:1c:78:3f:f7:7d:8a:10:27:86:a3:12:0c:27:f4:19 debug3: load_hostkeys: loading entries for host "[removed]" from file "/home/trevor/.ssh/known_hosts" debug3: load_hostkeys: found key type RSA in file /home/trevor/.ssh/known_hosts:90 debug3: load_hostkeys: loaded 1 keys debug3: load_hostkeys: loading entries for host "[removed]" from file "/home/trevor/.ssh/known_hosts" debug3: load_hostkeys: found key type RSA in file /home/trevor/.ssh/known_hosts:80 debug3: load_hostkeys: loaded 1 keys debug1: Host '[removed]' is known and matches the RSA host key. debug1: Found key in /home/trevor/.ssh/known_hosts:90 debug2: bits set: 541/1024 debug1: ssh_rsa_verify: signature correct debug2: kex_derive_keys debug2: set_newkeys: mode 1 debug1: SSH2_MSG_NEWKEYS sent debug1: expecting SSH2_MSG_NEWKEYS debug2: set_newkeys: mode 0 debug1: SSH2_MSG_NEWKEYS received debug1: Roaming not allowed by server debug1: SSH2_MSG_SERVICE_REQUEST sent debug2: service_accept: ssh-userauth debug1: SSH2_MSG_SERVICE_ACCEPT received debug2: key: /home/trevor/.ssh/id_rsa (0x7f3a228127d0) debug2: key: /home/trevor/.ssh/id_dsa ((nil)) debug2: key: /home/trevor/.ssh/id_ecdsa ((nil)) debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password debug3: start over,passed a different list publickey,password debug3: preferred gssapi-keyex,publickey,keyboard-interactive,password debug3: authmethod_lookup gssapi-keyex debug3: remaining preferred: gssapi-with-mic,password debug3: authmethod_is_enabled gssapi-keyex debug1: Next authentication method: gssapi-keyex debug1: No valid Key exchange context debug2: we did not send a packet,disable method debug3: authmethod_lookup gssapi-with-mic debug3: remaining preferred: publickey,password debug3: authmethod_is_enabled gssapi-with-mic debug1: Next authentication method: gssapi-with-mic debug1: Unspecified GSS failure. Minor code may provide more information Credentials cache file '/tmp/krb5cc_1000' not found debug1: Unspecified GSS failure. Minor code may provide more information Credentials cache file '/tmp/krb5cc_1000' not found debug1: Unspecified GSS failure. Minor code may provide more information debug1: Unspecified GSS failure. Minor code may provide more information Credentials cache file '/tmp/krb5cc_1000' not found debug2: we did not send a packet,disable method debug3: authmethod_lookup publickey debug3: remaining preferred: keyboard-interactive,password debug3: authmethod_is_enabled publickey debug1: Next authentication method: publickey debug1: Offering RSA public key: /home/trevor/.ssh/id_rsa debug3: send_pubkey_test debug2: we sent a publickey packet,wait for reply debug1: Server accepts key: pkalg ssh-rsa blen 279 debug2: input_userauth_pk_ok: fp 9c:b0:15:a4:92:9c:a5:31:8b:00:ea:f6:cb:e1:96:17 debug3: sign_and_send_pubkey: RSA 9c:b0:15:a4:92:9c:a5:31:8b:00:ea:f6:cb:e1:96:17 debug1: key_parse_private_pem: PEM_read_PrivateKey Failed debug1: read PEM private key done: type <unknown> Enter passphrase for key '/home/trevor/.ssh/id_rsa': debug1: read PEM private key done: type RSA Connection closed by [removed_ip]
现在我跳过私钥,并在第一次尝试时使用正确的用户密码:
Enter passphrase for key '/home/trevor/.ssh/id_rsa': debug2: no passphrase given,try next key debug1: Trying private key: /home/trevor/.ssh/id_dsa debug3: no such identity: /home/trevor/.ssh/id_dsa debug1: Trying private key: /home/trevor/.ssh/id_ecdsa debug3: no such identity: /home/trevor/.ssh/id_ecdsa debug2: we did not send a packet,disable method debug3: authmethod_lookup password debug3: remaining preferred:,password debug3: authmethod_is_enabled password debug1: Next authentication method: password [user]@[server]'s password: debug3: packet_send2: adding [##] (len [##] padlen [#] extra_pad [##]) debug2: we sent a password packet,wait for reply Connection closed by [removed_ip]
最后我跳过私钥,输入错误的密码,然后在第二次尝试时输入正确的密码,这种方法最终让我进去
小号
debug1: Next authentication method: password [user]@[server]'s password: debug3: packet_send2: adding [##] (len [##] padlen [#] extra_pad [##]) debug2: we sent a password packet,wait for reply debug1: Authentications that can continue: publickey,password Permission denied,please try again. [user]@[server]'s password: debug3: packet_send2: adding [##] (len [##] padlen [##] extra_pad [#]) debug2: we sent a password packet,wait for reply debug1: Authentication succeeded (password). Authenticated to [server] ([[server_ip]]:22). debug1: channel 0: new [client-session] debug3: ssh_session2_open: channel_new: 0 debug2: channel 0: send open debug1: Requesting no-more-sessions@openssh.com debug1: Entering interactive session. debug2: callback start debug2: x11_get_proto: /usr/bin/xauth list :0 2>/dev/null debug1: Requesting X11 forwarding with authentication spoofing. debug2: channel 0: request x11-req confirm 1 debug1: Requesting authentication agent forwarding. debug2: channel 0: request auth-agent-req@openssh.com confirm 0 debug2: client_session2_setup: id 0 debug2: fd 3 setting TCP_NODELAY debug2: channel 0: request pty-req confirm 1 debug1: Sending environment. debug3: Ignored env LANGUAGE debug3: Ignored env KDE_MULTIHEAD debug3: Ignored env KDE_SESSION_VERSION debug3: Ignored env KONSOLE_DBUS_SERVICE debug3: Ignored env LOGNAME debug3: Ignored env WINDOWPATH debug3: Ignored env GTK_MODULES debug3: Ignored env GTK2_RC_FILES debug3: Ignored env KDE_FULL_SESSION debug3: Ignored env SHLVL debug3: Ignored env DBUS_SESSION_BUS_ADDRESS debug3: Ignored env PATH debug3: Ignored env USER debug1: Sending env LANG = en_US.UTF-8 debug2: channel 0: request env confirm 0 debug3: Ignored env DEFAULTS_PATH debug3: Ignored env GTK_RC_FILES debug3: Ignored env WINDOWID debug3: Ignored env XCURSOR_SIZE debug3: Ignored env XDG_CONFIG_DIRS debug3: Ignored env XDM_MANAGED debug3: Ignored env XDG_DATA_DIRS debug3: Ignored env DM_CONTROL debug3: Ignored env _ debug3: Ignored env DISPLAY debug3: Ignored env PWD debug3: Ignored env XCURSOR_THEME debug3: Ignored env GS_LIB debug3: Ignored env COLORFGBG debug3: Ignored env KDE_SESSION_UID debug3: Ignored env SSH_AGENT_PID debug3: Ignored env XDG_SESSION_COOKIE debug3: Ignored env OLDPWD debug3: Ignored env TERM debug3: Ignored env PROFILEHOME debug3: Ignored env SESSION_MANAGER debug3: Ignored env UBUNTU_MENUPROXY debug3: Ignored env QT_PLUGIN_PATH debug3: Ignored env SSH_AUTH_SOCK debug3: Ignored env KONSOLE_DBUS_SESSION debug3: Ignored env DESKTOP_SESSION debug3: Ignored env MANDATORY_PATH debug3: Ignored env SHELL_SESSION_ID debug3: Ignored env HOME debug3: Ignored env SHELL debug3: Ignored env GREP_OPTIONS debug3: Ignored env GREP_COLOR debug3: Ignored env PAGER debug1: Sending env LC_CTYPE = en_US.UTF-8 debug2: channel 0: request env confirm 0 debug3: Ignored env LSCOLORS debug3: Ignored env rvm_prefix debug3: Ignored env rvm_path debug3: Ignored env __array_start debug3: Ignored env rvm_bin_path debug3: Ignored env escape_flag debug3: Ignored env _first debug3: Ignored env _second debug3: Ignored env rvm_version debug3: Ignored env RUBY_VERSION debug3: Ignored env GEM_HOME debug3: Ignored env GEM_PATH debug3: Ignored env MY_RUBY_HOME debug3: Ignored env IRBRC debug3: Ignored env rvm_alias_expanded debug3: Ignored env rvm_docs_type debug3: Ignored env rvm_gemstone_package_file debug3: Ignored env rvm_gemstone_url debug3: Ignored env rvm_niceness debug3: Ignored env rvm_nightly_flag debug3: Ignored env rvm_proxy debug3: Ignored env rvm_quiet_flag debug3: Ignored env rvm_ruby_file debug3: Ignored env rvm_ruby_make debug3: Ignored env rvm_ruby_make_install debug3: Ignored env rvm_ruby_mode debug3: Ignored env rvm_script_name debug3: Ignored env rvm_sdk debug3: Ignored env rvm_silent_flag debug3: Ignored env rvm_wrapper_name debug2: channel 0: request shell confirm 1 debug2: callback done debug2: channel 0: open confirm rwindow 0 rmax 32768 debug2: channel_input_status_confirm: type 99 id 0 debug2: X11 forwarding request accepted on channel 0 debug2: channel_input_status_confirm: type 99 id 0 debug2: PTY allocation request accepted on channel 0 debug2: channel 0: rcvd adjust 2097152 debug2: channel_input_status_confirm: type 99 id 0 debug2: shell request accepted on channel 0 Last login: [DateTime removed] from [location removed]
从调试代码可以看出,我的名字是Trevor.谢谢您的帮助!让我知道我需要包含哪些pam配置文件.
根据评论中的每个请求,这里有一些日志/调试信息.
/ var / log / secure(我的用户名是twhitney):
Oct 9 12:01:26 [server] sshd[25087]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=[removed] user=twhitney Oct 9 12:01:26 [server] sshd[25087]: pam_krb5[25087]: authentication fails for 'twhitney' (twhitney@[domain]): Authentication failure (Decrypt integrity check Failed) Oct 9 12:01:26 [server] sshd[25087]: pam_ldap: ldap_starttls_s: Operations error Oct 9 12:01:28 [server] sshd[25087]: Failed password for twhitney from [server_ip] port 47541 ssh2 Oct 9 12:01:32 [server] sshd[25087]: Accepted password for twhitney from [server_ip] port 47541 ssh2 Oct 9 12:01:32 [server] sshd[25087]: pam_unix(sshd:session): session opened for user twhitney by (uid=0)
这里的关键线索可能是“pam_ldap:ldap_starttls_s:操作错误”,我将不得不对此进行一些研究.
接下来是pam配置.我将从/etc/pam.d/system-auth开始:
auth required pam_env.so auth sufficient pam_unix.so nullok try_first_pass auth requisite pam_succeed_if.so uid >= 500 quiet auth sufficient pam_sss.so use_first_pass auth required pam_deny.so account required pam_unix.so broken_shadow account sufficient pam_localuser.so account sufficient pam_succeed_if.so uid < 500 quiet account [default=bad success=ok user_unknown=ignore] pam_sss.so account required pam_permit.so password requisite pam_cracklib.so try_first_pass retry=3 type= password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok password sufficient pam_sss.so use_authok password required pam_deny.so session required pam_oddjob_mkhomedir.so skel=/etc/skel/ umask=0027 session optional pam_keyinit.so revoke session required pam_limits.so session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid session sufficient pam_sss.so session required pam_unix.so
现在/etc/pam.d/password-auth:
auth required pam_env.so auth sufficient pam_unix.so nullok try_first_pass auth requisite pam_succeed_if.so uid >= 500 quiet auth sufficient pam_krb5.so use_first_pass auth sufficient pam_ldap.so use_first_pass auth required pam_deny.so account required pam_unix.so broken_shadow account sufficient pam_localuser.so account sufficient pam_succeed_if.so uid < 500 quiet account [default=bad success=ok user_unknown=ignore] pam_ldap.so account [default=bad success=ok user_unknown=ignore] pam_krb5.so account required pam_permit.so password requisite pam_cracklib.so try_first_pass retry=3 type= password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok password sufficient pam_krb5.so use_authtok password sufficient pam_ldap.so use_authtok password required pam_deny.so session optional pam_keyinit.so revoke session required pam_limits.so session optional pam_oddjob_mkhomedir.so skel=/etc/skel/ umask=0027 session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid session required pam_unix.so session optional pam_krb5.so session optional pam_ldap.so
再次感谢你能解决我的难题!