Permissões de diretório inicial impedindo a autenticação da chave ssh no Ubuntu Server 14.10

Question

Permissões de diretório inicial impedindo a autenticação da chave ssh no Ubuntu Server 14.10

#1 resposta do surfrock66 (2 votos)

0

Eu tenho o servidor ubuntu 14.10 com um servidor SSH nele, e tenho autenticação de senha funcionando bem do meu laptop System76 darter rodando Debian Sid. Eu quero mudar para a autenticação rsa-chave.

No sistema local, eu gerava a chave, colocava a chave pública no servidor, editava / etc / ssh / sshd_config para permitir a autenticação de chave e reinicializava o serviço. Quando tentei ssh no servidor, fui solicitado a fornecer uma senha. Parei o serviço e reiniciei o sshd no modo de depuração:

sudo /usr/sbin/sshd -d

Eu então tentei fazer o login e recebi as mensagens a seguir (eu editei um monte de coisas com # de um excesso de paranoia, mas não acho que seja relevante):

debug1: sshd version OpenSSH_6.6.1, OpenSSL 1.0.1f 6 Jan 2014
debug1: key_parse_private2: missing begin marker
debug1: read PEM private key done: type RSA
debug1: private host key: #0 type 1 RSA
debug1: key_parse_private2: missing begin marker
debug1: read PEM private key done: type DSA
debug1: private host key: #1 type 2 DSA
debug1: key_parse_private2: missing begin marker
debug1: read PEM private key done: type ECDSA
debug1: private host key: #2 type 3 ECDSA
debug1: rexec_argv[0]='/usr/sbin/sshd'
debug1: rexec_argv[1]='-d'
Set /proc/self/oom_score_adj from 0 to -1000
debug1: Bind to port ##### on 192.168.1.###.
Server listening on 192.168.1.### port #####.
debug1: Server will not fork when running in debugging mode.
debug1: rexec start in 4 out 4 newsock 4 pipe -1 sock 7
debug1: inetd sockets after dupping: 3, 3
Connection from 192.168.1.### port 34258 on 192.168.1.### port #####
debug1: Client protocol version 2.0; client software version OpenSSH_6.7p1 Debian-3
debug1: match: OpenSSH_6.7p1 Debian-3 pat OpenSSH* compat 0x04000000
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2
debug1: permanently_set_uid: 107/65534 [preauth]
debug1: list_hostkey_types: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256 [preauth]
debug1: SSH2_MSG_KEXINIT sent [preauth]
debug1: SSH2_MSG_KEXINIT received [preauth]
debug1: kex: client->server aes128-ctr [email protected] none [preauth]
debug1: kex: server->client aes128-ctr [email protected] none [preauth]
debug1: expecting SSH2_MSG_KEX_ECDH_INIT [preauth]
debug1: SSH2_MSG_NEWKEYS sent [preauth]
debug1: expecting SSH2_MSG_NEWKEYS [preauth]
debug1: SSH2_MSG_NEWKEYS received [preauth]
debug1: KEX done [preauth]
debug1: userauth-request for user surfrock66 service ssh-connection method non [preauth]
debug1: attempt 0 failures 0 [preauth]
debug1: PAM: initializing for "surfrock66"
debug1: PAM: setting PAM_RHOST to "sr66-darter.######.com"
debug1: PAM: setting PAM_TTY to "ssh"
debug1: userauth-request for user surfrock66 service ssh-connection method publickey [preauth]
debug1: attempt 1 failures 0 [preauth]
debug1: test whether pkalg/pkblob are acceptable [preauth]
debug1: temporarily_use_uid: 1000/1000 (e=0/0)
debug1: trying public key file /home/surfrock66/.ssh/authorized_keys
debug1: fd 4 clearing O_NONBLOCK
Authentication refused: bad ownership or modes for directory /home/surfrock66
debug1: restore_uid: 0/0
Failed publickey for surfrock66 from 192.168.1.### port 34258 ssh2: RSA ##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##
Connection closed by 192.168.1.### [preauth]
debug1: do_cleanup [preauth]
debug1: do_cleanup
debug1: PAM: cleanup
debug1: Killing privsep child 14705

Especificamente, vejo a linha Authentication refused: bad ownership or modes for directory /home/surfrock66

Eu fiz várias pesquisas e descobri problemas em torno de permissões no diretório .ssh e nos arquivos, mas nunca ouvi falar de um problema relacionado a problemas com as permissões do diretório inicial. Eu suspeito que tem a ver com o usuário que o sshd começa sob não ter direitos para o meu diretório home. Aqui estão as permissões relevantes:

surfrock66@sr66-blade:~$ ls -as1l /home/
total 12
4 drwxr-xr-x  3 root       root       4096 Sep  8  2013 .
4 drwxr-xr-x 22 root       root       4096 Dec 11 07:47 ..
4 drwxrwxrwx 54 surfrock66 surfrock66 4096 Dec 28 12:30 surfrock66

surfrock66@sr66-blade:~$ ls -as1l /home/surfrock66/ | grep .ssh
4 drwx------    2 surfrock66 surfrock66  4096 Dec 28 12:04 .ssh

surfrock66@sr66-blade:~$ ls -as1l /home/surfrock66/.ssh/
total 28
4 drwx------  2 surfrock66 surfrock66 4096 Dec 28 12:04 .
4 drwxrwxrwx 54 surfrock66 surfrock66 4096 Dec 28 12:30 ..
4 -rw-r--r--  1 surfrock66 surfrock66  404 Dec 28 12:04 authorized_keys
4 -rw-------  1 surfrock66 surfrock66 1679 Nov 12  2012 id_rsa
4 -rw-r--r--  1 surfrock66 surfrock66  403 Nov 12  2012 id_rsa.pub
4 -rw-------  1 surfrock66 surfrock66 3964 Nov 10 19:51 known_hosts
4 -rw-------  1 surfrock66 surfrock66 3078 Dec 10  2013 known_hosts.old

Se for útil, aqui está a saída de /var/log/auth.log durante a execução e falha do login do servidor:

Dec 28 14:32:30 sr66-blade sudo: surfrock66 : TTY=pts/3 ; PWD=/home/surfrock66 ; USER=root ; COMMAND=/usr/sbin/sshd -d
Dec 28 14:32:30 sr66-blade sudo: pam_unix(sudo:session): session opened for user root by surfrock66(uid=0)
Dec 28 14:32:32 sr66-blade sshd[27862]: debug1: sshd version OpenSSH_6.6.1, OpenSSL 1.0.1f 6 Jan 2014
Dec 28 14:32:32 sr66-blade sshd[27862]: debug1: key_parse_private2: missing begin marker
Dec 28 14:32:32 sr66-blade sshd[27862]: debug1: read PEM private key done: type RSA
Dec 28 14:32:32 sr66-blade sshd[27862]: debug1: private host key: #0 type 1 RSA
Dec 28 14:32:32 sr66-blade sshd[27862]: debug1: key_parse_private2: missing begin marker
Dec 28 14:32:32 sr66-blade sshd[27862]: debug1: read PEM private key done: type DSA
Dec 28 14:32:32 sr66-blade sshd[27862]: debug1: private host key: #1 type 2 DSA
Dec 28 14:32:32 sr66-blade sshd[27862]: debug1: key_parse_private2: missing begin marker
Dec 28 14:32:32 sr66-blade sshd[27862]: debug1: read PEM private key done: type ECDSA
Dec 28 14:32:32 sr66-blade sshd[27862]: debug1: private host key: #2 type 3 ECDSA
Dec 28 14:32:35 sr66-blade sudo: pam_unix(sudo:session): session closed for user root
Dec 28 14:32:44 sr66-blade sudo: surfrock66 : TTY=pts/3 ; PWD=/home/surfrock66 ; USER=root ; COMMAND=/usr/bin/tail -n /var/log/auth.log
Dec 28 14:32:44 sr66-blade sudo: pam_unix(sudo:session): session opened for user root by surfrock66(uid=0)
Dec 28 14:32:44 sr66-blade sudo: pam_unix(sudo:session): session closed for user root
Dec 28 14:32:48 sr66-blade sudo: surfrock66 : TTY=pts/3 ; PWD=/home/surfrock66 ; USER=root ; COMMAND=/usr/bin/tail -n 100 /var/log/auth.log
Dec 28 14:32:48 sr66-blade sudo: pam_unix(sudo:session): session opened for user root by surfrock66(uid=0)

Aqui está o / etc / ssh / sshd_config

surfrock66@sr66-blade:~$ cat /etc/ssh/sshd_config 
# Package generated configuration file
# See the sshd_config(5) manpage for details

# What ports, IPs and protocols we listen for
Port #####
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
ListenAddress 192.168.1.###
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes

# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 1024

# Logging
SyslogFacility AUTH
LogLevel INFO

# Authentication:
LoginGraceTime 120
PermitRootLogin no 
StrictModes yes

RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile  %h/.ssh/authorized_keys

# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes

# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no

# Change to no to disable tunnelled clear text passwords
#PasswordAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no

#MaxStartups 10:30:60
#Banner /etc/issue.net

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

Subsystem sftp /usr/lib/openssh/sftp-server

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes

Para completar, aqui está o / etc / ssh / ssh_config

surfrock66@sr66-blade:~$ cat /etc/ssh/ssh_config 

# This is the ssh client system-wide configuration file.  See
# ssh_config(5) for more information.  This file provides defaults for
# users, and the values can be changed in per-user configuration files
# or on the command line.

# Configuration data is parsed as follows:
#  1. command line options
#  2. user-specific file
#  3. system-wide file
# Any configuration value is only changed the first time it is set.
# Thus, host-specific definitions should be at the beginning of the
# configuration file, and defaults at the end.

# Site-wide defaults for some commonly used options.  For a comprehensive
# list of available options, their meanings and defaults, please see the
# ssh_config(5) man page.

Host *
    ForwardAgent yes
    ForwardX11 yes
    ForwardX11Trusted yes
#   RhostsRSAAuthentication no
    RSAAuthentication yes
#   PasswordAuthentication yes
#   HostbasedAuthentication no
#   GSSAPIAuthentication no
#   GSSAPIDelegateCredentials no
#   GSSAPIKeyExchange no
#   GSSAPITrustDNS no
#   BatchMode no
#   CheckHostIP yes
#   AddressFamily any
#   ConnectTimeout 0
#   StrictHostKeyChecking ask
#   IdentityFile ~/.ssh/identity
#   IdentityFile ~/.ssh/id_rsa
#   IdentityFile ~/.ssh/id_dsa
#   Port 22
#   Protocol 2,1
#   Cipher 3des
#   Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc
#   MACs hmac-md5,hmac-sha1,[email protected],hmac-ripemd160
#   EscapeChar ~
#   Tunnel no
#   TunnelDevice any:any
#   PermitLocalCommand no
#   VisualHostKey no
#   ProxyCommand ssh -q -W %h:%p gateway.example.com
#   RekeyLimit 1G 1h
    SendEnv LANG LC_*
    HashKnownHosts yes
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials no

Qualquer ajuda / pensamentos são apreciados!

por surfrock66 28.12.2014 / 23:43

1 resposta

Como definir o $ PATH no Ubuntu Eu tenho dois arquivos Preseed, um é "corrompido" e outro é bom

score 2 · Answer 1

Encontrei a resposta aqui: link

Acontece que / home / surfrock66 não pode ser 777 (o que não deveria ter acontecido de qualquer maneira). Agora é 750 e funciona perfeitamente.