SSH sem senha não funciona com o usuário postgres

3

Eu tentei adicionar manualmente a chave do pub a authorized_keys e authorized_keys2. Eu também verifiquei duas vezes as permissões em .ssh (700) e authorized_keys (644). Eu posso fazer o login sem senha na mesma máquina usando outro usuário (usuário do servidor).

Aqui está a saída do ssh -vvv:

ssh postgres@java7 -vvv
OpenSSH_4.3p2, OpenSSL 0.9.8b 04 May 2006
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to java7 [192.168.120.28] port 22.
debug1: Connection established.
debug1: identity file /home/informix/.ssh/identity type -1
debug3: Not a RSA1 key file /home/informix/.ssh/id_rsa.
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug3: key_read: missing keytype
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug2: key_type_from_name: unknown key type '-----END'
debug3: key_read: missing keytype
debug1: identity file /home/informix/.ssh/id_rsa type 1
debug1: identity file /home/informix/.ssh/id_dsa type -1
debug1: loaded 3 keys
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
debug1: match: OpenSSH_5.3 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.3
debug2: fd 3 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,[email protected],aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,[email protected],aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,[email protected],zlib
debug2: kex_parse_kexinit: none,[email protected],zlib
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: first_kex_follows 0 
debug2: kex_parse_kexinit: reserved 0 
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected]
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected]
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,[email protected],hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,[email protected],hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,[email protected]
debug2: kex_parse_kexinit: none,[email protected]
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: first_kex_follows 0 
debug2: kex_parse_kexinit: reserved 0 
debug2: mac_init: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 none
debug2: mac_init: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 118/256
debug2: bits set: 497/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug3: check_host_in_hostfile: filename /home/informix/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 86
debug3: check_host_in_hostfile: filename /home/informix/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 82
debug1: Host 'java7' is known and matches the RSA host key.
debug1: Found key in /home/informix/.ssh/known_hosts:86
debug2: bits set: 513/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /home/informix/.ssh/id_rsa (0x555560bb41c0)
debug2: key: /home/informix/.ssh/identity ((nil))
debug2: key: /home/informix/.ssh/id_rsa (0x555560bae620)
debug2: key: /home/informix/.ssh/id_dsa ((nil))
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug3: start over, passed a different list publickey,gssapi-keyex,gssapi-with-mic,password
debug3: preferred gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup gssapi-with-mic
debug3: remaining preferred: publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-with-mic
debug1: Next authentication method: gssapi-with-mic
debug3: Trying to reverse map address 192.168.120.28.
debug1: Unspecified GSS failure.  Minor code may provide more information
Unknown code krb5 195

debug1: Unspecified GSS failure.  Minor code may provide more information
Unknown code krb5 195

debug1: Unspecified GSS failure.  Minor code may provide more information
Unknown code krb5 195

debug2: we did not send a packet, disable method
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering public key: /home/informix/.ssh/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Trying private key: /home/informix/.ssh/identity
debug3: no such identity: /home/informix/.ssh/identity
debug1: Offering public key: /home/informix/.ssh/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Trying private key: /home/informix/.ssh/id_dsa
debug3: no such identity: /home/informix/.ssh/id_dsa
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred: ,password
debug3: authmethod_is_enabled password
debug1: Next authentication method: password
postgres@java7's password: 

Editar:

This is an excerpt of what the ssh server on a different port says:
debug1: PAM: initializing for "postgres"
debug1: PAM: setting PAM_RHOST to "192.168.120.97"
debug1: PAM: setting PAM_TTY to "ssh"
debug1: userauth-request for user postgres service ssh-connection method publickey
debug1: attempt 1 failures 0
debug1: test whether pkalg/pkblob are acceptable
debug1: temporarily_use_uid: 26/26 (e=0/0)
debug1: trying public key file /var/lib/pgsql/.ssh/authorized_keys
debug1: fd 4 clearing O_NONBLOCK
debug1: matching key found: file /var/lib/pgsql/.ssh/authorized_keys, line 4
Found matching RSA key: f5:79:bb:f0:df:57:a3:ee:83:cc:33:a5:1b:b2:5d:ee
debug1: restore_uid: 0/0
Postponed publickey for postgres from 192.168.120.97 port 45341 ssh2
debug1: userauth-request for user postgres service ssh-connection method publickey
debug1: attempt 2 failures 0
debug1: temporarily_use_uid: 26/26 (e=0/0)
debug1: trying public key file /var/lib/pgsql/.ssh/authorized_keys
debug1: fd 4 clearing O_NONBLOCK
debug1: matching key found: file /var/lib/pgsql/.ssh/authorized_keys, line 4
Found matching RSA key: f5:79:bb:f0:df:57:a3:ee:83:cc:33:a5:1b:b2:5d:ee
debug1: restore_uid: 0/0
debug1: ssh_rsa_verify: signature correct
debug1: do_pam_account: called
Accepted publickey for postgres from 192.168.120.97 port 45341 ssh2
debug1: monitor_child_preauth: postgres has been authenticated by privileged process
debug1: temporarily_use_uid: 26/26 (e=0/0)
debug1: ssh_gssapi_storecreds: Not a GSSAPI mechanism
debug1: restore_uid: 0/0
debug1: SELinux support enabled
debug1: PAM: establishing credentials
PAM: pam_open_session(): Authentication failure
User child is on pid 10198
debug1: PAM: establishing credentials
debug1: permanently_set_uid: 26/26
debug1: Entering interactive session for SSH2.
debug1: server_init_dispatch_20
debug1: server_input_channel_open: ctype session rchan 0 win 65536 max 16384
debug1: input_session_request
debug1: channel 0: new [server-session]
debug1: session_new: session 0
debug1: session_open: channel 0
debug1: session_open: session 0: link with channel 0
debug1: server_input_channel_open: confirm session
debug1: server_input_channel_req: channel 0 request pty-req reply 0
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 req pty-req
debug1: Allocating pty.
debug1: session_new: session 0
ssh_selinux_setup_pty: security_compute_relabel: Invalid argument
debug1: session_pty_req: session 0 alloc /dev/pts/5
debug1: server_input_channel_req: channel 0 request env reply 0
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 req env
debug1: server_input_channel_req: channel 0 request shell reply 0
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 req shell
debug1: Setting controlling tty using TIOCSCTTY.
debug1: Received SIGCHLD.
debug1: session_by_pid: pid 10199
debug1: session_exit_message: session 0 channel 0 pid 10199
debug1: session_exit_message: release channel 0
debug1: session_by_tty: session 0 tty /dev/pts/5
debug1: session_pty_cleanup: session 0 release /dev/pts/5
debug1: session_by_channel: session 0 channel 0
debug1: session_close_by_channel: channel 0 child 0
debug1: session_close: session 0 pid 0
debug1: channel 0: free: server-session, nchannels 1
Connection closed by 192.168.120.97
debug1: do_cleanup
Transferred: sent 2296, received 2416 bytes
Closing connection to 192.168.120.97 port 45341
debug1: PAM: cleanup
debug1: PAM: deleting credentials

/var/log/secure.log ao executar outro servidor ssh :

Apr  4 16:52:31 java7 sshd[10774]: pam_selinux(sshd:session): conversation failed
Apr  4 16:52:31 java7 sshd[10774]: pam_selinux(sshd:session): No response to query: Would you like to enter a security context? [N]
Apr  4 16:52:31 java7 sshd[10774]: pam_selinux(sshd:session): Unable to get valid context for postgres
Apr  4 16:52:31 java7 sshd[10774]: pam_unix(sshd:session): session opened for user postgres by (uid=0)
    
por Doppelganger 04.04.2011 / 20:42

5 respostas

2

Acho que a melhor coisa a fazer nessas circunstâncias é executar o daemon SSH no modo de depuração. Se você tiver acesso como root na máquina, pode executar:

# /usr/sbin/sshd -d -p 2222

e depois você pode usar:

# ssh -p 2222 postgres@java7

e veja qual motivo o servidor dá para rejeitar a chave.

    
por 04.04.2011 / 21:01
1

O 'postgres' é o usuário gerado pela instalação do servidor PostreSQL? Em caso afirmativo, a maioria dos usuários gerados automaticamente não pode estar "conectada". eles existem apenas para os propósitos dos daemon (s) que precisam de permissões de arquivos.

    
por 04.04.2011 / 21:40
1

Você pode ativar os registros de depuração no seu servidor ssh existente. No arquivo / etc / ssh / sshd_config mudar %código% se o motivo do login mal-sucedido for LogLevel DEBUG3 e direitos de acesso a authorized_keys parecem ok, então este comando ajudará

Could not open authorized keys '/var/lib/pgsql/.ssh/authorized_keys': Permission denied

explicação

    
por 15.11.2016 / 16:06
0

Outra solução para o recurso SELinux do Red Hat Enterprise Linux 6.5 que impede o sshd de ler o $ HOME / .ssh é usar o restorecon, veja meu respondedor aqui link .

    
por 05.06.2014 / 16:27
-1

verifique se o seu selinux está definido corretamente.

eu mudei o selinux para permissive e ele funciona ou você tem que adicionar o .ssh aos papéis do selinux.

    
por 26.07.2017 / 11:47