sudo via cron'ed ssh funciona no RHEL6 mas não no RHE7 (/ dev / tty: não existe tal dispositivo ou endereço)

3

Eu desisto:

Eu tenho um script de cronjob que tenho executado há anos (fora de uma máquina RHEL 6.7) para remoto em outras máquinas RHEL via ssh. Funciona sem falhas contra o RHEL5 e 6, mas falha com o RHEL7. Na sua forma mais simples, o script se divide assim:

ssh -tttvi /home/robot/.ssh/passwdlesskey  robot@${ThatIP} sudo -l

Em todas as máquinas remotas (RHEL6 e 7), o respectivo arquivo sudoers contém

Defaults    requiretty

Como esperado, o script executa bem da linha de comando contra o RHEL7. Novamente, do cron funciona contra o RHEL 5 & 6 mas falha contra 7:

debug1: read_passphrase: can't open /dev/tty: No such device or address
Host key verification failed.

Uma coisa peculiar a notar é a diferença nas saídas SSH ao executar a linha de comando vs cron em um servidor RHEL7

              C  R  O  N                                                                 C O M M A N D L I N E
------------------------------------------------------------------------+------------------------------------------------------------------------
debug1: skipped DNS lookup for numerical hostname                       | debug1: skipped DNS lookup for numerical hostname
WARNING: ECDSA key found for host 10.96.16.108                          | debug1: Host '10.96.16.108' is known and matches the ECDSA host key.
in /home/robot/.ssh/known_hosts:416                                     | debug1: Found key in /home/robot/.ssh/known_hosts:416
ECDSA key fingerprint ee:67:90:d3:c3:b8:db:c7:d3:6a:68:6a:78:fd:25:da.  | debug1: SSH2_MSG_NEWKEYS sent
+--[ECDSA  256]---+                                                     | debug1: expecting SSH2_MSG_NEWKEYS
|                 |                                                     | debug1: SSH2_MSG_NEWKEYS received
|                 |                                                     | debug1: Roaming not allowed by server
|                 |                                                     | debug1: SSH2_MSG_SERVICE_REQUEST sent
|                 |                                                     | debug1: SSH2_MSG_SERVICE_ACCEPT received
|        S=       |                                                     | debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password                                          
|       .= +      |                                                     | debug1: Next authentication method: publickey
|       ..= +...  |                                                     | debug1: Offering DSA public key: /home/robot/.ssh/passwdlesskey
|      ..+.*o=o.  |                                                     | debug1: Server accepts key: pkalg ssh-dss blen 433
|       o+*o+Eo   |                                                     | debug1: Authentication succeeded (publickey).
+-----------------+                                                     | Authenticated to 10.96.16.108 ([10.96.16.108]:22).
                                                                        | debug1: channel 0: new [client-session]
debug1: read_passphrase: can't open /dev/tty: No such device or address | debug1: Entering interactive session.
Host key verification failed.                                           | debug1: Sending command: sudo -l
------------------------------------------------------------------------+------------------------------------------------------------------------

Uma teoria que eu tinha: semelhante à maneira como o scp / sftp não gosta de interação saída do shell , percebi que o randomart exibido pelo servidor RHEL7 está interferindo no meu script. Mas mesmo a substituição de ssh -v por -q não ajuda.

O LogLevel do sshd é DEBUG2

Mar  9 10:51:01 rhel7test sshd[26198]: debug1: Forked child 26209.
Mar  9 10:51:01 rhel7test sshd[26209]: Set /proc/self/oom_score_adj to 0
Mar  9 10:51:01 rhel7test sshd[26209]: debug1: rexec start in 5 out 5 newsock 5 pipe 7 sock 8
Mar  9 10:51:01 rhel7test sshd[26209]: debug1: inetd sockets after dupping: 3, 3
Mar  9 10:51:01 rhel7test sshd[26209]: Connection from 10.96.16.148 port 55171 on 10.96.16.108 port 22
Mar  9 10:51:01 rhel7test sshd[26209]: debug1: Client protocol version 2.0; client software version OpenSSH_5.3
Mar  9 10:51:01 rhel7test sshd[26209]: debug1: match: OpenSSH_5.3 pat OpenSSH_5* compat 0x0c000000
Mar  9 10:51:01 rhel7test sshd[26209]: debug1: Enabling compatibility mode for protocol 2.0
Mar  9 10:51:01 rhel7test sshd[26209]: debug1: Local version string SSH-2.0-OpenSSH_6.6.1
Mar  9 10:51:01 rhel7test sshd[26209]: debug2: fd 3 setting O_NONBLOCK
Mar  9 10:51:01 rhel7test sshd[26209]: debug2: Network child is on pid 26210
Mar  9 10:51:01 rhel7test sshd[26209]: debug1: SELinux support enabled [preauth]
Mar  9 10:51:01 rhel7test sshd[26209]: debug1: permanently_set_uid: 74/74 [preauth]
Mar  9 10:51:01 rhel7test sshd[26209]: debug1: list_hostkey_types: ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
Mar  9 10:51:01 rhel7test sshd[26209]: debug1: SSH2_MSG_KEXINIT sent [preauth]
Mar  9 10:51:01 rhel7test sshd[26209]: debug1: SSH2_MSG_KEXINIT received [preauth]
Mar  9 10:51:01 rhel7test sshd[26209]: debug2: kex_parse_kexinit: [email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 [preauth]
Mar  9 10:51:01 rhel7test sshd[26209]: debug2: kex_parse_kexinit: ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
Mar  9 10:51:01 rhel7test sshd[26209]: debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,[email protected],[email protected],[email protected],aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected] [preauth]
Mar  9 10:51:01 rhel7test sshd[26209]: debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,[email protected],[email protected],[email protected],aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected] [preauth]
Mar  9 10:51:01 rhel7test sshd[26209]: debug2: kex_parse_kexinit: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-md5,hmac-sha1,[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96 [preauth]
Mar  9 10:51:01 rhel7test sshd[26209]: debug2: kex_parse_kexinit: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-md5,hmac-sha1,[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96 [preauth]
Mar  9 10:51:01 rhel7test sshd[26209]: debug2: kex_parse_kexinit: none,[email protected] [preauth]
Mar  9 10:51:01 rhel7test sshd[26209]: debug2: kex_parse_kexinit: none,[email protected] [preauth]
Mar  9 10:51:01 rhel7test sshd[26209]: debug2: kex_parse_kexinit:  [preauth]
Mar  9 10:51:01 rhel7test sshd[26209]: debug2: kex_parse_kexinit:  [preauth]
Mar  9 10:51:01 rhel7test sshd[26209]: debug2: kex_parse_kexinit: first_kex_follows 0  [preauth]
Mar  9 10:51:01 rhel7test sshd[26209]: debug2: kex_parse_kexinit: reserved 0  [preauth]
Mar  9 10:51:01 rhel7test sshd[26209]: debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 [preauth]
Mar  9 10:51:01 rhel7test sshd[26209]: debug2: kex_parse_kexinit: [email protected],[email protected],[email protected],[email protected],ssh-rsa,ssh-dss [preauth]
Mar  9 10:51:01 rhel7test sshd[26209]: debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected] [preauth]
Mar  9 10:51:01 rhel7test sshd[26209]: debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected] [preauth]
Mar  9 10:51:01 rhel7test sshd[26209]: debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,[email protected],hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96 [preauth]
Mar  9 10:51:01 rhel7test sshd[26209]: debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,[email protected],hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96 [preauth]
Mar  9 10:51:01 rhel7test sshd[26209]: debug2: kex_parse_kexinit: none,[email protected],zlib [preauth]
Mar  9 10:51:01 rhel7test sshd[26209]: debug2: kex_parse_kexinit: none,[email protected],zlib [preauth]
Mar  9 10:51:01 rhel7test sshd[26209]: debug2: kex_parse_kexinit:  [preauth]
Mar  9 10:51:01 rhel7test sshd[26209]: debug2: kex_parse_kexinit:  [preauth]
Mar  9 10:51:01 rhel7test sshd[26209]: debug2: kex_parse_kexinit: first_kex_follows 0  [preauth]
Mar  9 10:51:01 rhel7test sshd[26209]: debug2: kex_parse_kexinit: reserved 0  [preauth]
Mar  9 10:51:01 rhel7test sshd[26209]: debug2: mac_setup: setup hmac-md5 [preauth]
Mar  9 10:51:01 rhel7test sshd[26209]: debug1: kex: client->server aes128-ctr hmac-md5 none [preauth]
Mar  9 10:51:01 rhel7test sshd[26209]: debug2: mac_setup: setup hmac-md5 [preauth]
Mar  9 10:51:01 rhel7test sshd[26209]: debug1: kex: server->client aes128-ctr hmac-md5 none [preauth]
Mar  9 10:51:01 rhel7test sshd[26209]: debug1: kex: diffie-hellman-group-exchange-sha256 need=16 dh_need=16 [preauth]
Mar  9 10:51:01 rhel7test sshd[26209]: debug1: kex: diffie-hellman-group-exchange-sha256 need=16 dh_need=16 [preauth]
Mar  9 10:51:01 rhel7test sshd[26209]: debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received [preauth]
Mar  9 10:51:01 rhel7test sshd[26209]: debug2: monitor_read: 0 used once, disabling now
Mar  9 10:51:01 rhel7test sshd[26209]: debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent [preauth]
Mar  9 10:51:01 rhel7test sshd[26209]: debug2: bits set: 504/1024 [preauth]
Mar  9 10:51:01 rhel7test sshd[26209]: debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT [preauth]
Mar  9 10:51:01 rhel7test sshd[26209]: debug2: bits set: 532/1024 [preauth]
Mar  9 10:51:01 rhel7test sshd[26209]: debug2: monitor_read: 6 used once, disabling now
Mar  9 10:51:01 rhel7test sshd[26209]: debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent [preauth]
Mar  9 10:51:01 rhel7test sshd[26209]: debug2: kex_derive_keys [preauth]
Mar  9 10:51:01 rhel7test sshd[26209]: debug2: set_newkeys: mode 1 [preauth]
Mar  9 10:51:01 rhel7test sshd[26209]: debug1: SSH2_MSG_NEWKEYS sent [preauth]
Mar  9 10:51:01 rhel7test sshd[26209]: debug1: expecting SSH2_MSG_NEWKEYS [preauth]
Mar  9 10:51:01 rhel7test sshd[26209]: Connection closed by 10.96.16.148 [preauth]
Mar  9 10:51:01 rhel7test sshd[26209]: debug1: do_cleanup [preauth]
Mar  9 10:51:01 rhel7test sshd[26209]: debug1: monitor_read_log: child log fd closed
Mar  9 10:51:01 rhel7test sshd[26209]: debug1: do_cleanup
Mar  9 10:51:01 rhel7test sshd[26209]: debug1: Killing privsep child 26210

Lendo postagens semelhantes, eu já

  • verificou as permissões em / dev / tty
  • certificou-se de que as chaves sem senha estão corretas
  • garantiu que não houvesse entradas conflitantes no arquivo known_hosts
  • variáveis de ambiente verificadas para algo estranho
  • kicked up debugging para o nível 3 na execução do lado (-vvv) sem novas informações para recolher a saída.

Finalmente, porque tenho certeza que será perguntado, o sshd_config do RHEL6 & 7

         R H E L 7                                                                 R H E L 6
--------------------------------------------------------------------------------+---------------------------------------------------------------------
HostKey                         /etc/ssh/ssh_host_rsa_key                       | 
HostKey                         /etc/ssh/ssh_host_ecdsa_key                     |
HostKey                         /etc/ssh/ssh_host_ed25519_key                   |
SyslogFacility                  AUTHPRIV                                        | AUTHPRIV
LogLevel                        DEBUG2                                          | 
PermitRootLogin                 no                                              | no
StrictModes                     yes                                             |
MaxAuthTries                    3                                               |
MaxSessions                     10                                              |
PubkeyAuthentication            yes                                             |
AuthorizedKeysFile              .ssh/authorized_keys                            |
IgnoreRhosts                    yes                                             |
PermitEmptyPasswords            no                                              |
PasswordAuthentication          yes                                             | yes
ChallengeResponseAuthentication no                                              | no
GSSAPIAuthentication            yes                                             | yes
GSSAPICleanupCredentials        no                                              | yes
UsePAM                          yes                                             | yes
X11Forwarding                   yes                                             | yes
PrintMotd                       no                                              |
PrintLastLog                    no                                              |
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES   | LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT               | LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE                                     | LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS                                                            | XMODIFIERS
Subsystem               sftp  /usr/libexec/openssh/sftp-server                  | sftp  /usr/libexec/openssh/sftp-server

Então, eu não sei qual é a causa do problema.

    
por Ogal Finklestein 09.03.2016 / 18:42

3 respostas

1

Como o usuário VDR comentou, preciso adicionar

-o StrictHostKeyChecking=no

como uma opção adicional ao chamar o ssh através do cron.

    
por 09.03.2016 / 20:22
1

Não é sudo pedindo TTY, mas o cliente ssh , que precisa de você para fazer a única coisa de segurança sobre o ssh, que você precisa fazer antes de estabelecer uma conexão segura. É a verificação do hostkey, que requer entrada manual do usuário, se não for configurado antecipadamente. Não está relacionado com a versão do sistema, mas com a configuração.

Você precisa armazenar a chave do host de servidores (parte pública) no known_hosts do cliente. Existem várias possibilidades de como fazer isso:

  • Como o usuário ( robot ) que está executando o cron ( sudo -i -u robot ), tente se conectar ao servidor remoto:

    ssh -i /home/robot/.ssh/passwdlesskey  robot@${ThatIP}
    

    e gravação manual "sim" no prompt

  • Use a ferramenta ssh-keyscan , que faz exatamente a mesma coisa, mas não precisa ser interativa (certifique-se de executá-la como usuário diferente, que o usuário de destino terá acesso correto a esse arquivo):

    ssh-keyscan {ThatIP} >> /home/robot/.ssh/known_hosts
    
por 09.03.2016 / 20:13
0

O mesmo cenário - atualizei o sistema de destino do CentOS 6 para o CentOS 7 e, de repente, meu trabalho cron receberia Host key validation failed erros, mas se eu o executasse da linha de comando, tudo bem. Eu estava totalmente inconsciente da ferramenta ssh-keyscan , então agradeço a @Jakuje por escrever sobre isso. No meu caso, rodar a ferramenta ssh-keyscan não gera absolutamente nada, então eu adicionei -v , e obtive:

>ssh-keyscan -v hostname.example.com
debug1: match: OpenSSH_6.6.1 pat OpenSSH*
debug1: hostname.example.com doesn't support ssh1

Eish. Parece que o SSH na máquina de origem não suporta o SSH2. Então, olhei para a versão do ssh no sistema de origem:

>sudo yum list installed | grep ssh
openssh.x86_64                           4.3p2-82.el5                  installed
openssh-askpass.x86_64                   4.3p2-82.el5                  installed
openssh-clients.x86_64                   4.3p2-82.el5                  installed
openssh-server.x86_64                    4.3p2-82.el5                  installed

Legal. Apenas alguns anos atrás. Este post link ajudou-me a aprofundar a ideia de que o CentOS 7 desativa as chaves DSA. Solução? Gere e ative a chave DSA no CentOS 7. Mas, as chaves DSA são mais fracas do que o RSA, o que tornaria desnecessário meu novo servidor.

Solução ideal no meu caso: atualize o openssh na máquina de origem.

    
por 26.04.2016 / 19:40

Tags