Contêiner SSH rkt baseado em CentOS7: a configuração da sessão do PAM falha

Question

Contêiner SSH rkt baseado em CentOS7: a configuração da sessão do PAM falha

1

Não consigo fazer login em um host SSH em execução em um contêiner rkt baseado no CentOS7 porque a configuração da sessão do PAM nunca é concluída - mesmo com o registro definido como DEBUG3, não há mensagem de erro - os logs terminam com sshd[10]: debug3: PAM: opening session nos leads do cliente codificar%. O daemon SSH continua a ser executado.

Write failed: Broken pipe :

#   $OpenBSD: sshd_config,v 1.93 2014/01/10 05:59:19 djm Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/bin:/usr/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

# If you want to change the port on a SELinux system, you have to tell
# SELinux about this change.
# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
#
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# The default requires explicit activation of protocol 1
#Protocol 2

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024

# Ciphers and keying
#RekeyLimit default none

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
LogLevel DEBUG3

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#RSAAuthentication yes
#PubkeyAuthentication yes

# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile  .ssh/authorized_keys

#AuthorizedPrincipalsFile none

#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication yes

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
#KerberosUseKuserok yes

# GSSAPI options
GSSAPIAuthentication yes
GSSAPICleanupCredentials no
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
#GSSAPIEnablek5users no

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
# WARNING: 'UsePAM no' is not supported in Red Hat Enterprise Linux and may cause several
# problems.
UsePAM yes

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation sandbox     # Default for new installations.
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#ShowPatchLevel no
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

# no default banner path
#Banner none

# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS

# override default of no subsystems
Subsystem   sftp    /usr/libexec/openssh/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#   X11Forwarding no
#   AllowTcpForwarding no
#   PermitTTY no
#   ForceCommand cvs server

/etc/ssh/sshd_config :

#%PAM-1.0
auth       required pam_sepermit.so
auth       substack     password-auth
auth       include      postlogin
# Used with polkit to reauthorize users in remote sessions
-auth      optional     pam_reauthorize.so prepare
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session optional pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    required     pam_namespace.so
session    optional     pam_keyinit.so force revoke
session    include      password-auth
session    include      postlogin
# Used with polkit to reauthorize users in remote sessions
-session   optional     pam_reauthorize.so prepare

O log do lado do servidor: pastebin . Termina com:

Aug 14 09:55:06 rkt-1f29b259-f7a3-45a3-912a-58f401f8da79 sshd[10]: Accepted publickey for root from 172.16.28.1 port 45040 ssh2: RSA dc:7b:dc:02:bd:87:0b:7a:ad:a0:71:78:e4:18:86:5
Aug 14 09:55:06 rkt-1f29b259-f7a3-45a3-912a-58f401f8da79 sshd[10]: debug1: monitor_child_preauth: root has been authenticated by privileged process
Aug 14 09:55:06 rkt-1f29b259-f7a3-45a3-912a-58f401f8da79 sshd[10]: debug3: mm_get_keystate: Waiting for new keys
Aug 14 09:55:06 rkt-1f29b259-f7a3-45a3-912a-58f401f8da79 sshd[10]: debug3: mm_request_receive_expect entering: type 26
Aug 14 09:55:06 rkt-1f29b259-f7a3-45a3-912a-58f401f8da79 sshd[10]: debug3: mm_request_receive entering
Aug 14 09:55:06 rkt-1f29b259-f7a3-45a3-912a-58f401f8da79 sshd[10]: debug3: mm_newkeys_from_blob: 0x7eff5524bd40(138)
Aug 14 09:55:06 rkt-1f29b259-f7a3-45a3-912a-58f401f8da79 sshd[10]: debug2: mac_setup: setup [email protected]
Aug 14 09:55:06 rkt-1f29b259-f7a3-45a3-912a-58f401f8da79 sshd[10]: debug3: mm_get_keystate: Waiting for second key
Aug 14 09:55:06 rkt-1f29b259-f7a3-45a3-912a-58f401f8da79 sshd[10]: debug3: mm_newkeys_from_blob: 0x7eff5524bd40(138)
Aug 14 09:55:06 rkt-1f29b259-f7a3-45a3-912a-58f401f8da79 sshd[10]: debug2: mac_setup: setup [email protected]
Aug 14 09:55:06 rkt-1f29b259-f7a3-45a3-912a-58f401f8da79 sshd[10]: debug3: mm_get_keystate: Getting compression state
Aug 14 09:55:06 rkt-1f29b259-f7a3-45a3-912a-58f401f8da79 sshd[10]: debug3: mm_get_keystate: Getting Network I/O buffers
Aug 14 09:55:06 rkt-1f29b259-f7a3-45a3-912a-58f401f8da79 sshd[10]: debug3: mm_request_receive_expect entering: type 122
Aug 14 09:55:06 rkt-1f29b259-f7a3-45a3-912a-58f401f8da79 sshd[10]: debug3: mm_request_receive entering
Aug 14 09:55:06 rkt-1f29b259-f7a3-45a3-912a-58f401f8da79 sshd[10]: debug3: mm_request_send entering: type 123
Aug 14 09:55:06 rkt-1f29b259-f7a3-45a3-912a-58f401f8da79 sshd[10]: debug2: userauth_pubkey: authenticated 1 pkalg ssh-rsa [preauth]
Aug 14 09:55:06 rkt-1f29b259-f7a3-45a3-912a-58f401f8da79 sshd[10]: debug3: mm_do_pam_account entering [preauth]
Aug 14 09:55:06 rkt-1f29b259-f7a3-45a3-912a-58f401f8da79 sshd[10]: debug3: mm_request_send entering: type 102 [preauth]
Aug 14 09:55:06 rkt-1f29b259-f7a3-45a3-912a-58f401f8da79 sshd[10]: debug3: mm_request_receive_expect entering: type 103 [preauth]
Aug 14 09:55:06 rkt-1f29b259-f7a3-45a3-912a-58f401f8da79 sshd[10]: debug3: mm_request_receive entering [preauth]
Aug 14 09:55:06 rkt-1f29b259-f7a3-45a3-912a-58f401f8da79 sshd[10]: debug3: mm_do_pam_account returning 1 [preauth]
Aug 14 09:55:06 rkt-1f29b259-f7a3-45a3-912a-58f401f8da79 sshd[10]: debug3: mm_send_keystate: Sending new keys: 0x7eff55233ce0 0x7eff552382d0 [preauth]
Aug 14 09:55:06 rkt-1f29b259-f7a3-45a3-912a-58f401f8da79 sshd[10]: debug3: mm_newkeys_to_blob: converting 0x7eff55233ce0 [preauth]
Aug 14 09:55:06 rkt-1f29b259-f7a3-45a3-912a-58f401f8da79 sshd[10]: debug3: mm_newkeys_to_blob: converting 0x7eff552382d0 [preauth]
Aug 14 09:55:06 rkt-1f29b259-f7a3-45a3-912a-58f401f8da79 sshd[10]: debug3: mm_send_keystate: New keys have been sent [preauth]
Aug 14 09:55:06 rkt-1f29b259-f7a3-45a3-912a-58f401f8da79 sshd[10]: debug3: mm_send_keystate: Sending compression state [preauth]
Aug 14 09:55:06 rkt-1f29b259-f7a3-45a3-912a-58f401f8da79 sshd[10]: debug3: mm_request_send entering: type 26 [preauth]
Aug 14 09:55:06 rkt-1f29b259-f7a3-45a3-912a-58f401f8da79 sshd[10]: debug3: mm_send_keystate: Finished sending state [preauth]
Aug 14 09:55:06 rkt-1f29b259-f7a3-45a3-912a-58f401f8da79 sshd[10]: debug3: mm_request_send entering: type 122 [preauth]
Aug 14 09:55:06 rkt-1f29b259-f7a3-45a3-912a-58f401f8da79 sshd[10]: debug3: mm_request_receive_expect entering: type 123 [preauth]
Aug 14 09:55:06 rkt-1f29b259-f7a3-45a3-912a-58f401f8da79 sshd[10]: debug3: mm_request_receive entering [preauth]
Aug 14 09:55:06 rkt-1f29b259-f7a3-45a3-912a-58f401f8da79 sshd[10]: debug1: monitor_read_log: child log fd closed
Aug 14 09:55:06 rkt-1f29b259-f7a3-45a3-912a-58f401f8da79 sshd[10]: debug3: mm_share_sync: Share sync
Aug 14 09:55:06 rkt-1f29b259-f7a3-45a3-912a-58f401f8da79 sshd[10]: debug3: mm_share_sync: Share sync end
Aug 14 09:55:06 rkt-1f29b259-f7a3-45a3-912a-58f401f8da79 sshd[10]: debug3: ssh_sandbox_parent_finish: finished
Aug 14 09:55:06 rkt-1f29b259-f7a3-45a3-912a-58f401f8da79 sshd[10]: debug1: temporarily_use_uid: 0/0 (e=0/0)
Aug 14 09:55:06 rkt-1f29b259-f7a3-45a3-912a-58f401f8da79 sshd[10]: debug1: ssh_gssapi_storecreds: Not a GSSAPI mechanism
Aug 14 09:55:06 rkt-1f29b259-f7a3-45a3-912a-58f401f8da79 sshd[10]: debug1: restore_uid: 0/0
Aug 14 09:55:06 rkt-1f29b259-f7a3-45a3-912a-58f401f8da79 sshd[10]: debug1: SELinux support disabled
Aug 14 09:55:06 rkt-1f29b259-f7a3-45a3-912a-58f401f8da79 sshd[10]: debug1: PAM: establishing credentials
Aug 14 09:55:06 rkt-1f29b259-f7a3-45a3-912a-58f401f8da79 sshd[10]: debug3: PAM: opening session

O log do lado do cliente: pastebin

Se eu desabilitar o PAM (que não é suportado no RHEL e no CentOS, mas apenas para testar), a sessão é estabelecida e terminada imediatamente pelo cliente (publicarei o pastebin em um comentário). Eu também tentei ...

comente a sandbox UsePrivilegeSeparation
desabilitou o SELinux no container (acontece que aparentemente ele nem está instalado dentro)

sem efeito perceptível. Alguém sabe o que poderia fazer com que o PAM se comporte tão mal que nem sequer há uma mensagem de erro? Eu vi em muitos outros tópicos que o PAM faz problemas em combinação com o chroot, mas ainda existem mensagens de erro explícitas, aqui parece uma morte súbita ... (o sshd ainda funciona)

P.S: alguém com reputação suficiente poderia criar uma tag rkt por favor? Thx

ssh pam centos-7

por DonTseTse 15.08.2017 / 18:07

0 respostas

Tags ssh pam centos-7

Total de horas trabalhadas no Excel 2013 Espaço livre inconsistente relatado