Cannot establish an SSH connection, even to localhost

I am having trouble getting a simple SSH connection even to localhost on my Ubuntu 15.10. The server was set up many months ago and I managed to create SSH access with keys, but I cannot duplicate that remote access for a new user. I can log in with PuTTY from my original user, but even that user cannot log in via localhost.

For troubleshooting, I tried to log in simply via localhost with a plain password, hopefully minimizing the variables that could be wrong; if there is a better test, let me know.

I have fail2ban and a firewall, but since I can reach the server remotely with the original account, I don't immediately suspect that to be the problem. Still, the firewall rules are shown below.

Here are the steps I followed and some more data:

Create a new user & set a password:

    sudo useradd teachers -m -s /bin/bash;
    sudo passwd teachers;

Configure SSH (/etc/ssh/sshd_config) for basic access for testing:

    AllowUsers teachers
    PasswordAuthentication yes
    LogLevel VERBOSE

There are no SSH keys at this point, as I am trying to get password access.

Here is the output of my attempt on the command line:

    ~$ ssh -v localhost
    OpenSSH_6.9p1 Ubuntu-2ubuntu0.1, OpenSSL 1.0.2d 9 Jul 2015
    debug1: Reading configuration data /etc/ssh/ssh_config
    debug1: /etc/ssh/ssh_config line 19: Applying options for *
    debug1: Connecting to localhost [127.0.0.1] port 22.
    debug1: Connection established.
    debug1: SELinux support disabled
    debug1: key_load_public: No such file or directory
    debug1: identity file /home/teachers/.ssh/id_rsa type -1
    debug1: key_load_public: No such file or directory
    debug1: identity file /home/teachers/.ssh/id_rsa-cert type -1
    debug1: key_load_public: No such file or directory
    debug1: identity file /home/teachers/.ssh/id_dsa type -1
    debug1: key_load_public: No such file or directory
    debug1: identity file /home/teachers/.ssh/id_dsa-cert type -1
    debug1: key_load_public: No such file or directory
    debug1: identity file /home/teachers/.ssh/id_ecdsa type -1
    debug1: key_load_public: No such file or directory
    debug1: identity file /home/teachers/.ssh/id_ecdsa-cert type -1
    debug1: key_load_public: No such file or directory
    debug1: identity file /home/teachers/.ssh/id_ed25519 type -1
    debug1: key_load_public: No such file or directory
    debug1: identity file /home/teachers/.ssh/id_ed25519-cert type -1
    debug1: Enabling compatibility mode for protocol 2.0
    debug1: Local version string SSH-2.0-OpenSSH_6.9p1 Ubuntu-2ubuntu0.1
    debug1: Remote protocol version 2.0, remote software version OpenSSH_6.9p1 Ubuntu-2ubuntu0.1
    debug1: match: OpenSSH_6.9p1 Ubuntu-2ubuntu0.1 pat OpenSSH* compat 0x04000000
    debug1: Authenticating to localhost:22 as 'teachers'
    debug1: SSH2_MSG_KEXINIT sent
    debug1: SSH2_MSG_KEXINIT received
    debug1: kex: server->client [email protected] <implicit> none
    debug1: kex: client->server [email protected] <implicit> none
    debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
    debug1: Server host key: ecdsa-sha2-nistp256 SHA256:AS0MYlPqe9JOcx5ygQN9jIN2jdDV850oCSCmtp+cy2w
    The authenticity of host 'localhost (127.0.0.1)' can't be established.
    ECDSA key fingerprint is SHA256:AS0MYlPqe9JOcx5ygQN9jIN2jdDV850oCSCmtp+cy2w.
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added 'localhost' (ECDSA) to the list of known hosts.
    debug1: SSH2_MSG_NEWKEYS sent
    debug1: expecting SSH2_MSG_NEWKEYS
    debug1: SSH2_MSG_NEWKEYS received
    debug1: SSH2_MSG_SERVICE_REQUEST sent
    debug1: SSH2_MSG_SERVICE_ACCEPT received

    ################################################################################
    # This is a restricted system....                                              #
    ################################################################################

    debug1: Authentications that can continue: publickey,password
    debug1: Next authentication method: publickey
    debug1: Trying private key: /home/teachers/.ssh/id_rsa
    debug1: Trying private key: /home/teachers/.ssh/id_dsa
    debug1: Trying private key: /home/teachers/.ssh/id_ecdsa
    debug1: Trying private key: /home/teachers/.ssh/id_ed25519
    debug1: Next authentication method: password
    teachers@localhost's password:
    debug1: Authentications that can continue: publickey,password
    Permission denied, please try again.
    teachers@localhost's password:
    debug1: Authentications that can continue: publickey,password
    Permission denied, please try again.
    teachers@localhost's password:
    debug1: Authentications that can continue: publickey,password
    debug1: No more authentication methods to try.
    Permission denied (publickey,password).

Here is the auth.log from my login attempt:

    Apr 19 05:41:52 lists sshd[27165]: Set /proc/self/oom_score_adj to 0
    Apr 19 05:41:52 lists sshd[27165]: Connection from 127.0.0.1 port 45192 on 127.0.0.1 port 22
    Apr 19 05:42:03 lists sshd[27165]: PAM (sshd) illegal module type: umask
    Apr 19 05:42:03 lists sshd[27165]: PAM pam_parse: expecting return value; [...002]
    Apr 19 05:42:03 lists sshd[27165]: PAM (sshd) no module name supplied
    Apr 19 05:42:13 lists sshd[27165]: Failed password for teachers from 127.0.0.1 port 45192 ssh2
    Apr 19 05:42:20 lists sshd[27165]: Failed password for teachers from 127.0.0.1 port 45192 ssh2
    Apr 19 05:42:27 lists sshd[27165]: Failed password for teachers from 127.0.0.1 port 45192 ssh2
    Apr 19 05:42:27 lists sshd[27165]: Connection closed by 127.0.0.1 [preauth]

Here is the output of my iptables:

    $ sudo iptables -L
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination
    DROP       tcp  --  222.0.0.0/8          anywhere             tcp dpt:ssh
    fail2ban-dovecot  tcp  --  anywhere             anywhere             multiport dports smtp,urd,submission,imap2,imap3,imaps,pop3,pop3s
    fail2ban-postfix  tcp  --  anywhere             anywhere             multiport dports smtp,urd,submission
    fail2ban-sasl  tcp  --  anywhere             anywhere             multiport dports smtp,urd,submission,imap2,imap3,imaps,pop3,pop3s
    fail2ban-ssh  tcp  --  anywhere             anywhere             multiport dports ssh
    DROP       tcp  --  222.186.34.202       anywhere             tcp dpt:ssh
    fail2ban-dovecot  tcp  --  anywhere             anywhere             multiport dports smtp,urd,submission,imap2,imap3,imaps,pop3,pop3s
    fail2ban-postfix  tcp  --  anywhere             anywhere             multiport dports smtp,urd,submission
    fail2ban-sasl  tcp  --  anywhere             anywhere             multiport dports smtp,urd,submission,imap2,imap3,imaps,pop3,pop3s
    fail2ban-ssh  tcp  --  anywhere             anywhere             multiport dports ssh
    ACCEPT     all  --  anywhere             anywhere
    ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
    LOG        all  --  anywhere             anywhere             limit: avg 5/min burst 5 LOG level debug prefix "iptables denied: "
    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:2812
    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:smtp
    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:pop3
    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:submission
    DROP       all  --  anywhere             anywhere

    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination

    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination

    Chain fail2ban-dovecot (2 references)
    target     prot opt source               destination
    RETURN     all  --  anywhere             anywhere
    RETURN     all  --  anywhere             anywhere

    Chain fail2ban-postfix (2 references)
    target     prot opt source               destination
    RETURN     all  --  anywhere             anywhere
    RETURN     all  --  anywhere             anywhere

    Chain fail2ban-sasl (2 references)
    target     prot opt source               destination
    RETURN     all  --  anywhere             anywhere
    RETURN     all  --  anywhere             anywhere

    Chain fail2ban-ssh (2 references)
    target     prot opt source               destination
    RETURN     all  --  anywhere             anywhere
    RETURN     all  --  anywhere             anywhere

And I believe this shows that port 22 should be available:

    $ nc -z -v -w 5 localhost 22
    Connection to localhost 22 port [tcp/ssh] succeeded!

EDIT: including the sshd configuration:

    $ cat /etc/ssh/sshd_config
    # What ports, IPs and protocols we listen for
    Port 22
    # Use these options to restrict which interfaces/protocols sshd will bind to
    #ListenAddress ::
    #ListenAddress 0.0.0.0
    Protocol 2
    # HostKeys for protocol version 2
    HostKey /etc/ssh/ssh_host_rsa_key
    HostKey /etc/ssh/ssh_host_dsa_key
    HostKey /etc/ssh/ssh_host_ecdsa_key
    HostKey /etc/ssh/ssh_host_ed25519_key
    #Privilege Separation is turned on for security
    UsePrivilegeSeparation yes

    # Lifetime and size of ephemeral version 1 server key
    KeyRegenerationInterval 3600
    ServerKeyBits 1024

    # Logging
    SyslogFacility AUTH
    LogLevel VERBOSE

    # Authentication:
    LoginGraceTime 120
    PermitRootLogin no
    StrictModes yes

    RSAAuthentication yes
    PubkeyAuthentication yes
    #AuthorizedKeysFile     %h/.ssh/authorized_keys

    # Don't read the user's ~/.rhosts and ~/.shosts files
    IgnoreRhosts yes
    # For this to work you will also need host keys in /etc/ssh_known_hosts
    RhostsRSAAuthentication no
    # similar for protocol version 2
    HostbasedAuthentication no
    # Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
    #IgnoreUserKnownHosts yes

    # To enable empty passwords, change to yes (NOT RECOMMENDED)
    PermitEmptyPasswords no

    # Change to yes to enable challenge-response passwords (beware issues with
    # some PAM modules and threads)
    ChallengeResponseAuthentication no

    # Change to no to disable tunnelled clear text passwords
    PasswordAuthentication yes

    # Kerberos options
    #KerberosAuthentication no
    #KerberosGetAFSToken no
    #KerberosOrLocalPasswd yes
    #KerberosTicketCleanup yes

    # GSSAPI options
    #GSSAPIAuthentication no
    #GSSAPICleanupCredentials yes

    X11Forwarding yes
    X11DisplayOffset 10
    PrintMotd no
    PrintLastLog yes
    TCPKeepAlive yes
    #UseLogin no

    #MaxStartups 10:30:60
    Banner /etc/issue.net

    # Allow client to pass locale environment variables
    AcceptEnv LANG LC_*

    Subsystem sftp /usr/lib/openssh/sftp-server

    # Set this to 'yes' to enable PAM authentication, account processing,
    # and session processing. If this is enabled, PAM authentication will
    # be allowed through the ChallengeResponseAuthentication and
    # PasswordAuthentication.  Depending on your PAM configuration,
    # PAM authentication via ChallengeResponseAuthentication may bypass
    # the setting of "PermitRootLogin yes
    # If you just want the PAM account and session checks to run without
    # PAM authentication, then enable this but set PasswordAuthentication
    # and ChallengeResponseAuthentication to 'no'.
    UsePAM yes

    AllowUsers listman teachers

The only file in /etc/pam.d/ is /etc/pam.d/sshd:

    $ cat /etc/pam.d/sshd
    # PAM configuration for the Secure Shell service

    umask 002

    # Standard Un*x authentication.
    @include common-auth

    # Disallow non-root logins when /etc/nologin exists.
    account    required     pam_nologin.so

    # Uncomment and edit /etc/security/access.conf if you need to set complex
    # access limits that are hard to express in sshd_config.
    # account  required     pam_access.so

    # Standard Un*x authorization.
    @include common-account

    # SELinux needs to be the first session rule.  This ensures that any
    # lingering context has been cleared.  Without this it is possible that a
    # module could execute code in the wrong domain.
    session [success=ok ignore=ignore module_unknown=ignore default=bad]        pam_selinux.so close

    # Set the loginuid process attribute.
    session    required     pam_loginuid.so

    # Create a new session keyring.
    session    optional     pam_keyinit.so force revoke

    # Standard Un*x session setup and teardown.
    @include common-session

    # Print the message of the day upon successful login.
    # This includes a dynamically generated part from /run/motd.dynamic
    # and a static (admin-editable) part from /etc/motd.
    session    optional     pam_motd.so  motd=/run/motd.dynamic
    session    optional     pam_motd.so noupdate

    # Print the status of the user's mailbox upon successful login.
    session    optional     pam_mail.so standard noenv # [1]

    # Set up user limits from /etc/security/limits.conf.
    session    required     pam_limits.so

    # Read environment variables from /etc/environment and
    # /etc/security/pam_env.conf.
    session    required     pam_env.so # [1]
    # In Debian 4.0 (etch), locale-related environment variables were moved to
    # /etc/default/locale, so read that as well.
    session    required     pam_env.so user_readenv=1 envfile=/etc/default/locale

    # SELinux needs to intervene at login time to ensure that the process starts
    # in the proper default security context.  Only sessions which are intended
    # to run in the user's context should be run after this.
    session [success=ok ignore=ignore module_unknown=ignore default=bad]        pam_selinux.so open

    # Standard Un*x password updating.
    @include common-password

What am I missing here?

by Bob SD 19.04.2016 / 15:45

1 answer

The line

    umask 002

is not a valid PAM configuration on its own. Remove it.

To set the umask for ssh sessions, see this Serverfault thread:

How to set the umask for ssh for all kinds of connections

by 19.04.2016 / 16:44
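The three PAM messages in the auth.log above ("illegal module type: umask", "expecting return value", "no module name supplied") are what Linux-PAM emits when a line does not have the type / control / module shape. As an added example (not from the question, the answer or the linked thread), this Python linter applies those same checks to a constructed excerpt of the /etc/pam.d/sshd shown in the question, so a malformed line can be caught before sshd is restarted and logins break; the module-type and control keyword sets are Linux-PAM's, and the sample text is built here.

```python
"""Lint /etc/pam.d/<service> lines for the three parse errors sshd logged in the
question: 'illegal module type', 'expecting return value', 'no module name supplied'."""
import re

# Module types Linux-PAM accepts; a leading '-' marks a module whose absence is tolerated.
PAM_TYPES = {"auth", "account", "password", "session"}
# Simple control keywords; bracketed forms like [success=ok default=bad] are also valid.
SIMPLE_CONTROLS = {"required", "requisite", "sufficient", "optional", "include", "substack"}
LINE_RE = re.compile(r"^(-?\S+)(?:\s+(\[[^\]]*\]|\S+))?(?:\s+(\S+))?(.*)$")


def check_pam_line(line):
    """Return None if the line is valid PAM syntax, else a description of the defect."""
    stripped = line.split("#", 1)[0].strip()  # drop comments and surrounding whitespace
    if not stripped:
        return None
    if stripped.startswith("@include"):
        return None if len(stripped.split()) == 2 else "@include needs exactly one file name"
    mtype, control, module, _args = LINE_RE.match(stripped).groups()
    if mtype.lstrip("-") not in PAM_TYPES:
        return f"illegal module type: {mtype}"      # what sshd logged for 'umask 002'
    if control is None or not (control.startswith("[") or control in SIMPLE_CONTROLS):
        return f"expecting return value; got: {control}"
    if module is None:
        return "no module name supplied"
    return None


def lint_pam_config(text):
    """Return [(line_number, problem)] for every defective line of a PAM config."""
    return [(n, err) for n, raw in enumerate(text.splitlines(), 1)
            if (err := check_pam_line(raw))]


# Constructed excerpt modelled on the /etc/pam.d/sshd from the question; the bare
# "umask 002" is the line the PAM parser rejected.
BROKEN_SSHD = """\
# PAM configuration for the Secure Shell service
umask 002
@include common-auth
account    required     pam_nologin.so
session [success=ok ignore=ignore module_unknown=ignore default=bad]        pam_selinux.so close
session    optional     pam_mail.so standard noenv # [1]
"""
# Same excerpt with the offending line removed, as the answer advises.
FIXED_SSHD = BROKEN_SSHD.replace("umask 002\n", "")

if __name__ == "__main__":
    for lineno, problem in lint_pam_config(BROKEN_SSHD):
        print(f"line {lineno}: {problem}")   # line 2: illegal module type: umask
    print("problems after fix:", lint_pam_config(FIXED_SSHD))  # []
```

Point `lint_pam_config` at the contents of a real /etc/pam.d/sshd to check an edit before reloading the service; a non-empty result means sshd's PAM stack will log the same errors and password logins will fail as in the question.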