Having trouble getting a simple SSH connection even to localhost on my Ubuntu 15.10. The server was set up many months ago and I managed to create SSH access with keys, but I cannot duplicate that remote access for a new user. I can log in with PuTTY as my original user, but even that user cannot log in via localhost.
For troubleshooting, I tried to log in simply via localhost with a plain password, hopefully minimizing the variables that could be wrong - if there is a better test, let me know.
I have fail2ban and a firewall, but since I can reach the server remotely with the original account, I don't immediately suspect that is the problem. Still, the firewall rules are shown below.
Here are the steps I followed and some more data:
create a new user & set a password
sudo useradd teachers -m -s /bin/bash;
sudo passwd teachers;
configure SSH (/etc/ssh/sshd_config) for basic access for testing
AllowUsers teachers
PasswordAuthentication yes
LogLevel VERBOSE
No SSH keys yet at this point, since I'm trying to get password access working.
Here is the output of my attempt on the command line:
~$ ssh -v localhost
OpenSSH_6.9p1 Ubuntu-2ubuntu0.1, OpenSSL 1.0.2d 9 Jul 2015
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to localhost [127.0.0.1] port 22.
debug1: Connection established.
debug1: SELinux support disabled
debug1: key_load_public: No such file or directory
debug1: identity file /home/teachers/.ssh/id_rsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/teachers/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/teachers/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/teachers/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/teachers/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/teachers/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/teachers/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/teachers/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.9p1 Ubuntu-2ubuntu0.1
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.9p1 Ubuntu-2ubuntu0.1
debug1: match: OpenSSH_6.9p1 Ubuntu-2ubuntu0.1 pat OpenSSH* compat 0x04000000
debug1: Authenticating to localhost:22 as 'teachers'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client [email protected] <implicit> none
debug1: kex: client->server [email protected] <implicit> none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:AS0MYlPqe9JOcx5ygQN9jIN2jdDV850oCSCmtp+cy2w
The authenticity of host 'localhost (127.0.0.1)' can't be established.
ECDSA key fingerprint is SHA256:AS0MYlPqe9JOcx5ygQN9jIN2jdDV850oCSCmtp+cy2w.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'localhost' (ECDSA) to the list of known hosts.
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
################################################################################
# This is a restricted system.... #
################################################################################
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Trying private key: /home/teachers/.ssh/id_rsa
debug1: Trying private key: /home/teachers/.ssh/id_dsa
debug1: Trying private key: /home/teachers/.ssh/id_ecdsa
debug1: Trying private key: /home/teachers/.ssh/id_ed25519
debug1: Next authentication method: password
teachers@localhost's password:
debug1: Authentications that can continue: publickey,password
Permission denied, please try again.
teachers@localhost's password:
debug1: Authentications that can continue: publickey,password
Permission denied, please try again.
teachers@localhost's password:
debug1: Authentications that can continue: publickey,password
debug1: No more authentication methods to try.
Permission denied (publickey,password).
Here is the auth.log from my login attempt:
Apr 19 05:41:52 lists sshd[27165]: Set /proc/self/oom_score_adj to 0
Apr 19 05:41:52 lists sshd[27165]: Connection from 127.0.0.1 port 45192 on 127.0.0.1 port 22
Apr 19 05:42:03 lists sshd[27165]: PAM (sshd) illegal module type: umask
Apr 19 05:42:03 lists sshd[27165]: PAM pam_parse: expecting return value; [...002]
Apr 19 05:42:03 lists sshd[27165]: PAM (sshd) no module name supplied
Apr 19 05:42:13 lists sshd[27165]: Failed password for teachers from 127.0.0.1 port 45192 ssh2
Apr 19 05:42:20 lists sshd[27165]: Failed password for teachers from 127.0.0.1 port 45192 ssh2
Apr 19 05:42:27 lists sshd[27165]: Failed password for teachers from 127.0.0.1 port 45192 ssh2
Apr 19 05:42:27 lists sshd[27165]: Connection closed by 127.0.0.1 [preauth]
Here is the output of my iptables:
$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP tcp -- 222.0.0.0/8 anywhere tcp dpt:ssh
fail2ban-dovecot tcp -- anywhere anywhere multiport dports smtp,urd,submission,imap2,imap3,imaps,pop3,pop3s
fail2ban-postfix tcp -- anywhere anywhere multiport dports smtp,urd,submission
fail2ban-sasl tcp -- anywhere anywhere multiport dports smtp,urd,submission,imap2,imap3,imaps,pop3,pop3s
fail2ban-ssh tcp -- anywhere anywhere multiport dports ssh
DROP tcp -- 222.186.34.202 anywhere tcp dpt:ssh
fail2ban-dovecot tcp -- anywhere anywhere multiport dports smtp,urd,submission,imap2,imap3,imaps,pop3,pop3s
fail2ban-postfix tcp -- anywhere anywhere multiport dports smtp,urd,submission
fail2ban-sasl tcp -- anywhere anywhere multiport dports smtp,urd,submission,imap2,imap3,imaps,pop3,pop3s
fail2ban-ssh tcp -- anywhere anywhere multiport dports ssh
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:http
LOG all -- anywhere anywhere limit: avg 5/min burst 5 LOG level debug prefix "iptables denied: "
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT tcp -- anywhere anywhere tcp dpt:2812
ACCEPT tcp -- anywhere anywhere tcp dpt:smtp
ACCEPT tcp -- anywhere anywhere tcp dpt:pop3
ACCEPT tcp -- anywhere anywhere tcp dpt:submission
DROP all -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain fail2ban-dovecot (2 references)
target prot opt source destination
RETURN all -- anywhere anywhere
RETURN all -- anywhere anywhere
Chain fail2ban-postfix (2 references)
target prot opt source destination
RETURN all -- anywhere anywhere
RETURN all -- anywhere anywhere
Chain fail2ban-sasl (2 references)
target prot opt source destination
RETURN all -- anywhere anywhere
RETURN all -- anywhere anywhere
Chain fail2ban-ssh (2 references)
target prot opt source destination
RETURN all -- anywhere anywhere
RETURN all -- anywhere anywhere
And I believe this shows that port 22 should be available:
$ nc -z -v -w 5 localhost 22
Connection to localhost 22 port [tcp/ssh] succeeded!
EDIT: including the sshd config:
$ cat /etc/ssh/sshd_config
# What ports, IPs and protocols we listen for
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes
# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 1024
# Logging
SyslogFacility AUTH
LogLevel VERBOSE
# Authentication:
LoginGraceTime 120
PermitRootLogin no
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile %h/.ssh/authorized_keys
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes
# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no
# Change to no to disable tunnelled clear text passwords
PasswordAuthentication yes
# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no
#MaxStartups 10:30:60
Banner /etc/issue.net
# Allow client to pass locale environment variables
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin yes
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes
AllowUsers listman teachers
The only file in /etc/pam.d/ is /etc/pam.d/sshd:
$ cat /etc/pam.d/sshd
# PAM configuration for the Secure Shell service
umask 002
# Standard Un*x authentication.
@include common-auth
# Disallow non-root logins when /etc/nologin exists.
account required pam_nologin.so
# Uncomment and edit /etc/security/access.conf if you need to set complex
# access limits that are hard to express in sshd_config.
# account required pam_access.so
# Standard Un*x authorization.
@include common-account
# SELinux needs to be the first session rule. This ensures that any
# lingering context has been cleared. Without this it is possible that a
# module could execute code in the wrong domain.
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
# Set the loginuid process attribute.
session required pam_loginuid.so
# Create a new session keyring.
session optional pam_keyinit.so force revoke
# Standard Un*x session setup and teardown.
@include common-session
# Print the message of the day upon successful login.
# This includes a dynamically generated part from /run/motd.dynamic
# and a static (admin-editable) part from /etc/motd.
session optional pam_motd.so motd=/run/motd.dynamic
session optional pam_motd.so noupdate
# Print the status of the user's mailbox upon successful login.
session optional pam_mail.so standard noenv # [1]
# Set up user limits from /etc/security/limits.conf.
session required pam_limits.so
# Read environment variables from /etc/environment and
# /etc/security/pam_env.conf.
session required pam_env.so # [1]
# In Debian 4.0 (etch), locale-related environment variables were moved to
# /etc/default/locale, so read that as well.
session required pam_env.so user_readenv=1 envfile=/etc/default/locale
# SELinux needs to intervene at login time to ensure that the process starts
# in the proper default security context. Only sessions which are intended
# to run in the user's context should be run after this.
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
# Standard Un*x password updating.
@include common-password
What am I missing here?
The line
umask 002
is not a valid PAM configuration on its own. Remove it.
To set the umask for ssh sessions, see this Serverfault thread:
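As an added illustration of the answer (not code from the post or from Linux-PAM), this small checker applies the line syntax that libpam's parser enforces (module type, control flag, module name, arguments, or an @include) to an excerpt of the pasted /etc/pam.d/sshd, so a bare `umask 002` is flagged the same way auth.log reported it. The sample excerpt is constructed from the question, and the `pam_umask.so` line used as the valid alternative is the standard Linux-PAM module, not something taken from the page.

```python
import re

# Management groups ("module types") and control keywords that pam_parse accepts.
# A line whose first token is none of these yields "illegal module type: ..." in auth.log.
MODULE_TYPES = {"auth", "account", "password", "session"}
CONTROLS = {"required", "requisite", "sufficient", "optional", "include", "substack"}


def check_pam_line(line: str):
    """Return None if the line is acceptable, else the first problem found."""
    stripped = line.split("#", 1)[0].strip()   # drop comments
    if not stripped:
        return None                             # blank or comment-only line
    tokens = stripped.split()
    if tokens[0] == "@include":
        return None if len(tokens) == 2 else "@include needs exactly one file name"
    mtype = tokens[0].lstrip("-")               # leading '-' = silently skip missing module
    if mtype not in MODULE_TYPES:
        return f"illegal module type: {tokens[0]}"
    if len(tokens) < 2:
        return "expecting control flag"
    if tokens[1].startswith("["):
        # bracketed control [value=action ...] may span several tokens
        m = re.match(r"\[(.*?)\]\s*(\S+)?", " ".join(tokens[1:]))
        if not m:
            return "unterminated bracketed control value"
        return None if m.group(2) else "no module name supplied"
    if tokens[1] not in CONTROLS:
        return f"expecting return value; [{tokens[1]}]"
    if len(tokens) < 3:
        return "no module name supplied"
    return None


def check_pam_file(text: str):
    """Return (line_number, problem) pairs for every offending line."""
    return [(n, err) for n, ln in enumerate(text.splitlines(), 1)
            if (err := check_pam_line(ln))]


# Constructed excerpt of the /etc/pam.d/sshd shown in the question.
SAMPLE = """# PAM configuration for the Secure Shell service
umask 002
@include common-auth
account required pam_nologin.so
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
session required pam_loginuid.so
session optional pam_mail.so standard noenv # [1]
@include common-password
"""

# How the umask would be expressed as a real PAM line (pam_umask module, not from the page).
FIXED_LINE = "session optional pam_umask.so umask=002"
```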