chave privada SSH de alguma forma acessível a todos os usuários

2

Eu não consigo descobrir o que está acontecendo. Em teoria, produzi um par de chaves para o usuário "user" na máquina homedesktop , e enviei a chave pública para myserver.example.com e coloquei em myserver:~user/.ssh/authorized_keys , Eu consigo logar sem senha, sem problemas.

O problema é que, estranhamente, todos os outros usuários na máquina homedesktop também podem fazer o login como user@myserver , sem uma senha! Você acha que a chave é apenas acessível globalmente em homedesktop:/etc/ssh talvez, mas não é (eu deletei o diretório e tentei novamente, ainda funciona). Na verdade, não é apenas "myserver", todos os servidores que possuem a chave pública "user" aceitam logins sem senha de todos os usuários em "homedesktop". Parece do log SSH abaixo como se a chave estivesse na memória? Eu não entendo o que está acontecendo e como evitar que os outros usuários usem essa chave! Além disso, homedesktop:~user/.ssh tem permissões normais, não legíveis para outros usuários.

Neste exemplo, "otheruser" tenta efetuar login como user @ myserver, home acessa a chave user @ homedesktop , o que é aceito?

otheruser@homedesktop:~$ rm -rf .ssh
otheruser@homedesktop:~$ ssh -vvv -p 15555 [email protected]
OpenSSH_6.6.1, OpenSSL 1.0.1f 6 Jan 2014
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to myserver.example.com [123.234.123.234] port 15555.
debug1: Connection established.
debug1: SELinux support disabled
debug1: identity file /home/otheruser/.ssh/id_rsa type -1
debug1: identity file /home/otheruser/.ssh/id_rsa-cert type -1
debug1: identity file /home/otheruser/.ssh/id_dsa type -1
debug1: identity file /home/otheruser/.ssh/id_dsa-cert type -1
debug1: identity file /home/otheruser/.ssh/id_ecdsa type -1
debug1: identity file /home/otheruser/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/otheruser/.ssh/id_ed25519 type -1
debug1: identity file /home/otheruser/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.6
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.3
debug1: match: OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.3 pat OpenSSH_6.6.1* compat 0x04000000
debug2: fd 3 setting O_NONBLOCK
debug3: put_host_port: [myserver.example.com]:15555
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: [email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,[email protected],[email protected],[email protected],aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected]
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,[email protected],[email protected],[email protected],aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected]
debug2: kex_parse_kexinit: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-md5,hmac-sha1,[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-md5,hmac-sha1,[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,[email protected],zlib
debug2: kex_parse_kexinit: none,[email protected],zlib
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: first_kex_follows 0 
debug2: kex_parse_kexinit: reserved 0 
debug2: kex_parse_kexinit: [email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ssh-ed25519
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,[email protected],[email protected],[email protected],aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected]
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,[email protected],[email protected],[email protected],aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected]
debug2: kex_parse_kexinit: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-md5,hmac-sha1,[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-md5,hmac-sha1,[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,[email protected]
debug2: kex_parse_kexinit: none,[email protected]
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: first_kex_follows 0 
debug2: kex_parse_kexinit: reserved 0 
debug2: mac_setup: setup [email protected]
debug1: kex: server->client aes128-ctr [email protected] none
debug2: mac_setup: setup [email protected]
debug1: kex: client->server aes128-ctr [email protected] none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ECDSA 9d:ce:c8:e4:39:43:f5:3a:0b:11:0b:77:78:cd:63:2f
debug3: put_host_port: [123.234.123.234]:15555
debug3: put_host_port: [myserver.example.com]:15555
debug1: checking without port identifier
The authenticity of host '[myserver.example.com]:15555 ([123.234.123.234]:15555)' can't be established.
ECDSA key fingerprint is 9d:ce:c8:e4:39:43:f5:3a:0b:11:0b:77:78:cd:63:2f.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[myserver.example.com]:15555,[123.234.123.234]:15555' (ECDSA) to the list of known hosts.
debug1: ssh_ecdsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: user@myserver (0x7fba1acf8000),
debug2: key: user@homedesktop (0x7fbaa1bbcf30),
debug2: key: /home/otheruser/.ssh/id_rsa ((nil)),
debug2: key: /home/otheruser/.ssh/id_dsa ((nil)),
debug2: key: /home/otheruser/.ssh/id_ecdsa ((nil)),
debug2: key: /home/otheruser/.ssh/id_ed25519 ((nil)),
debug1: Authentications that can continue: publickey,password
debug3: start over, passed a different list publickey,password
debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: user@myserver
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,password
debug1: Offering DSA public key: user@homedesktop
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Server accepts key: pkalg ssh-dss blen 433
debug2: input_userauth_pk_ok: fp d2:43:29:a0:88:06:a1:d2:1d:7a:65:15:4f:f8:95:eb
debug3: sign_and_send_pubkey: DSA d2:43:29:a0:88:06:a1:d2:1d:7a:65:15:4f:f8:95:eb
debug1: Authentication succeeded (publickey).
Authenticated to myserver.example.com ([123.234.123.234]:15555).
debug1: channel 0: new [client-session]
debug3: ssh_session2_open: channel_new: 0
debug2: channel 0: send open
debug1: Requesting [email protected]
debug1: Entering interactive session.
debug2: callback start
debug2: fd 3 setting TCP_NODELAY
debug3: packet_set_tos: set IP_TOS 0x10
debug2: client_session2_setup: id 0
debug2: channel 0: request pty-req confirm 1
debug1: Sending environment.
debug1: Sending env LC_PAPER = en_US.UTF-8
debug2: channel 0: request env confirm 0
debug3: Ignored env XDG_VTNR
debug3: Ignored env XDG_SESSION_ID
debug3: Ignored env KDE_MULTIHEAD
debug1: Sending env LC_ADDRESS = en_US.UTF-8
debug2: channel 0: request env confirm 0
debug1: Sending env LC_MONETARY = en_US.UTF-8
debug2: channel 0: request env confirm 0
debug3: Ignored env XDG_GREETER_DATA_DIR
debug3: Ignored env CLUTTER_IM_MODULE
debug3: Ignored env SELINUX_INIT
debug3: Ignored env SESSION
debug3: Ignored env GPG_AGENT_INFO
debug3: Ignored env SHELL
debug3: Ignored env TERM
debug3: Ignored env XDG_SESSION_COOKIE
debug3: Ignored env KONSOLE_DBUS_SERVICE
debug3: Ignored env GTK2_RC_FILES
debug3: Ignored env KONSOLE_PROFILE_NAME
debug3: Ignored env GS_LIB
debug3: Ignored env GTK_RC_FILES
debug1: Sending env LC_NUMERIC = en_US.UTF-8
debug2: channel 0: request env confirm 0
debug3: Ignored env WINDOWID
debug3: Ignored env GNOME_KEYRING_CONTROL
debug3: Ignored env UPSTART_SESSION
debug3: Ignored env SHELL_SESSION_ID
debug3: Ignored env KDE_FULL_SESSION
debug3: Ignored env USER
debug1: Sending env LC_TELEPHONE = en_US.UTF-8
debug2: channel 0: request env confirm 0
debug3: Ignored env LS_COLORS
debug3: Ignored env XDG_SESSION_PATH
debug3: Ignored env XDG_SEAT_PATH
debug3: Ignored env SSH_AUTH_SOCK
debug3: Ignored env DEFAULTS_PATH
debug3: Ignored env SESSION_MANAGER
debug3: Ignored env XDG_CONFIG_DIRS
debug3: Ignored env MAIL
debug3: Ignored env PATH
debug3: Ignored env DESKTOP_SESSION
debug3: Ignored env QT_IM_MODULE
debug1: Sending env LC_IDENTIFICATION = en_US.UTF-8
debug2: channel 0: request env confirm 0
debug3: Ignored env PWD
debug3: Ignored env JOB
debug3: Ignored env XMODIFIERS
debug3: Ignored env KONSOLE_DBUS_WINDOW
debug3: Ignored env KDE_SESSION_UID
debug3: Ignored env GNOME_KEYRING_PID
debug1: Sending env LANG = en_US.UTF-8
debug2: channel 0: request env confirm 0
debug3: Ignored env GDM_LANG
debug3: Ignored env MANDATORY_PATH
debug1: Sending env LC_MEASUREMENT = en_US.UTF-8
debug2: channel 0: request env confirm 0
debug3: Ignored env IM_CONFIG_PHASE
debug3: Ignored env KONSOLE_DBUS_SESSION
debug3: Ignored env GDMSESSION
debug3: Ignored env SESSIONTYPE
debug3: Ignored env HOME
debug3: Ignored env XDG_SEAT
debug3: Ignored env SHLVL
debug3: Ignored env COLORFGBG
debug3: Ignored env LANGUAGE
debug3: Ignored env KDE_SESSION_VERSION
debug3: Ignored env XCURSOR_THEME
debug3: Ignored env UPSTART_INSTANCE
debug3: Ignored env PYTHONPATH
debug3: Ignored env LOGNAME
debug3: Ignored env UPSTART_EVENTS
debug3: Ignored env XDG_DATA_DIRS
debug3: Ignored env DBUS_SESSION_BUS_ADDRESS
debug3: Ignored env QT4_IM_MODULE
debug3: Ignored env LESSOPEN
debug3: Ignored env TEXTDOMAIN
debug3: Ignored env UPSTART_JOB
debug3: Ignored env INSTANCE
debug3: Ignored env DISPLAY
debug3: Ignored env XDG_RUNTIME_DIR
debug3: Ignored env PROFILEHOME
debug3: Ignored env QT_PLUGIN_PATH
debug3: Ignored env GTK_IM_MODULE
debug3: Ignored env XDG_CURRENT_DESKTOP
debug3: Ignored env PAM_KWALLET_LOGIN
debug1: Sending env LC_TIME = en_US.UTF-8
debug2: channel 0: request env confirm 0
debug3: Ignored env LESSCLOSE
debug3: Ignored env TEXTDOMAINDIR
debug1: Sending env LC_NAME = en_US.UTF-8
debug2: channel 0: request env confirm 0
debug3: Ignored env XAUTHORITY
debug3: Ignored env _
debug3: Ignored env OLDPWD
debug2: channel 0: request shell confirm 1
debug2: callback done
debug2: channel 0: open confirm rwindow 0 rmax 32768
debug2: channel_input_status_confirm: type 99 id 0
debug2: PTY allocation request accepted on channel 0
debug2: channel 0: rcvd adjust 2097152
debug2: channel_input_status_confirm: type 99 id 0
debug2: shell request accepted on channel 0
Welcome to MYSERVER!!

Last login: Tue Nov  1 21:05:47 2016 from 111.222.111.222
user@myserver:~$
    
por fheshwfq 01.11.2016 / 21:14

1 resposta

4
debug1: Offering DSA public key: user@homedesktop
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Server accepts key: pkalg ssh-dss blen 433
debug2: input_userauth_pk_ok: fp d2:43:29:a0:88:06:a1:d2:1d:7a:65:15:4f:f8:95:eb
debug3: sign_and_send_pubkey: DSA d2:43:29:a0:88:06:a1:d2:1d:7a:65:15:4f:f8:95:eb
debug1: Authentication succeeded (publickey).
Authenticated to myserver.example.com ([123.234.123.234]:15555).

Diz que a chave está armazenada na sua sessão no seu ssh-agent . A execução do ssh sem a conexão com o seu ssh-agent não permitirá o acesso:

SSH_AUTH_SOCK="" ssh -vvv -p 15555 [email protected]

Matar também o agente fará o trabalho: eval $(ssh-agent -k) (se você não estiver usando gnome-keyring ). Caso contrário, o novo login do seu DE irá "liberar" a chave.

    
por 01.11.2016 / 21:30