Я сдаюсь:
У меня есть сценарий cronjob, который я запускал в течение многих лет (из машины RHEL 6.7) для удаленного подключения к другим машинам RHEL через ssh. Работает безупречно против RHEL5 и 6, но не работает против RHEL7. В простейшем виде скрипт ломается так:
ssh -tttvi /home/robot/.ssh/passwdlesskey robot@${ThatIP} sudo -l
На всех удаленных машинах (RHEL6 и 7) соответствующий файл sudoers содержит
Defaults requiretty
Как и ожидалось, скрипт хорошо работает из командной строки против RHEL7. Опять же, из cron он работает против RHEL 5 и 6, но не работает против 7:
debug1: read_passphrase: can't open /dev/tty: No such device or address
Host key verification failed.
Одна особенность, которую следует отметить, - это разница в выходных данных SSH при запуске командной строки против cron на сервере RHEL7.
C R O N C O M M A N D L I N E
------------------------------------------------------------------------+------------------------------------------------------------------------
debug1: skipped DNS lookup for numerical hostname | debug1: skipped DNS lookup for numerical hostname
WARNING: ECDSA key found for host 10.96.16.108 | debug1: Host '10.96.16.108' is known and matches the ECDSA host key.
in /home/robot/.ssh/known_hosts:416 | debug1: Found key in /home/robot/.ssh/known_hosts:416
ECDSA key fingerprint ee:67:90:d3:c3:b8:db:c7:d3:6a:68:6a:78:fd:25:da. | debug1: SSH2_MSG_NEWKEYS sent
+--[ECDSA 256]---+ | debug1: expecting SSH2_MSG_NEWKEYS
| | | debug1: SSH2_MSG_NEWKEYS received
| | | debug1: Roaming not allowed by server
| | | debug1: SSH2_MSG_SERVICE_REQUEST sent
| | | debug1: SSH2_MSG_SERVICE_ACCEPT received
| S= | | debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
| .= + | | debug1: Next authentication method: publickey
| ..= +... | | debug1: Offering DSA public key: /home/robot/.ssh/passwdlesskey
| ..+.*o=o. | | debug1: Server accepts key: pkalg ssh-dss blen 433
| o+*o+Eo | | debug1: Authentication succeeded (publickey).
+-----------------+ | Authenticated to 10.96.16.108 ([10.96.16.108]:22).
| debug1: channel 0: new [client-session]
debug1: read_passphrase: can't open /dev/tty: No such device or address | debug1: Entering interactive session.
Host key verification failed. | debug1: Sending command: sudo -l
------------------------------------------------------------------------+------------------------------------------------------------------------
У меня была одна теория: подобно тому, как scp/sftp не нравится вывод интерактивной оболочки, я подумал, что randomart, отображаемый сервером RHEL7, мешает моему сценарию. Но даже замена ssh -v на -q не помогает.
LogLevel sshd является DEBUG2
Mar 9 10:51:01 rhel7test sshd[26198]: debug1: Forked child 26209.
Mar 9 10:51:01 rhel7test sshd[26209]: Set /proc/self/oom_score_adj to 0
Mar 9 10:51:01 rhel7test sshd[26209]: debug1: rexec start in 5 out 5 newsock 5 pipe 7 sock 8
Mar 9 10:51:01 rhel7test sshd[26209]: debug1: inetd sockets after dupping: 3, 3
Mar 9 10:51:01 rhel7test sshd[26209]: Connection from 10.96.16.148 port 55171 on 10.96.16.108 port 22
Mar 9 10:51:01 rhel7test sshd[26209]: debug1: Client protocol version 2.0; client software version OpenSSH_5.3
Mar 9 10:51:01 rhel7test sshd[26209]: debug1: match: OpenSSH_5.3 pat OpenSSH_5* compat 0x0c000000
Mar 9 10:51:01 rhel7test sshd[26209]: debug1: Enabling compatibility mode for protocol 2.0
Mar 9 10:51:01 rhel7test sshd[26209]: debug1: Local version string SSH-2.0-OpenSSH_6.6.1
Mar 9 10:51:01 rhel7test sshd[26209]: debug2: fd 3 setting O_NONBLOCK
Mar 9 10:51:01 rhel7test sshd[26209]: debug2: Network child is on pid 26210
Mar 9 10:51:01 rhel7test sshd[26209]: debug1: SELinux support enabled [preauth]
Mar 9 10:51:01 rhel7test sshd[26209]: debug1: permanently_set_uid: 74/74 [preauth]
Mar 9 10:51:01 rhel7test sshd[26209]: debug1: list_hostkey_types: ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
Mar 9 10:51:01 rhel7test sshd[26209]: debug1: SSH2_MSG_KEXINIT sent [preauth]
Mar 9 10:51:01 rhel7test sshd[26209]: debug1: SSH2_MSG_KEXINIT received [preauth]
Mar 9 10:51:01 rhel7test sshd[26209]: debug2: kex_parse_kexinit: curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 [preauth]
Mar 9 10:51:01 rhel7test sshd[26209]: debug2: kex_parse_kexinit: ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
Mar 9 10:51:01 rhel7test sshd[26209]: debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se [preauth]
Mar 9 10:51:01 rhel7test sshd[26209]: debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se [preauth]
Mar 9 10:51:01 rhel7test sshd[26209]: debug2: kex_parse_kexinit: hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96 [preauth]
Mar 9 10:51:01 rhel7test sshd[26209]: debug2: kex_parse_kexinit: hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96 [preauth]
Mar 9 10:51:01 rhel7test sshd[26209]: debug2: kex_parse_kexinit: none,zlib@openssh.com [preauth]
Mar 9 10:51:01 rhel7test sshd[26209]: debug2: kex_parse_kexinit: none,zlib@openssh.com [preauth]
Mar 9 10:51:01 rhel7test sshd[26209]: debug2: kex_parse_kexinit: [preauth]
Mar 9 10:51:01 rhel7test sshd[26209]: debug2: kex_parse_kexinit: [preauth]
Mar 9 10:51:01 rhel7test sshd[26209]: debug2: kex_parse_kexinit: first_kex_follows 0 [preauth]
Mar 9 10:51:01 rhel7test sshd[26209]: debug2: kex_parse_kexinit: reserved 0 [preauth]
Mar 9 10:51:01 rhel7test sshd[26209]: debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 [preauth]
Mar 9 10:51:01 rhel7test sshd[26209]: debug2: kex_parse_kexinit: ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ssh-dss-cert-v00@openssh.com,ssh-rsa,ssh-dss [preauth]
Mar 9 10:51:01 rhel7test sshd[26209]: debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se [preauth]
Mar 9 10:51:01 rhel7test sshd[26209]: debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se [preauth]
Mar 9 10:51:01 rhel7test sshd[26209]: debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96 [preauth]
Mar 9 10:51:01 rhel7test sshd[26209]: debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96 [preauth]
Mar 9 10:51:01 rhel7test sshd[26209]: debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib [preauth]
Mar 9 10:51:01 rhel7test sshd[26209]: debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib [preauth]
Mar 9 10:51:01 rhel7test sshd[26209]: debug2: kex_parse_kexinit: [preauth]
Mar 9 10:51:01 rhel7test sshd[26209]: debug2: kex_parse_kexinit: [preauth]
Mar 9 10:51:01 rhel7test sshd[26209]: debug2: kex_parse_kexinit: first_kex_follows 0 [preauth]
Mar 9 10:51:01 rhel7test sshd[26209]: debug2: kex_parse_kexinit: reserved 0 [preauth]
Mar 9 10:51:01 rhel7test sshd[26209]: debug2: mac_setup: setup hmac-md5 [preauth]
Mar 9 10:51:01 rhel7test sshd[26209]: debug1: kex: client->server aes128-ctr hmac-md5 none [preauth]
Mar 9 10:51:01 rhel7test sshd[26209]: debug2: mac_setup: setup hmac-md5 [preauth]
Mar 9 10:51:01 rhel7test sshd[26209]: debug1: kex: server->client aes128-ctr hmac-md5 none [preauth]
Mar 9 10:51:01 rhel7test sshd[26209]: debug1: kex: diffie-hellman-group-exchange-sha256 need=16 dh_need=16 [preauth]
Mar 9 10:51:01 rhel7test sshd[26209]: debug1: kex: diffie-hellman-group-exchange-sha256 need=16 dh_need=16 [preauth]
Mar 9 10:51:01 rhel7test sshd[26209]: debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received [preauth]
Mar 9 10:51:01 rhel7test sshd[26209]: debug2: monitor_read: 0 used once, disabling now
Mar 9 10:51:01 rhel7test sshd[26209]: debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent [preauth]
Mar 9 10:51:01 rhel7test sshd[26209]: debug2: bits set: 504/1024 [preauth]
Mar 9 10:51:01 rhel7test sshd[26209]: debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT [preauth]
Mar 9 10:51:01 rhel7test sshd[26209]: debug2: bits set: 532/1024 [preauth]
Mar 9 10:51:01 rhel7test sshd[26209]: debug2: monitor_read: 6 used once, disabling now
Mar 9 10:51:01 rhel7test sshd[26209]: debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent [preauth]
Mar 9 10:51:01 rhel7test sshd[26209]: debug2: kex_derive_keys [preauth]
Mar 9 10:51:01 rhel7test sshd[26209]: debug2: set_newkeys: mode 1 [preauth]
Mar 9 10:51:01 rhel7test sshd[26209]: debug1: SSH2_MSG_NEWKEYS sent [preauth]
Mar 9 10:51:01 rhel7test sshd[26209]: debug1: expecting SSH2_MSG_NEWKEYS [preauth]
Mar 9 10:51:01 rhel7test sshd[26209]: Connection closed by 10.96.16.148 [preauth]
Mar 9 10:51:01 rhel7test sshd[26209]: debug1: do_cleanup [preauth]
Mar 9 10:51:01 rhel7test sshd[26209]: debug1: monitor_read_log: child log fd closed
Mar 9 10:51:01 rhel7test sshd[26209]: debug1: do_cleanup
Mar 9 10:51:01 rhel7test sshd[26209]: debug1: Killing privsep child 26210
Читая похожие посты, я уже
- проверил разрешения на /dev /tty
- убедился, что ключи без пароля верны
- убедился, что в файле known_hosts нет конфликтующих записей
- проверил переменные среды на что-нибудь странное
- поднял отладку до уровня 3 на исполняющей стороне (-vvv) без новой информации, которую можно извлечь из вывода.
Наконец, поскольку я уверен, что это будет задано, sshd_config из RHEL6 & 7
R H E L 7 R H E L 6
--------------------------------------------------------------------------------+---------------------------------------------------------------------
HostKey /etc/ssh/ssh_host_rsa_key |
HostKey /etc/ssh/ssh_host_ecdsa_key |
HostKey /etc/ssh/ssh_host_ed25519_key |
SyslogFacility AUTHPRIV | AUTHPRIV
LogLevel DEBUG2 |
PermitRootLogin no | no
StrictModes yes |
MaxAuthTries 3 |
MaxSessions 10 |
PubkeyAuthentication yes |
AuthorizedKeysFile .ssh/authorized_keys |
IgnoreRhosts yes |
PermitEmptyPasswords no |
PasswordAuthentication yes | yes
ChallengeResponseAuthentication no | no
GSSAPIAuthentication yes | yes
GSSAPICleanupCredentials no | yes
UsePAM yes | yes
X11Forwarding yes | yes
PrintMotd no |
PrintLastLog no |
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES | LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT | LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE | LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS | XMODIFIERS
Subsystem sftp /usr/libexec/openssh/sftp-server | sftp /usr/libexec/openssh/sftp-server
Так что я в растерянности относительно причины проблемы.