3

Я попытался вручную добавить ключ паба для authorized_keys и authorized_keys2. Я также дважды проверил разрешения для .ssh (700) и authorized_keys (644). Я могу войти без пароля на той же машине, используя другого пользователя (пользователя сервера).

Вот вывод из ssh -vvv:

ssh postgres@java7 -vvv
OpenSSH_4.3p2, OpenSSL 0.9.8b 04 May 2006
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to java7 [192.168.120.28] port 22.
debug1: Connection established.
debug1: identity file /home/informix/.ssh/identity type -1
debug3: Not a RSA1 key file /home/informix/.ssh/id_rsa.
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug3: key_read: missing keytype
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug2: key_type_from_name: unknown key type '-----END'
debug3: key_read: missing keytype
debug1: identity file /home/informix/.ssh/id_rsa type 1
debug1: identity file /home/informix/.ssh/id_dsa type -1
debug1: loaded 3 keys
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
debug1: match: OpenSSH_5.3 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.3
debug2: fd 3 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: first_kex_follows 0 
debug2: kex_parse_kexinit: reserved 0 
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: first_kex_follows 0 
debug2: kex_parse_kexinit: reserved 0 
debug2: mac_init: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 none
debug2: mac_init: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 118/256
debug2: bits set: 497/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug3: check_host_in_hostfile: filename /home/informix/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 86
debug3: check_host_in_hostfile: filename /home/informix/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 82
debug1: Host 'java7' is known and matches the RSA host key.
debug1: Found key in /home/informix/.ssh/known_hosts:86
debug2: bits set: 513/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /home/informix/.ssh/id_rsa (0x555560bb41c0)
debug2: key: /home/informix/.ssh/identity ((nil))
debug2: key: /home/informix/.ssh/id_rsa (0x555560bae620)
debug2: key: /home/informix/.ssh/id_dsa ((nil))
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug3: start over, passed a different list publickey,gssapi-keyex,gssapi-with-mic,password
debug3: preferred gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup gssapi-with-mic
debug3: remaining preferred: publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-with-mic
debug1: Next authentication method: gssapi-with-mic
debug3: Trying to reverse map address 192.168.120.28.
debug1: Unspecified GSS failure.  Minor code may provide more information
Unknown code krb5 195

debug1: Unspecified GSS failure.  Minor code may provide more information
Unknown code krb5 195

debug1: Unspecified GSS failure.  Minor code may provide more information
Unknown code krb5 195

debug2: we did not send a packet, disable method
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering public key: /home/informix/.ssh/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Trying private key: /home/informix/.ssh/identity
debug3: no such identity: /home/informix/.ssh/identity
debug1: Offering public key: /home/informix/.ssh/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Trying private key: /home/informix/.ssh/id_dsa
debug3: no such identity: /home/informix/.ssh/id_dsa
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred: ,password
debug3: authmethod_is_enabled password
debug1: Next authentication method: password
postgres@java7's password: 

Редактировать:

This is an excerpt of what the ssh server on a different port says:
debug1: PAM: initializing for "postgres"
debug1: PAM: setting PAM_RHOST to "192.168.120.97"
debug1: PAM: setting PAM_TTY to "ssh"
debug1: userauth-request for user postgres service ssh-connection method publickey
debug1: attempt 1 failures 0
debug1: test whether pkalg/pkblob are acceptable
debug1: temporarily_use_uid: 26/26 (e=0/0)
debug1: trying public key file /var/lib/pgsql/.ssh/authorized_keys
debug1: fd 4 clearing O_NONBLOCK
debug1: matching key found: file /var/lib/pgsql/.ssh/authorized_keys, line 4
Found matching RSA key: f5:79:bb:f0:df:57:a3:ee:83:cc:33:a5:1b:b2:5d:ee
debug1: restore_uid: 0/0
Postponed publickey for postgres from 192.168.120.97 port 45341 ssh2
debug1: userauth-request for user postgres service ssh-connection method publickey
debug1: attempt 2 failures 0
debug1: temporarily_use_uid: 26/26 (e=0/0)
debug1: trying public key file /var/lib/pgsql/.ssh/authorized_keys
debug1: fd 4 clearing O_NONBLOCK
debug1: matching key found: file /var/lib/pgsql/.ssh/authorized_keys, line 4
Found matching RSA key: f5:79:bb:f0:df:57:a3:ee:83:cc:33:a5:1b:b2:5d:ee
debug1: restore_uid: 0/0
debug1: ssh_rsa_verify: signature correct
debug1: do_pam_account: called
Accepted publickey for postgres from 192.168.120.97 port 45341 ssh2
debug1: monitor_child_preauth: postgres has been authenticated by privileged process
debug1: temporarily_use_uid: 26/26 (e=0/0)
debug1: ssh_gssapi_storecreds: Not a GSSAPI mechanism
debug1: restore_uid: 0/0
debug1: SELinux support enabled
debug1: PAM: establishing credentials
PAM: pam_open_session(): Authentication failure
User child is on pid 10198
debug1: PAM: establishing credentials
debug1: permanently_set_uid: 26/26
debug1: Entering interactive session for SSH2.
debug1: server_init_dispatch_20
debug1: server_input_channel_open: ctype session rchan 0 win 65536 max 16384
debug1: input_session_request
debug1: channel 0: new [server-session]
debug1: session_new: session 0
debug1: session_open: channel 0
debug1: session_open: session 0: link with channel 0
debug1: server_input_channel_open: confirm session
debug1: server_input_channel_req: channel 0 request pty-req reply 0
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 req pty-req
debug1: Allocating pty.
debug1: session_new: session 0
ssh_selinux_setup_pty: security_compute_relabel: Invalid argument
debug1: session_pty_req: session 0 alloc /dev/pts/5
debug1: server_input_channel_req: channel 0 request env reply 0
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 req env
debug1: server_input_channel_req: channel 0 request shell reply 0
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 req shell
debug1: Setting controlling tty using TIOCSCTTY.
debug1: Received SIGCHLD.
debug1: session_by_pid: pid 10199
debug1: session_exit_message: session 0 channel 0 pid 10199
debug1: session_exit_message: release channel 0
debug1: session_by_tty: session 0 tty /dev/pts/5
debug1: session_pty_cleanup: session 0 release /dev/pts/5
debug1: session_by_channel: session 0 channel 0
debug1: session_close_by_channel: channel 0 child 0
debug1: session_close: session 0 pid 0
debug1: channel 0: free: server-session, nchannels 1
Connection closed by 192.168.120.97
debug1: do_cleanup
Transferred: sent 2296, received 2416 bytes
Closing connection to 192.168.120.97 port 45341
debug1: PAM: cleanup
debug1: PAM: deleting credentials

/var/log/secure.log при запуске другого ssh-сервера:

Apr  4 16:52:31 java7 sshd[10774]: pam_selinux(sshd:session): conversation failed
Apr  4 16:52:31 java7 sshd[10774]: pam_selinux(sshd:session): No response to query: Would you like to enter a security context? [N]
Apr  4 16:52:31 java7 sshd[10774]: pam_selinux(sshd:session): Unable to get valid context for postgres
Apr  4 16:52:31 java7 sshd[10774]: pam_unix(sshd:session): session opened for user postgres by (uid=0)

5 ответов5

2

Я считаю, что в этих условиях лучше всего запустить демон SSH в режиме отладки. Если у вас есть доступ с правами root на компьютере, вы можете запустить:

# /usr/sbin/sshd -d -p 2222

и тогда вы можете использовать:

# ssh -p 2222 postgres@java7

и посмотрите, по какой причине сервер отклонил ключ.

1

Является ли 'postgres' пользователем, сгенерированным при установке сервера PostreSQL? Если так, большинство автоматически сгенерированных пользователей не могут быть "залогинены"; они существуют исключительно для целей демонов, которым требуются разрешения на доступ к файлам.

1

Вы можете включить журналы отладки на вашем существующем ssh-сервере. В файле /etc /ssh /sshd_config измените LogLevel DEBUG3 если причиной неудачного входа в систему является « Could not open authorized keys '/var/lib/pgsql/.ssh/authorized_keys': Permission denied а права доступа для authorized_keys, похоже, в порядке, тогда эта команда поможет

restorecon -FRvv /var/lib/pgsql/.ssh/

объяснение

0

Другое решение для Red Hat Enterprise Linux 6.5 SELinux, не позволяющее sshd читать $ HOME/.ssh, - это использовать restorecon, см. Мой ответ здесь https://superuser.com/a/764020/213743.

-1

убедитесь, что ваш selinux настроен правильно.

я изменил selinux на разрешающий, и он работает, или вы должны добавить .ssh к ролям selinux.

Всё ещё ищете ответ? Посмотрите другие вопросы с метками .