SSH без пароля не работает с пользователем postgres

2897
Doppelganger

Я попытался вручную добавить ключ паба для authorized_keys и authorized_keys2. Я также дважды проверил разрешения для .ssh (700) и authorized_keys (644). Я могу войти без пароля на той же машине, используя другого пользователя (пользователя сервера).

Вот вывод из ssh -vvv:

ssh postgres@java7 -vvv OpenSSH_4.3p2, OpenSSL 0.9.8b 04 May 2006 debug1: Reading configuration data /etc/ssh/ssh_config debug1: Applying options for * debug2: ssh_connect: needpriv 0 debug1: Connecting to java7 [192.168.120.28] port 22. debug1: Connection established. debug1: identity file /home/informix/.ssh/identity type -1 debug3: Not a RSA1 key file /home/informix/.ssh/id_rsa. debug2: key_type_from_name: unknown key type '-----BEGIN' debug3: key_read: missing keytype debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug2: key_type_from_name: unknown key type '-----END' debug3: key_read: missing keytype debug1: identity file /home/informix/.ssh/id_rsa type 1 debug1: identity file /home/informix/.ssh/id_dsa type -1 debug1: loaded 3 keys debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3 debug1: match: OpenSSH_5.3 pat OpenSSH* debug1: Enabling compatibility mode for protocol 2.0 debug1: Local version string SSH-2.0-OpenSSH_4.3 debug2: fd 3 setting O_NONBLOCK debug1: SSH2_MSG_KEXINIT sent debug1: SSH2_MSG_KEXINIT received debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 debug2: kex_parse_kexinit: ssh-rsa,ssh-dss debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib debug2: kex_parse_kexinit:  debug2: kex_parse_kexinit:  debug2: kex_parse_kexinit: first_kex_follows 0  debug2: kex_parse_kexinit: reserved 0  debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 debug2: kex_parse_kexinit: ssh-rsa,ssh-dss debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: none,zlib@openssh.com debug2: kex_parse_kexinit: none,zlib@openssh.com debug2: kex_parse_kexinit:  debug2: kex_parse_kexinit:  debug2: kex_parse_kexinit: first_kex_follows 0  debug2: kex_parse_kexinit: reserved 0  debug2: mac_init: found hmac-md5 debug1: kex: server->client aes128-cbc hmac-md5 none debug2: mac_init: found hmac-md5 debug1: kex: client->server aes128-cbc hmac-md5 none debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP debug2: dh_gen_key: priv key bits set: 118/256 debug2: bits set: 497/1024 debug1: SSH2_MSG_KEX_DH_GEX_INIT sent debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY debug3: check_host_in_hostfile: filename /home/informix/.ssh/known_hosts debug3: check_host_in_hostfile: match line 86 debug3: check_host_in_hostfile: filename /home/informix/.ssh/known_hosts debug3: check_host_in_hostfile: match line 82 debug1: Host 'java7' is known and matches the RSA host key. debug1: Found key in /home/informix/.ssh/known_hosts:86 debug2: bits set: 513/1024 debug1: ssh_rsa_verify: signature correct debug2: kex_derive_keys debug2: set_newkeys: mode 1 debug1: SSH2_MSG_NEWKEYS sent debug1: expecting SSH2_MSG_NEWKEYS debug2: set_newkeys: mode 0 debug1: SSH2_MSG_NEWKEYS received debug1: SSH2_MSG_SERVICE_REQUEST sent debug2: service_accept: ssh-userauth debug1: SSH2_MSG_SERVICE_ACCEPT received debug2: key: /home/informix/.ssh/id_rsa (0x555560bb41c0) debug2: key: /home/informix/.ssh/identity ((nil)) debug2: key: /home/informix/.ssh/id_rsa (0x555560bae620) debug2: key: /home/informix/.ssh/id_dsa ((nil)) debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password debug3: start over, passed a different list publickey,gssapi-keyex,gssapi-with-mic,password debug3: preferred gssapi-with-mic,publickey,keyboard-interactive,password debug3: authmethod_lookup gssapi-with-mic debug3: remaining preferred: publickey,keyboard-interactive,password debug3: authmethod_is_enabled gssapi-with-mic debug1: Next authentication method: gssapi-with-mic debug3: Trying to reverse map address 192.168.120.28. debug1: Unspecified GSS failure. Minor code may provide more information Unknown code krb5 195  debug1: Unspecified GSS failure. Minor code may provide more information Unknown code krb5 195  debug1: Unspecified GSS failure. Minor code may provide more information Unknown code krb5 195  debug2: we did not send a packet, disable method debug3: authmethod_lookup publickey debug3: remaining preferred: keyboard-interactive,password debug3: authmethod_is_enabled publickey debug1: Next authentication method: publickey debug1: Offering public key: /home/informix/.ssh/id_rsa debug3: send_pubkey_test debug2: we sent a publickey packet, wait for reply debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password debug1: Trying private key: /home/informix/.ssh/identity debug3: no such identity: /home/informix/.ssh/identity debug1: Offering public key: /home/informix/.ssh/id_rsa debug3: send_pubkey_test debug2: we sent a publickey packet, wait for reply debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password debug1: Trying private key: /home/informix/.ssh/id_dsa debug3: no such identity: /home/informix/.ssh/id_dsa debug2: we did not send a packet, disable method debug3: authmethod_lookup password debug3: remaining preferred: ,password debug3: authmethod_is_enabled password debug1: Next authentication method: password postgres@java7's password:  

Редактировать:

This is an excerpt of what the ssh server on a different port says: debug1: PAM: initializing for "postgres" debug1: PAM: setting PAM_RHOST to "192.168.120.97" debug1: PAM: setting PAM_TTY to "ssh" debug1: userauth-request for user postgres service ssh-connection method publickey debug1: attempt 1 failures 0 debug1: test whether pkalg/pkblob are acceptable debug1: temporarily_use_uid: 26/26 (e=0/0) debug1: trying public key file /var/lib/pgsql/.ssh/authorized_keys debug1: fd 4 clearing O_NONBLOCK debug1: matching key found: file /var/lib/pgsql/.ssh/authorized_keys, line 4 Found matching RSA key: f5:79:bb:f0:df:57:a3:ee:83:cc:33:a5:1b:b2:5d:ee debug1: restore_uid: 0/0 Postponed publickey for postgres from 192.168.120.97 port 45341 ssh2 debug1: userauth-request for user postgres service ssh-connection method publickey debug1: attempt 2 failures 0 debug1: temporarily_use_uid: 26/26 (e=0/0) debug1: trying public key file /var/lib/pgsql/.ssh/authorized_keys debug1: fd 4 clearing O_NONBLOCK debug1: matching key found: file /var/lib/pgsql/.ssh/authorized_keys, line 4 Found matching RSA key: f5:79:bb:f0:df:57:a3:ee:83:cc:33:a5:1b:b2:5d:ee debug1: restore_uid: 0/0 debug1: ssh_rsa_verify: signature correct debug1: do_pam_account: called Accepted publickey for postgres from 192.168.120.97 port 45341 ssh2 debug1: monitor_child_preauth: postgres has been authenticated by privileged process debug1: temporarily_use_uid: 26/26 (e=0/0) debug1: ssh_gssapi_storecreds: Not a GSSAPI mechanism debug1: restore_uid: 0/0 debug1: SELinux support enabled debug1: PAM: establishing credentials PAM: pam_open_session(): Authentication failure User child is on pid 10198 debug1: PAM: establishing credentials debug1: permanently_set_uid: 26/26 debug1: Entering interactive session for SSH2. debug1: server_init_dispatch_20 debug1: server_input_channel_open: ctype session rchan 0 win 65536 max 16384 debug1: input_session_request debug1: channel 0: new [server-session] debug1: session_new: session 0 debug1: session_open: channel 0 debug1: session_open: session 0: link with channel 0 debug1: server_input_channel_open: confirm session debug1: server_input_channel_req: channel 0 request pty-req reply 0 debug1: session_by_channel: session 0 channel 0 debug1: session_input_channel_req: session 0 req pty-req debug1: Allocating pty. debug1: session_new: session 0 ssh_selinux_setup_pty: security_compute_relabel: Invalid argument debug1: session_pty_req: session 0 alloc /dev/pts/5 debug1: server_input_channel_req: channel 0 request env reply 0 debug1: session_by_channel: session 0 channel 0 debug1: session_input_channel_req: session 0 req env debug1: server_input_channel_req: channel 0 request shell reply 0 debug1: session_by_channel: session 0 channel 0 debug1: session_input_channel_req: session 0 req shell debug1: Setting controlling tty using TIOCSCTTY. debug1: Received SIGCHLD. debug1: session_by_pid: pid 10199 debug1: session_exit_message: session 0 channel 0 pid 10199 debug1: session_exit_message: release channel 0 debug1: session_by_tty: session 0 tty /dev/pts/5 debug1: session_pty_cleanup: session 0 release /dev/pts/5 debug1: session_by_channel: session 0 channel 0 debug1: session_close_by_channel: channel 0 child 0 debug1: session_close: session 0 pid 0 debug1: channel 0: free: server-session, nchannels 1 Connection closed by 192.168.120.97 debug1: do_cleanup Transferred: sent 2296, received 2416 bytes Closing connection to 192.168.120.97 port 45341 debug1: PAM: cleanup debug1: PAM: deleting credentials 

/var/log/secure.log при запуске другого ssh-сервера :

Apr 4 16:52:31 java7 sshd[10774]: pam_selinux(sshd:session): conversation failed Apr 4 16:52:31 java7 sshd[10774]: pam_selinux(sshd:session): No response to query: Would you like to enter a security context? [N] Apr 4 16:52:31 java7 sshd[10774]: pam_selinux(sshd:session): Unable to get valid context for postgres Apr 4 16:52:31 java7 sshd[10774]: pam_unix(sshd:session): session opened for user postgres by (uid=0) 
3

5 ответов на вопрос

2
Majenko

Я считаю, что в этих условиях лучше всего запустить демон SSH в режиме отладки. Если у вас есть доступ с правами root на компьютере, вы можете запустить:

# /usr/sbin/sshd -d -p 2222 

и тогда вы можете использовать:

# ssh -p 2222 postgres@java7 

и посмотрите, по какой причине сервер отклонил ключ.

Я добавил вывод с сервера ssh. Я считаю, что проблема в «PAM: pam_open_session (): Ошибка аутентификации», но я все еще ищу решение. Doppelganger 13 лет назад 0
Ok, so now you need to go look in /etc/pam.d/sshd and check through each of the 'required' entries and also follow to any @included files, to see if there are any criteria that would fail for the postgres account. You could also check in /var/log/auth.log for any clues relating to pam. Majenko 13 лет назад 0
Добавлена ​​выдержка из / var / log / secure (у меня нет auth.log). Doppelganger 13 лет назад 0
Поправьте меня, если я ошибаюсь, но если я могу войти, написав пароль, проблем с Пэм не должно быть. Правильно? Doppelganger 13 лет назад 0
It depends on what is 'sufficient' to log in with your configuration. There's different parts to pam - authentication is just one, and will be skipped if the key works, which it does. The account section of pam is probably where it is falling down, which may succeed if it has done the authentication part first, as with entering the password. Majenko 13 лет назад 0
Хорошо, хотя я не мог найти решение для своей проблемы (я не хочу упасть в глубокую дыру, которую PAM означает для меня), вы помогли мне понять, ПОЧЕМУ она терпела неудачу, поэтому я отмечу этот ответ как правильный. Doppelganger 13 лет назад 0
1

Является ли 'postgres' пользователем, сгенерированным при установке сервера PostreSQL? Если так, большинство автоматически сгенерированных пользователей не могут быть "залогинены"; они существуют исключительно для целей демонов, которым требуются разрешения на доступ к файлам.

Да, это так, и он может быть авторизован. Когда ключ аутентификации не удается, он запрашивает пароль. Когда я ввожу пароль, пользователь входит в систему как любой пользователь. Doppelganger 13 лет назад 0
1
tyfyh

Вы можете включить журналы отладки на вашем существующем ssh-сервере. Измените файл / etc / ssh / sshd_config, LogLevel DEBUG3 если причина неудачного входа в систему Could not open authorized keys '/var/lib/pgsql/.ssh/authorized_keys': Permission deniedи права доступа к авторизованному ключу в порядке, то эта команда поможет

restorecon -FRvv /var/lib/pgsql/.ssh/

объяснение

0
buzz3791

Another solution for Red Hat Enterprise Linux 6.5 SELinux feature preventing sshd from reading $HOME/.ssh is to use restorecon, see my answser here https://superuser.com/a/764020/213743.

-1
Mazen Maxmax

убедитесь, что ваш selinux настроен правильно.

я изменил selinux на разрешающий, и он работает, или вы должны добавить .ssh к ролям selinux.