基于 OpenSSH 主机的身份验证 - mm_answer_keyallowed:不允许使用密钥 0x58c400

我正在尝试为一小部分主机设置基于主机的验证。 我想我已经连续获得了所有的鸭子:

  • 将公钥复制到 /etc/ssh/ssh_known_hosts 数据
  • 将所有主机放入 /etc/shosts.equiv
  • /etc/ssh/sshd_config/etc/ssh/ssh_config 中启用 HostbasedAuthentication
  • 设置 /usr/lib64/ssh/ssh-keysign 二进制文件并在客户端的 /etc/ssh/ssh_config 文档中设置 EnableSSHKeysign yes

但是,它仍然不起作用。 在调试设置中运行 Web 服务器,我得到以下结果:

debug1: attempt 0 failures 0
debug3: mm_getpwnamallow entering
debug3: mm_request_send entering: type 6
debug3: monitor_read: checking request 6
debug3: mm_answer_pwnamallow
debug3: Trying to reverse map address 10.3.128.10.
debug3: mm_getpwnamallow: waiting for MONITOR_ANS_PWNAM
debug3: mm_request_receive_expect entering: type 7
debug3: mm_request_receive entering
debug2: parse_server_config: config reprocess config len 137
debug3: mm_answer_pwnamallow: sending MONITOR_ANS_PWNAM: 1
debug3: mm_request_send entering: type 7
debug2: monitor_read: 6 used once, disabling now
debug3: mm_request_receive entering
debug2: input_userauth_request: setting up authctxt for kamil
debug3: mm_start_pam entering
debug3: mm_request_send entering: type 45
debug3: mm_inform_authserv entering
debug3: mm_request_send entering: type 3
debug2: input_userauth_request: try method none
debug3: monitor_read: checking request 45
debug1: PAM: initializing for "kamil"
debug1: PAM: setting PAM_RHOST to "foo.bar.com"
debug1: PAM: setting PAM_TTY to "ssh"
debug2: monitor_read: 45 used once, disabling now
debug3: mm_request_receive entering
debug3: monitor_read: checking request 3
debug3: mm_answer_authserv: service=ssh-connection, style=
debug2: monitor_read: 3 used once, disabling now
debug3: mm_request_receive entering
debug1: userauth-request for user kamil service ssh-connection method hostbased
debug1: attempt 1 failures 1
debug2: input_userauth_request: try method hostbased
debug1: userauth_hostbased: cuser kamil chost foo.bar.com. pkalg ssh-dss slen 55
debug3: mm_key_allowed entering
debug3: mm_request_send entering: type 20
debug3: monitor_read: checking request 20
debug3: mm_answer_keyallowed entering
debug3: mm_answer_keyallowed: key_from_blob: 0x58c400
debug2: userauth_hostbased: chost foo.bar.com. resolvedname foo.bar.com ipaddr 10.3.128.10
debug2: stripping trailing dot from chost foo.bar.com.
debug2: auth_rhosts2: clientuser kamil hostname foo.bar.com ipaddr 10.3.128.10
debug1: temporarily_use_uid: 1031/1028 (e=0/0)
debug3: mm_key_allowed: waiting for MONITOR_ANS_KEYALLOWED
debug3: mm_request_receive_expect entering: type 21
debug3: mm_request_receive entering
debug1: restore_uid: 0/0
debug1: temporarily_use_uid: 1031/1028 (e=0/0)
debug1: restore_uid: 0/0
Failed hostbased for kamil from 10.3.128.10 port 55105 ssh2
debug3: mm_answer_keyallowed: key 0x58c400 is disallowed
debug3: mm_request_send entering: type 21
debug3: mm_request_receive entering
debug2: userauth_hostbased: authenticated 0
debug1: userauth-request for user kamil service ssh-connection method hostbased
debug1: attempt 2 failures 2
debug2: input_userauth_request: try method hostbased
debug1: userauth_hostbased: cuser kamil chost foo.bar.com. pkalg ssh-rsa slen 143
debug3: mm_key_allowed entering
debug3: mm_request_send entering: type 20
debug3: monitor_read: checking request 20
debug3: mm_answer_keyallowed entering
debug3: mm_answer_keyallowed: key_from_blob: 0x58c400
debug2: userauth_hostbased: chost foo.bar.com. resolvedname foo.bar.com ipaddr 10.3.128.10
debug2: stripping trailing dot from chost foo.bar.com.
debug2: auth_rhosts2: clientuser kamil hostname foo.bar.com ipaddr 10.3.128.10
debug1: temporarily_use_uid: 1031/1028 (e=0/0)
debug1: restore_uid: 0/0
debug1: temporarily_use_uid: 1031/1028 (e=0/0)
debug1: restore_uid: 0/0
Failed hostbased for kamil from 10.3.128.10 port 55105 ssh2
debug3: mm_answer_keyallowed: key 0x58c400 is disallowed
debug3: mm_request_send entering: type 21
debug3: mm_request_receive entering
debug3: mm_key_allowed: waiting for MONITOR_ANS_KEYALLOWED
debug3: mm_request_receive_expect entering: type 21
debug3: mm_request_receive entering
debug2: userauth_hostbased: authenticated 0
debug1: userauth-request for user kamil service ssh-connection method keyboard-interactive
debug1: attempt 3 failures 3
debug2: input_userauth_request: try method keyboard-interactive

问题的症结似乎在于这条线:

debug3: mm_answer_keyallowed: key 0x58c400 is disallowed

想法?

0
2022-06-07 14:36:30
资源 分享
答案: 3

好的,我的组件严重失败。 我开发了 /etc/shosts.equiv 而不是 /etc/ssh/shosts.equiv(请参阅我关注的因素 2)。 它在我的一些其他系统上工作的因素是,它们还有一个重复出现的 /etc/hosts.equiv 文件,该文件来自同事以前的一些工作。

当正确的文件放在正确的位置时,事情会变得更好。 在 Web 服务器上使用了一些 strace 来发现它从哪些文件中读取的内容,最终让我了解了解决方案。

1
2022-06-08 01:44:35
资源

您是否允许客户使用 EnableSSHKeysign? 这是我需要让基于主机的身份验证工作的附加项目。

1
2022-06-07 15:03:06
资源

您是否使用旧主机密钥在 debian 上? openssh - 黑名单包可能会阻止使用受 臭名昭著的 SSL 漏洞 影响的密钥。

如果这是真的,请重新生成您的主机密钥。

0
2022-06-07 15:01:10
资源