Make a new user able to log in through ssh


8

I have been given a server to use for some computations. I was given the root password and was told to create my own account.

I access the server using ssh root@host and enter the root password. I then created a user with sudo useradd -m myname and set a password. Then I logged out and tried to ssh in with ssh myname@host

However, as soon as I enter the password, my connection is closed:

Connection to host closed by remote host.
Connection to host closed.

I tried looking at the host.deny and host.allow files, but they don't seem to have been modified (they are commented out with #).

Then I tried looking into etc/ssh/sshd_config, but I don't know exactly what to look for. These are some parameters that seem relevant:

# Authentication:
LoginGraceTime 120
PermitRootLogin yes
StrictModes yes

RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile %h/.ssh/authorized_keys

# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes
# Change to no to disable tunnelled clear text passwords
#PasswordAuthentication yes

What could be the problem? Note that I am not trying to log in using ssh keys; entering a password is fine. How can I make it work?

Edit: This is the content of the whole sshd_config file:

# Package generated configuration file
# See the sshd_config(5) manpage for details

# What ports, IPs and protocols we listen for
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes

# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 1024

# Logging
SyslogFacility AUTH
LogLevel INFO

# Authentication:
LoginGraceTime 120
PermitRootLogin yes
StrictModes yes

RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile %h/.ssh/authorized_keys

# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes

# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no

# Change to no to disable tunnelled clear text passwords
#PasswordAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no

#MaxStartups 10:30:60
#Banner /etc/issue.net

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

Subsystem sftp /usr/lib/openssh/sftp-server

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes

Edit 2: This is the output of a connection attempt with ssh -vv username@host

OpenSSH_7.2p2 Ubuntu-4ubuntu2.2, OpenSSL 1.0.2g  1 Mar 2016
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug2: resolving "host_name" port 22
debug2: ssh_connect_direct: needpriv 0
debug1: Connecting to host_name [ip_address] port 22.
debug1: Connection established.
debug1: key_load_public: No such file or directory
debug1: identity file /localhome/username/.ssh/id_rsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /localhome/username/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /localhome/username/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /localhome/username/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /localhome/username/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /localhome/username/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /localhome/username/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /localhome/username/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.2
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.2p2 Ubuntu-4ubuntu2.2
debug1: match: OpenSSH_7.2p2 Ubuntu-4ubuntu2.2 pat OpenSSH* compat 0x04000000
debug2: fd 5 setting O_NONBLOCK
debug1: Authenticating to host_name:22 as ‘username_on_server’
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
[…]
debug1: Server host key: [serverkey]
debug1: Host 'host_name' is known and matches the ECDSA host key.
debug1: Found key in /localhome/username/.ssh/known_hosts:5
debug2: set_newkeys: mode 1
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS received
debug2: key: /localhome/username/.ssh/id_rsa ((nil))
debug2: key: /localhome/username/.ssh/id_dsa ((nil))
debug2: key: /localhome/username/.ssh/id_ecdsa ((nil))
debug2: key: /localhome/username/.ssh/id_ed25519 ((nil))
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<rsa-sha2-256,rsa-sha2-512>
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Trying private key: /localhome/username/.ssh/id_rsa
debug1: Trying private key: /localhome/username/.ssh/id_dsa
debug1: Trying private key: /localhome/username/.ssh/id_ecdsa
debug1: Trying private key: /localhome/username/.ssh/id_ed25519
debug2: we did not send a packet, disable method
debug1: Next authentication method: password
username_on_server@host_name's password: <——- Here I inserted my password
debug2: we sent a password packet, wait for reply
debug1: Authentication succeeded (password).
Authenticated to host_name ([ip_address]:22).
debug1: channel 0: new [client-session]
debug2: channel 0: send open
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: pledge: network
debug1: channel 0: free: client-session, nchannels 1
Connection to host_name closed by remote host.
Connection to host_name closed.
Transferred: sent 1736, received 1388 bytes, in 0.0 seconds
Bytes per second: sent 9760471.5, received 7803879.3
debug1: Exit status -1

Edit 3: The new user's .profile on the server

# if running bash
if [ -n "$BASH_VERSION" ]; then
    # include .bashrc if it exists
    if [ -f "$HOME/.bashrc" ]; then
        . "$HOME/.bashrc"
    fi
fi

# set PATH so it includes user's private bin directories
PATH="$HOME/bin:$HOME/.local/bin:$PATH"

2
- Did you create a password for myname (using passwd), or set up a public key in ~/.ssh/authorized_keys? - What is in sshd_config for AllowUsers?
tonioc

1
Try ssh -vvv to see if you can spot any error messages. Check the messages log on the server as well.
Raman Sailopal

2
tonioc is right. You need 1. a password set on the account to unlock it, and 2. public key auth set up for that user. It looks like the box only accepts public key authentication. See how PasswordAuthentication is commented out?
Patrick

@Patrick - the commented-out lines just show the default settings. To change it to NO, you would have to uncomment it. So it probably does accept passwords, and in fact, in the question the asker states that he logged in with the root user and password.
EightBitTony

1
Use ssh -vv myname@host and if you can't see the problem in the output, add the (formatted) output to your question.
EightBitTony

Answers:


1

Make sure the home directory of the user you are trying to log in as has been created, that it is also owned by your user, and that ~/.ssh is set to chmod 700. Also check /var/log/secure for any errors when you try to log in.


0

The ssh -vv output seems to show that password auth was accepted, so it would appear that everything is fine up to that point, but something is happening right after that which closes the session. Things I would check:

  1. It seems obvious, but since this is a new user, have you verified that the login shell is set to something valid? (I.e. /bin/bash and not nologin or notty etc.)
  2. More than likely, but check for anything odd in ~/.bashrc, ~/.profile, etc. that could be trying to execute at login. As @ceving suggested above, you can try an ssh session that does not execute .profile in your login shell.
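
The account checks listed in the two answers above (home directory present and owned by the user, ~/.ssh at mode 700, a usable login shell), written out as an added example that is not part of the original answers. The function names check_account and make_fixture are hypothetical, and the four accounts in the fixture are constructed.

```shell
#!/bin/sh
# Added example. check_account USER [PASSWD_FILE] prints one finding per line
# for the account properties that matter once authentication has succeeded.
# Returns 0 if nothing is wrong, 1 on findings, 2 if the user is unknown.
check_account() {
    user=$1; passwd_file=${2:-/etc/passwd}; rc=0
    entry=$(awk -F: -v u="$user" '$1 == u { print; exit }' "$passwd_file")
    [ -n "$entry" ] || { echo "unknown-user:$user"; return 2; }
    uid=$(printf '%s\n' "$entry" | cut -d: -f3)
    home=$(printf '%s\n' "$entry" | cut -d: -f6)
    shell=$(printf '%s\n' "$entry" | cut -d: -f7)
    [ -n "$shell" ] || shell=/bin/sh   # empty field means /bin/sh, passwd(5)

    # A nologin/false shell or a non-executable shell cannot give a session.
    case $shell in
        */nologin|*/false) echo "shell-refuses-login:$shell"; rc=1 ;;
        *) [ -x "$shell" ] || { echo "shell-not-executable:$shell"; rc=1; } ;;
    esac

    if [ ! -d "$home" ]; then
        echo "home-missing:$home"; rc=1
    else
        owner=$(ls -ldn "$home" | awk '{ print $3 }')   # numeric owner uid
        [ "$owner" = "$uid" ] || { echo "home-owner:$owner"; rc=1; }
        if [ -d "$home/.ssh" ]; then
            perms=$(ls -ld "$home/.ssh" | cut -c1-10)
            [ "$perms" = "drwx------" ] || { echo "ssh-dir-perms:$perms"; rc=1; }
        fi
    fi
    [ "$rc" -ne 0 ] || echo "ok"
    return "$rc"
}

# Constructed fixture: four made-up accounts in a passwd(5)-format file under
# a temp dir, so the check runs without touching real accounts.
make_fixture() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/home/good/.ssh" "$d/home/locked" "$d/home/loose/.ssh"
    chmod 700 "$d/home/good/.ssh"; chmod 755 "$d/home/loose/.ssh"
    me=$(id -u)
    {
        echo "good:x:$me:$me::$d/home/good:/bin/sh"
        echo "locked:x:$me:$me::$d/home/locked:/usr/sbin/nologin"
        echo "loose:x:$me:$me::$d/home/loose:/bin/sh"
        echo "nohome:x:$me:$me::$d/home/absent:/nonexistent/shell"
    } > "$d/passwd"
    echo "$d"
}

# On a server, run as root: check_account myname
```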
Licensed under cc by-sa 3.0 with attribution required.