Tags: IT consulting services · ssh · aix 6

[Original] PAM causes ssh connection failures

Symptom: when a client connects to the server with ssh, the client always reports a permission denied error. After adding the ssh public key to the server and retrying, the connection is simply closed (connection closed). Switching to telnet works perfectly.
Started sshd in debug mode on the server to diagnose the cause:
#/usr/sbin/sshd -ddd
...a large amount of redundant output omitted...
debug2: userauth_pubkey: authenticated 0 pkalg ssh-rsa [preauth]
debug1: userauth-request for user root service ssh-connection method publickey [preauth]
debug1: attempt 2 failures 1 [preauth]
debug2: input_userauth_request: try method publickey [preauth]
debug1: test whether pkalg/pkblob are acceptable [preauth]
debug3: mm_key_allowed entering [preauth]
debug3: mm_request_send entering: type 20 [preauth]
debug3: mm_key_allowed: waiting for MONITOR_ANS_KEYALLOWED [preauth]
debug3: mm_request_receive_expect entering: type 21 [preauth]
debug3: mm_request_receive entering [preauth]
debug3: mm_request_receive entering
debug3: monitor_read: checking request 20
debug3: mm_answer_keyallowed entering
debug3: mm_answer_keyallowed: key_from_blob: 2007e848
debug1: temporarily_use_uid: 0/0 (e=0/0)
debug1: trying public key file //.ssh/authorized_keys
debug1: fd 8 clearing O_NONBLOCK
debug1: matching key found: file //.ssh/authorized_keys, line 1
Found matching DSA key: 0d:6c:57:59:29:4b:60:32:8d:75:d8:48:33:3d:23:4d
debug1: restore_uid: 0/0
debug3: mm_answer_keyallowed: key 2007e848 is allowed
debug1: Failed to collect Cookie from Keystore

...the above shows the key pair has already matched successfully; continuing...
debug1: Keystore Opening wil be failed after login

debug3: mm_request_send entering: type 21
debug1: Cookie received :
[preauth]
debug3: mm_key_verify entering [preauth]
debug3: mm_request_send entering: type 22 [preauth]
debug3: mm_key_verify: waiting for MONITOR_ANS_KEYVERIFY [preauth]
debug3: mm_request_receive_expect entering: type 23 [preauth]
debug3: mm_request_receive entering [preauth]
debug3: mm_request_receive entering
debug3: monitor_read: checking request 22
debug1: ssh_dss_verify: signature correct
debug3: mm_answer_keyverify: key 2007e898 signature verified
debug3: mm_request_send entering: type 23
debug3: mm_request_receive_expect entering: type 46
debug3: mm_request_receive entering
debug1: do_pam_account: called
debug3: PAM: do_pam_account pam_acct_mgmt = 17 (User account has expired)
debug3: mm_request_send entering: type 47
Failed publickey for root from 145.0.33.204 port 49619 ssh2
debug1: audit event euid 0 user root event 6 (SSH_failpubkey)
debug1: Return Val-1 for auditproc:0
debug2: userauth_pubkey: authenticated 1 pkalg ssh-dss [preauth]
debug1: Entering sshefs_option_check [preauth]
debug1: AllowPkcs12KeystoreAutoOpen option not set [preauth]
debug3: mm_do_pam_account entering [preauth]
debug3: mm_request_send entering: type 46 [preauth]
debug3: mm_request_receive_expect entering: type 47 [preauth]
debug3: mm_request_receive entering [preauth]
debug3: mm_do_pam_account returning 0 [preauth]
Access denied for user root by PAM account configuration [preauth]
debug1: do_cleanup [preauth]
debug3: PAM: sshpam_thread_cleanup entering [preauth]
debug1: monitor_read_log: child log fd closed
debug3: mm_request_receive entering
debug1: do_cleanup
debug1: PAM: cleanup
debug3: PAM: sshpam_thread_cleanup entering
debug1: Killing privsep child 14418072
debug1: audit event euid 0 user root event 12 (SSH_connabndn)
debug1: Return Val-1 for auditproc:0

At this point the server sends the connection-refused message, and the client reports permission denied or connection closed. Reading the debug output carefully, it is not hard to spot that the PAM check reports an expired account, so the preliminary conclusion was that the ssh failure is caused by the account.
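The decisive fact in the transcript above is that the public key was accepted (matching key found, signature correct) and the login still failed at the PAM account stage. The following POSIX shell script, added here as an example and not part of the original post, makes that distinction explicit when triaging an `sshd -ddd` capture. The embedded sample log is constructed from the decisive lines of the transcript above; the function name `sshd_auth_stage` and its return codes are my own choices.

```shell
#!/bin/sh
# Added example (not from the original post): classify a captured
# `sshd -ddd` transcript so the stage at which the login stopped is obvious.
# It separates "key never accepted" from "key accepted but PAM account
# stage denied the login", which is exactly the situation in the post.

# Constructed sample: the decisive lines copied from the transcript above.
SSHD_LOG="${TMPDIR:-/tmp}/sshd-ddd.sample.$$"
trap 'rm -f "$SSHD_LOG"' EXIT
cat > "$SSHD_LOG" <<'EOF'
debug1: matching key found: file //.ssh/authorized_keys, line 1
debug1: ssh_dss_verify: signature correct
debug1: do_pam_account: called
debug3: PAM: do_pam_account pam_acct_mgmt = 17 (User account has expired)
Failed publickey for root from 145.0.33.204 port 49619 ssh2
Access denied for user root by PAM account configuration [preauth]
EOF

# sshd_auth_stage FILE
# Prints one line naming where the login stopped, including the
# pam_acct_mgmt result when present. Return codes (hypothetical, my own):
#   0 = key accepted and no PAM account denial seen
#   1 = key accepted, denied by the PAM account stage
#   2 = public key never accepted
sshd_auth_stage() {
    awk '
        /matching key found/                   { key_found = 1 }
        /signature correct/                    { sig_ok = 1 }
        /PAM: do_pam_account pam_acct_mgmt = / {
            # keep only "<code> (<reason>)" from the PAM account line
            sub(/.*pam_acct_mgmt = /, ""); pam_result = $0
        }
        /Access denied for user .* by PAM account configuration/ { pam_denied = 1 }
        END {
            if (!(key_found && sig_ok)) {
                print "stage=publickey key not accepted"; exit 2
            }
            if (pam_denied) {
                print "stage=pam_account key accepted, denied by PAM account stage; pam_acct_mgmt = " pam_result
                exit 1
            }
            print "stage=ok key accepted and PAM account stage passed"; exit 0
        }
    ' "$1"
}

# Usage: capture `sshd -ddd` output to a file and pass its path instead.
if sshd_auth_stage "$SSHD_LOG"; then
    echo "no PAM account denial found"
else
    echo "exit status: $?"
fi
```

When the script reports `stage=pam_account`, the key material and authorized_keys file are not the problem; the account stage of the PAM stack for the `sshd` service is, which is where the post ends up looking.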

Next, checked /etc/security/user:
default:
        admin = false
        login = true
        su = true
        daemon = true
        rlogin = true
        sugroups = ALL
        admgroups =
        ttys = ALL
        auth1 = SYSTEM
        auth2 = NONE
        tpath = nosak
        umask = 022
        expires = 0
        SYSTEM = "compat"
        logintimes =
        pwdwarntime = 0
        account_locked = false
        loginretries = 0
        histexpire = 0
        histsize = 8
        minage = 0
        maxage = 13
        maxexpired = -1
        minalpha = 1
        minother = 1
        minlen = 6
        mindiff = 3
        maxrepeats = 2
        dictionlist =
        pwdchecks =
        default_roles =

root:
        admin = true
        SYSTEM = "compat"
        registry = files
        loginretries = 0
        account_locked = false
        admgroups =
        sugroups = suauth
        histsize = 0
        maxage = 0
        minlen = 0
        minalpha = 0
        minother = 0
        maxrepeats = 8
        mindiff = 0

The root user has no account expiry set at all, and root can log in normally via telnet and on the console, so this file is clearly not the cause.
Back to the error message: since it comes from the PAM module, the next thought was to check the PAM configuration. Opening /etc/pam.conf and comparing it with other hosts at hand, it was immediately obvious that hosts where ssh works fine have the following entries in pam.conf:
sshd    auth    required        /ikeypam/bin/libikeypam.so FILENAME=normal
sshd    auth    required        pam_aix use_first_pass
sshd    account required        pam_aix
sshd    password        required        pam_aix
sshd    session required        /ikeypam/bin/libikeypam.so FILENAME=normal
sshd    session required        pam_aix use_first_pass

This neatly explains why the server failed PAM verification for ssh. After copying these lines to the server and restarting the ssh service, the client's connection went through immediately!
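A simple check for the configuration gap found here, added as an example and not taken from the original post: a POSIX shell script that reports which of the four PAM module types (auth, account, password, session) a service lacks in a pam.conf file. The two sample files are constructed: one copies the six working entries above, the other drops the account and password lines so the check has something to report. The function names `pam_stanza_types` and `pam_missing_types` are my own.

```shell
#!/bin/sh
# Added example (not from the original post): verify that a pam.conf
# defines all four PAM module types for a service. AIX pam.conf lines are:
#   service  module_type  control_flag  module_path [options]
# A missing "account" entry for sshd is what produced
# "Access denied for user root by PAM account configuration" in the post.

TMP="${TMPDIR:-/tmp}"
SAMPLE_PAMCONF="$TMP/pam.conf.gap.$$"       # constructed: account/password missing
SAMPLE_PAMCONF_OK="$TMP/pam.conf.ok.$$"     # constructed: the working entries
trap 'rm -f "$SAMPLE_PAMCONF" "$SAMPLE_PAMCONF_OK"' EXIT

cat > "$SAMPLE_PAMCONF" <<'EOF'
# constructed sample: sshd has auth and session stanzas only
sshd    auth    required        /ikeypam/bin/libikeypam.so FILENAME=normal
sshd    auth    required        pam_aix use_first_pass
sshd    session required        /ikeypam/bin/libikeypam.so FILENAME=normal
sshd    session required        pam_aix use_first_pass
login   auth    required        pam_aix
login   account required        pam_aix
EOF

cat > "$SAMPLE_PAMCONF_OK" <<'EOF'
sshd    auth    required        /ikeypam/bin/libikeypam.so FILENAME=normal
sshd    auth    required        pam_aix use_first_pass
sshd    account required        pam_aix
sshd    password        required        pam_aix
sshd    session required        /ikeypam/bin/libikeypam.so FILENAME=normal
sshd    session required        pam_aix use_first_pass
EOF

# pam_stanza_types FILE SERVICE
# Prints the distinct module types FILE defines for SERVICE, sorted, one per line.
pam_stanza_types() {
    awk -v svc="$2" '
        $1 ~ /^#/ || NF < 4 { next }   # skip comments and malformed lines
        $1 == svc           { print $2 }
    ' "$1" | sort -u
}

# pam_missing_types FILE SERVICE
# Prints the required module types SERVICE lacks in FILE on one line and
# returns 1; prints nothing and returns 0 when all four are present.
pam_missing_types() {
    missing=""
    for t in auth account password session; do
        if ! pam_stanza_types "$1" "$2" | grep -qx "$t"; then
            missing="$missing $t"
        fi
    done
    missing="${missing# }"
    [ -n "$missing" ] && printf '%s\n' "$missing"
    [ -z "$missing" ]
}

# Usage on a real host: pam_missing_types /etc/pam.conf sshd
for f in "$SAMPLE_PAMCONF" "$SAMPLE_PAMCONF_OK"; do
    if m=$(pam_missing_types "$f" sshd); then
        echo "$f: sshd has all four PAM module types"
    else
        echo "$f: sshd is missing PAM module types: $m"
    fi
done
```

Running the check against the file of a host that works and the file of the failing host side by side reproduces the comparison the post made by eye; the `account` entry is the one that matters for the `pam_acct_mgmt` failure seen in the debug output.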

4 replies from peers

午夜幽魂, system operations engineer, a computer company
Reply to 4# nabor: So that's how it is... heh ;P
System integration · 2013-07-30
Views: 11955
nabor, systems engineer, starsun
Reply to 3# 午夜幽魂: It simply did not have that ssh section. To be honest, I don't understand PAM either, hahaha.
IT consulting services · 2013-07-30
Views: 7372
午夜幽魂, system operations engineer, a computer company
What did the problematic pam.conf look like??
System integration · 2013-07-30
Views: 6430
午夜幽魂, system operations engineer, a computer company
Impressive, your research is getting more and more detailed :victory:
System integration · 2013-07-30
Views: 6166

Asked by

nabor
Systems engineer, starsun

Question status

  • Posted: 2013-07-30
  • Followers: 1
  • Views: 21291
  • Last reply: 2013-07-30