【问题标题】:SSH from EC2 to itself by different user which is not ec2-user由非 ec2-user 的不同用户从 EC2 向自身 SSH
【发布时间】:2020-05-13 06:08:56
【问题描述】:

我是 AWS 的新手,需要一些帮助。 我通过 adduser 命令在我的 EC2 实例(除了 ec2-user)中创建了用户 (ronen)。 然后我通过以下命令创建了公钥/私钥:

ssh-keygen -b 1024 -f my-cmd-gen-keys -t dsa

创建了以下文件:

my-cmd-gen-keys
my-cmd-gen-keys.pub

我将公共文件的内容复制到/home/ronen/.ssh/authorized_keys。 然后我尝试执行命令并获得权限被拒绝:

**

> ssh -i ronen-key-pair ronen@ip-172-31-19-13 
> Permission denied (publickey,gssapi-keyex,gssapi-with-mic).

**

(我必须承认,在我终止实例前几天它对我有用,可能遗漏了什么)

下面是带有-v选项的命令

> [ronen@ip-172-31-19-13 ~]$ ssh -i ronen-key-pair ronen@ip-172-31-19-13 -v

> OpenSSH_7.4p1, OpenSSL 1.0.2k-fips  26 Jan 2017 debug1: Reading configuration data /etc/ssh/ssh_config > debug1: /etc/ssh/ssh_config
    > line 58: Applying options for * debug1: Connecting to ip-172-31-19-13
    > [172.31.19.13] port 22. debug1: Connection established. debug1:
    > identity file ronen-key-pair type 2 debug1: key_load_public: No such
    > file or directory debug1: identity file ronen-key-pair-cert type -1
    > debug1: Enabling compatibility mode for protocol 2.0 debug1: Local
    > version string SSH-2.0-OpenSSH_7.4 debug1: Remote protocol version
    > 2.0, remote software version OpenSSH_7.4 debug1: match: OpenSSH_7.4 pat OpenSSH* compat 0x04000000 debug1: Authenticating to
    > ip-172-31-19-13:22 as 'ronen' debug1: SSH2_MSG_KEXINIT sent debug1:
    > SSH2_MSG_KEXINIT received debug1: kex: algorithm: curve25519-sha256
    > debug1: kex: host key algorithm: ecdsa-sha2-nistp256 debug1: kex:
    > server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit>
    > compression: none debug1: kex: client->server cipher:
    > chacha20-poly1305@openssh.com MAC: <implicit> compression: none
    > debug1: kex: curve25519-sha256 need=64 dh_need=64 debug1: kex:
    > curve25519-sha256 need=64 dh_need=64 debug1: expecting
    > SSH2_MSG_KEX_ECDH_REPLY debug1: Server host key: ecdsa-sha2-nistp256
    > SHA256:gQm7jn7pje2jeEY+LrwW2BIWuS/7qF+QfI6HQ9JZ5Jw debug1: Host
    > 'ip-172-31-19-13' is known and matches the ECDSA host key. debug1:
    > Found key in /home/ronen/.ssh/known_hosts:1 debug1: rekey after
    > 134217728 blocks debug1: SSH2_MSG_NEWKEYS sent debug1: expecting
    > SSH2_MSG_NEWKEYS debug1: SSH2_MSG_NEWKEYS received debug1: rekey after
    > 134217728 blocks debug1: SSH2_MSG_EXT_INFO received debug1:
    > kex_input_ext_info: server-sig-algs=<rsa-sha2-256,rsa-sha2-512>
    > debug1: SSH2_MSG_SERVICE_ACCEPT received debug1: Authentications that
    > can continue: publickey,gssapi-keyex,gssapi-with-mic debug1: Next
    > authentication method: gssapi-keyex debug1: No valid Key exchange
    > context debug1: Next authentication method: gssapi-with-mic debug1:
    > Unspecified GSS failure.  Minor code may provide more information No
    > Kerberos credentials available (default cache:
    > KEYRING:persistent:1001)
    > 
    > debug1: Unspecified GSS failure.  Minor code may provide more
    > information No Kerberos credentials available (default cache:
    > KEYRING:persistent:1001)
    > 
    > debug1: Next authentication method: publickey debug1: Offering DSA
    > public key: ronen-key-pair debug1: Authentications that can continue:
    > publickey,gssapi-keyex,gssapi-with-mic debug1: No more authentication
    > methods to try. Permission denied
    > (publickey,gssapi-keyex,gssapi-with-mic).

以下是该用户的目录/文件权限:

[ronen@ip-172-31-19-13 ~]$ ls -lrtaR
.:
total 24
-rw-r--r-- 1 ronen ronen  231 Jul 27  2018 .bashrc
-rw-r--r-- 1 ronen ronen  193 Jul 27  2018 .bash_profile
-rw-r--r-- 1 ronen ronen   18 Jul 27  2018 .bash_logout
drwxr-xr-x 4 root  root    35 Jan 27 17:42 ..
-rw-r--r-- 1 ronen ronen  641 Jan 27 17:44 ronen-key-pair.pub
-rw------- 1 ronen ronen  672 Jan 27 17:44 ronen-key-pair
drwxrwxr-x 2 ronen ronen   48 Jan 27 17:49 .ssh
-rw-rw-r-- 1 ronen ronen    0 Jan 27 18:56 client
-rw-rw-r-- 1 ronen ronen    0 Jan 27 18:56 server
drwx------ 3 ronen ronen  171 Jan 27 18:56 .
-rw------- 1 ronen ronen 3539 Jan 27 18:58 .bash_history

./.ssh:
total 8
-rw-rw-r-- 1 ronen ronen 641 Jan 27 17:45 authorized_keys
drwxrwxr-x 2 ronen ronen  48 Jan 27 17:49 .
-rw-r--r-- 1 ronen ronen 380 Jan 27 17:55 known_hosts
drwx------ 3 ronen ronen 171 Jan 27 18:56 ..
[ronen@ip-172-31-19-13 ~]$

感谢您的帮助, 罗南

【问题讨论】:

  • I must to confess that it worked for me few days ago before I terminated the instance, probably missing something ,这是什么意思,你的实例还在运行吗?
  • 尝试重启sshd服务

标签: amazon-ec2 ssh


【解决方案1】:

Meta:这不是编程问题,可能属于超级用户或 unix.SX,或者可能属于 security.SX。但上次我尝试迁移一些东西时,它比它的价值更麻烦。

https://man.openbsd.org/sshd.8#FILES(格式简化)

~/.ssh/authorized_keys

如果此文件、~/.ssh 目录或用户的主目录可由其他用户写入,则该文件可能被未经授权的用户修改或替换。在这种情况下,除非 StrictModes 选项设置为“no”,否则 sshd 将不允许使用它。

您可以按组写入 .ssh (drwxrwxr-x) 和 .ssh/authorized_keys (-rw-rw-r--)。在现代 Linux 系统上,用户 ID 通常放在自己的组中,因此“组”访问实际上不允许其他用户访问,但 OpenSSH 实际上无法检测到这一点(尤其是在可能的 Kerberos、LDAP 或 YP/NIS 环境中) 并且必须假设“组”访问确实允许其他用户并且是不安全的。

此外,最新版本的 OpenSSH(自 7.0 起,包括您的 7.4)默认不再支持 DSA 密钥。这个可以修复,见:
https://superuser.com/questions/1016989/ssh-dsa-keys-no-longer-work-for-password-less-authentication
https://unix.stackexchange.com/questions/247612/ssh-keeps-skipping-my-pubkey-and-asking-for-a-password
https://security.stackexchange.com/questions/112802/why-openssh-deprecated-dsa-keys

但除非您有明确的理由专门使用 DSA,否则我建议您更改为 rsa-2048(兼容一切且足够安全)或 ecdsa(-any) 或 ed25519(现在普遍但不普遍,更高效,并且略高的安全边际)。

【讨论】:

  • 谢谢 dave_thompson_085。您的回答有助于解决问题。还有一条评论,我还必须将主目录权限更改为 700。例如:chmod 700 /home/
  • 这太令人惊讶了——你 Q 中发布的 ls 已经将 . 显示为 700,这就是我省略它的原因。 (注意手册页引用列出了所有三个。)
猜你喜欢
  • 1970-01-01
  • 1970-01-01
  • 2011-05-12
  • 1970-01-01
  • 2019-03-04
  • 2012-02-25
  • 2017-10-13
  • 2018-01-23
  • 1970-01-01
相关资源
最近更新 更多