I have been using pubkey authentication for SSH on Linux for years and am now trying to get it to work with the Win32 port on a Windows 2016 server. So far without success. I read the help file on sshd_config; the file <user>/.ssh/authorized_keys should hold the credentials, as in a normal Linux setup. I also looked at the ACL and confirmed that only the user and the Administrators group can read it. There is also provision for placing the client public key in %programdata%/ssh/administrators_authorized_keys, so I did that. Still no luck. I looked in Event Viewer for any particular sign of what is going on, but could not see anything pointing at public key authentication. Just the usual logon attempts from the hacker crowd.
I can see the client trying to offer my RSA key to the server, and the server accepting publickey as a logon method:
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Offering public key: RSA SHA256:67hw/H9QTbRYNl1n/xxhbB76lPm88yhyuVfIjxIWE1U /home/myuser/.ssh/id_rsa
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Offering public key: RSA SHA256:cicl5t/5mDmIocrkDopK2C6Rf9OvT7FhKAh9GEMPFd8 myuser@ubuntu
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Trying private key: /home/myuser/.ssh/id_dsa
debug1: Trying private key: /home/myuser/.ssh/id_ecdsa
debug1: Trying private key: /home/myuser/.ssh/id_ed25519
debug1: Next authentication method: keyboard-interactive
debug1: Authentications that can continue: publickey,password,keyboard-interactive
The default key 67hw/H... and the key for GCE, cicl5t.... The server log on Windows shows that both were rejected:
sshd: Failed publickey for myuser from 77.88.92.5 port 57621 ssh2: RSA SHA256:67hw/H9QTbRYNl1n/xxhbB76lPm88yhyuVfIjxIWE1U
sshd: Failed publickey for myuser from 77.88.92.5 port 57621 ssh2: RSA SHA256:cicl5t/5mDmIocrkDopK2C6Rf9OvT7FhKAh9GEMPFd8
The fingerprint is valid:
$ ssh-keygen -l -E sha256 -f ~/.ssh/id_rsa.pub
2048 SHA256:67hw/H9QTbRYNl1n/xxhbB76lPm88yhyuVfIjxIWE1U myuser@i9-ACME (RSA)
Looking at the server's log dump at the bottom, you can see that it does not try to open the .ssh/authorized_keys file; instead it tries \ProgramData\ssh\administrators_authorized_keys. But I added the key there too and it still refuses the login.
Since the fingerprints are identical, you can also see that I added it correctly on the Windows server side:
PS C:\Users\myuser\.ssh> ssh-keygen -l -f .\authorized_keys
2048 SHA256:67hw/H9QTbRYNl1n/xxhbB76lPm88yhyuVfIjxIWE1U i9-ACME (RSA)
I followed the instructions for setting up the file while avoiding unnecessarily broad read permissions:
PS C:\Users\myuser\.ssh> icacls .\authorized_keys /inheritance:r
processed file: .\authorized_keys
Successfully processed 1 files; Failed processing 0 files
PS C:\Users\myuser\.ssh> icacls.exe .\authorized_keys
.\authorized_keys NT AUTHORITY\SYSTEM:(N)
BUILTIN\Administrators:(N)
Successfully processed 1 files; Failed processing 0 files
Still no luck. I also restarted the OpenSSH service after the change.
Full server log from sshd -dd:
Server listening on 0.0.0.0 port 22.
debug1: Server will not fork when running in debugging mode.
Connection from 77.88.92.5 port 52794 on 10.166.0.3 port 22
debug1: Local version string SSH-2.0-OpenSSH_for_Windows_8.1
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.6p1 Ubuntu-4ubuntu0.3
debug1: match: OpenSSH_7.6p1 Ubuntu-4ubuntu0.3 pat OpenSSH_7.0*,OpenSSH_7.1*,OpenSSH_7.2*,OpenSSH_7.3*,OpenSSH_7.4*,OpenSSH_7.5*,OpenSSH_7.6*,OpenSSH_7.7* compat 0x04000002
debug2: fd 5 setting O_NONBLOCK
debug2: Network child is on pid 1900
debug1: list_hostkey_types: rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
debug1: SSH2_MSG_KEXINIT sent [preauth]
debug1: SSH2_MSG_KEXINIT received [preauth]
debug2: local server KEXINIT proposal [preauth]
debug2: KEX algorithms: curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1 [preauth]
debug2: host key algorithms: rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
debug2: ciphers ctos: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],aes256-gcm@openssh.com [preauth]
debug2: ciphers stoc: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],aes256-gcm@openssh.com [preauth]
debug2: MACs ctos: [email protected],[email protected],[email protected],hmac-sha2-512-etm@openssh.com,[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1 [preauth]
debug2: MACs stoc: [email protected],[email protected],[email protected],hmac-sha2-512-etm@openssh.com,[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1 [preauth]
debug2: compression ctos: none,[email protected] [preauth]
debug2: compression stoc: none,[email protected] [preauth]
debug2: languages ctos: [preauth]
debug2: languages stoc: [preauth]
debug2: first_kex_follows 0 [preauth]
debug2: reserved 0 [preauth]
debug2: peer client KEXINIT proposal [preauth]
debug2: KEX algorithms: curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,ext-info-c [preauth]
debug2: host key algorithms: [email protected],[email protected],ecdsa-sha[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519-cert-v01@openssh.com,[email protected],ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa [preauth]
debug2: ciphers ctos: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],aes256-gcm@openssh.com [preauth]
debug2: ciphers stoc: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],aes256-gcm@openssh.com [preauth]
debug2: MACs ctos: [email protected],[email protected],[email protected],hmac-sha2-512-etm@openssh.com,[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1 [preauth]
debug2: MACs stoc: [email protected],[email protected],[email protected],hmac-sha2-512-etm@openssh.com,[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1 [preauth]
debug2: compression ctos: none,[email protected],zlib [preauth]
debug2: compression stoc: none,[email protected],zlib [preauth]
debug2: languages ctos: [preauth]
debug2: languages stoc: [preauth]
debug2: first_kex_follows 0 [preauth]
debug2: reserved 0 [preauth]
debug1: kex: algorithm: curve25519-sha256 [preauth]
debug1: kex: host key algorithm: ecdsa-sha2-nistp256 [preauth]
debug1: kex: client->server cipher: [email protected] MAC: <implicit> compression: none [preauth]
debug1: kex: server->client cipher: [email protected] MAC: <implicit> compression: none [preauth]
debug1: expecting SSH2_MSG_KEX_ECDH_INIT [preauth]
debug2: monitor_read: 6 used once, disabling now
debug2: set_newkeys: mode 1 [preauth]
debug1: rekey out after 134217728 blocks [preauth]
debug1: SSH2_MSG_NEWKEYS sent [preauth]
debug1: Sending SSH2_MSG_EXT_INFO [preauth]
debug1: expecting SSH2_MSG_NEWKEYS [preauth]
debug1: SSH2_MSG_NEWKEYS received [preauth]
debug2: set_newkeys: mode 0 [preauth]
debug1: rekey in after 134217728 blocks [preauth]
debug1: KEX done [preauth]
debug1: userauth-request for user myuser service ssh-connection method none [preauth]
debug1: attempt 0 failures 0 [preauth]
debug2: parse_server_config: config reprocess config len 294
debug1: user myuser matched group list administrators at line 88
debug2: monitor_read: 8 used once, disabling now
debug2: input_userauth_request: setting up authctxt for myuser [preauth]
debug2: input_userauth_request: try method none [preauth]
debug2: monitor_read: 4 used once, disabling now
debug1: userauth-request for user myuser service ssh-connection method publickey [preauth]
debug1: attempt 1 failures 0 [preauth]
debug2: input_userauth_request: try method publickey [preauth]
debug2: userauth_pubkey: valid user myuser querying public key rsa-sha2-512 AAAAB3NzaC1yc2EAAAADAQABAAABAQCtB10ag2fipH7Cnls3gZvl5eBJx0OvQaLu7hndL5sif3m4CTGmrN/MuP0lei0Rt23cBy5Ey2DqAjmizCAhdc3jSQm0pXisKG92Juo2HxiJw+eMUucoPhjbEy35sKKrru2//5uPpK5IEeVEve3bIXCAQUQgyOESmHBgXmKSCz0jQXEvcV8GxxkdXK7/UQVSe5wtxzPHOoP+yeRdNGfMdl1SeXwUCEXwexAn7YM8ZlISufuxXMInpBMrxVXLAih0ZG2WGD2BAJZcwXmMjLPPVP+bjHXnQkiqk5oDeP3ewPorrvxbOeOcqk0b1qrAQYSXHqXv6lENfWIceIz1EsZlRsIV [preauth]
debug1: userauth_pubkey: test pkalg rsa-sha2-512 pkblob RSA SHA256:67hw/H9QTbRYNl1n/xxhbB76lPm88yhyuVfIjxIWE1U [preauth]
debug1: trying public key file __PROGRAMDATA__/ssh/administrators_authorized_keys
Authentication refused.
Failed publickey for myuser from 77.88.92.5 port 52794 ssh2: RSA SHA256:67hw/H9QTbRYNl1n/xxhbB76lPm88yhyuVfIjxIWE1U
debug2: userauth_pubkey: authenticated 0 pkalg rsa-sha2-512 [preauth]
debug1: userauth-request for user myuser service ssh-connection method publickey [preauth]
debug1: attempt 2 failures 1 [preauth]
debug2: input_userauth_request: try method publickey [preauth]
debug2: userauth_pubkey: valid user myuser querying public key rsa-sha2-512 AAAAB3NzaC1yc2EAAAADAQABAAABAQDCaISFI0hCDMK5SIqIBlsboBQTBCoW98bvjUjoCDn9S4kXSOtVvwNeXc/Kb+9lXqKR8CbtYgOZySPqI+5VADdAIcfot2S65Fq5qOQ1IH7Uo29nzvhyjfRbckAs3gaTF6uzxEA0THqyAZ1oGIyK3vDI8W/Ofczi08oIYWpMmWA8dQNQuKRujloDuFElpjZEjbEyfkn/e7iSm1VxZ8aLEw7M3/BsJLmtwxa+tYyTAfKx63NRFbSWf873GLOyAKCnE5ls27ftlTjDJMISI3RZd1KMdyg+6KAwN7YsCTwJXarNXr9v2GcY8lrpC7dQ/lGK1nBsPa0kOSYKQzJ0LIDxfOan [preauth]
debug1: userauth_pubkey: test pkalg rsa-sha2-512 pkblob RSA SHA256:cicl5t/5mDmIocrkDopK2C6Rf9OvT7FhKAh9GEMPFd8 [preauth]
debug1: trying public key file __PROGRAMDATA__/ssh/administrators_authorized_keys
Authentication refused.
Failed publickey for myuser from 77.88.92.5 port 52794 ssh2: RSA SHA256:cicl5t/5mDmIocrkDopK2C6Rf9OvT7FhKAh9GEMPFd8
debug2: userauth_pubkey: authenticated 0 pkalg rsa-sha2-512 [preauth]
debug1: userauth-request for user myuser service ssh-connection method keyboard-interactive [preauth]
debug1: attempt 3 failures 2 [preauth]
debug2: input_userauth_request: try method keyboard-interactive [preauth]
debug1: keyboard-interactive devs [preauth]
debug1: auth2_challenge: user=myuser devs= [preauth]
debug1: kbdint_alloc: devices '' [preauth]
debug2: auth2_challenge_start: devices [preauth]
Output of net user myuser:
PS C:\Windows\system32> net user myuser
User name myuser
Full Name myuser
Comment
User's comment
Country/region code 000 (System Default)
Account active Yes
Account expires Never
Password last set 12/20/2019 9:13:31 AM
Password expires Never
Password changeable 12/20/2019 9:13:31 AM
Password required Yes
User may change password Yes
Workstations allowed All
Logon script
User profile
Home directory
Last logon 4/6/2020 3:09:27 PM
Logon hours allowed All
Local Group Memberships *Administrators
Global Group memberships *None
The command completed successfully.
PS C:\Windows\system32>
Adding a THIRD -d to the sshd configuration showed me the problem:
debug1: trying public key file __PROGRAMDATA__/ssh/administrators_authorized_keys
debug3: Bad permissions. Try removing permissions for user: NT AUTHORITY\\Authenticated Users (S-1-5-11) on file C:/ProgramData/ssh/administrators_authorized_keys.
Authentication refused.
debug3: mm_answer_keyallowed: publickey authentication test: RSA key is not allowed
authorized_keys is not used for administrator users. I am not sure why, but administrators_authorized_keys applies instead of authorized_keys. debug1 and debug2 did not show the problem, but debug3 did: it was the permission for my own user to see the contents of administrators_authorized_keys that kept messing it up. After removing it I could finally log in. I still have not found a source that explains administrators_authorized_keys, though... This issue is the best so far.
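As an added example (not part of the original question or answer, and not the OpenSSH project's own code), the PowerShell below turns the finding above into a repeatable check: it audits the ACL on administrators_authorized_keys for any principal other than SYSTEM and BUILTIN\Administrators, which is the condition behind the debug3 "Bad permissions" line, and repairs it with the icacls form Microsoft documents for this file. It also covers the icacls procedure in the question, since the same ACL rules apply. It assumes OpenSSH for Windows installed under %ProgramData%\ssh, a service named sshd, and an elevated PowerShell session; the function names are my own.

```powershell
# Added example, not code from the original post or from the OpenSSH project.
# Audits the ACL on administrators_authorized_keys for principals other than
# SYSTEM and BUILTIN\Administrators (the condition behind sshd's debug3
# "Bad permissions" line) and repairs it. Assumes OpenSSH for Windows under
# %ProgramData%\ssh, a service named "sshd", and an elevated PowerShell session.

$AdminKeysPath = Join-Path $env:ProgramData 'ssh\administrators_authorized_keys'

# sshd only accepts these two principals on this file; any other ACE, whether
# inherited (Authenticated Users) or explicit (the admin's own account), is refused.
$AllowedSids = @(
    'S-1-5-18',     # NT AUTHORITY\SYSTEM
    'S-1-5-32-544'  # BUILTIN\Administrators
)

function Get-AceSid {
    param([System.Security.AccessControl.FileSystemAccessRule]$Ace)
    # Resolve the ACE's account name to a SID so the comparison is locale-independent.
    $Ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

function Test-AdminAuthorizedKeysAcl {
    param([string]$Path = $AdminKeysPath)
    if (-not (Test-Path -LiteralPath $Path)) { throw "Not found: $Path" }

    $acl = Get-Acl -LiteralPath $Path
    $problems = @()

    if (-not $acl.AreAccessRulesProtected) {
        $problems += 'Inheritance is enabled; sshd expects an explicit ACL (icacls /inheritance:r).'
    }
    foreach ($ace in $acl.Access) {
        $sid = Get-AceSid $ace
        if ($AllowedSids -notcontains $sid) {
            $problems += ('Unexpected ACE: {0} ({1}) has {2}' -f $ace.IdentityReference, $sid, $ace.FileSystemRights)
        }
    }
    # An empty array means the file will pass sshd's permission check.
    return ,$problems
}

function Repair-AdminAuthorizedKeysAcl {
    param([string]$Path = $AdminKeysPath)

    # Same form Microsoft documents for this file: drop inherited ACEs, grant only the two principals.
    & icacls.exe $Path /inheritance:r /grant 'Administrators:F' /grant 'SYSTEM:F' | Out-Null

    # /inheritance:r leaves explicit ACEs in place, so remove any that remain (e.g. the admin's own user).
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        $sid = Get-AceSid $ace
        if ($AllowedSids -notcontains $sid) {
            & icacls.exe $Path /remove "*$sid" | Out-Null   # "*SID" is icacls' numeric-SID syntax
        }
    }

    # sshd re-reads the file at each authentication attempt; the restart only mirrors
    # what the post did after every change.
    Restart-Service -Name sshd
}

# Usage: report first, repair only if something is wrong, then re-check.
$issues = Test-AdminAuthorizedKeysAcl
if ($issues.Count -gt 0) {
    $issues | ForEach-Object { Write-Warning $_ }
    Repair-AdminAuthorizedKeysAcl
    Test-AdminAuthorizedKeysAcl
} else {
    Write-Output "ACL on $AdminKeysPath is restricted to SYSTEM and Administrators."
}
```

The check compares SIDs rather than account names so it behaves the same on localized Windows installations, and it reports before it repairs, so a first run on a production host shows exactly which ACE (the S-1-5-11 Authenticated Users entry in the debug3 line, or an explicit entry for the administrator's own account) would make sshd refuse the key.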