Foo*_*ger 5 powershell ssh known-hosts windows-server-2012-r2
I have been trying to get public key authentication working with the PowerShell port of OpenSSH on a VM running Windows Server 2012 R2.
I followed the installation instructions faithfully and made sure my file permissions are correct for .ssh\authorized_keys. (I can't post a link to the specific instructions in the Win32-OpenSSH wiki because I'm too new to post more than two links; see the comments below.)
I can log in from a Linux host to the Windows host with username/password as expected. With key authentication, however, no luck.
My local .ssh/config file contains:
Host remotehostname
HostName remotehostname
User remoteuser
Port 22
IdentityFile /home/myusername/.ssh/id_dsa
The permissions in the local .ssh directory look correct:
[me@localhost .ssh]$ ls -ltrh
total 56K
-rw------- 1 cengadmin cengadmin 1.6K Sep 11 10:01 known_hosts
-r-------- 1 cengadmin cengadmin 672 Sep 11 10:06 id_dsa
-r-------- 1 cengadmin cengadmin 580 Sep 11 10:13 config
The .ssh directory on my remote host looks like this:
Directory of C:\Users\REMOTEUSER\.ssh
09/11/2017 10:07 AM <DIR> .
09/11/2017 10:07 AM <DIR> ..
09/11/2017 10:07 AM 623 authorized_keys
09/11/2017 10:05 AM 672 id_dsa
09/11/2017 10:05 AM 623 id_dsa.pub
5 File(s) 4,012 bytes
2 Dir(s) 10,752,004,096 bytes free
C:\Users\REMOTEUSER\.ssh>icacls authorized_keys
authorized_keys NT SERVICE\sshd:(R)
NT AUTHORITY\SYSTEM:(F)
BUILTIN\Administrators:(F)
FOODOM1\REMOTEUSER:(F)
C:\Users\REMOTEUSER\.ssh>icacls id_dsa
id_dsa BUILTIN\Administrators:(F)
NT AUTHORITY\SYSTEM:(F)
DHDOM1\REMOTEUSER:(R,W)
My authorized_keys file just contains the output of type id_dsa.pub > authorized_keys.
C:\Users\REMOTEUSER\.ssh>fc id_dsa.pub authorized_keys
Comparing files id_dsa.pub and AUTHORIZED_KEYS
FC: no differences encountered
sshd_config has PubkeyAuthentication enabled:
PubkeyAuthentication yes
The configuration and permissions look fine to me. However, I keep getting the ubiquitous missing begin marker error that I also see when I break the permissions.
I get:
debug2: key not found
This usually means I have put the wrong key into authorized_keys, but I think the diff above rules that out.
Any clues? Be gentle, I haven't used Windows in anger for nearly 10 years.
(Note that I also have other rsa keys in this directory, not listed above for clarity.)
$ ssh -v -i .ssh/id_dsa myhostname
OpenSSH_6.6.1, OpenSSL 1.0.1e-fips 11 Feb 2013
debug1: Reading configuration data /home/localuser/.ssh/config
debug1: /home/localuser/.ssh/config line 21: Applying options for raleys-etl
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 56: Applying options for *
debug1: Hostname has changed; re-reading configuration
debug1: Reading configuration data /home/localuser/.ssh/config
debug1: /home/localuser/.ssh/config line 15: Applying options for remotehostname
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 56: Applying options for *
debug1: Connecting to remotehostname [00:00:00:00] port 22.
debug1: Connection established.
debug1: identity file /home/localuser/.ssh/id_dsa type -1
debug1: identity file /home/localuser/.ssh/id_dsa-cert type -1
debug1: identity file /home/localuser/.ssh/ssis_rsa type -1
debug1: identity file /home/localuser/.ssh/ssis_rsa-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.6.1
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.5
debug1: match: OpenSSH_7.5 pat OpenSSH* compat 0x04000000
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-sha1-etm@openssh.com none
debug1: kex: client->server aes128-ctr hmac-sha1-etm@openssh.com none
debug1: kex: curve25519-sha256@libssh.org need=20 dh_need=20
debug1: kex: curve25519-sha256@libssh.org need=20 dh_need=20
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ECDSA e7:aa:c8:d4:8b:02:58:da:64:e6:18:26:d3:be:6a:b2
debug1: Host 'remotehostname' is known and matches the ECDSA host key.
debug1: Found key in /home/localuser/.ssh/known_hosts:5
debug1: ssh_ecdsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Offering RSA public key: localuser@localhost.localdomain
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Offering RSA public key: localuser@localhost.localdomain
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Offering RSA public key: localuser@localhost.localdomain
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Trying private key: /home/localuser/.ssh/id_dsa
debug1: key_parse_private2: missing begin marker
debug1: read PEM private key done: type DSA
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: keyboard-interactive
Received disconnect from 00:00:00:00: 2: Too many authentication failures
bob*_*ogo 15
Wow. Only spent a couple of hours debugging this.
So, turn on logging for the ssh server in:
/ProgramData/ssh/sshd_config
SyslogFacility LOCAL0
LogLevel DEBUG3
(then restart the sshd service: press the Windows+R key combination and type services.msc in the Run dialog that appears.) Now you will find full debug information being written to /ProgramData/ssh/logs/sshd.log. After you attempt to ssh into the machine, just look at the log file.
I had two problems:
The debug log said:
2019-03-08 … debug1: trying public key file __PROGRAMDATA__/ssh/administrators_authorized_keys
Ah, that is not .ssh/authorized_keys. I am in the Administrators group, and sshd_config has a special section for us folks. I copied the contents of the .ssh/authorized_keys file to /ProgramData/ssh/administrators_authorized_keys and restarted the server.
Now I have
2019-03-08 … debug3: Bad permissions. Try removing permissions for user: S-1-9-22 on file C:/ProgramData/ssh/administrators_authorized_keys.
icacls says
C:\ProgramData\ssh> icacls administrators_authorized_keys
administrators_authorized_keys NT AUTHORITY\SYSTEM:(F)
BUILTIN\Administrators:(F)
NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Administrators:(I)(F)
NT AUTHORITY\Authenticated Users:(I)(RX)
A lot of permissions inherited from the folder and above (that is what the (I) means). Remove the inheritance. /inheritance:r is your friend:
C:\ProgramData\ssh> icacls administrators_authorized_keys /inheritance:r
processed file: administrators_authorized_keys
Successfully processed 1 files; Failed processing 0 files
Now it looks good:
C:\ProgramData\ssh> icacls administrators_authorized_keys
administrators_authorized_keys NT AUTHORITY\SYSTEM:(F)
BUILTIN\Administrators:(F)
So I restarted the server and it is working. Phew.
Don't forget to undo the changes to LogLevel and SyslogFacility in sshd_config.
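An added example, not part of the answer above: a PowerShell script that audits the ACL on administrators_authorized_keys for the inherited or unexpected entries that make sshd report "Bad permissions", and with -Fix applies the same repair as the icacls /inheritance:r step (keeping only SYSTEM and Administrators). The default path and the -Fix switch are assumptions; run it from an elevated prompt.

```powershell
# Added example (not from the original answer). Audits, and optionally repairs, the ACL on
# administrators_authorized_keys so that only SYSTEM and Administrators have explicit entries.
# Assumes the default Win32-OpenSSH layout under $env:ProgramData\ssh.
param(
    [string]$Path = "$env:ProgramData\ssh\administrators_authorized_keys",
    [switch]$Fix
)

# The only identities sshd expects to find on this file (matches the "good" icacls output above).
$allowed = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')

$acl = Get-Acl -Path $Path

# Report every ACE; the (I) shown by icacls corresponds to IsInherited here.
foreach ($ace in $acl.Access) {
    $kind = if ($ace.IsInherited) { 'inherited' } else { 'explicit' }
    $ok   = (-not $ace.IsInherited) -and ($allowed -contains $ace.IdentityReference.Value)
    '{0,-36} {1,-28} {2,-9} {3}' -f $ace.IdentityReference.Value, $ace.FileSystemRights, $kind,
        $(if ($ok) { 'ok' } else { 'UNEXPECTED' })
}

$bad = @($acl.Access | Where-Object {
    $_.IsInherited -or ($allowed -notcontains $_.IdentityReference.Value) })

if ($bad.Count -eq 0) {
    Write-Host "ACL on $Path is already restricted to SYSTEM and Administrators."
    return
}
if (-not $Fix) {
    Write-Warning "$($bad.Count) inherited or unexpected ACE(s) found; re-run with -Fix to repair."
    return
}

# Stop inheriting from the parent folder and drop the inherited ACEs
# (isProtected = $true, preserveInheritance = $false), i.e. what icacls /inheritance:r does.
$acl.SetAccessRuleProtection($true, $false)

# Remove any remaining explicit ACE that is not SYSTEM or Administrators.
foreach ($ace in @($acl.Access)) {
    if ($allowed -notcontains $ace.IdentityReference.Value) { [void]$acl.RemoveAccessRule($ace) }
}

# Make sure both required full-control entries are present.
foreach ($id in $allowed) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($id, 'FullControl', 'Allow')
    $acl.SetAccessRule($rule)
}
Set-Acl -Path $Path -AclObject $acl
Write-Host "ACL repaired; restart sshd (Restart-Service sshd) and retry the key login."
```

Run it once without -Fix to see the same inherited entries the answer's icacls output shows, then with -Fix to apply the repair.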