背景:Fedora 32 ,刚装好系统,控制台可以正常登录,但是通过SSH软件,即使root密码正确也是没法登录
1、通过ssh软件登录报认证失败,但密码肯定没问题
2、关掉防火墙,关掉selinux,重启服务器,无效
systemctl stop firewalld
systemctl disable firewalld
vim /etc/selinux/config
...
SELINUX=disabled
...
3、通过另一台机器ssh -vvvv [email protected]查看,水平太low没看懂,反正看起来是认证失败
debug1: Unspecified GSS failure. Minor code may provide more information
No Kerberos credentials available (default cache: KEYRING:persistent:0)
debug2: we did not send a packet, disable method
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /root/.ssh/id_rsa
debug3: no such identity: /root/.ssh/id_rsa: No such file or directory
debug1: Trying private key: /root/.ssh/id_dsa
debug3: no such identity: /root/.ssh/id_dsa: No such file or directory
debug1: Trying private key: /root/.ssh/id_ecdsa
debug3: no such identity: /root/.ssh/id_ecdsa: No such file or directory
debug1: Trying private key: /root/.ssh/id_ed25519
debug3: no such identity: /root/.ssh/id_ed25519: No such file or directory
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred: ,password
debug3: authmethod_is_enabled password
debug1: Next authentication method: password
[email protected]'s password:
debug3: send packet: type 50
debug2: we sent a password packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
Permission denied, please try again.
4、检查/var/log/message,没看出问题
Aug 17 11:14:33 Fedora1 audit[1929]: CRYPTO_KEY_USER pid=1929 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=SHA256:8d:68:2a:43:56:c2:1d:df:30:f3:a5:3b:89:c8:fa:43:dc:bf:c4:d7:50:b1:9b:de:b0:9a:33:25:f2:1e:33:c6 direction=? spid=1929 suid=0 exe="/usr/sbin/sshd" hostname=? addr=? terminal=? res=success'
Aug 17 11:14:33 Fedora1 audit[1928]: CRYPTO_SESSION pid=1928 uid=0 auid=4294967295 ses=4294967295 msg='op=start direction=from-server [email protected] ksize=512 mac=<implicit> pfs=curve25519-sha256 spid=1929 suid=74 rport=40338 laddr=192.168.106.140 lport=22 exe="/usr/sbin/sshd" hostname=? addr=192.168.106.132 terminal=? res=success'
Aug 17 11:14:33 Fedora1 audit[1928]: CRYPTO_SESSION pid=1928 uid=0 auid=4294967295 ses=4294967295 msg='op=start direction=from-client [email protected] ksize=512 mac=<implicit> pfs=curve25519-sha256 spid=1929 suid=74 rport=40338 laddr=192.168.106.140 lport=22 exe="/usr/sbin/sshd" hostname=? addr=192.168.106.132 terminal=? res=success'
Aug 17 11:14:35 Fedora1 audit[1928]: USER_AUTH pid=1928 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=? acct="root" exe="/usr/sbin/sshd" hostname=192.168.106.132 addr=192.168.106.132 terminal=ssh res=failed'
5、检查/var/log/secure,还是说认证失败
Aug 17 11:14:35 Fedora1 sshd[1928]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.106.132 user=root
Aug 17 11:14:37 Fedora1 sshd[1928]: Failed password for root from 192.168.106.132 port 40338 ssh2
6、检查/etc/sshd/sshd_config,没有发现有些文章说的,配置了No:
PermitRootLogin yes /yes表示root可以ssh登录。可能这里是no
7、想检查/etc/hosts.allow和 /etc/hosts.deny,发现fedora默认没有这俩文件
8、又在网上看了不少案例,决定尝试创建一个普通用户test来试试,发现ssh可以正常登录。于是肯定了不是IP受限,也不是防火墙或者selinux的问题,而是root用户受限,但是仍然不知道哪里有限制。
9、最后本着死马当活马医的精神 ,将前面/etc/sshd/sshd_config的参数复制一行,然后修改:
vim /etc/sshd/sshd_config
...
#PermitRootLogin prohibit-password
PermitRootLogin yes
...
systemctl restart sshd
然后发现可以ssh远程登陆了,原因就是Fedoar默认不允许root用户远程ssh登录,而且必须要显式声明允许root登录;而Centos默认是允许root用户远程登录的。
10、下面对比一下Centos和Fedora的sshd_config相关root登录默认参数配置
Centos7:
[root@Centos7 etc]# cat /etc/ssh/sshd_config |grep -A 5 Permit
#PermitRootLogin yes
Fedora 32:
[root@Fedora1 ~]# cat /etc/ssh/sshd_config |grep -A 5 Permit
#PermitRootLogin prohibit-password
参考文档:
https://www.bilibili.com/read/cv6231213/
https://blog.csdn.net/weixin_42551369/article/details/88946622
https://blog.csdn.net/Joseph25/article/details/89349051