나는 무슨 일이 일어나고 있는지 이해하지 못합니다. 이론적으로는 "user" 사용자를 위해 컴퓨터에 키 쌍을 생성했습니다.홈 데스크탑, 공개 키를 다음 주소로 보냅니다.myserver.example.com아래에 입력하시면 myserver:~user/.ssh/authorized_keys비밀번호 없이 로그인이 가능합니다.
문제는 이상하게도 그 컴퓨터의 다른 모든 사용자가홈 데스크탑user@myserver비밀번호 없이 로그인하실 수도 있습니다 ! 키가 전역적으로만 액세스 가능하다고 생각할 수도 있지만 homedesktop:/etc/ssh그렇지 않습니다(디렉토리를 삭제하고 다시 시도했지만 여전히 작동합니다). 실제로 "myserver"뿐만 아니라 "user"라는 공개 키를 가진 모든 서버는 "homedesktop"의 모든 사용자로부터 비밀번호 없는 로그인을 허용합니다. 아래 SSH 로그를 보면 키가 메모리에 있는 것 같나요? 무슨 일이 일어나고 있는지, 다른 사용자가 이 키를 사용하는 것을 방지하는 방법을 이해할 수 없습니다! 또한 homedesktop:~user/.ssh일반 권한으로는 다른 사용자가 읽을 수 없습니다.
이 예에서 "otheruser"는 user@myserver로 로그인을 시도하며 집에 도착하면 액세스할 수 있습니다.사용자@homedesktop열쇠, 어떤 것이 인정되나요?
otheruser@homedesktop:~$ rm -rf .ssh
otheruser@homedesktop:~$ ssh -vvv -p 15555 [email protected]
OpenSSH_6.6.1, OpenSSL 1.0.1f 6 Jan 2014
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to myserver.example.com [123.234.123.234] port 15555.
debug1: Connection established.
debug1: SELinux support disabled
debug1: identity file /home/otheruser/.ssh/id_rsa type -1
debug1: identity file /home/otheruser/.ssh/id_rsa-cert type -1
debug1: identity file /home/otheruser/.ssh/id_dsa type -1
debug1: identity file /home/otheruser/.ssh/id_dsa-cert type -1
debug1: identity file /home/otheruser/.ssh/id_ecdsa type -1
debug1: identity file /home/otheruser/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/otheruser/.ssh/id_ed25519 type -1
debug1: identity file /home/otheruser/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.6
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.3
debug1: match: OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.3 pat OpenSSH_6.6.1* compat 0x04000000
debug2: fd 3 setting O_NONBLOCK
debug3: put_host_port: [myserver.example.com]:15555
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: [email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,[email protected],[email protected],[email protected],aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected]
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,[email protected],[email protected],[email protected],aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected]
debug2: kex_parse_kexinit: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-md5,hmac-sha1,[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-md5,hmac-sha1,[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,[email protected],zlib
debug2: kex_parse_kexinit: none,[email protected],zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: [email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ssh-ed25519
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,[email protected],[email protected],[email protected],aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected]
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,[email protected],[email protected],[email protected],aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected]
debug2: kex_parse_kexinit: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-md5,hmac-sha1,[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-md5,hmac-sha1,[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,[email protected]
debug2: kex_parse_kexinit: none,[email protected]
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: setup [email protected]
debug1: kex: server->client aes128-ctr [email protected] none
debug2: mac_setup: setup [email protected]
debug1: kex: client->server aes128-ctr [email protected] none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ECDSA 9d:ce:c8:e4:39:43:f5:3a:0b:11:0b:77:78:cd:63:2f
debug3: put_host_port: [123.234.123.234]:15555
debug3: put_host_port: [myserver.example.com]:15555
debug1: checking without port identifier
The authenticity of host '[myserver.example.com]:15555 ([123.234.123.234]:15555)' can't be established.
ECDSA key fingerprint is 9d:ce:c8:e4:39:43:f5:3a:0b:11:0b:77:78:cd:63:2f.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[myserver.example.com]:15555,[123.234.123.234]:15555' (ECDSA) to the list of known hosts.
debug1: ssh_ecdsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: user@myserver (0x7fba1acf8000),
debug2: key: user@homedesktop (0x7fbaa1bbcf30),
debug2: key: /home/otheruser/.ssh/id_rsa ((nil)),
debug2: key: /home/otheruser/.ssh/id_dsa ((nil)),
debug2: key: /home/otheruser/.ssh/id_ecdsa ((nil)),
debug2: key: /home/otheruser/.ssh/id_ed25519 ((nil)),
debug1: Authentications that can continue: publickey,password
debug3: start over, passed a different list publickey,password
debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: user@myserver
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,password
debug1: Offering DSA public key: user@homedesktop
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Server accepts key: pkalg ssh-dss blen 433
debug2: input_userauth_pk_ok: fp d2:43:29:a0:88:06:a1:d2:1d:7a:65:15:4f:f8:95:eb
debug3: sign_and_send_pubkey: DSA d2:43:29:a0:88:06:a1:d2:1d:7a:65:15:4f:f8:95:eb
debug1: Authentication succeeded (publickey).
Authenticated to myserver.example.com ([123.234.123.234]:15555).
debug1: channel 0: new [client-session]
debug3: ssh_session2_open: channel_new: 0
debug2: channel 0: send open
debug1: Requesting [email protected]
debug1: Entering interactive session.
debug2: callback start
debug2: fd 3 setting TCP_NODELAY
debug3: packet_set_tos: set IP_TOS 0x10
debug2: client_session2_setup: id 0
debug2: channel 0: request pty-req confirm 1
debug1: Sending environment.
debug1: Sending env LC_PAPER = en_US.UTF-8
debug2: channel 0: request env confirm 0
debug3: Ignored env XDG_VTNR
debug3: Ignored env XDG_SESSION_ID
debug3: Ignored env KDE_MULTIHEAD
debug1: Sending env LC_ADDRESS = en_US.UTF-8
debug2: channel 0: request env confirm 0
debug1: Sending env LC_MONETARY = en_US.UTF-8
debug2: channel 0: request env confirm 0
debug3: Ignored env XDG_GREETER_DATA_DIR
debug3: Ignored env CLUTTER_IM_MODULE
debug3: Ignored env SELINUX_INIT
debug3: Ignored env SESSION
debug3: Ignored env GPG_AGENT_INFO
debug3: Ignored env SHELL
debug3: Ignored env TERM
debug3: Ignored env XDG_SESSION_COOKIE
debug3: Ignored env KONSOLE_DBUS_SERVICE
debug3: Ignored env GTK2_RC_FILES
debug3: Ignored env KONSOLE_PROFILE_NAME
debug3: Ignored env GS_LIB
debug3: Ignored env GTK_RC_FILES
debug1: Sending env LC_NUMERIC = en_US.UTF-8
debug2: channel 0: request env confirm 0
debug3: Ignored env WINDOWID
debug3: Ignored env GNOME_KEYRING_CONTROL
debug3: Ignored env UPSTART_SESSION
debug3: Ignored env SHELL_SESSION_ID
debug3: Ignored env KDE_FULL_SESSION
debug3: Ignored env USER
debug1: Sending env LC_TELEPHONE = en_US.UTF-8
debug2: channel 0: request env confirm 0
debug3: Ignored env LS_COLORS
debug3: Ignored env XDG_SESSION_PATH
debug3: Ignored env XDG_SEAT_PATH
debug3: Ignored env SSH_AUTH_SOCK
debug3: Ignored env DEFAULTS_PATH
debug3: Ignored env SESSION_MANAGER
debug3: Ignored env XDG_CONFIG_DIRS
debug3: Ignored env MAIL
debug3: Ignored env PATH
debug3: Ignored env DESKTOP_SESSION
debug3: Ignored env QT_IM_MODULE
debug1: Sending env LC_IDENTIFICATION = en_US.UTF-8
debug2: channel 0: request env confirm 0
debug3: Ignored env PWD
debug3: Ignored env JOB
debug3: Ignored env XMODIFIERS
debug3: Ignored env KONSOLE_DBUS_WINDOW
debug3: Ignored env KDE_SESSION_UID
debug3: Ignored env GNOME_KEYRING_PID
debug1: Sending env LANG = en_US.UTF-8
debug2: channel 0: request env confirm 0
debug3: Ignored env GDM_LANG
debug3: Ignored env MANDATORY_PATH
debug1: Sending env LC_MEASUREMENT = en_US.UTF-8
debug2: channel 0: request env confirm 0
debug3: Ignored env IM_CONFIG_PHASE
debug3: Ignored env KONSOLE_DBUS_SESSION
debug3: Ignored env GDMSESSION
debug3: Ignored env SESSIONTYPE
debug3: Ignored env HOME
debug3: Ignored env XDG_SEAT
debug3: Ignored env SHLVL
debug3: Ignored env COLORFGBG
debug3: Ignored env LANGUAGE
debug3: Ignored env KDE_SESSION_VERSION
debug3: Ignored env XCURSOR_THEME
debug3: Ignored env UPSTART_INSTANCE
debug3: Ignored env PYTHONPATH
debug3: Ignored env LOGNAME
debug3: Ignored env UPSTART_EVENTS
debug3: Ignored env XDG_DATA_DIRS
debug3: Ignored env DBUS_SESSION_BUS_ADDRESS
debug3: Ignored env QT4_IM_MODULE
debug3: Ignored env LESSOPEN
debug3: Ignored env TEXTDOMAIN
debug3: Ignored env UPSTART_JOB
debug3: Ignored env INSTANCE
debug3: Ignored env DISPLAY
debug3: Ignored env XDG_RUNTIME_DIR
debug3: Ignored env PROFILEHOME
debug3: Ignored env QT_PLUGIN_PATH
debug3: Ignored env GTK_IM_MODULE
debug3: Ignored env XDG_CURRENT_DESKTOP
debug3: Ignored env PAM_KWALLET_LOGIN
debug1: Sending env LC_TIME = en_US.UTF-8
debug2: channel 0: request env confirm 0
debug3: Ignored env LESSCLOSE
debug3: Ignored env TEXTDOMAINDIR
debug1: Sending env LC_NAME = en_US.UTF-8
debug2: channel 0: request env confirm 0
debug3: Ignored env XAUTHORITY
debug3: Ignored env _
debug3: Ignored env OLDPWD
debug2: channel 0: request shell confirm 1
debug2: callback done
debug2: channel 0: open confirm rwindow 0 rmax 32768
debug2: channel_input_status_confirm: type 99 id 0
debug2: PTY allocation request accepted on channel 0
debug2: channel 0: rcvd adjust 2097152
debug2: channel_input_status_confirm: type 99 id 0
debug2: shell request accepted on channel 0
Welcome to MYSERVER!!
Last login: Tue Nov 1 21:05:47 2016 from 111.222.111.222
user@myserver:~$
답변1
debug1: Offering DSA public key: user@homedesktop
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Server accepts key: pkalg ssh-dss blen 433
debug2: input_userauth_pk_ok: fp d2:43:29:a0:88:06:a1:d2:1d:7a:65:15:4f:f8:95:eb
debug3: sign_and_send_pubkey: DSA d2:43:29:a0:88:06:a1:d2:1d:7a:65:15:4f:f8:95:eb
debug1: Authentication succeeded (publickey).
Authenticated to myserver.example.com ([123.234.123.234]:15555).
키가 세션에 저장되어 있음을 나타냅니다 ssh-agent. ssh연결 없이 실행하면 다음 항목 ssh-agent에 액세스할 수 없습니다.
SSH_AUTH_SOCK="" ssh -vvv -p 15555 [email protected]
프록시를 종료하면 작업도 수행됩니다( eval $(ssh-agent -k)사용하지 않는 경우 gnome-keyring). 그렇지 않으면 DE에서 다시 로그인하면 키가 "새로 고쳐집니다".