Question or problem
Here is a tricky SSH problem that I cannot solve on Solaris 11, even though I consider myself an experienced UNIX/Linux system administrator. 🙂
I copied the file root@server1:/root/.ssh/id_rsa.pub to:
root@server2:/root/.ssh/authorized_keys
oracle@server2:/home/oracle/.ssh/authorized_keys
There is no problem logging in or running commands remotely as oracle@server2.
I keep getting a password prompt for root@server2.
If I run “sshd -d” (debug mode) on server2 and run “ssh root@server2 uptime” from server1, I see the following on server2 until I get the password prompt and press Ctrl-C to abort:
server2# /usr/lib/ssh/sshd -d
debug1: sshd version Sun_SSH_2.2
debug1: key_load_private: loading /etc/ssh/ssh_host_rsa_key
debug1: ssh_kmf_check_uri: /etc/ssh/ssh_host_rsa_key
debug1: read PEM private key done: type RSA
debug1: Private host key #0 of type 1 (RSA).
debug1: key_load_private: loading /etc/ssh/ssh_host_dsa_key
debug1: ssh_kmf_check_uri: /etc/ssh/ssh_host_dsa_key
debug1: read PEM private key done: type DSA
debug1: Private host key #1 of type 2 (DSA).
debug1: Creating a global KMF session.
debug1: Bind to port 22 on ::.
Server listening on :: port 22.
debug1: Server will not fork when running in debugging mode.
Connection from 10.71.4.10 port 21911
debug1: Client protocol version 2.0; client software version Sun_SSH_2.2
debug1: match: Sun_SSH_2.2 pat Sun_SSH_2.*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-Sun_SSH_2.2
monitor debug1: list_hostkey_types: ssh-rsa,ssh-dss
debug1: Reloading X.509 host keys to avoid PKCS#11 fork issues.
monitor debug1: reading the context from the child
debug1: use_engine is 'yes'
debug1: pkcs11 engine initialized, now setting it as default for RSA, DSA, and symmetric ciphers
debug1: pkcs11 engine initialization complete
debug1: list_hostkey_types: ssh-rsa,ssh-dss
debug1: My KEX proposal before adding the GSS KEX algorithm:
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: My KEX proposal I sent to the peer:
debug1: KEX proposal I received from the peer:
debug1: kex: client->server aes128-ctr hmac-sha2-256 none
debug1: kex: server->client aes128-ctr hmac-sha2-256 none
debug1: Host key algorithm 'ssh-rsa' chosen for the KEX.
debug1: Peer sent proposed langtags, ctos: en-US
debug1: Peer sent proposed langtags, stoc: en-US
debug1: Мы предложили langtags, ctos: de-DE,en-US,es-ES,fr-FR,it-IT,ja-JP,ko-KR,pt-BR,zh-CN,zh-TW,i-default
debug1: Мы предложили langtags, stoc: de-DE,en-US,es-ES,fr-FR,it-IT,ja-JP,ko-KR,pt-BR,zh-CN,zh-TW,i-default
debug1: Negotiated main locale: en_US.UTF-8
debug1: Negotiated messages locale: en_US.UTF-8
debug1: Host key type is 1.
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
debug1: dh_gen_key: priv key bits set: 252/512
debug1: bits set: 2051/4095
debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
debug1: bits set: 2036/4095
debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
debug1: set_newkeys: setting new keys for 'out' mode
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: set_newkeys: setting new keys for 'in' mode
debug1: SSH2_MSG_NEWKEYS received
debug1: KEX done
debug1: userauth-request for user root service ssh-connection method none
debug1: attempt 0 initial attempt 0 failures 0 initial failures 0
Failed none for root from 10.71.4.10 port 21911 ssh2
debug1: userauth-request for user root service ssh-connection method publickey
debug1: attempt 1 initial attempt 0 failures 0 initial failures 0
debug1: ssh_kmf_key_from_blob: blob length is 277.
debug1: Test whether the public key is acceptable.
debug1: temporarily_use_uid: 0/0 (e=0/0)
debug1: trying public key file /root/.ssh/authorized_keys
debug1: ssh_kmf_key_from_blob: blob length is 277.
debug1: matching key found: file /root/.ssh/authorized_keys, line 1
Found matching RSA key: 8e:7f:c6:54:09:e7:fa:6e:5c:cc:c7:13:e2:13:90:22
debug1: restore_uid: 0/0
debug1: userauth-request for user root service ssh-connection method publickey
debug1: attempt 2 initial attempt 0 failures 0 initial failures 0
debug1: ssh_kmf_key_from_blob: blob length is 277.
debug1: We received a signature in the user auth packet.
debug1: temporarily_use_uid: 0/0 (e=0/0)
debug1: trying public key file /root/.ssh/authorized_keys
debug1: ssh_kmf_key_from_blob: blob length is 277.
debug1: matching key found: file /root/.ssh/authorized_keys, line 1
Found matching RSA key: 8e:7f:c6:54:09:e7:fa:6e:5c:cc:c7:13:e2:13:90:22
debug1: restore_uid: 0/0
debug1: ssh_rsa_verify: signature correct
Failed publickey for root from 10.71.4.10 port 21911 ssh2
debug1: userauth-request for user root service ssh-connection method keyboard-interactive
debug1: attempt 3 initial attempt 0 failures 2 initial failures 0
debug1: keyboard-interactive devs
Connection closed by 10.71.4.10
debug1: Calling cleanup 0x2df78(0xec5010)
debug1: Calling cleanup 0x262a8(0xece938)
debug1: Calling cleanup 0x53590(0x0)
monitor debug1: child closed the communication pipe before user auth was finished
monitor debug1: Calling cleanup 0x53590(0x0)
monitor debug1: Calling cleanup 0x53590(0x0)
Additional information about the SSH server configuration:
server2# diff /root/.ssh/authorized_keys /home/oracle/.ssh/authorized_keys
server2#
server2# ls -l /root/.ssh/authorized_keys /home/oracle/.ssh/authorized_keys
-rw------- 1 oracle dba 396 Aug 29 08:53 /home/oracle/.ssh/authorized_keys
-rw------- 1 root root 396 Aug 29 08:53 /root/.ssh/authorized_keys
server2# ls -ld /root /home/oracle
drwxr-xr-x 30 oracle dba 69 Aug 20 06:13 /home/oracle
drwx------ 22 root root 43 Aug 29 08:52 /root
server2# ls -ld /root/.ssh /home/oracle/.ssh
drwx--x--x 2 root root 5 Mar 20 2014 /home/oracle/.ssh
drwx--x--x 2 root root 3 Aug 29 08:53 /root/.ssh
server2# grep Root /etc/ssh/sshd_config
PermitRootLogin yes
Below is the authlog of the remote server server2 when I tried ssh root@server2 uptime from server1:
Aug 30 09:46:48 db01 sshd[11916]: [ID 800047 auth.debug] debug1: Forked child 13172.
Aug 30 09:46:48 db01 sshd[13172]: [ID 800047 auth.info] Connection from 10.71.4.10 port 28154
Aug 30 09:46:48 db01 sshd[13172]: [ID 800047 auth.debug] debug1: Client protocol version 2.0; client software version Sun_SSH_2.2
Aug 30 09:46:48 db01 sshd[13172]: [ID 800047 auth.debug] debug1: match: Sun_SSH_2.2 pat Sun_SSH_2.*
Aug 30 09:46:48 db01 sshd[13172]: [ID 800047 auth.debug] debug1: Enabling compatibility mode for protocol 2.0
Aug 30 09:46:48 db01 sshd[13172]: [ID 800047 auth.debug] debug1: Local version string SSH-2.0-Sun_SSH_2.2
Aug 30 09:46:48 db01 sshd[13172]: [ID 800047 auth.debug] monitor debug1: list_hostkey_types: ssh-rsa,ssh-dss
Aug 30 09:46:48 db01 sshd[13173]: [ID 800047 auth.debug] debug1: Reloading X.509 host keys to avoid PKCS#11 fork issues.
Aug 30 09:46:48 db01 sshd[13172]: [ID 800047 auth.debug] monitor debug1: reading the context from the child
Aug 30 09:46:48 db01 sshd[13173]: [ID 800047 auth.debug] debug1: use_engine is 'yes'
Aug 30 09:46:48 db01 sshd[13173]: [ID 800047 auth.debug] debug1: pkcs11 engine initialized, now setting it as default for RSA, DSA, and symmetric ciphers
Aug 30 09:46:48 db01 sshd[13173]: [ID 800047 auth.debug] debug1: pkcs11 engine initialization complete
Aug 30 09:46:48 db01 sshd[13173]: [ID 800047 auth.debug] debug1: list_hostkey_types: ssh-rsa,ssh-dss
Aug 30 09:46:48 db01 sshd[13173]: [ID 800047 auth.debug] debug1: My KEX proposal before adding the GSS KEX algorithm:
Aug 30 09:46:48 db01 sshd[13173]: [ID 800047 auth.debug] debug1: SSH2_MSG_KEXINIT sent
Aug 30 09:46:48 db01 sshd[13173]: [ID 800047 auth.debug] debug1: SSH2_MSG_KEXINIT received
Aug 30 09:46:48 db01 sshd[13173]: [ID 800047 auth.debug] debug1: My KEX proposal I sent to the peer:
Aug 30 09:46:48 db01 sshd[13173]: [ID 800047 auth.debug] debug1: KEX proposal I received from the peer:
Aug 30 09:46:48 db01 sshd[13173]: [ID 800047 auth.debug] debug1: kex: client->server aes128-ctr hmac-sha2-256 none
Aug 30 09:46:48 db01 sshd[13173]: [ID 800047 auth.debug] debug1: kex: server->client aes128-ctr hmac-sha2-256 none
Aug 30 09:46:48 db01 sshd[13173]: [ID 800047 auth.debug] debug1: Host key algorithm 'ssh-rsa' chosen for the KEX.
Aug 30 09:46:48 db01 sshd[13173]: [ID 800047 auth.debug] debug1: Peer sent proposed langtags, ctos: en-US
Aug 30 09:46:48 db01 sshd[13173]: [ID 800047 auth.debug] debug1: Peer sent proposed langtags, stoc: en-US
Aug 30 09:46:48 db01 sshd[13173]: [ID 800047 auth.debug] debug1: Мы предложили langtags, ctos: de-DE,en-US,es-ES,fr-FR,it-IT,ja-JP,ko-KR,pt-BR,zh-CN,zh-TW,i-default
Aug 30 09:46:48 db01 sshd[13173]: [ID 800047 auth.debug] debug1: Мы предложили langtags, stoc: de-DE,en-US,es-ES,fr-FR,it-IT,ja-JP,ko-KR,pt-BR,zh-CN,zh-TW,i-default
Aug 30 09:46:48 db01 sshd[13173]: [ID 800047 auth.debug] debug1: Negotiated main locale: en_US.UTF-8
Aug 30 09:46:48 db01 sshd[13173]: [ID 800047 auth.debug] debug1: Negotiated messages locale: en_US.UTF-8
Aug 30 09:46:48 db01 sshd[13173]: [ID 800047 auth.debug] debug1: Host key type is 1.
Aug 30 09:46:48 db01 sshd[13173]: [ID 800047 auth.debug] debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
Aug 30 09:46:48 db01 sshd[13173]: [ID 800047 auth.debug] debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
Aug 30 09:46:48 db01 sshd[13173]: [ID 800047 auth.debug] debug1: dh_gen_key: priv key bits set: 267/512
Aug 30 09:46:48 db01 sshd[13173]: [ID 800047 auth.debug] debug1: bits set: 2056/4095
Aug 30 09:46:48 db01 sshd[13173]: [ID 800047 auth.debug] debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
Aug 30 09:46:49 db01 sshd[13173]: [ID 800047 auth.debug] debug1: bits set: 2053/4095
Aug 30 09:46:49 db01 sshd[13173]: [ID 800047 auth.debug] debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
Aug 30 09:46:49 db01 sshd[13173]: [ID 800047 auth.debug] debug1: set_newkeys: setting new keys for 'out' mode
Aug 30 09:46:49 db01 sshd[13173]: [ID 800047 auth.debug] debug1: SSH2_MSG_NEWKEYS sent
Aug 30 09:46:49 db01 sshd[13173]: [ID 800047 auth.debug] debug1: expecting SSH2_MSG_NEWKEYS
Aug 30 09:46:49 db01 sshd[13173]: [ID 800047 auth.debug] debug1: set_newkeys: setting new keys for 'in' mode
Aug 30 09:46:49 db01 sshd[13173]: [ID 800047 auth.debug] debug1: SSH2_MSG_NEWKEYS received
Aug 30 09:46:49 db01 sshd[13173]: [ID 800047 auth.debug] debug1: KEX done
Aug 30 09:46:49 db01 sshd[13173]: [ID 800047 auth.debug] debug1: userauth-request for user root service ssh-connection method none
Aug 30 09:46:49 db01 sshd[13173]: [ID 800047 auth.debug] debug1: attempt 0 initial attempt 0 failures 0 initial failures 0
Aug 30 09:46:49 db01 sshd[13173]: [ID 800047 auth.info] Failed none for root from 10.71.4.10 port 28154 ssh2
Aug 30 09:46:49 db01 sshd[13173]: [ID 800047 auth.debug] debug1: userauth-request for user root service ssh-connection method publickey
Aug 30 09:46:49 db01 sshd[13173]: [ID 800047 auth.debug] debug1: attempt 1 initial attempt 0 failures 0 initial failures 0
Aug 30 09:46:49 db01 sshd[13173]: [ID 800047 auth.debug] debug1: ssh_kmf_key_from_blob: blob length is 277.
Aug 30 09:46:49 db01 sshd[13173]: [ID 800047 auth.debug] debug1: Test whether the public key is acceptable.
Aug 30 09:46:49 db01 sshd[13173]: [ID 800047 auth.debug] debug1: temporarily_use_uid: 0/0 (e=0/0)
Aug 30 09:46:49 db01 sshd[13173]: [ID 800047 auth.debug] debug1: trying public key file /root/.ssh/authorized_keys
Aug 30 09:46:49 db01 sshd[13173]: [ID 800047 auth.debug] debug1: ssh_kmf_key_from_blob: blob length is 277.
Aug 30 09:46:49 db01 sshd[13173]: [ID 800047 auth.debug] debug1: matching key found: file /root/.ssh/authorized_keys, line 1
Aug 30 09:46:49 db01 sshd[13173]: [ID 800047 auth.info] Found matching RSA key: 8e:7f:c6:54:09:e7:fa:6e:5c:cc:c7:13:e2:13:90:22
Aug 30 09:46:49 db01 sshd[13173]: [ID 800047 auth.debug] debug1: restore_uid: 0/0
Aug 30 09:46:49 db01 sshd[13173]: [ID 800047 auth.debug] debug1: userauth-request for user root service ssh-connection method publickey
Aug 30 09:46:49 db01 sshd[13173]: [ID 800047 auth.debug] debug1: attempt 2 initial attempt 0 failures 0 initial failures 0
Aug 30 09:46:49 db01 sshd[13173]: [ID 800047 auth.debug] debug1: ssh_kmf_key_from_blob: blob length is 277.
Aug 30 09:46:49 db01 sshd[13173]: [ID 800047 auth.debug] debug1: We received a signature in the user auth packet.
Aug 30 09:46:49 db01 sshd[13173]: [ID 800047 auth.debug] debug1: temporarily_use_uid: 0/0 (e=0/0)
Aug 30 09:46:49 db01 sshd[13173]: [ID 800047 auth.debug] debug1: trying public key file /root/.ssh/authorized_keys
Aug 30 09:46:49 db01 sshd[13173]: [ID 800047 auth.debug] debug1: ssh_kmf_key_from_blob: blob length is 277.
Aug 30 09:46:49 db01 sshd[13173]: [ID 800047 auth.debug] debug1: matching key found: file /root/.ssh/authorized_keys, line 1
Aug 30 09:46:49 db01 sshd[13173]: [ID 800047 auth.info] Found matching RSA key: 8e:7f:c6:54:09:e7:fa:6e:5c:cc:c7:13:e2:13:90:22
Aug 30 09:46:49 db01 sshd[13173]: [ID 800047 auth.debug] debug1: restore_uid: 0/0
Aug 30 09:46:49 db01 sshd[13173]: [ID 800047 auth.debug] debug1: ssh_rsa_verify: signature correct
Aug 30 09:46:49 db01 sshd[13173]: [ID 800047 auth.notice] Failed publickey for root from 10.71.4.10 port 28154 ssh2
Aug 30 09:46:49 db01 sshd[13173]: [ID 800047 auth.debug] debug1: userauth-request for user root service ssh-connection method keyboard-interactive
Aug 30 09:46:49 db01 sshd[13173]: [ID 800047 auth.debug] debug1: attempt 3 initial attempt 0 failures 2 initial failures 0
Aug 30 09:46:49 db01 sshd[13173]: [ID 800047 auth.debug] debug1: keyboard-interactive devs
Aug 30 09:46:51 db01 sshd[13173]: [ID 800047 auth.info] Connection closed by 10.71.4.10
Aug 30 09:46:51 db01 sshd[13173]: [ID 800047 auth.debug] debug1: Calling cleanup 0x2df78(0x34f960)
Aug 30 09:46:51 db01 sshd[13173]: [ID 800047 auth.debug] debug1: Calling cleanup 0x262a8(0x3592f8)
Aug 30 09:46:51 db01 sshd[13173]: [ID 800047 auth.debug] debug1: Calling cleanup 0x53590(0x0)
Aug 30 09:46:51 db01 sshd[13172]: [ID 800047 auth.debug] monitor debug1: child closed the communication pipe before user auth was finished
Aug 30 09:46:51 db01 sshd[13172]: [ID 800047 auth.debug] monitor debug1: Calling cleanup 0x53590(0x0)
Aug 30 09:46:51 db01 last message repeated 1 time
Also below is the output on server1 (the originating server) when I used “ssh -v -v -v root@server2” from server1 to connect to server2:
server1# ssh -v -v -v root@server2
Sun_SSH_2.2, SSH protocols 1.5/2.0, OpenSSL 0x1000110f
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: ssh_connect: needpriv 0
debug1: Connecting to db01 [10.65.4.139] port 22.
debug1: Connection established.
debug1: ssh_kmf_check_uri: /root/.ssh/identity
debug1: Identity file/URI '/root/.ssh/identity' pubkey type UNKNOWN
debug1: ssh_kmf_check_uri: /root/.ssh/id_rsa
debug3: Not a RSA1 key file /root/.ssh/id_rsa.
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug3: key_read: no key found
debug3: key_read: no space
debug3: key_read: no space
debug3: key_read: no space
debug3: key_read: no space
debug3: key_read: no space
debug3: key_read: no space
debug3: key_read: no space
debug3: key_read: no space
debug3: key_read: no space
debug3: key_read: no space
debug3: key_read: no space
debug3: key_read: no space
debug3: key_read: no space
debug3: key_read: no space
debug3: key_read: no space
debug3: key_read: no space
debug3: key_read: no space
debug3: key_read: no space
debug3: key_read: no space
debug3: key_read: no space
debug3: key_read: no space
debug3: key_read: no space
debug3: key_read: no space
debug2: key_type_from_name: unknown key type '-----END'
debug3: key_read: no key found
debug1: ssh_kmf_key_from_blob: blob length is 277.
debug1: Identity file/URI '/root/.ssh/id_rsa' pubkey type ssh-rsa
debug1: ssh_kmf_check_uri: /root/.ssh/id_dsa
debug1: Identity file/URI '/root/.ssh/id_dsa' pubkey type UNKNOWN
debug1: Logging to host: db01
debug1: Local user: root Remote user: root
debug1: Remote protocol version 2.0, remote software version Sun_SSH_2.2
debug1: match: Sun_SSH_2.2 pat Sun_SSH_2.*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-Sun_SSH_2.2
debug1: use_engine is 'yes'
debug1: pkcs11 engine initialized, now setting it as default for RSA, DSA, and symmetric ciphers
debug1: pkcs11 engine initialization complete
debug1: Creating a global KMF session.
debug1: My KEX proposal before adding the GSS KEX algorithm:
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss,x509v3-sign-rsa,x509v3-sign-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour128,arcfour256,arcfour,aes128-cbc,aes192-cbc,aes256-cbc,blowfish-cbc,3des-cbc
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour128,arcfour256,arcfour,aes128-cbc,aes192-cbc,aes256-cbc,blowfish-cbc,3des-cbc
debug2: kex_parse_kexinit: hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-sha2-256-96,hmac-sha2-512-96,hmac-sha1-96,hmac-md5,hmac-md5-96
debug2: kex_parse_kexinit: hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-sha2-256-96,hmac-sha2-512-96,hmac-sha1-96,hmac-md5,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: en-US
debug2: kex_parse_kexinit: en-US
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug1: Failed to acquire GSS-API credentials for any mechanisms (No credentials were supplied, or the credentials were unavailable or inaccessible)
debug1: SSH2_MSG_KEXINIT sent
debug3: kex_reset_dispatch -- should we dispatch_set(KEXINIT) here? 0 && !0
debug1: SSH2_MSG_KEXINIT received
debug1: My KEX proposal I sent to the peer:
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour128,arcfour256,arcfour
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour128,arcfour256,arcfour
debug2: kex_parse_kexinit: hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-sha2-256-96,hmac-sha2-512-96,hmac-sha1-96,hmac-md5,hmac-md5-96
debug2: kex_parse_kexinit: hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-sha2-256-96,hmac-sha2-512-96,hmac-sha1-96,hmac-md5,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: de-DE,en-US,es-ES,fr-FR,it-IT,ja-JP,ko-KR,pt-BR,zh-CN,zh-TW,i-default
debug2: kex_parse_kexinit: de-DE,en-US,es-ES,fr-FR,it-IT,ja-JP,ko-KR,pt-BR,zh-CN,zh-TW,i-default
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug1: mac_setup: found hmac-sha2-256
debug1: kex: server->client aes128-ctr hmac-sha2-256 none
debug2: mac_setup: found hmac-sha2-256
debug1: kex: client->server aes128-ctr hmac-sha2-256 none
debug1: Host key algorithm 'ssh-rsa' chosen for the KEX.
debug1: Peer sent proposed langtags, ctos: de-DE,en-US,es-ES,fr-FR,it-IT,ja-JP,ko-KR,pt-BR,zh-CN,zh-TW,i-default
debug1: Peer sent proposed langtags, stoc: de-DE,en-US,es-ES,fr-FR,it-IT,ja-JP,ko-KR,pt-BR,zh-CN,zh-TW,i-default
debug1: Мы предложили langtags, ctos: en-US
debug1: Мы предложили langtags, stoc: en-US
debug1: Negotiated lang: en-US
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: Remote: Negotiated main locale: en_US.UTF-8
debug1: Remote: Negotiated messages locale: en_US.UTF-8
debug1: dh_gen_key: priv key bits set: 262/512
debug1: bits set: 2025/4095
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: ssh_kmf_key_from_blob: blob length is 277.
debug3: check_host_in_hostfile: filename /root/.ssh/known_hosts
debug1: ssh_kmf_key_from_blob: blob length is 277.
debug3: check_host_in_hostfile: match line 17
debug3: check_host_in_hostfile: filename /root/.ssh/known_hosts
debug1: ssh_kmf_key_from_blob: blob length is 277.
debug3: check_host_in_hostfile: match line 17
debug1: Host 'db01' is known and matches the RSA host key.
debug1: Found key in /root/.ssh/known_hosts:17
debug1: bits set: 2075/4095
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug3: kex_reset_dispatch -- should we dispatch_set(KEXINIT) here? 0 && !0
debug2: set_newkeys: mode 1
debug1: set_newkeys: setting new keys for 'out' mode
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: set_newkeys: setting new keys for 'in' mode
debug1: SSH2_MSG_NEWKEYS received
debug1: done: ssh_kex2.
debug1: send SSH2_MSG_SERVICE_REQUEST
debug2: service_accept: ssh-userauth
debug1: got SSH2_MSG_SERVICE_ACCEPT
debug1: Authentications that can continue: gssapi-keyex,gssapi-with-mic,publickey,password,keyboard-interactive
debug3: start over, passed a different list gssapi-keyex,gssapi-with-mic,publickey,password,keyboard-interactive
debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup gssapi-keyex
debug3: remaining preferred: gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-keyex
debug1: Next authentication method: gssapi-keyex
debug2: we did not send a packet, disable method
debug3: authmethod_lookup gssapi-with-mic
debug3: remaining preferred: publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-with-mic
debug1: Next authentication method: gssapi-with-mic
debug1: Failed to acquire GSS-API credentials for any mechanisms (No credentials were supplied, or the credentials were unavailable or inaccessible)
debug2: we did not send a packet, disable method
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /root/.ssh/identity
debug1: ssh_kmf_check_uri: /root/.ssh/identity
debug3: no such identity: /root/.ssh/identity
debug1: Trying public key: /root/.ssh/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Server accepts key: pkalg ssh-rsa blen 277 lastkey 73cee8 hint 1
debug3: Pubkey type from SSH_MSG_USERAUTH_PK_OK is ssh-rsa.
debug1: ssh_kmf_key_from_blob: blob length is 277.
debug2: input_userauth_pk_ok: fp 8e:7f:c6:54:09:e7:fa:6e:5c:cc:c7:13:e2:13:90:22
debug3: sign_and_send_pubkey
debug1: ssh_kmf_check_uri: /root/.ssh/id_rsa
debug1: read PEM private key done: type RSA
debug1: Authentications that can continue: gssapi-keyex,gssapi-with-mic,publickey,password,keyboard-interactive
debug1: Trying private key: /root/.ssh/id_dsa
debug1: ssh_kmf_check_uri: /root/.ssh/id_dsa
debug3: no such identity: /root/.ssh/id_dsa
debug2: we did not send a packet, disable method
debug3: authmethod_lookup keyboard-interactive
debug3: remaining preferred: password
debug3: authmethod_is_enabled keyboard-interactive
debug1: Next authentication method: keyboard-interactive
debug2: userauth_kbdint
debug2: we sent a keyboard-interactive packet, wait for reply
debug2: input_userauth_info_req
debug2: input_userauth_info_req: num_prompts 1
Пароль:
debug3: packet_send2: добавление 32 (len 14 padlen 18 extra_pad 64)
Соединение закрыто 10.65.4.139
debug1: Calling cleanup 0x418a8(0x0)
I copied the file root@server1:/root/.ssh/id_rsa.pub to:
root@server2:/root/.ssh/authorized_keys
That depends on how you copy.
So it is important not to copy keys by cutting and pasting between login sessions.
Just use “scp” to copy your id_rsa.pub key from server1 to server2:
scp root@server1:/root/.ssh/id_rsa.pub root@server2:/root/.ssh/authorized_keys
Make sure the permissions on the home directory are not too open; sshd will report this in syslog.
As for your output, you can see (ssh -v -v -v root@server2):
key_read: no key found
It looks like your id_rsa key is invalid. Please try running ssh-keygen to create a valid key and add the public key again.
According to the logs, ssh-rsa is used. You may have used ssh-keygen -t rsa to generate the public key:
debug1: Host key algorithm 'ssh-rsa' chosen for the KEX.
In the log it tries to use the dsa algorithm:
debug1: Trying private key: /root/.ssh/id_dsa
debug1: ssh_kmf_check_uri: /root/.ssh/id_dsa
debug3: no such identity: /root/.ssh/id_dsa
Please try generating a public key with the dsa algorithm:
ssh-keygen -t dsa
ssh-copy-id -i /root/.ssh/id_dsa.pub server2
Answer or solution
Solving the SSH root login problem on Solaris 11 using authorized_keys
Your problem with root authorization on the Solaris 11 server requires a comprehensive approach to diagnosing and fixing the errors. Let us go through each aspect in detail, from checking the SSH keys through to the correct configuration.
1. Checking that the key was copied correctly
You mentioned that you copied the file id_rsa.pub from /root/.ssh/ on server1 to the file /root/.ssh/authorized_keys on server2. The most reliable way to transfer the public key is to use scp rather than copying via the clipboard. Make sure you used the following command:
scp root@server1:/root/.ssh/id_rsa.pub root@server2:/root/.ssh/authorized_keys
Also make sure that the contents of /root/.ssh/authorized_keys on server2 match the contents of the id_rsa.pub used on server1.
2. Checking permissions
SSH requires strict access control on the files and directories related to SSH. Verify that the permissions on the /root directory and the files in it are set correctly:
ls -ld /root /root/.ssh
ls -l /root/.ssh/authorized_keys
For root, the /root directory must have permissions 700 and the authorized_keys file 600. If the permissions differ, fix them:
chmod 700 /root
chmod 700 /root/.ssh
chmod 600 /root/.ssh/authorized_keys
Also pay attention to the user and group ownership. Make sure the owner of the authorized_keys file is root.
3. Checking the SSH configuration
You have already noted that in the SSH configuration file (/etc/ssh/sshd_config) the PermitRootLogin parameter is set to yes. Nevertheless, make sure that other parameters do not interfere with key authentication. For example, if PasswordAuthentication is required, it may interfere with key authentication.
4. Diagnosis using the logs
You provided output from /var/log/authlog and from the SSH server debugging (sshd -d). The key point that indicates a possible error is these lines:
ssh_rsa_verify: signature correct
Failed publickey for root from 10.71.4.10 port 21911 ssh2
This says that the server successfully found the key and verified the signature, but authentication still did not succeed. This may be caused by:
- An incorrect or damaged key pair (check the configuration on server1 and server2).
- Variations in the key format. Try regenerating the keys to make sure they are correct:
ssh-keygen -t rsa -b 4096 -f /root/.ssh/id_rsa
Do not forget to create or update the authorized_keys file afterwards.
5. Additional checks
- Make sure that the client (server1) uses the same private key that corresponds to the public key on the server (server2). You can specify a particular key to use:
ssh -i /root/.ssh/id_rsa root@server2
- Try temporarily disabling host checks to make sure the problem really lies with the keys:
ssh -o StrictHostKeyChecking=no root@server2
- Check for possible conflicts with other authentication methods, for instance by running:
ssh -v root@server2
Conclusion
Troubleshooting SSH login errors can take time, but by following the steps above you will be able to identify and solve the problem. Make sure you have correctly configured the keys, permissions and SSH configuration. If the problem persists, consider reinstalling SSH or examining the system logs more deeply for other clues.
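As an added example (not code from the original post or from either answer), the following sh script automates the checks from the first answer and from steps 1 and 2 of the final answer: ownership and writability of the home directory, ~/.ssh and authorized_keys as sshd's StrictModes evaluates them, plus a test that the client's public key is present in authorized_keys as one intact line rather than wrapped by a paste. The key string, directory layout and file names in the fixture are constructed and contain no real key material.

```shell
#!/bin/sh
# Added example, not from the original post. Runs the checks the answers
# describe the way sshd's StrictModes does: home, ~/.ssh and
# authorized_keys must be owned by the user and not group/world-writable
# (sshd rejects writability; 700/600 are just the tightest settings that
# satisfy it), and the client's key must be one intact line, since pasting
# between terminals often wraps the base64 blob and sshd skips fragments.

# Return 0 if PATH is neither group- nor world-writable. "ls -ld" is
# parsed instead of stat(1), whose flags differ between Solaris and Linux.
not_group_world_writable() {
    mode=$(ls -ld "$1" 2>/dev/null | cut -c1-10)
    [ -n "$mode" ] || return 1
    case "$mode" in
        ?????w*) return 1 ;;     # group write bit is the 6th character
        ????????w?) return 1 ;;  # other write bit is the 9th character
    esac
    return 0
}

# Return 0 if PATH is owned by USER (third column of "ls -ld").
owned_by() {
    owner=$(ls -ld "$1" 2>/dev/null | awk '{ print $3 }')
    [ "$owner" = "$2" ]
}

# Return 0 if the key blob (2nd field of PUBKEY_FILE) is a whole field of
# some line in AUTH_FILE; every field is tried because lines that carry
# options such as from="..." have the blob after the options word.
key_listed() {
    blob=$(awk 'NR == 1 { print $2 }' "$1")
    [ -n "$blob" ] || return 1
    awk -v blob="$blob" '
        { for (i = 1; i <= NF; i++) if ($i == blob) found = 1 }
        END { if (found) exit 0; exit 1 }' "$2"
}

# Return 0 if every non-comment line of AUTH_FILE carries a key-type
# token; lines without one are usually pieces of a key wrapped on paste.
no_wrapped_lines() {
    awk '/^[ \t]*(#|$)/ { next }
        { ok = 0
          for (i = 1; i <= NF; i++)
              if ($i ~ /^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp(256|384|521))$/) ok = 1
          if (!ok) { printf "  line %d has no key type (wrapped paste?)\n", NR; bad = 1 } }
        END { if (bad) exit 1; exit 0 }' "$1"
}

# Run every check for USER (home HOME_DIR) against PUBKEY_FILE; returns 0
# only when all pass and prints each failure.
check_user_keys() {
    user=$1; home=$2; pubkey=$3; auth="$2/.ssh/authorized_keys"; rc=0
    for p in "$home" "$home/.ssh" "$auth"; do
        if ! not_group_world_writable "$p"; then
            echo "FAIL: $p is missing or group/world writable"; rc=1
        fi
        if ! owned_by "$p" "$user"; then
            echo "FAIL: $p is not owned by $user"; rc=1
        fi
    done
    no_wrapped_lines "$auth" || { echo "FAIL: $auth has incomplete key lines"; rc=1; }
    key_listed "$pubkey" "$auth" || { echo "FAIL: $pubkey key not listed intact in $auth"; rc=1; }
    return $rc
}

# Constructed fixture (no real key material): a "good" home with the key
# intact, and a "bad" home with a group-writable ~/.ssh and the same key
# pasted wrapped over three lines. Prints the fixture directory.
make_fixture() {
    base=$(mktemp -d) || return 1
    key=AAAAB3NzaC1yc2EAAAADAQABAAAAgQDconstructedNOTarealkey0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789
    printf 'ssh-rsa %s root@server1\n' "$key" > "$base/id_rsa.pub"
    mkdir -p "$base/good/.ssh" "$base/bad/.ssh"
    chmod 700 "$base/good" "$base/good/.ssh" "$base/bad"; chmod 770 "$base/bad/.ssh"
    cp "$base/id_rsa.pub" "$base/good/.ssh/authorized_keys"
    printf 'ssh-rsa %s\n%s\n%s root@server1\n' "$(printf %s "$key" | cut -c1-60)" \
        "$(printf %s "$key" | cut -c61-120)" "$(printf %s "$key" | cut -c121-)" \
        > "$base/bad/.ssh/authorized_keys"
    chmod 600 "$base/good/.ssh/authorized_keys" "$base/bad/.ssh/authorized_keys"
    echo "$base"
}

# Usage: check_keys.sh USER HOME_DIR PUBKEY_FILE
[ $# -eq 3 ] && check_user_keys "$@"
```

Run it on server2 as `sh check_keys.sh root /root /tmp/id_rsa.pub` after copying the client's public key over with scp; a FAIL line names the exact file sshd would reject.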