linux - SSH login as root in Azure

Reposted. Author: 塔克拉玛干. Updated: 2023-11-03 01:25:21

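I am trying to enable SSH login as root on a Linux VM running on Microsoft Azure. The VM is based on the Oracle Linux 6.4 image from the Azure Marketplace.

I want to be able to SSH into the VM as the root user using public certificate authentication. I need direct root login (rather than sudo) because I am trying to automate deploying software to the Azure VM using rsync, connecting to the target as root.

Here is what I have tried:

  1. I have the public key in the authorized_keys file and can log in as a normal user without a password, but not as root.
  2. I copied the same authorized_keys file that the normal user has to /root/.ssh. The directories /root and /root/.ssh and the file authorized_keys are all owned by root and not writable by anyone else.
  3. I have set

    PermitRootLogin yes

    in /etc/ssh/sshd_config and then restarted sshd (and rebooted the VM).

  4. When connecting as root I get the message "Server refused our key". I successfully enabled SSH login as root using password authentication and am able to log in as root with a password: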

    Using username "root".
    Server refused our key
    Using keyboard-interactive authentication.
    Password:
    [root@myazureserver ~]#
  5. I have started a second instance of sshd in debug mode on a different port:

    [root@myazureserver ~]# /usr/sbin/sshd -Dd -p 2020
    debug1: sshd version OpenSSH_5.3p1
    debug1: read PEM private key done: type RSA
    debug1: private host key: #0 type 1 RSA
    debug1: read PEM private key done: type DSA
    debug1: private host key: #1 type 2 DSA
    debug1: rexec_argv[0]='/usr/sbin/sshd'
    debug1: rexec_argv[1]='-Dd'
    debug1: rexec_argv[2]='-p'
    debug1: rexec_argv[3]='2020'
    Set /proc/self/oom_score_adj from 0 to -1000
    debug1: Bind to port 2020 on 0.0.0.0.
    Server listening on 0.0.0.0 port 2020.
    debug1: Bind to port 2020 on ::.
    Server listening on :: port 2020.

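    When I connect to the debug instance of sshd (on port 2020), I am able to log in as root without a password - it accepts the public key!

  6. Instead of using PuTTY on Windows as the SSH client, I tried using the ssh command on the same VM (while logged in as a normal user). I can SSH from one normal user account to another without a password, but cannot log in to the root account from a normal account. Here is the output of ssh running in debug mode, connecting as root: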

    [oracle@myazureserver ~]$ ssh -vvv root@myazureserver
    OpenSSH_5.3p1, OpenSSL 1.0.0-fips 29 Mar 2010
    debug1: Reading configuration data /etc/ssh/ssh_config
    debug1: Applying options for *
    debug2: ssh_connect: needpriv 0
    debug1: Connecting to myazureserver [10.0.0.4] port 22.
    debug1: Connection established.
    debug1: identity file /home/oracle/.ssh/identity type -1
    debug3: Not a RSA1 key file /home/oracle/.ssh/id_rsa.
    debug2: key_type_from_name: unknown key type '-----BEGIN'
    debug3: key_read: missing keytype
    debug3: key_read: missing whitespace
    ...
    debug3: key_read: missing whitespace
    debug2: key_type_from_name: unknown key type '-----END'
    debug3: key_read: missing keytype
    debug1: identity file /home/oracle/.ssh/id_rsa type 1
    debug1: identity file /home/oracle/.ssh/id_dsa type -1
    debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
    debug1: match: OpenSSH_5.3 pat OpenSSH*
    debug1: Enabling compatibility mode for protocol 2.0
    debug1: Local version string SSH-2.0-OpenSSH_5.3
    debug2: fd 3 setting O_NONBLOCK
    debug1: SSH2_MSG_KEXINIT sent
    debug3: Wrote 792 bytes for a total of 813
    debug1: SSH2_MSG_KEXINIT received
    debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
    debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
    debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
    debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
    debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
    debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
    debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
    debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
    debug2: kex_parse_kexinit:
    debug2: kex_parse_kexinit:
    debug2: kex_parse_kexinit: first_kex_follows 0
    debug2: kex_parse_kexinit: reserved 0
    debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
    debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
    debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
    debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
    debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
    debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
    debug2: kex_parse_kexinit: none,zlib@openssh.com
    debug2: kex_parse_kexinit: none,zlib@openssh.com
    debug2: kex_parse_kexinit:
    debug2: kex_parse_kexinit:
    debug2: kex_parse_kexinit: first_kex_follows 0
    debug2: kex_parse_kexinit: reserved 0
    debug2: mac_setup: found hmac-md5
    debug1: kex: server->client aes128-ctr hmac-md5 none
    debug2: mac_setup: found hmac-md5
    debug1: kex: client->server aes128-ctr hmac-md5 none
    debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
    debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
    debug3: Wrote 24 bytes for a total of 837
    debug2: dh_gen_key: priv key bits set: 128/256
    debug2: bits set: 512/1024
    debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
    debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
    debug3: Wrote 144 bytes for a total of 981
    debug3: check_host_in_hostfile: filename /home/oracle/.ssh/known_hosts
    debug3: check_host_in_hostfile: match line 1
    debug3: check_host_in_hostfile: filename /home/oracle/.ssh/known_hosts
    debug3: check_host_in_hostfile: match line 1
    debug1: Host 'myazureserver' is known and matches the RSA host key.
    debug1: Found key in /home/oracle/.ssh/known_hosts:1
    debug2: bits set: 507/1024
    debug1: ssh_rsa_verify: signature correct
    debug2: kex_derive_keys
    debug2: set_newkeys: mode 1
    debug1: SSH2_MSG_NEWKEYS sent
    debug1: expecting SSH2_MSG_NEWKEYS
    debug3: Wrote 16 bytes for a total of 997
    debug2: set_newkeys: mode 0
    debug1: SSH2_MSG_NEWKEYS received
    debug1: SSH2_MSG_SERVICE_REQUEST sent
    debug3: Wrote 48 bytes for a total of 1045
    debug2: service_accept: ssh-userauth
    debug1: SSH2_MSG_SERVICE_ACCEPT received
    debug2: key: /home/oracle/.ssh/identity ((nil))
    debug2: key: /home/oracle/.ssh/id_rsa (0x7f81f3a5dd70)
    debug2: key: /home/oracle/.ssh/id_dsa ((nil))
    debug3: Wrote 64 bytes for a total of 1109
    debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive
    debug3: start over, passed a different list publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive
    debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password
    debug3: authmethod_lookup gssapi-keyex
    debug3: remaining preferred: gssapi-with-mic,publickey,keyboard-interactive,password
    debug3: authmethod_is_enabled gssapi-keyex
    debug1: Next authentication method: gssapi-keyex
    debug1: No valid Key exchange context
    debug2: we did not send a packet, disable method
    debug3: authmethod_lookup gssapi-with-mic
    debug3: remaining preferred: publickey,keyboard-interactive,password
    debug3: authmethod_is_enabled gssapi-with-mic
    debug1: Next authentication method: gssapi-with-mic
    debug3: Trying to reverse map address 10.0.0.4.
    debug1: Unspecified GSS failure. Minor code may provide more information
    Credentials cache file '/tmp/krb5cc_54321' not found

    debug1: Unspecified GSS failure. Minor code may provide more information
    Credentials cache file '/tmp/krb5cc_54321' not found

    debug1: Unspecified GSS failure. Minor code may provide more information


    debug1: Unspecified GSS failure. Minor code may provide more information
    Credentials cache file '/tmp/krb5cc_54321' not found

    debug2: we did not send a packet, disable method
    debug3: authmethod_lookup publickey
    debug3: remaining preferred: keyboard-interactive,password
    debug3: authmethod_is_enabled publickey
    debug1: Next authentication method: publickey
    debug1: Trying private key: /home/oracle/.ssh/identity
    debug3: no such identity: /home/oracle/.ssh/identity
    debug1: Offering public key: /home/oracle/.ssh/id_rsa
    debug3: send_pubkey_test
    debug2: we sent a publickey packet, wait for reply
    debug3: Wrote 368 bytes for a total of 1477
    debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive
    debug1: Trying private key: /home/oracle/.ssh/id_dsa
    debug3: no such identity: /home/oracle/.ssh/id_dsa
    debug2: we did not send a packet, disable method
    debug3: authmethod_lookup keyboard-interactive
    debug3: remaining preferred: password
    debug3: authmethod_is_enabled keyboard-interactive
    debug1: Next authentication method: keyboard-interactive
    debug2: userauth_kbdint
    debug2: we sent a keyboard-interactive packet, wait for reply
    debug3: Wrote 96 bytes for a total of 1573
    debug2: input_userauth_info_req
    debug2: input_userauth_info_req: num_prompts 1
    Password:

    Here is the output of ssh connecting as a normal user:

    [oracle@myazureserver ~]$ ssh -vvv jziabick@myazureserver
    OpenSSH_5.3p1, OpenSSL 1.0.0-fips 29 Mar 2010
    debug1: Reading configuration data /etc/ssh/ssh_config
    debug1: Applying options for *
    debug2: ssh_connect: needpriv 0
    debug1: Connecting to myazureserver [10.0.0.4] port 22.
    debug1: Connection established.
    debug1: identity file /home/oracle/.ssh/identity type -1
    debug3: Not a RSA1 key file /home/oracle/.ssh/id_rsa.
    debug2: key_type_from_name: unknown key type '-----BEGIN'
    debug3: key_read: missing keytype
    debug3: key_read: missing whitespace
    ...
    debug3: key_read: missing whitespace
    debug2: key_type_from_name: unknown key type '-----END'
    debug3: key_read: missing keytype
    debug1: identity file /home/oracle/.ssh/id_rsa type 1
    debug1: identity file /home/oracle/.ssh/id_dsa type -1
    debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
    debug1: match: OpenSSH_5.3 pat OpenSSH*
    debug1: Enabling compatibility mode for protocol 2.0
    debug1: Local version string SSH-2.0-OpenSSH_5.3
    debug2: fd 3 setting O_NONBLOCK
    debug1: SSH2_MSG_KEXINIT sent
    debug3: Wrote 792 bytes for a total of 813
    debug1: SSH2_MSG_KEXINIT received
    debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
    debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
    debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
    debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
    debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
    debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
    debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
    debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
    debug2: kex_parse_kexinit:
    debug2: kex_parse_kexinit:
    debug2: kex_parse_kexinit: first_kex_follows 0
    debug2: kex_parse_kexinit: reserved 0
    debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
    debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
    debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
    debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
    debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
    debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
    debug2: kex_parse_kexinit: none,zlib@openssh.com
    debug2: kex_parse_kexinit: none,zlib@openssh.com
    debug2: kex_parse_kexinit:
    debug2: kex_parse_kexinit:
    debug2: kex_parse_kexinit: first_kex_follows 0
    debug2: kex_parse_kexinit: reserved 0
    debug2: mac_setup: found hmac-md5
    debug1: kex: server->client aes128-ctr hmac-md5 none
    debug2: mac_setup: found hmac-md5
    debug1: kex: client->server aes128-ctr hmac-md5 none
    debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
    debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
    debug3: Wrote 24 bytes for a total of 837
    debug2: dh_gen_key: priv key bits set: 119/256
    debug2: bits set: 535/1024
    debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
    debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
    debug3: Wrote 144 bytes for a total of 981
    debug3: check_host_in_hostfile: filename /home/oracle/.ssh/known_hosts
    debug3: check_host_in_hostfile: match line 1
    debug3: check_host_in_hostfile: filename /home/oracle/.ssh/known_hosts
    debug3: check_host_in_hostfile: match line 1
    debug1: Host 'myazureserver' is known and matches the RSA host key.
    debug1: Found key in /home/oracle/.ssh/known_hosts:1
    debug2: bits set: 529/1024
    debug1: ssh_rsa_verify: signature correct
    debug2: kex_derive_keys
    debug2: set_newkeys: mode 1
    debug1: SSH2_MSG_NEWKEYS sent
    debug1: expecting SSH2_MSG_NEWKEYS
    debug3: Wrote 16 bytes for a total of 997
    debug2: set_newkeys: mode 0
    debug1: SSH2_MSG_NEWKEYS received
    debug1: SSH2_MSG_SERVICE_REQUEST sent
    debug3: Wrote 48 bytes for a total of 1045
    debug2: service_accept: ssh-userauth
    debug1: SSH2_MSG_SERVICE_ACCEPT received
    debug2: key: /home/oracle/.ssh/identity ((nil))
    debug2: key: /home/oracle/.ssh/id_rsa (0x7f2ae500fd70)
    debug2: key: /home/oracle/.ssh/id_dsa ((nil))
    debug3: Wrote 64 bytes for a total of 1109
    debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive
    debug3: start over, passed a different list publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive
    debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password
    debug3: authmethod_lookup gssapi-keyex
    debug3: remaining preferred: gssapi-with-mic,publickey,keyboard-interactive,password
    debug3: authmethod_is_enabled gssapi-keyex
    debug1: Next authentication method: gssapi-keyex
    debug1: No valid Key exchange context
    debug2: we did not send a packet, disable method
    debug3: authmethod_lookup gssapi-with-mic
    debug3: remaining preferred: publickey,keyboard-interactive,password
    debug3: authmethod_is_enabled gssapi-with-mic
    debug1: Next authentication method: gssapi-with-mic
    debug3: Trying to reverse map address 10.0.0.4.
    debug1: Unspecified GSS failure. Minor code may provide more information
    Credentials cache file '/tmp/krb5cc_54321' not found

    debug1: Unspecified GSS failure. Minor code may provide more information
    Credentials cache file '/tmp/krb5cc_54321' not found

    debug1: Unspecified GSS failure. Minor code may provide more information


    debug1: Unspecified GSS failure. Minor code may provide more information
    Credentials cache file '/tmp/krb5cc_54321' not found

    debug2: we did not send a packet, disable method
    debug3: authmethod_lookup publickey
    debug3: remaining preferred: keyboard-interactive,password
    debug3: authmethod_is_enabled publickey
    debug1: Next authentication method: publickey
    debug1: Trying private key: /home/oracle/.ssh/identity
    debug3: no such identity: /home/oracle/.ssh/identity
    debug1: Offering public key: /home/oracle/.ssh/id_rsa
    debug3: send_pubkey_test
    debug2: we sent a publickey packet, wait for reply
    debug3: Wrote 368 bytes for a total of 1477
    debug1: Server accepts key: pkalg ssh-rsa blen 279
    debug2: input_userauth_pk_ok: SHA1 fp b6:aa:fd:7b:bf:d2:99:78:48:38:cc:9e:b0:26:05:dc:1c:4e:83:35
    debug3: sign_and_send_pubkey
    debug1: read PEM private key done: type RSA
    debug3: Wrote 640 bytes for a total of 2117
    debug1: Authentication succeeded (publickey).
    debug1: channel 0: new [client-session]
    debug3: ssh_session2_open: channel_new: 0
    debug2: channel 0: send open
    debug1: Requesting no-more-sessions@openssh.com
    debug1: Entering interactive session.
    debug3: Wrote 128 bytes for a total of 2245
    debug2: callback start
    debug2: client_session2_setup: id 0
    debug2: channel 0: request pty-req confirm 1
    debug1: Sending environment.
    debug3: Ignored env HOSTNAME
    debug3: Ignored env SELINUX_ROLE_REQUESTED
    debug3: Ignored env TERM
    debug3: Ignored env SHELL
    debug3: Ignored env HISTSIZE
    debug3: Ignored env SSH_CLIENT
    debug3: Ignored env SELINUX_USE_CURRENT_RANGE
    debug3: Ignored env SSH_TTY
    debug3: Ignored env USER
    debug3: Ignored env LS_COLORS
    debug3: Ignored env MAIL
    debug3: Ignored env PATH
    debug3: Ignored env PWD
    debug1: Sending env LANG = en_US.UTF-8
    debug2: channel 0: request env confirm 0
    debug3: Ignored env SELINUX_LEVEL_REQUESTED
    debug3: Ignored env HISTCONTROL
    debug3: Ignored env SHLVL
    debug3: Ignored env HOME
    debug3: Ignored env LOGNAME
    debug3: Ignored env SSH_CONNECTION
    debug3: Ignored env LESSOPEN
    debug3: Ignored env G_BROKEN_FILENAMES
    debug3: Ignored env _
    debug2: channel 0: request shell confirm 1
    debug2: fd 3 setting TCP_NODELAY
    debug2: callback done
    debug2: channel 0: open confirm rwindow 0 rmax 32768
    debug3: Wrote 448 bytes for a total of 2693
    debug2: channel_input_status_confirm: type 99 id 0
    debug2: PTY allocation request accepted on channel 0
    debug2: channel 0: rcvd adjust 2097152
    debug2: channel_input_status_confirm: type 99 id 0
    debug2: shell request accepted on channel 0

Edit - additional log file information below. In /var/log/secure, I see this for a successful login:

    Mar 17 18:55:09 myazureserver sshd[1196]: Server listening on :: port 22.
    Mar 17 19:08:18 myazureserver sshd[1383]: Accepted publickey for jziabick from xx.xx.xx.xx port 53533 ssh2
    Mar 17 19:08:19 myazureserver sshd[1383]: pam_unix(sshd:session): session opened for user jziabick by (uid=0)

For a failed login (as root), I see this in /var/log/secure:

    Mar 18 10:52:24 myazureserver sshd[1992]: Server listening on :: port 22.
    Mar 18 10:53:02 myazureserver sshd[1997]: Received disconnect from xx.xx.xx.xx: 14: No supported authentication methods available

In /var/log/audit/audit.log I found (for the failed login as root):

type=AVC msg=audit(1458311548.677:733): avc:  denied  { read } for  pid=1948 comm="sshd" name="authorized_keys" dev=sda3 ino=259748 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
type=SYSCALL msg=audit(1458311548.677:733): arch=c000003e syscall=2 success=no exit=-13 a0=7f8c6621d470 a1=800 a2=1 a3=4 items=0 ppid=1196 pid=1948 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sshd" exe="/usr/sbin/sshd" subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)
type=USER_AUTH msg=audit(1458311548.679:734): user pid=1948 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=pubkey acct="root" exe="/usr/sbin/sshd" hostname=? addr=xx.xx.xx.xx terminal=ssh res=failed'
type=USER_AUTH msg=audit(1458311668.148:735): user pid=1950 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:authentication acct="root" exe="/usr/sbin/sshd" hostname=c-xx-xx-xx-xx.hsd1.il.comcast.net addr=xx.xx.xx.xx terminal=ssh res=failed'

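What am I missing? I have set up SSH with public key authentication on Oracle Linux many times (including logging in as root). This must be something specific to the Azure configuration.

Best answer

You can blame SELinux. Your authorized_keys file is mislabeled (and possibly other files too).

    type=AVC msg=audit(1458311548.677:733): avc: denied { read } for pid=1948 comm="sshd" name="authorized_keys" dev=sda3 ino=259748 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file

The safe solution is to relabel /root/:

    restorecon -rf /root/

Or, if that does not help, just fix the label of that specific file:

    chcon -t ssh_home_t /root/.ssh/authorized_keys

That should do it. If not, update the question with the current results (AVC messages from audit are usually helpful).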
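The check the answer performs by eye on the AVC record, written out as an added example (not part of the original answer): it filters audit records for sshd denials on `authorized_keys` or `.ssh` and reports whether the target label differs from `ssh_home_t`, the type used in the answer's `chcon` command. The function names `avc_field` and `triage_sshd_avc` are hypothetical, and every sample record except the first is constructed.

```shell
#!/bin/sh
# Added example: triage SELinux AVC denials that break sshd public-key login.
# Assumption: ssh_home_t is the expected type, as in the answer's chcon command.
EXPECTED_TYPE="ssh_home_t"

# Print the value of key=value (quotes stripped) from one audit record.
# $1 = record line, $2 = key name
avc_field() {
    printf '%s\n' "$1" |
        sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\"[:space:]]*\)\"\{0,1\}.*/\1/p"
}

# Read audit records on stdin; emit one verdict line per sshd denial on
# authorized_keys or the .ssh directory.
triage_sshd_avc() {
    while IFS= read -r rec; do
        case "$rec" in
            type=AVC*denied*) ;;      # only AVC denials are of interest
            *) continue ;;
        esac
        [ "$(avc_field "$rec" comm)" = "sshd" ] || continue
        t_name=$(avc_field "$rec" name)
        case "$t_name" in
            authorized_keys|.ssh) ;;
            *) continue ;;
        esac
        t_ino=$(avc_field "$rec" ino)
        t_perm=$(printf '%s\n' "$rec" | sed -n 's/.*{ \([^}]*\) }.*/\1/p')
        # SELinux context is user:role:type:level; the type is field 3.
        t_type=$(avc_field "$rec" tcontext | cut -d: -f3)
        if [ "$t_type" = "$EXPECTED_TYPE" ]; then
            verdict=LABEL_OK          # label is right; denial has another cause
        else
            verdict=MISLABELED        # candidate for restorecon / chcon
        fi
        printf '%s ino=%s perm=%s label=%s %s\n' \
            "$t_name" "$t_ino" "$t_perm" "$t_type" "$verdict"
    done
}

# Record 1 is the AVC line from the question; records 2-4 are constructed.
SAMPLE_AUDIT='type=AVC msg=audit(1458311548.677:733): avc:  denied  { read } for  pid=1948 comm="sshd" name="authorized_keys" dev=sda3 ino=259748 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
type=SYSCALL msg=audit(1700000000.000:1): arch=c000003e syscall=2 success=no comm="sshd" exe="/usr/sbin/sshd"
type=AVC msg=audit(1700000000.000:2): avc:  denied  { read } for  pid=2000 comm="httpd" name="index.html" dev=sda3 ino=1000 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1700000000.000:3): avc:  denied  { getattr } for  pid=2001 comm="sshd" name="authorized_keys" dev=sda3 ino=1001 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:ssh_home_t:s0 tclass=file'

printf '%s\n' "$SAMPLE_AUDIT" | triage_sshd_avc
```

On a live host the same function can be fed from `/var/log/audit/audit.log`; a `MISLABELED` line corresponds to the case the answer fixes with `restorecon` or `chcon`.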

Regarding linux - SSH login as root in Azure, a similar question was found on Stack Overflow: https://stackoverflow.com/questions/36051793/