SSH stops at "Using username" with IPTables in effect

We used UFW, but we couldn't open the Source Dedicated ports, which was odd, so we purged UFW and switched to IPTables, using Webmin to configure it.

If the incoming chain is on DENY and the SSH port is open [judging from Webmin], PuTTY says Using username "root" and stops there instead of asking for the public key pw. With the incoming chain on ACCEPT, the pw is asked for. This problem did not occur with UFW.

Picture of the IPTables configuration in Webmin: http://s284544448.onlinehome.us/public/PlusLINE%20Dedicated%20Server,%20Webmin,%20IPTables,%200.jpg
The address corresponds to the earlier rautamiekka.org.


EDIT 1: I realized the system had Portsentry running, but aptitude remove didn't help with this. I can't reboot yet.


EDIT 2: attempt from Ubuntu 11.10

    administrator@rauta-m1530-ubuntu:~$ ssh -v -v -v -v -v -v -i ~/<filename removed> -l root <IP removed>
    OpenSSH_5.8p1 Debian-7ubuntu1, OpenSSL 1.0.0e 6 Sep 2011
    debug1: Reading configuration data /etc/ssh/ssh_config
    debug1: Applying options for *
    debug2: ssh_connect: needpriv 0
    debug1: Connecting to <IP removed> [<IP removed>] port 22.
    debug1: Connection established.
    debug3: Incorrect RSA1 identifier
    debug3: Could not load "/home/administrator/<filename removed>" as a RSA1 public key
    debug2: key_type_from_name: unknown key type '-----BEGIN'
    debug3: key_read: missing keytype
    debug2: key_type_from_name: unknown key type 'Proc-Type:'
    debug3: key_read: missing keytype
    debug2: key_type_from_name: unknown key type 'DEK-Info:'
    debug3: key_read: missing keytype
    debug3: key_read: missing whitespace
    debug3: key_read: missing whitespace
    debug3: key_read: missing whitespace
    debug3: key_read: missing whitespace
    debug3: key_read: missing whitespace
    debug3: key_read: missing whitespace
    debug3: key_read: missing whitespace
    debug3: key_read: missing whitespace
    debug3: key_read: missing whitespace
    debug3: key_read: missing whitespace
    debug3: key_read: missing whitespace
    debug3: key_read: missing whitespace
    debug3: key_read: missing whitespace
    debug3: key_read: missing whitespace
    debug3: key_read: missing whitespace
    debug3: key_read: missing whitespace
    debug3: key_read: missing whitespace
    debug3: key_read: missing whitespace
    debug3: key_read: missing whitespace
    debug3: key_read: missing whitespace
    debug3: key_read: missing whitespace
    debug3: key_read: missing whitespace
    debug3: key_read: missing whitespace
    debug3: key_read: missing whitespace
    debug3: key_read: missing whitespace
    debug3: key_read: missing whitespace
    debug3: key_read: missing whitespace
    debug3: key_read: missing whitespace
    debug3: key_read: missing whitespace
    debug3: key_read: missing whitespace
    debug3: key_read: missing whitespace
    debug3: key_read: missing whitespace
    debug3: key_read: missing whitespace
    debug3: key_read: missing whitespace
    debug3: key_read: missing whitespace
    debug3: key_read: missing whitespace
    debug3: key_read: missing whitespace
    debug3: key_read: missing whitespace
    debug3: key_read: missing whitespace
    debug3: key_read: missing whitespace
    debug3: key_read: missing whitespace
    debug3: key_read: missing whitespace
    debug3: key_read: missing whitespace
    debug3: key_read: missing whitespace
    debug3: key_read: missing whitespace
    debug3: key_read: missing whitespace
    debug3: key_read: missing whitespace
    debug3: key_read: missing whitespace
    debug3: key_read: missing whitespace
    debug2: key_type_from_name: unknown key type '-----END'
    debug3: key_read: missing keytype
    debug1: identity file /home/administrator/<filename removed> type -1
    debug1: identity file /home/administrator/<filename removed>-cert type -1
    debug1: Remote protocol version 2.0, remote software version OpenSSH_5.5p1 Debian-6+squeeze1
    debug1: match: OpenSSH_5.5p1 Debian-6+squeeze1 pat OpenSSH*
    debug1: Enabling compatibility mode for protocol 2.0
    debug1: Local version string SSH-2.0-OpenSSH_5.8p1 Debian-7ubuntu1
    debug2: fd 3 setting O_NONBLOCK
    debug3: load_hostkeys: loading entries for host "<IP removed>" from file "<filename removed>"
    debug3: load_hostkeys: found key type RSA in file <filename removed>:6
    debug3: load_hostkeys: loaded 1 keys
    debug3: order_hostkeyalgs: prefer hostkeyalgs: ssh-rsa-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ssh-rsa
    debug1: SSH2_MSG_KEXINIT sent
    debug1: SSH2_MSG_KEXINIT received
    debug2: kex_parse_kexinit: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
    debug2: kex_parse_kexinit: ssh-rsa-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ssh-rsa,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,ssh-dss-cert-v00@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-dss
    debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
    debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
    debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
    debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
    debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
    debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
    debug2: kex_parse_kexinit: 
    debug2: kex_parse_kexinit: 
    debug2: kex_parse_kexinit: first_kex_follows 0 
    debug2: kex_parse_kexinit: reserved 0 
    debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
    debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
    debug2: kex_parse_kexinit: blowfish-cbc
    debug2: kex_parse_kexinit: blowfish-cbc
    debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
    debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
    debug2: kex_parse_kexinit: none,zlib@openssh.com
    debug2: kex_parse_kexinit: none,zlib@openssh.com
    debug2: kex_parse_kexinit: 
    debug2: kex_parse_kexinit: 
    debug2: kex_parse_kexinit: first_kex_follows 0 
    debug2: kex_parse_kexinit: reserved 0 
    debug2: mac_setup: found hmac-md5
    debug1: kex: server->client blowfish-cbc hmac-md5 none
    debug2: mac_setup: found hmac-md5
    debug1: kex: client->server blowfish-cbc hmac-md5 none
    debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
    debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
    debug2: dh_gen_key: priv key bits set: 130/256
    debug2: bits set: 521/1024
    debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
    debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
    debug1: Server host key: RSA f6:0a:d9:17:c1:ff:04:ec:f1:00:96:a7:61:20:5c:2e
    debug3: load_hostkeys: loading entries for host "<IP removed>" from file "<filename removed>"
    debug3: load_hostkeys: found key type RSA in file <filename removed>:6
    debug3: load_hostkeys: loaded 1 keys
    debug1: Host '<IP removed>' is known and matches the RSA host key.
    debug1: Found key in <filename removed>:6
    debug2: bits set: 514/1024
    debug1: ssh_rsa_verify: signature correct
    debug2: kex_derive_keys
    debug2: set_newkeys: mode 1
    debug1: SSH2_MSG_NEWKEYS sent
    debug1: expecting SSH2_MSG_NEWKEYS
    debug2: set_newkeys: mode 0
    debug1: SSH2_MSG_NEWKEYS received
    debug1: Roaming not allowed by server
    debug1: SSH2_MSG_SERVICE_REQUEST sent
    debug2: service_accept: ssh-userauth
    debug1: SSH2_MSG_SERVICE_ACCEPT received
    debug2: key: /home/administrator/<filename removed> ((nil))
    debug1: Authentications that can continue: publickey
    debug3: start over, passed a different list publickey
    debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password
    debug3: authmethod_lookup publickey
    debug3: remaining preferred: keyboard-interactive,password
    debug3: authmethod_is_enabled publickey
    debug1: Next authentication method: publickey
    debug1: Trying private key: /home/administrator/<filename removed>
    debug1: key_parse_private_pem: PEM_read_PrivateKey failed
    debug1: read PEM private key done: type <unknown>
    Enter passphrase for key '/home/administrator/<filename removed>': 
    debug1: read PEM private key done: type RSA
    debug3: sign_and_send_pubkey: RSA 43:0d:b5:28:53:51:74:b8:3f:cb:0b:d0:9a:45:9e:6c
    debug2: we sent a publickey packet, wait for reply
    debug1: Authentication succeeded (publickey).
    Authenticated to <IP removed> ([<IP removed>]:22).
    debug1: channel 0: new [client-session]
    debug3: ssh_session2_open: channel_new: 0
    debug2: channel 0: send open
    debug1: Requesting no-more-sessions@openssh.com
    debug1: Entering interactive session.
    debug2: callback start
    debug2: client_session2_setup: id 0
    debug2: fd 3 setting TCP_NODELAY
    debug3: packet_set_tos: set IP_TOS 0x10
    debug2: channel 0: request pty-req confirm 1
    debug1: Sending environment.
    debug3: Ignored env SSH_AGENT_PID
    debug3: Ignored env GPG_AGENT_INFO
    debug3: Ignored env TERM
    debug3: Ignored env SHELL
    debug3: Ignored env XDG_SESSION_COOKIE
    debug3: Ignored env WINDOWID
    debug3: Ignored env GNOME_KEYRING_CONTROL
    debug3: Ignored env GTK_MODULES
    debug3: Ignored env USER
    debug3: Ignored env LS_COLORS
    debug3: Ignored env XDG_SESSION_PATH
    debug3: Ignored env XDG_SEAT_PATH
    debug3: Ignored env SSH_AUTH_SOCK
    debug3: Ignored env SESSION_MANAGER
    debug3: Ignored env USERNAME
    debug3: Ignored env DEFAULTS_PATH
    debug3: Ignored env XDG_CONFIG_DIRS
    debug3: Ignored env PATH
    debug3: Ignored env DESKTOP_SESSION
    debug1: Sending env LC_MESSAGES = en_US.UTF-8
    debug2: channel 0: request env confirm 0
    debug3: Ignored env PWD
    debug3: Ignored env GNOME_KEYRING_PID
    debug1: Sending env LANG = en_US.UTF-8
    debug2: channel 0: request env confirm 0
    debug3: Ignored env MANDATORY_PATH
    debug3: Ignored env UBUNTU_MENUPROXY
    debug3: Ignored env GDMSESSION
    debug3: Ignored env SHLVL
    debug3: Ignored env HOME
    debug3: Ignored env LANGUAGE
    debug3: Ignored env GNOME_DESKTOP_SESSION_ID
    debug3: Ignored env LOGNAME
    debug3: Ignored env XDG_DATA_DIRS
    debug3: Ignored env DBUS_SESSION_BUS_ADDRESS
    debug3: Ignored env LESSOPEN
    debug3: Ignored env DISPLAY
    debug3: Ignored env XDG_CURRENT_DESKTOP
    debug3: Ignored env LESSCLOSE
    debug3: Ignored env COLORTERM
    debug3: Ignored env XAUTHORITY
    debug3: Ignored env _
    debug2: channel 0: request shell confirm 1
    debug2: callback done
    debug2: channel 0: open confirm rwindow 0 rmax 32768
    debug2: channel_input_status_confirm: type 99 id 0
    debug2: PTY allocation request accepted on channel 0
    debug2: channel 0: rcvd adjust 2097152
    debug2: channel_input_status_confirm: type 99 id 0
    debug2: shell request accepted on channel 0
    Last login: Fri Apr 13 13:46:17 2012 from 87-95-192-159.bb.dnainternet.fi
    -bash-4.1# exit
    debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
    debug1: client_input_channel_req: channel 0 rtype eow@openssh.com reply 0
    debug2: channel 0: rcvd eow
    debug2: channel 0: close_read
    debug2: channel 0: input open -> closed
    debug2: channel 0: rcvd eof
    debug2: channel 0: output open -> drain
    debug2: channel 0: rcvd close
    debug3: channel 0: will not send data after close
    logout
    debug3: channel 0: will not send data after close
    debug2: channel 0: obuf empty
    debug2: channel 0: close_write
    debug2: channel 0: output drain -> closed
    debug2: channel 0: almost dead
    debug2: channel 0: gc: notify user
    debug2: channel 0: gc: user detached
    debug2: channel 0: send close
    debug2: channel 0: is dead
    debug2: channel 0: garbage collecting
    debug1: channel 0: free: client-session, nchannels 1
    debug3: channel 0: status: The following connections are open:
      #0 client-session (t4 r0 i3/0 o3/0 fd -1/-1 cc -1)

    Connection to <IP removed> closed.
    Transferred: sent 3256, received 1888 bytes, in 22.1 seconds
    Bytes per second: sent 147.1, received 85.3
    debug1: Exit status 0
    administrator@rauta-m1530-ubuntu:~$

Using the plink.exe shipped with the installed PuTTY:

    C:\Program Files\PuTTY>plink -v -v -v -ssh -l root -2 -i <filename removed> <IP removed>
    Looking up host "<IP removed>"
    Connecting to <IP removed> port 22
    We claim version: SSH-2.0-PuTTY_Release_0.62
    Server version: SSH-2.0-OpenSSH_5.5p1 Debian-6+squeeze1
    Using SSH protocol version 2
    Doing Diffie-Hellman group exchange
    Doing Diffie-Hellman key exchange with hash SHA-256
    Host key fingerprint is:
    ssh-rsa 2048 f6:0a:d9:17:c1:ff:04:ec:f1:00:96:a7:61:20:5c:2e
    Initialised Blowfish-128 CBC client->server encryption
    Initialised HMAC-SHA1 client->server MAC algorithm
    Initialised Blowfish-128 CBC server->client encryption
    Initialised HMAC-SHA1 server->client MAC algorithm
    Reading private key file "<filename removed>"
    Using username "root".
    Offered public key
    Offer of public key accepted
    Authenticating with public key "imported-openssh-key"
    Passphrase for key "imported-openssh-key":
    Sent public key signature
    Access granted
    Opened channel for session
    Allocated pty (ospeed 38400bps, ispeed 38400bps)
    Started a shell/command
    Last login: Fri Apr 13 11:59:39 2012 from <address removed>
    -bash-4.1# exit
    Server sent command exit status 0
    logout
    Disconnected: All channels closed

    C:\Program Files\PuTTY>

EDIT 4: I dropped LoginGraceTime to 0 instead of about 20, and now the key pw is asked for about 30 seconds after it announces the connection as root, and the connection works. Minecraft takes a little longer to respond initially but works normally after that.

I think you want /etc/ssh/sshd_config, so here it is:

    # Package generated configuration file
    # See the sshd_config(5) manpage for details

    # What ports, IPs and protocols we listen for
    Port 22
    # Use these options to restrict which interfaces/protocols sshd will bind to
    #ListenAddress ::
    #ListenAddress 0.0.0.0
    Protocol 2
    # HostKeys for protocol version 2
    HostKey /etc/ssh/ssh_host_rsa_key
    HostKey /etc/ssh/ssh_host_dsa_key
    #Privilege Separation is turned on for security
    UsePrivilegeSeparation yes

    # Lifetime and size of ephemeral version 1 server key
    KeyRegenerationInterval 3600
    ServerKeyBits 4096

    # Logging
    SyslogFacility AUTH
    LogLevel ERROR

    # Authentication:
    LoginGraceTime 0
    PermitRootLogin without-password
    StrictModes yes

    RSAAuthentication no
    PubkeyAuthentication yes
    AuthorizedKeysFile <filename removed>

    # Don't read the user's ~/.rhosts and ~/.shosts files
    IgnoreRhosts yes
    # For this to work you will also need host keys in /etc/ssh_known_hosts
    RhostsRSAAuthentication no
    # similar for protocol version 2
    HostbasedAuthentication no
    # Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
    IgnoreUserKnownHosts yes

    # To enable empty passwords, change to yes (NOT RECOMMENDED)
    PermitEmptyPasswords no

    # Change to yes to enable challenge-response passwords (beware issues with
    # some PAM modules and threads)
    ChallengeResponseAuthentication no

    # Change to no to disable tunnelled clear text passwords
    PasswordAuthentication no

    # Kerberos options
    KerberosAuthentication no
    #KerberosGetAFSToken no
    #KerberosOrLocalPasswd yes
    #KerberosTicketCleanup yes

    # GSSAPI options
    GSSAPIAuthentication no
    #GSSAPICleanupCredentials yes

    X11Forwarding no
    X11DisplayOffset 10
    PrintMotd no
    PrintLastLog yes
    TCPKeepAlive yes
    #UseLogin no

    #MaxStartups 10:30:60
    #Banner /etc/issue.net

    # Allow client to pass locale environment variables
    AcceptEnv LANG LC_*

    Subsystem sftp /usr/lib/openssh/sftp-server

    # Set this to 'yes' to enable PAM authentication, account processing,
    # and session processing. If this is enabled, PAM authentication will
    # be allowed through the ChallengeResponseAuthentication and
    # PasswordAuthentication. Depending on your PAM configuration,
    # PAM authentication via ChallengeResponseAuthentication may bypass
    # the setting of "PermitRootLogin without-password".
    # If you just want the PAM account and session checks to run without
    # PAM authentication, then enable this but set PasswordAuthentication
    # and ChallengeResponseAuthentication to 'no'.
    UsePAM no

    Ciphers blowfish-cbc
    MaxAuthTries 2
    GatewayPorts no
    AllowTcpForwarding no
    KeepAlive yes
    AllowUsers root

iptables-save while on INPUT DENY:

    # Generated by iptables-save v1.4.8 on Wed Apr 11 16:09:20 2012
    *mangle
    :PREROUTING ACCEPT [1430:156843]
    :INPUT ACCEPT [1430:156843]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [1415:781598]
    :POSTROUTING ACCEPT [1415:781598]
    COMMIT
    # Completed on Wed Apr 11 16:09:20 2012
    # Generated by iptables-save v1.4.8 on Wed Apr 11 16:09:20 2012
    *nat
    :PREROUTING ACCEPT [2:104]
    :POSTROUTING ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    COMMIT
    # Completed on Wed Apr 11 16:09:20 2012
    # Generated by iptables-save v1.4.8 on Wed Apr 11 16:09:20 2012
    *filter
    :INPUT DROP [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [1247:708906]
    -A INPUT -i lo -m comment --comment "Machine-within traffic - always allowed" -j ACCEPT
    -A INPUT -p tcp -m comment --comment "Services - TCP" -m tcp -m multiport --dports 22,80,443,10000,20,21 -m state --state NEW,ESTABLISHED -j ACCEPT
    -A INPUT -p tcp -m comment --comment "Minecraft - TCP" -m tcp --dport 25565 -j ACCEPT
    -A INPUT -p udp -m comment --comment "Minecraft - UDP" -m udp --dport 25565 -j ACCEPT
    -A INPUT -p tcp -m comment --comment "Source Dedicated - TCP" -m tcp --dport 27015 -j ACCEPT
    -A INPUT -p udp -m comment --comment "Source Dedicated - UDP" -m udp -m multiport --dports 4380,27000:27030 -j ACCEPT
    -A INPUT -p udp -m comment --comment "TS3 - UDP - main port" -m udp --dport 9987 -j ACCEPT
    -A INPUT -p tcp -m comment --comment "TS3 - TCP - ServerQuery" -m tcp --dport 10011 -j ACCEPT
    -A OUTPUT -o lo -m comment --comment "Machine-within traffic - always allowed" -j ACCEPT
    COMMIT
    # Completed on Wed Apr 11 16:09:20 2012

iptables --list while on INPUT DENY:

    Chain INPUT (policy DROP)
    target     prot opt source               destination
    ACCEPT     all  --  anywhere             anywhere             /* Machine-within traffic - always allowed */
    ACCEPT     tcp  --  anywhere             anywhere             /* Services - TCP */ tcp multiport dports ssh,www,https,webmin,ftp-data,ftp state NEW,ESTABLISHED
    ACCEPT     tcp  --  anywhere             anywhere             /* Minecraft - TCP */ tcp dpt:25565
    ACCEPT     udp  --  anywhere             anywhere             /* Minecraft - UDP */ udp dpt:25565
    ACCEPT     tcp  --  anywhere             anywhere             /* Source Dedicated - TCP */ tcp dpt:27015
    ACCEPT     udp  --  anywhere             anywhere             /* Source Dedicated - UDP */ udp multiport dports 4380,27000:27030
    ACCEPT     udp  --  anywhere             anywhere             /* TS3 - UDP - main port */ udp dpt:9987
    ACCEPT     tcp  --  anywhere             anywhere             /* TS3 - TCP - ServerQuery */ tcp dpt:10011

    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination

    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination
    ACCEPT     all  --  anywhere             anywhere             /* Machine-within traffic - always allowed */

The UFW rules before the purge, on INPUT DENY:

    127.0.0.1                  ALLOW IN    127.0.0.1
    3306                       DENY IN     Anywhere
    20,21/tcp                  ALLOW IN    Anywhere
    22/tcp (OpenSSH)           ALLOW IN    Anywhere
    80/tcp                     ALLOW IN    Anywhere
    443/tcp                    ALLOW IN    Anywhere
    989                        ALLOW IN    Anywhere
    990                        ALLOW IN    Anywhere
    8075/tcp                   ALLOW IN    Anywhere
    9987/udp                   ALLOW IN    Anywhere
    10000/tcp                  ALLOW IN    Anywhere
    10011/tcp                  ALLOW IN    Anywhere
    25565/tcp                  ALLOW IN    Anywhere
    27000:27030/tcp            ALLOW IN    Anywhere
    4380/udp                   ALLOW IN    Anywhere
    27014:27050/tcp            ALLOW IN    Anywhere
    30033/tcp                  ALLOW IN    Anywhere
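An added check, not part of the question or the answer: the filter table above has an INPUT policy of DROP and only accepts ESTABLISHED traffic for the listed TCP ports, so replies to the host's own outbound UDP requests (a DNS lookup, for instance) would be dropped and the caller would wait for a timeout; the script below treats that as a hypothesis to test against the ruleset, not as a diagnosis the page states. It parses an iptables-save dump (a constructed excerpt of the page's filter table), flags a DROP policy that lacks a protocol-independent ESTABLISHED,RELATED accept rule, and produces the corrected dump with that rule inserted.

```shell
#!/bin/sh
# Editor's example: audit an iptables-save dump for an INPUT chain that drops
# by default but never accepts ESTABLISHED,RELATED return traffic for all
# protocols. The sample is a constructed excerpt of the page's filter table;
# the inserted rule is this script's suggested fix, not the page's own.

SAMPLE_RULES='# Generated by iptables-save v1.4.8 (constructed excerpt)
*mangle
:INPUT ACCEPT [0:0]
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -m comment --comment "Machine-within traffic - always allowed" -j ACCEPT
-A INPUT -p tcp -m comment --comment "Services - TCP" -m tcp -m multiport --dports 22,80,443,10000,20,21 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m comment --comment "TS3 - UDP - main port" -m udp --dport 9987 -j ACCEPT
-A OUTPUT -o lo -m comment --comment "Machine-within traffic - always allowed" -j ACCEPT
COMMIT'

RETURN_RULE='-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'

# filter_table DUMP -> only the lines of the *filter table (mangle and nat
# also have an INPUT chain whose policy must not be mistaken for it).
filter_table() {
    printf '%s\n' "$1" | awk '/^\*/ { in_filter = ($1 == "*filter"); next } in_filter'
}

# input_policy DUMP -> default policy of the filter INPUT chain (DROP/ACCEPT)
input_policy() {
    filter_table "$1" | awk '/^:INPUT / { print $2 }'
}

# has_return_rule DUMP -> succeeds if some filter INPUT rule accepts
# ESTABLISHED,RELATED without being restricted to one protocol (-p ...).
has_return_rule() {
    filter_table "$1" | grep '^-A INPUT ' | grep -v -- ' -p ' \
        | grep -E -- '--(state|ctstate) (ESTABLISHED,RELATED|RELATED,ESTABLISHED)' \
        | grep -q -- '-j ACCEPT'
}

# verdict DUMP -> "ok" or "missing-return-rule"
verdict() {
    if [ "$(input_policy "$1")" = "DROP" ] && ! has_return_rule "$1"; then
        echo "missing-return-rule"
    else
        echo "ok"
    fi
}

# fix_dump DUMP -> same dump with the return-traffic rule inserted as the
# first rule of the filter INPUT chain (right after the chain policy lines).
fix_dump() {
    printf '%s\n' "$1" | awk -v rule="$RETURN_RULE" '
        /^\*/ { in_filter = ($1 == "*filter") }
        { print }
        in_filter && /^:OUTPUT / { print rule }'
}

FIXED_RULES="$(fix_dump "$SAMPLE_RULES")"

echo "original: $(verdict "$SAMPLE_RULES")"   # missing-return-rule
echo "fixed:    $(verdict "$FIXED_RULES")"    # ok
```

Feed a real dump with `verdict "$(iptables-save)"`; the check only looks at the filter table, and a rule restricted to `-p tcp` (as on this page) does not count as a return-traffic rule.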

One solution collected from the web for “SSH stops at "Using username" with IPTables in effect”

The firewall rules look correct. I'm not sure what the PuTTY output means in terms of connection state – can you provide ssh -v output from another client?

If it establishes a connection and then hangs, I would suspect MTU or MSS problems. Try lowering the MTU on the server and the client and check whether things work.

Do the other open protocols behave normally from the same client machine you are testing from?
