linux连接sftp标签页失败,ssh – SFTP突然因为亚马逊Linux上的chroot帐户而失败

65 阅读 0 评论 43 点赞

我是靠谱客的博主野性外套，最近开发中收集的这篇文章主要介绍linux连接sftp标签页失败,ssh – SFTP突然因为亚马逊Linux上的chroot帐户而失败，觉得挺不错的，现在分享给大家，希望可以做个参考。

概述

令人沮丧的是,SFTP用户突然无法连接到我的Amazon

Linux服务器.

/ var / log / secure显示以下错误：

sshd[7291]: fatal: safely_chroot: stat("/chroot/uhleeka"): Permission denied [postauth]

在/ var /日志/安全：

==> /var/log/secure <==

Nov 21 23:49:23 amzl-lamp sshd[7291]: Accepted password for uhleeka from 172.31.0.254 port 47170 ssh2

Nov 21 23:49:24 amzl-lamp sshd[7291]: pam_unix(sshd:session): session opened for user uhleeka by (uid=0)

Nov 21 23:49:24 amzl-lamp sshd[7291]: fatal: safely_chroot: stat("/chroot/uhleeka"): Permission denied [postauth]

Nov 21 23:49:24 amzl-lamp sshd[7291]: pam_unix(sshd:session): session closed for user uhleeka

SSHD的调试输出：

$/usr/sbin/sshd -ddd -p 33333

...

debug1: SELinux support disabled

debug1: PAM: establishing credentials

debug3: PAM: opening session

debug1: monitor_reinit: /dev/log doesn't exist in /chroot/%u chroot - will try to log via monitor using [postauth] suffix

User child is on pid 6655

debug1: PAM: establishing credentials [postauth]

debug3: safely_chroot: checking '/' [postauth]

debug3: safely_chroot: checking '/chroot/' [postauth]

debug3: safely_chroot: checking '/chroot/uhleeka' [postauth]

safely_chroot: stat("/chroot/uhleeka"): Permission denied [postauth]

debug1: do_cleanup [postauth]

debug3: PAM: sshpam_thread_cleanup entering [postauth]

debug3: mm_request_send entering: type 124 [postauth]

debug3: mm_request_receive entering

debug3: monitor_read: checking request 124

debug3: mm_request_receive entering

debug1: do_cleanup

debug1: PAM: cleanup

debug1: PAM: closing session

debug1: PAM: deleting credentials

debug3: PAM: sshpam_thread_cleanup entering

SELinux被禁用：

$sestatus

SELinux status: disabled

$ls -lZ /chroot/uhleeka/

drwxr-x--- root root ? .

drwx--x--- root sftp-only ? ..

drwx--x--- root sftp-only ? etc

drwxr-xr-x root sftp-only ? home

没有配置更改或权限更改,但昨天运行了yum update：

$rpm -qa --last

system-release-2016.09-0.8.noarch Mon 21 Nov 2016 04:34:40 PM UTC

cloud-init-0.7.6-2.14.amzn1.noarch Mon 21 Nov 2016 04:34:40 PM UTC

python26-botocore-1.4.74-1.60.amzn1.noarch Mon 21 Nov 2016 04:34:39 PM UTC

openssh-server-6.6.1p1-31.62.amzn1.x86_64 Mon 21 Nov 2016 04:34:39 PM UTC

openssh-clients-6.6.1p1-31.62.amzn1.x86_64 Mon 21 Nov 2016 04:34:39 PM UTC

aws-cli-1.11.17-1.43.amzn1.noarch Mon 21 Nov 2016 04:34:39 PM UTC

python27-botocore-1.4.74-1.60.amzn1.noarch Mon 21 Nov 2016 04:34:38 PM UTC

bind-utils-9.8.2-0.47.rc1.51.amzn1.x86_64 Mon 21 Nov 2016 04:34:38 PM UTC

bind-libs-9.8.2-0.47.rc1.51.amzn1.x86_64 Mon 21 Nov 2016 04:34:38 PM UTC

openssh-6.6.1p1-31.62.amzn1.x86_64 Mon 21 Nov 2016 04:34:37 PM UTC

...

It was discovered that the OpenSSH sshd daemon fetched PAM environment settings before running the login program. In configurations with UseLogin=yes and the pam_env PAM module configured to read user environment settings, a local user could use this flaw to execute arbitrary code as root.

/ etc / ssh / sshd_config具有：

UsePAM yes

#UseLogin no

#PermitUserEnvironment no

最新的更新似乎是最可能的罪魁祸首.是否存在配置问题导致只有chroot用户突然停止被拒绝访问最新的openssh？