Контейнер SSH rkt на базе CentOS7: сбой настройки сеанса PAM


1

Я не могу войти в SSH-хост, работающий в контейнере rkt на базе CentOS7, потому что установка сеанса PAM никогда не завершается - даже если для ведения журнала установлено значение DEBUG3, сообщения об ошибке нет - журналы просто заканчиваются, к sshd[10]: debug3: PAM: opening sessionчему ведет клиентская сторона Write failed: Broken pipe. Демон SSH продолжает работать.

/etc/ssh/sshd_config:

#   $OpenBSD: sshd_config,v 1.93 2014/01/10 05:59:19 djm Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/bin:/usr/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

# If you want to change the port on a SELinux system, you have to tell
# SELinux about this change.
# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
#
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# The default requires explicit activation of protocol 1
#Protocol 2

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024

# Ciphers and keying
#RekeyLimit default none

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
LogLevel DEBUG3

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#RSAAuthentication yes
#PubkeyAuthentication yes

# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile  .ssh/authorized_keys

#AuthorizedPrincipalsFile none

#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication yes

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
#KerberosUseKuserok yes

# GSSAPI options
GSSAPIAuthentication yes
GSSAPICleanupCredentials no
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
#GSSAPIEnablek5users no

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
# WARNING: 'UsePAM no' is not supported in Red Hat Enterprise Linux and may cause several
# problems.
UsePAM yes

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation sandbox     # Default for new installations.
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#ShowPatchLevel no
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

# no default banner path
#Banner none

# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS

# override default of no subsystems
Subsystem   sftp    /usr/libexec/openssh/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#   X11Forwarding no
#   AllowTcpForwarding no
#   PermitTTY no
#   ForceCommand cvs server

/etc/pam.d/sshd:

#%PAM-1.0
auth       required pam_sepermit.so
auth       substack     password-auth
auth       include      postlogin
# Used with polkit to reauthorize users in remote sessions
-auth      optional     pam_reauthorize.so prepare
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session optional pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    required     pam_namespace.so
session    optional     pam_keyinit.so force revoke
session    include      password-auth
session    include      postlogin
# Used with polkit to reauthorize users in remote sessions
-session   optional     pam_reauthorize.so prepare

Журнал на стороне сервера: pastebin . Это заканчивается:

Aug 14 09:55:06 rkt-1f29b259-f7a3-45a3-912a-58f401f8da79 sshd[10]: Accepted publickey for root from 172.16.28.1 port 45040 ssh2: RSA dc:7b:dc:02:bd:87:0b:7a:ad:a0:71:78:e4:18:86:5
Aug 14 09:55:06 rkt-1f29b259-f7a3-45a3-912a-58f401f8da79 sshd[10]: debug1: monitor_child_preauth: root has been authenticated by privileged process
Aug 14 09:55:06 rkt-1f29b259-f7a3-45a3-912a-58f401f8da79 sshd[10]: debug3: mm_get_keystate: Waiting for new keys
Aug 14 09:55:06 rkt-1f29b259-f7a3-45a3-912a-58f401f8da79 sshd[10]: debug3: mm_request_receive_expect entering: type 26
Aug 14 09:55:06 rkt-1f29b259-f7a3-45a3-912a-58f401f8da79 sshd[10]: debug3: mm_request_receive entering
Aug 14 09:55:06 rkt-1f29b259-f7a3-45a3-912a-58f401f8da79 sshd[10]: debug3: mm_newkeys_from_blob: 0x7eff5524bd40(138)
Aug 14 09:55:06 rkt-1f29b259-f7a3-45a3-912a-58f401f8da79 sshd[10]: debug2: mac_setup: setup hmac-md5-etm@openssh.com
Aug 14 09:55:06 rkt-1f29b259-f7a3-45a3-912a-58f401f8da79 sshd[10]: debug3: mm_get_keystate: Waiting for second key
Aug 14 09:55:06 rkt-1f29b259-f7a3-45a3-912a-58f401f8da79 sshd[10]: debug3: mm_newkeys_from_blob: 0x7eff5524bd40(138)
Aug 14 09:55:06 rkt-1f29b259-f7a3-45a3-912a-58f401f8da79 sshd[10]: debug2: mac_setup: setup hmac-md5-etm@openssh.com
Aug 14 09:55:06 rkt-1f29b259-f7a3-45a3-912a-58f401f8da79 sshd[10]: debug3: mm_get_keystate: Getting compression state
Aug 14 09:55:06 rkt-1f29b259-f7a3-45a3-912a-58f401f8da79 sshd[10]: debug3: mm_get_keystate: Getting Network I/O buffers
Aug 14 09:55:06 rkt-1f29b259-f7a3-45a3-912a-58f401f8da79 sshd[10]: debug3: mm_request_receive_expect entering: type 122
Aug 14 09:55:06 rkt-1f29b259-f7a3-45a3-912a-58f401f8da79 sshd[10]: debug3: mm_request_receive entering
Aug 14 09:55:06 rkt-1f29b259-f7a3-45a3-912a-58f401f8da79 sshd[10]: debug3: mm_request_send entering: type 123
Aug 14 09:55:06 rkt-1f29b259-f7a3-45a3-912a-58f401f8da79 sshd[10]: debug2: userauth_pubkey: authenticated 1 pkalg ssh-rsa [preauth]
Aug 14 09:55:06 rkt-1f29b259-f7a3-45a3-912a-58f401f8da79 sshd[10]: debug3: mm_do_pam_account entering [preauth]
Aug 14 09:55:06 rkt-1f29b259-f7a3-45a3-912a-58f401f8da79 sshd[10]: debug3: mm_request_send entering: type 102 [preauth]
Aug 14 09:55:06 rkt-1f29b259-f7a3-45a3-912a-58f401f8da79 sshd[10]: debug3: mm_request_receive_expect entering: type 103 [preauth]
Aug 14 09:55:06 rkt-1f29b259-f7a3-45a3-912a-58f401f8da79 sshd[10]: debug3: mm_request_receive entering [preauth]
Aug 14 09:55:06 rkt-1f29b259-f7a3-45a3-912a-58f401f8da79 sshd[10]: debug3: mm_do_pam_account returning 1 [preauth]
Aug 14 09:55:06 rkt-1f29b259-f7a3-45a3-912a-58f401f8da79 sshd[10]: debug3: mm_send_keystate: Sending new keys: 0x7eff55233ce0 0x7eff552382d0 [preauth]
Aug 14 09:55:06 rkt-1f29b259-f7a3-45a3-912a-58f401f8da79 sshd[10]: debug3: mm_newkeys_to_blob: converting 0x7eff55233ce0 [preauth]
Aug 14 09:55:06 rkt-1f29b259-f7a3-45a3-912a-58f401f8da79 sshd[10]: debug3: mm_newkeys_to_blob: converting 0x7eff552382d0 [preauth]
Aug 14 09:55:06 rkt-1f29b259-f7a3-45a3-912a-58f401f8da79 sshd[10]: debug3: mm_send_keystate: New keys have been sent [preauth]
Aug 14 09:55:06 rkt-1f29b259-f7a3-45a3-912a-58f401f8da79 sshd[10]: debug3: mm_send_keystate: Sending compression state [preauth]
Aug 14 09:55:06 rkt-1f29b259-f7a3-45a3-912a-58f401f8da79 sshd[10]: debug3: mm_request_send entering: type 26 [preauth]
Aug 14 09:55:06 rkt-1f29b259-f7a3-45a3-912a-58f401f8da79 sshd[10]: debug3: mm_send_keystate: Finished sending state [preauth]
Aug 14 09:55:06 rkt-1f29b259-f7a3-45a3-912a-58f401f8da79 sshd[10]: debug3: mm_request_send entering: type 122 [preauth]
Aug 14 09:55:06 rkt-1f29b259-f7a3-45a3-912a-58f401f8da79 sshd[10]: debug3: mm_request_receive_expect entering: type 123 [preauth]
Aug 14 09:55:06 rkt-1f29b259-f7a3-45a3-912a-58f401f8da79 sshd[10]: debug3: mm_request_receive entering [preauth]
Aug 14 09:55:06 rkt-1f29b259-f7a3-45a3-912a-58f401f8da79 sshd[10]: debug1: monitor_read_log: child log fd closed
Aug 14 09:55:06 rkt-1f29b259-f7a3-45a3-912a-58f401f8da79 sshd[10]: debug3: mm_share_sync: Share sync
Aug 14 09:55:06 rkt-1f29b259-f7a3-45a3-912a-58f401f8da79 sshd[10]: debug3: mm_share_sync: Share sync end
Aug 14 09:55:06 rkt-1f29b259-f7a3-45a3-912a-58f401f8da79 sshd[10]: debug3: ssh_sandbox_parent_finish: finished
Aug 14 09:55:06 rkt-1f29b259-f7a3-45a3-912a-58f401f8da79 sshd[10]: debug1: temporarily_use_uid: 0/0 (e=0/0)
Aug 14 09:55:06 rkt-1f29b259-f7a3-45a3-912a-58f401f8da79 sshd[10]: debug1: ssh_gssapi_storecreds: Not a GSSAPI mechanism
Aug 14 09:55:06 rkt-1f29b259-f7a3-45a3-912a-58f401f8da79 sshd[10]: debug1: restore_uid: 0/0
Aug 14 09:55:06 rkt-1f29b259-f7a3-45a3-912a-58f401f8da79 sshd[10]: debug1: SELinux support disabled
Aug 14 09:55:06 rkt-1f29b259-f7a3-45a3-912a-58f401f8da79 sshd[10]: debug1: PAM: establishing credentials
Aug 14 09:55:06 rkt-1f29b259-f7a3-45a3-912a-58f401f8da79 sshd[10]: debug3: PAM: opening session

Журнал на стороне клиента: pastebin

Если я отключу PAM (который не поддерживается в RHEL & CentOS, но только для тестирования), сессия будет установлена ​​и немедленно прервана клиентом (я опубликую вставку в комментарии). Я тоже пытался ...

  • закомментируйте UsePrivilegeSeparation sandbox
  • отключил SELinux в контейнере (оказывается, что он даже не установлен внутри)

без заметного эффекта. Кто-нибудь знает, что может заставить PAM вести себя так плохо, что нет даже сообщения об ошибке? Я видел во многих других потоках, что PAM создает проблемы в сочетании с chroot, но все еще есть явные сообщения об ошибках, здесь это похоже на внезапную смерть ... (sshd все еще работает)

PS: кто-нибудь с достаточной репутацией может создать тэг rkt, пожалуйста? Спасибо


Pastebin для журнала на стороне сервера с отключенным PAM: pastebin.com/nnKpg5Z4
DonTseTse

Что такое пользователи, к которым вы подключаетесь, оболочка в контейнере?
Jakuje

@Jakuje: root. По умолчанию в контейнере нет другого пользователя
DonTseTse
Используя наш сайт, вы подтверждаете, что прочитали и поняли нашу Политику в отношении файлов cookie и Политику конфиденциальности.
Licensed under cc by-sa 3.0 with attribution required.