SSH远程登录提示Permission denied, please try again,但是密码正确

一、问题现象

debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
Permission denied, please try again.

/etc/ssh/sshd_config

$OpenBSD: sshd_config, v 1.100 2016/08/15 12: 32:04 naddy Exp $

# This is the sshd server system- wide confiquration file. See 
# sshd config(5) for more information.

# This sshd was compiled with PATH=/usr/local/bin: /usr/bin

# The strategy used for options in the default sshd_config shipped with 
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Unconmented options override the 
# default value.

# If you want to change the port on a SELinux system, you have to tell 
# SELinux about this change.
# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
Port 22
#AddressFamily any
ListenAddress 0.0.0.0
ListenAddress ::

HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key

# Ciphers and keying
#RekeyLimit default none

# Logging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#PubkeyAuthentication yes

# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile	.ssh/authorized_keys

#AuthorizedPrincipalsFile none

#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication yes

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
#KerberosUseKuserok yes

# GSSAPI options
GSSAPIAuthentication yes
GSSAPICleanupCredentials no
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
#GSSAPIEnablek5users no

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
# WARNING: 'UsePAM no' is not supported in Red Hat Enterprise Linux and may cause several
# problems.
UsePAM yes

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation sandbox
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#ShowPatchLevel no
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

# no default banner path
#Banner none

# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS

# override default of no subsystems
Subsystem	sftp	/usr/libexec/openssh/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#	X11Forwarding no
#	AllowTcpForwarding no
#	PermitTTY no
#	ForceCommand cvs server

二、分析

  • 查看sshd日志

    journalctl -xe -u sshd -f -n 50

  • 查看lastb 试图登陆但没成功的用户

    lastb

  • ssh_config(客户端)sshd_config(服务端)配置文件修改完,重启才会生效!!!

  • 分析linux下ssh登录日志文件位置:

    cat /var/log/secure

tail /var/log/secure

每行信息各字段含义
月份 日期 时分秒 服务器主机名 程序(sshd或则su) 模块 详细信息

三、解决方案

  1. 本地的.ssh文件夹里面的known_host文件删除

  2. 查看ssh进程

    ps -ef | grep sshd

    root      1052     1  0 11:53 ?        00:00:00 /usr/sbin/sshd -D

    ps -eo pid,lstart,etime | grep 1052

  3. 开启22端口

    • 验证SELinux开放

      semanage port -l|grep ssh

    • 开放SELinux端口

      semanage port -a -t ssh_port_t -p tcp 22

    • 查看防火墙22端口是否被开启

      firewall-cmd --permanent --query-port=22/tcp

    • 开放防火墙

      firewall-cmd --permanent --zone=public --add-port=22/tcp 
firewall-cmd --reload

    • 重启ssh服务

      systemctl restart sshd

  4. 查看相应用户的 Shell 是否被修改成了 nologin

    cat /etc/passwd | grep <user>

    <user>:x:1000:1000::/home/<user>:/sbin/nologin

    --

    修改

    vim /etc/passwd

将 /sbin/nologin 修改为 /bin/bash

  5. 修改sshd_config文件

    vim /etc/ssh/sshd_config

    修改后

    LoginGraceTime 120
#允许超级用户登录
PermitRootLogin yes
#允许服务端的任意一个存在的用户通过登陆系统的密码做sshd的认证
PasswordAuthentication yes
PubkeyAuthentication yes
StrictModes yes

    重启ssh服务

    systemctl restart sshd

  6. 查询账号过期时间

    chage -l <user>

    修改/etc/shadow这个文件将-2去掉,修改掉-2之后

    vim /etc/shadow

oracle:$1$pWh44Lv.$NAdyWSH.ZcYzU6w1JmYVx1:17744:6:99999:30:::

原来:
oracle:$1$pWh44Lv.$NAdyWSH.ZcYzU6w1JmYVx1:17744:6:99999:30::-2:

  7. 关闭SELinux,修改SELinux配置,改成disabled(关闭) 或permissive(宽容模式)

    • 临时关闭

      setenforce 0

    • 永久关闭

    vim /etc/selinux/config


# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of three two values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=permissive4

    SELinux配置修改后,一定要重启才能够生效!!!

    reboot
#或者
shutdown -r now

  8. 设定白名单

    修改sshd_config文件,在58行添加AllowUesrs tom lee设定用户的白名单,此名单里面的用户可以做sshd服

    服务端不存在用户直接输入即可生成此错误观点, 多个用户用空格隔开,若写入服务端本身不存在的用户,那么当客户端连接服务端的时需要密码就不知道是什么,因此必须先在服务端建立实验用户并且设置实验用户的密码,这样在客户端连接的时候才能看到实验效果

    AuthorizedKeysFile	.ssh/authorized_keys
AllowUsers          tom less

    重启ssh服务

    systemctl restart sshd

三、免密操作

  • 服务端输入 ssh-keygen ,生成钥匙和密码 , id_rsa是钥匙 ,id_rsa.pub是锁

    ssh-keygen | 生成密钥

  • 服务端输入:ssh-copy-id -i /root/.ssh/id_rsa.pub root@<IP地址> 先给自己上锁即给服务端上锁

  • 服务端输入:scp /root/.ssh/id_rsa root@<IP地址>:/root/.ssh/ 将密码传给客户端

四、sshd常用的安全设定

安全设定含义
/etc/ssh/sshd_config的第78行 PasswordAuthentication yes/no是否允许服务端的任意一个存在的用户通过登陆系统的密码做sshd的认证
/etc/ssh/sshd_config的第48行 PermitRootLogin yes/no是否允许服务端的root用户通过sshd的服务
加入AllowUesrs 用户名设定用户的白名单,此名单内的用户可以做sshd服务 (文件里不存在 直接输入即可 多个用户用空格隔开)
加入DenyUsers 用户名设定用户的黑名单,此名单内的用户不可以做sshd服务

五、常用的审计命令

命令含义
w查看正在使用当前系统的用户
w -i显示正在连接我的主机的ip
w -f查看使用的客户端来源,显示主机名等信息
last查看使用过并且退出的用户信息
lastb试图登陆但没成功的用户

六、Windows SSH连接

  • 链接命令

    ssh -vvv root@<IP地址>

    私钥地址

    C:\\User\<name>/.ssh/**

  • 1