How to elegantly solve the ssh "Too many authentication failures" problem

/*********************************************************************
 * Author : Samson
 * Date : 12/27/2021
 * Test platform: Debian 10
 *********************************************************************/

Problem description

When MaxAuthTries is set on the sshd server, the server refuses further attempts once that number of tries is reached. If the client has ssh keys, the ssh client by default authenticates with its existing public keys first, and every rejected key counts against MaxAuthTries as well. For example, with MaxAuthTries set to 3 on the server and two public keys on the client, a single wrong password is enough to trigger the "Too many authentication failures" error, as shown here:

~$ ssh test@172.30.18.165
test@172.30.18.165's password: 
Received disconnect from 172.30.18.165 port 22:2: Too many authentication failures
Authentication failed.

Approaches to the problem

1. Simply raise MaxAuthTries in sshd

Raising MaxAuthTries in the server's /etc/ssh/sshd_config works, but it weakens the server's security, and in many cases the server is not under the client's control anyway;

2. Delete the local ssh public keys

Simply deleting the client's local ssh public keys also solves the problem, but it is unfriendly to the client and far too crude, so it is not recommended;

3. Change the client's authentication order

The description of the '-i' option in 'man ssh' says:

-i identity_file
             Selects a file from which the identity (private key) for public key authentication is read.  The default is ~/.ssh/id_dsa, ~/.ssh/id_ecdsa, ~/.ssh/id_ed25519 and ~/.ssh/id_rsa.  Identity files may also be specified on a per-host basis in the configuration file.  It is possible to have multiple -i options (and multiple identities specified in configuration files).  If no certificates have been explicitly specified by the CertificateFile directive, ssh will also try to load certificate information from the filename obtained by appending -cert.pub to identity filenames.

From this description, if no key is specified with -i, ssh tries each of the default identity files under ~/.ssh in turn;

In 'man ssh_config', the description of PreferredAuthentications shows that the default authentication order is:

gssapi-with-mic,hostbased,publickey,keyboard-interactive,password

So public-key authentication is tried before password authentication;

The PreferredAuthentications parameter is described as follows:

PreferredAuthentications
             Specifies the order in which the client should try authentication methods.  This allows a client to prefer one method (e.g. keyboard-interactive) over another method (e.g. password).  The default is:

                   gssapi-with-mic,hostbased,publickey,
                   keyboard-interactive,password

Setting PreferredAuthentications in the client's /etc/ssh/ssh_config therefore changes the default order and solves the problem in this example:

PreferredAuthentications password,gssapi-with-mic,hostbased,publickey,keyboard-interactive

Connect again with ssh and the problem is gone;

All three methods solve the problem in this example, but the third is the most elegant and is the one recommended here.

Debugging: how to see the authentication order

Use the following command:

ssh -v test@172.30.18.165
...
...
...
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/test/.ssh/id_rsa
debug1: Authentications that can continue: publickey,password
debug1: Offering ED25519 public key: /home/test/.ssh/id_ed25519
debug1: Authentications that can continue: publickey,password
debug1: Trying private key: /home/test/.ssh/id_dsa
debug1: Trying private key: /home/test/.ssh/id_ecdsa
debug1: Next authentication method: password

The output above shows that both public keys, 'debug1: Offering RSA public key: /home/test/.ssh/id_rsa' and 'debug1: Offering ED25519 public key: /home/test/.ssh/id_ed25519', were tried and rejected, and 'debug1: Authentications that can continue: publickey,password' shows that the default order is public key first, then password.

After applying the third method above, debugging in the same environment shows 'Next authentication method: password' first, and 'Too many authentication failures' appears only after three wrong passwords, as shown here:

ssh -v test@172.30.18.165
...
...
...
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: password
test@172.30.18.165's password: 
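To check the effect of key offers on MaxAuthTries without guessing, the following added script (not part of the original post) counts the "Offering ... public key" lines in `ssh -v` output and reports how many password attempts remain under a given MaxAuthTries, and which method the client tried first. The debug lines embedded in it are constructed to mirror the output shown above; the MaxAuthTries value is an assumption passed in as an argument.

```shell
#!/bin/sh
# Added example: read `ssh -v` debug output and estimate how many password
# attempts are left before sshd answers "Too many authentication failures".

# Constructed sample, copied from the shape of the debug output in the post.
SAMPLE_DEBUG='debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/test/.ssh/id_rsa
debug1: Authentications that can continue: publickey,password
debug1: Offering ED25519 public key: /home/test/.ssh/id_ed25519
debug1: Authentications that can continue: publickey,password
debug1: Trying private key: /home/test/.ssh/id_dsa
debug1: Trying private key: /home/test/.ssh/id_ecdsa
debug1: Next authentication method: password'

# count_key_offers DEBUG_OUTPUT
# Only keys actually sent to the server count. "Trying private key" lines for
# files that do not exist never reach sshd, so they are ignored.
count_key_offers() {
    printf '%s\n' "$1" | grep -c 'debug1: Offering .* public key:' || true
}

# password_attempts_left MAXAUTHTRIES DEBUG_OUTPUT
# Each rejected key offer consumes one of sshd's MaxAuthTries; whatever is
# left is the number of password prompts before the disconnect.
password_attempts_left() {
    max="$1"
    offers=$(count_key_offers "$2")
    left=$((max - offers))
    if [ "$left" -lt 0 ]; then
        left=0
    fi
    echo "$left"
}

# first_auth_method DEBUG_OUTPUT
# The method named in the first "Next authentication method" line; after the
# PreferredAuthentications change from the post this should be "password".
first_auth_method() {
    printf '%s\n' "$1" | sed -n 's/^debug1: Next authentication method: //p' | head -n 1
}

# Stand-alone usage, assuming MaxAuthTries 3 as in the post (constructed).
echo "keys offered: $(count_key_offers "$SAMPLE_DEBUG")"
echo "password attempts left: $(password_attempts_left 3 "$SAMPLE_DEBUG")"
echo "first method tried: $(first_auth_method "$SAMPLE_DEBUG")"
```

For real output, capture it with `ssh -v user@host 2>debug.log` and pass `"$(cat debug.log)"` in place of the sample; a result of 0 means the offered keys alone exhaust MaxAuthTries.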