sudo via cron'ed ssh works on RHEL6 but not on RHEL7 (/dev/tty: No such device or address)


3

I give up:

I have a cronjob script that I've been running for years (from an RHEL 6.7 machine) that ssh's remotely into other RHEL machines. It works perfectly with RHEL 5 and 6, but not with RHEL 7. In its simplest form the script boils down to:

ssh -tttvi /home/robot/.ssh/passwdlesskey  robot@${ThatIP} sudo -l

On all of the remote machines (RHEL 6 and 7) the respective sudoers file contains

Defaults    requiretty

As expected, the script runs fine against RHEL 7 from the command line. Likewise, from cron it runs fine against RHEL 5 and 6, but against 7:

debug1: read_passphrase: can't open /dev/tty: No such device or address
Host key verification failed.

One peculiarity worth noting is the difference in the SSH output when the command is run against the RHEL 7 server from the command line vs. from cron

                                  CRON                                  |                              COMMAND LINE
------------------------------------------------------------------------+------------------------------------------------------------------------
debug1: skipped DNS lookup for numerical hostname                       | debug1: skipped DNS lookup for numerical hostname
WARNING: ECDSA key found for host 10.96.16.108                          | debug1: Host '10.96.16.108' is known and matches the ECDSA host key.
in /home/robot/.ssh/known_hosts:416                                     | debug1: Found key in /home/robot/.ssh/known_hosts:416
ECDSA key fingerprint ee:67:90:d3:c3:b8:db:c7:d3:6a:68:6a:78:fd:25:da.  | debug1: SSH2_MSG_NEWKEYS sent
+--[ECDSA  256]---+                                                     | debug1: expecting SSH2_MSG_NEWKEYS
|                 |                                                     | debug1: SSH2_MSG_NEWKEYS received
|                 |                                                     | debug1: Roaming not allowed by server
|                 |                                                     | debug1: SSH2_MSG_SERVICE_REQUEST sent
|                 |                                                     | debug1: SSH2_MSG_SERVICE_ACCEPT received
|        S=       |                                                     | debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password                                          
|       .= +      |                                                     | debug1: Next authentication method: publickey
|       ..= +...  |                                                     | debug1: Offering DSA public key: /home/robot/.ssh/passwdlesskey
|      ..+.*o=o.  |                                                     | debug1: Server accepts key: pkalg ssh-dss blen 433
|       o+*o+Eo   |                                                     | debug1: Authentication succeeded (publickey).
+-----------------+                                                     | Authenticated to 10.96.16.108 ([10.96.16.108]:22).
                                                                        | debug1: channel 0: new [client-session]
debug1: read_passphrase: can't open /dev/tty: No such device or address | debug1: Entering interactive session.
Host key verification failed.                                           | debug1: Sending command: sudo -l
------------------------------------------------------------------------+------------------------------------------------------------------------

I have a theory: similar to the way scp/sftp don't like interactive shell output, I think the randomart the RHEL 7 server displays is interfering with my script. But even replacing ssh -v with -q didn't help.

sshd's LogLevel is DEBUG2:

Mar  9 10:51:01 rhel7test sshd[26198]: debug1: Forked child 26209.
Mar  9 10:51:01 rhel7test sshd[26209]: Set /proc/self/oom_score_adj to 0
Mar  9 10:51:01 rhel7test sshd[26209]: debug1: rexec start in 5 out 5 newsock 5 pipe 7 sock 8
Mar  9 10:51:01 rhel7test sshd[26209]: debug1: inetd sockets after dupping: 3, 3
Mar  9 10:51:01 rhel7test sshd[26209]: Connection from 10.96.16.148 port 55171 on 10.96.16.108 port 22
Mar  9 10:51:01 rhel7test sshd[26209]: debug1: Client protocol version 2.0; client software version OpenSSH_5.3
Mar  9 10:51:01 rhel7test sshd[26209]: debug1: match: OpenSSH_5.3 pat OpenSSH_5* compat 0x0c000000
Mar  9 10:51:01 rhel7test sshd[26209]: debug1: Enabling compatibility mode for protocol 2.0
Mar  9 10:51:01 rhel7test sshd[26209]: debug1: Local version string SSH-2.0-OpenSSH_6.6.1
Mar  9 10:51:01 rhel7test sshd[26209]: debug2: fd 3 setting O_NONBLOCK
Mar  9 10:51:01 rhel7test sshd[26209]: debug2: Network child is on pid 26210
Mar  9 10:51:01 rhel7test sshd[26209]: debug1: SELinux support enabled [preauth]
Mar  9 10:51:01 rhel7test sshd[26209]: debug1: permanently_set_uid: 74/74 [preauth]
Mar  9 10:51:01 rhel7test sshd[26209]: debug1: list_hostkey_types: ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
Mar  9 10:51:01 rhel7test sshd[26209]: debug1: SSH2_MSG_KEXINIT sent [preauth]
Mar  9 10:51:01 rhel7test sshd[26209]: debug1: SSH2_MSG_KEXINIT received [preauth]
Mar  9 10:51:01 rhel7test sshd[26209]: debug2: kex_parse_kexinit: curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 [preauth]
Mar  9 10:51:01 rhel7test sshd[26209]: debug2: kex_parse_kexinit: ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
Mar  9 10:51:01 rhel7test sshd[26209]: debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se [preauth]
Mar  9 10:51:01 rhel7test sshd[26209]: debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se [preauth]
Mar  9 10:51:01 rhel7test sshd[26209]: debug2: kex_parse_kexinit: hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96 [preauth]
Mar  9 10:51:01 rhel7test sshd[26209]: debug2: kex_parse_kexinit: hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96 [preauth]
Mar  9 10:51:01 rhel7test sshd[26209]: debug2: kex_parse_kexinit: none,zlib@openssh.com [preauth]
Mar  9 10:51:01 rhel7test sshd[26209]: debug2: kex_parse_kexinit: none,zlib@openssh.com [preauth]
Mar  9 10:51:01 rhel7test sshd[26209]: debug2: kex_parse_kexinit:  [preauth]
Mar  9 10:51:01 rhel7test sshd[26209]: debug2: kex_parse_kexinit:  [preauth]
Mar  9 10:51:01 rhel7test sshd[26209]: debug2: kex_parse_kexinit: first_kex_follows 0  [preauth]
Mar  9 10:51:01 rhel7test sshd[26209]: debug2: kex_parse_kexinit: reserved 0  [preauth]
Mar  9 10:51:01 rhel7test sshd[26209]: debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 [preauth]
Mar  9 10:51:01 rhel7test sshd[26209]: debug2: kex_parse_kexinit: ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ssh-dss-cert-v00@openssh.com,ssh-rsa,ssh-dss [preauth]
Mar  9 10:51:01 rhel7test sshd[26209]: debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se [preauth]
Mar  9 10:51:01 rhel7test sshd[26209]: debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se [preauth]
Mar  9 10:51:01 rhel7test sshd[26209]: debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96 [preauth]
Mar  9 10:51:01 rhel7test sshd[26209]: debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96 [preauth]
Mar  9 10:51:01 rhel7test sshd[26209]: debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib [preauth]
Mar  9 10:51:01 rhel7test sshd[26209]: debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib [preauth]
Mar  9 10:51:01 rhel7test sshd[26209]: debug2: kex_parse_kexinit:  [preauth]
Mar  9 10:51:01 rhel7test sshd[26209]: debug2: kex_parse_kexinit:  [preauth]
Mar  9 10:51:01 rhel7test sshd[26209]: debug2: kex_parse_kexinit: first_kex_follows 0  [preauth]
Mar  9 10:51:01 rhel7test sshd[26209]: debug2: kex_parse_kexinit: reserved 0  [preauth]
Mar  9 10:51:01 rhel7test sshd[26209]: debug2: mac_setup: setup hmac-md5 [preauth]
Mar  9 10:51:01 rhel7test sshd[26209]: debug1: kex: client->server aes128-ctr hmac-md5 none [preauth]
Mar  9 10:51:01 rhel7test sshd[26209]: debug2: mac_setup: setup hmac-md5 [preauth]
Mar  9 10:51:01 rhel7test sshd[26209]: debug1: kex: server->client aes128-ctr hmac-md5 none [preauth]
Mar  9 10:51:01 rhel7test sshd[26209]: debug1: kex: diffie-hellman-group-exchange-sha256 need=16 dh_need=16 [preauth]
Mar  9 10:51:01 rhel7test sshd[26209]: debug1: kex: diffie-hellman-group-exchange-sha256 need=16 dh_need=16 [preauth]
Mar  9 10:51:01 rhel7test sshd[26209]: debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received [preauth]
Mar  9 10:51:01 rhel7test sshd[26209]: debug2: monitor_read: 0 used once, disabling now
Mar  9 10:51:01 rhel7test sshd[26209]: debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent [preauth]
Mar  9 10:51:01 rhel7test sshd[26209]: debug2: bits set: 504/1024 [preauth]
Mar  9 10:51:01 rhel7test sshd[26209]: debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT [preauth]
Mar  9 10:51:01 rhel7test sshd[26209]: debug2: bits set: 532/1024 [preauth]
Mar  9 10:51:01 rhel7test sshd[26209]: debug2: monitor_read: 6 used once, disabling now
Mar  9 10:51:01 rhel7test sshd[26209]: debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent [preauth]
Mar  9 10:51:01 rhel7test sshd[26209]: debug2: kex_derive_keys [preauth]
Mar  9 10:51:01 rhel7test sshd[26209]: debug2: set_newkeys: mode 1 [preauth]
Mar  9 10:51:01 rhel7test sshd[26209]: debug1: SSH2_MSG_NEWKEYS sent [preauth]
Mar  9 10:51:01 rhel7test sshd[26209]: debug1: expecting SSH2_MSG_NEWKEYS [preauth]
Mar  9 10:51:01 rhel7test sshd[26209]: Connection closed by 10.96.16.148 [preauth]
Mar  9 10:51:01 rhel7test sshd[26209]: debug1: do_cleanup [preauth]
Mar  9 10:51:01 rhel7test sshd[26209]: debug1: monitor_read_log: child log fd closed
Mar  9 10:51:01 rhel7test sshd[26209]: debug1: do_cleanup
Mar  9 10:51:01 rhel7test sshd[26209]: debug1: Killing privsep child 26210

I have already read the similar posts and

  • checked the permissions on /dev/tty
  • made sure the passwordless key is correct
  • made sure there are no conflicting entries in the known_hosts file
  • checked the environment variables for anything odd
  • turned debugging up to level 3 (-vvv) on the executing side; no new information could be gleaned from the output.

Finally, since I'm sure I'll be asked for it, the sshd_config of RHEL 6 & 7

                                     RHEL 7                                     |                              RHEL 6
--------------------------------------------------------------------------------+---------------------------------------------------------------------
HostKey                         /etc/ssh/ssh_host_rsa_key                       | 
HostKey                         /etc/ssh/ssh_host_ecdsa_key                     |
HostKey                         /etc/ssh/ssh_host_ed25519_key                   |
SyslogFacility                  AUTHPRIV                                        | AUTHPRIV
LogLevel                        DEBUG2                                          | 
PermitRootLogin                 no                                              | no
StrictModes                     yes                                             |
MaxAuthTries                    3                                               |
MaxSessions                     10                                              |
PubkeyAuthentication            yes                                             |
AuthorizedKeysFile              .ssh/authorized_keys                            |
IgnoreRhosts                    yes                                             |
PermitEmptyPasswords            no                                              |
PasswordAuthentication          yes                                             | yes
ChallengeResponseAuthentication no                                              | no
GSSAPIAuthentication            yes                                             | yes
GSSAPICleanupCredentials        no                                              | yes
UsePAM                          yes                                             | yes
X11Forwarding                   yes                                             | yes
PrintMotd                       no                                              |
PrintLastLog                    no                                              |
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES   | LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT               | LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE                                     | LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS                                                            | XMODIFIERS
Subsystem               sftp  /usr/libexec/openssh/sftp-server                  | sftp  /usr/libexec/openssh/sftp-server

So I have no idea what the cause of the problem is.


Can you try running the script with "ssh -o StrictHostKeyChecking=no" and see if that fixes the problem?
VDR

VDR: I wouldn't have thought that particular option would fix this, but it did. Changing it to ssh -ttttvi /home/robot/.ssh/passwdlesskey -o StrictHostKeyChecking=no robot@${ThatIP} sudo -l does exactly what it should. Now I just have to test against the other servers to make sure my script doesn't break (or else I'll have to branch off more code explicitly for the RHEL 7 servers)
Ogal Finklestein 2016
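The two transcripts in the question already contain the answer. The sshd log is from the cron run: the client identifies itself as OpenSSH_5.3 and its KEXINIT offers only ssh-rsa and ssh-dss host-key algorithms (no ECDSA, which OpenSSH gained in 5.7), so the server hands it the RSA host key. The command-line run, on the other hand, matched the ECDSA key at known_hosts:416, so it was made by a different, newer ssh client. The cron client finds no RSA entry for the host, only an ECDSA one (hence "WARNING: ECDSA key found for host ... in known_hosts:416"), treats the server key as new and tries to ask on /dev/tty. StrictHostKeyChecking=no "fixes" it by silently accepting and storing whatever key is presented, which is exactly the check that protects against a man-in-the-middle on first contact. The script below is an added example, not code from the question: given a known_hosts file and the host-key algorithms a client offers, it says whether that client can verify a host without prompting and prints the ssh-keyscan command for the key type it will actually negotiate. The known_hosts content is constructed (the base64 blobs are placeholders, not real keys); the algorithm list is copied from the sshd log above. It always passes -t to ssh-keyscan because old releases (the CentOS 5 client in the last answer on this page) default to the SSH-1 rsa1 type and print nothing for an SSH-2-only server.

```shell
#!/bin/sh
# Added example (not from the question). Decide offline whether the ssh client cron runs
# can verify a host from known_hosts, and print the ssh-keyscan command for the missing type.

# Host-key algorithms the cron client offered, copied from the sshd log in the question
# (OpenSSH 5.3: RSA and DSA only, no ECDSA).
CRON_CLIENT_HOSTKEY_ALGS='ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ssh-dss-cert-v00@openssh.com,ssh-rsa,ssh-dss'

# Constructed known_hosts: the RHEL 7 host has only an ECDSA entry, like known_hosts:416
# in the question. The blobs are placeholders, not keys.
SAMPLE_KNOWN_HOSTS=$(mktemp); trap 'rm -f "$SAMPLE_KNOWN_HOSTS"' EXIT
cat >"$SAMPLE_KNOWN_HOSTS" <<'EOF'
# constructed sample
10.96.16.108 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTY=
10.96.16.109,rhel6box ssh-rsa AAAAB3NzaC1yc2E=
EOF

# known_host_types FILE HOST: key types recorded for HOST, one per line.
# Hashed entries (|1|..., from HashKnownHosts yes) cannot be matched by name here; on a
# real system use `ssh-keygen -F HOST -f FILE`. @cert-authority/@revoked lines are skipped.
known_host_types() {
    awk -v host="$2" '
        NF == 0 || $1 ~ /^#/ || $1 ~ /^\|1\|/ || $1 ~ /^@/ { next }
        {
            n = split($1, names, ",")
            for (i = 1; i <= n; i++)
                if (names[i] == host) print $2
        }' "$1" | sort -u
}

# plain_key_type ALG: the key type known_hosts stores for host-key algorithm ALG.
# Certificate algorithms are checked against a @cert-authority line instead, so they return 1.
plain_key_type() {
    case "$1" in
        *-cert-v0*) return 1 ;;
        rsa-sha2-256|rsa-sha2-512) echo ssh-rsa ;;      # same stored RSA key, newer signature
        ssh-rsa|ssh-dss|ssh-ed25519|ecdsa-sha2-nistp*) echo "$1" ;;
        *) return 1 ;;
    esac
}

# verifiable_type FILE HOST ALGS: first client-offered type (in its preference order) for
# which FILE already holds HOST's key. Exit 1 when there is none: the client then sees an
# unknown key and, with no tty to ask on, fails with "Host key verification failed".
verifiable_type() {
    known=" $(known_host_types "$1" "$2" | tr '\n' ' ')"
    rest="$3,"
    while [ -n "$rest" ]; do
        alg=${rest%%,*}; rest=${rest#*,}
        t=$(plain_key_type "$alg") || continue
        case "$known" in *" $t "*) echo "$t"; return 0 ;; esac
    done
    return 1
}

# keyscan_command HOST ALGS: ssh-keyscan invocation for the client's first plain key type
# (if the server has no key of that type, take the next one). -t is always explicit: old
# ssh-keyscan defaults to the SSH-1 rsa1 type and prints nothing for an SSH-2-only server.
keyscan_command() {
    rest="$2,"
    while [ -n "$rest" ]; do
        alg=${rest%%,*}; rest=${rest#*,}
        t=$(plain_key_type "$alg") || continue
        case "$t" in
            ssh-rsa) short=rsa ;; ssh-dss) short=dsa ;;
            ssh-ed25519) short=ed25519 ;; *) short=ecdsa ;;
        esac
        echo "ssh-keyscan -t $short $1"
        return 0
    done
    return 1
}

# Demo on the constructed file: the RHEL 7 host fails, the RHEL 6 host verifies.
for host in 10.96.16.108 10.96.16.109; do
    if t=$(verifiable_type "$SAMPLE_KNOWN_HOSTS" "$host" "$CRON_CLIENT_HOSTKEY_ALGS"); then
        echo "$host: cron client can verify it with the $t entry"
    else
        echo "$host: no usable entry; as the robot user run this, then check the fingerprint before keeping the line:"
        echo "  $(keyscan_command "$host" "$CRON_CLIENT_HOSTKEY_ALGS")"
    fi
done
```

On a real box, get the cron client's list from `ssh -Q key` (OpenSSH 6.3 and later) or, as here, from the server's DEBUG2 KEXINIT line, and run the checks as the same user and with the same ssh binary that cron uses (`sudo -i -u robot sh -c 'command -v ssh; ssh -V'`), since a different ssh earlier in an interactive PATH is exactly what hides this problem.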

Answers:


2

It is not sudo asking for a TTY, it is ssh asking you to do the one security-relevant thing about ssh that you have to do before a secure connection can be established: verifying the host key, which, if it has not been configured beforehand, requires the user to do so manually. It has nothing to do with the system version, only with configuration.

You need to store the server's host key (the public part) in the client's known_hosts. There are several ways to do this:

  • As the user that runs cron (robot, e.g. sudo -i -u robot), try to connect to the remote server:

    ssh -i /home/robot/.ssh/passwdlesskey  robot@${ThatIP}
    

    and answer "yes" to the prompt manually

  • Use the ssh-keyscan tool, which does exactly the same thing but does not have to be run interactively (if you run it as a different user, make sure the target user will have the right access to the file):

    ssh-keyscan ${ThatIP} >> /home/robot/.ssh/known_hosts
    

Thanks for the answer, but I'm not a newbie at any of this, having already done all of those steps. And yes, I'm well aware that it's ssh and not sudo, but I added the sudo info to preempt people commenting on it.
Ogal Finklestein 2016
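Appending the output of ssh-keyscan straight into known_hosts, as in the answer above, trusts whatever answered on port 22 at that moment. The missing step is to compare the fetched key's fingerprint with one obtained out of band (ssh-keygen -l on the server's /etc/ssh/ssh_host_*_key.pub, or the console) before keeping the line. The script below is an added example, not code from the answer or from OpenSSH. It computes both fingerprint forms, the colon-separated MD5 that clients before OpenSSH 6.8 print (the ee:67:90:... in the question is that form) and the base64 SHA256 that 6.8 and later print, and appends a known_hosts line only when the fingerprint matches a pinned value. The input line is constructed: its "key" is base64 of the bytes "abc", not a real key, so the fingerprints are simply the MD5 and SHA-256 of "abc". The hex-to-base64 conversion is done in awk so the script needs neither xxd nor openssl.

```shell
#!/bin/sh
# Added example (not from the answer): pin a host key's fingerprint before appending the
# ssh-keyscan line to known_hosts.

# Constructed line in ssh-keyscan / known_hosts format; "YWJj" is base64("abc"), not a key.
SAMPLE_LINE='10.96.16.108 ssh-rsa YWJj'

# key_blob LINE: the base64 key field of a "host type base64" line.
key_blob() { printf '%s\n' "$1" | awk '{ print $3 }'; }

# hex_to_base64: read a hex digest on stdin, print it base64-encoded without "=" padding,
# which is how OpenSSH prints SHA256 fingerprints.
hex_to_base64() {
    awk '
        function hexval(h,  k, r) {
            r = 0
            for (k = 1; k <= length(h); k++) r = r * 16 + index("0123456789abcdef", substr(h, k, 1)) - 1
            return r
        }
        BEGIN { b64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/" }
        {
            hex = tolower($1); n = length(hex) / 2; out = ""
            for (i = 0; i < n; i += 3) {               # 3 input bytes -> 4 output chars
                v = 0; c = 0
                for (j = 0; j < 3; j++) {
                    v = v * 256
                    if (i + j < n) { v += hexval(substr(hex, 2 * (i + j) + 1, 2)); c++ }
                }
                for (j = 0; j <= c; j++) out = out substr(b64, int(v / (64 ^ (3 - j))) % 64 + 1, 1)
            }
            print out
        }'
}

# fp_md5 LINE: colon-separated MD5 hex, the only form OpenSSH before 6.8 prints.
fp_md5() {
    key_blob "$1" | base64 -d | md5sum | cut -c1-32 | sed 's/../&:/g; s/:$//'
}

# fp_sha256 LINE: what OpenSSH 6.8 and later print after "SHA256:".
fp_sha256() {
    key_blob "$1" | base64 -d | sha256sum | cut -c1-64 | hex_to_base64
}

# pin_and_append LINE PINNED FILE: append LINE to FILE only if its fingerprint equals PINNED.
# PINNED may be "SHA256:<base64>", "MD5:<hex colons>" or a bare "<hex colons>" (old clients).
pin_and_append() {
    line=$1; pinned=$2; file=$3
    case "$pinned" in
        SHA256:*) actual="SHA256:$(fp_sha256 "$line")" ;;
        MD5:*)    actual="MD5:$(fp_md5 "$line")" ;;
        *)        actual=$(fp_md5 "$line") ;;
    esac
    if [ "$actual" != "$pinned" ]; then
        echo "refusing ${line%% *}: fingerprint $actual does not match pinned $pinned" >&2
        return 1
    fi
    printf '%s\n' "$line" >> "$file"
}

# Demo on the constructed line. Real use, as the robot user, would be:
#   ssh-keyscan -t rsa 10.96.16.108 2>/dev/null | while read -r l; do
#       pin_and_append "$l" "$PINNED_FP" ~/.ssh/known_hosts; done
echo "MD5 form (pre-6.8 clients): $(fp_md5 "$SAMPLE_LINE")"
echo "SHA256 form (6.8+ clients): $(fp_sha256 "$SAMPLE_LINE")"
KH=$(mktemp); trap 'rm -f "$KH"' EXIT
pin_and_append "$SAMPLE_LINE" 'SHA256:ungWv48Bz+pBQUDeXa4iI7ADYaOWF3qctBD/YfIAFa0' "$KH" && echo "appended"
pin_and_append "$SAMPLE_LINE" 'SHA256:notTheRealFingerprint' "$KH" || echo "rejected, as it should be"
```

The two forms matter on this page because the RHEL 6 client prints MD5 while a current ssh-keygen prints SHA256; pin whichever the tool you verify with prints, and the function accepts either.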

0

User VDR commented that I needed to add

-o StrictHostKeyChecking=no

as an additional option to the ssh call made via cron.


This is not the ideal solution. What is the client system running the code (which is obviously the problem)?
Jakuje 2016

Jakuje, how can you say that? I know the code, and I posted a snippet of it in my OP. I took VDR's recommendation, implemented it, and it works. Problem solved; solution found
Ogal Finklestein 2016
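The option in this answer works because StrictHostKeyChecking=no makes ssh add any host key it has not seen before to known_hosts without asking, so there is no prompt and no need for /dev/tty. The same behaviour accepts an attacker's key on first contact just as readily. What an unattended job wants instead is to fail closed and to fail fast: BatchMode yes stops ssh from trying to prompt at all, and StrictHostKeyChecking yes refuses unknown and changed keys. The script below is an added example, not from the answer: it writes the weak stanza next to the hardened one for the robot user (host, paths and a temp directory are assumptions for the demo) and runs a small lint over an ssh_config that flags the weak settings.

```shell
#!/bin/sh
# Added example (not from the answer): weak vs. hardened ssh_config for an unattended job,
# plus a lint that flags the weak form. Host, paths and config location are assumptions.

CFGDIR=$(mktemp -d); trap 'rm -rf "$CFGDIR"' EXIT

# Weak: what -o StrictHostKeyChecking=no amounts to. Any key the server presents is
# accepted and written to known_hosts, so first contact can be intercepted silently.
cat >"$CFGDIR/weak" <<'EOF'
Host 10.96.16.108
    User robot
    IdentityFile ~/.ssh/passwdlesskey
    StrictHostKeyChecking no
EOF

# Hardened: never prompt, refuse unknown or changed keys, use only the intended identity.
# With BatchMode a cron run that lacks a usable host key fails at once with a clear error
# instead of reaching for /dev/tty. Comments sit on their own lines: ssh_config does not
# accept trailing comments after a value.
cat >"$CFGDIR/hardened" <<'EOF'
Host 10.96.16.108
    User robot
    IdentityFile ~/.ssh/passwdlesskey
    IdentitiesOnly yes
    BatchMode yes
    StrictHostKeyChecking yes
    UserKnownHostsFile ~/.ssh/known_hosts
    # RequestTTY yes would replace -tt for sudo's requiretty, but it needs OpenSSH 5.9+;
    # the OpenSSH 5.3 client on RHEL 6 must keep -tt on the command line.
EOF

# lint_ssh_config FILE: print one finding per weak setting; exit 1 if there is any.
# Keywords are case-insensitive; both "Key value" and "Key=value" forms are accepted.
lint_ssh_config() {
    awk '
        BEGIN { bad = 0; batch = 0; host = "(global)" }
        NF == 0 || $1 ~ /^#/ { next }
        {
            line = $0; sub(/^[[:space:]]+/, "", line); sub(/=/, " ", line)
            split(line, f, /[[:space:]]+/)
            key = tolower(f[1]); val = tolower(f[2])
            if (key == "host") host = line
            if (key == "stricthostkeychecking" && val == "no") {
                print FILENAME ": " host ": StrictHostKeyChecking no accepts any new host key"; bad = 1
            }
            if (key == "userknownhostsfile" && val == "/dev/null") {
                print FILENAME ": " host ": UserKnownHostsFile /dev/null discards host keys"; bad = 1
            }
            if (key == "batchmode" && val == "yes") batch = 1
        }
        END {
            if (!batch) { print FILENAME ": no BatchMode yes; an unattended run may try to prompt on /dev/tty"; bad = 1 }
            exit bad
        }' "$1"
}

# Demo: the weak stanza is rejected, the hardened one passes.
for f in weak hardened; do
    if lint_ssh_config "$CFGDIR/$f"; then echo "$f: ok"; else echo "$f: rejected"; fi
done
```

Run the lint against the robot user's real ~/.ssh/config (and against any -o options the cron line passes, written out as a stanza) before trusting a job that has to run unattended; an ssh that exits non-zero with "Host key verification failed" is the correct outcome for a host whose key was never pinned.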

0

Same situation - I updated the target system from CentOS 6 to CentOS 7, and suddenly my cron job would fail with Host key validation failed, but it was fine if I ran it from the command line. I was completely unaware of the ssh-keyscan tool, so thanks @Jakuje for the write-up. In my case, running the ssh-keyscan tool output absolutely nothing, so I added -v and got:

>ssh-keyscan -v hostname.example.com
debug1: match: OpenSSH_6.6.1 pat OpenSSH*
debug1: hostname.example.com doesn't support ssh1

EISH. Looks like the SSH on the source machine doesn't support SSH2. So I looked into the ssh version on the source system:

>sudo yum list installed | grep ssh
openssh.x86_64                           4.3p2-82.el5                  installed
openssh-askpass.x86_64                   4.3p2-82.el5                  installed
openssh-clients.x86_64                   4.3p2-82.el5                  installed
openssh-server.x86_64                    4.3p2-82.el5                  installed

Nice. Only a few years behind. This article http://www.jbytechnologies.com/linux/sshd-add-dsa-key.html helped me dig into CentOS 7 disabling DSA keys. The solution? Generate and enable a DSA key on CentOS 7. But DSA keys are weaker than RSA, so that would make my new server less hardened.

Best solution in my case: upgrade openssh on the source machine.

Licensed under cc by-sa 3.0 with attribution required.