sshd AuthorizedKeysCommand throws status 127
I am trying to build an SSH service that allows push/pull for Phabricator repositories. I have dockerized all the services and am currently running into a strange error where the authentication script that ssh needs cannot be executed.
The docker image runs the php-fpm and sshd services; the idea is to combine ssh with the required php scripts.
Specifically, I have the following /etc/ssh/sshd_config:
AuthorizedKeysCommand /usr/libexec/phabricator-ssh-hook.sh
AuthorizedKeysCommandUser git
AllowUsers git
Port 2222
Protocol 2
PermitRootLogin no
AllowAgentForwarding no
AllowTcpForwarding no
PrintMotd no
#PrintLastLog no
PasswordAuthentication no
ChallengeResponseAuthentication no
AuthorizedKeysFile none
PidFile /var/run/sshd-phabricator.pid
(As a side note, PrintLastLog throws an error when I start sshd. I don't think it is related, but it might be??)
When I manually run
su - git -c "/srv/phabricator/scripts/ssh/ssh-auth.php git"
I am able to execute the script successfully.
However, when I run sshd in debug mode (/usr/sbin/sshd -d -d -d) and check the sshd log, I get the following error:
...other stuff...
debug3: monitor_read: checking request 22
debug3: mm_answer_keyallowed entering
debug3: mm_answer_keyallowed: key_from_blob: 0x5564c1f473c0
debug3: subprocess: AuthorizedKeysCommand command "/usr/libexec/phabricator-ssh-hook.sh git" running as git
debug1: temporarily_use_uid: 1000/1000 (e=0/0)
debug1: restore_uid: 0/0
debug3: subprocess: AuthorizedKeysCommand pid 885
debug1: temporarily_use_uid: 1000/1000 (e=0/0)
debug2: key not found
AuthorizedKeysCommand /usr/libexec/phabricator-ssh-hook.sh git failed, status 127
debug1: restore_uid: 0/0
Failed publickey for git from some.ip.address.here port 58378 ssh2: ED25519 SHA256:GBGS4ag9s8msV3XsuojlIoqATF63tvXU3t5GIUN0eYY
debug3: mm_answer_keyallowed: key 0x5564c1f473c0 is not allowed
debug3: mm_request_send entering: type 23
debug2: userauth_pubkey: authenticated 0 pkalg ssh-ed25519 [preauth]
debug3: userauth_finish: failure partial=0 next methods="publickey" [preauth]
debug3: send packet: type 51 [preauth]
Connection closed by 24.5.151.66 port 58378 [preauth]
debug1: do_cleanup [preauth]
debug1: monitor_read_log: child log fd closed
debug3: mm_request_receive entering
debug1: do_cleanup
debug1: Killing privsep child 884
EDIT: It seems like /usr/libexec/phabricator-ssh-hook.sh actually does execute, but the script it executes, /srv/phabricator/bin/ssh-auth, presumably fails. That file (the phabricator directory) is actually on a host volume. I wonder if that could be the cause of these status 127 issues.
I have read that /bin/sh returns status 127 when a given command cannot be found in PATH and is not a shell builtin (or when a library used by the script cannot be found).
That said, I can execute the script manually, so status 127 seems unlikely to refer to that.
Note above that I can also execute it as the git user.
Docker container version info:
Linux version 4.11.9-1-ARCH (builduser@tobias) (gcc version 7.1.1 20170621 (GCC) ) #1 SMP PREEMPT Wed Jul 5 18:23:08 CEST 2017
Any help pointing me in the right direction would be appreciated.
EDIT
docker version
Client:
Version: 17.06.0-ce
API version: 1.30
Go version: go1.8.3
Git commit: 3dfb8343
Built: Wed Jul 26 18:03:33 2017
OS/Arch: linux/amd64
Server:
Version: 17.06.0-ce
API version: 1.30 (minimum version 1.12)
Go version: go1.8.3
Git commit: 02c1d87617
Built: Wed Jul 26 20:03:39 2017
OS/Arch: linux/amd64
Experimental: false
docker info
Containers: 10
Running: 10
Paused: 0
Stopped: 0
Images: 147
Server Version: 17.06.0-ce
Storage Driver: overlay2
Backing Filesystem: extfs
Supports d_type: true
Native Overlay Diff: true
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
Volume: local
Network: bridge host macvlan null overlay
Log: awslogs fluentd gcplogs gelf journald json-file logentries splunk syslog
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Init Binary: docker-init
containerd version: cfb82a876ecc11b5ca0977d1733adbe58599088a
runc version: 2d41c047c83e09a6d61d464906feb2a2f3c52aa4
init version: 949e6fa
Security Options:
seccomp
Profile: default
Kernel Version: 4.11.9-1-ARCH
Operating System: Arch Linux
OSType: linux
Architecture: x86_64
CPUs: 4
Total Memory: 7.631GiB
Name: <host-name>
ID: KYNR:4YHS:T4C2:URUY:GIB5:KCNF:DCNC:JLUT:DYO3:D5P7:VVOD:C2YV
Docker Root Dir: /var/lib/docker
Debug Mode (client): false
Debug Mode (server): false
Registry: https://index.docker.io/v1/
Experimental: false
Insecure Registries:
127.0.0.0/8
Live Restore Enabled: false
I struggled with this too. It turned out that php was not in the PATH when phabricator-ssh-hook.sh was executed. In my case it is installed in /usr/local/bin (the FreeBSD default), so I added:
export PATH="/usr/local/bin:$PATH"
before the last line of phabricator-ssh-hook.sh.
I had a similar problem, but not in a docker container. ephemient's comment above solved it for me: https://secure.phabricator.com/book/phabricator/article/diffusion_hosting/ "Both the script itself and the parent directory the script is in must be owned by root, and the script must have 755 permissions. If you don't do this, sshd will refuse to execute the hook." Have you checked that?
I was able to make it work with the following configuration
AuthorizedKeysCommand /bin/sh /etc/ssh/auth.sh %u %f %k
AuthorizedKeysCommandUser root
When running the script directly it threw
May 13 17:22:11 ip-10-0-0-100 sshd[5833]: error: AuthorizedKeysCommand /etc/ssh/auth.sh user failed, status 127
After invoking /bin/sh directly it succeeded!
My script specified #!/bin/bash but bash was not available. I had to change it to #!/bin/sh
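The three answers above point at three different pre-conditions a hook must meet before sshd will run it. The following pre-flight script is an added example (not from this thread or from Phabricator) that checks all three at once: the shebang interpreter exists (a missing one is exactly what produces status 127), the helpers the hook calls are reachable on the restricted PATH sshd gives the subprocess (assumed here to be /usr/bin:/bin), and the file is root-owned, executable and not group/world-writable. The function name check_hook is hypothetical.

```shell
#!/bin/sh
# Pre-flight checks for an sshd AuthorizedKeysCommand script.
# Usage: check_hook /usr/libexec/phabricator-ssh-hook.sh [required-cmd ...]
# Prints one line per problem found; returns 0 only when there are none.
check_hook() {
    hook=$1; shift
    rc=0
    if [ ! -f "$hook" ]; then
        echo "missing: $hook"; return 1
    fi
    # 1. The interpreter named on the shebang line must exist and be
    #    executable; otherwise exec fails and sshd logs "failed, status 127".
    interp=$(head -n 1 "$hook" | sed -n 's/^#![[:space:]]*\([^[:space:]]*\).*/\1/p')
    if [ -z "$interp" ]; then
        echo "no shebang: $hook"; rc=1
    elif [ ! -x "$interp" ]; then
        echo "interpreter not found: $interp"; rc=1
    fi
    # 2. Helpers the hook calls (e.g. php) must be on the PATH sshd hands the
    #    subprocess, not the login shell's PATH. /usr/bin:/bin is an assumed
    #    approximation of that fixed search path.
    for cmd in "$@"; do
        PATH=/usr/bin:/bin command -v "$cmd" >/dev/null 2>&1 \
            || { echo "not in sshd PATH: $cmd"; rc=1; }
    done
    # 3. Ownership and mode: sshd refuses a hook that is not owned by root or
    #    that is group/world-writable, and it must be executable.
    owner=$(stat -c '%u' "$hook" 2>/dev/null || stat -f '%u' "$hook")
    mode=$(stat -c '%a' "$hook" 2>/dev/null || stat -f '%Lp' "$hook")
    [ "$owner" = "0" ] || { echo "not owned by root (uid $owner): $hook"; rc=1; }
    case $mode in
        *[2367]?|*[2367]) echo "group/world writable (mode $mode): $hook"; rc=1 ;;
    esac
    [ -x "$hook" ] || { echo "not executable (mode $mode): $hook"; rc=1; }
    return $rc
}
```

Run it as root against the hook named in AuthorizedKeysCommand, listing the commands the hook shells out to (for the Phabricator hook, php); a clean run means the remaining cause of a 127 lies inside the script itself.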