具体现象表现为使用SecureCRT登陆时,出现如下出错提示:
Public-key authentication with the server for user sw failed. Please verify username and public/private key pair.
查看服务器日志,找不到有用的相关记录。
之后直接在另一台机器上使用ssh连接,打开verbose模式(ssh -vvv),如下:
123
...
debug1: Next authentication method: password
sw@xxx.xxx.xxx.xxx's password:
求助万能的Google,发现serverfault上有一个案例的现象和出错信息与我遇到几乎一样,提问者怀疑是SELinux导致的。
案例 见 http://www.linuxidc.com/Linux/2013-07/87267p2.htm
下面的回复证实了确实是SELinux的问题,并且给出了解决方案:
Yes, SELinux is likely the cause. The .ssh dir is probably mislabeled. Look at /var/log/audit/audit.log. It should be labeled ssh_home_t. Check with ls -laZ. Run restorecon -r -vv /root/.ssh if need be.
Yep, SELinux was the cause: type=AVC msg=audit(1318597097.413:5447): avc:denied { read } for pid=19849 comm=“sshd” name=“authorized_keys” dev=dm-0 ino=262398 scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
It works after running “restorecon -r -vv /root/.ssh”. Thanks a lot.
A flaw was found in the way Bash evaluated certain specially crafted environment variables. An attacker could use this flaw to override or bypass environment restrictions to execute shell commands. Certain services and applications allow remote unauthenticated attackers to provide environment variables, allowing them to exploit this issue.
redhat官方提供检测方式
运行命令:
1
$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
The technical details of the vulnerability follow.
Bash supports exporting not just shell variables, but also shell
functions to other bash instances, via the process environment to
(indirect) child processes. Current bash versions use an environment
variable named by the function name, and a function definition
starting with “() {” in the variable value to propagate function
definitions through the environment. The vulnerability occurs because
bash does not stop after processing the function definition; it
continues to parse and execute shell commands following the function
definition. For example, an environment variable setting of
1
VAR=() { ignored; }; /bin/id
will execute /bin/id when the environment is imported into the bash
process. (The process is in a slightly undefined state at this point.
The PATH variable may not have been set up yet, and bash could crash
after executing /bin/id, but the damage has already happened at this
point.)
The fact that an environment variable with an arbitrary name can be
used as a carrier for a malicious function definition containing
trailing commands makes this vulnerability particularly severe; it
enables network-based exploitation.
So far, HTTP requests to CGI scripts have been identified as the major
attack vector.
A typical HTTP request looks like this:
123
GET /path?query-param-name=query-param-value HTTP/1.1
Host: www.example.com
Custom: custom-header-value
The CGI specification maps all parts to environment variables. With
Apache httpd, the magic string “() {” can appear in these places:
Host (“www.example.com”, as REMOTE_HOST)
Header value (“custom-header-value”, as HTTP_CUSTOM in this example)
Server protocol (“HTTP/1.1”, as SERVER_PROTOCOL)
The user name embedded in an Authorization header could be a vector as
well, but the corresponding REMOTE_USER variable is only set if the
user name corresponds to a known account according to the
authentication configuration, and a configuration which accepts the
magic string appears somewhat unlikely.
In addition, with other CGI implementations, the request method
(“GET”), path (“/path”) and query string
(“query-param-name=query-param-value”) may be vectors, and it is
conceivable for “query-param-value” as well, and perhaps even
“query-param-name”.
The other vector is OpenSSH, either through AcceptEnv variables, TERM
or SSH_ORIGINAL_COMMAND.
Other vectors involving different environment variable set by
additional programs are expected.
