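SSH prompts for a password unexpectedly with public key authentication after FIPS is enabled
Applies to
- ONTAP 9.3 and later
- Federal Information Processing Standard (FIPS)
- Public key authentication
Issue
- An account that uses public key authentication is unexpectedly prompted for a password
- FIPS was recently enabled on this cluster
- The SSH attempt reports errors (these lines are excerpts from the full output)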
root@linuxhost:/root/.ssh# ssh -vvv admin@cluster01
OpenSSH_8.0p1, OpenSSL 1.1.1k FIPS 25 Mar 2021
debug2: host key algorithms: ecdsa-sha2-nistp256
debug1: Will attempt key: /root/.ssh/cluster01 RSA SHA256:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX explicit
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<rsa-sha2-256,rsa-sha2-512>
debug3: input_userauth_banner
Access restricted to authorized users
debug3: receive packet: type 51 ---Packet type 51 indicates SSH user authentication failure
debug3: remaining preferred: password
debug3: authmethod_is_enabled keyboard-interactive
debug1: Next authentication method: keyboard-interactive
- Entries logged in /mroot/etc/log/messages.log:
[daemon_xinetd:info:6650] START: ssh pid=97704 from=::ffff:<client_ip> vsid=-1 role=0x20
[auth_sshd:info:97704] mm_answer_pwnamallow: Got passwd creds user (username), homedir (/var/home/username), uid (1008) from FILES
[auth_sshd:error:97704] error: get_socket_address: getnameinfo 4 failed: hostname nor servname provided, or not known
[auth_sshd:info:97704] userauth_pubkey: key type ssh-rsa not in PubkeyAcceptedKeyTypes [preauth]
[auth_sshd:info:97704] Connection closed by <client_ip> port ##### [preauth]
[daemon_xinetd:info:6650] EXIT: ssh status=255 pid=97704 duration=28(sec)
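
To check a whole log for this symptom, the following added example (not NetApp code) scans messages.log-style lines for the userauth_pubkey rejection shown above and pairs each hit with the client address from the matching xinetd START line. The sample lines are constructed from the format above; the 192.0.2.x addresses, the port number and the function name are assumptions.

```python
import re

# Constructed sample lines in the messages.log format shown above;
# 192.0.2.x are documentation addresses, not values from the page.
SAMPLE_LOG = """\
[daemon_xinetd:info:6650] START: ssh pid=97704 from=::ffff:192.0.2.10 vsid=-1 role=0x20
[auth_sshd:info:97704] mm_answer_pwnamallow: Got passwd creds user (username), homedir (/var/home/username), uid (1008) from FILES
[auth_sshd:info:97704] userauth_pubkey: key type ssh-rsa not in PubkeyAcceptedKeyTypes [preauth]
[auth_sshd:info:97704] Connection closed by 192.0.2.10 port 50022 [preauth]
[daemon_xinetd:info:6650] EXIT: ssh status=255 pid=97704 duration=28(sec)
[daemon_xinetd:info:6650] START: ssh pid=97810 from=::ffff:192.0.2.11 vsid=-1 role=0x20
[daemon_xinetd:info:6650] EXIT: ssh status=0 pid=97810 duration=4(sec)
"""

START_RE = re.compile(r"\[daemon_xinetd:\w+:\d+\] START: ssh pid=(\d+) from=(\S+)")
REJECT_RE = re.compile(
    r"\[auth_sshd:\w+:(\d+)\] userauth_pubkey: key type (\S+) "
    r"not in PubkeyAcceptedKeyTypes"
)
EXIT_RE = re.compile(r"\[daemon_xinetd:\w+:\d+\] EXIT: ssh status=\d+ pid=(\d+)")


def find_rejected_pubkeys(lines):
    """Return one record per sshd session whose public key type was refused."""
    clients = {}   # sshd pid -> client address taken from the xinetd START line
    findings = []
    for line in lines:
        if m := START_RE.search(line):
            # Strip the IPv4-mapped IPv6 prefix so the address reads as plain IPv4.
            clients[m.group(1)] = m.group(2).removeprefix("::ffff:")
        elif m := REJECT_RE.search(line):
            pid, key_type = m.groups()
            findings.append({"pid": int(pid), "key_type": key_type,
                             "client": clients.get(pid, "unknown")})
        elif m := EXIT_RE.search(line):
            # pids are reused over time; forget sessions that have ended.
            clients.pop(m.group(1), None)
    return findings


if __name__ == "__main__":
    for f in find_rejected_pubkeys(SAMPLE_LOG.splitlines()):
        print(f"pid {f['pid']}: {f['key_type']} key from {f['client']} refused")
```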