I have this strange problem: I am trying to SSH into a remote server.
I do this from the command line, and both the private key and the public key are in my current directory. They are named id_rsa and id_rsa.pub respectively. I verified via their fingerprints that they are a matching public and private key.
When I issue the following command:
ssh -vT -i ./id_rsa user@remotehost
I get the following error: Permission denied (publickey).
However, if I rename my id_rsa.pub to something else, it works fine. What could cause this? Could it be a setting on the remote server that is causing this?
The output of -vT when id_rsa.pub is in the same directory (and it fails) is:
OpenSSH_6.1p1, OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 50: Applying options for *
debug1: Connecting to remotehost port 22.
debug1: Connection established.
debug1: identity file ./id_rsa type 1
debug1: identity file ./id_rsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3p1 Debian-3ubuntu7
debug1: match: OpenSSH_5.3p1 Debian-3ubuntu7 pat OpenSSH_5*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Server host key: RSA <removed>
debug1: Host remotehost is known and matches the RSA host key.
debug1: Found key in /home/user/.ssh/known_hosts:10
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
Ubuntu 10.04.4 LTS
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: ./id_rsa
debug1: Authentications that can continue: publickey
debug1: No more authentication methods to try.
Permission denied (publickey).
The debugging output when id_rsa.pub is renamed is:
OpenSSH_6.1p1, OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 50: Applying options for *
debug1: Connecting to remotehost port 22.
debug1: Connection established.
debug1: identity file ./id_rsa type -1
debug1: identity file ./id_rsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3p1 Debian-3ubuntu7
debug1: match: OpenSSH_5.3p1 Debian-3ubuntu7 pat OpenSSH_5*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Server host key: RSA <removed>
debug1: Host remotehost is known and matches the RSA host key.
debug1: Found key in /home/user/.ssh/known_hosts:10
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
Ubuntu 10.04.4 LTS
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Trying private key: ./id_rsa
debug1: key_parse_private_pem: PEM_read_PrivateKey failed
debug1: read PEM private key done: type <unknown>
Enter passphrase for key './id_rsa':
debug1: read PEM private key done: type RSA
debug1: Authentication succeeded (publickey).
Authenticated to reoteserver:22).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: Sending environment.
debug1: Sending env LANG = en_US.UTF-8
I was able to reproduce your symptoms using a public key and a private key. Even with both keys permitted in authorized_keys, login fails when the public key and the private key do not match.
From what I can tell, the following happens.
When you remove the public key, the client asks for the passphrase without knowing whether the server will accept the key. This means you may end up being asked to type the passphrase of a private key, only to find out that the server will not accept it.
This may be a bug in OpenSSH, or the key in the server's authorized_keys and your private key do not match after all. When authentication succeeds, you get
debug1: identity file ./id_rsa type -1
which means OpenSSH could not load the identity file (the public key, I think) at that stage. In the key-loading part of the source there is this snippet (authfile.c):

/* try ssh2 public key */
pub = key_new(KEY_UNSPEC);
if (key_try_load_public(pub, filename, commentp) == 1)
        return pub;
if ((strlcpy(file, filename, sizeof file) < sizeof(file)) &&
    (strlcat(file, ".pub", sizeof file) < sizeof(file)) &&
    (key_try_load_public(pub, file, commentp) == 1))
        return pub;

This means OpenSSH tries to load whatever is given in the -i argument plus ".pub" as the public key, and acts as described in the log. With no public key carrying the ".pub" suffix in the current directory, this fails. Later, when authenticating (sshconnect2.c):

/*
 * send a test message if we have the public key. for
 * encrypted keys we cannot do this and have to load the
 * private key instead
 */
if (id->key && id->key->type != KEY_RSA1) {
        debug("Offering %s public key: %s", key_type(id->key), id->filename);
        sent = send_pubkey_test(authctxt, id);
} else if (id->key == NULL) {
        debug("Trying private key: %s", id->filename);
        id->key = load_identity_file(id->filename);
        if (id->key != NULL) {
                id->isprivate = 1;
                sent = sign_and_send_pubkey(authctxt, id);
                key_free(id->key);
                id->key = NULL;
        }
}

If the public key exists, OpenSSH sends it as a test message (?), which fails for some reason. Without a preloaded public key, it tries the private key and succeeds.
I don't know why the public key failure happens (if I have time, I'll try to find out more). There may be some mismatch in how files in .ssh/ are handled compared to other paths, or some mismatch with your keys.
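The reading of authfile.c above (ssh loads the identity file plus ".pub" if it exists and offers that key first) makes the obvious thing to verify whether the .pub beside the -i key really belongs to that private key. The following is an added example, not code from the question or the answers: a stdlib-only Python check that parses an unencrypted PKCS#1 private key ("BEGIN RSA PRIVATE KEY", the PEM form the question's "read PEM private key" log lines refer to) and an ssh-rsa .pub line and compares their (n, e). The key material is a constructed textbook-sized toy pair, and keys_match, private_pem_numbers and the other names are assumptions of this example.

```python
import base64
import struct

# Constructed toy RSA pair (textbook size, illustration only): p=61, q=53, n=3233, e=17.
TOY = dict(n=3233, e=17, d=2753, p=61, q=53, dp=53, dq=49, qinv=38)

def _be(v):  # big-endian bytes with a leading 0x00 when the top bit is set (DER INTEGER and SSH mpint rule)
    return v.to_bytes((v.bit_length() + 8) // 8, "big")
def pkcs1_private_pem(k):  # unencrypted 'BEGIN RSA PRIVATE KEY' (PKCS#1); short-form DER lengths suffice for the toy key
    ints = (0, k["n"], k["e"], k["d"], k["p"], k["q"], k["dp"], k["dq"], k["qinv"])
    body = b"".join(b"\x02" + bytes([len(_be(v))]) + _be(v) for v in ints)
    der = base64.b64encode(b"\x30" + bytes([len(body)]) + body).decode()
    return "-----BEGIN RSA PRIVATE KEY-----\n%s\n-----END RSA PRIVATE KEY-----\n" % der
def ssh_rsa_public_line(n, e, comment="toy@example"):  # OpenSSH .pub line: string "ssh-rsa", mpint e, mpint n
    blob = b"".join(struct.pack(">I", len(f)) + f for f in (b"ssh-rsa", _be(e), _be(n)))
    return "ssh-rsa %s %s" % (base64.b64encode(blob).decode(), comment)

def _tlv(buf, i):  # one DER tag/length/value at offset i -> (tag, value, next offset); handles long-form lengths
    tag, n, i = buf[i], buf[i + 1], i + 2
    if n & 0x80:
        n, i = int.from_bytes(buf[i:i + (n & 0x7F)], "big"), i + (n & 0x7F)
    return tag, buf[i:i + n], i + n

def private_pem_numbers(pem):  # (n, e) of a PKCS#1 private key; decrypt 'Proc-Type: 4,ENCRYPTED' files first
    der = base64.b64decode("".join(ln for ln in pem.splitlines() if not ln.startswith("-----")))
    tag, seq, _ = _tlv(der, 0)
    ints, i = [], 0
    while tag == 0x30 and i < len(seq):  # RSAPrivateKey: version, n, e, d, p, q, dP, dQ, qInv
        t, val, i = _tlv(seq, i)
        ints.append(int.from_bytes(val, "big") if t == 0x02 else -1)
    if len(ints) < 3 or -1 in ints:
        raise ValueError("not a PKCS#1 RSAPrivateKey")
    return ints[1], ints[2]

def public_line_numbers(line):  # (n, e) of an OpenSSH ssh-rsa public key line
    ktype, b64 = line.split()[:2]
    blob, fields, i = base64.b64decode(b64), [], 0
    while i < len(blob):
        (n,) = struct.unpack(">I", blob[i:i + 4])
        fields.append(blob[i + 4:i + 4 + n])
        i += 4 + n
    if ktype != "ssh-rsa" or fields[0] != b"ssh-rsa":
        raise ValueError("not an ssh-rsa key")
    return int.from_bytes(fields[2], "big"), int.from_bytes(fields[1], "big")

def keys_match(private_pem, public_line):  # True when the .pub beside a -i key was derived from that private key
    return private_pem_numbers(private_pem) == public_line_numbers(public_line)

PRIV = pkcs1_private_pem(TOY)
GOOD_PUB = ssh_rsa_public_line(TOY["n"], TOY["e"])
STALE_PUB = ssh_rsa_public_line(3127, 17)  # constructed: a .pub left over from a different key pair
```

On real files the same comparison is `ssh-keygen -y -f id_rsa`, which prints the public key derived from the private key, diffed against id_rsa.pub; a stale .pub is exactly what produces "Offering RSA public key" followed by "Permission denied (publickey)" in the first log.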
I'm almost certain this is a permissions problem. Check the permissions of the folder to make sure it is not 770 but 740 or similar. If you are not using the .ssh directory, this can easily cause the problem you are having.
To correct it, use chmod o-w /root. I strongly recommend using a dedicated folder for these keys, as the permission settings of the home folder are tricky.