I have an SSH public key problem. There is an account on the server where I have uploaded my public key to .ssh/authorized_keys and it works as expected (I can log in without a password). Then there is another account on the same server (I have set it up the same way several times) that still asks me for a password to log in.
I set up both accounts identically, like this:
scp ~/.ssh/id_rsa.pub [email protected]:.ssh/authorized_keys (several times). If I add -v to the SSH connection, I get the following for the one that does not work:
    OpenSSH_4.7p1, OpenSSL 0.9.8g 19 Oct 2007
    debug1: Reading configuration data /Users/pacis/.ssh/config
    debug1: Reading configuration data /opt/local/etc/ssh/ssh_config
    debug1: Connecting to xxx.xxx.xxx.xxx [xxx.xxx.xxx.xxx] port 22.
    debug1: Connection established.
    debug1: identity file /Users/pacis/.ssh/identity type -1
    debug1: identity file /Users/pacis/.ssh/id_rsa type 1
    debug1: identity file /Users/pacis/.ssh/id_dsa type -1
    debug1: Remote protocol version 2.0, remote software version OpenSSH_5.1p1 Debian-5
    debug1: match: OpenSSH_5.1p1 Debian-5 pat OpenSSH*
    debug1: Enabling compatibility mode for protocol 2.0
    debug1: Local version string SSH-2.0-OpenSSH_4.7
    debug1: SSH2_MSG_KEXINIT sent
    debug1: SSH2_MSG_KEXINIT received
    debug1: kex: server->client aes128-cbc hmac-md5 none
    debug1: kex: client->server aes128-cbc hmac-md5 none
    debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
    debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
    debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
    debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
    debug1: Host 'xxx.xxx.xxx.xxx' is known and matches the RSA host key.
    debug1: Found key in /Users/pacis/.ssh/known_hosts:40
    debug1: ssh_rsa_verify: signature correct
    debug1: SSH2_MSG_NEWKEYS sent
    debug1: expecting SSH2_MSG_NEWKEYS
    debug1: SSH2_MSG_NEWKEYS received
    debug1: SSH2_MSG_SERVICE_REQUEST sent
    debug1: SSH2_MSG_SERVICE_ACCEPT received
    debug1: Authentications that can continue: publickey,password
    debug1: Next authentication method: publickey
    debug1: Offering public key: /Users/pacis/.ssh/id_rsa
    debug1: Authentications that can continue: publickey,password
    debug1: Trying private key: /Users/pacis/.ssh/identity
    debug1: Trying private key: /Users/pacis/.ssh/id_dsa
    debug1: Next authentication method: password
And, as expected, here is the one that works:
    OpenSSH_4.7p1, OpenSSL 0.9.8g 19 Oct 2007
    debug1: Reading configuration data /Users/pacis/.ssh/config
    debug1: Reading configuration data /opt/local/etc/ssh/ssh_config
    debug1: Connecting to xxx.xxx.xxx.xxx [xxx.xxx.xxx.xxx] port 22.
    debug1: Connection established.
    debug1: identity file /Users/pacis/.ssh/identity type -1
    debug1: identity file /Users/pacis/.ssh/id_rsa type 1
    debug1: identity file /Users/pacis/.ssh/id_dsa type -1
    debug1: Remote protocol version 2.0, remote software version OpenSSH_5.1p1 Debian-5
    debug1: match: OpenSSH_5.1p1 Debian-5 pat OpenSSH*
    debug1: Enabling compatibility mode for protocol 2.0
    debug1: Local version string SSH-2.0-OpenSSH_4.7
    debug1: SSH2_MSG_KEXINIT sent
    debug1: SSH2_MSG_KEXINIT received
    debug1: kex: server->client aes128-cbc hmac-md5 none
    debug1: kex: client->server aes128-cbc hmac-md5 none
    debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
    debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
    debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
    debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
    debug1: Host 'xxx.xxx.xxx.xxx' is known and matches the RSA host key.
    debug1: Found key in /Users/pacis/.ssh/known_hosts:40
    debug1: ssh_rsa_verify: signature correct
    debug1: SSH2_MSG_NEWKEYS sent
    debug1: expecting SSH2_MSG_NEWKEYS
    debug1: SSH2_MSG_NEWKEYS received
    debug1: SSH2_MSG_SERVICE_REQUEST sent
    debug1: SSH2_MSG_SERVICE_ACCEPT received
    debug1: Authentications that can continue: publickey,password
    debug1: Next authentication method: publickey
    debug1: Offering public key: /Users/pacis/.ssh/id_rsa
    debug1: Server accepts key: pkalg ssh-rsa blen 277
    debug1: Authentication succeeded (publickey).
    debug1: channel 0: new [client-session]
    debug1: Entering interactive session
Here is /etc/ssh/sshd_config:
    Port 22
    # Use these options to restrict which interfaces/protocols sshd will bind to
    #ListenAddress ::
    #ListenAddress 0.0.0.0
    Protocol 2
    # HostKeys for protocol version 2
    HostKey /etc/ssh/ssh_host_rsa_key
    HostKey /etc/ssh/ssh_host_dsa_key
    #Privilege Separation is turned on for security
    UsePrivilegeSeparation yes
    # Lifetime and size of ephemeral version 1 server key
    KeyRegenerationInterval 3600
    ServerKeyBits 768
    # Logging
    SyslogFacility AUTH
    LogLevel INFO
    # Authentication:
    LoginGraceTime 120
    PermitRootLogin yes
    StrictModes yes
    RSAAuthentication yes
    PubkeyAuthentication yes
    #AuthorizedKeysFile %h/.ssh/authorized_keys
    # Don't read the user's ~/.rhosts and ~/.shosts files
    IgnoreRhosts yes
    # For this to work you will also need host keys in /etc/ssh_known_hosts
    RhostsRSAAuthentication no
    # similar for protocol version 2
    HostbasedAuthentication no
    # Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
    #IgnoreUserKnownHosts yes
    # To enable empty passwords, change to yes (NOT RECOMMENDED)
    PermitEmptyPasswords no
    # Change to yes to enable challenge-response passwords (beware issues with
    # some PAM modules and threads)
    ChallengeResponseAuthentication no
    # Change to no to disable tunnelled clear text passwords
    #PasswordAuthentication yes
    # Kerberos options
    #KerberosAuthentication no
    #KerberosGetAFSToken no
    #KerberosOrLocalPasswd yes
    #KerberosTicketCleanup yes
    # GSSAPI options
    #GSSAPIAuthentication no
    #GSSAPICleanupCredentials yes
    X11Forwarding yes
    X11DisplayOffset 10
    PrintMotd no
    PrintLastLog yes
    TCPKeepAlive yes
    #UseLogin no
    #MaxStartups 10:30:60
    #Banner /etc/issue.net
    # Allow client to pass locale environment variables
    AcceptEnv LANG LC_*
    Subsystem sftp /usr/lib/openssh/sftp-server
    UsePAM yes
The last thing I can think of that might be relevant is the ls -la of the two accounts' home directories and .ssh directories.
The working one:
    total 40
    drwxr-x--- 5 user1 www-data 4096 2009-10-29 22:11 .
    drwxr-x--x 6 root  www-data 4096 2009-10-27 23:09 ..
    ....
    drwx------ 2 user1 user1    4096 2009-10-23 07:20 .ssh

    total 12
    drwx------ 2 user1 user1    4096 2009-10-23 07:20 .
    drwxr-x--- 5 user1 www-data 4096 2009-10-29 22:11 ..
    -rw------- 1 user1 user1     413 2009-10-23 07:20 authorized_keys
The non-working one:
    total 68
    drwxrwxr-- 6 user2 www-data 4096 2009-11-07 12:13 .
    drwxr-x--x 5 root  root     4096 2009-10-09 14:29 ..
    ....
    drwx------ 2 user2 user2    4096 2009-11-07 15:52 .ssh

    total 12
    drwx------ 2 user2 user2    4096 2009-11-08 20:32 .
    drwxrwxr-- 6 user2 www-data 4096 2009-11-07 12:13 ..
    -rw------- 1 user2 user2     412 2009-11-07 09:55 authorized_keys
I have no idea why it does not work; I have checked and re-checked everything several times. What am I missing?
Thanks for your time.
Try removing group write access on the home directory of the user2 account that is not working... SSH will complain if anyone other than the account's user has write access. If you look at the directory listings you posted, the working one has:
    drwxr-x--- 5 user1 www-data 4096 2009-10-29 22:11 ..
The non-working account has:
    drwxrwxr-- 6 user2 www-data 4096 2009-11-07 12:13 ..
As I pointed out in my earlier comment on the original question, this is a permissions/ownership issue. Once the information was provided it was plainly obvious.
Looking at one of my own accounts, I get the following:
    $ ls -lnd .
    drwxr-xr-x 14 97037 97037 4096 Nov  8 09:31 .
    $ ls -lnd .ssh
    drwx------ 2 97037 97037 4096 Jun 16 11:30 .ssh
    $ ls -lnd .ssh/authorized_keys
    -rw------- 1 97037 97037 388 Jun 16 11:30 .ssh/authorized_keys
I can only imagine that the www-data group membership is a misguided way of restricting access to the home directory while still allowing Apache to serve web pages from inside the users' directories.
Also, regarding the suggested permissions on the ~/.ssh directory, cawer's suggestion was given a short dismissal stating that all the permissions were correct and identical, but the evidence provided says otherwise.
Since the proof is in the pudding... here is the ssh connection log to my account:
    $ ssh -v example.com
    OpenSSH_5.1p1 Debian-6ubuntu2, OpenSSL 0.9.8g 19 Oct 2007
    debug1: Reading configuration data /home/jbouse/.ssh/config
    debug1: Applying options for *
    debug1: Reading configuration data /etc/ssh/ssh_config
    debug1: Applying options for *
    debug1: Connecting to example.com [xxxx] port 22.
    debug1: Connection established.
    debug1: identity file /home/jbouse/.ssh/keys.d/id_rsa.example type -1
    debug1: identity file /home/jbouse/.ssh/keys.d/id_dsa.example type -1
    debug1: identity file /home/jbouse/.ssh/keys.d/jbouse@example type -1
    debug1: Remote protocol version 2.0, remote software version OpenSSH_4.3
    debug1: match: OpenSSH_4.3 pat OpenSSH_4*
    debug1: Enabling compatibility mode for protocol 2.0
    debug1: Local version string SSH-2.0-OpenSSH_5.1p1 Debian-6ubuntu2
    debug1: SSH2_MSG_KEXINIT sent
    debug1: SSH2_MSG_KEXINIT received
    debug1: kex: server->client aes128-cbc hmac-md5 none
    debug1: kex: client->server aes128-cbc hmac-md5 none
    debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
    debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
    debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
    debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
    debug1: Host 'example.com' is known and matches the RSA host key.
    debug1: Found key in /home/jbouse/.ssh/known_hosts:85
    debug1: ssh_rsa_verify: signature correct
    debug1: SSH2_MSG_NEWKEYS sent
    debug1: expecting SSH2_MSG_NEWKEYS
    debug1: SSH2_MSG_NEWKEYS received
    debug1: SSH2_MSG_SERVICE_REQUEST sent
    debug1: SSH2_MSG_SERVICE_ACCEPT received
    debug1: Authentications that can continue: publickey,password
    debug1: Next authentication method: publickey
    debug1: Trying private key: /home/jbouse/.ssh/keys.d/id_rsa.example
    debug1: Trying private key: /home/jbouse/.ssh/keys.d/id_dsa.example
    debug1: Trying private key: /home/jbouse/.ssh/keys.d/jbouse@example
    debug1: read PEM private key done: type RSA
    debug1: Authentication succeeded (publickey).
    debug1: channel 0: new [client-session]
    debug1: Entering interactive session.
    debug1: Sending environment.
    debug1: Sending env LANG = en_US.UTF-8
If I then run the following to set my home directory permissions the same as your user2 account:
    $ ls -lnd .
    drwxr-xr-x 14 97037 97037 4096 Nov  8 09:31 .
    $ chmod g+w .
    $ ls -lnd .
    drwxrwxr-x 14 97037 97037 4096 Nov  8 09:31 .
and then try connecting again, I get the following SSH log:
    $ ssh -v example.com
    OpenSSH_5.1p1 Debian-6ubuntu2, OpenSSL 0.9.8g 19 Oct 2007
    debug1: Reading configuration data /home/jbouse/.ssh/config
    debug1: Applying options for *
    debug1: Reading configuration data /etc/ssh/ssh_config
    debug1: Applying options for *
    debug1: Connecting to example.com [xxxx] port 22.
    debug1: Connection established.
    debug1: identity file /home/jbouse/.ssh/keys.d/id_rsa.example type -1
    debug1: identity file /home/jbouse/.ssh/keys.d/id_dsa.example type -1
    debug1: identity file /home/jbouse/.ssh/keys.d/jbouse@example type -1
    debug1: Remote protocol version 2.0, remote software version OpenSSH_4.3
    debug1: match: OpenSSH_4.3 pat OpenSSH_4*
    debug1: Enabling compatibility mode for protocol 2.0
    debug1: Local version string SSH-2.0-OpenSSH_5.1p1 Debian-6ubuntu2
    debug1: SSH2_MSG_KEXINIT sent
    debug1: SSH2_MSG_KEXINIT received
    debug1: kex: server->client aes128-cbc hmac-md5 none
    debug1: kex: client->server aes128-cbc hmac-md5 none
    debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
    debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
    debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
    debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
    debug1: Host 'example.com' is known and matches the RSA host key.
    debug1: Found key in /home/jbouse/.ssh/known_hosts:85
    debug1: ssh_rsa_verify: signature correct
    debug1: SSH2_MSG_NEWKEYS sent
    debug1: expecting SSH2_MSG_NEWKEYS
    debug1: SSH2_MSG_NEWKEYS received
    debug1: SSH2_MSG_SERVICE_REQUEST sent
    debug1: SSH2_MSG_SERVICE_ACCEPT received
    debug1: Authentications that can continue: publickey,password
    debug1: Next authentication method: publickey
    debug1: Trying private key: /home/jbouse/.ssh/keys.d/id_rsa.example
    debug1: Trying private key: /home/jbouse/.ssh/keys.d/id_dsa.example
    debug1: Trying private key: /home/jbouse/.ssh/keys.d/jbouse@example
    debug1: read PEM private key done: type RSA
    debug1: Authentications that can continue: publickey,password
    debug1: Next authentication method: password
When I change the permissions back by removing group write access, I can log in to the account again.
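The check behind the two logs above and in the first answer, as an added example that is not from any of the posters: a POSIX sh reproduction of the ownership and write-bit test sshd applies under StrictModes yes to the home directory, ~/.ssh and authorized_keys, run against constructed temp layouts shaped like user1's and user2's. The function names strictmodes_check and demo_layout are chosen here.

```shell
#!/bin/sh
# Added example, not from the thread. Mirrors what sshd checks under
# "StrictModes yes" before it will read ~/.ssh/authorized_keys: the home
# directory, .ssh and the key file must each be owned by the user (or root)
# and must not be writable by group or others. A failure on any of them makes
# sshd skip the key silently and fall through to password authentication.

# strictmodes_check HOME_DIR OWNER_UID
# Returns 0 when sshd would accept the layout; otherwise prints the first
# offending path and returns 1.
strictmodes_check() {
    home=$1; uid=$2
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        info=$(ls -ldn "$p" 2>/dev/null) || { printf 'missing: %s\n' "$p"; return 1; }
        # ls -ldn prints e.g. "drwxrwxr-- 6 1001 33 4096 ...": field 1 is the
        # mode string, field 3 the numeric owner uid
        set -- $info
        mode=$1; owner=$3
        gw=$(printf '%s' "$mode" | cut -c6)   # group write bit
        ow=$(printf '%s' "$mode" | cut -c9)   # others write bit
        if [ "$owner" != "$uid" ] && [ "$owner" != 0 ]; then
            printf 'bad owner %s on %s\n' "$owner" "$p"; return 1
        fi
        if [ "$gw" = w ] || [ "$ow" = w ]; then
            printf 'group/world writable: %s (%s)\n' "$p" "$mode"; return 1
        fi
    done
    return 0
}

# demo_layout good|bad: build a constructed home directory under a temp dir
# (user1's 750 home from the question, or user2's group-writable 774 home)
# and run the check against it as the current user.
demo_layout() {
    d=$(mktemp -d) || return 2
    mkdir -m 700 "$d/.ssh"
    touch "$d/.ssh/authorized_keys"
    chmod 600 "$d/.ssh/authorized_keys"
    if [ "$1" = bad ]; then chmod 774 "$d"; else chmod 750 "$d"; fi
    strictmodes_check "$d" "$(id -u)" && rc=0 || rc=$?
    rm -rf "$d"
    return $rc
}

demo_layout good && echo "user1-style layout: accepted"
demo_layout bad || echo "user2-style layout: rejected, as in the question"
```

Running strictmodes_check "$HOME" "$(id -u)" on the server as the affected user points at the exact path sshd objects to, which is quicker than reading auth.log.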
Check the permissions of the .ssh folder on the server you are trying to log in to. Run chmod -R 600 .ssh. Ssh is picky when it comes to broken permissions and public keys.
You have checked all the usual candidates for key validation failure; the next thing I would do is raise the logging level on the server and then check /var/log/auth.log to see what is reported differently for the two logins.
Another thing worth clarifying - on the account that asks for a password, if you enter the password, does it work and let you log in? If a PAM restriction is denying login for that particular account (and you have SSH configured to use PAM), you can get this kind of result, because with password authentication the other PAM restrictions are only checked after the password has been entered.
Your "authorized_keys" file may have a different name. Check it:
    $ cat /etc/ssh/sshd_config | grep AuthorizedKeys
    #AuthorizedKeysFile %h/.ssh/authorized_keys
If it is not overridden, check the permissions on that file and its directory: it must be readable by the user logging in.
Is this a Debian system? If so, the non-working user may have a weak key.
See the Debian wiki for how to test your key.
If you have a weak key, you have to upgrade the ssh package on the client system and regenerate the key for the affected user.
    ln -s authorized_keys authorized_keys2
usually fixes this for me. Note that, IIRC, the documentation discourages this.