我在设置 SSH 公钥身份验证时遇到了麻烦。我想用它将我的服务器备份到带有 SSH 的备份服务器。我将使用 cronjob 自动执行此操作,因此我无法输入密码等。
我做了什么:
- 使用
ssh-keygen - 使用以下方式将密钥复制到备份服务器
ssh-copy-id - 使用以下命令启动 SSH 代理
ssh-agent bash - 使用以下方式将密钥添加到代理
ssh-add - 验证一下
ssh-add -l-密钥已添加 - 验证一切 - 一切正常
我使用sudo -s主服务器上的 root 身份(通过)以及备份服务器上的我自己的用户完成了所有这些操作。
但是,现在我从主服务器上的 sudo 注销并重新登录(使用 sudo 以 root 身份登录)。当我尝试使用我的密钥 ( ssh -i the-key the-user@the-host) 打开连接时,我必须再次输入密码!因此我运行ssh-add -l并得到:
Could not open a connection to your authentication agent
我该如何设置才能不再需要输入密码?
这里是ssh -vvv the-user@the-host:
root@cs:/# ssh -vvv [email protected]
OpenSSH_6.1p1 Debian-4, OpenSSL 1.0.1c 10 May 2012
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to 62.234.74.186 [62.234.74.186] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug3: Incorrect RSA1 identifier
debug3: Could not load "/.ssh/id_rsa" as a RSA1 public key
debug1: identity file /.ssh/id_rsa type 1
debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-2048
debug1: Checking blacklist file /etc/ssh/blacklist.RSA-2048
debug1: identity file /.ssh/id_rsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.9p1 Debian-5ubuntu1.1
debug1: match: OpenSSH_5.9p1 Debian-5ubuntu1.1 pat OpenSSH_5*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.1p1 Debian-4
debug2: fd 3 setting O_NONBLOCK
debug3: load_hostkeys: loading entries for host "62.234.74.186" from file "/root/.ssh/known_hosts"
debug3: load_hostkeys: found key type ECDSA in file /root/.ssh/known_hosts:1
debug3: load_hostkeys: loaded 1 keys
debug3: order_hostkeyalgs: prefer hostkeyalgs: [email protected],[email protected],[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: [email protected],[email protected],[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,[email protected],[email protected],[email protected],[email protected],ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected]
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected]
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,[email protected],hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,[email protected],hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,[email protected],zlib
debug2: kex_parse_kexinit: none,[email protected],zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected]
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected]
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,[email protected],hmac-sha2-256,hmac-sha2-256-96,hmac-sha2-512,hmac-sha2-512-96,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,[email protected],hmac-sha2-256,hmac-sha2-256-96,hmac-sha2-512,hmac-sha2-512-96,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,[email protected]
debug2: kex_parse_kexinit: none,[email protected]
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: found hmac-md5
debug1: kex: server->client aes128-ctr hmac-md5 none
debug2: mac_setup: found hmac-md5
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ECDSA 24:60:36:95:d8:3f:04:b0:20:94:6b:a9:98:bf:22:1b
debug3: load_hostkeys: loading entries for host "62.234.74.186" from file "/root/.ssh/known_hosts"
debug3: load_hostkeys: found key type ECDSA in file /root/.ssh/known_hosts:1
debug3: load_hostkeys: loaded 1 keys
debug1: Host '62.234.74.186' is known and matches the ECDSA host key.
debug1: Found key in /root/.ssh/known_hosts:1
debug1: ssh_ecdsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /.ssh/id_rsa (0x7f4a9ecf0810)
debug1: Authentications that can continue: publickey,password
debug3: start over, passed a different list publickey,password
debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /.ssh/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Server accepts key: pkalg ssh-rsa blen 279
debug2: input_userauth_pk_ok: fp fe:2f:03:4a:68:c0:ce:b1:e9:b5:74:9c:c5:cb:f5:1f
debug3: sign_and_send_pubkey: RSA fe:2f:03:4a:68:c0:ce:b1:e9:b5:74:9c:c5:cb:f5:1f
debug1: key_parse_private_pem: PEM_read_PrivateKey failed
debug1: read PEM private key done: type <unknown>
Enter passphrase for key '/.ssh/id_rsa':
/var/log/auth.log这是服务器端的相关部分:
Jun 14 10:06:30 laptop-camil sshd[2265]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=vivisoft.nl user=camilstaps
Jun 14 10:06:34 laptop-camil sshd[2265]: Connection closed by 164.138.27.37 [preauth]
这是我运行时得到的结果nohup ssh-agent bash &(参见评论):
root@cs:~# nohup ssh-agent bash &
[1] 1287
root@cs:~# nohup: ignoring input and appending output to ânohup.outâ
<here is an empty line with the cursor>
由于某种原因,的输出nohup被放在下一行,并添加了一个新行。
答案1
首先:根据设计,密钥代理应该在您注销时退出。出于安全问题,如果您误注销,您不希望登录信息处于打开状态。因此,您真的不应该为此使用 ssh 密钥代理,这不是正确的使用方式。
第二:可以限制用户使用很少的权限,在 /srv/backup 或任何可以访问的地方存储/接收备份文件。要登录该用户,您需要一个没有任何证书密码的 ssh 证书,因此如果客户端拥有正确的证书,您无需密码即可登录。
然后,您甚至可以限制允许哪些机器连接以及在 ~/.ssh 中运行哪些程序,请在手册中查找。
答案2
当您以 root 身份登录(上面的详细输出显示您已登录)并运行时ssh,它将在 root 的 .ssh 目录中查找密钥;而不是ssh连接字符串中指定的用户的目录。
我不完全确定您为什么要使用其中任何一个来运行它sudo;当您创建和复制密钥时,您需要以您打算使用的用户身份登录ssh。
我对你所做的描述有点困惑,但作为第一步,我建议你确保已经在正确用户的 .ssh 目录中创建了密钥,并且在运行时ssh你以正确的用户身份运行它以获取该密钥文件。
问题的第二部分是关于如何使用ssh-agent来存储密钥的密码。这里有一个很好的指南:http://www.akadia.com/services/ssh_agent.html。同样,您需要ssh-agent以正确的用户身份运行(如果不清楚,则在客户端上运行)。请注意,它只ssh-agent会将密码存储在内存中,因此如果终止它并启动新ssh-agent进程,它将不再记住您的密码。在服务器上,这不是问题;您只需要启动一次代理并使其在后台运行。上面的链接中有详细信息,解释了如何通过将代理套接字的位置存储在备份脚本可以读取的临时文件中来告诉脚本在哪里找到代理。