我有一台装有 SSH 服务器的 ubuntu server 14.10,并且我的 System76 darter 笔记本电脑运行 Debian Sid,密码验证工作正常。我想切换到 rsa-key 验证。
在本地系统上,我生成了密钥,将公钥放在服务器上,然后编辑 /etc/ssh/sshd_config 以允许密钥认证,然后重新启动服务。当我尝试通过 ssh 进入服务器时,系统提示我输入密码。我停止了服务,然后以调试模式重新启动了 sshd:
sudo /usr/sbin/sshd -d
然后我尝试登录,并收到以下消息(由于过度偏执,我用#删除了大量内容,但我认为它们并不相关):
debug1: sshd version OpenSSH_6.6.1, OpenSSL 1.0.1f 6 Jan 2014
debug1: key_parse_private2: missing begin marker
debug1: read PEM private key done: type RSA
debug1: private host key: #0 type 1 RSA
debug1: key_parse_private2: missing begin marker
debug1: read PEM private key done: type DSA
debug1: private host key: #1 type 2 DSA
debug1: key_parse_private2: missing begin marker
debug1: read PEM private key done: type ECDSA
debug1: private host key: #2 type 3 ECDSA
debug1: rexec_argv[0]='/usr/sbin/sshd'
debug1: rexec_argv[1]='-d'
Set /proc/self/oom_score_adj from 0 to -1000
debug1: Bind to port ##### on 192.168.1.###.
Server listening on 192.168.1.### port #####.
debug1: Server will not fork when running in debugging mode.
debug1: rexec start in 4 out 4 newsock 4 pipe -1 sock 7
debug1: inetd sockets after dupping: 3, 3
Connection from 192.168.1.### port 34258 on 192.168.1.### port #####
debug1: Client protocol version 2.0; client software version OpenSSH_6.7p1 Debian-3
debug1: match: OpenSSH_6.7p1 Debian-3 pat OpenSSH* compat 0x04000000
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2
debug1: permanently_set_uid: 107/65534 [preauth]
debug1: list_hostkey_types: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256 [preauth]
debug1: SSH2_MSG_KEXINIT sent [preauth]
debug1: SSH2_MSG_KEXINIT received [preauth]
debug1: kex: client->server aes128-ctr [email protected] none [preauth]
debug1: kex: server->client aes128-ctr [email protected] none [preauth]
debug1: expecting SSH2_MSG_KEX_ECDH_INIT [preauth]
debug1: SSH2_MSG_NEWKEYS sent [preauth]
debug1: expecting SSH2_MSG_NEWKEYS [preauth]
debug1: SSH2_MSG_NEWKEYS received [preauth]
debug1: KEX done [preauth]
debug1: userauth-request for user surfrock66 service ssh-connection method non [preauth]
debug1: attempt 0 failures 0 [preauth]
debug1: PAM: initializing for "surfrock66"
debug1: PAM: setting PAM_RHOST to "sr66-darter.######.com"
debug1: PAM: setting PAM_TTY to "ssh"
debug1: userauth-request for user surfrock66 service ssh-connection method publickey [preauth]
debug1: attempt 1 failures 0 [preauth]
debug1: test whether pkalg/pkblob are acceptable [preauth]
debug1: temporarily_use_uid: 1000/1000 (e=0/0)
debug1: trying public key file /home/surfrock66/.ssh/authorized_keys
debug1: fd 4 clearing O_NONBLOCK
Authentication refused: bad ownership or modes for directory /home/surfrock66
debug1: restore_uid: 0/0
Failed publickey for surfrock66 from 192.168.1.### port 34258 ssh2: RSA ##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##
Connection closed by 192.168.1.### [preauth]
debug1: do_cleanup [preauth]
debug1: do_cleanup
debug1: PAM: cleanup
debug1: Killing privsep child 14705
具体来说,我看到了
Authentication refused: bad ownership or modes for directory /home/surfrock66
我进行了大量研究,发现 .ssh 目录及其下文件的权限存在问题,但我从未听说过与主目录权限有关的问题。我怀疑这与 sshd 启动时所用的用户没有访问我的主目录的权限有关。以下是相关权限:
surfrock66@sr66-blade:~$ ls -as1l /home/
total 12
4 drwxr-xr-x 3 root root 4096 Sep 8 2013 .
4 drwxr-xr-x 22 root root 4096 Dec 11 07:47 ..
4 drwxrwxrwx 54 surfrock66 surfrock66 4096 Dec 28 12:30 surfrock66
surfrock66@sr66-blade:~$ ls -as1l /home/surfrock66/ | grep .ssh
4 drwx------ 2 surfrock66 surfrock66 4096 Dec 28 12:04 .ssh
surfrock66@sr66-blade:~$ ls -as1l /home/surfrock66/.ssh/
total 28
4 drwx------ 2 surfrock66 surfrock66 4096 Dec 28 12:04 .
4 drwxrwxrwx 54 surfrock66 surfrock66 4096 Dec 28 12:30 ..
4 -rw-r--r-- 1 surfrock66 surfrock66 404 Dec 28 12:04 authorized_keys
4 -rw------- 1 surfrock66 surfrock66 1679 Nov 12 2012 id_rsa
4 -rw-r--r-- 1 surfrock66 surfrock66 403 Nov 12 2012 id_rsa.pub
4 -rw------- 1 surfrock66 surfrock66 3964 Nov 10 19:51 known_hosts
4 -rw------- 1 surfrock66 surfrock66 3078 Dec 10 2013 known_hosts.old
如果有帮助,这里是服务器运行和登录失败期间 /var/log/auth.log 的输出:
Dec 28 14:32:30 sr66-blade sudo: surfrock66 : TTY=pts/3 ; PWD=/home/surfrock66 ; USER=root ; COMMAND=/usr/sbin/sshd -d
Dec 28 14:32:30 sr66-blade sudo: pam_unix(sudo:session): session opened for user root by surfrock66(uid=0)
Dec 28 14:32:32 sr66-blade sshd[27862]: debug1: sshd version OpenSSH_6.6.1, OpenSSL 1.0.1f 6 Jan 2014
Dec 28 14:32:32 sr66-blade sshd[27862]: debug1: key_parse_private2: missing begin marker
Dec 28 14:32:32 sr66-blade sshd[27862]: debug1: read PEM private key done: type RSA
Dec 28 14:32:32 sr66-blade sshd[27862]: debug1: private host key: #0 type 1 RSA
Dec 28 14:32:32 sr66-blade sshd[27862]: debug1: key_parse_private2: missing begin marker
Dec 28 14:32:32 sr66-blade sshd[27862]: debug1: read PEM private key done: type DSA
Dec 28 14:32:32 sr66-blade sshd[27862]: debug1: private host key: #1 type 2 DSA
Dec 28 14:32:32 sr66-blade sshd[27862]: debug1: key_parse_private2: missing begin marker
Dec 28 14:32:32 sr66-blade sshd[27862]: debug1: read PEM private key done: type ECDSA
Dec 28 14:32:32 sr66-blade sshd[27862]: debug1: private host key: #2 type 3 ECDSA
Dec 28 14:32:35 sr66-blade sudo: pam_unix(sudo:session): session closed for user root
Dec 28 14:32:44 sr66-blade sudo: surfrock66 : TTY=pts/3 ; PWD=/home/surfrock66 ; USER=root ; COMMAND=/usr/bin/tail -n /var/log/auth.log
Dec 28 14:32:44 sr66-blade sudo: pam_unix(sudo:session): session opened for user root by surfrock66(uid=0)
Dec 28 14:32:44 sr66-blade sudo: pam_unix(sudo:session): session closed for user root
Dec 28 14:32:48 sr66-blade sudo: surfrock66 : TTY=pts/3 ; PWD=/home/surfrock66 ; USER=root ; COMMAND=/usr/bin/tail -n 100 /var/log/auth.log
Dec 28 14:32:48 sr66-blade sudo: pam_unix(sudo:session): session opened for user root by surfrock66(uid=0)
这是 /etc/ssh/sshd_config
surfrock66@sr66-blade:~$ cat /etc/ssh/sshd_config
# Package generated configuration file
# See the sshd_config(5) manpage for details
# What ports, IPs and protocols we listen for
Port #####
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
ListenAddress 192.168.1.###
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes
# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 1024
# Logging
SyslogFacility AUTH
LogLevel INFO
# Authentication:
LoginGraceTime 120
PermitRootLogin no
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile %h/.ssh/authorized_keys
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes
# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no
# Change to no to disable tunnelled clear text passwords
#PasswordAuthentication yes
# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no
#MaxStartups 10:30:60
#Banner /etc/issue.net
# Allow client to pass locale environment variables
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes
为了完整起见,这是 /etc/ssh/ssh_config
surfrock66@sr66-blade:~$ cat /etc/ssh/ssh_config
# This is the ssh client system-wide configuration file. See
# ssh_config(5) for more information. This file provides defaults for
# users, and the values can be changed in per-user configuration files
# or on the command line.
# Configuration data is parsed as follows:
# 1. command line options
# 2. user-specific file
# 3. system-wide file
# Any configuration value is only changed the first time it is set.
# Thus, host-specific definitions should be at the beginning of the
# configuration file, and defaults at the end.
# Site-wide defaults for some commonly used options. For a comprehensive
# list of available options, their meanings and defaults, please see the
# ssh_config(5) man page.
Host *
ForwardAgent yes
ForwardX11 yes
ForwardX11Trusted yes
# RhostsRSAAuthentication no
RSAAuthentication yes
# PasswordAuthentication yes
# HostbasedAuthentication no
# GSSAPIAuthentication no
# GSSAPIDelegateCredentials no
# GSSAPIKeyExchange no
# GSSAPITrustDNS no
# BatchMode no
# CheckHostIP yes
# AddressFamily any
# ConnectTimeout 0
# StrictHostKeyChecking ask
# IdentityFile ~/.ssh/identity
# IdentityFile ~/.ssh/id_rsa
# IdentityFile ~/.ssh/id_dsa
# Port 22
# Protocol 2,1
# Cipher 3des
# Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc
# MACs hmac-md5,hmac-sha1,[email protected],hmac-ripemd160
# EscapeChar ~
# Tunnel no
# TunnelDevice any:any
# PermitLocalCommand no
# VisualHostKey no
# ProxyCommand ssh -q -W %h:%p gateway.example.com
# RekeyLimit 1G 1h
SendEnv LANG LC_*
HashKnownHosts yes
GSSAPIAuthentication yes
GSSAPIDelegateCredentials no
任何帮助/想法都将不胜感激!
答案1
在这里找到答案:https://unix.stackexchange.com/questions/37164/ssh-and-home-directory-permissions
事实证明,/home/surfrock66 不能是 777(它本来就不应该是 777)。现在它是 750,并且运行正常。