所以我一直在努力尝试在没有密码的情况下进行身份验证。这是我的所有步骤。
在源主机上使用 ssh-keygen 并将文件保存到默认目录中,其中空白关键字(回车)
drwx------ 2 root root 4096 Dec 11 18:08 .ssh是文件权限。ssh-keyscan 192.168.117.131 > known_hostsssh-copy-id [email protected]并输入“用户”的密码。输入密码后,我得到:
ssh 复制 ID[电子邮件受保护] /usr/bin/ssh-copy-id:信息:尝试使用新密钥登录,以过滤掉任何已安装的密钥 /usr/bin/ssh-copy-id: INFO: 1 个密钥仍需安装 - 如果现在提示您安装新密钥 [电子邮件受保护]的密码: 添加的钥匙数量:1 现在尝试使用以下命令登录计算机:“ssh”[电子邮件受保护]'` 并检查以确保仅添加了您想要的密钥。
ssh [email protected]并且仍然需要密码。
在远程主机上
drwxr-xr-x 2 user user 4096 Dec 12 08:27 .ssh
和
-rwxr-xr-x 1 user user 391 Dec 12 08:27 authorized_keys
authorized_key文件的密钥与id_rsa.pub源服务器上的密钥相同。
我的sshd_config文件有以下设置:
#LoginGraceTime 2m
#PermitRootLogin prohibit-password
StrictModes no
#MaxAuthTries 6
#MaxSessions 10
PubkeyAuthentication yes
# Expect .ssh/authorized_keys2 to be disregarded by default in future.
AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2
/etc/init.d/ssh restart从源服务器再次尝试 SSH,但仍然要求输入密码。
这也是我的调试日志:
root@kali:~/.ssh# ssh -v [email protected]
OpenSSH_7.4p1 Debian-10, OpenSSL 1.0.2k 26 Jan 2017
debug1: Reading configuration data /root/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to 192.168.117.131 [192.168.117.131] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: identity file /root/.ssh/id_rsa type 1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.4p1 Debian-10
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.5p1 Ubuntu-10
debug1: match: OpenSSH_7.5p1 Ubuntu-10 pat OpenSSH* compat 0x04000000
debug1: Authenticating to 192.168.117.131:22 as 'user'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: [email protected] MAC: <implicit> compression: none
debug1: kex: client->server cipher: [email protected] MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:uGQe2r9lvKFm6w5p5jInX8Ywrg2PmICccUvC+q+Wc18
debug1: Host '192.168.117.131' is known and matches the ECDSA host key.
debug1: Found key in /root/.ssh/known_hosts:3
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey after 134217728 blocks
debug1: Skipping ssh-rsa key /root/.ssh/id_rsa - not in PubkeyAcceptedKeyTypes
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Trying private key: /root/.ssh/id_dsa
debug1: Trying private key: /root/.ssh/id_ecdsa
debug1: Trying private key: /root/.ssh/id_ed25519
debug1: Next authentication method: password
[email protected]'s password:
请帮忙,过去两天我一直在努力解决这个问题。
答案1
从调试消息来看,您的本地 ssh 似乎需要进行一些配置更改。您可以看到本地 ssh debug1:,跳过您的 RSA 密钥:
debug1: Skipping ssh-rsa key /root/.ssh/id_rsa - not in PubkeyAcceptedKeyTypes
您可以通过查看以下手册页来了解如何配置此选项ssh_config:
PubkeyAcceptedKeyTypes
Specifies the key types that will be used for public key authentication as a comma-separated pattern list. Alternately if the speci‐
fied value begins with a ‘+’ character, then the key types after it will be appended to the default instead of replacing it. If the
specified value begins with a ‘-’ character, then the specified key types (including wildcards) will be removed from the default set
instead of replacing them. The default for this option is:
[email protected],
[email protected],
[email protected],
[email protected],
[email protected],
ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
ssh-ed25519,ssh-rsa
The list of available key types may also be obtained using "ssh -Q key".
因此,查询您的 ssh 配置:
ssh -Q key
应该为本地 ssh 客户端生成所有接受的密钥类型。
看来你的配置不是标准的默认配置。这似乎可能是由于您正在运行的 GNU/Linux 的专用版本:“Kali”
答案2
您遇到的错误是:
.ssh/id_dsa 表示不在 PubkeyAcceptedKeyTypes 中
Openssh(版本 7.0+)已弃用DSA 键并且是不是默认情况下使用它们,而不是使用RSA 密钥作为默认算法。
但是,如果您真的需要使用DSA 键,您必须在客户端配置文件中明确允许它们~/.ssh/config添加以下行,PubkeyAcceptedKeyTypes +ssh-dss如下所示:
nano ~/.ssh/config
## The file might lock like this
Host <remote-host>
HostName <remote-host>
User <user>
PubkeyAcceptedKeyTypes +ssh-dss
笔记:
我建议您验证您的目录$HOME和.ssh以及公钥和私钥在客户端中是否具有正确的权限。与远程主机中的目录$HOME和文件相同:.sshauthorized_keys
## in the client
sudo chmod -v 700 ~
sudo chmod -v 700 ~/.ssh
sudo chmod -v 600 ~/.ssh/id_rsa
sudo chmod -v 644 ~/.ssh/id_rsa.pub
## in the remote host
sudo chmod -v 700 ~
sudo chmod -v 700 ~/.ssh
sudo chmod -v 600 ~/.ssh/authorized_keys
chmod 700使文件可执行chmod 600允许用户读取和写入文件。chmod 644允许用户读写,而组和其他人只能读取该文件。
如果您使用配置文件,~/.ssh/config请检查您的用户是否是所有者及其权限是否正确:
sudo chown -v $USER:$USER ~/.ssh/config
sudo chmod -v 600 ~/.ssh/config
另外,使用更新密钥
ssh-agent bash
ssh-add ~/.ssh/id_rsa
检查/etc/ssh/sshd_config服务器以确保RSAAuthentication、PubkeyAuthentication和UsePAM选项未禁用。您可以通过删除#并将其设置为 来启用它们yes。
RSAAuthentication yes
PubkeyAuthentication yes
UsePAM yes
答案3
在主机上,~/.ssh除用户外,任何人都不能读取目录 ( drwx------),并且authorized_keys文件应该相同 ( -rw-------)。
如果不是这样,SSH 将忽略它。
答案4
我遇到了同样的问题。就我而言,尽管所有权限.ssh/都是正确的,但主文件夹本身的权限为 770。将其更改为 700 解决了该问题。