如何使用公钥 ssh 身份验证

如何使用公钥 ssh 身份验证

我有 2 台 ubuntu 12.04 (beta) 服务器(node1 和 node2),想在它们之间建立无密码 root 访问权限。其他用户不应有权访问其他机器。另请注意,ssh 默认端口已更改为 220。

这是我所做的:

sudo -i
cd /root/.ssh
ssh-keygen -t rsa # with default name and empty password
cat id_rsa.pub > authorized_keys

然后将 id_rsa 和 id_rsa.pub 复制到 node2,并将 id_rsa.pub 添加到 authorized_keys。两个主机都有相同的 /root/.ssh/config 文件:

Host node1
Hostname 1.2.3.4
Port 220
IdentityFile /root/.ssh/id_rsa

Host node2
Hostname 5.6.7.8
Port 220
IdentityFile /root/.ssh/id_rsa

现在的问题是,当我输入密码时,ssh node2系统会要求我输入密码。可能是什么问题?

更新:

客户端上的调试信息:

debug1: Server host key: RSA ***
debug1: Host '[*.*.*.*]:220' is known and matches the RSA host key.
debug1: Found key in /root/.ssh/known_hosts:6
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /root/.ssh/id_rsa ((nil))
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Trying private key: /root/.ssh/id_rsa
debug1: read PEM private key done: type RSA
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,password
debug2: we did not send a packet, disable method
debug1: Next authentication method: password

服务器上的调试信息:

debug1: userauth-request for user root service ssh-connection method none [preauth]
debug1: attempt 0 failures 0 [preauth]
debug1: PAM: initializing for "root"
debug1: PAM: setting PAM_RHOST to "*.*.*.*"
debug1: PAM: setting PAM_TTY to "ssh"
debug1: userauth-request for user root service ssh-connection method publickey [preauth]
debug1: attempt 1 failures 0 [preauth]
debug1: test whether pkalg/pkblob are acceptable [preauth]
debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-2048
debug1: Checking blacklist file /etc/ssh/blacklist.RSA-2048
debug1: temporarily_use_uid: 0/0 (e=0/0)
debug1: trying public key file /root/.ssh/authorized_keys
debug1: fd 4 clearing O_NONBLOCK
debug1: matching key found: file /root/.ssh/authorized_keys, line 2
Found matching RSA key: ****
debug1: restore_uid: 0/0
debug3: mm_answer_keyallowed: key 0x7f0647b0c1b0 is allowed
debug3: mm_request_send entering: type 22
debug2: userauth_pubkey: authenticated 0 pkalg ssh-rsa [preauth]
Postponed publickey for root from *.*.*.* port 38887 ssh2 [preauth]

权限:

drwx------ 2 root root   4096 Mar 26 15:34 .ssh

-rw------- 1 root root  840 Mar 26 14:50 authorized_keys
-rw-r--r-- 1 root root  225 Mar 26 15:34 config
-rw------- 1 root root 1679 Mar 26 14:47 id_rsa
-rw-r--r-- 1 root root 2652 Mar 26 14:39 known_hosts

配置文件中的一些行:

PermitRootLogin without-password
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile  %h/.ssh/authorized_keys
UsePAM no # also tried yes

答案1

root 的主目录是否加密了(可能通过 ecryptfs 加密)?

我遇到了类似的问题,除非用户已经有一个活动会话,否则公钥身份验证将不起作用。阅读这个问题,我意识到通过选择加密用户的主目录,我阻止了 sshd 读取 ~/.ssh/authorized_keys,除非用户已经登录另一个会话(然后会自动解密主目录)。

我通过切换到未加密的主目录解决了这个问题,之后公钥认证开始起作用。

答案2

ssh 附带一个将公钥复制到远程服务器的命令ssh-copy-id。它负责处理任何必要的权限和其他各种“问题”。

例子:

ssh-copy-id -i $HOME/.ssh/id_dsa [email protected]

复制后,ssh-copy-id您不再需要输入密码ssh

答案3

一些建议:

  • 检查 /root/.ssh 的权限(及其内容
  • 检查 ssh 是否允许 root 登录和/或公钥认证(/etc/ssh/sshd_config iirc)
  • 使用 ssh -v -v 查看更多调试输出

答案4

我遇到这种情况是因为我的系统上有一个加密用户。这导致 sshd 假设每个用户目录都已加密,并且 authorized_keys 文件位于/etc/ssh/username/authorized_keys

对我来说,在我将授权密钥移至 之后,它就起作用了/etc/ssh/username/chown -R username:username /etc/ssh/username/有趣的是,我必须为每个用户执行此操作,即使是未加密的用户!

相关内容