使用 id_dsa.pub 或 id_rsa.pub 或identity.pub 的无密码 ssh 不起作用

使用 id_dsa.pub 或 id_rsa.pub 或identity.pub 的无密码 ssh 不起作用

我有一台 Solaris 8 机器,我正在尝试在 Solaris 11 上通过不使用密码的方式对用户 George 进行身份验证。

ssh 的版本:

  • solaris8:OpenSSH_3.4p1,SSH 协议 1.5/2.0,OpenSSL 0x0090607f
  • solaris11:Sun_SSH_2.0、SSH 协议 1.5/2.0、OpenSSL 0x100000af

我尝试使用所有类型的 ssh-keygen。并多次检查我的配置是否正确(创建本地公钥/私钥,将私钥添加到 ssh-add 并将公钥复制到 authorized_keys 下的服务器。授予 ~/.ssh 权限 600 和 700)

当我尝试使用旧版本的 ssh (identity.pub) 时,我使用 -1 参数,连接仍然提示我输入密码

这是输出:

george@solaris11:~$ ssh -v george@solaris8 ls /  
Sun_SSH_2.0, SSH protocols 1.5/2.0, OpenSSL 0x100000af  
debug1: Reading configuration data /etc/ssh/ssh_config  
debug1: Rhosts Authentication disabled, originating port will not be trusted.  
debug1: ssh_connect: needpriv 0  
debug1: Connecting to alphasun [10.162.1.27] port 22.  
debug1: Connection established.  
debug1: ssh_kmf_check_uri: /export/home/george/.ssh/identity  
debug1: Identity file/URI '/export/home/george/.ssh/identity' pubkey type ssh-unknown  
debug1: ssh_kmf_check_uri: /export/home/george/.ssh/id_rsa  
debug1: ssh_kmf_key_from_blob: blob length is 277.  
debug1: Identity file/URI '/export/home/george/.ssh/id_rsa' pubkey type ssh-rsa  
debug1: ssh_kmf_check_uri: /export/home/george/.ssh/id_dsa  
debug1: ssh_kmf_key_from_blob: blob length is 433.  
debug1: Identity file/URI '/export/home/george/.ssh/id_dsa' pubkey type ssh-dss  
debug1: Logging to host: solaris8  
debug1: Local user: george Remote user: george  
debug1: Remote protocol version 1.99, remote software version OpenSSH_3.4p1  
debug1: match: OpenSSH_3.4p1 pat OpenSSH_3.2*,OpenSSH_3.3*,OpenSSH_3.4*,OpenSSH_3.5*  
debug1: Enabling compatibility mode for protocol 2.0  
debug1: Local version string SSH-2.0-Sun_SSH_2.0  
debug1: use_engine is 'yes'  
debug1: pkcs11 engine initialized, now setting it as default for RSA, DSA, and symmetric   ciphers
debug1: pkcs11 engine initialization complete  
debug1: Creating a global KMF session.  
debug1: My KEX proposal before adding the GSS KEX algorithm:  
debug1: Failed to acquire GSS-API credentials for any mechanisms (No credentials were   supplied, or the credentials were unavailable or inaccessible
)  
debug1: SSH2_MSG_KEXINIT sent  
debug1: SSH2_MSG_KEXINIT received  
debug1: My KEX proposal I sent to the peer:    
debug1: KEX proposal I received from the peer:  
debug1: kex: server->client arcfour hmac-sha1 none  
debug1: kex: client->server arcfour hmac-sha1 none  
debug1: Host key algorithm 'ssh-rsa' chosen for the KEX.  
debug1: Peer sent proposed langtags, ctos:  
debug1: Peer sent proposed langtags, stoc:  
debug1: We proposed langtags, ctos: el-GR  
debug1: We proposed langtags, stoc: el-GR  
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent  
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP  
debug1: dh_gen_key: priv key bits set: 144/320  
debug1: bits set: 1565/3191  
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent  
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY  
debug1: ssh_kmf_key_from_blob: blob length is 149.  
debug1: ssh_kmf_key_from_blob: blob length is 149.  
debug1: ssh_kmf_key_from_blob: blob length is 149.  
debug1: Host 'solaris' is known and matches the RSA host key.  
debug1: Found key in /export/home/george/.ssh/known_hosts:1  
debug1: bits set: 1550/3191  
debug1: ssh_rsa_verify: signature correct  
debug1: set_newkeys: setting new keys for 'out' mode  
debug1: SSH2_MSG_NEWKEYS sent  
debug1: expecting SSH2_MSG_NEWKEYS  
debug1: set_newkeys: setting new keys for 'in' mode  
debug1: SSH2_MSG_NEWKEYS received  
debug1: done: ssh_kex2.  
debug1: send SSH2_MSG_SERVICE_REQUEST  
debug1: got SSH2_MSG_SERVICE_ACCEPT  
debug1: Authentications that can continue: publickey,password,keyboard-interactive  
debug1: Next authentication method: publickey  
debug1: Trying public key: /export/home/george/.ssh/id_rsa  
debug1: Authentications that can continue: publickey,password,keyboard-interactive  
debug1: Trying public key: /export/home/george/.ssh/id_dsa  
debug1: Authentications that can continue: publickey,password,keyboard-interactive  
debug1: Next authentication method: keyboard-interactive  
debug1: Authentications that can continue: publickey,password,keyboard-interactive  
debug1: Next authentication method: password  
george@solaris8's password:  

但是我无法在远程服务器上找到 authlog 文件(/var/log/ 或任何其他 ssh 目录下均无)我已尝试使用相同的 solaris 11 进行客户端-服务器连接,并且成功了!所以这可能是 ssh 版本之间的兼容性问题。这就是为什么我也尝试使用 -1 进行连接。

有人能帮助我解决这个问题吗?谢谢!

答案1

我有一种挥之不去的感觉,十年前我在 Sun 220R 上遇到过同样的问题。我几乎可以肯定它与 pam 有关/etc/pam.conf。检查/var/adm/日志文件,有时dmesg

我记不太清楚了。这个帖子似乎有点熟悉。我认为你最好打开 Sol8 的 OpenSSH 上的调试功能。

顺便说一句,如果您不解决这个问题 - 该版本的 OpenSSH 有相当多的已知远程漏洞 - 您也许可以使用其中之一。:)

答案2

我看到了很多关于如何实现这一点的评论。没有人提到选择严格模式与身份验证有关

但显然,这仅在 OpenSSH_3.4p1 中存在,因为我尝试在 Solaris11 到 Solaris11 上启用/禁用“ssh nopassword 身份验证”选项,但没有任何区别。

但在我的例子中,sshd_conf 参数发生了变化 StrictModes 没有这招很管用!!!

谢谢凯文,我不能投票支持你的问题,因为我在这个网站上的声誉还没有超过 15。

相关内容