我有两台 Redhat 7.3 机器。我想从 machine1 以无密码方式 ssh 访问 machine2。以下是我所做的。在 machine1 上,我sudo su -以 root 身份执行 sudo ( ),并使用命令生成 rsa 公钥和私钥,ssh-keygen所有设置均采用默认设置。这些密钥位于/root/.ssh/名为 的目录中id_rsa, id_rsa.pub
。.ssh 的权限如下
drwx------ 2 root root 54 Jan 17 05:08 .
drwxr-x---. 7 root root 4.0K Jan 17 04:08 ..
-rw------- 1 root root 1.7K Jan 17 06:18 id_rsa
-rw-r--r-- 1 root root 414 Jan 17 06:18 id_rsa.pub
-rw-r--r-- 1 root root 4.0K Jan 17 07:37 known_hosts
我将 machine2 上的内容复制到我自己以 root 身份创建的id_rsa.pub文件authorized_keys中/root/.ssh。machine2 上 .ssh 目录的权限如下
drwxr-xr-x 2 root root 28 Jan 17 06:32 .
dr-xr-x---. 6 root root 4.0K Jan 17 03:28 ..
-rw-r--r-- 1 root root 414 Jan 17 06:32 authorized_keys
现在我尝试使用以下命令从 machine1 ssh(详细)到 machine2。但它仍然要求输入密码才能连接。我希望无需输入密码即可建立连接。
我尝试按照以下建议将 machine2 上的 .ssh 和 authorized_keys 的权限更改为 700 和 600 即使安装了公钥,SSH 仍要求输入密码 但问题仍然存在。
我给出了 ssh 命令的调试输出。它按预期工作,直到服务器接受公钥。之后我注意到 debug1: key_parse_private2: missing begin marker 可能导致此问题。有人能建议我解决这个问题的方法吗?
[root@machine1 ~]# ssh -v machine2
OpenSSH_6.6.1, OpenSSL 1.0.1e-fips 11 Feb 2013
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 56: Applying options for *
debug1: Connecting to machine2 [x.x.x.x] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: identity file /root/.ssh/id_rsa type 1
debug1: identity file /root/.ssh/id_rsa-cert type -1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: identity file /root/.ssh/id_dsa-cert type -1
debug1: identity file /root/.ssh/id_ecdsa type -1
debug1: identity file /root/.ssh/id_ecdsa-cert type -1
debug1: identity file /root/.ssh/id_ed25519 type -1
debug1: identity file /root/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.6.1
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.6.1
debug1: match: OpenSSH_6.6.1 pat OpenSSH_6.6.1* compat 0x04000000
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr [email protected] none
debug1: kex: client->server aes128-ctr [email protected] none
debug1: kex: [email protected] need=16 dh_need=16
debug1: kex: [email protected] need=16 dh_need=16
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: RSA X:X:X:X:....
debug1: Host 'machine2' is known and matches the RSA host key.
debug1: Found key in /root/.ssh/known_hosts:1
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
========================================================
| The system is to be used only by authorized users. |
| |
| By continuing to use the system, the user represents |
| that he/she is an authorized user. |
| |
| Use of the system constitutes consent to monitoring |
| and review. |
| |
| I have received, read and understand the Company's |
| Acceptable Use Policy and agree to abide by the |
| policy and its terms and conditions. |
| |
========================================================
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /root/.ssh/id_rsa
debug1: Server accepts key: pkalg ssh-rsa blen 279
debug1: key_parse_private2: missing begin marker
debug1: read PEM private key done: type RSA
debug1: Authentications that can continue: publickey,password
debug1: Trying private key: /root/.ssh/id_dsa
debug1: Trying private key: /root/.ssh/id_ecdsa
debug1: Trying private key: /root/.ssh/id_ed25519
debug1: Next authentication method: password
root@machine2's password:
答案1
“缺少开始标记”实际上并不是一个问题,您在成功进行无密码公钥登录后就会收到该消息。
您有横幅,因此您可能已经做了一些强化。确保您的用户可以使用以下选项。您可以在 sshd_config 文件末尾的“匹配用户”行后添加它们:
Match User root,user1
RSAAuthentication yes
PubkeyAuthentication yes
PermitRootLogin yes
PermitEmptyPasswords yes
只有当您使用 root 时才需要 PermitRootLogin。我不确定是否需要 PermitEmptyPasswords,但它对我来说是有效的。
另一件(小)事,不要sudo su -,做sudo -i。