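Note: I have replaced all occurrences of the server IP address with [SERVER IP] and all occurrences of the client IP with [CLIENT IP].
I am trying to set up a key-based ssh connection between my Ubuntu 20.04 machine (local) and a RedHat machine (server). Among other things, I have done the following:
- Uploaded my public key to the server (in ~/.ssh/authorized_keys)
- Set the permissions on authorized_keys and on my private key
- Modified my config file (shown below)
- Restarted sshd several times
I can connect successfully with password authentication, but I want key-based authentication to work.
The part of my config file relevant to this server is: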
Host [HOSTNAME]
Hostname [SERVER IP]
User [USER]
PubKeyAuthentication yes
IdentityFile ~/.ssh/id_rsa_[HOSTNAME]_2
The log file is very long, so I picked out the most relevant part:
debug1: trying public key file /root/.ssh/authorized_keys
debug1: restore_uid: 0/0
debug1: temporarily_use_uid: 501/503 (e=0/0)
debug1: trying public key file /root/.ssh/authorized_keys
debug1: restore_uid: 0/0
Failed publickey for [USER] from [CLIENT IP] port [PORT] ssh2
debug3: mm_answer_keyallowed: key 0x7ff2143198f0 is not allowed
debug3: mm_request_send entering: type 22
debug3: mm_request_receive entering
debug2: userauth_pubkey: authenticated 0 pkalg ssh-rsa
debug3: Wrote 40 bytes for a total of 2309
Connection closed by [CLIENT IP]
But I am by no means a networking expert, so this may be too late in the file to show anything. The full log is available on request.
Here is my sshd_config file:
# Package generated configuration file
# See the sshd(8) manpage for details
# What ports, IPs and protocols we listen for
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes
# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 768
# Logging
SyslogFacility AUTH
LogLevel INFO
# Authentication:
LoginGraceTime 120
PermitRootLogin no
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile ~/.ssh/authorized_keys
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes
# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords yes
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no
# Change to no to disable tunnelled clear text passwords
PasswordAuthentication no
# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no
#MaxStartups 10:30:60
#Banner /etc/issue.net
# Allow client to pass locale environment variables
AcceptEnv LANG LC_*
Subsystem sftp /usr/libexec/openssh/sftp-server
UsePAM yes
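Answer 1
An update, a few weeks later, for anyone who stumbles upon this question while searching for a similar problem.
I forgot that OpenSSH deprecated RSA keys a while ago. The key I was using was RSA. Changing the key type to ecdsa solved the problem.
Answer 2
Change the log level to DEBUG3 (the maximum); in my case I found: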
sshd[3478]: debug1: Could not open authorized keys '/root/.ssh/authorized_keys': No such file or directory
I had simply used the wrong username in "ssh root@localhost" (root instead of masteruser).
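
The log check from answer 2, generalised into a small triage script (an added example, not code from the original posts): it reads sshd debug output and reports which authorized_keys file was tried under which uid, which files could not be opened, and which key algorithms and users failed. The sample log, user name and address are constructed, and the function and field names are illustrative.

```python
import re

# Constructed sample in the style of the sshd debug output on this page (placeholder user and IP).
SAMPLE_LOG = """\
debug1: temporarily_use_uid: 501/503 (e=0/0)
debug1: trying public key file /root/.ssh/authorized_keys
debug1: Could not open authorized keys '/root/.ssh/authorized_keys': No such file or directory
debug1: restore_uid: 0/0
debug2: userauth_pubkey: authenticated 0 pkalg ssh-rsa
Failed publickey for exampleuser from 192.0.2.10 port 50022 ssh2
"""

PATTERNS = {
    "uid": re.compile(r"temporarily_use_uid: (\d+)/\d+"),
    "tried": re.compile(r"trying public key file (\S+)"),
    "open_error": re.compile(r"Could not open authorized keys '([^']+)': (.+)"),
    "result": re.compile(r"userauth_pubkey: authenticated (\d) pkalg (\S+)"),
    "failed": re.compile(r"Failed publickey for (\S+) from"),
}

def triage(log_text):
    """Collect which key files sshd tried under which uid, plus failures."""
    report = {"tried": [], "open_errors": [], "failed_algs": [],
              "failed_users": [], "warnings": []}
    uid = None  # uid sshd has temporarily switched to, if known
    for line in log_text.splitlines():
        hits = {k: p.search(line) for k, p in PATTERNS.items()}
        if hits["uid"]:
            uid = int(hits["uid"].group(1))
        elif "restore_uid" in line:
            uid = None
        elif hits["tried"]:
            path = hits["tried"].group(1)
            report["tried"].append((uid, path))
            # Non-root uid checked against a file under /root: compare with the
            # AuthorizedKeysFile setting and the account's home directory.
            if uid not in (None, 0) and path.startswith("/root/"):
                report["warnings"].append(f"uid {uid} checked against {path}")
        elif hits["open_error"]:
            report["open_errors"].append(hits["open_error"].groups())
        elif hits["result"] and hits["result"].group(1) == "0":
            report["failed_algs"].append(hits["result"].group(2))
        elif hits["failed"]:
            report["failed_users"].append(hits["failed"].group(1))
    return report

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

A login as root that tries /root/.ssh/authorized_keys produces no warning, which separates the wrong-username case in answer 2 from a non-root account being matched against a file in root's home.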