步骤1(客户端)

步骤1(客户端)

我在谷歌中进行了大量搜索以创建公钥并使用访问服务器后发布了这个问题public key,我仍然无法解决这个问题,因为我遇到了以下错误。

OpenSSH_7.4p1, OpenSSL 1.0.2k-fips  26 Jan 2017
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 58: Applying options for *
debug2: resolving "192.168.12.2" port 22
debug2: ssh_connect_direct: needpriv 0
debug1: Connecting to 192.168.12.2 [192.168.12.2] port 22.
debug1: Connection established.
debug1: identity file .ssh/authorized_keys type 1
debug1: key_load_public: No such file or directory
debug1: identity file .ssh/authorized_keys-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.4
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.4
debug1: match: OpenSSH_7.4 pat OpenSSH* compat 0x04000000
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to 192.168.12.2:22 as 'ansible'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1,ext-info-c
debug2: host key algorithms: [email protected],[email protected],[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,[email protected],[email protected],[email protected],ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa,ssh-dss
debug2: ciphers ctos: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected],aes128-cbc,aes192-cbc,aes256-cbc
debug2: ciphers stoc: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected],aes128-cbc,aes192-cbc,aes256-cbc
debug2: MACs ctos: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,[email protected],zlib
debug2: compression stoc: none,[email protected],zlib
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: host key algorithms: ssh-rsa,rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519
debug2: ciphers ctos: aes128-ctr,aes192-ctr,aes256-ctr
debug2: ciphers stoc: aes128-ctr,aes192-ctr,aes256-ctr
debug2: MACs ctos: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,[email protected]
debug2: compression stoc: none,[email protected]
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: aes128-ctr MAC: [email protected] compression: none
debug1: kex: client->server cipher: aes128-ctr MAC: [email protected] compression: none
debug1: kex: curve25519-sha256 need=16 dh_need=16
debug1: kex: curve25519-sha256 need=16 dh_need=16
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:YTd6SSDMsb3Qhn8EoF/otK+TY6DSAsahYvZxFErZJnQ
debug1: Host '192.168.12.2' is known and matches the ECDSA host key.
debug1: Found key in /home/ansible/.ssh/known_hosts:1
debug2: set_newkeys: mode 1
debug1: rekey after 4294967296 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug2: set_newkeys: mode 0
debug1: rekey after 4294967296 blocks
debug2: key: .ssh/authorized_keys (0x560667b2de80), explicit
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<rsa-sha2-256,rsa-sha2-512>
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
This system is for the use of authorised users only.
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug2: we did not send a packet, disable method
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure.  Minor code may provide more information
No Kerberos credentials available (default cache: KEYRING:persistent:1003)

debug1: Unspecified GSS failure.  Minor code may provide more information
No Kerberos credentials available (default cache: KEYRING:persistent:1003)

debug2: we did not send a packet, disable method
debug1: Next authentication method: publickey
debug1: Offering RSA public key: .ssh/authorized_keys
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).

server side - 192.168.12.2 - user:ansible

 chmod 700 .ssh/
 chmod 600 .ssh/*
 ssh-keygen
 ssh-copy-id -i ~/.ssh/id_rsa.pub [email protected]
 /sbin/restorecon -r .ssh/

client side - 192.168.12.10 - user:ansible

chmod 700 .ssh/
chmod 600 .ssh/*
/sbin/restorecon -r .ssh/
/sbin/restorecon -r .ssh
ssh -vv -i .ssh/authorized_keys -o PasswordAuthentication=no [email protected]

在 sshd_config 文件中,PubkeyAuthentication yes在客户端和服务器端都设置。

生成密钥时已验证服务器的用户凭据,并且使用密码短语和不使用密码短语进行了多次尝试..但没有运气。

发现的大多数问题都是user ownership..我已确保双方用户的 .ssh/ 目录及其文件都具有用户所有权,.ssh/ 目录为 700,.ssh/ 文件为 600。

restorecon尝试过但没有运气。

按照建议,我已经在服务器端验证了审核日志,发现了这一点。

type=USER_AUTH msg=audit(1593508901.404:87844): pid=26089 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=pubkey acct="ansible" exe="/usr/sbin/sshd" hostname=? addr=192.168.12.10 terminal=ssh res=failed'

type=USER_ERR msg=audit(1593508901.408:87847): pid=26089 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:bad_ident grantors=? acct="?" exe="/usr/sbin/sshd" hostname=localhost addr=192.168.12.10 terminal=ssh res=failed'

type=USER_LOGIN msg=audit(1593508901.409:87851): pid=26089 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login acct="ansible" exe="/usr/sbin/sshd" hostname=? addr=192.168.12.10 terminal=ssh res=failed'

journalctl _COMM=sshd在服务器上显示如下。

Jun 30 10:21:41 localhost sshd[26089]: Connection closed by 192.168.12.10 port 47944 [preauth]

答案1

有一个混乱

ssh -vv -i .ssh/authorized_keys -o PasswordAuthentication=no [email protected]

authorized_keys是您允许连接的公钥列表。

该文件应该在服务器端设置。

您必须使用您的私钥进行连接,可能

ssh -i .ssh/id_rsa [email protected]

步骤1(客户端)

使用用户 ansible 连接到 192.168.12.10 并输入:

mkdir .ssh ; chmod go-rwx .ssh ; cd .ssh
ssh-keygen -t rsa

接受默认选项,不设置密码。

仅执行此操作,如果已经有一对密钥,则不要执行此操作。

如果知道 ansible 的密码,请使用复制文件 id_rsa.pub

scp id_rsa.pub [email protected]:.ssh/id_rsa_ansible.pub

第一次从 192.168.12.10 到 192.168.12.2 进行 ssh 或 scp 时,您将看到一个确认对话框。

[email protected]:hosts.ansible
The authenticity of host '192.168.12.10' can't be established.
RSA key fingerprint is 89:dc:fe:d6:4a:40:28:e5:e9:d0:bd:09:28:01:93:23.
Are you sure you want to continue connecting (yes/no)? y

如果密码未知或未设置,请使用 putty 缓冲区从 id_rsa.pub 复制该行

步骤2(服务器)

使用用户 ansible 连接到 192.168.12.2

mkdir .ssh ; chmod go-rwx .ssh ; cd .ssh

创建授权文件

cat id_rsa_ansible.pub >> authorized_keys

或从 ansible 复制/粘贴 id_rsa.pub 文件的内容

授权密钥必须:

  • 属于 ansible (或 root)

    chown ansible authorized_keys
    
  • ansible 必须是唯一的编写者 (rw-r--r--)

    chmod 644 authorized_keys
    

确认

使用用户 ansible 连接到 192.168.12.10

ssh [email protected]

您应该无需输入密码即可连接


我已经有一个网页详细说明了这些步骤(法语和英语),您可以输入用户名和主机名。 ssh 设置的详细信息

相关内容