ssh public key authentication fails: receive packet: type 51. sshd does not accept public key authentication at all

I have read many solutions to this problem, but none of them seem to apply to what I am seeing. Most focus on directory permissions, but in this case those appear to be correct. TL;DR: two CentOS 7 servers with the same home directory; sshd does not allow public key authentication even though it is enabled.

I have two CentOS 7 servers; let's call them centos-a and centos-b. The home directory is mounted via NFS, so the .ssh directory is identical on both (confirmed below). I can ssh from centos-a to centos-a, but not from centos-a to centos-b. From centos-b I can ssh to both centos-a and centos-b.

ssh from \ to   centos-a   centos-b
centos-a        yes        no
centos-b        yes        yes
[myuser@centos-a ~]$ ls -la ~/.ssh
total 16
drwx------. 1 myuser domain users    0 Jul  6 11:45 .
drwx------. 1 myuser domain users    0 Jul  7 13:44 ..
-rw-------. 1 myuser domain users 1212 Jul  6 12:02 authorized_keys
-rw-------. 1 myuser domain users 1675 Jul  6 11:45 id_rsa
-rw-r--r--. 1 myuser domain users  402 Jul  6 11:45 id_rsa.pub
-rw-r--r--. 1 myuser domain users 1119 Jul  6 17:49 known_hosts

[myuser@centos-a ~]$ md5sum ~/.ssh/*
65b4fdf2d59cee3ae45b8480454453ec  /home/myuser/.ssh/authorized_keys
fa3e9fc5a8ff08787ff2ba8f979da24e  /home/myuser/.ssh/id_rsa
dca36ab3ec342423c5eca588f2ad5678  /home/myuser/.ssh/id_rsa.pub
f67bc94bc7a30b9876e3027b24f893d8  /home/myuser/.ssh/known_hosts

[myuser@centos-a ~]$ ssh centos-a hostname
centos-a

[myuser@centos-a ~]$ ssh centos-b hostname
myuser@centos-b's password:
[myuser@centos-b ~]$ ls -la ~/.ssh
total 16
drwx------. 1 myser domain users    0 Jul  6 11:45 .
drwx------. 1 myser domain users    0 Jul  7 13:44 ..
-rw-------. 1 myser domain users 1212 Jul  6 12:02 authorized_keys
-rw-------. 1 myser domain users 1675 Jul  6 11:45 id_rsa
-rw-r--r--. 1 myser domain users  402 Jul  6 11:45 id_rsa.pub
-rw-r--r--. 1 myser domain users 1119 Jul  6 17:49 known_hosts

[myuser@centos-b ~]$ md5sum ~/.ssh/*
65b4fdf2d59cee3ae45b8480454453ec  /home/myuser/.ssh/authorized_keys
fa3e9fc5a8ff08787ff2ba8f979da24e  /home/myuser/.ssh/id_rsa
dca36ab3ec342423c5eca588f2ad5678  /home/myuser/.ssh/id_rsa.pub
f67bc94bc7a30b9876e3027b24f893d8  /home/myuser/.ssh/known_hosts

[myuser@centos-b ~]$ ssh centos-b hostname
centos-b

[myuser@centos-b ~]$ ssh centos-a hostname
centos-a

As shown above, the permissions on the .ssh directory appear to be correct (and in any case they are identical on both machines).

ssh -vvv for the failing ssh shows:

OpenSSH_7.4p1, OpenSSL 1.0.2k-fips  26 Jan 2017
...
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.4
debug1: match: OpenSSH_7.4 pat OpenSSH* compat 0x04000000
...
debug1: Host 'centos-b' is known and matches the ECDSA host key.
...
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug3: start over, passed a different list publickey,gssapi-keyex,gssapi-with-mic,password
debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup gssapi-keyex
debug3: remaining preferred: gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-keyex
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug2: we did not send a packet, disable method
debug3: authmethod_lookup gssapi-with-mic
debug3: remaining preferred: publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-with-mic
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure.  Minor code may provide more information
No Kerberos credentials available (default cache: KEYRING:persistent:1211402155)

debug1: Unspecified GSS failure.  Minor code may provide more information
No Kerberos credentials available (default cache: KEYRING:persistent:1211402155)

debug2: we did not send a packet, disable method
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/myuser/.ssh/id_rsa
debug3: send_pubkey_test
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Trying private key: /home/myuser/.ssh/id_dsa
debug3: no such identity: /home/myuser/.ssh/id_dsa: No such file or directory
debug1: Trying private key: /home/myuser/.ssh/id_ecdsa
debug3: no such identity: /home/myuser/.ssh/id_ecdsa: No such file or directory
debug1: Trying private key: /home/myuser/.ssh/id_ed25519
debug3: no such identity: /home/myuser/.ssh/id_ed25519: No such file or directory
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred: ,password
debug3: authmethod_is_enabled password
debug1: Next authentication method: password
myuser@centos-b's password:

Compare this with what I see from centos-b to centos-a, which works:

...
debug1: Unspecified GSS failure.  Minor code may provide more information
Server not found in Kerberos database

debug3: send packet: type 50
debug2: we sent a gssapi-with-mic packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug2: we did not send a packet, disable method
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/myuser/.ssh/id_rsa
debug3: send_pubkey_test
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 60
debug1: Server accepts key: pkalg rsa-sha2-512 blen 279
debug2: input_userauth_pk_ok: fp SHA256:nAO5pVOzqUQzEUSEBN37WKp6ADs9Sk4rfTRGmk0FHEY
debug3: sign_and_send_pubkey: RSA SHA256:nAO5pVOzqUQzEUSEBN37WKp6ADs9Sk4rfTRGmk0FHEY
debug3: send packet: type 50
debug3: receive packet: type 52
debug1: Authentication succeeded (publickey).

I enabled sshd log messages in /etc/ssh/sshd_config and restarted the service:

# Logging
SyslogFacility AUTH
SyslogFacility AUTHPRIV
LogLevel INFO

but there are no further useful messages in /var/log/secure or /var/log/messages.

Interestingly, ssh from centos-b to centos-b uses gssapi authentication. If I force it to use publickey, it fails:

[myuser@centos-b ~]$ ssh -vvv -o PreferredAuthentications=publickey centos-b hostname
...
debug1: Offering RSA public key: /home/myuser/.ssh/id_rsa
debug3: send_pubkey_test
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 51
...
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).

In /var/log/messages I see:

Jul  7 13:52:10 centos-b sshd[23266]: Connection closed by 192.168.1.100 port 48064 [preauth]

Public key authentication is enabled:

[root@centos-b ssh]# sshd -T | grep -i pub
pubkeyauthentication yes
pubkeyacceptedkeytypes [email protected],ecdsa-sha...

sshd_config is a stock CentOS 7 one, and it is identical on centos-a and centos-b (verified by piping the output of the following command through md5sum on both machines):

[root@centos-b ssh]# grep -v -e '^#' -e '^$' /etc/ssh/sshd_config
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
SyslogFacility AUTHPRIV
AuthorizedKeysFile      .ssh/authorized_keys
PasswordAuthentication yes
ChallengeResponseAuthentication no
GSSAPIAuthentication yes
GSSAPICleanupCredentials no
UsePAM yes
X11Forwarding yes
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
Subsystem       sftp    /usr/libexec/openssh/sftp-server

Any suggestions as to what I am missing?
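As an added example (not part of the question), a small sh/awk helper that reads an ssh -vvv trace like the ones above and pairs each offered public key with the server's reply, naming the packet types as RFC 4252 does; the embedded traces are constructed excerpts of the two sessions shown, not new captures.

```shell
#!/bin/sh
# Added example: pair each public key the client offers in an "ssh -vvv" log
# with the server's reply packet, so the trace reads as a verdict instead of
# raw packet numbers. Types per RFC 4252: 50 USERAUTH_REQUEST,
# 51 USERAUTH_FAILURE, 52 USERAUTH_SUCCESS, 60 USERAUTH_PK_OK.
ssh_pubkey_verdict() {
    # $1: file holding the stderr of "ssh -vvv host"
    awk '
        /Offering .* public key: / { key = $NF; waiting = 0; next }
        /we sent a publickey packet/ { waiting = 1; next }
        waiting && /receive packet: type / {
            t = $NF; waiting = 0
            if (t == 51) msg = "USERAUTH_FAILURE: key rejected before signing; check authorized_keys, permissions and SELinux context on the server"
            else if (t == 60) { msg = "USERAUTH_PK_OK: key accepted, client now signs"; waiting = 1 }
            else if (t == 52) msg = "USERAUTH_SUCCESS"
            else msg = "unexpected reply"
            printf "%s: reply %s (%s)\n", key, t, msg
        }
    ' "$1"
}

# Constructed excerpts mirroring the failing (centos-a -> centos-b) and the
# working (centos-b -> centos-a) traces; each is written to the path in $1.
write_failing_trace() {
    cat > "$1" <<'EOF'
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/myuser/.ssh/id_rsa
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Next authentication method: password
EOF
}
write_working_trace() {
    cat > "$1" <<'EOF'
debug1: Offering RSA public key: /home/myuser/.ssh/id_rsa
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 60
debug1: Server accepts key: pkalg rsa-sha2-512 blen 279
debug3: send packet: type 50
debug3: receive packet: type 52
debug1: Authentication succeeded (publickey).
EOF
}
```

Run it on a real capture with `ssh -vvv host 2>ssh.log; ssh_pubkey_verdict ssh.log`; a lone reply 51 right after the offer means the server never asked for a signature, which is the server-side check (authorized_keys, permissions, SELinux) rather than the client's key.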

Answer 1

The problem may be related to the SELinux context on the .ssh directory (and perhaps more). Check whether the context (in .ssh) has the type ssh_home_t.

This is similar to the permissions needed for SSH user files (rwx for group/other is not needed). I have not checked, but it may be needed at both ends (the .ssh directories of both the source user and the target user need the same context).

Here is an example of the "correct" context:

[account@hostname .ssh]# ls -alZ
drwx------. account account unconfined_u:object_r:ssh_home_t:s0 .
drwx------. account account unconfined_u:object_r:user_home_dir_t:s0 ..
-rw-------. account account unconfined_u:object_r:ssh_home_t:s0 authorized_keys
-rw-------. account account unconfined_u:object_r:ssh_home_t:s0 id_rsa
-rw-------. account account unconfined_u:object_r:ssh_home_t:s0 id_rsa.pub
-rw-r--r--. account account unconfined_u:object_r:ssh_home_t:s0 known_hosts
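As an added example (not the answer's own code), a script that runs the check the answer describes over a saved `ls -alZ` listing and reports every entry whose type is not ssh_home_t; the restorecon and use_nfs_home_dirs remedies in its hint are standard SELinux tooling, not something the answer shows, and the listing it embeds is constructed.

```shell
#!/bin/sh
# Added example: audit the SELinux type on every entry of a "ls -alZ ~/.ssh"
# listing and report anything that is not ssh_home_t. ".." is the home
# directory itself and legitimately carries user_home_dir_t, so it is skipped.
audit_ssh_context() {
    # $1: file holding the output of "ls -alZ ~/.ssh"
    awk '
        {
            ctx = ""; name = $NF
            for (i = 1; i <= NF; i++) if ($i ~ /:object_r:/) ctx = $i
            if (ctx == "" || name == "..") next    # "total" line, parent dir
            split(ctx, c, ":")                     # user:role:type:level
            if (c[3] != "ssh_home_t") printf "%s %s\n", name, c[3]
        }
    ' "$1"
}

# Summarise the audit: returns 0 when every entry is ssh_home_t, otherwise 1
# plus a hint. restorecon relabels local files from policy; the
# use_nfs_home_dirs boolean lets sshd read authorized_keys from an
# NFS-mounted home, which is the setup in the question.
ssh_context_ok() {
    bad=$(audit_ssh_context "$1")
    if [ -z "$bad" ]; then
        echo "ok: every entry in the listing is ssh_home_t"
        return 0
    fi
    printf 'wrong SELinux type:\n%s\n' "$bad"
    echo "hint: restorecon -RFv ~/.ssh (local home) or setsebool -P use_nfs_home_dirs on (NFS home)"
    return 1
}

# Constructed listing: authorized_keys carries nfs_t, the default type for
# files on an NFS mount, instead of ssh_home_t.
write_sample_listing() {
    cat > "$1" <<'EOF'
drwx------. account account unconfined_u:object_r:ssh_home_t:s0 .
drwx------. account account unconfined_u:object_r:user_home_dir_t:s0 ..
-rw-------. account account system_u:object_r:nfs_t:s0 authorized_keys
-rw-------. account account unconfined_u:object_r:ssh_home_t:s0 id_rsa
-rw-r--r--. account account unconfined_u:object_r:ssh_home_t:s0 known_hosts
EOF
}
```

On a live host, `ls -alZ ~/.ssh > listing.txt; ssh_context_ok listing.txt` gives the verdict without touching enforcement mode.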

Answer 2

Some additional Googling told me that the problem was that SELinux was enabled on the new system I had set up. In my case, setting it to permissive solved my problem.

# getenforce
Enforcing
# setenforce 0
# getenforce
Permissive

For people who need SELinux in their environment this may not be the right solution. A permanent change involves updating /etc/selinux/config.

Answer 3

Well, I just spent 5 hours on this with a freshly built Debian 12 server, doing the same things:

  • check the permissions of the .ssh files/folder
  • compare the /etc/ssh/sshd_config file with a working host
  • compare the output of sshd -T with a working host
  • compare the output of ssh -vvv root@host 2>ssh.log
  • lots of web research

It turns out (I am still not quite sure why it happened on this particular host; I do this on dozens of VMs every month) that when I ran ssh-copy-id root@host, it installed an alternate public key that I use for other purposes, not the default ~/.ssh/id_rsa.pub as I had assumed.

So, if you have arrived here and have not already done so, compare ~/.ssh/authorized_keys on the target with ~/.ssh/id_rsa.pub on the client.

If these are not the same, you need to remove the incorrect entry from authorized_keys on the target host (or delete the file if there is only one entry) and then be explicit:

ssh-copy-id -i ~/.ssh/id_rsa.pub root@host

I have modified my build procedure, and now I'm going to have a couple of large martinis...
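An added example (not the answer's own code) for the comparison step above: it checks whether the key in a client id_*.pub appears in a target authorized_keys, matching on key type and base64 blob so that comments and authorized_keys options are ignored; the sample key files are constructed and contain no real key material.

```shell
#!/bin/sh
# Added example: confirm that the public key a client would offer (its
# id_*.pub) is actually listed in the target's authorized_keys. Only the key
# type and base64 blob are compared, so the comment field and any options in
# front of the key (command="...", from="...") do not influence the result.
key_in_authorized_keys() {
    # $1: public key file on the client, $2: authorized_keys on the target
    ktype=$(awk 'NR == 1 { print $1 }' "$1")
    blob=$(awk 'NR == 1 { print $2 }' "$1")
    awk -v t="$ktype" -v b="$blob" '
        /^[[:space:]]*#/ || NF < 2 { next }      # comments and blank lines
        { for (i = 1; i < NF; i++)               # options may precede the key
              if ($i == t && $(i + 1) == b) { found = 1; exit } }
        END { if (found) exit 0; exit 1 }
    ' "$2"
}

# Human-readable verdict, ending with the explicit install the answer uses.
check_client_key() {
    if key_in_authorized_keys "$1" "$2"; then
        echo "present: $1 is listed in $2"
        return 0
    fi
    echo "missing: $1 is not in $2; install it explicitly with: ssh-copy-id -i $1 user@host"
    return 1
}

# Constructed sample files (not real keys): the target holds an unrelated
# backup key behind a command= restriction, while the client's default key
# is absent, which is the situation the answer describes.
write_sample_keys() {
    # $1: directory to write id_rsa.pub and authorized_keys into
    echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCdefaultKeyConstructed myuser@centos-a" > "$1/id_rsa.pub"
    cat > "$1/authorized_keys" <<'EOF'
# backup key, restricted to one command
command="/usr/bin/rsync --server" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCbackupKeyConstructed backup@tools
EOF
}
```

For a real check, copy the target's authorized_keys to the client (or run the script on the target with the client's .pub) and call `check_client_key ~/.ssh/id_rsa.pub authorized_keys`.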
