I'm trying to connect to a remote server running CentOS 7 using a public key.
I generated a key
ssh-keygen
and then copied the key to the server
ssh-copy-id [email protected]
which created authorized_keys on the remote machine, but ssh login still asks for a password.
I tried logging in with the triple verbose option
ssh -v [email protected]
and it gave me something like this:
OpenSSH_7.6p1 Ubuntu-4ubuntu0.7, OpenSSL 1.0.2n 7 Dec 2017
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to chip02.phy.ncu.edu.tw [140.115.32.12] port 22.
debug1: Connection established.
debug1: identity file /home/longhoa/.ssh/id_rsa type 0
debug1: key_load_public: No such file or directory
debug1: identity file /home/longhoa/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/longhoa/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/longhoa/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/longhoa/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/longhoa/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/longhoa/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/longhoa/.ssh/id_ed25519-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.7
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.4
debug1: match: OpenSSH_7.4 pat OpenSSH* compat 0x04000000
debug1: Authenticating to chip02.phy.ncu.edu.tw:22 as 'hoa'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: [email protected] MAC: <implicit> compression: none
debug1: kex: client->server cipher: [email protected] MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:ALKc8EF9HMXaCSs/aN4wsfpFN8Bh1W9twUxOTueP5Kk
debug1: Host 'chip02.phy.ncu.edu.tw' is known and matches the ECDSA host key.
debug1: Found key in /home/longhoa/.ssh/known_hosts:1
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<rsa-sha2-256,rsa-sha2-512>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure. Minor code may provide more information
No Kerberos credentials available (default cache: FILE:/tmp/krb5cc_1000)
debug1: Unspecified GSS failure. Minor code may provide more information
No Kerberos credentials available (default cache: FILE:/tmp/krb5cc_1000)
debug1: Next authentication method: publickey
debug1: Offering public key: RSA SHA256:S79m96anBkvF16Rjihe80MYbcU1fZlfPxE5686k/vn4 /home/longhoa/.ssh/id_rsa
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Trying private key: /home/longhoa/.ssh/id_dsa
debug1: Trying private key: /home/longhoa/.ssh/id_ecdsa
debug1: Trying private key: /home/longhoa/.ssh/id_ed25519
debug1: Next authentication method: password
[email protected] password:
debug1: Authentication succeeded (password)
I searched on Google; some answers mention setting the correct permissions. I followed those instructions, and this is what I ended up with for the keys on my computer:
-rw------- 1 longhoa longhoa 1.7K 23-01-08|14:14:40 id_rsa
-rw-r--r-- 1 longhoa longhoa 399 23-01-08|14:14:40 id_rsa.pub
Permissions on the remote server:
drwx------. 2 hoa zh 4.0K 23-01-08|15:10 /home/hoa/.ssh
-rw-------. 1 hoa zh 399 23-01-08|14:23 /home/hoa/.ssh/authorized_keys
dr-xr-xr-x. 29 root root 4096 22-12-27|17:26 /
drwxrwxrwx. 41 root root 4096 22-11-24|18:38 /home
drwx------. 58 hoa zh 12288 23-01-11|00:47 /home/hoa/
Other answers mention SELinux and debugging from the server side, but I don't have root access to that server, so I can't do either of those.
So how do I get this working? Many thanks.
Update 1
I tried @roaima's suggestion.
ssh -nvv -o NumberOfPasswordPrompts=0 [email protected] 2>&1 | grep "debug2: host key"
which returned:
debug2: host key algorithms: [email protected],[email protected],[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,[email protected],[email protected],ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
debug2: host key algorithms: ssh-rsa,rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519
I also tried id_dsa and id_ed25519, but neither seems to work.
Update 2
@roaima and @telcoM pointed out that the remote host is set up incorrectly. I will update the status after talking to the administrator.
Answer 1
I think it is very likely that the server administrator has correctly and wisely disabled the default ssh-rsa host key algorithm. This means that ssh-keygen with its default settings will produce a key pair that is ignored.
You can check this by running the following command on the client:
ssh -nvv -o NumberOfPasswordPrompts=0 [email protected] 2>&1 | grep 'debug2: host key'
It will list the acceptable host key algorithms supported by both the client and the server. You should find that ssh-rsa has been disabled on the server for (very good) security reasons and is therefore not listed on the second line of this command's output.
For example, here is the output of running this command on my local system. You can see that although ssh-rsa is listed on the first line (client), it is not listed on the second line (server). A host key algorithm must appear on both lines to be usable:
debug2: host key algorithms: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,[email protected],ssh-ed25519,[email protected],rsa-sha2-512,rsa-sha2-256,ssh-rsa
debug2: host key algorithms: rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519
In that case you need to use ssh-keygen to generate a specific variant of key type that exists on both the client and the server. The command below will generate an ED25519 key pair instead of the default RSA key pair.
ssh-keygen -t ed25519
Answer 2
drwxrwxrwx. 41 root root 4096 22-11-24|18:38 /home
On the remote host, /home is writable by everyone, which allows anyone to rename or delete other people's home directories. This is incorrect, and it will cause sshd to distrust any authorized_keys file in that subtree.
As a result, SSH public key authentication will not work for any user whose home directory is under /home and who has no custom authorized_keys file elsewhere. This affects all key types, not just RSA.
Ordinary users should not need to write to /home: if there is some kind of centralized user account management (AD, LDAP, NIS or similar) but each system has independent user home directories, the remote host's administrator may need to install and configure pam_mkhomedir.so to automatically create home directories with the correct permissions at first login.
The remote host's system administrator should run sudo chmod 755 /home or the equivalent as soon as possible to set the permissions of /home to the standard drwxr-xr-x. A world-writable /home would allow users to attack each other with many ancient, well-known tricks. Sabotage by simply deleting another user's home directory is only the simplest possibility.