Why does SSH public key authentication fail on one account but work on another account on the same server


I am running into a strange problem with SSH public keys. There is one account on the server to which I have uploaded my public key into .ssh/authorized_keys, and it works as expected (I can log in without a password). Then there is another account on the same server where I have done the same thing (several times by now), but it still asks me for a password to log in.

The settings that match on these accounts are as follows:

  1. Directory permissions are correct. The owner and group of the .ssh directory are the user. Permissions are set to 0700
  2. .ssh/authorized_keys has user and group set to the correct user, permissions 0600
  3. I tried comparing the files and found them to be exactly identical. Tried it several times: scp ~/.ssh/id_rsa.pub [email protected]:.ssh/authorized_keys

If I add -v to the ssh connection, I get the following for the one that does not work:

OpenSSH_4.7p1, OpenSSL 0.9.8g 19 Oct 2007  
debug1: Reading configuration data /Users/pacis/.ssh/config  
debug1: Reading configuration data /opt/local/etc/ssh/ssh_config  
debug1: Connecting to xxx.xxx.xxx.xxx [xxx.xxx.xxx.xxx] port 22.  
debug1: Connection established.  
debug1: identity file /Users/pacis/.ssh/identity type -1  
debug1: identity file /Users/pacis/.ssh/id_rsa type 1  
debug1: identity file /Users/pacis/.ssh/id_dsa type -1  
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.1p1 Debian-5  
debug1: match: OpenSSH_5.1p1 Debian-5 pat OpenSSH*  
debug1: Enabling compatibility mode for protocol 2.0  
debug1: Local version string SSH-2.0-OpenSSH_4.7  
debug1: SSH2_MSG_KEXINIT sent  
debug1: SSH2_MSG_KEXINIT received  
debug1: kex: server->client aes128-cbc hmac-md5 none  
debug1: kex: client->server aes128-cbc hmac-md5 none  
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent  
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP  
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent  
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY  
debug1: Host 'xxx.xxx.xxx.xxx' is known and matches the RSA host key.  
debug1: Found key in /Users/pacis/.ssh/known_hosts:40  
debug1: ssh_rsa_verify: signature correct  
debug1: SSH2_MSG_NEWKEYS sent  
debug1: expecting SSH2_MSG_NEWKEYS  
debug1: SSH2_MSG_NEWKEYS received  
debug1: SSH2_MSG_SERVICE_REQUEST sent  
debug1: SSH2_MSG_SERVICE_ACCEPT received  
debug1: Authentications that can continue: publickey,password  
debug1: Next authentication method: publickey  
debug1: Offering public key: /Users/pacis/.ssh/id_rsa  
debug1: Authentications that can continue: publickey,password  
debug1: Trying private key: /Users/pacis/.ssh/identity  
debug1: Trying private key: /Users/pacis/.ssh/id_dsa  
debug1: Next authentication method: password

Here is the same for the one that works as expected:

OpenSSH_4.7p1, OpenSSL 0.9.8g 19 Oct 2007  
debug1: Reading configuration data /Users/pacis/.ssh/config  
debug1: Reading configuration data /opt/local/etc/ssh/ssh_config  
debug1: Connecting to xxx.xxx.xxx.xxx [xxx.xxx.xxx.xxx] port 22.  
debug1: Connection established.  
debug1: identity file /Users/pacis/.ssh/identity type -1  
debug1: identity file /Users/pacis/.ssh/id_rsa type 1  
debug1: identity file /Users/pacis/.ssh/id_dsa type -1  
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.1p1 Debian-5  
debug1: match: OpenSSH_5.1p1 Debian-5 pat OpenSSH*  
debug1: Enabling compatibility mode for protocol 2.0  
debug1: Local version string SSH-2.0-OpenSSH_4.7  
debug1: SSH2_MSG_KEXINIT sent  
debug1: SSH2_MSG_KEXINIT received  
debug1: kex: server->client aes128-cbc hmac-md5 none  
debug1: kex: client->server aes128-cbc hmac-md5 none  
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent  
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP  
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent  
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY  
debug1: Host 'xxx.xxx.xxx.xxx' is known and matches the RSA host key.  
debug1: Found key in /Users/pacis/.ssh/known_hosts:40  
debug1: ssh_rsa_verify: signature correct  
debug1: SSH2_MSG_NEWKEYS sent  
debug1: expecting SSH2_MSG_NEWKEYS  
debug1: SSH2_MSG_NEWKEYS received  
debug1: SSH2_MSG_SERVICE_REQUEST sent  
debug1: SSH2_MSG_SERVICE_ACCEPT received  
debug1: Authentications that can continue: publickey,password  
debug1: Next authentication method: publickey  
debug1: Offering public key: /Users/pacis/.ssh/id_rsa  
debug1: Server accepts key: pkalg ssh-rsa blen 277  
debug1: Authentication succeeded (publickey).  
debug1: channel 0: new [client-session]  
debug1: Entering interactive session

Here is /etc/ssh/sshd_config

Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes

# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 768

# Logging
SyslogFacility AUTH
LogLevel INFO

# Authentication:
LoginGraceTime 120
PermitRootLogin yes
StrictModes yes

RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile %h/.ssh/authorized_keys

# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes

# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no

# Change to no to disable tunnelled clear text passwords
#PasswordAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no

#MaxStartups 10:30:60
#Banner /etc/issue.net

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

Subsystem sftp /usr/lib/openssh/sftp-server

UsePAM yes

The last piece of information I can think of is ls -la for the home and .ssh directories of both accounts.

Working:

total 40
drwxr-x--- 5 user1 www-data 4096 2009-10-29 22:11 .
drwxr-x--x 6 root  www-data 4096 2009-10-27 23:09 ..
....
drwx------ 2 user1 user1    4096 2009-10-23 07:20 .ssh

total 12
drwx------ 2 user1 user1   4096 2009-10-23 07:20 .
drwxr-x--- 5 user1 www-data 4096 2009-10-29 22:11 ..
-rw------- 1 user1 user1    413 2009-10-23 07:20 authorized_keys

Not working:

total 68
drwxrwxr--  6 user2 www-data    4096 2009-11-07 12:13 .
drwxr-x--x  5 root  root            4096 2009-10-09 14:29 ..
....
drwx------  2 user2 user2       4096 2009-11-07 15:52 .ssh

total 12
drwx------ 2 user2 user2 4096 2009-11-08 20:32 .
drwxrwxr-- 6 user2 www-data     4096 2009-11-07 12:13 ..
-rw------- 1 user2 user2  412 2009-11-07 09:55 authorized_keys

I have no idea why it does not work; I have checked it several times over. What am I missing?

Thanks for your time.

Answer 1

Try removing the group write permission on the user2 home directory on the account that isn't working... SSH complains if anyone other than the account user has write permission. If you look at the directory listings you posted, the working one has:

drwxr-x--- 5 user1 www-data 4096 2009-10-29 22:11 ..

and the non-working account has:

drwxrwxr-- 6 user2 www-data     4096 2009-11-07 12:13 ..

As I said in my earlier comment on the original question, nine times out of ten this is a permissions/ownership problem. Once the information was provided, it became apparent.

Looking at one of my own accounts I get the following:

$ ls -lnd .
drwxr-xr-x 14 97037 97037 4096 Nov  8 09:31 .
$ ls -lnd .ssh
drwx------ 2 97037 97037 4096 Jun 16 11:30 .ssh
$ ls -lnd .ssh/authorized_keys 
-rw------- 1 97037 97037 388 Jun 16 11:30 .ssh/authorized_keys

I can only imagine that the www-data group membership is a misguided way of restricting access to the home directory while still allowing Apache to serve web pages from inside the user's directory.

Additionally, cawer's suggestion was dismissed out of hand because he suggested the permissions on the ~/.ssh directory were all correct and identical, but the evidence provided shows that is not the case.

Since the proof is in the pudding... here is the ssh connection log for my account:

$ ssh -v example.com
OpenSSH_5.1p1 Debian-6ubuntu2, OpenSSL 0.9.8g 19 Oct 2007
debug1: Reading configuration data /home/jbouse/.ssh/config
debug1: Applying options for *
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to example.com [x.x.x.x] port 22.
debug1: Connection established.
debug1: identity file /home/jbouse/.ssh/keys.d/id_rsa.example type -1
debug1: identity file /home/jbouse/.ssh/keys.d/id_dsa.example type -1
debug1: identity file /home/jbouse/.ssh/keys.d/jbouse@example type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_4.3
debug1: match: OpenSSH_4.3 pat OpenSSH_4*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.1p1 Debian-6ubuntu2
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'example.com' is known and matches the RSA host key.
debug1: Found key in /home/jbouse/.ssh/known_hosts:85
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Trying private key: /home/jbouse/.ssh/keys.d/id_rsa.example
debug1: Trying private key: /home/jbouse/.ssh/keys.d/id_dsa.example
debug1: Trying private key: /home/jbouse/.ssh/keys.d/jbouse@example
debug1: read PEM private key done: type RSA
debug1: Authentication succeeded (publickey).
debug1: channel 0: new [client-session]
debug1: Entering interactive session.
debug1: Sending environment.
debug1: Sending env LANG = en_US.UTF-8

If I run the following to set my home directory permissions to match your user2 account:

$ ls -lnd .
drwxr-xr-x 14 97037 97037 4096 Nov  8 09:31 .
$ chmod g+w .
$ ls -lnd .
drwxrwxr-x 14 97037 97037 4096 Nov  8 09:31 .

and then try to connect again, I get the following ssh log:

$ ssh -v example.com
OpenSSH_5.1p1 Debian-6ubuntu2, OpenSSL 0.9.8g 19 Oct 2007
debug1: Reading configuration data /home/jbouse/.ssh/config
debug1: Applying options for *
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to example.com [x.x.x.x] port 22.
debug1: Connection established.
debug1: identity file /home/jbouse/.ssh/keys.d/id_rsa.example type -1
debug1: identity file /home/jbouse/.ssh/keys.d/id_dsa.example type -1
debug1: identity file /home/jbouse/.ssh/keys.d/jbouse@example type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_4.3
debug1: match: OpenSSH_4.3 pat OpenSSH_4*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.1p1 Debian-6ubuntu2
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'example.com' is known and matches the RSA host key.
debug1: Found key in /home/jbouse/.ssh/known_hosts:85
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Trying private key: /home/jbouse/.ssh/keys.d/id_rsa.example
debug1: Trying private key: /home/jbouse/.ssh/keys.d/id_dsa.example
debug1: Trying private key: /home/jbouse/.ssh/keys.d/jbouse@example
debug1: read PEM private key done: type RSA
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: password

When I changed the permissions back by removing the group write permission, I was able to log into the account again.

Answer 2
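The check that answer 1 describes is what sshd performs under "StrictModes yes" before it reads ~/.ssh/authorized_keys: the file, ~/.ssh, and every directory up to and including the home directory must be owned by the login user (or root) and must not be group- or world-writable, otherwise the key is silently ignored on the client side and sshd logs "Authentication refused: bad ownership or modes for directory ..." in the auth log. The script below is an added example, not code from the answer or from OpenSSH; it re-implements that walk in portable shell so it can be run on the server as root (or as the user) before digging through logs, and it includes a fix routine that applies the conventional modes. The function names, argument order and message texts are this example's own.

```shell
#!/bin/sh
# Added example: mirror of sshd's StrictModes path walk (assumption: the
# walk stops at the home directory, as sshd does). Function names, argument
# order and messages are this example's own, not sshd's.

# Print PATH if it is owned by neither USER nor root (no output otherwise).
# "-prune" keeps find from descending, so only PATH itself is examined.
_owner_not_user_or_root() {
    find "$1" -prune ! -user "$2" ! -user root -print
}

# Print PATH if its group-write (020) or other-write (002) bit is set.
_group_or_world_writable() {
    find "$1" -prune \( -perm -020 -o -perm -002 \) -print
}

# ssh_strictmodes_check HOME_DIR USER
# Reports every path sshd would reject; returns 1 if there is at least one,
# 0 when the whole chain from authorized_keys up to HOME_DIR is acceptable.
ssh_strictmodes_check() {
    home=${1%/}          # tolerate a trailing slash in HOME_DIR
    user=$2
    rc=0
    path="$home/.ssh/authorized_keys"
    while :; do
        if [ ! -e "$path" ]; then
            echo "missing: $path"
            rc=1
        else
            if [ -n "$(_owner_not_user_or_root "$path" "$user")" ]; then
                echo "bad owner (not $user or root): $path"
                rc=1
            fi
            if [ -n "$(_group_or_world_writable "$path")" ]; then
                echo "group/world writable: $path"
                rc=1
            fi
        fi
        # Stop once the home directory itself has been checked; also stop
        # at / so a wrong HOME_DIR argument cannot loop forever.
        if [ "$path" = "$home" ] || [ "$path" = "/" ]; then
            break
        fi
        path=$(dirname "$path")
    done
    return $rc
}

# ssh_strictmodes_fix HOME_DIR
# Applies the conventional modes: strip group/world write from the home
# directory (group read is kept, so a web-server group like www-data can
# still read it), 0700 on ~/.ssh and 0600 on authorized_keys.
# Ownership is deliberately left alone; fix that by hand if reported.
ssh_strictmodes_fix() {
    home=${1%/}
    chmod go-w "$home" &&
    chmod 700 "$home/.ssh" &&
    chmod 600 "$home/.ssh/authorized_keys"
}

# Stand-alone use:  sh check.sh /home/user2 user2
if [ $# -eq 2 ]; then
    ssh_strictmodes_check "$1" "$2"
fi
```

Run against the listings in the question, the only line it would print for user2 is "group/world writable: /home/user2" (mode drwxrwxr--), while user1's chain passes; once the chain passes, compare the key actually installed with the one the client offers using ssh-keygen -lf on both files, since a matching fingerprint rules out a stale or truncated authorized_keys line.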

Check the permissions on the .ssh folder on the server you are trying to log into. Run chmod -R 600 .ssh. Ssh is picky when it comes to broken permissions and public keys.

Answer 3

You have already checked all the usual candidates for a key authentication failure; the next thing I would do is raise the logging level on the server and check how the reports in /var/log/auth.log differ between the two logins.

Another thing worth clarifying: on the account that asks for a password, if you enter the password, does it work and let you log in? If a PAM restriction is denying login for that specific account (and you have SSH configured to use PAM), you can get exactly this kind of result, because for password authentication the other PAM restrictions are only checked after you have entered the password.

Answer 4

Is this a Debian system? If so, the user that doesn't work may have a weak key.

See the Debian wiki on how to test your keys.

If you do have a weak key, you have to upgrade the ssh package on the client system and regenerate the key for the user that is having the problem.