I ran into a very strange problem when trying to connect to a remote server with SSH.
I am doing this from the command line, and both the private key and the public key are in my current directory. They are named id_rsa and id_rsa.pub respectively. I have verified by fingerprint that they are a matching public/private key pair.
When I issue the following command:
ssh -vT -i ./id_rsa user@remotehost
I get the following error: Permission denied (publickey).
However, if I rename id_rsa.pub to something else, it works fine. What could be causing this? Could it be a setting on the remote server?
The -vT output when id_rsa.pub is in the same directory (and it fails) is:
OpenSSH_6.1p1, OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 50: Applying options for *
debug1: Connecting to remotehost port 22.
debug1: Connection established.
debug1: identity file ./id_rsa type 1
debug1: identity file ./id_rsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3p1 Debian-3ubuntu7
debug1: match: OpenSSH_5.3p1 Debian-3ubuntu7 pat OpenSSH_5*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Server host key: RSA <removed>
debug1: Host remotehost is known and matches the RSA host key.
debug1: Found key in /home/user/.ssh/known_hosts:10
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
Ubuntu 10.04.4 LTS
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: ./id_rsa
debug1: Authentications that can continue: publickey
debug1: No more authentication methods to try.
Permission denied (publickey).
The debug output when I rename id_rsa.pub is:
OpenSSH_6.1p1, OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 50: Applying options for *
debug1: Connecting to remotehost port 22.
debug1: Connection established.
debug1: identity file ./id_rsa type -1
debug1: identity file ./id_rsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_53p1 Debian-3ubuntu7
debug1: match: OpenSSH_5.3p1 Debian-3ubuntu7 pat OpenSSH_5*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Server host key: RSA <removed>
debug1: Host remotehost is known and matches the RSA host key.
debug1: Found key in /home/user/.ssh/known_hosts:10
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
Ubuntu 10.04.4 LTS
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Trying private key: ./id_rsa
debug1: key_parse_private_pem: PEM_read_PrivateKey failed
debug1: read PEM private key done: type <unknown>
Enter passphrase for key './id_rsa':
debug1: read PEM private key done: type RSA
debug1: Authentication succeeded (publickey).
Authenticated to reoteserver:22).
debug1: channel 0: new [client-session]
debug1: Requesting [email protected]
debug1: Entering interactive session.
debug1: Sending environment.
debug1: Sending env LANG = en_US.UTF-8
Answer 1
I was able to reproduce your symptoms using a mismatched public and private key. Even when both keys are allowed by authorized_keys, login fails when the public and private keys do not match.
As far as I can tell, the following happens.
- The client notices that the private key is encrypted
- The client reads the public key file
- The client offers this key to the server
- The server accepts the public key
- The client prompts for the passphrase
- The user enters the passphrase
- The client continues authentication with the mismatched private key
When you remove the public key, the client asks for the passphrase but does not know whether the server will accept the key. This means you may end up being asked for the private key's passphrase only to find that the server would not have accepted it anyway.
Answer 2
This may be a bug in OpenSSH, or the key in the server's authorized_keys and your private key simply do not match. When authentication succeeds, you get
debug1: identity file ./id_rsa type -1
which means OpenSSH could not load the identity file (the public key, I think) at that stage. The source code in the key-loading part has the following snippet (authfile.c):
    /* try ssh2 public key */
    pub = key_new(KEY_UNSPEC);
    if (key_try_load_public(pub, filename, commentp) == 1)
        return pub;
    if ((strlcpy(file, filename, sizeof file) < sizeof(file)) &&
        (strlcat(file, ".pub", sizeof file) < sizeof(file)) &&
        (key_try_load_public(pub, file, commentp) == 1))
        return pub;
This means OpenSSH will try to load the file given in the -i argument plus ".pub" as the public key, and succeed (as seen in the log). If there is no public key with the ".pub" suffix in the current directory, this fails. Later, when authenticating (sshconnect2.c):
    /*
     * send a test message if we have the public key. for
     * encrypted keys we cannot do this and have to load the
     * private key instead
     */
    if (id->key && id->key->type != KEY_RSA1) {
        debug("Offering %s public key: %s", key_type(id->key),
            id->filename);
        sent = send_pubkey_test(authctxt, id);
    } else if (id->key == NULL) {
        debug("Trying private key: %s", id->filename);
        id->key = load_identity_file(id->filename);
        if (id->key != NULL) {
            id->isprivate = 1;
            sent = sign_and_send_pubkey(authctxt, id);
            key_free(id->key);
            id->key = NULL;
        }
    }
If the public key exists, OpenSSH sends it as a test message (?), but for some reason that message fails. Without a preloaded public key, it tries the private key and succeeds.
I don't know why the public key fails (if I have time I'll try to find out more). Perhaps there is some mismatch between how files under .ssh/ are handled compared to other paths, or perhaps there is some mismatch in your keys after all.
Answer 3
I'm almost certain this is a permissions problem. Check the folder permissions to make sure they are not 770 but 740 or similar. If you are not using the .ssh directory, it is easy to run into the problem you describe.
To correct it, use chmod o-w /root. I strongly recommend using a dedicated folder for these keys, since the permissions on the home folder are tricky.
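Added example, not code from the original question or any of the answers: the two local checks the answers point at, done in the shell before suspecting the server. It confirms whether a .pub file really is the public half of the private key beside it (the mismatched-pair case in Answer 1, which the OpenSSH snippets in Answer 2 explain: the client offers whatever .pub it finds next to the -i file) and whether a key directory is group- or world-writable (Answer 3). It assumes OpenSSH's ssh-keygen is installed; the key path is a placeholder argument.

```shell
#!/bin/sh
# Added example (not from the original question or answers). Assumes
# OpenSSH's ssh-keygen is installed; paths are placeholders from the caller.

# Fingerprint ssh-keygen prints for a public-key file (second column of
# "ssh-keygen -l" output); empty when the file cannot be read or parsed.
pub_fingerprint() {
    ssh-keygen -lf "$1" 2>/dev/null | awk '{print $2}'
}

# Fingerprint of the public key derived from the private key itself.
# For an encrypted key ssh-keygen prompts for the passphrase; without a
# terminal that fails and the result is empty.
priv_fingerprint() {
    ssh-keygen -y -f "$1" 2>/dev/null \
        | ssh-keygen -lf /dev/stdin 2>/dev/null | awk '{print $2}'
}

# Returns 0 when <key>.pub is the public half of <key>, 1 otherwise.
# ssh offers the .pub it finds beside the private key, so a stale .pub
# yields "Permission denied (publickey)" even though the private key alone
# would have been accepted.
key_pair_matches() {
    priv=$(priv_fingerprint "$1")
    pub=$(pub_fingerprint "$1.pub")
    [ -n "$priv" ] && [ "$priv" = "$pub" ]
}

# Mode string from "ls -ld", e.g. "drwxr-x---" (Linux and BSD/macOS).
mode_string() {
    ls -ld "$1" | cut -c1-10
}

# Returns 0 when the path is writable by "other" (what "chmod o-w" clears).
other_writable() {
    [ "$(mode_string "$1" | cut -c9)" = "w" ]
}

# Returns 0 when the path is writable by "group" (the 770 vs 740 difference).
group_writable() {
    [ "$(mode_string "$1" | cut -c6)" = "w" ]
}

# Usage: sh check_key.sh ./id_rsa
if [ -n "$1" ]; then
    key_pair_matches "$1" && echo "OK: $1.pub matches $1" \
        || echo "MISMATCH: $1.pub is not the public half of $1"
    dir=$(dirname "$1")
    other_writable "$dir" && echo "WARNING: $dir is world-writable"
    group_writable "$dir" && echo "WARNING: $dir is group-writable"
fi
```

Run it against the key you pass with -i; a MISMATCH line means the .pub beside the key is the problem, not the server.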