我必须在两台 Linux 服务器上进行基于公钥的身份验证。
机器2(192.168.3.132)
- 用户名:vfx_30
- 主目录:
/home/vfx_30 - ssh 密钥:
/home/vfx_30/.ssh/id_rsa/home/vfx_30/.ssh/id_rsa.pub
计算机 1(192.168.3.131)
vfx_30用户的公钥文件位置是
/root/keys/vfx_30.pub(machine2/home/vfx_30/.ssh/id_rsa.pub复制到这里)
无法使用以下命令从机器 1 使用公钥登录到机器 2:
ssh -v -i /root/keys/vfx_30.pub [email protected]
请注意:
- 机器 1 上没有名为 vfx_30 的用户 /
authorized_keys此处未使用 - 使用
-i参数传递公钥。 - 在机器 1 上以 root 用户身份运行此命令
/etc/ssh/sshd_config:RSAAuthentication yes PubkeyAuthentication yes
机器 1 上的详细登录
OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to 192.168.3.132 [192.168.3.132] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: identity file /root/keys/vfx_30.pub type 1
debug1: identity file /root/keys/vfx_30.pub-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
debug1: match: OpenSSH_5.3 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.3
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host '192.168.3.132' is known and matches the RSA host key.
debug1: Found key in /root/.ssh/known_hosts:1
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure. Minor code may provide more information
Cannot determine realm for numeric host address
debug1: Unspecified GSS failure. Minor code may provide more information
Cannot determine realm for numeric host address
debug1: Unspecified GSS failure. Minor code may provide more information
debug1: Unspecified GSS failure. Minor code may provide more information
Cannot determine realm for numeric host address
debug1: Next authentication method: publickey
debug1: Offering public key: /root/keys/vfx_30.pub
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Next authentication method: password
[email protected]'s password:
机器 2 上的审计日志(/var/log/audit/audit.log)
type=CRYPTO_KEY_USER msg=audit(1407837882.656:3259): user pid=27704 uid=0 auid=0 ses=171 msg='op=destroy kind=server fp=e9:69:4f:ad:06:d9:cc:7e:bb:0a:7e:57:03:ea:24:a1 direction=? spid=27704 suid=0 exe="/usr/sbin/sshd" hostname=? addr=192.168.3.131 terminal=? res=success'
type=CRYPTO_KEY_USER msg=audit(1407837882.656:3260): user pid=27704 uid=0 auid=0 ses=171 msg='op=destroy kind=server fp=56:f6:8d:7e:f3:33:c3:6c:f1:52:49:57:3a:9b:ed:d7 direction=? spid=27704 suid=0 exe="/usr/sbin/sshd" hostname=? addr=192.168.3.131 terminal=? res=success'
type=CRYPTO_SESSION msg=audit(1407837882.656:3261): user pid=27703 uid=0 auid=0 ses=171 msg='op=start direction=from-client cipher=aes128-ctr ksize=128 spid=27704 suid=74 rport=59764 laddr=192.168.3.132 lport=22 exe="/usr/sbin/sshd" hostname=? addr=192.168.3.131 terminal=? res=success'
type=CRYPTO_SESSION msg=audit(1407837882.656:3262): user pid=27703 uid=0 auid=0 ses=171 msg='op=start direction=from-server cipher=aes128-ctr ksize=128 spid=27704 suid=74 rport=59764 laddr=192.168.3.132 lport=22 exe="/usr/sbin/sshd" hostname=? addr=192.168.3.131 terminal=? res=success'
type=USER_AUTH msg=audit(1407837882.704:3263): user pid=27703 uid=0 auid=0 ses=171 msg='op=pubkey acct="vfx_30" exe="/usr/sbin/sshd" hostname=? addr=192.168.3.131 terminal=ssh res=failed'
答案1
您无法使用公钥连接。
公钥(id_rsa.pub)应位于服务器端,私钥(id_rsa)应位于客户端。
要在机器 2 上安装密钥:
cat id_rsa.pub >> /home/vfx_30/.ssh/authorized_keys # sometimes this file is called authorized_keys2
从机器 1 连接:
ssh -i id_rsa [email protected]
答案2
您正在尝试反向使用密钥。您创建了一个密钥对,可用于从机器 2 建立 ssh 连接。
接下来,您将尝试从根本没有密钥对的机器 1 建立连接。
为了使其工作,首先在机器 1 上创建一个密钥对。您可以使用 创建它ssh-keygen,就像在机器 2 上一样。
可选择编辑~/.ssh/id_rsa.pub并在行末的注释中添加日期。我发现在那里添加日期很有用,这样无论我将公钥放在哪里,我都可以看到它是哪个版本,以防我以后需要轮换它。
~/.ssh/id_rsa.pub接下来从机器 1 中获取内容并将其附加到~/.ssh/authorized_keys机器 2 上。(authorized_keys如果文件尚不存在,则在此过程中创建该文件)。
答案3
简而言之,ssh -i 选项应该指向私钥文件(通常是“id_rsa”)。
人SSH
... -i 身份文件 选择一个文件,从中读取 RSA 或 DSA 身份验证的身份(私钥)。对于协议版本 1,默认值为 ~/.ssh/identity,对于协议版本 2,默认值为 ~/.ssh/id_rsa 和 ~/.ssh/id_dsa。还可以在配置文件中按主机指定身份文件。可以使用多个 -i 选项(并在配置文件中指定多个身份)。ssh 还将尝试从通过将 -cert.pub 附加到身份文件名而获得的文件名中加载证书信息。