CentOS 6.5 SSH RSA key failure


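Okay, I've read a lot of articles and followed a few different tutorials, but my RSA keys won't work on my CentOS servers. The servers run CentOS 6.5 with FreePBX, and I'm trying to get this working from an Ubuntu VM on my laptop so that we can build a central server to SSH from. That way I can run scripts to change things on all of the servers with very little work, because so far we have over 70 of these servers and the number is growing rapidly. But it isn't working. I've looked at some of the logs, but those parts don't need to be shown on the public internet. The user is root (not just a sudoer, but the root user).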

mitch@ubuntu:~$ ssh -v ******@*******.com
OpenSSH_6.6.1, OpenSSL 1.0.1f 6 Jan 2014
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to ********.com [***.***.***.***] port 22.
debug1: Connection established.
debug1: identity file /home/mitch/.ssh/id_rsa type 1
debug1: identity file /home/mitch/.ssh/id_rsa-cert type -1
debug1: identity file /home/mitch/.ssh/id_dsa type 2
debug1: identity file /home/mitch/.ssh/id_dsa-cert type -1
debug1: identity file /home/mitch/.ssh/id_ecdsa type -1
debug1: identity file /home/mitch/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/mitch/.ssh/id_ed25519 type -1
debug1: identity file /home/mitch/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
debug1: match: OpenSSH_5.3 pat OpenSSH_5* compat 0x0c000000
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<3072<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Server host key: RSA ************************************************
debug1: Host '*********.com' is known and matches the RSA host key.
debug1: Found key in /home/mitch/.ssh/known_hosts:1
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure.  Minor code may provide more information
No Kerberos credentials available

debug1: Unspecified GSS failure.  Minor code may provide more information
No Kerberos credentials available

debug1: Unspecified GSS failure.  Minor code may provide more information


debug1: Unspecified GSS failure.  Minor code may provide more information
No Kerberos credentials available

debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/mitch/.ssh/id_rsa
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Offering DSA public key: /home/mitch/.ssh/id_dsa
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Trying private key: /home/mitch/.ssh/id_ecdsa
debug1: Trying private key: /home/mitch/.ssh/id_ed25519
debug1: Next authentication method: password
******@************.com's password: 

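Answer 1

Apologies in advance for my English, as it is not my native language :)

First, mount your remote shared folder, for example on /root/.ssh/

Still on your central server, create your key like this:

ssh-keygen -t rsa -C "user@remotehost"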

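It will ask you the following:

Generating public/private rsa key pair.
Enter file in which to save the key (/home/username/.ssh/id_rsa):

Enter something like:

/root/.ssh/NameOfSSHKeyFile

I strongly recommend that you choose a strong password, different for each key. Use a good local password manager.

To log in with the SSH key, you need to add your public key to this file on the remote server: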

/root/.ssh/authorized_keys

The public key is usually located in the ~/.ssh/ folder, with the file extension .pub (if you followed my example, it should be /root/.ssh/NameOfSSHKeyFile.pub)

Then chmod the files:

chmod 400 ~/.ssh/*

If it still doesn't work:

It seems you may need to add your key to your ssh wallet. It only searches for your SSH keys in these files:

debug1: identity file /home/mitch/.ssh/id_rsa type 1
debug1: identity file /home/mitch/.ssh/id_rsa-cert type -1
debug1: identity file /home/mitch/.ssh/id_dsa type 2
debug1: identity file /home/mitch/.ssh/id_dsa-cert type -1
debug1: identity file /home/mitch/.ssh/id_ecdsa type -1
debug1: identity file /home/mitch/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/mitch/.ssh/id_ed25519 type -1
debug1: identity file /home/mitch/.ssh/id_ed25519-cert type -1

...but found none.

Then let's add the key to the wallet:

ssh-add .ssh/NameOfSSHKeyFile

Voilà :)

Oh! For better security:

ssh-add -D

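...will remove the keys from your wallet. Use it:

Preferably after each intervention.

And don't forget that once you have created the .pub file, you no longer need to keep it on the central server: the .pub key file only needs to be on the remote server.

Once it is in the authorized_keys file on the remote server, delete it.

You can also restrict SSH keys per IP. On the remote server, in /root/.ssh/authorized_keys, you can add from="" to restrict the use of a key per IP:

It gives something like this: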

from="CENTRA-SERVER-IP-ADDRESS" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDHvpIcRLrfmdRb+cK48ooYYLNddaayE5hG5KmHsASKork/T1MvRB3WQJOvJetkM2v7H2G76w90Gr5QpbBhCAD2BqOpIeUKo+npmmUASn48QUs4YzhYbkyRwGWOfrYiKl8oBk2ZXcEV6cL1bHH96OMrozKjrMer6JddvJEAqEEJjny0lg5j/raaDpoEXvPE8YM/oQcs64RUJWp3LwmFR8VO/mSLFSFbuulVDALPWICoWZ/VxE7mR9QhNBlY9Afwe//LDtitPg3eG1hoNLBHbxHpjImBt1ZdaQE4w0y4Nh07Q6E8aepYqNJsdFMZJERL58qGOYvnGTweOLZhtYQa+xNF test
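
The from= restriction described in the answer above is easy to miss on some of 70+ servers. The following is an added example, not part of the original answer: a small Python parser that lists the authorized_keys entries with no from= option. The sample file, key blobs and addresses are constructed, and the function names are hypothetical.

```python
import re

# Key type names that can start an entry (subset; enough for this audit).
KEY_TYPE = re.compile(r"^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp(256|384|521))$")
# One option: name, optionally ="value" where \" is an escaped quote.
OPTION = re.compile(r'([A-Za-z0-9-]+)(?:="((?:\\"|[^"])*)")?(?:,|$)')

# Constructed sample authorized_keys (dummy key blobs, documentation IPs).
SAMPLE = r'''# central admin keys
from="192.0.2.10" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABdummy1 central
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABdummy2 old-laptop
command="/usr/local/bin/backup --mode \"full run\"",no-pty ssh-rsa AAAAB3NzaC1yc2EAAAADAQABdummy3 backup job
from="192.0.2.10,192.0.2.11",no-agent-forwarding ssh-ed25519 AAAAC3NzaC1lZDI1NTE5dummy4 central2
'''

def split_options(line):
    """Split one entry into (options, rest); options end at the first
    whitespace that is not inside double quotes."""
    if KEY_TYPE.match(line.split(None, 1)[0]):
        return "", line                      # entry has no options field
    in_quotes, i = False, 0
    while i < len(line):
        if in_quotes and line.startswith('\\"', i):
            i += 2                           # escaped quote inside a value
            continue
        if line[i] == '"':
            in_quotes = not in_quotes
        elif line[i].isspace() and not in_quotes:
            return line[:i], line[i:].lstrip()
        i += 1
    raise ValueError("options field is not followed by a key")

def audit(text):
    """Return (line_no, key_type, comment, from_value or None) per key entry."""
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opts, rest = split_options(line)
        fields = rest.split(None, 2)
        options = {m.group(1).lower(): m.group(2) for m in OPTION.finditer(opts)}
        comment = fields[2] if len(fields) > 2 else ""
        entries.append((n, fields[0], comment, options.get("from")))
    return entries

def keys_without_from(text):
    """Entries that carry no from= option."""
    return [e for e in audit(text) if e[3] is None]

if __name__ == "__main__":
    for n, ktype, comment, _ in keys_without_from(SAMPLE):
        print(f"line {n}: {ktype} key '{comment}' has no from= restriction")
```
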
