I set up automatic ssh login so that I don't have to type the server's password:
cd ~/.ssh
ssh-keygen
ssh-copy-id -i ~/.ssh/id_rsa.pub tim@server1
That works on the server.
Later I did the same thing on a different server.
ssh-copy-id -i ~/.ssh/id_rsa.pub tim@server2
I immediately ran ssh tim@server2, but it still asks for my password. Did I do something wrong? What are the possible reasons I did not manage to set this up on the second server? (Note that the second server runs Kerberos and the Andrew File System.)
$ ssh -v tim@server2
OpenSSH_6.6.1, OpenSSL 1.0.1f 6 Jan 2014
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to server2 [...] port 22.
debug1: Connection established.
debug1: identity file /home/tim/.ssh/id_rsa type 1
debug1: identity file /home/tim/.ssh/id_rsa-cert type -1
debug1: identity file /home/tim/.ssh/id_dsa type -1
debug1: identity file /home/tim/.ssh/id_dsa-cert type -1
debug1: identity file /home/tim/.ssh/id_ecdsa type -1
debug1: identity file /home/tim/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/tim/.ssh/id_ed25519 type -1
debug1: identity file /home/tim/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
debug1: match: OpenSSH_5.3 pat OpenSSH_5* compat 0x0c000000
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<3072<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Server host key: RSA xxx
debug1: Host 'server2' is known and matches the RSA host key.
debug1: Found key in /home/tim/.ssh/known_hosts:70
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure. Minor code may provide more information
No Kerberos credentials available
debug1: Unspecified GSS failure. Minor code may provide more information
No Kerberos credentials available
debug1: Unspecified GSS failure. Minor code may provide more information
debug1: Unspecified GSS failure. Minor code may provide more information
No Kerberos credentials available
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/tim/.ssh/id_rsa
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive
debug1: Trying private key: /home/tim/.ssh/id_dsa
debug1: Trying private key: /home/tim/.ssh/id_ecdsa
debug1: Trying private key: /home/tim/.ssh/id_ed25519
debug1: Next authentication method: keyboard-interactive
Password:
I tried Anthon's approach of using a Diffie-Hellman key, but it still asks me for a password.
$ cd ~/.ssh
$ ssh-keygen -t dsa
$ ssh-copy-id -i ~/.ssh/id_dsa.pub tim@server2
$ ssh -v tim@server2
OpenSSH_6.6.1, OpenSSL 1.0.1f 6 Jan 2014
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to server2 [...] port 22.
debug1: Connection established.
debug1: identity file /home/tim/.ssh/id_rsa type 1
debug1: identity file /home/tim/.ssh/id_rsa-cert type -1
debug1: identity file /home/tim/.ssh/id_dsa type 2
debug1: identity file /home/tim/.ssh/id_dsa-cert type -1
debug1: identity file /home/tim/.ssh/id_ecdsa type -1
debug1: identity file /home/tim/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/tim/.ssh/id_ed25519 type -1
debug1: identity file /home/tim/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
debug1: match: OpenSSH_5.3 pat OpenSSH_5* compat 0x0c000000
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<3072<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Server host key: RSA ...
debug1: Host 'server2' is known and matches the RSA host key.
debug1: Found key in /home/tim/.ssh/known_hosts:70
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure. Minor code may provide more information
No Kerberos credentials available
debug1: Unspecified GSS failure. Minor code may provide more information
No Kerberos credentials available
debug1: Unspecified GSS failure. Minor code may provide more information
debug1: Unspecified GSS failure. Minor code may provide more information
No Kerberos credentials available
debug1: Next authentication method: publickey
debug1: Offering DSA public key: /home/tim/.ssh/id_dsa
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive
debug1: Offering RSA public key: /home/tim/.ssh/id_rsa
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive
debug1: Trying private key: /home/tim/.ssh/id_ecdsa
debug1: Trying private key: /home/tim/.ssh/id_ed25519
debug1: Next authentication method: keyboard-interactive
Password:
Answer 1
You mention that the second server is using the Andrew File System (AFS).
I haven't used it myself, but as I understand it, AFS is a Kerberos-protected file system that needs a Kerberos ticket in order to work. That means you need to be logged in to the site's Kerberos realm to get access to your home directory.
If you log in with a password, server2 may be set up to log you into the Kerberos realm through PAM. But if you use an SSH key, server2 cannot obtain the information it needs to do that, and you will not be able to access your home directory.
Fortunately, from the ssh -v output in your question we can deduce that your server has GSSAPI authentication enabled. If you have a valid Kerberos ticket for your realm, this should allow you to do a passwordless login. Do the following:
- Log in to server2 and run the klist program. This will return something like:
Ticket cache: FILE:/tmp/krb5cc_2000
Default principal: [email protected]

Valid starting       Expires              Service principal
28-05-15 15:01:31    29-05-15 01:01:31    krbtgt/[email protected]
        renew until 29-05-15 15:01:28
28-05-15 15:02:04    29-05-15 01:01:31    IMAP/[email protected]
        renew until 29-05-15 15:01:28
Look for the line starting with Default principal:. It tells you what your Kerberos principal is (in the example above it is [email protected]). Write it down. Note that this is not an email address, and that it is case-sensitive; i.e. the principal ends in EXAMPLE.ORG, not example.org.
- On your client machine, run kinit with your principal name (i.e. in the example above, kinit [email protected]). If all goes well, when you now run klist again you will see that there is a ticket cache on your local machine.
- If you now run ssh -K server2, you should be able to log in without being asked for a password.
Note that, because of the way Kerberos works, a ticket cache has a limited validity. It is not possible to request a ticket cache with a longer validity than the one configured by the realm administrator (usually around 10 hours or so). Once your ticket has expired, you will need to run kinit again and enter your password again.
Answer 2
You should try connecting to server2 using:
ssh -v tim@server2
and compare it with the same command connecting to server1; that will tell you exactly where the two servers differ.
Most likely there is a difference in /etc/ssh/sshd_config on the two machines, or your ~/.ssh on server2 has an accessibility problem (not restricted enough).
From the -v output you can see that you offer an RSA private key to authenticate (in /home/tim/.ssh/id_rsa), but it looks like server2 only supports Diffie-Hellman (and the attempt with /home/tim/.ssh/id_dsa probably does not exist at all).
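Answer 2 suggests reading the ssh -v transcript to see where the two servers differ. The following script is an added example, not code from the question or any answer: it parses a condensed transcript (constructed from the question's output) and reports which methods the server advertised, whether each offered key was accepted, and why the client fell through to a password prompt. The "Server accepts key" marker is what OpenSSH prints at debug1 when a key is accepted.

```python
import re

# Constructed, condensed ssh -v transcript based on the question's output.
SERVER2_LOG = """\
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure. Minor code may provide more information
No Kerberos credentials available
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/tim/.ssh/id_rsa
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive
debug1: Trying private key: /home/tim/.ssh/id_dsa
debug1: Next authentication method: keyboard-interactive
"""

OFFER = re.compile(r"Offering (\S+) public key: (\S+)")
CAN_CONTINUE = re.compile(r"Authentications that can continue: (\S+)")


def server_methods(log):
    """Auth methods the server advertised on its first 'can continue' line."""
    for line in log.splitlines():
        m = CAN_CONTINUE.search(line)
        if m:
            return set(m.group(1).split(","))
    return set()


def key_outcomes(log):
    """Map each offered key file to 'accepted' or 'rejected'. OpenSSH prints
    'Server accepts key' after a successful offer; a rejected offer is followed
    by the server re-listing 'Authentications that can continue'."""
    lines = log.splitlines()
    out = {}
    for i, line in enumerate(lines):
        m = OFFER.search(line)
        if m:
            nxt = lines[i + 1] if i + 1 < len(lines) else ""
            out[m.group(2)] = "accepted" if "Server accepts key" in nxt else "rejected"
    return out


def diagnose(log):
    """Human-readable findings explaining why the login was not passwordless."""
    findings = []
    if "No Kerberos credentials available" in log:
        findings.append("gssapi: no Kerberos ticket on the client (kinit, or disable GSSAPIAuthentication)")
    for path, outcome in key_outcomes(log).items():
        if outcome == "rejected":
            findings.append(f"publickey: server rejected {path}; check authorized_keys and ~/.ssh modes")
    if "Next authentication method: keyboard-interactive" in log:
        findings.append("fell back to an interactive password prompt")
    return findings
```

Running diagnose() on the -v output of server1 and server2 and diffing the two result lists gives the comparison answer 2 recommends.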
Answer 3
Add the following entry on the client machine from which you are trying to ssh.
Config file: /etc/ssh/ssh_config
GSSAPIAuthentication no
After that you will be able to ssh to the machine.
If you don't have edit permissions on that file, you can also add
Host *
    GSSAPIAuthentication no
to ~/.ssh/config
(create the file if it does not exist)
Answer 4
Had a very similar problem and solved it.
When I went ahead and logged in with the password, I still got a further warning
Remote: Ignored authorized keys: bad ownership or modes for directory /home/myusername/.ssh
A common mistake is forgetting to change to the correct permissions on both the client and the server
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys
Anything to do with gssapi is a red herring.
The root cause is a problem when trying to connect using the public key
publickey -> gssapi-keyex,gssapi-with-mic -> password
Your debug file looks different from mine because of the different ssh versions, but look at the following line:-
debug1: Roaming not allowed by server
I would try checking your permissions on the folders and files first.
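The "bad ownership or modes" warning in answer 4 comes from sshd's StrictModes check, which ignores authorized_keys when the home directory, ~/.ssh or the file itself is writable by group or others, or owned by someone other than the user (or root). The script below is an added example, not from the question or any answer: it reproduces that check against a constructed temporary home directory, first with the common ~/.ssh mistake and then after the chmod fix from answer 4.

```python
import os
import stat
import tempfile

# Bits that sshd's StrictModes refuses: writable by group or by others.
GROUP_OTHER_WRITE = stat.S_IWGRP | stat.S_IWOTH


def problem(path, uid):
    """Why sshd would ignore keys under `path`, or None if owner and mode are
    acceptable (owner must be the user or root; no group/other write bit)."""
    st = os.stat(path)
    if st.st_uid not in (uid, 0):
        return f"{path}: owned by uid {st.st_uid}, expected {uid}"
    if st.st_mode & GROUP_OTHER_WRITE:
        return f"{path}: mode {oct(st.st_mode & 0o777)} is group/world writable"
    return None


def check_ssh_dir(home, uid):
    """Check home, ~/.ssh and ~/.ssh/authorized_keys in the order sshd does."""
    ssh_dir = os.path.join(home, ".ssh")
    keys = os.path.join(ssh_dir, "authorized_keys")
    findings = []
    for p in (home, ssh_dir, keys):
        if not os.path.exists(p):
            findings.append(f"{p}: missing")
            continue
        msg = problem(p, uid)
        if msg:
            findings.append(msg)
    return findings


def demo():
    """Constructed scenario: ~/.ssh left world-writable, then fixed."""
    home = tempfile.mkdtemp()
    os.chmod(home, 0o755)                      # typical home directory mode
    ssh_dir = os.path.join(home, ".ssh")
    os.mkdir(ssh_dir)
    os.chmod(ssh_dir, 0o777)                   # the common mistake
    keys = os.path.join(ssh_dir, "authorized_keys")
    open(keys, "w").close()
    os.chmod(keys, 0o644)                      # readable by others is tolerated
    before = check_ssh_dir(home, os.getuid())
    os.chmod(ssh_dir, 0o700)                   # chmod 700 ~/.ssh
    os.chmod(keys, 0o600)                      # chmod 600 ~/.ssh/authorized_keys
    after = check_ssh_dir(home, os.getuid())
    return before, after
```

Run check_ssh_dir on the real home directory on the server (with os.getuid()) to get the same verdict sshd reaches before it prints the warning.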