我正在尝试创建一个“无密码”设置,以便远程服务器在没有密码的情况下更安全+我可以自动执行登录过程。
我已经使用 ssh-keygen 创建了一个新的 ssh 密钥,并将公共文件复制到 ./ssh/authorized_keys 中的远程服务器,但是仍然提示我输入密码。
服务器运行在 CentOS 6.8 上
这是我的步骤
在我的本地机器上(OS X)
ssh-keygen(并留下空的密码)
pbcopy < ~/.ssh/remote_server.pub(在 Mac 上,这将复制公共文件的内容)
在远程服务器上(CentOS 6.8)
$ cd /root/.ssh
$触摸授权密钥
$纳米授权密钥(然后粘贴公钥内容并保存文件)
$ chmod 600 授权密钥
$ 服务 sshd 重启
然后,当我尝试通过 SSH 服务访问(即 ssh remove-server.com)时,我仍然会收到正常的密码提示。
文件所有权/权限是否存在问题?
更新
这是远程 /etc/ssh/sshd_config 文件的内容
# $OpenBSD: sshd_config,v 1.80 2008/07/02 02:24:18 djm Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options change a
# default value.
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
# Disable legacy (protocol version 1) support in the server for new
# installations. In future the default will change to require explicit
# activation of protocol 1
Protocol 2
# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024
# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO
# Authentication:
#LoginGraceTime 2m
#PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
#AuthorizedKeysCommand none
#AuthorizedKeysCommandRunAs nobody
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication no
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
#KerberosUseKuserok yes
# GSSAPI options
#GSSAPIAuthentication no
GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes
GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
#UsePAM no
UsePAM yes
# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#ShowPatchLevel no
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
# no default banner path
#Banner none
# override default of no subsystems
Subsystem sftp /usr/libexec/openssh/sftp-server
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# ForceCommand cvs server
ssh -v 的输出
...
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /Users/m/.ssh/id_rsa
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Offering RSA public key: /Users/m/.ssh/centos_server
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Trying private key: /Users/m/.ssh/id_dsa
debug1: Trying private key: /Users/m/.ssh/id_ecdsa
debug1: Trying private key: /Users/m/.ssh/id_ed25519
debug1: Next authentication method: password
另外,还设置了权限以修复 SELinux 的一个错误
chmod 700 ~/.ssh && chmod 600 ~/.ssh/authorized_keys
restorecon -R -v /root/.ssh
答案1
首先,您不应该以 root 身份进入远程服务器!即使使用密钥身份验证。更安全的做法是创建另一个普通用户并将其添加到 sudoers(使用命令visudo)。然后使用以下命令禁用以 root 身份登录sudo passwd -l root
然后你需要编辑/etc/ssh/sshd_config文件以启用公钥认证。找到以下行PasswordAuthentication并将其设置为no(如果你想为所有用户禁用密码挑战)
确保RSAAuthentication和PubkeyAuthentication设置为是。
另外,通过设置禁用 root 登录PermitRootLogin no
如果 PermitRootLogin 不能按您的要求工作,请尝试添加此替代方法
DenyUsers root
答案2
连接ssh -v user@host,您将获得更多信息。通常,.ssh 文件夹和 authorized_keys 权限会导致这些设置出现问题。
我使用 ssh-copy-id 来授权远程主机中的密钥。
答案3
我遇到过这个问题。在您的 sshd_config 文件中,将:更改
#PermitRootLogin yes
为
PermitRootLogin without-password
我同意允许 root 无需密码登录是愚蠢的,然而
我们有一个“根信任节点”。只有该机器才有权以 root 身份登录,无需密码,在我们的所有服务器上。这样,我们可以在必要时自动执行任务。
为此,请将此短语添加到您的 authorized_key 行的末尾:(
root@mytrustednode注意 root 之前的空格)
其中我的受信任节点是“根受信任节点”的主机名。这样,只有根用户我的受信任节点无需密码即可登录机器。