我当时运行的是 Ubuntu 14.04 服务器,启用了 SSH,关闭了密码登录。我不小心弄乱了目录的权限~/.ssh,导致我被锁定。
我设法使用 LiveUSB 挂载驱动器并启用密码登录并修复权限,但现在它总是提示输入密码,即使我安装了更新的 SSH 密钥也是如此。为什么会这样,我该如何防止这种情况?我不想尝试关闭密码登录,因为担心再次把自己锁在外面。
我尝试运行ssh -i mykey.pem -vvv user@remote_server.com,并得到输出:
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug1: kex: algorithm: [email protected]
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: [email protected] MAC: <implicit> compression: none
debug1: kex: client->server cipher: [email protected] MAC: <implicit> compression: none
debug3: send packet: type 30
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug3: receive packet: type 31
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:cAx828kYj3SWm8lMubqqvq1w9xLh9lxUN/vpCZ7gdk
debug3: hostkeys_foreach: reading file "/home/chris/.ssh/known_hosts"
debug3: record_hostkey: found key type ECDSA in file /home/chris/.ssh/known_hosts:375
debug3: load_hostkeys: loaded 1 keys from remote_server.com
debug3: hostkeys_foreach: reading file "/home/chris/.ssh/known_hosts"
debug3: record_hostkey: found key type ECDSA in file /home/chris/.ssh/known_hosts:376
debug3: load_hostkeys: loaded 1 keys from 75.101.158.254
debug1: Host 'remote_server.com' is known and matches the ECDSA host key.
debug1: Found key in /home/chris/.ssh/known_hosts:375
debug3: send packet: type 21
debug2: set_newkeys: mode 1
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug3: receive packet: type 21
debug2: set_newkeys: mode 0
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS received
debug2: key: chris@localhost (0x557a0dc45410), agent
debug2: key: roles/qa/qa-ubuntu.pem ((nil)), explicit
debug3: send packet: type 5
debug3: receive packet: type 6
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug3: send packet: type 50
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,password
debug3: start over, passed a different list publickey,password
debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: chris@localhost
debug3: send_pubkey_test
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,password
debug1: Trying private key: roles/qa/qa-ubuntu.pem
debug3: sign_and_send_pubkey: RSA SHA256:Np4f4uwDmx/HgP7m2mIc1pZWeHlrmjreuj2cuLybRhg
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,password
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred: ,password
debug3: authmethod_is_enabled password
debug1: Next authentication method: password
但是,其中大部分对我来说都毫无意义。我没有看到任何明确的错误消息说明它为什么拒绝我的密钥。为什么它仍然需要密码?
答案1
检查包含您的私钥的父目录(在本例中为roles/qa)是否具有0750权限。
在服务器端,检查是否有任何内容登录到内部/var/log/auth.log,/var/log/secure
答案2
我没有看到任何明确的错误消息说明为什么它拒绝了我的密钥。为什么它仍然需要密码?
你不需要。原因记录在服务器日志中。你不想向潜在攻击者提供任何超出需要的信息(密钥被拒绝)。而且由于你和服务器仍然允许密码验证,所以没有错误,并且会提示你输入密码。你可以PasswordAuthentication=no在你的 中设置来阻止这种行为ssh_config。它会在密钥被拒绝后立即使你的连接失败(如果你想)。或者只是
ssh -i mykey.pem -oPasswordAuthentication=no user@remote_server.com