我有一个 Debian 7 VPS 设置。我刚刚启用了 SSH 密钥身份验证并禁用了密码身份验证,但禁用不起作用。
当我尝试通过 SSH 连接到我的 VPS 时,它会提示我输入 SSH 密钥密码,然后工作正常,但如果我点击取消,它会给我“代理承认未能签名”错误,然后提示我输入当前用户帐户密码,我输入它并使用我的帐户密码登录,即使它已被禁用...有谁知道为什么它允许我使用密码访问登录?谢谢
我正在使用 4096 位密钥进行连接。
这是我的 sshd_config:
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes
# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 768
# Logging
SyslogFacility AUTH
LogLevel INFO
# Authentication:
LoginGraceTime 120
PermitRootLogin no
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile %h/.ssh/authorized_keys
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes
# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no
# Change to no to disable tunnelled clear text passwords
#PasswordAuthentication no
# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no
#MaxStartups 10:30:60
#Banner /etc/issue.net
# Allow client to pass locale environment variables
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes
答案1
你只是禁用了ChallengeResponseAuthentication。以 开头的行#
是注释,不会解释为配置,它们供人类阅读。
要禁用所有使用密码登录的可能性,您必须设置
PasswordAuthentication no
和
ChallengeResponseAuthentication no
有一个可能的路径pam_unix可以使用密码登录。稍后将禁用此功能。
答案2
您应该仔细检查您的/etc/ssh/sshd_config文件是否有任何Include指令。如果是这样,请按照包含的文件检查PasswordAuthentication设置是否正确。
就我而言:Fedora33,我的sshd_config文件如下所示:
Include /etc/ssh/sshd_config.d/*.conf
...
PasswordAuthentication no
...
但文件:/etc/ssh/sshd_config.d/50-redhat.conf覆盖了该PasswordAuthentication选项。PasswordAuthentication=no更改后/etc/ssh/sshd_config.d/50-redhat.conf一切都按预期进行。
答案3
您可以将密码提示次数设置为零,如下所示,
-oNumberOfPasswordPrompts=0
聚苯乙烯
即使这与您的问题无关,您也可能会发现以下内容很有用(特别是当您尝试连接到随机 IP 时)。
-oStrictHostKeychecking=no
这将跳过密钥验证已知密钥目标机器中的文件。
我正在使用以下命令来检查给定用户帐户的无密码访问权限。
ssh -oStrictHostKeychecking=no -oNumberOfPasswordPrompts=0 <user>@<ip> exit
答案4
该选项BatchMode=yes也适用于我禁用密码身份验证。
[oracle@host OHOME1020 /tools/oracle]$ ssh remotehost
oracle@remotehost's password: [[ <Ctrl-C> pressed... ]]
[oracle@host OHOME1020 /tools/oracle]$ ssh -o BatchMode=yes remotehost
Permission denied (publickey,password).
[oracle@host OHOME1020 /tools/oracle]$ [[ prompt returned promptly ]]