我可以使用密码登录我的服务器,但不能使用我的公钥。我在 Rackspace.com 服务器上运行 CentOS 版本 6.3(最终版)
我将本地的 ~/.ssh/id_rsa.pub 添加到远程服务器的 ~/.ssh/authorized_keys 并且远程权限似乎没问题。
$ ll -d .
drwxr-x---. 15 fort apache 4096 Feb 22 16:07 .
$ ll -d .ssh
drwx------. 2 fort apache 4096 Feb 17 19:40 .ssh
$ ll -d .ssh/authorized_keys
-rw-------. 1 fort fort 2034 Feb 18 06:06 .ssh/authorized_keys
我检查服务器是否接受公钥认证:
$ ssh -o PreferredAuthentications=none fort@fort
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive).
使用 -vvv 连接显示失败
$ ssh -vvv -o PreferredAuthentications=publickey fort@fort
OpenSSH_7.3p1, LibreSSL 2.4.1
debug1: Reading configuration data /Users/kim/.ssh/config
...
debug1: Connecting to cedar.greencitypartnerships.org [108.166.125.240] port 22.
debug1: Connection established.
...
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive
debug3: start over, passed a different list publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive
debug3: preferred publickey
debug3: authmethod_lookup publickey
debug3: remaining preferred:
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /Users/kim/.ssh/id_rsa
debug3: send_pubkey_test
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 51
...
debug1: No more authentication methods to try.
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive).
$
这是我在服务器上查看 /var/log/secure 时看到的全部内容
# tail -f /var/log/secure
...
Feb 24 06:12:16 fort sshd[3064]: Connection closed by 97.113.252.17
这是我登录另一台服务器时得到的结果
# tail -f /var/log/secure
...
Feb 23 22:14:12 cedar sshd[2187]: Accepted publickey for cedar from 192.168.56.1 port 53004 ssh2
Feb 23 22:14:12 cedar sshd[2187]: pam_unix(sshd:session): session opened for user cedar by (uid=0)
然后我尝试在服务器上创建一个公钥,并将其添加到服务器的 ~/.ssh/authorized_keys 中。我遇到了同样的失败
$ ssh -o PreferredAuthentications=publickey localhost
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive).
和
# tail -f /var/log/secure
...
Feb 24 06:30:37 fort sshd[3841]: Connection closed by ::1
接下来,我尝试在另一个端口上以调试模式运行 sshd。这次我能够登录了。
# /usr/sbin/sshd -d -p 27
并且在同一台服务器上...
$ ssh -p 27 -o PreferredAuthentications=publickey localhost
Last login: Fri Feb 24 06:34:37 2017 from 97-113-252-17.tukw.qwest.net
Environment:
LANG=en_US.UTF-8
USER=fort
...
$
为了确认 sshd 是否因为我在调试模式下运行而没有开始工作,我正常启动了它。再次,我能够成功登录。
# /usr/sbin/sshd -p 27
#
和
$ ssh -p 27 -o PreferredAuthentications=publickey localhost
Last login: Fri Feb 24 06:39:30 2017 from localhost
[fort@fort ~]$
和
# tail -f /var/log/secure
...
Feb 24 06:46:58 fort sshd[4595]: Server listening on 0.0.0.0 port 27.
Feb 24 06:46:58 fort sshd[4595]: Server listening on :: port 27.
Feb 24 06:48:13 fort sshd[4629]: Accepted publickey for fort from ::1 port 51302 ssh2
Feb 24 06:48:13 fort sshd[4629]: pam_unix(sshd:session): session opened for user fort by (uid=0)
我将 LogLevel 更改为 DEBUG,并在端口 22 和 27 上重新启动 sshd。
以下是端口 22 连接失败的原因:
debug1: trying public key file /home/fort/.ssh/authorized_keys
debug1: restore_uid: 0/0
debug1: temporarily_use_uid: 502/502 (e=0/0)
debug1: trying public key file /home/fort/.ssh/authorized_keys2
debug1: restore_uid: 0/0
Failed publickey for fort from ::1 port 44994 ssh2
这是 27 端口连接成功的情况
debug1: trying public key file /home/fort/.ssh/authorized_keys
debug1: fd 4 clearing O_NONBLOCK
debug1: matching key found: file /home/fort/.ssh/authorized_keys, line 6
Found matching RSA key: 8f:87:0e:15:b5:88:49:04:b7:34:79:9d:7e:c2:8d:fa
什么原因允许我在端口 27 上使用公钥认证,但不允许在端口 22 上使用?/etc/init.d/sshd 是否可以使用其他设置?接下来我应该尝试什么才能使公钥认证在端口 22 上运行?
答案1
系统是否以强制模式运行 selinux,如果是,您是否已恢复 authorized_keys 文件上的上下文?
当 authorized_keys 文件被修改时,SELinux 可以阻止 sshd 读取该文件。
答案2
我的 ~/.ssh/authorized_keys SELinux 类型与 httpd_sys_content_t 配置不正确。这可能是因为 apache 内容直接从主目录提供。
$ ls -lZ .ssh/authorized_keys
-rw-------. fort fort unconfined_u:object_r:httpd_sys_content_t:s0 .ssh/authorized_keys
我能够让 ssh 在端口 27 上运行的原因是该进程的类型为“unconfined_t”,而不是“sshd_t”。
$ ps axZ | grep /usr/sbin/sshd | grep -v grep
unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 505 ? Ss 0:00 /usr/sbin/sshd
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 942 ? Ss 0:00 /usr/sbin/sshd -p 27
这是修复方法。restorecon 将类型从 httpd_sys_content_t 更改回 ssh_home_t。
# restorecon -vR .ssh
restorecon reset /home/fort/.ssh context unconfined_u:object_r:httpd_sys_content_t:s0->unconfined_u:object_r:ssh_home_t:s0
restorecon reset /home/fort/.ssh/authorized_keys context unconfined_u:object_r:httpd_sys_content_t:s0->unconfined_u:object_r:ssh_home_t:s0
restorecon reset /home/fort/.ssh/known_hosts context unconfined_u:object_r:httpd_sys_content_t:s0->unconfined_u:object_r:ssh_home_t:s0
restorecon reset /home/fort/.ssh/authorized_keys2 context unconfined_u:object_r:httpd_sys_content_t:s0->unconfined_u:object_r:ssh_home_t:s0
restorecon reset /home/fort/.ssh/id_rsa.pub context unconfined_u:object_r:httpd_sys_content_t:s0->unconfined_u:object_r:ssh_home_t:s0
restorecon reset /home/fort/.ssh/id_rsa context unconfined_u:object_r:httpd_sys_content_t:s0->unconfined_u:object_r:ssh_home_t:s0
现在 ...
$ ssh -o PreferredAuthentications=publickey localhost 上次登录:2017 年 2 月 25 日星期六 16:13:45 来自 97-113-252-17.tukw.qwest.net [fort@fort ~]$