Context: connecting to my ssh server from somewhere using a key (i.e. not a password) via ssh, and sometimes it doesn't work.
Server: Ubuntu 16.04 LTS, fully patched. OpenSSH server. Password and root login disabled.
Client: tried with the OSX OpenSSH client and the Ubuntu 17.10 OpenSSH client.
Trailing output of ssh -vvv "server" when it fails
(from OSX):
debug1: Authentications that can continue: publickey
debug3: start over, passed a different list publickey
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering public key: RSA SHA256:xxxx/E /Users/xxx/.ssh/id_rsa
debug3: send_pubkey_test
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 51 <-- HERE, diff from success
debug1: Authentications that can continue: publickey
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
[email protected]: Permission denied (publickey).
Trailing output of ssh -vvv "server" when it succeeds
(from OSX, a few minutes later than the failing attempt above):
debug1: Authentications that can continue: publickey
debug3: start over, passed a different list publickey
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering public key: RSA SHA256:xxx/E /Users/xxx/.ssh/id_rsa
debug3: send_pubkey_test
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 60 <-- HERE, success, diff from fail
debug1: Server accepts key: pkalg rsa-sha2-512 blen 279
debug2: input_userauth_pk_ok: fp SHA256:xxx/E
debug3: sign_and_send_pubkey: RSA SHA256:xxx/E
Enter passphrase for key '/Users/xxx/.ssh/id_rsa':
debug1: identity added to agent: /Users/xxx/.ssh/id_rsa
debug3: send packet: type 50
debug3: receive packet: type 52
debug1: Authentication succeeded (publickey).
Authenticated to yyy.zzz ([123.456.789.012]:22).
They are very similar; the difference is this line:
debug3: receive packet: type 51 (when failing)
debug3: receive packet: type 60 (when succeeding)
This leads me to believe it is a server-side problem. In /var/log/auth.log
I found the following entries:
Feb 7 09:30:59 server-name sshd[48527]: Connection closed by (client public IP) port 64050 [preauth] (the only mention of this connection attempt)
Feb 7 09:34:17 server-name sshd[48725]: Accepted publickey for yyy from (client public IP) port 64134 ssh2\: RSA SHA256:xxx/E (the succeeding attempt)
So something is clearly happening, but now I'm stumped. Is there any way to fix this?
Possibly relevant information: the ssh server has a public IP and gets roughly ten (10) bad ssh connection attempts per minute (only port 22 is open). It seems that for a few minutes after I log in to the server locally, remote login via ssh always works. The server sits behind a physical firewall with port 22 forwarded, and the behaviour is the same from my local subnet.
Answer 1
After a lot of fiddling, I found the problem was related to the encrypted home directory (since I set up 10+ VMs via a script, I completely overlooked this during setup).
What is still puzzling is that the server does not log that it cannot access /home/userdir/.ssh/authorized_keys
and only shows:
Feb 7 09:30:59 server-name sshd[48527]: Connection closed by (client public IP) port 64050 [preauth] (the only mention of this connection attempt)
In general there are two solutions:
- Decrypt the home directory (this is messy and I don't recommend it). Use Google to find instructions; searching for
ecryptfs permanent decrypt
gives decent results.
- Move
authorized_keys
outside the encrypted home folder so that it can be accessed.
Since 1) is rather messy, I recommend 2).
Moving authorized_keys
I suggest creating a directory structure under /etc/ssh/
such as /etc/ssh/keys/%user/authorized_keys
and changing the AuthorizedKeysFile line in /etc/ssh/sshd_config
to match. For example:
#original (%h expands to /home/userdir, which is encrypted)
AuthorizedKeysFile %h/.ssh/authorized_keys
#new (%u expands to username)
AuthorizedKeysFile /etc/ssh/keys/%u/authorized_keys
After logging in you will be in a minimal home folder with nothing in it; run ecryptfs-mount-private
to decrypt the home folder (you will need to enter the passphrase, which by default is your login password). The easiest way around this is to add a .profile
to the minimal home folder that decrypts and takes you to your real home folder.
# place in minimalistic .profile
ecryptfs-mount-private
# if below doesn't work, replace with static cd /home/userdir
cd $HOME
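As an added example that is not part of the answer above: a small POSIX shell script that moves a user's authorized_keys into the /etc/ssh/keys/<user>/authorized_keys layout the answer suggests and then checks the things sshd's StrictModes would reject (group- or world-writable file or directories), plus a key count so an empty file is noticed. KEYS_ROOT is taken as a parameter (an assumption here) so the script can be exercised against a scratch directory; the sample key file in the test is constructed.

```shell
#!/bin/sh
# Added example (not from the original answer). Assumes the layout
# KEYS_ROOT/<user>/authorized_keys, i.e. AuthorizedKeysFile /etc/ssh/keys/%u/authorized_keys
# when KEYS_ROOT is /etc/ssh/keys. Run as root for the real path.

# Prints the path if it is writable by group or others (what StrictModes rejects).
group_or_world_writable() {
    find "$1" -prune \( -perm -g+w -o -perm -o+w \) 2>/dev/null
}

# migrate_keys KEYS_ROOT USER SRC_FILE
# Copies SRC_FILE (typically ~/.ssh/authorized_keys while the home is mounted)
# to KEYS_ROOT/USER/authorized_keys with permissions sshd accepts even before
# the encrypted home is mounted.
migrate_keys() {
    keys_root=$1; user=$2; src=$3
    [ -r "$src" ] || { echo "cannot read $src" >&2; return 1; }
    mkdir -p "$keys_root/$user" || return 1
    chmod 0755 "$keys_root" "$keys_root/$user" || return 1
    cp "$src" "$keys_root/$user/authorized_keys" || return 1
    chmod 0644 "$keys_root/$user/authorized_keys"
}

# check_keys_file KEYS_ROOT USER
# Returns 0 if the file exists and neither it nor the two directories above it
# are group/world-writable; otherwise prints the reason and returns 1.
check_keys_file() {
    keys_root=$1; user=$2
    f="$keys_root/$user/authorized_keys"
    [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
    for p in "$f" "$keys_root/$user" "$keys_root"; do
        if [ -n "$(group_or_world_writable "$p")" ]; then
            echo "bad permissions (StrictModes would reject): $p" >&2
            return 1
        fi
    done
    return 0
}

# count_keys KEYS_ROOT USER
# Prints the number of lines that look like public keys (comments and blank
# lines ignored); 0 if the file is missing, which is exactly the silent
# "Permission denied (publickey)" case from the question.
count_keys() {
    n=$(grep -cE '^(ssh-(rsa|ed25519|dss)|ecdsa-sha2-nistp(256|384|521)|sk-)[^ ]* ' \
        "$1/$2/authorized_keys" 2>/dev/null) || n=0
    echo "${n:-0}"
}
```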