这是在这里和其他地方被问到和回答过很多次的问题之一,你简直不敢相信你还要再问一次。我会用我的配置来说明:
在遥控器上:
# getenforce
permissive
# echo ~git
/var/lib/git
# ls -la ~git
drwxr-x---. 1 git git 136 Jun 25 01:39 .
drwxr-xr-x. 1 root root 406 Jun 25 00:38 ..
drwx------. 1 git git 30 Jun 27 16:03 .ssh
# ls -la ~git/.ssh
total 4
drwx------. 1 git git 30 Jun 27 16:03 .
drwxr-x---. 1 git git 136 Jun 25 01:39 ..
-rw-------. 1 git git 694 Jun 27 16:01 authorized_keys
# cat ~git/.ssh/authorized_keys
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIId5JlesVpbIDm3bQoXDfrPkcCIoIwLdEp/Y0N0FDAHp Gentoo Laptop
# cat /etc/ssh/sshd_config
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM no
AllowUsers other_user git
在本地:
# cat ~/.ssh/id_ed25519.pub
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIId5JlesVpbIDm3bQoXDfrPkcCIoIwLdEp/Y0N0FDAHp Gentoo Laptop
# ssh -i ~/.ssh/id_ed25519 git@[redacted]
git@[redacted]: Permission denied (publickey).
笔记:
- 我能够使用相同的密钥对以 other_user 身份登录。
- 我尝试过
~git
移至/home/git/
- sshd 已重新加载多次。
- 机器重新启动了(是的,我就是这么绝望!)
TLDR;
- .ssh 的模式是 700,
- authorized_keys 的模式是 600,
- sshd_config 中允许用户使用 'git',
- 公钥匹配,
- 同一密钥对适用于远程用户“other_user”,
- 并且 Selinux 是宽容的
感谢您的考虑。以下是详细 (-v) 输出:
OpenSSH_8.9p1, OpenSSL 1.1.1o 3 May 2022
debug1: Reading configuration data /home/local_user/.ssh/config
debug1: /home/local_user/.ssh/config line 1: Applying options for [redacted]
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Authenticator provider $SSH_SK_PROVIDER did not resolve; disabling
debug1: Connecting to [redacted] [redacted] port 22.
debug1: Connection established.
debug1: identity file /home/local_user/.ssh/id_ed25519 type 3
debug1: identity file /home/local_user/.ssh/id_ed25519-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.9
debug1: Remote protocol version 2.0, remote software version OpenSSH_8.9
debug1: compat_banner: match: OpenSSH_8.9 pat OpenSSH* compat 0x04000000
debug1: Authenticating to [redacted]:22 as 'git'
debug1: load_hostkeys: fopen /home/local_user/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ssh-ed25519
debug1: kex: server->client cipher: [email protected] MAC: <implicit> compression: none
debug1: kex: client->server cipher: [email protected] MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: SSH2_MSG_KEX_ECDH_REPLY received
debug1: Server host key: ssh-ed25519 SHA256:Fnf3Oy6WVHq6XGivLolPglHXpq9JY277TNM6YdVJBQc
debug1: load_hostkeys: fopen /home/local_user/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: Host '[redacted]' is known and matches the ED25519 host key.
debug1: Found key in /home/local_user/.ssh/known_hosts:8
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 134217728 blocks
debug1: Will attempt key: /home/local_user/.ssh/id_ed25519 ED25519 SHA256:EZKglMrsrAKRUkrGoRRkEMFxiNj0kWALw926e0YIu1o explicit
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,[email protected],ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp3>
debug1: kex_input_ext_info: [email protected]=<0>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering public key: /home/local_user/.ssh/id_ed25519 ED25519 SHA256:EZKglMrsrAKRUkrGoRRkEMFxiNj0kWALw926e0YIu1o explicit
debug1: Authentications that can continue: publickey
debug1: No more authentication methods to try.
git@[redacted]: Permission denied (publickey).
答案1
您可以增加客户通过添加更多-v
选项,但在这种情况下,我猜最好的解释将由服务器。
在您的中添加更详细的日志记录级别(默认值:INFO)sshd_config
:
LogLevel VERBOSE
重新启动 sshd 并尝试再次以该用户身份连接。然后阅读日志。
如果日志中提供的消息确实与您查看的 sshd_config 相冲突,请仔细检查您是否跳过了包含内容(例如/etc/ssh/sshd_config.d/*
)。