如何知道我是否可以使用 ssh 密钥对?

如何知道我是否可以使用 ssh 密钥对?

成功运行后,我的构建脚本尝试使用命令将最终的二进制文件复制到我的 FTP 服务器上scp。由于构建需要一段时间,我不想每次都提示输入密码,因此我尝试设置 SSH 密钥对。

[wbarlow@build-machine]$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/wbarlow/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/wbarlow/.ssh/id_rsa.
Your public key has been saved in /home/wbarlow/.ssh/id_rsa.pub.
The key fingerprint is:
7f:b9:c7:a8:1b:77:ce:f8:b6:2a:e3:da:30:68:72:b7 wbarlow@build-machine

[wbarlow@build-machine]$ ssh-copy-id wbarlow@ftp-server
wbarlow@ftp-server's password: 
Now try logging into the machine, with "ssh 'wbarlow@ftp-server'", and check in:

  ~/.ssh/authorized_keys

to make sure we haven't added extra keys that you weren't expecting.

然后我尝试登录我的 ftp 服务器,但仍然提示我输入密码。我确认新创建的密钥存在。

[wbarlow@build-machine]$ ssh wbarlow@ftp-server
wbarlow@ftp-server's password: 

[wbarlow@ftp-server]$ cat ~/.ssh/authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDGUbr4vUeiY7D6sSrsHm469QAqCClchL
7h/HZ7TAc+1F2KsTTF078OSINqzz8NpKJqhlEusLn644PzYn9LmGTIc7IsMG9s+B2n4bZX
9Ypb0VqLSqTgfE2I0j84+SfAQ6MvGJQ0NupIXxXbaMLDlNq1cetnR8NeN+9JeBq4sI8p/a
ijFVARQ7/XSKwQQN30Nl6flTEM1CTDECJs5YsPOu3P54mF6PG2mBdFra6+VQfAZ6fboq9O
d24VNHLYVtUdK5RpWgx8agUalov0xq/3m2VeC5arrYpCVH1rGx6EMxoQS25kk7t9mzBUCj
ulXGWQX2DPR/Em0OIfvVfe/l4xtFfH wbarlow@build-machine

我能够使用公钥向其他机器(即我的 Git 存储库主机)进行身份验证,因此我认为问题不在于客户端。

那么 — 我如何检查 FTP 服务器是否配置为接受授权密钥,以及它配置为接受什么类型的密钥?如何检查密钥是否存储在预期位置(ftp 服务器上的主目录是/var/ftp/wbarlow/,但我也尝试将.ssh文件夹从那里复制到/home/wbarlow/。)?


我的.ssh目录是模式 700,我的authorized_keys文件是模式 600。我也尝试过使用 755 作为.ssh目录。


/etc/ssh/sshd_config在 ftp 服务器上找到了我的文件。我不会发布整个内容,但它确实有以下几行:

RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile      .ssh/authorized_keys

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication yes

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no

据我所知文档,我认为这些行设置正确,适合我想要做的事情(s/key 与 ssh 密钥对无关,对吧?)。


下面是连接时的详细输出。

[wbarlow@build-machine]:~$ ssh -v wbarlow@ftp-server
OpenSSH_6.1p1 Debian-4, OpenSSL 1.0.1c 10 May 2012
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to ftp-server [(ip hidden)] port 22.
debug1: Connection established.
debug1: identity file /home/wbarlow/.ssh/id_rsa type 1
debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-2048
debug1: Checking blacklist file /etc/ssh/blacklist.RSA-2048
debug1: identity file /home/wbarlow/.ssh/id_rsa-cert type -1
debug1: identity file /home/wbarlow/.ssh/id_dsa type -1
debug1: identity file /home/wbarlow/.ssh/id_dsa-cert type -1
debug1: identity file /home/wbarlow/.ssh/id_ecdsa type -1
debug1: identity file /home/wbarlow/.ssh/id_ecdsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.1
debug1: match: OpenSSH_5.1 pat OpenSSH_5*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.1p1 Debian-4
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Server host key: RSA [SNIP]
debug1: Host 'ftp-server' is known and matches the RSA host key.
debug1: Found key in /home/wbarlow/.ssh/known_hosts:1
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure.  Minor code may provide more information
Cannot determine realm for numeric host address

debug1: Unspecified GSS failure.  Minor code may provide more information
Cannot determine realm for numeric host address

debug1: Unspecified GSS failure.  Minor code may provide more information


debug1: Unspecified GSS failure.  Minor code may provide more information
Cannot determine realm for numeric host address

debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/wbarlow/.ssh/id_rsa
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Trying private key: /home/wbarlow/.ssh/id_dsa
debug1: Trying private key: /home/wbarlow/.ssh/id_ecdsa
debug1: Next authentication method: password
wbarlow@ftp-server's password: 

答案1

SSH 服务器的配置设置通常都在,/etc/ssh/sshd_config但我首先要检查的是位置和权限公钥的及其父目录您复制到服务器的。请注意,远程
的正确权限 是authorized_keys批判的为了 ssh 工作 - 这就是为什么我们使用ssh-copy-id公钥而不是简单地将公钥复制到远程。
为了理解这一点,分解它的ssh-copy-id作用可能会很有用。

它所做的第一件事就是安全复制id_rsa.pub到目标服务器,即

scp -P port $HOME/.ssh/id_rsa.pub username@ipaddress:destination_path

并放置在~/.ssh/远程机器上。

它还将改名 id_rsa.pub所以authorized_keys你最终会得到

$ ~/.ssh/authorized_keys

在远程机器上。
它还设置了权限批判的ieauthorized_keys文件的安全性不得低于

-rw------- 1 wbarlow wbarlow  802 Nov 25 13:54 authorized_keys

并且.ssh目录的安全性不能低于755例如

drwx------ 2 wbarlow wbarlow  4096 Jul 29 00:30 .ssh

我倾向于使用命令

ssh-copy-id -i ~/.ssh/id_rsa.pub remote_user@remoteIP

这样我想要的特定密钥就会到达远程,但我不认为这会是你的问题,因为我怀疑 ssh 在尝试建立连接时会检查本地计算机上的所有可用私钥。

另外,与往常一样,请确保检查包含文件夹 ($HOME) 的基本权限,以便其他用户/程序具有适当的文件权限。

答案2

SSH 服务器的配置设置通常位于 /etc/ssh/sshd_config 中,但我首先要检查的是公钥及其复制到服务器的父目录的位置和权限。

/etc/ssh/sshd_config 应该是这样的。 sshd服务需要停止并重新启动

PermitRootLogin yes

RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile      .ssh/authorized_keys

相关内容