我在我们的企业网络中有下一个配置:
客户:([电子邮件保护])
在 /etc/ssh/ssh_config 中:
Host *
SendEnv LANG LC_*
HashKnownHosts yes
GSSAPIAuthentication yes
GSSAPIDelegateCredentials no
文件权限:
artur@lothlorien:~$ ls -la ~/.ssh | grep "authorized_keys"
-rw------- 1 artur artur 407 чер 4 10:11 authorized_keys
artur@lothlorien:~$ ls -la ~ | grep ".ssh"
drwx------ 2 artur artur 4096 чер 4 10:33 .ssh
更多的:
- 服务器已添加到
~/.ssh/known_hosts文件内容 ~/.ssh/id_rsa.pub附加到主目录 [电子邮件保护]用户
/proc/版本:
Linux version 3.5.0-32-generic (buildd@akateko) (gcc version 4.7.2 (Ubuntu/Linaro 4.7.2-2ubuntu1) ) #53-Ubuntu SMP Wed May 29 20:23:04 UTC 2013
服务器:([电子邮件保护])
/etc/ssh/ssh_config就像[电子邮件保护]- 文件权限600为了
~/.ssh/authorized_keys - 目录权限700为了
~/.ssh isd_programmer@server> cat ~/.ssh/authorized_keys拥有的公钥[电子邮件保护]
/proc/版本:
Linux version 2.6.38-16-server (buildd@batsu) (gcc version 4.5.2 (Ubuntu/Linaro 4.5.2-8ubuntu4) ) #67-Ubuntu SMP Thu Sep 6 18:15:24 UTC 2012
联系:
artur@lothlorien:~$ ssh [email protected] -v
OpenSSH_6.0p1 Debian-3ubuntu1, OpenSSL 1.0.1c 10 May 2012
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to server.isd [192.168.1.201] port 22.
debug1: Connection established.
debug1: identity file /home/artur/.ssh/id_rsa type 1
debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-2048
debug1: Checking blacklist file /etc/ssh/blacklist.RSA-2048
debug1: identity file /home/artur/.ssh/id_rsa-cert type -1
debug1: identity file /home/artur/.ssh/id_dsa type -1
debug1: identity file /home/artur/.ssh/id_dsa-cert type -1
debug1: identity file /home/artur/.ssh/id_ecdsa type -1
debug1: identity file /home/artur/.ssh/id_ecdsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.8p1 Debian-1ubuntu3
debug1: match: OpenSSH_5.8p1 Debian-1ubuntu3 pat OpenSSH_5*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.0p1 Debian-3ubuntu1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ECDSA bf:55:f2:57:f1:8e:c9:cf:a1:3f:f8:d0:81:6b:d4:7d
debug1: Host 'server.isd' is known and matches the ECDSA host key.
debug1: Found key in /home/artur/.ssh/known_hosts:1
debug1: ssh_ecdsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/artur/.ssh/id_rsa
debug1: Authentications that can continue: publickey,password
debug1: Trying private key: /home/artur/.ssh/id_dsa
debug1: Trying private key: /home/artur/.ssh/id_ecdsa
debug1: Next authentication method: password
[email protected]'s password:
对我来说看起来所有配置都正确,但为什么我会提示输入密码?
更新(2013-06-07 07:05:12):在发现sudo less -500 /var/log/auth.log:
Authentication refused: bad ownership or modes for directory /var/www
/var/www是主目录[电子邮件保护]
答案1
我想到了一些原因:
- 服务器配置为不允许密钥认证
- 客户端主机不是在 hosts.allow 或是在 hosts.deny 中
- 客户端用户不是允许的 ssh 用户
- 权限阻止
authorized_keys读取(检查所有父目录) - 权限太宽泛
authorized_keys(文件和所有父目录都不能由除 root 之外的任何人写入,并且目标用户)。 - 密钥不匹配
还有更多原因,这些是我立即想到的。请记住,本网站旨在为每个人,而不是针对您的特定服务器。
答案2
我自己解决了这个问题。
/var/www拥有权利:
drwxrwxr-x 112 isd_programmer www-data 4096 2013-06-07 10:24 www
我无法更改权限,因为www-数据需要访问此文件夹的组。但是严格模式设置/etc/ssh/sshd_config为是的 (默认)。所以我把它改成了不并重新启动 sshd: sudo restart ssh。
答案3
您遗失了私钥。Client: ([email protected])
在 中[email protected],放置id_rsa以/home/artur/.ssh/使 SSH 可以运行。