ssh never asks for a password

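For some reason, my SSH never asks me for a password.

So I set up a VPS on some random server somewhere in the world, and I want to connect to it using ssh.

I can set up a key, but when I do this: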

ssh -l some-user IP

I get the error:

Received disconnect from ##.##.##.##: 2: Too many authentication failures for some-user

When I look at the verbose output, I can see that password is one of the options:

debug1: Offering RSA public key: some-user@computer
debug1: Authentications that can continue: publickey,password

But SSH never asks me for a password. It tries 5 times, I suspect with the publickey method, and then fails. Why doesn't ssh try a password?!

Just in case, my ssh_config file contains:

PasswordAuthentication yes

Full log

ssh -v -l root ##.##.##.##
OpenSSH_6.1p1 Debian-4, OpenSSL 1.0.1c 10 May 2012
debug1: Reading configuration data /home/someuser/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to ##.##.##.## [##.##.##.##] port 22.
debug1: Connection established.
debug1: identity file /home/someuser/.ssh/id_rsa type 1
debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-2048
debug1: Checking blacklist file /etc/ssh/blacklist.RSA-2048
debug1: identity file /home/someuser/.ssh/id_rsa-cert type -1
debug1: identity file /home/someuser/.ssh/id_dsa type -1
debug1: identity file /home/someuser/.ssh/id_dsa-cert type -1
debug1: identity file /home/someuser/.ssh/id_ecdsa type -1
debug1: identity file /home/someuser/.ssh/id_ecdsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.2p2 Ubuntu-6
debug1: match: OpenSSH_6.2p2 Ubuntu-6 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.1p1 Debian-4
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ECDSA XX:XX:...:XX:XX
debug1: Host '##.##.##.##' is known and matches the ECDSA host key.
debug1: Found key in /home/someuser/.ssh/known_hosts:38
debug1: ssh_ecdsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/someuser/.ssh/id_rsa
debug1: Authentications that can continue: publickey,password
debug1: Offering RSA public key: someuser@computer
debug1: Authentications that can continue: publickey,password
debug1: Offering RSA public key: someuser@computer
debug1: Authentications that can continue: publickey,password
debug1: Offering DSA public key: someuser@computer
debug1: Authentications that can continue: publickey,password
debug1: Offering RSA public key: someuser@computer
debug1: Authentications that can continue: publickey,password
debug1: Offering RSA public key: someuser@computer
Received disconnect from ##.##.##.##: 2: Too many authentication failures for root

Answer 1

Try logging in with public key authentication disabled, using

ssh -o PubkeyAuthentication=no root@newserver

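Answer 2

Most likely you have more than one identityfile line in your .ssh/config file.

Even if you have identityfile under a host configuration, it is applied globally. This means that ssh tries every identity file (i.e. public key) on every host before the server asks for a password.

You can fix this by

  1. Removing all but one of the identityfile lines, or
  2. Adding PubkeyAuthentication no to .ssh/config, or
  3. Executing ssh with the -o PubkeyAuthentication=no parameter.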

man 5 ssh_config

PubkeyAuthentication
    Specifies whether to try public key authentication.  The argument to this
    keyword must be “yes” or “no”.  The default is “yes”.  This option applies 
    to protocol version 2 only.

IdentityFile
    ...
    It is possible to have multiple identity files specified in configuration
    files; all these identities will be tried in sequence.  Multiple 
    IdentityFile directives will add to the list of identities tried (this 
    behaviour differs from that of other configuration directives).

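Some general notes on using public keys:

  1. In general, you should have only one private key per client (workstation), and put the matching public key on all servers the client should have access to. In other words, share the public key between servers, and never use the same private key on multiple devices.
  2. Always generate the key pair on your own device, and transmit only the public key. That way, even if the server is compromised, your private key is still safe and secure. This can happen in surprising ways - for example, through backups.
  3. If someone else administers the server, you should provide them with a public key; they should not generate the key pair and send the private key to you. That way, they cannot impersonate you with your key (of course, usually they can do whatever they want). Also, with a public key, only integrity must be protected (i.e. nobody changed the public key); with a private key, confidentiality must be protected (i.e. nobody else obtained the key), and it is not possible to be absolutely sure that it has not been compromised.
  4. Compromising one server does not compromise the other servers, even if you use the same private key to connect to multiple servers (unless you transmitted that private key to the server. Never do that.)
  5. Compromising your workstation will expose your private keys anyway. Having multiple private keys does not help with this (unless you have different, strong passphrases, and not all of them are available to the attacker).

There are some exceptions, but not many.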

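Answer 3

Your local ssh should not ask you for a password; the ssh server on the other end should. The server may be set up not to accept password authentication. Mine wouldn't ask you for a password either.

Answer 4

I found another cause. I had: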

Host *
   PreferredAuthentications publickey

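(copied from another user's ~/.ssh/config, thinking it was a "preference"). In fact, PreferredAuthentications specifies the "allowed" methods and their order.

Either remove the PreferredAuthentications line or add password: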

Host *
   PreferredAuthentications publickey,password

Note: no space after the comma!
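
The following is an added example, not part of any answer above: a small Python parser that reads `ssh -v` client output and distinguishes the cause described in Answer 2 (every key is offered until the server disconnects) from the one in Answer 4 (the client never tries password at all). The function name `diagnose`, the verdict labels and the sample log are constructed for illustration; the sample is shortened from the log in the question, with a documentation IP address.

```python
import re

# Constructed sample, shortened from the `ssh -v` output quoted in the question.
SAMPLE_LOG = """\
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/someuser/.ssh/id_rsa
debug1: Authentications that can continue: publickey,password
debug1: Offering RSA public key: someuser@computer
debug1: Authentications that can continue: publickey,password
debug1: Offering DSA public key: someuser@computer
Received disconnect from 192.0.2.10: 2: Too many authentication failures for root
"""

# Accepts both "Offering RSA public key: ..." and "Offering public key: ...".
OFFER = re.compile(r"^debug1: Offering (?:\w+ )?public key: (.+)$")
ALLOWED = re.compile(r"^debug1: Authentications that can continue: (\S+)$")
TRIED = re.compile(r"^debug1: Next authentication method: (\S+)$")


def diagnose(log_text):
    """Summarise the authentication phase of an `ssh -v` client log."""
    offered, allowed, tried = [], set(), []
    too_many = no_more = False
    for line in log_text.splitlines():
        line = line.strip()
        if m := OFFER.match(line):
            offered.append(m.group(1))
        elif m := ALLOWED.match(line):
            allowed.update(m.group(1).split(","))
        elif m := TRIED.match(line):
            tried.append(m.group(1))
        elif "Too many authentication failures" in line:
            too_many = True
        elif "No more authentication methods to try" in line:
            no_more = True
    # Methods the server advertised but the client never moved on to.
    untried = sorted(allowed - set(tried))
    if too_many and "password" in untried:
        verdict = "keys-exhausted-attempts"           # Answer 2 case
    elif no_more and "password" in untried:
        verdict = "password-not-tried-by-client"      # Answer 4 case
    else:
        verdict = "undetermined"
    return {"keys_offered": len(offered), "untried": untried, "verdict": verdict}


if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG))
```
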
