Somehow my SSH never asks me for a password.
So, I set up a VPS on some random server somewhere in the world and want to connect to it using ssh.
I could set up a key, but when I do this:
ssh -l some-user IP
I get the error:
Received disconnect from ##.##.##.##: 2: Too many authentication failures for some-user
When I look at the verbose output, I can see that password is one of the options:
debug1: Offering RSA public key: some-user@computer
debug1: Authentications that can continue: publickey,password
But SSH never asks me for a password. It tries 5 times, I suspect using the public key method, and then fails. Why doesn't ssh try the password?!
Just in case, my ssh_config file contains:
PasswordAuthentication yes
Full log
ssh -v -l root ##.##.##.##
OpenSSH_6.1p1 Debian-4, OpenSSL 1.0.1c 10 May 2012
debug1: Reading configuration data /home/someuser/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to ##.##.##.## [##.##.##.##] port 22.
debug1: Connection established.
debug1: identity file /home/someuser/.ssh/id_rsa type 1
debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-2048
debug1: Checking blacklist file /etc/ssh/blacklist.RSA-2048
debug1: identity file /home/someuser/.ssh/id_rsa-cert type -1
debug1: identity file /home/someuser/.ssh/id_dsa type -1
debug1: identity file /home/someuser/.ssh/id_dsa-cert type -1
debug1: identity file /home/someuser/.ssh/id_ecdsa type -1
debug1: identity file /home/someuser/.ssh/id_ecdsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.2p2 Ubuntu-6
debug1: match: OpenSSH_6.2p2 Ubuntu-6 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.1p1 Debian-4
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ECDSA XX:XX:...:XX:XX
debug1: Host '##.##.##.##' is known and matches the ECDSA host key.
debug1: Found key in /home/someuser/.ssh/known_hosts:38
debug1: ssh_ecdsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/someuser/.ssh/id_rsa
debug1: Authentications that can continue: publickey,password
debug1: Offering RSA public key: someuser@computer
debug1: Authentications that can continue: publickey,password
debug1: Offering RSA public key: someuser@computer
debug1: Authentications that can continue: publickey,password
debug1: Offering DSA public key: someuser@computer
debug1: Authentications that can continue: publickey,password
debug1: Offering RSA public key: someuser@computer
debug1: Authentications that can continue: publickey,password
debug1: Offering RSA public key: someuser@computer
Received disconnect from ##.##.##.##: 2: Too many authentication failures for root
Answer 1
Try logging in with public key authentication disabled, using
ssh -o PubkeyAuthentication=no root@newserver
Answer 2
Most likely you have multiple identityfile lines in your .ssh/config.
Even if you put an identityfile under a host entry, it is applied globally. This means that ssh tries every identity file (i.e. public key) on every host before the server gets to ask for a password.
You can fix this by
- removing all but one identityfile line, or
- adding
PubkeyAuthentication no
to .ssh/config, or
- running ssh with the -o PubkeyAuthentication=no argument.
From man 5 ssh_config:
PubkeyAuthentication
Specifies whether to try public key authentication. The argument to this
keyword must be “yes” or “no”. The default is “yes”. This option applies
to protocol version 2 only.
IdentityFile
...
It is possible to have multiple identity files specified in configuration
files; all these identities will be tried in sequence. Multiple
IdentityFile directives will add to the list of identities tried (this
behaviour differs from that of other configuration directives).
Some general notes on using public keys:
- In general, each client (workstation) should have exactly one private key, and the matching public key should be placed on all servers that the client should be able to access. In other words, share public keys across servers, and never use the same private key on multiple devices.
- Always generate the key pair on your own device and transfer only the public key. That way your private key stays safe even if the server is compromised. That can happen in surprising ways, for example through backups.
- If someone else administers the server, you should give them the public key; they should not generate the key pair and send you the private key. That way they cannot impersonate you with your key (of course, they can usually do whatever they like anyway). Furthermore, with a public key only integrity needs protecting (i.e. nobody alters the public key); with a private key, confidentiality must be protected (i.e. nobody else obtains the key), and it is impossible to be absolutely sure that it has not been leaked.
- Compromising one server does not compromise the others, even if you use the same private key to connect to multiple servers (unless you transfer that private key to the server. Never do that.)
- Compromising your workstation exposes your private key regardless. Having multiple private keys does not help with that (unless they have different strong passphrases and not all of them can be obtained by the attacker).
There are exceptions, but not many.
Answer 3
Your local ssh should not be asking you for a password; the ssh server at the other end should ask you for one. The server may be set up not to accept password authentication. My servers don't ask for a password either.
Answer 4
I found another cause. I had:
Host *
PreferredAuthentications publickey
(copied from another user's ~/.ssh/config, thinking it was a "preference"). In fact, PreferredAuthentications specifies the "allowed" methods and their order.
Remove the PreferredAuthentications line, or add password:
Host *
PreferredAuthentications publickey,password
Note: no space after the comma!
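The two causes given in Answer 2 (IdentityFile lines accumulate across Host blocks, so the client burns every allowed attempt on keys) and Answer 4 (PreferredAuthentications is an allow-list, and a stray space breaks it) can be checked against a small model of how the client resolves its configuration. The Python below is an added example; it is not part of the question or any of the answers and is not OpenSSH code. It assumes the client defaults listed at the top (three default identity files, the default PreferredAuthentications order and sshd's default MaxAuthTries of 6), models only keys named in the config (not keys held by an agent), and uses constructed config snippets rather than the asker's real files.

```python
import fnmatch

# Identity files an OpenSSH 6.x client offers when no IdentityFile is configured
# (assumption for this model; these are the files probed in the log above).
DEFAULT_IDENTITIES = ["~/.ssh/id_rsa", "~/.ssh/id_dsa", "~/.ssh/id_ecdsa"]
# Default method order (ssh_config(5) default for PreferredAuthentications).
DEFAULT_PREFERRED = "gssapi-with-mic,hostbased,publickey,keyboard-interactive,password"
# sshd_config(5) default MaxAuthTries; reaching it yields "Too many authentication failures".
DEFAULT_MAX_AUTH_TRIES = 6


def parse_ssh_config(text):
    """Split ssh_config text into (host_patterns, [(keyword, value), ...]) blocks.
    Options before the first Host line apply to every host."""
    blocks = [(["*"], [])]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "host":
            blocks.append((value.split(), []))
        else:
            blocks[-1][1].append((key, value))
    return blocks


def effective_config(text, hostname, cmdline=None):
    """Resolve the options ssh would use for `hostname`.

    ssh keeps the FIRST value it obtains for most keywords (command line,
    then ~/.ssh/config top to bottom), but IdentityFile is cumulative: every
    matching block adds to the list of keys that will be tried.
    """
    options, identities = {}, []
    # -o Key=value on the command line is consulted before any config file.
    for opt in cmdline or []:
        key, _, value = opt.partition("=")
        if key.lower() == "identityfile":
            identities.append(value)
        else:
            options.setdefault(key.lower(), value)
    for patterns, entries in parse_ssh_config(text):
        if not any(fnmatch.fnmatchcase(hostname, p) for p in patterns):
            continue
        for key, value in entries:
            if key == "identityfile":
                identities.append(value)
            elif key not in options:
                options[key] = value
    options["identityfile"] = identities or list(DEFAULT_IDENTITIES)
    return options


def password_reachable(text, hostname, cmdline=None, max_auth_tries=DEFAULT_MAX_AUTH_TRIES):
    """Return (reachable, reason): will the client ever get to send a password?"""
    cfg = effective_config(text, hostname, cmdline)
    # Answer 4: PreferredAuthentications is an allow-list. The split keeps
    # whitespace on purpose: "publickey, password" yields " password", which is
    # not the method name "password", so the method is never selected.
    methods = cfg.get("preferredauthentications", DEFAULT_PREFERRED).split(",")
    if "password" not in methods:
        return False, "password is not in PreferredAuthentications %r" % methods
    pubkey_on = cfg.get("pubkeyauthentication", "yes").lower() == "yes"
    if pubkey_on and "publickey" in methods:
        n = len(cfg["identityfile"])
        # Answer 2: each rejected key is one failed attempt; once MaxAuthTries
        # failures accumulate, sshd disconnects before password gets its turn.
        if n >= max_auth_tries:
            return False, "%d identity files exhaust MaxAuthTries=%d" % (n, max_auth_tries)
    return True, "password will be tried"


# Constructed configs (not the asker's files) exercising the cases above.
MANY_KEYS = """
Host *
    IdentityFile ~/.ssh/id_rsa
    IdentityFile ~/.ssh/id_work
    IdentityFile ~/.ssh/id_github
    IdentityFile ~/.ssh/id_old
    IdentityFile ~/.ssh/id_backup
Host vps
    HostName 203.0.113.10
    IdentityFile ~/.ssh/id_vps
"""
PREFERRED_NO_PASSWORD = "Host *\n    PreferredAuthentications publickey\n"
PREFERRED_WITH_SPACE = "Host *\n    PreferredAuthentications publickey, password\n"
PREFERRED_FIXED = "Host *\n    PreferredAuthentications publickey,password\n"

if __name__ == "__main__":
    for label, cfg, args in [
        ("six IdentityFile lines", MANY_KEYS, None),
        ("same, -o PubkeyAuthentication=no", MANY_KEYS, ["PubkeyAuthentication=no"]),
        ("PreferredAuthentications publickey", PREFERRED_NO_PASSWORD, None),
        ("PreferredAuthentications with a space", PREFERRED_WITH_SPACE, None),
        ("PreferredAuthentications fixed", PREFERRED_FIXED, None),
    ]:
        print("%-40s %s" % (label, password_reachable(cfg, "vps", args)))
```

The model deliberately mirrors the two different merge rules in ssh_config: `PubkeyAuthentication` and `PreferredAuthentications` are first-match-wins, so the command-line `-o` from Answer 1 takes effect, while `IdentityFile` keeps growing with every matching block, which is why a `Host *` section with several keys pushes every host over the server's attempt limit.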