我正在尝试为我在 DigitalOcean Ubuntu 12.04 服务器上使用 chef 创建的用户帐户设置 ssh 访问权限。我在 DigitalOcean 中设置了选项,以便在创建 droplet 时自动复制我的 mac 的 ssh 密钥。
我可以以 root 身份通过 ssh 访问,没有任何问题,但我的其他用户无法进行身份验证。这似乎是一个常见问题,我检查了其他一些答案,并找到了这个命令来获取更多信息:
ssh -vvv -i id_rsa user@serverIP
使用该命令的 root 用户(成功)的日志如下
调试
1: Offering RSA public key: /Users/evan/.ssh/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Server accepts key: pkalg ssh-rsa blen 279
debug2: input_userauth_pk_ok: fp snip!
debug3: sign_and_send_pubkey: snip!
debug1: read PEM private key done: type RSA
debug1: Authentication succeeded (publickey).
失败的用户:
调试
1: Authentications that can continue: publickey
debug3: start over, passed a different list publickey
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /Users/evan/.ssh/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey
debug1: Trying private key: /Users/evan/.ssh/id_dsa
debug3: no such identity: /Users/evan/.ssh/id_dsa: No such file or directory
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
对我来说这意味着公钥不正确。但是,如果我以 root 用户身份登录并转到
home/otheraccount/.ssh/authorized_keys
然后我就可以看到我的 ssh 密钥了。我以为可能是出了错误,所以我这样做了:
cp .ssh/authorized_keys ~/home/otheraccout/.ssh/authorized_keys
但这没用。我不知道还能去哪里找。
我的etc/ssh/sshd_config:
# What ports, IPs and protocols we listen for
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
#Privilege Separation is turned on for security
"sshd_config" 88L, 2508C
KeyRegenerationInterval 3600
ServerKeyBits 768
# Logging
SyslogFacility AUTH
LogLevel INFO
# Authentication:
LoginGraceTime 120
PermitRootLogin yes
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile %h/.ssh/authorized_keys
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes
PermitEmptyPasswords no
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no
# Change to no to disable tunnelled clear text passwords
PasswordAuthentication no
# GS
SAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
X11Forwarding no
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no
#MaxStartups 10:30:60
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
UsePAM no
Banner /etc/ssh_banner
编辑:
drwx------ 2 deploy deploy 4096 Apr 20 06:00 .ssh
-rw------- 1 deploy deploy 820 Apr 20 05:35 authorized_keys
编辑2:
正如评论中所建议的,/var/log/authlog包含:
Apr 21 04:59:30 localhost sshd[586]: User deploy not allowed because account is locked
Apr 21 04:59:30 localhost sshd[586]: input_userauth_request: invalid user deploy [preauth]
我尝试过这样做:
sudo usermod --expiredate -1 deploy
返回结果:
no changes
答案1
SSH 登录可能由于各种原因(目录/文件权限不正确、密钥不正确等)而失败,并且连接的客户端将只会出现
Permission denied或No more authentication methods to try一些一般错误。登录失败的具体原因将在 ssh 日志中提供
/var/log/auth.log或/var/log/secure取决于 syslog 配置。
答案2
我新安装的 CentOS7 也遇到同样的问题。
1.检查主目录权限和 ~/.ssh 和 ~/.ssh/authorized_keys 权限(正如@clement 所说)
chmod o-w ~/; chmod 700 ~/.ssh; chmod 600 ~/.ssh/authorized_keys
2. 检查/etc/ssh/sshd_配置设置 && 服务 sshd 重启(每次编辑后)有用:在 sshd_config 中尝试“LogLevel VERBOSE”。
检查完所有一切正常后,我仍然收到密码提示。
使用 -vvv 日志运行 ssh 客户端:
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
服务器(/var/log/secure)日志:
Failed publickey for * from * port * ssh2: RSA *
ssh 服务器不会向客户端发送更多错误信息,因为这会带来安全风险。
如果我在不同端口上运行 sshd 'sshd -p 5555 -d'。密钥有效。无密码登录成功。WTF?
伤心 :-( 随后我禁用了 selinux(在 /etc/selinux/config 中设置 SELINUX=disabled)并重新启动。无密码登录便可正常工作。
我的当前工作的 sshd_config 设置:
[root@hp-bl-05 ~]# grep -vE "^#|^$" /etc/ssh/sshd_config
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
SyslogFacility AUTHPRIV
LogLevel VERBOSE
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
HostbasedAuthentication yes
PasswordAuthentication yes
ChallengeResponseAuthentication no
GSSAPIAuthentication no
GSSAPICleanupCredentials no
UsePAM yes
X11Forwarding yes
UseDNS no
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
Subsystem sftp /usr/libexec/openssh/sftp-server
因此,如果知道我们是否可以在 selinux 中做一些小改动,让无密码 ssh 登录正常工作,那就太好了。有人可以改进答案吗?