I'm having a problem sshing to another server. I created an ssh key and copied it to the other server.
-bash-4.2$ whoami
postgres
-bash-4.2$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/var/lib/pgsql/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /var/lib/pgsql/.ssh/id_rsa.
Your public key has been saved in /var/lib/pgsql/.ssh/id_rsa.pub.
The key fingerprint is:
96:fd:e7:5b:d2:b0:ac:b3:3e:7b:55:fd:ad:4f:9f:c5 postgres@master.localdomain.tld
The key's randomart image is:
+--[ RSA 2048]----+
| |
| |
| .|
| o o|
| S . . +|
| . . . =+|
| . =oE|
| o+o++|
| .=*o+o|
+-----------------+
-bash-4.2$ ssh-copy-id 192.168.2.75
The authenticity of host '192.168.2.75 (192.168.2.75)' can't be established.
ECDSA key fingerprint is 20:00:96:92:ff:a7:00:cb:a1:3a:30:fe:db:dd:55:c6.
Are you sure you want to continue connecting (yes/no)? yes
/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
postgres@192.168.2.75's password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh '192.168.2.75'"
and check to make sure that only the key(s) you wanted were added.
But it still asks for a password:
-bash-4.2$ ssh 192.168.2.75
postgres@192.168.2.75's password:
Last login: Thu Mar 31 10:09:45 2016 from 192.168.2.138
-bash-4.2$ whoami
postgres
-bash-4.2$
Hostname of the server I connect to:
-bash-4.2$ hostname
slave.localdomain.tld
Hostname of the machine I connect from:
-bash-4.2$ hostname
master.localdomain.tld
But I can log in as the root user without a password.
-bash-4.2$ ssh-copy-id root@192.168.2.75
/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@192.168.2.75's password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh 'root@192.168.2.75'"
and check to make sure that only the key(s) you wanted were added.
-bash-4.2$ ssh root@192.168.2.75
Last login: Thu Mar 31 10:10:20 2016 from 192.168.2.138
[root@slave ~]#
I can also log in to the remote server as the postgres user without a password:
-bash-4.2$ ssh-copy-id 108.61.199.64 -p 2222
/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
postgres@108.61.199.64's password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh -p '2222' '108.61.199.64'"
and check to make sure that only the key(s) you wanted were added.
-bash-4.2$ ssh 108.61.199.64 -p 2222
Last login: Thu Mar 31 11:08:54 2016 from 78.189.14.197
-bash-4.2$ whoami
postgres
-bash-4.2$ hostname
postgresql.MYDOMAIN.COM
These are the last lines of the ssh -vvv output:
debug2: we did not send a packet, disable method
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /var/lib/pgsql/.ssh/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Trying private key: /var/lib/pgsql/.ssh/id_dsa
debug3: no such identity: /var/lib/pgsql/.ssh/id_dsa: No such file or directory
debug1: Trying private key: /var/lib/pgsql/.ssh/id_ecdsa
debug3: no such identity: /var/lib/pgsql/.ssh/id_ecdsa: No such file or directory
debug1: Trying private key: /var/lib/pgsql/.ssh/id_ed25519
debug3: no such identity: /var/lib/pgsql/.ssh/id_ed25519: No such file or directory
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred: ,password
debug3: authmethod_is_enabled password
debug1: Next authentication method: password
Can anyone help me with what I'm doing wrong?
EDIT:
Here are the permissions for the root and postgres users.
[root@localhost pgsql]# ll /var/lib/pgsql/
total 12
dr-xr-x---. 4 postgres postgres 67 Mar 31 09:57 .
drwxr-xr-x. 27 root root 4096 Mar 31 13:15 ..
-rw-------. 1 postgres postgres 1350 Mar 31 13:02 .bash_history
-rwx------. 1 postgres postgres 268 Mar 30 14:15 .bash_profile
drwx------. 2 postgres postgres 76 Mar 31 10:46 .ssh
drwx------. 4 postgres postgres 48 Mar 31 09:30 9.5
[root@localhost pgsql]# ll /root/
total 32
dr-xr-x---. 4 root root 4096 Mar 31 09:31 .
dr-xr-xr-x. 17 root root 4096 Mar 31 09:37 ..
-rw-------. 1 root root 3389 Mar 31 10:59 .bash_history
-rw-r--r--. 1 root root 18 Dec 29 2013 .bash_logout
-rw-r--r--. 1 root root 176 Dec 29 2013 .bash_profile
-rw-r--r--. 1 root root 176 Dec 29 2013 .bashrc
-rw-r--r--. 1 root root 100 Dec 29 2013 .cshrc
drwxr-----. 3 root root 18 Mar 30 14:14 .pki
drwx------. 2 root root 76 Mar 31 12:51 .ssh
-rw-r--r--. 1 root root 129 Dec 29 2013 .tcshrc
Here is /var/log/audit/audit.log from when I try to ssh.
[root@localhost pgsql]# cat /var/log/audit/audit.log
type=CRYPTO_KEY_USER msg=audit(1459431065.262:1195): pid=3584 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=2b:3f:aa:b8:46:1d:b8:f9:d7:c2:16:96:67:68:f1:0d direction=? spid=3585 suid=74 exe="/usr/sbin/sshd" hostname=? addr=192.168.2.138 terminal=? res=success'
type=CRYPTO_KEY_USER msg=audit(1459431065.262:1196): pid=3584 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=session fp=? direction=both spid=3585 suid=74 rport=56439 laddr=192.168.2.75 lport=22 exe="/usr/sbin/sshd" hostname=? addr=192.168.2.138 terminal=? res=success'
type=USER_ERR msg=audit(1459431065.263:1197): pid=3584 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:bad_ident grantors=? acct="?" exe="/usr/sbin/sshd" hostname=192.168.2.138 addr=192.168.2.138 terminal=ssh res=failed'
type=CRYPTO_KEY_USER msg=audit(1459431065.264:1198): pid=3584 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=ef:0b:31:91:b7:38:45:42:88:6d:d5:d7:c2:f7:ee:6a direction=? spid=3584 suid=0 exe="/usr/sbin/sshd" hostname=? addr=192.168.2.138 terminal=? res=success'
type=CRYPTO_KEY_USER msg=audit(1459431065.265:1199): pid=3584 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=20:00:96:92:ff:a7:00:cb:a1:3a:30:fe:db:dd:55:c6 direction=? spid=3584 suid=0 exe="/usr/sbin/sshd" hostname=? addr=192.168.2.138 terminal=? res=success'
type=CRYPTO_KEY_USER msg=audit(1459431065.265:1200): pid=3584 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=2b:3f:aa:b8:46:1d:b8:f9:d7:c2:16:96:67:68:f1:0d direction=? spid=3584 suid=0 exe="/usr/sbin/sshd" hostname=? addr=192.168.2.138 terminal=? res=success'
type=USER_LOGIN msg=audit(1459431065.265:1201): pid=3584 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login acct="postgres" exe="/usr/sbin/sshd" hostname=? addr=192.168.2.138 terminal=ssh res=failed'
type=CRYPTO_KEY_USER msg=audit(1459431066.776:1202): pid=3589 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=ef:0b:31:91:b7:38:45:42:88:6d:d5:d7:c2:f7:ee:6a direction=? spid=3589 suid=0 exe="/usr/sbin/sshd" hostname=? addr=192.168.2.138 terminal=? res=success'
type=CRYPTO_KEY_USER msg=audit(1459431066.776:1203): pid=3589 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=20:00:96:92:ff:a7:00:cb:a1:3a:30:fe:db:dd:55:c6 direction=? spid=3589 suid=0 exe="/usr/sbin/sshd" hostname=? addr=192.168.2.138 terminal=? res=success'
type=CRYPTO_KEY_USER msg=audit(1459431066.776:1204): pid=3589 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=2b:3f:aa:b8:46:1d:b8:f9:d7:c2:16:96:67:68:f1:0d direction=? spid=3589 suid=0 exe="/usr/sbin/sshd" hostname=? addr=192.168.2.138 terminal=? res=success'
type=CRYPTO_SESSION msg=audit(1459431066.777:1205): pid=3588 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=start direction=from-server cipher=aes128-ctr ksize=128 [email protected] [email protected] spid=3589 suid=74 rport=56440 laddr=192.168.2.75 lport=22 exe="/usr/sbin/sshd" hostname=? addr=192.168.2.138 terminal=? res=success'
type=CRYPTO_SESSION msg=audit(1459431066.777:1206): pid=3588 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=start direction=from-client cipher=aes128-ctr ksize=128 [email protected] [email protected] spid=3589 suid=74 rport=56440 laddr=192.168.2.75 lport=22 exe="/usr/sbin/sshd" hostname=? addr=192.168.2.138 terminal=? res=success'
type=AVC msg=audit(1459431066.945:1207): avc: denied { read } for pid=3588 comm="sshd" name="authorized_keys" dev="dm-0" ino=47671 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:postgresql_db_t:s0 tclass=file
type=SYSCALL msg=audit(1459431066.945:1207): arch=c000003e syscall=2 success=no exit=-13 a0=7f1e85e81ac0 a1=800 a2=1 a3=7f1e7fa5e2e0 items=0 ppid=3551 pid=3588 auid=4294967295 uid=0 gid=0 euid=26 suid=0 fsuid=26 egid=26 sgid=0 fsgid=26 tty=(none) ses=4294967295 comm="sshd" exe="/usr/sbin/sshd" subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)
type=USER_AUTH msg=audit(1459431066.945:1208): pid=3588 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=pubkey acct="postgres" exe="/usr/sbin/sshd" hostname=? addr=192.168.2.138 terminal=ssh res=failed'
Note: all three servers are running CentOS 7
Local server: CentOS Linux release 7.1.1503 (Core)
Remote server: CentOS Linux release 7.2.1511 (Core)
Answer 1
I found the solution at https://serverfault.com/questions/321534/public-key-authentication-fails-only-when-sshd-is-daemon
restorecon -r -vv /var/lib/pgsql/.ssh
That command was enough. I think the problem was caused by SELinux. Here is the manual for the restorecon command: http://linux.die.net/man/8/restorecon
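The audit.log excerpt in the question already contains the diagnosis: the AVC record shows a confined sshd (scontext sshd_t) denied read on a file named authorized_keys whose label is postgresql_db_t, and the very next USER_AUTH record is the failed pubkey attempt for acct="postgres". The shell script below is an added example, not code from the question or the answer, that parses those two records, checks the file's SELinux type against the type sshd is allowed to read, and produces the restorecon command from the answer for an arbitrary home directory. It assumes (this is not stated on the page) that on CentOS 7 the policy's default label for a user's .ssh directory and its contents, including /var/lib/pgsql/.ssh, is ssh_home_t; confirm that on a real box with matchpathcon. The sample audit lines are embedded verbatim so the script runs offline without touching a live audit log.

```shell
#!/bin/sh
# Added example, not part of the original question or answer: parse the
# audit.log lines from the question to find which file the confined sshd was
# denied, check its SELinux type against what sshd is allowed to read, and
# build the restorecon command from the answer.
#
# Assumption (not stated on the page): on CentOS 7 the default label for
# $HOME/.ssh and its contents, including /var/lib/pgsql/.ssh, is ssh_home_t,
# which is the only type treated as correct here.
EXPECTED_SSH_TYPE=ssh_home_t

# Constructed sample: the AVC denial and the failed pubkey USER_AUTH record
# from the question's audit.log, embedded so this runs offline.
SAMPLE_AUDIT=$(cat <<'EOF'
type=AVC msg=audit(1459431066.945:1207): avc: denied { read } for pid=3588 comm="sshd" name="authorized_keys" dev="dm-0" ino=47671 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:postgresql_db_t:s0 tclass=file
type=USER_AUTH msg=audit(1459431066.945:1208): pid=3588 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=pubkey acct="postgres" exe="/usr/sbin/sshd" hostname=? addr=192.168.2.138 terminal=ssh res=failed'
EOF
)

# Print "<file name> <target SELinux type>" for each AVC denial raised against
# sshd_t. The type is the third colon-separated field of tcontext.
sshd_denied_files() {
    printf '%s\n' "$1" | awk '
        /^type=AVC / && /avc: +denied/ && /scontext=[^ ]*:sshd_t:/ {
            name = ""; ttype = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^name="/) {
                    name = $i; sub(/^name="/, "", name); sub(/"$/, "", name)
                }
                if ($i ~ /^tcontext=/) { split($i, c, ":"); ttype = c[3] }
            }
            if (name != "" && ttype != "") print name, ttype
        }'
}

# Print the account names whose public-key authentication sshd reported as failed.
failed_pubkey_accounts() {
    printf '%s\n' "$1" | awk '
        /^type=USER_AUTH / && /op=pubkey/ && /res=failed/ {
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^acct="/) {
                    a = $i; sub(/^acct="/, "", a); sub(/"$/, "", a); print a
                }
            }
        }'
}

# Exit 0 when the given type is not one sshd may read authorized_keys from.
needs_relabel() {
    [ "$1" != "$EXPECTED_SSH_TYPE" ]
}

# The fix from the answer, generalised to any home directory. restorecon
# resets the labels under .ssh to the policy defaults (-r and -R are synonyms).
fix_command() {
    printf 'restorecon -R -v %s/.ssh\n' "$1"
}

# Tie it together: report each denial and the command that repairs it.
diagnose() {
    audit=$1; home=$2
    sshd_denied_files "$audit" | while read -r name ttype; do
        if needs_relabel "$ttype"; then
            printf '%s/.ssh/%s is labelled %s, sshd_t needs %s -> %s\n' \
                "$home" "$name" "$ttype" "$EXPECTED_SSH_TYPE" "$(fix_command "$home")"
        fi
    done
}

diagnose "$SAMPLE_AUDIT" /var/lib/pgsql
```

On the affected server the same check is `ls -Z /var/lib/pgsql/.ssh` (observed labels), `matchpathcon /var/lib/pgsql/.ssh/authorized_keys` (what the policy expects) and `ausearch -m AVC -c sshd` (the denials), and the fix is the restorecon line the script prints. The mode bits in the question (700 on .ssh, owned by postgres) are already correct, which is why chmod and chown change nothing: the directory was created under /var/lib/pgsql, inherited that parent's postgresql_db_t label, and the confined sshd is not allowed to read that type. /root/.ssh carries the right label by default, which matches the observation that the root login works while the postgres one falls through to the password prompt even though ssh -vvv shows the client offering the key.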