Cuu*_*ous 36 ssh ssh-agent openssh
I am also trying to set up passwordless ssh b/w A to B and B to A. I used ssh-keygen -t rsa on both machines to generate the public and private keys, and used the ssh-copy-id utility to copy the public key from A to B and from B to A.
Passwordless ssh works from A to B, but not from B to A. I checked the permissions of the ~/.ssh/ folder and they seem to be fine.
A's .ssh folder permissions:
-rw------- 1 root root 13530 2011-07-26 23:00 known_hosts
-rw------- 1 root root 403 2011-07-27 00:35 id_rsa.pub
-rw------- 1 root root 1675 2011-07-27 00:35 id_rsa
-rw------- 1 root root 799 2011-07-27 00:37 authorized_keys
drwxrwx--- 70 root root 4096 2011-07-27 00:37 ..
drwx------ 2 root root 4096 2011-07-27 00:38 .
B's .ssh folder permissions:
-rw------- 1 root root 884 2011-07-07 13:15 known_hosts
-rw-r--r-- 1 root root 396 2011-07-27 00:15 id_rsa.pub
-rw------- 1 root root 1675 2011-07-27 00:15 id_rsa
-rw------- 1 root root 2545 2011-07-27 00:36 authorized_keys
drwxr-xr-x 8 root root 4096 2011-07-06 19:44 ..
drwx------ 2 root root 4096 2011-07-27 00:15 .
A is Ubuntu 10.04 (OpenSSH_5.3p1 Debian-3ubuntu4, OpenSSL 0.9.8k 25 Mar 2009); B is a Debian machine (OpenSSH_5.1p1 Debian-5, OpenSSL 0.9.8g 19 Oct 2007).
From A:
#ssh B
works fine.
From B:
#ssh -vvv A
...
...
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /root/.ssh/identity ((nil))
debug2: key: /root/.ssh/id_rsa (0x7f1581f23a50)
debug2: key: /root/.ssh/id_dsa ((nil))
debug3: Wrote 64 bytes for a total of 1127
debug1: Authentications that can continue: publickey,password
debug3: start over, passed a different list publickey,password
debug3: preferred gssapi-keyex,gssapi-with-mic,gssapi,publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /root/.ssh/identity
debug3: no such identity: /root/.ssh/identity
debug1: Offering public key: /root/.ssh/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug3: Wrote 368 bytes for a total of 1495
debug1: Authentications that can continue: publickey,password
debug1: Trying private key: /root/.ssh/id_dsa
debug3: no such identity: /root/.ssh/id_dsa
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred: ,password
debug3: authmethod_is_enabled password
debug1: Next authentication method: password
root@192.168.122.1's password:
This essentially means that it is not using the file /root/id_rsa for authentication. I have also run the ssh-add command on both machines.
The authentication section of the /etc/ssh/sshd_config file is:
# Authentication:
LoginGraceTime 120
PermitRootLogin yes
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile %h/.ssh/authorized_keys
# Don't read the user's ~/.rhosts and ~/.shosts files
I am running out of ideas. Any help would be appreciated.
Max*_* R. 45
After setting up passwordless SSH, I was still being asked for my user password. Looking at /var/log/auth.log on the remote machine pointed to the problem:
sshd[4215]: Authentication refused: bad ownership or modes for directory /home/<user>
So make sure these are correct:
chmod o-w ~/
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys
While it is obvious that other users must not be allowed to write to your .ssh folder, having the same requirement for your home folder is less obvious.
Also, check /etc/ssh/sshd_config to make sure the RSAAuthentication and PubkeyAuthentication options are not disabled. The default is yes, so this should not be the problem.
ane*_*hep 24
Just make sure you have followed this procedure:
On machine A
Open a terminal and type the following command:
root@aneesh-pc:~# id
just to make sure we are root.
If the above command prints something like the following, we are root; otherwise switch to root with the su command.
uid=0(root) gid=0(root) groups=0(root)
1) Create the key.
ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
49:7d:30:7d:67:db:58:51:42:75:78:9c:06:e1:0c:8d root@aneesh-pc
The key's randomart image is:
+--[ RSA 2048]----+
| ooo+==B|
| . E=.o+B|
| . . .+.*o|
| . . . ...|
| S |
| |
| |
| |
| |
+-----------------+
I did not use any passphrase. If you need one, you can use it.
2) Copy the public key into machine B's .ssh/authorized_keys file
root@aneesh-pc:~# ssh-copy-id -i /root/.ssh/id_rsa.pub root@mylap
root@mylap's password:
Now try logging in to the machine with ssh 'root@mylap', and check:
~/.ssh/authorized_keys
to make sure we have not added extra keys that you were not expecting.
Replace mylap with the hostname or IP of the machine you want to log in to (i.e. machine B).
3) Log in to B without a password
root@aneesh-pc:~# ssh root@mylap
Warning: Permanently added 'mylap,192.168.1.200' (RSA) to the list of known hosts.
Welcome to Ubuntu 11.04 (GNU/Linux 2.6.38-8-generic x86_64)
* Documentation: https://help.ubuntu.com/
Last login: Wed Jul 27 15:23:58 2011 from streaming-desktop.local
aneesh@mylap:~$
On machine B
4) Create the key for logging back in to machine A
root@mylap:~# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
35:9f:e7:81:ed:02:f9:fd:ad:ef:08:c6:4e:19:76:b1 root@streaming-desktop
The key's randomart image is:
+--[ RSA 2048]----+
| |
| |
| o . |
| . + + o |
| S o * E |
| = O . |
| O + |
| + o o.|
| . o+=|
+-----------------+
5) Copy the public key into machine A's .ssh/authorized_keys file
root@mylap:~# ssh-copy-id -i /root/.ssh/id_rsa.pub root@aneesh-pc
Warning: Permanently added 'aneesh-pc,192.168.1.20' (RSA) to the list of known hosts.
root@aneesh-pc's password:
Now try logging in to the machine with ssh 'root@aneesh-pc', and check:
.ssh/authorized_keys
to make sure we have not added extra keys that you were not expecting.
6) Log in to A without a password
ssh root@aneesh-pc
Warning: Permanently added 'aneesh-pc,192.168.1.20' (RSA) to the list of known hosts.
Welcome to Ubuntu 11.04 (GNU/Linux 2.6.38-8-generic x86_64)
* Documentation: https://help.ubuntu.com/
Last login: Tue Jul 26 18:52:55 2011 from 192.168.1.116
If you were able to complete these steps, you are done. You now have two machines with ssh-key (public key) login enabled.
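The answer above twice tells you to open authorized_keys "to make sure we have not added extra keys that you were not expecting". The following is an added example, not code from the answer or from OpenSSH, that turns that eyeball check into a command: it extracts the (key type, base64 blob) identity of every entry in an authorized_keys file and reports any entry that does not match one of the .pub files you intended to install. Comments and option prefixes (such as command="...") are ignored when comparing, because only the type and blob identify a key. The key-type list and the assumption that no quoted option contains a bare token that looks like a key type are mine; the sample keys in the usage note are constructed, not real keys.

```shell
#!/bin/sh
# Added example (not from the answer above, not OpenSSH code): audit an
# authorized_keys file against the public keys you meant to install.
#
# authorized_keys lines look like:
#   [options] keytype base64-blob [comment]
# The comment is free text and options may carry quoted spaces, so the
# identity of a key is (keytype, blob), never the whole line.

# key_ids FILE -> prints "keytype blob" for every key line in FILE,
# skipping blank and '#' comment lines. Assumes no quoted option
# contains a bare token that itself looks like a key type.
key_ids() {
    awk '
        /^[ \t]*(#|$)/ { next }
        {
            for (i = 1; i <= NF; i++) {
                if (i < NF && $i ~ /^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp(256|384|521)|sk-(ssh-ed25519|ecdsa-sha2-nistp256)@openssh\.com)$/) {
                    print $i, $(i + 1)
                    break
                }
            }
        }' "$1"
}

# unexpected_keys AUTHORIZED_KEYS EXPECTED_PUB...
#   prints every key in AUTHORIZED_KEYS that is not one of the given
#   .pub files; returns 1 if any such key exists, 0 if every key was
#   expected, 2 if the temp file could not be created.
unexpected_keys() {
    ak="$1"; shift
    tmp=$(mktemp) || return 2
    for f in "$@"; do key_ids "$f"; done > "$tmp"
    # -F fixed strings, -x whole line, -v keep lines NOT in the expected set
    # (an empty expected set means every installed key is unexpected)
    extra=$(key_ids "$ak" | grep -v -x -F -f "$tmp" || true)
    rm -f "$tmp"
    [ -z "$extra" ] && return 0
    printf '%s\n' "$extra"
    return 1
}

# Typical call after ssh-copy-id, run on the machine you just logged in to:
#   unexpected_keys ~/.ssh/authorized_keys /path/to/expected/id_rsa.pub
```

A non-zero exit with one or more "keytype blob" lines on stdout means authorized_keys grants access to a key you did not put there; a clean exit means it contains only the keys you passed in.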
小智 14
It may just be a permission problem at a higher level. You need to remove write permission for group and others from your home directory and your .ssh directory. To fix these permissions, run chmod 755 ~ ~/.ssh or chmod go-w ~ ~/.ssh.
If you are still having problems, run the following grep against your logs:
sudo egrep -i 'ssh.*LOCAL_USER_NAME' /var/log/secure
(replace LOCAL_USER_NAME with your local username...)
Assuming sshd authentication messages are logged to the secure log, which should be the case by default, this should hopefully tell you more about your problem. If you see an error like:
DATE HOSTNAME sshd[1317]: Authentication refused: bad ownership or modes for directory /path/to/some/directory
then it is the problem described above, and you need to find the offending directory and remove write permission for group and others.
As for why you need to restrict write permission on your home directory (even when permissions are already restricted on your .ssh directory and what is below it): it would allow other users to rename your .ssh directory and create a new one. Although that one would be unusable (because of the wrong permissions), most users' fix would probably be to change the permissions rather than check the directory's contents...
TL;DR: Allowing group and/or others write access to your home directory will make ssh force password login.
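Max R.'s answer and the one just above both come down to the same sshd behaviour: with StrictModes yes, sshd refuses to read authorized_keys when the file, or any directory between it and the home directory inclusive, is group- or world-writable or owned by someone other than the user or root, and it then silently falls through to password authentication. The following is an added example, not OpenSSH's own code, that re-implements that walk so the offending path can be found without digging through auth.log. It assumes GNU coreutils stat (Linux, as in the question) and that HOME is passed without a trailing slash; the function name and the "Authentication refused" wording are mine, modelled on the log line quoted in the answers. Note that the question's own listing of A's parent directory shows drwxrwx---, a group-writable home directory, which is exactly the mode this check rejects.

```shell
#!/bin/sh
# Added example (not OpenSSH's code): re-implement the ownership/mode
# walk that sshd performs with StrictModes yes before it reads
# authorized_keys. The key file, and then every parent directory up to
# and including the home directory, must be owned by the user or by
# root and carry no group or other write bit (mode & 022 == 0).
# Assumes GNU coreutils stat (-c '%u %a').

# check_key_path USER HOME FILE
#   returns 0 if FILE passes the walk, 1 (with an sshd-style reason on
#   stdout) if some component fails, 2 on a stat/id error.
check_key_path() {
    user="$1"; home="$2"; p="$3"
    uid=$(id -u "$user") || return 2
    kind="file"
    while :; do
        out=$(stat -c '%u %a' "$p") || return 2   # owner uid, octal mode
        set -- $out
        owner="$1"; mode="$2"
        # refuse if not owned by root or the user, or if g+w / o+w is set
        if [ "$owner" -ne 0 ] && [ "$owner" -ne "$uid" ] ||
           [ $(( 0$mode & 022 )) -ne 0 ]; then
            echo "Authentication refused: bad ownership or modes for $kind $p"
            return 1
        fi
        kind="directory"
        [ "$p" = "$home" ] && break   # sshd stops once it has checked HOME
        [ "$p" = "/" ] && break
        p=$(dirname "$p")
    done
    return 0
}

# Typical call on a real account (sshd does this walk as root, so run it
# as root or as the user whose key login is being refused):
#   check_key_path "$USER" "$HOME" "$HOME/.ssh/authorized_keys"
```

The function stops at the home directory on purpose: sshd does not care that /home or /tmp above it is world-writable, only that nobody but you and root can rename or replace the path from your home directory down to authorized_keys. A mode of 644 on authorized_keys passes (readable by others is allowed), 664 or 770 anywhere on the path does not.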