Unable to set up ssh login without typing a password

Tim*_*Tim 9 ssh

I set up automatic ssh login, without having to type a password for the server, as follows:

cd ~/.ssh
ssh-keygen
ssh-copy-id -i ~/.ssh/id_rsa.pub tim@server1

It works on that server.

Later I did the same thing on a different server.

ssh-copy-id -i ~/.ssh/id_rsa.pub tim@server2

Now when I ssh tim@server2, it still asks for my password. Did I do something wrong? What are some possible reasons I failed to set it up on the second server? (Note that the second server runs Kerberos and the Andrew File System.)

$ ssh -v tim@server2
OpenSSH_6.6.1, OpenSSL 1.0.1f 6 Jan 2014
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to server2 [...] port 22.
debug1: Connection established.
debug1: identity file /home/tim/.ssh/id_rsa type 1
debug1: identity file /home/tim/.ssh/id_rsa-cert type -1
debug1: identity file /home/tim/.ssh/id_dsa type -1
debug1: identity file /home/tim/.ssh/id_dsa-cert type -1
debug1: identity file /home/tim/.ssh/id_ecdsa type -1
debug1: identity file /home/tim/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/tim/.ssh/id_ed25519 type -1
debug1: identity file /home/tim/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
debug1: match: OpenSSH_5.3 pat OpenSSH_5* compat 0x0c000000
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<3072<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Server host key: RSA xxx
debug1: Host 'server2' is known and matches the RSA host key.
debug1: Found key in /home/tim/.ssh/known_hosts:70
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure.  Minor code may provide more information
No Kerberos credentials available

debug1: Unspecified GSS failure.  Minor code may provide more information
No Kerberos credentials available

debug1: Unspecified GSS failure.  Minor code may provide more information


debug1: Unspecified GSS failure.  Minor code may provide more information
No Kerberos credentials available

debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/tim/.ssh/id_rsa
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive
debug1: Trying private key: /home/tim/.ssh/id_dsa
debug1: Trying private key: /home/tim/.ssh/id_ecdsa
debug1: Trying private key: /home/tim/.ssh/id_ed25519
debug1: Next authentication method: keyboard-interactive
Password:

I tried Anthon's method of using a Diffie-Hellman key, but it still asks me for a password.

$ cd ~/.ssh
$ ssh-keygen -t dsa
$ ssh-copy-id -i ~/.ssh/id_dsa.pub tim@server2
$ ssh -v tim@server2
OpenSSH_6.6.1, OpenSSL 1.0.1f 6 Jan 2014
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to server2 [...] port 22.
debug1: Connection established.
debug1: identity file /home/tim/.ssh/id_rsa type 1
debug1: identity file /home/tim/.ssh/id_rsa-cert type -1
debug1: identity file /home/tim/.ssh/id_dsa type 2
debug1: identity file /home/tim/.ssh/id_dsa-cert type -1
debug1: identity file /home/tim/.ssh/id_ecdsa type -1
debug1: identity file /home/tim/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/tim/.ssh/id_ed25519 type -1
debug1: identity file /home/tim/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
debug1: match: OpenSSH_5.3 pat OpenSSH_5* compat 0x0c000000
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<3072<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Server host key: RSA ...
debug1: Host 'server2' is known and matches the RSA host key.
debug1: Found key in /home/tim/.ssh/known_hosts:70
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure.  Minor code may provide more information
No Kerberos credentials available

debug1: Unspecified GSS failure.  Minor code may provide more information
No Kerberos credentials available

debug1: Unspecified GSS failure.  Minor code may provide more information


debug1: Unspecified GSS failure.  Minor code may provide more information
No Kerberos credentials available

debug1: Next authentication method: publickey
debug1: Offering DSA public key: /home/tim/.ssh/id_dsa
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive
debug1: Offering RSA public key: /home/tim/.ssh/id_rsa
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive
debug1: Trying private key: /home/tim/.ssh/id_ecdsa
debug1: Trying private key: /home/tim/.ssh/id_ed25519
debug1: Next authentication method: keyboard-interactive
Password:

Wou*_*lst 10

You mention that the second server is using the Andrew File System (AFS).

I haven't used it, but as far as I know AFS is a Kerberos-protected file system which requires a Kerberos ticket in order to work. This means you need to be logged in to your site's Kerberos realm in order to access your home directory.

If you log in with a password, server2 is most likely set up to log you in to your Kerberos realm via PAM. But if you use an SSH key, server2 will not have the information it needs to do so, and you will not be able to access your home directory.

Fortunately, from the ssh -v output in your question we can deduce that your server has GSSAPI authentication enabled. This should allow you to do a passwordless login, provided you have a valid Kerberos ticket for your realm. Do the following:

  • Log in to server2, and run the klist program. This will return something like the following:

    Ticket cache: FILE:/tmp/krb5cc_2000
    Default principal: wouter@EXAMPLE.ORG
    
    Valid starting     Expires            Service principal
    28-05-15 15:01:31  29-05-15 01:01:31  krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
        renew until 29-05-15 15:01:28
    28-05-15 15:02:04  29-05-15 01:01:31  IMAP/example.org@EXAMPLE.ORG
        renew until 29-05-15 15:01:28
    

    Look for the line starting with Default principal:. It tells you what your Kerberos principal is (in the example above, it is wouter@EXAMPLE.ORG). Write that down. Note that it is not an email address, and that it is case sensitive; i.e., the principal ends in EXAMPLE.ORG, not example.org.

  • On your client machine, run kinit with your principal name (i.e., in the above example, that would be kinit wouter@EXAMPLE.ORG). If all goes well, when you now run klist again, you will see that there is a ticket cache on your local machine.
  • If you now run ssh -K server2, you should be able to log in, and the system should not ask for a password.

Note that, due to the way Kerberos works, the ticket cache has a limited validity. It is not possible to request a ticket cache with a validity longer than what the realm administrator configured (usually about 10 hours or so). Once your ticket has expired, you will need to run kinit again, and type your password again.
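
The three steps above (read the principal from klist, kinit if there is no usable ticket, then ssh -K) can be checked mechanically. The following is an added example, not code from the answer above: it parses the klist output shown in the answer, embedded here as a constructed sample, confirms that a ticket-granting ticket (krbtgt/REALM@REALM) for the principal's realm is valid at a given time, and says which command to run next. It assumes klist prints dates as DD-MM-YY HH:MM:SS, as in the sample; that format depends on locale and krb5 version, so adjust TIME_FMT if your klist differs.

```python
import re
from datetime import datetime

# Constructed sample: the klist output from the answer above.
SAMPLE_KLIST = """Ticket cache: FILE:/tmp/krb5cc_2000
Default principal: wouter@EXAMPLE.ORG

Valid starting     Expires            Service principal
28-05-15 15:01:31  29-05-15 01:01:31  krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
    renew until 29-05-15 15:01:28
28-05-15 15:02:04  29-05-15 01:01:31  IMAP/example.org@EXAMPLE.ORG
    renew until 29-05-15 15:01:28
"""

# Assumption: dates as DD-MM-YY HH:MM:SS (locale/version dependent).
TIME_FMT = "%d-%m-%y %H:%M:%S"
TICKET_RE = re.compile(
    r"^(\d\d-\d\d-\d\d \d\d:\d\d:\d\d)\s+"
    r"(\d\d-\d\d-\d\d \d\d:\d\d:\d\d)\s+(\S+)\s*$"
)


def parse_klist(text):
    """Return (default_principal, tickets); tickets maps a service principal
    to its (valid_from, expires) datetimes. 'renew until' lines are skipped."""
    principal = None
    tickets = {}
    for line in text.splitlines():
        if line.startswith("Default principal:"):
            principal = line.split(":", 1)[1].strip()
            continue
        m = TICKET_RE.match(line)
        if m:
            start = datetime.strptime(m.group(1), TIME_FMT)
            end = datetime.strptime(m.group(2), TIME_FMT)
            tickets[m.group(3)] = (start, end)
    return principal, tickets


def realm_of(principal):
    # The realm is everything after the last '@', kept exactly as printed:
    # it is case sensitive and is not an e-mail domain.
    return principal.rsplit("@", 1)[1]


def tgt_valid(tickets, principal, now):
    """True if the cache holds a ticket-granting ticket for the principal's
    realm that is valid at `now`."""
    realm = realm_of(principal)
    tgt = tickets.get(f"krbtgt/{realm}@{realm}")
    return tgt is not None and tgt[0] <= now < tgt[1]


def next_step(klist_text, host, now):
    """Decide what to run next: None if there is no cache at all (klist
    prints an error and no 'Default principal:' line), kinit with the
    principal if the TGT is missing or expired, otherwise ssh -K."""
    principal, tickets = parse_klist(klist_text)
    if principal is None:
        return None
    if tgt_valid(tickets, principal, now):
        return ["ssh", "-K", host]
    return ["kinit", principal]


if __name__ == "__main__":
    print(next_step(SAMPLE_KLIST, "server2", datetime.now()))
```

With the sample cache, a time inside the ticket's validity window yields ssh -K server2, a time after 29-05-15 01:01:31 yields kinit wouter@EXAMPLE.ORG, and no cache at all yields None; the realm in the kinit command is taken from klist unchanged, so the case-sensitivity point from the answer is preserved automatically.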


Ant*_*hon 5

You should try connecting to server2 using:

ssh -v tim@server2

and compare that with the same for connecting to server1; this will tell you where the two servers differ.

There is most likely a difference in /etc/ssh/sshd_config on the two machines. Or your ~/.ssh on server2 has an accessibility problem (not restricted enough).

From the -v output you can see that you offer an RSA private key for authentication (in /home/tim/.ssh/id_rsa), but it looks like server2 only supports Diffie-Hellman (and tries /home/tim/.ssh/id_dsa, which probably doesn't even exist).
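
The comparison suggested in this answer, and the reading of the question's log, can be done by a small parser of ssh -v output. The following is an added example, not code from the question, the answers, or OpenSSH: it walks the debug1 lines in order and records, for each public key the client offered, whether the server answered "Server accepts key" or fell back to another "Authentications that can continue" line (which is what happens to id_rsa in the question's log: the client found and sent the key, so the rejection is on the server side). SERVER2_LOG is a constructed excerpt of the question's output; SERVER1_LOG is a hypothetical excerpt of a working key login with the same client, whose message texts are OpenSSH's but whose host and key length are made up.

```python
import re

# Constructed excerpt of `ssh -v tim@server2` from the question (auth phase only).
SERVER2_LOG = """\
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure.  Minor code may provide more information
No Kerberos credentials available

debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/tim/.ssh/id_rsa
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive
debug1: Trying private key: /home/tim/.ssh/id_dsa
debug1: Next authentication method: keyboard-interactive
Password:
"""

# Hypothetical (constructed) excerpt of a working key login to server1.
SERVER1_LOG = """\
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.6.1p1 Ubuntu-2ubuntu2
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/tim/.ssh/id_rsa
debug1: Server accepts key: pkalg ssh-rsa blen 279
debug1: Authentication succeeded (publickey).
"""

VERSION_RE = re.compile(r"^debug1: Remote protocol version .*remote software version (.+)$")
OFFER_RE = re.compile(r"^debug1: Offering (\S+) public key: (\S+)$")
CONTINUE_RE = re.compile(r"^debug1: Authentications that can continue: (\S+)$")


def summarize(log):
    """Reduce one ssh -v run to the facts that matter for key-based login."""
    s = {
        "server_software": None,
        "methods_offered": None,       # from the first "can continue" line
        "kerberos_creds_missing": False,
        "keys": [],                    # (type, path, accepted_by_server)
        "succeeded_with": None,
        "password_prompt": False,
    }
    pending = None                     # key offered, server verdict not yet seen
    for line in log.splitlines():
        m = VERSION_RE.match(line)
        if m:
            s["server_software"] = m.group(1)
            continue
        m = OFFER_RE.match(line)
        if m:
            pending = (m.group(1), m.group(2))
            continue
        m = CONTINUE_RE.match(line)
        if m:
            if s["methods_offered"] is None:
                s["methods_offered"] = m.group(1).split(",")
            if pending:                # server moved on: the key was refused
                s["keys"].append((pending[0], pending[1], False))
                pending = None
            continue
        if line.startswith("debug1: Server accepts key") and pending:
            s["keys"].append((pending[0], pending[1], True))
            pending = None
        elif line.startswith("debug1: Authentication succeeded"):
            s["succeeded_with"] = line.split("(")[1].rstrip(").")
        elif line.startswith("No Kerberos credentials available"):
            s["kerberos_creds_missing"] = True
        elif line.startswith("Password:"):
            s["password_prompt"] = True
    return s


def rejected_keys(summary):
    """Keys the client sent and the server refused; the client side is fine,
    so look at authorized_keys, its permissions, and whether the home
    directory is even reachable before the user is logged in."""
    return [path for _, path, accepted in summary["keys"] if not accepted]


def diff(summary_a, summary_b):
    """Fields that differ between two runs, e.g. server1 versus server2."""
    return {k: (summary_a[k], summary_b[k])
            for k in summary_a if summary_a[k] != summary_b[k]}


if __name__ == "__main__":
    s1, s2 = summarize(SERVER1_LOG), summarize(SERVER2_LOG)
    print("rejected on server2:", rejected_keys(s2))
    print("differences:", diff(s1, s2))
```

Run against the two excerpts, the summary for server2 shows id_rsa offered and refused, GSSAPI failing for lack of Kerberos credentials, and a password prompt at the end, while server1 shows the same key accepted; diff() then lists exactly those fields plus the server software versions, which is the comparison the answer asks for.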