Home Articles

不能接受publickey ssh但id_rsa.pub在authorized_keys中

Asked
Viewed 1200 times
4

/更新:问题被细化为:无法打开授权密钥 . /

我在Virtualbox中有一个Ubuntu服务器,我尝试ssh in,但每次询问登录密码时,pubkey都无法正常工作 .

概要:Vbox中的Ubuntu服务器12.04.2 LTS . 仅主机网络配置 . 静态IP 192.168.56.10标准OpenSSH服务器 . 主机id_rsa.pub已添加到客户端authorized_keys文件中 .

g2ra@host:~$ cat .ssh/id_rsa.pub | ssh -p 22 g2ra@192.168.56.10 'cat >> .ssh/authorized_keys'

〜/ .ssh权限是chmod正确的 .

g2ra@host:~$ ll .ssh/
total 68
drwx------  2 g2ra g2ra  4096 Apr 24 00:31 ./
drwx------ 81 g2ra g2ra 28672 Apr 24 09:37 ../
-rw-------  1 g2ra g2ra  1766 Mar 27 10:12 id_rsa
-rw-------  1 g2ra g2ra   397 Mar 27 10:12 id_rsa.pub
-rw-------  1 g2ra g2ra  1110 Apr 24 11:23 known_hosts

这是调试消息:

~$ ssh -v -l g2ra -p 22 192.168.56.10
OpenSSH_5.9p1 Debian-5ubuntu1.1, OpenSSL 1.0.1 14 Mar 2012
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to 192.168.56.10 [192.168.56.10] port 22.
debug1: Connection established.
debug1: identity file /home/g2ra/.ssh/id_rsa type 1
debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-2048
debug1: Checking blacklist file /etc/ssh/blacklist.RSA-2048
debug1: identity file /home/g2ra/.ssh/id_rsa-cert type -1
debug1: identity file /home/g2ra/.ssh/id_dsa type -1
debug1: identity file /home/g2ra/.ssh/id_dsa-cert type -1
debug1: identity file /home/g2ra/.ssh/id_ecdsa type -1
debug1: identity file /home/g2ra/.ssh/id_ecdsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.9p1 Debian-5ubuntu1.1
debug1: match: OpenSSH_5.9p1 Debian-5ubuntu1.1 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.9p1 Debian-5ubuntu1.1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ECDSA 00:00:00:87:00:0a:3d:e1:aa:78:ac:05:00:00:0e:00
debug1: Host '192.168.56.10' is known and matches the ECDSA host key.
debug1: Found key in /home/g2ra/.ssh/known_hosts:5
debug1: ssh_ecdsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/g2ra/.ssh/id_rsa
debug1: Authentications that can continue: publickey,password
debug1: Trying private key: /home/g2ra/.ssh/id_dsa
debug1: Trying private key: /home/g2ra/.ssh/id_ecdsa
debug1: Next authentication method: password

这是我的sshd配置,在Vbox中的Ubuntu服务器上:

Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes

# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 768

# Logging
SyslogFacility AUTH
LogLevel INFO

# Authentication:
LoginGraceTime 120
PermitRootLogin yes
StrictModes yes

RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile      %h/.ssh/authorized_keys

# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes

# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no

# Change to no to disable tunnelled clear text passwords
#PasswordAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no

#MaxStartups 10:30:60
#Banner /etc/issue.net

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

Subsystem sftp /usr/lib/openssh/sftp-server

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes

更新 . 在sshd配置中,详细级别增加到DEBUG . 在Ubuntu Server Vbox上 .

grep 'ssh'/var/log/auth.log 


Apr 24 13:57:03 host sshd[19731]: debug1: Client protocol version 2.0; client software version OpenSSH_5.9p1 Debian-5ubuntu1.1
Apr 24 13:57:03 host sshd[19731]: debug1: match: OpenSSH_5.9p1 Debian-5ubuntu1.1 pat OpenSSH*
Apr 24 13:57:03 host sshd[19731]: debug1: Enabling compatibility mode for protocol 2.0
Apr 24 13:57:03 host sshd[19731]: debug1: Local version string SSH-2.0-OpenSSH_5.9p1 Debian-5ubuntu1.1
Apr 24 13:57:03 host sshd[19731]: debug1: permanently_set_uid: 105/65534 [preauth]
Apr 24 13:57:03 host sshd[19731]: debug1: list_hostkey_types: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256 [preauth]
Apr 24 13:57:03 host sshd[19731]: debug1: SSH2_MSG_KEXINIT sent [preauth]
Apr 24 13:57:03 host sshd[19731]: debug1: SSH2_MSG_KEXINIT received [preauth]
Apr 24 13:57:03 host sshd[19731]: debug1: kex: client->server aes128-ctr hmac-md5 none [preauth]
Apr 24 13:57:03 host sshd[19731]: debug1: kex: server->client aes128-ctr hmac-md5 none [preauth]
Apr 24 13:57:03 host sshd[19731]: debug1: expecting SSH2_MSG_KEX_ECDH_INIT [preauth]
Apr 24 13:57:03 host sshd[19731]: debug1: SSH2_MSG_NEWKEYS sent [preauth]
Apr 24 13:57:03 host sshd[19731]: debug1: expecting SSH2_MSG_NEWKEYS [preauth]
Apr 24 13:57:03 host sshd[19731]: debug1: SSH2_MSG_NEWKEYS received [preauth]
Apr 24 13:57:03 host sshd[19731]: debug1: KEX done [preauth]
Apr 24 13:57:03 host sshd[19731]: debug1: userauth-request for user g2ra service ssh-connection method none [preauth]
Apr 24 13:57:03 host sshd[19731]: debug1: attempt 0 failures 0 [preauth]
Apr 24 13:57:03 host sshd[19731]: debug1: PAM: initializing for "g2ra"
Apr 24 13:57:03 host sshd[19731]: debug1: PAM: setting PAM_RHOST to "192.168.56.1"
Apr 24 13:57:03 host sshd[19731]: debug1: PAM: setting PAM_TTY to "ssh"
Apr 24 13:57:03 host sshd[19731]: debug1: userauth-request for user g2ra service ssh-connection method publickey [preauth]
Apr 24 13:57:03 host sshd[19731]: debug1: attempt 1 failures 0 [preauth]
Apr 24 13:57:03 host sshd[19731]: debug1: test whether pkalg/pkblob are acceptable [preauth]
Apr 24 13:57:03 host sshd[19731]: debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-2048
Apr 24 13:57:03 host sshd[19731]: debug1: Checking blacklist file /etc/ssh/blacklist.RSA-2048
Apr 24 13:57:03 host sshd[19731]: debug1: temporarily_use_uid: 1000/1000 (e=0/0)
Apr 24 13:57:03 host sshd[19731]: debug1: trying public key file /home/g2ra/.ssh/authorized_keys
Apr 24 13:57:03 host sshd[19731]: debug1: Could not open authorized keys '/home/g2ra/.ssh/authorized_keys': No such file or directory
Apr 24 13:57:03 host sshd[19731]: debug1: restore_uid: 0/0
Apr 24 13:57:03 host sshd[19731]: Failed publickey for g2ra from 192.168.56.1 port 51041 ssh2
Apr 24 13:57:07 host sshd[19731]: debug1: userauth-request for user g2ra service ssh-connection method password [preauth]
Apr 24 13:57:07 host sshd[19731]: debug1: attempt 2 failures 1 [preauth]
Apr 24 13:57:07 host sshd[19733]: pam_ecryptfs: Passphrase file wrapped
Apr 24 13:57:08 host sshd[19731]: debug1: PAM: password authentication accepted for g2ra
Apr 24 13:57:08 host sshd[19731]: debug1: do_pam_account: called
Apr 24 13:57:08 host sshd[19731]: Accepted password for g2ra from 192.168.56.1 port 51041 ssh2
Apr 24 13:57:08 host sshd[19731]: debug1: monitor_read_log: child log fd closed
Apr 24 13:57:08 host sshd[19731]: debug1: monitor_child_preauth: g2ra has been authenticated by privileged process
Apr 24 13:57:08 host sshd[19731]: debug1: PAM: establishing credentials
Apr 24 13:57:08 host sshd[19731]: pam_unix(sshd:session): session opened for user g2ra by (uid=0)
Apr 24 13:57:09 host sshd[19731]: User child is on pid 19871
Apr 24 13:57:09 host sshd[19871]: debug1: SELinux support disabled
Apr 24 13:57:09 host sshd[19871]: debug1: PAM: establishing credentials
Apr 24 13:57:09 host sshd[19871]: debug1: permanently_set_uid: 1000/1000
Apr 24 13:57:09 host sshd[19871]: debug1: Entering interactive session for SSH2.
Apr 24 13:57:09 host sshd[19871]: debug1: server_init_dispatch_20
Apr 24 13:57:09 host sshd[19871]: debug1: server_input_channel_open: ctype session rchan 0 win 1048576 max 16384
Apr 24 13:57:09 host sshd[19871]: debug1: input_session_request
Apr 24 13:57:09 host sshd[19871]: debug1: channel 0: new [server-session]
Apr 24 13:57:09 host sshd[19871]: debug1: session_new: session 0
Apr 24 13:57:09 host sshd[19871]: debug1: session_open: channel 0
Apr 24 13:57:09 host sshd[19871]: debug1: session_open: session 0: link with channel 0
Apr 24 13:57:09 host sshd[19871]: debug1: server_input_channel_open: confirm session
Apr 24 13:57:09 host sshd[19871]: debug1: server_input_global_request: rtype no-more-sessions@openssh.com want_reply 0
Apr 24 13:57:09 host sshd[19871]: debug1: server_input_channel_req: channel 0 request pty-req reply 1
Apr 24 13:57:09 host sshd[19871]: debug1: session_by_channel: session 0 channel 0
Apr 24 13:57:09 host sshd[19871]: debug1: session_input_channel_req: session 0 req pty-req
Apr 24 13:57:09 host sshd[19871]: debug1: Allocating pty.
Apr 24 13:57:09 host sshd[19731]: debug1: session_new: session 0
Apr 24 13:57:09 host sshd[19731]: debug1: SELinux support disabled
Apr 24 13:57:09 host sshd[19871]: debug1: session_pty_req: session 0 alloc /dev/pts/0
Apr 24 13:57:09 host sshd[19871]: debug1: server_input_channel_req: channel 0 request env reply 0
Apr 24 13:57:09 host sshd[19871]: debug1: session_by_channel: session 0 channel 0
Apr 24 13:57:09 host sshd[19871]: debug1: session_input_channel_req: session 0 req env
Apr 24 13:57:09 host sshd[19871]: debug1: server_input_channel_req: channel 0 request env reply 0
Apr 24 13:57:09 host sshd[19871]: debug1: session_by_channel: session 0 channel 0
Apr 24 13:57:09 host sshd[19871]: debug1: session_input_channel_req: session 0 req env
Apr 24 13:57:09 host sshd[19871]: debug1: server_input_channel_req: channel 0 request env reply 0
Apr 24 13:57:09 host sshd[19871]: debug1: session_by_channel: session 0 channel 0
Apr 24 13:57:09 host sshd[19871]: debug1: session_input_channel_req: session 0 req env
Apr 24 13:57:09 host sshd[19871]: debug1: server_input_channel_req: channel 0 request env reply 0
Apr 24 13:57:09 host sshd[19871]: debug1: session_by_channel: session 0 channel 0
Apr 24 13:57:09 host sshd[19871]: debug1: session_input_channel_req: session 0 req env
Apr 24 13:57:09 host sshd[19871]: debug1: server_input_channel_req: channel 0 request env reply 0
Apr 24 13:57:09 host sshd[19871]: debug1: session_by_channel: session 0 channel 0
Apr 24 13:57:09 host sshd[19871]: debug1: session_input_channel_req: session 0 req env
Apr 24 13:57:09 host sshd[19871]: debug1: server_input_channel_req: channel 0 request env reply 0
Apr 24 13:57:09 host sshd[19871]: debug1: session_by_channel: session 0 channel 0
Apr 24 13:57:09 host sshd[19871]: debug1: session_input_channel_req: session 0 req env
Apr 24 13:57:09 host sshd[19871]: debug1: server_input_channel_req: channel 0 request env reply 0
Apr 24 13:57:09 host sshd[19871]: debug1: session_by_channel: session 0 channel 0
Apr 24 13:57:09 host sshd[19871]: debug1: session_input_channel_req: session 0 req env
Apr 24 13:57:09 host sshd[19871]: debug1: server_input_channel_req: channel 0 request env reply 0
Apr 24 13:57:09 host sshd[19871]: debug1: session_by_channel: session 0 channel 0
Apr 24 13:57:09 host sshd[19871]: debug1: session_input_channel_req: session 0 req env
Apr 24 13:57:09 host sshd[19871]: debug1: server_input_channel_req: channel 0 request env reply 0
Apr 24 13:57:09 host sshd[19871]: debug1: session_by_channel: session 0 channel 0
Apr 24 13:57:09 host sshd[19871]: debug1: session_input_channel_req: session 0 req env
Apr 24 13:57:09 host sshd[19871]: debug1: server_input_channel_req: channel 0 request env reply 0
Apr 24 13:57:09 host sshd[19871]: debug1: session_by_channel: session 0 channel 0
Apr 24 13:57:09 host sshd[19871]: debug1: session_input_channel_req: session 0 req env
Apr 24 13:57:09 host sshd[19871]: debug1: server_input_channel_req: channel 0 request shell reply 1
Apr 24 13:57:09 host sshd[19871]: debug1: session_by_channel: session 0 channel 0
Apr 24 13:57:09 host sshd[19871]: debug1: session_input_channel_req: session 0 req shell
Apr 24 13:57:09 host sshd[19872]: debug1: Setting controlling tty using TIOCSCTTY.

调试日志说 . 无法打开授权密钥'/home/g2ra/.ssh/authorized_keys':没有这样的文件或目录 . 为什么?

3 Answers

  • 5

    如果你有一个加密的主文件夹, @g1ra 的评论解决了这个问题 . 在此添加它以获得更好的可视性

    如果您有加密的主目录,则SSH无法访问您的 authorized_keys 文件,因为它位于加密的主目录中,并且在您通过身份验证后才可用 . 因此,SSH将默认为密码身份验证 .

    要解决此问题,请在家外创建一个名为 /etc/ssh/<username> 的文件夹(将 <username> 替换为您的实际用户名) . 此目录应具有 755 权限并由用户拥有 . 将 authorized_keys 文件移入其中 . authorized_keys 文件应具有 644 权限并由用户拥有 .

    然后编辑/ etc / ssh / sshd_config并添加:

    AuthorizedKeysFile    /etc/ssh/%u/authorized_keys
    

    最后,重启ssh:

    sudo service ssh restart
    

    下次使用SSH连接时,您不必输入密码 .

    资料来源:Ubuntu - SSH/OpenSSH/Keys

  • -1

    通常,您应该使用 ssh-copy-id 而不是手动构建它 .

    您是否检查了目标计算机上.ssh文件夹和authorized_keys的权限?也许(由手动猫引起)文件/文件夹是用标准的umask创建的,这对于SSH来说太“开放”了 .

  • -1

    您可以尝试在两台计算机上使用 ssh-add 续订ssh记录 .

Related