/更新:问题已细化为:无法打开授权密钥。 /
我在Virtualbox中有一个Ubuntu服务器,我尝试ssh in,但每次询问登录密码时,pubkey都无法正常工作。
梗概: Ubuntu服务器12.04.2 LTS在Vbox中。仅主机网络配置。静态IP 192.168.56.10 标准的OpenSSH服务器。主机id_rsa.pub已添加到客户端authorized_keys文件中。
g2ra@host:~$ cat .ssh/id_rsa.pub | ssh -p 22 g2ra@192.168.56.10 'cat >> .ssh/authorized_keys'
〜/ .ssh权限是chmod正确的。
g2ra@host:~$ ll .ssh/
total 68
drwx------ 2 g2ra g2ra 4096 Apr 24 00:31 ./
drwx------ 81 g2ra g2ra 28672 Apr 24 09:37 ../
-rw------- 1 g2ra g2ra 1766 Mar 27 10:12 id_rsa
-rw------- 1 g2ra g2ra 397 Mar 27 10:12 id_rsa.pub
-rw------- 1 g2ra g2ra 1110 Apr 24 11:23 known_hosts
这是调试消息:
~$ ssh -v -l g2ra -p 22 192.168.56.10
OpenSSH_5.9p1 Debian-5ubuntu1.1, OpenSSL 1.0.1 14 Mar 2012
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to 192.168.56.10 [192.168.56.10] port 22.
debug1: Connection established.
debug1: identity file /home/g2ra/.ssh/id_rsa type 1
debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-2048
debug1: Checking blacklist file /etc/ssh/blacklist.RSA-2048
debug1: identity file /home/g2ra/.ssh/id_rsa-cert type -1
debug1: identity file /home/g2ra/.ssh/id_dsa type -1
debug1: identity file /home/g2ra/.ssh/id_dsa-cert type -1
debug1: identity file /home/g2ra/.ssh/id_ecdsa type -1
debug1: identity file /home/g2ra/.ssh/id_ecdsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.9p1 Debian-5ubuntu1.1
debug1: match: OpenSSH_5.9p1 Debian-5ubuntu1.1 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.9p1 Debian-5ubuntu1.1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ECDSA 00:00:00:87:00:0a:3d:e1:aa:78:ac:05:00:00:0e:00
debug1: Host '192.168.56.10' is known and matches the ECDSA host key.
debug1: Found key in /home/g2ra/.ssh/known_hosts:5
debug1: ssh_ecdsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/g2ra/.ssh/id_rsa
debug1: Authentications that can continue: publickey,password
debug1: Trying private key: /home/g2ra/.ssh/id_dsa
debug1: Trying private key: /home/g2ra/.ssh/id_ecdsa
debug1: Next authentication method: password
这是我的sshd配置,在Vbox中的Ubuntu服务器上:
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes
# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 768
# Logging
SyslogFacility AUTH
LogLevel INFO
# Authentication:
LoginGraceTime 120
PermitRootLogin yes
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile %h/.ssh/authorized_keys
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes
# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no
# Change to no to disable tunnelled clear text passwords
#PasswordAuthentication yes
# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no
#MaxStartups 10:30:60
#Banner /etc/issue.net
# Allow client to pass locale environment variables
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes
更新。在sshd配置中,详细级别增加到DEBUG。在Ubuntu Server Vbox上。
grep 'ssh'/var/log/auth.log
Apr 24 13:57:03 host sshd[19731]: debug1: Client protocol version 2.0; client software version OpenSSH_5.9p1 Debian-5ubuntu1.1
Apr 24 13:57:03 host sshd[19731]: debug1: match: OpenSSH_5.9p1 Debian-5ubuntu1.1 pat OpenSSH*
Apr 24 13:57:03 host sshd[19731]: debug1: Enabling compatibility mode for protocol 2.0
Apr 24 13:57:03 host sshd[19731]: debug1: Local version string SSH-2.0-OpenSSH_5.9p1 Debian-5ubuntu1.1
Apr 24 13:57:03 host sshd[19731]: debug1: permanently_set_uid: 105/65534 [preauth]
Apr 24 13:57:03 host sshd[19731]: debug1: list_hostkey_types: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256 [preauth]
Apr 24 13:57:03 host sshd[19731]: debug1: SSH2_MSG_KEXINIT sent [preauth]
Apr 24 13:57:03 host sshd[19731]: debug1: SSH2_MSG_KEXINIT received [preauth]
Apr 24 13:57:03 host sshd[19731]: debug1: kex: client->server aes128-ctr hmac-md5 none [preauth]
Apr 24 13:57:03 host sshd[19731]: debug1: kex: server->client aes128-ctr hmac-md5 none [preauth]
Apr 24 13:57:03 host sshd[19731]: debug1: expecting SSH2_MSG_KEX_ECDH_INIT [preauth]
Apr 24 13:57:03 host sshd[19731]: debug1: SSH2_MSG_NEWKEYS sent [preauth]
Apr 24 13:57:03 host sshd[19731]: debug1: expecting SSH2_MSG_NEWKEYS [preauth]
Apr 24 13:57:03 host sshd[19731]: debug1: SSH2_MSG_NEWKEYS received [preauth]
Apr 24 13:57:03 host sshd[19731]: debug1: KEX done [preauth]
Apr 24 13:57:03 host sshd[19731]: debug1: userauth-request for user g2ra service ssh-connection method none [preauth]
Apr 24 13:57:03 host sshd[19731]: debug1: attempt 0 failures 0 [preauth]
Apr 24 13:57:03 host sshd[19731]: debug1: PAM: initializing for "g2ra"
Apr 24 13:57:03 host sshd[19731]: debug1: PAM: setting PAM_RHOST to "192.168.56.1"
Apr 24 13:57:03 host sshd[19731]: debug1: PAM: setting PAM_TTY to "ssh"
Apr 24 13:57:03 host sshd[19731]: debug1: userauth-request for user g2ra service ssh-connection method publickey [preauth]
Apr 24 13:57:03 host sshd[19731]: debug1: attempt 1 failures 0 [preauth]
Apr 24 13:57:03 host sshd[19731]: debug1: test whether pkalg/pkblob are acceptable [preauth]
Apr 24 13:57:03 host sshd[19731]: debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-2048
Apr 24 13:57:03 host sshd[19731]: debug1: Checking blacklist file /etc/ssh/blacklist.RSA-2048
Apr 24 13:57:03 host sshd[19731]: debug1: temporarily_use_uid: 1000/1000 (e=0/0)
Apr 24 13:57:03 host sshd[19731]: debug1: trying public key file /home/g2ra/.ssh/authorized_keys
Apr 24 13:57:03 host sshd[19731]: debug1: Could not open authorized keys '/home/g2ra/.ssh/authorized_keys': No such file or directory
Apr 24 13:57:03 host sshd[19731]: debug1: restore_uid: 0/0
Apr 24 13:57:03 host sshd[19731]: Failed publickey for g2ra from 192.168.56.1 port 51041 ssh2
Apr 24 13:57:07 host sshd[19731]: debug1: userauth-request for user g2ra service ssh-connection method password [preauth]
Apr 24 13:57:07 host sshd[19731]: debug1: attempt 2 failures 1 [preauth]
Apr 24 13:57:07 host sshd[19733]: pam_ecryptfs: Passphrase file wrapped
Apr 24 13:57:08 host sshd[19731]: debug1: PAM: password authentication accepted for g2ra
Apr 24 13:57:08 host sshd[19731]: debug1: do_pam_account: called
Apr 24 13:57:08 host sshd[19731]: Accepted password for g2ra from 192.168.56.1 port 51041 ssh2
Apr 24 13:57:08 host sshd[19731]: debug1: monitor_read_log: child log fd closed
Apr 24 13:57:08 host sshd[19731]: debug1: monitor_child_preauth: g2ra has been authenticated by privileged process
Apr 24 13:57:08 host sshd[19731]: debug1: PAM: establishing credentials
Apr 24 13:57:08 host sshd[19731]: pam_unix(sshd:session): session opened for user g2ra by (uid=0)
Apr 24 13:57:09 host sshd[19731]: User child is on pid 19871
Apr 24 13:57:09 host sshd[19871]: debug1: SELinux support disabled
Apr 24 13:57:09 host sshd[19871]: debug1: PAM: establishing credentials
Apr 24 13:57:09 host sshd[19871]: debug1: permanently_set_uid: 1000/1000
Apr 24 13:57:09 host sshd[19871]: debug1: Entering interactive session for SSH2.
Apr 24 13:57:09 host sshd[19871]: debug1: server_init_dispatch_20
Apr 24 13:57:09 host sshd[19871]: debug1: server_input_channel_open: ctype session rchan 0 win 1048576 max 16384
Apr 24 13:57:09 host sshd[19871]: debug1: input_session_request
Apr 24 13:57:09 host sshd[19871]: debug1: channel 0: new [server-session]
Apr 24 13:57:09 host sshd[19871]: debug1: session_new: session 0
Apr 24 13:57:09 host sshd[19871]: debug1: session_open: channel 0
Apr 24 13:57:09 host sshd[19871]: debug1: session_open: session 0: link with channel 0
Apr 24 13:57:09 host sshd[19871]: debug1: server_input_channel_open: confirm session
Apr 24 13:57:09 host sshd[19871]: debug1: server_input_global_request: rtype no-more-sessions@openssh.com want_reply 0
Apr 24 13:57:09 host sshd[19871]: debug1: server_input_channel_req: channel 0 request pty-req reply 1
Apr 24 13:57:09 host sshd[19871]: debug1: session_by_channel: session 0 channel 0
Apr 24 13:57:09 host sshd[19871]: debug1: session_input_channel_req: session 0 req pty-req
Apr 24 13:57:09 host sshd[19871]: debug1: Allocating pty.
Apr 24 13:57:09 host sshd[19731]: debug1: session_new: session 0
Apr 24 13:57:09 host sshd[19731]: debug1: SELinux support disabled
Apr 24 13:57:09 host sshd[19871]: debug1: session_pty_req: session 0 alloc /dev/pts/0
Apr 24 13:57:09 host sshd[19871]: debug1: server_input_channel_req: channel 0 request env reply 0
Apr 24 13:57:09 host sshd[19871]: debug1: session_by_channel: session 0 channel 0
Apr 24 13:57:09 host sshd[19871]: debug1: session_input_channel_req: session 0 req env
Apr 24 13:57:09 host sshd[19871]: debug1: server_input_channel_req: channel 0 request env reply 0
Apr 24 13:57:09 host sshd[19871]: debug1: session_by_channel: session 0 channel 0
Apr 24 13:57:09 host sshd[19871]: debug1: session_input_channel_req: session 0 req env
Apr 24 13:57:09 host sshd[19871]: debug1: server_input_channel_req: channel 0 request env reply 0
Apr 24 13:57:09 host sshd[19871]: debug1: session_by_channel: session 0 channel 0
Apr 24 13:57:09 host sshd[19871]: debug1: session_input_channel_req: session 0 req env
Apr 24 13:57:09 host sshd[19871]: debug1: server_input_channel_req: channel 0 request env reply 0
Apr 24 13:57:09 host sshd[19871]: debug1: session_by_channel: session 0 channel 0
Apr 24 13:57:09 host sshd[19871]: debug1: session_input_channel_req: session 0 req env
Apr 24 13:57:09 host sshd[19871]: debug1: server_input_channel_req: channel 0 request env reply 0
Apr 24 13:57:09 host sshd[19871]: debug1: session_by_channel: session 0 channel 0
Apr 24 13:57:09 host sshd[19871]: debug1: session_input_channel_req: session 0 req env
Apr 24 13:57:09 host sshd[19871]: debug1: server_input_channel_req: channel 0 request env reply 0
Apr 24 13:57:09 host sshd[19871]: debug1: session_by_channel: session 0 channel 0
Apr 24 13:57:09 host sshd[19871]: debug1: session_input_channel_req: session 0 req env
Apr 24 13:57:09 host sshd[19871]: debug1: server_input_channel_req: channel 0 request env reply 0
Apr 24 13:57:09 host sshd[19871]: debug1: session_by_channel: session 0 channel 0
Apr 24 13:57:09 host sshd[19871]: debug1: session_input_channel_req: session 0 req env
Apr 24 13:57:09 host sshd[19871]: debug1: server_input_channel_req: channel 0 request env reply 0
Apr 24 13:57:09 host sshd[19871]: debug1: session_by_channel: session 0 channel 0
Apr 24 13:57:09 host sshd[19871]: debug1: session_input_channel_req: session 0 req env
Apr 24 13:57:09 host sshd[19871]: debug1: server_input_channel_req: channel 0 request env reply 0
Apr 24 13:57:09 host sshd[19871]: debug1: session_by_channel: session 0 channel 0
Apr 24 13:57:09 host sshd[19871]: debug1: session_input_channel_req: session 0 req env
Apr 24 13:57:09 host sshd[19871]: debug1: server_input_channel_req: channel 0 request env reply 0
Apr 24 13:57:09 host sshd[19871]: debug1: session_by_channel: session 0 channel 0
Apr 24 13:57:09 host sshd[19871]: debug1: session_input_channel_req: session 0 req env
Apr 24 13:57:09 host sshd[19871]: debug1: server_input_channel_req: channel 0 request shell reply 1
Apr 24 13:57:09 host sshd[19871]: debug1: session_by_channel: session 0 channel 0
Apr 24 13:57:09 host sshd[19871]: debug1: session_input_channel_req: session 0 req shell
Apr 24 13:57:09 host sshd[19872]: debug1: Setting controlling tty using TIOCSCTTY.
调试日志说。无法打开授权密钥'/home/g2ra/.ssh/authorized_keys':没有这样的文件或目录。 为什么呢?
答案 0 :(得分:5)
@ g1ra 的评论可以解决此问题。 在此处添加它以获得更好的可见性。
如果您有加密的主目录,则SSH无法访问您的authorized_keys
文件,因为它位于您的加密主目录中,并且在您通过身份验证后才能使用。因此,SSH将默认为密码验证。
要解决此问题,请在家外创建一个名为/etc/ssh/<username>
的文件夹(用您的实际用户名替换<username>
)。此目录应具有 755 权限,并且由用户拥有。将authorized_keys
文件移入其中。 authorized_keys
文件应具有 644 权限,并由用户拥有。
然后编辑/ etc / ssh / sshd_config并添加:
AuthorizedKeysFile /etc/ssh/%u/authorized_keys
最后,使用以下命令重新启动ssh:
sudo service ssh restart
下次使用SSH连接时,您无需输入密码。
答案 1 :(得分:-1)
通常,您应该使用ssh-copy-id
而不是手动构建它。
您是否检查过目标计算机上的.ssh文件夹和authorized_keys的权限?也许(由手动猫引起)文件/文件夹是使用标准的umask创建的,这对于SSH来说太“开放”了。
答案 2 :(得分:-1)
您可以尝试在两台计算机上使用ssh-add
续订ssh记录。