PubKey SSH Auth fails on CentOS but works on Ubuntu

Time: 2017-04-25 17:36:06

Tags: linux ssh centos

I'm going through all of our VMs and adding a nagios user.

When I run through my steps (described below) on Ubuntu, things work as expected. Doing the same thing on CentOS 6.2, however, I cannot ssh in with pubkey auth, only with password authentication.

I have confirmed that:

  • the /home/nagios directory has the correct owner and permissions
  • the authorized_keys file exists and is correctly populated

What else should I be checking? Could the different SSH versions be causing the problem?

Log from connecting to the CentOS 6.2 remote machine:

nagios@redacted:/home/redacted$ ssh -v nagios@remote.machine -i /var/lib/nagios/keys/id_rsa
OpenSSH_7.2p2 Ubuntu-4ubuntu2.1, OpenSSL 1.0.2g  1 Mar 2016
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to remote.machine [192.168.redacted.redacted] port 22.
debug1: Connection established.
debug1: identity file /var/lib/nagios/keys/id_rsa type 1
debug1: key_load_public: No such file or directory
debug1: identity file /var/lib/nagios/keys/id_rsa-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
debug1: match: OpenSSH_5.3 pat OpenSSH_5* compat 0x0c000000
debug1: Authenticating to remote.machine:22 as 'nagios'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: diffie-hellman-group-exchange-sha256
debug1: kex: host key algorithm: ssh-rsa
debug1: kex: server->client cipher: aes128-ctr MAC: umac-64@openssh.com compression: none
debug1: kex: client->server cipher: aes128-ctr MAC: umac-64@openssh.com compression: none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(2048<3072<8192) sent
debug1: got SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: got SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Server host key: ssh-rsa SHA256:redacted
debug1: Host 'remote.machine' is known and matches the RSA host key.
debug1: Found key in /var/lib/nagios/.ssh/known_hosts:7
debug1: rekey after 4294967296 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: rekey after 4294967296 blocks
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure.  Minor code may provide more information
No Kerberos credentials available

debug1: Unspecified GSS failure.  Minor code may provide more information
No Kerberos credentials available

debug1: Unspecified GSS failure.  Minor code may provide more information


debug1: Unspecified GSS failure.  Minor code may provide more information
No Kerberos credentials available

debug1: Next authentication method: publickey
debug1: Offering RSA public key: /var/lib/nagios/keys/id_rsa
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug1: No more authentication methods to try.
Permission denied (publickey,gssapi-keyex,gssapi-with-mic).

Details:

Here are the steps I go through.

  1. [Remote Machine] Add the nagios user:
    • [Ubuntu] sudo adduser nagios --system --group --shell /bin/bash
    • [CentOS] sudo adduser nagios --system --shell /bin/bash --home /home/nagios
  2. [Remote Machine] sudo passwd nagios
  3. [Remote Machine] Add the nagios user to the list of allowed users in /etc/ssh/sshd_config
  4. [Remote Machine] Restart the ssh(d) service.
  5. [Nagios Host] ssh-copy-id -i /var/lib/nagios/keys/id_rsa remote.machine
  6. [Remote Machine] Force nagios to log in via pubkey only by adding this to /etc/ssh/sshd_config:

    Match user nagios
    PasswordAuthentication no

  7. [Remote Machine] Restart the ssh(d) service.

  8. [Nagios Host] ssh -i /var/lib/nagios/keys/id_rsa nagios@remote.machine

    • On Ubuntu, this all works beautifully
    • On CentOS (6.2), I cannot log in unless I allow the nagios user to use password authentication.

1 answer:

Answer 0: (score: 0)

A colleague I asked about this pointed me to StrictModes in sshd_config.

If StrictModes is enabled, the permissions required on CentOS are:

chmod 700 ~/.ssh
chmod 600 ~/.ssh/id_rsa

source

When I checked the permissions of ~/.ssh and ~/.ssh/authorized_keys, I compared them against the Ubuntu / OpenSSH 7.2 requirements rather than the CentOS / OpenSSH 5.3 requirements.

Ubuntu / OpenSSH 7.2 allows 775 on ~/.ssh even with StrictModes enabled (but ~/.ssh/authorized_keys still needs 600).
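As an added example (not part of the original question or answer), the POSIX shell script below reproduces the checks sshd performs under StrictModes before it trusts a user's authorized_keys: the file, ~/.ssh and the home directory itself must each be owned by the user (or root) and must not be group- or world-writable. It assumes a Linux host with GNU coreutils (stat -c); the /home/nagios path comes from the question.

```shell
#!/bin/sh
# Added example, not from the original post: reproduce the StrictModes checks
# sshd applies (secure_filename() in auth.c) before it will trust a user's
# authorized_keys. Every component from the file up to and including the home
# directory must be owned by the user or root and must not be group- or
# world-writable. Assumes GNU coreutils `stat -c` (Linux).

# perm_ok PATH UID: returns 0 if PATH exists, is owned by UID or root, and is
# not writable by group or others; prints a one-line verdict either way.
perm_ok() {
    path=$1
    want_uid=$2
    if [ ! -e "$path" ]; then
        echo "MISSING    $path"
        return 1
    fi
    uid=$(stat -c '%u' "$path")
    mode=$(stat -c '%a' "$path")
    if [ "$uid" -ne "$want_uid" ] && [ "$uid" -ne 0 ]; then
        echo "BAD OWNER  $path (uid $uid, expected $want_uid or 0)"
        return 1
    fi
    # 022 (octal) = group-write | other-write; sshd rejects either bit,
    # so 700/755 pass while 775 (the Ubuntu-tolerated mode above) fails.
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "WRITABLE   $path (mode $mode is group/world writable)"
        return 1
    fi
    echo "ok         $path (mode $mode)"
}

# check_strictmodes HOME: test home, home/.ssh and home/.ssh/authorized_keys
# the way sshd does; the expected owner is whoever owns the home directory.
check_strictmodes() {
    home=$1
    want_uid=$(stat -c '%u' "$home") || return 1
    rc=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        perm_ok "$p" "$want_uid" || rc=1
    done
    return $rc
}

# Usage: sh check_strictmodes.sh /home/nagios   (the user from the question)
if [ -n "${1:-}" ]; then
    check_strictmodes "$1"
fi
```

Run it on the remote machine as root; any line other than "ok" is a path sshd will refuse, and the chmod commands from the answer are the fix.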