SSH Permission denied (publickey)
I am trying to SSH from Ubuntu into Debian. I already have an RSA key; it is the same key I use for Git.
I copied the key from Ubuntu to Debian using:
ssh-copy-id -i ~/.ssh/id_rsa.pub root@ip-address
Then I modified sshd_config on Debian to include the following:
RSAAuthentication yes
PubkeyAuthentication yes
PasswordAuthentication no
Then I restarted the SSH service. Now I try to SSH in from Ubuntu using
ssh -v root@ip-addr
but I get the following:
OpenSSH_6.6.1, OpenSSL 1.0.1f 6 Jan 2014
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to 10.0.1.64 [10.0.1.64] port 22.
debug1: Connection established.
debug1: identity file /home/koushatalebian/.ssh/id_rsa.pub type 1
debug1: identity file /home/koushatalebian/.ssh/id_rsa.pub-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-8
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.0p1 Debian-4+deb7u2
debug1: match: OpenSSH_6.0p1 Debian-4+deb7u2 pat OpenSSH* compat 0x04000000
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ECDSA e2:af:83:f8:df:e2:15:db:77:30:e1:6b:e7:dc:77:99
debug1: Host '10.0.1.64' is known and matches the ECDSA host key.
debug1: Found key in /home/koushatalebian/.ssh/known_hosts:10
debug1: ssh_ecdsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/koushatalebian/.ssh/id_rsa.pub
debug1: Authentications that can continue: publickey
debug1: No more authentication methods to try.
Permission denied (publickey).
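I basically want to force SSH to happen only via public key authentication.
I have read all the other posts related to this topic, and none of them worked for me. That is why I created this as a separate post.
EDIT
Changing StrictModes from yes to no in sshd_config solved the problem. Is it safe to do so?
EDIT 2
Here is the log from SSH on the server: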
May 5 18:23:55 lemaker sshd[2591]: Connection from 10.0.1.37 port 42748
May 5 18:23:55 lemaker sshd[2591]: debug1: PAM: setting PAM_RHOST to "10.0.1.37"
May 5 18:23:55 lemaker sshd[2591]: Failed publickey for root from 10.0.1.37 port 42748 ssh2
May 5 18:23:55 lemaker sshd[2591]: Connection closed by 10.0.1.37 [preauth]
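On the StrictModes edit above: with StrictModes yes, sshd ignores an authorized_keys file when the file, ~/.ssh or the home directory is owned by someone other than the user or root, or is writable by group or others. The script below is an added example, not part of the original post; it approximates that check so the offending path can be fixed with chown/chmod instead of turning StrictModes off. The function names are hypothetical and GNU coreutils stat is assumed.

```shell
#!/bin/sh
# Added example (not from the original post). Approximates the ownership/mode
# test sshd applies with "StrictModes yes". Assumes GNU coreutils `stat -c`.

# path_is_safe PATH UID: succeeds if PATH is owned by UID or root and is
# not writable by group or others.
path_is_safe() {
    p=$1; want_uid=$2
    owner=$(stat -c '%u' "$p") || return 2
    mode=$(stat -c '%a' "$p") || return 2
    if [ "$owner" != "$want_uid" ] && [ "$owner" != 0 ]; then
        echo "bad owner (uid $owner): $p"; return 1
    fi
    # Leading 0 makes the shell read the mode as octal; 022 = g+w | o+w.
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "group/world-writable (mode $mode): $p"; return 1
    fi
}

# check_strictmodes HOME FILE UID: test FILE and every directory from its
# parent up to and including HOME. Returns non-zero if any of them fails.
check_strictmodes() {
    home=$1; file=$2; uid=$3; rc=0
    path_is_safe "$file" "$uid" || rc=1
    dir=$(dirname "$file")
    while :; do
        path_is_safe "$dir" "$uid" || rc=1
        if [ "$dir" = "$home" ] || [ "$dir" = / ]; then break; fi
        dir=$(dirname "$dir")
    done
    return $rc
}

# Constructed demo: a throwaway home directory with a group-writable .ssh.
demo=$(mktemp -d)
mkdir "$demo/.ssh" && : > "$demo/.ssh/authorized_keys"
chmod 700 "$demo"; chmod 775 "$demo/.ssh"; chmod 600 "$demo/.ssh/authorized_keys"
check_strictmodes "$demo" "$demo/.ssh/authorized_keys" "$(id -u)" \
    || echo "=> key file would be ignored; fix modes instead of disabling StrictModes"
chmod 700 "$demo/.ssh"
check_strictmodes "$demo" "$demo/.ssh/authorized_keys" "$(id -u)" \
    && echo "=> passes after chmod 700 .ssh"
rm -rf "$demo"
```

On the server it would be run as root against the target account, for example with /root, /root/.ssh/authorized_keys and uid 0 for the login in the question.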
You don't want to offer your .pub as your credential. You want to use your private key on your side, so you should do
ssh -v -i ~/.ssh/id_rsa root@ip-addr
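This is the default key to use, so you could leave off the -i flag entirely.
Also, if you are going to log in as root over ssh, make sure you have PermitRootLogin yes
I would make a new key pair and use that. This is just testing things locally, but just tar up the .ssh directory and put it on the remote server to make two-way ssh possible; if you only want one-way, then don't put the public key in both authorized_keys files: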
$ pwd
/home/testuser
$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/testuser/.ssh/id_rsa):[ENTER]
Created directory '/home/testuser/.ssh'.
Enter passphrase (empty for no passphrase):[ENTER]
Enter same passphrase again:[ENTER]
Your identification has been saved in /home/testuser/.ssh/id_rsa.
Your public key has been saved in /home/testuser/.ssh/id_rsa.pub.
[...]
$ cd .ssh
$ ls -l
total 8
-rw------- 1 testuser testuser 1679 May 5 13:49 id_rsa
-rw-r--r-- 1 testuser testuser 401 May 5 13:49 id_rsa.pub
$ cat id_rsa.pub >> authorized_keys
$ ssh 127.0.0.1
The authenticity of host '127.0.0.1 (127.0.0.1)' can't be established.
ECDSA key fingerprint is 0f:dd:ed:e3:bf:a1:c8:3f:fd:b2:0d:e8:1f:ee:29:f8.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '127.0.0.1' (ECDSA) to the list of known hosts.
Welcome to Ubuntu 14.04.2 LTS (GNU/Linux 3.16.0-36-generic x86_64)
[...]
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
$ exit
Connection to 127.0.0.1 closed.