SSH 权限被拒绝(公钥)


I am trying to SSH from Ubuntu to Debian. I already have an RSA key; it is the same key I use for Git.

I copied the key from Ubuntu to Debian with:

ssh-copy-id -i ~/.ssh/id_rsa.pub root@ip-address

Then, on Debian, I modified sshd_config to include the following:

RSAAuthentication yes
PubkeyAuthentication yes
PasswordAuthentication no

After that I restarted the SSH service. Now I try to log in from Ubuntu:

ssh -v root@ip-addr

but I get the following:

OpenSSH_6.6.1, OpenSSL 1.0.1f 6 Jan 2014
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to 10.0.1.64 [10.0.1.64] port 22.
debug1: Connection established.
debug1: identity file /home/koushatalebian/.ssh/id_rsa.pub type 1
debug1: identity file /home/koushatalebian/.ssh/id_rsa.pub-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-8
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.0p1 Debian-4+deb7u2
debug1: match: OpenSSH_6.0p1 Debian-4+deb7u2 pat OpenSSH* compat 0x04000000
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ECDSA e2:af:83:f8:df:e2:15:db:77:30:e1:6b:e7:dc:77:99
debug1: Host '10.0.1.64' is known and matches the ECDSA host key.
debug1: Found key in /home/koushatalebian/.ssh/known_hosts:10
debug1: ssh_ecdsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/koushatalebian/.ssh/id_rsa.pub
debug1: Authentications that can continue: publickey
debug1: No more authentication methods to try.
Permission denied (publickey).

I want to force SSH to work only through public key authentication.

I have read all the other posts on this subject, but none of them worked for me. That is why I am creating this as a separate post.

Edit

Changing StrictModes yes to StrictModes no in sshd_config fixes the problem. Is it safe to do this?

Edit 2

Here is the SSH log from the server:

May  5 18:23:55 lemaker sshd[2591]: Connection from 10.0.1.37 port 42748
May  5 18:23:55 lemaker sshd[2591]: debug1: PAM: setting PAM_RHOST to "10.0.1.37"
May  5 18:23:55 lemaker sshd[2591]: Failed publickey for root from 10.0.1.37 port 42748 ssh2
May  5 18:23:55 lemaker sshd[2591]: Connection closed by 10.0.1.37 [preauth]

You are trying to authenticate using your public key. You need to use your private key - usually the one without an extension. - Boris the Spider
What is this setting? "PermitRootLogin yes" - Hankster
Disabling StrictModes is probably not a good idea, since it means you have a key file that ssh considers too poorly protected to be trusted. You can choose to trust it anyway, but doing so may carry risk. Better to find the files it does not like and fix their permissions. - Eric Renouf
2 Answers


You don't want to offer your .pub as your credential. You want to use your private key on your end, so you should look at doing:

ssh -v -i ~/.ssh/id_rsa root@ip-addr

That is what the -i flag uses by default, so you could omit the flag altogether.

Also, make sure you have set PermitRootLogin yes if you want to ssh in as root.


You should double-check your key permissions: the private key needs to be 600 and the public key 644. On the server, the authorized_keys file needs to be 644 and each .ssh directory 700. - Eric Renouf
Have you tried looking at /var/log/secure (for Fedora/RHEL-type systems) or, I think for Ubuntu, /var/log/auth.log to see what the server does not like? - Eric Renouf
On the machine I want to log in to, it says "Connection closed by 10.0.1.37 [preauth]". - Kousha
Try adding LogLevel DEBUG to your sshd_config and then try logging in again; you should see a line like Authentication refused: bad ownership or modes for directory /home/<user>/.ssh, or something about the actual file it is unhappy with. - Eric Renouf
I am not getting that. I will post what I get in my question. - Kousha
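The question's edit and the comments above circle around StrictModes and file permissions. What sshd actually enforces with StrictModes yes is narrower than "600 / 644 / 700": before trusting ~/.ssh/authorized_keys it requires that the file, ~/.ssh, and every directory up to and including the home directory are owned by the login user or by root and are not writable by group or others; anything else is logged as "Authentication refused: bad ownership or modes for ..." and the key is skipped, which the client sees as "Permission denied (publickey)" and the server log as "Failed publickey for root". The shell script below is an added example, not code from the thread or from OpenSSH: it reproduces that check over a home directory, fixes what it would reject, and demonstrates the rejection on a throw-away directory. The directory names and the sample key line are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenSSH: reproduce the
# ownership/mode checks sshd makes when StrictModes is "yes", so the
# offending path can be fixed instead of the check being disabled.
# Directory names and the key line below are assumptions for the demo.

# mode_and_uid PATH: set MODE (e.g. drwxrwxr-x) and OWNER (numeric uid)
# from "ls -ldn", which is portable across GNU and BSD userlands.
mode_and_uid() {
    set -- $(ls -ldn "$1")
    MODE=$1
    OWNER=$3
}

# check_ssh_modes HOME_DIR [UID]
# Returns 0 if sshd with StrictModes yes would accept HOME_DIR/.ssh/authorized_keys,
# 1 otherwise, printing one line per path it would reject. Like sshd, the walk
# stops at the home directory itself.
check_ssh_modes() {
    home=$1
    uid=${2:-$(id -u)}
    rc=0
    for path in "$home/.ssh/authorized_keys" "$home/.ssh" "$home"; do
        if [ ! -e "$path" ]; then
            echo "missing: $path"
            rc=1
            continue
        fi
        mode_and_uid "$path"
        # Characters 6 and 9 of the ls mode string are the group and other write bits.
        case $MODE in
            ?????w*|????????w*)
                echo "bad ownership or modes for $path ($MODE, uid $OWNER): group/other writable"
                rc=1 ;;
        esac
        if [ "$OWNER" -ne 0 ] && [ "$OWNER" -ne "$uid" ]; then
            echo "bad ownership or modes for $path ($MODE, uid $OWNER): not owned by uid $uid or root"
            rc=1
        fi
    done
    return $rc
}

# fix_ssh_modes HOME_DIR: apply modes sshd accepts. This is tighter than the
# minimum (sshd only insists on no group/other write), which is the usual practice.
fix_ssh_modes() {
    chmod go-w "$1"
    chmod 700 "$1/.ssh"
    chmod 600 "$1/.ssh/authorized_keys"
}

# Demo: a throw-away home directory with a group-writable ~/.ssh, one of the
# common ways to hit this error. Show the rejection, then fix it.
demo() {
    tmp=$(mktemp -d)
    mkdir "$tmp/.ssh"
    echo "ssh-rsa AAAA-constructed-key-for-demo user@example" > "$tmp/.ssh/authorized_keys"
    chmod 775 "$tmp/.ssh"
    if check_ssh_modes "$tmp"; then
        echo "unexpected: sshd would accept this"
    else
        echo "rejected, as sshd would; fixing"
        fix_ssh_modes "$tmp"
        check_ssh_modes "$tmp" && echo "now accepted"
    fi
    rm -rf "$tmp"
}
demo
```

Run check_ssh_modes against the real account on the server (check_ssh_modes /root 0 for the root login in the question) and fix what it reports. Setting StrictModes no simply skips these checks, which is why it "fixes" the login: it also means anyone who can write to a group-writable home or ~/.ssh can drop their own key into authorized_keys for that account. One more caveat on the question's config: RSAAuthentication only applies to SSH protocol 1 and has no effect on the protocol 2 session in the debug output; PubkeyAuthentication is the directive that matters there.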


I would generate a new key pair and use that instead. This was only tested locally, but you could tar up the .ssh directory and put it on the remote server to get ssh working in both directions; if you only need it one way, don't add the public key to authorized_keys on both sides:

$ pwd
/home/testuser
$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/testuser/.ssh/id_rsa):[ENTER]
Created directory '/home/testuser/.ssh'.
Enter passphrase (empty for no passphrase):[ENTER]
Enter same passphrase again:[ENTER]
Your identification has been saved in /home/testuser/.ssh/id_rsa.
Your public key has been saved in /home/testuser/.ssh/id_rsa.pub.
[...]
$ cd .ssh
$ ls -l
total 8
-rw------- 1 testuser testuser 1679 May 5 13:49 id_rsa
-rw-r--r-- 1 testuser testuser 401 May 5 13:49 id_rsa.pub
$ cat id_rsa.pub >> authorized_keys
$ ssh 127.0.0.1
The authenticity of host '127.0.0.1 (127.0.0.1)' can't be established.
ECDSA key fingerprint is 0f:dd:ed:e3:bf:a1:c8:3f:fd:b2:0d:e8:1f:ee:29:f8.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '127.0.0.1' (ECDSA) to the list of known hosts.
Welcome to Ubuntu 14.04.2 LTS (GNU/Linux 3.16.0-36-generic x86_64)
[...]
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

$ exit
Connection to 127.0.0.1 closed.

"Simply tar up the .ssh directory and put it on the remote server" is a terrible solution. Private keys should generally never leave the machine they were generated on. What needs to be distributed is the public part of the key (.../.ssh/*.pub). - indivisible
Right, which is why the first thing I said was "I would generate a new key pair and use that instead." Thanks, though. - John Rigler
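The exchange above is about what may travel between the two machines: only the public half of the key. As an added example, not code from the answer or from OpenSSH, here is a small POSIX shell function that installs a .pub file into an authorized_keys file the way ssh-copy-id does, idempotently, refusing anything that looks like a private key, and leaving the modes sshd accepts with StrictModes yes. The file names and the key material are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the answer or from OpenSSH: install only the
# PUBLIC half of a key pair into authorized_keys, as ssh-copy-id does.
# File names and key material below are assumptions for the demo.

# is_public_key FILE: succeed only if FILE holds an OpenSSH public key line.
# Private keys (PEM or OpenSSH format) start with "-----BEGIN" and are
# rejected, so shipping id_rsa instead of id_rsa.pub fails loudly.
is_public_key() {
    if grep -q -e '-----BEGIN' "$1" 2>/dev/null; then
        return 1
    fi
    grep -Eq '^(ssh-rsa|ssh-ed25519|ssh-dss|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( |$)' "$1"
}

# install_pubkey PUBFILE AUTHORIZED_KEYS
# Appends the key if it is not already present (matching on key type and
# base64 blob, since the trailing comment may differ) and sets the modes
# sshd accepts with StrictModes yes: .ssh 700, authorized_keys 600.
install_pubkey() {
    pub=$1
    auth=$2
    if ! is_public_key "$pub"; then
        echo "refusing $pub: not an OpenSSH public key (is it the private key?)" >&2
        return 1
    fi
    keyid=$(awk '{ print $1, $2 }' "$pub")
    dir=$(dirname "$auth")
    mkdir -p "$dir"
    chmod 700 "$dir"
    touch "$auth"
    chmod 600 "$auth"
    if awk -v k="$keyid" '($1 " " $2) == k { found = 1 } END { exit !found }' "$auth"; then
        echo "already present in $auth: ${keyid%% *} ..."
        return 0
    fi
    cat "$pub" >> "$auth"
    echo "installed into $auth: ${keyid%% *} ..."
}

# count_keys AUTHORIZED_KEYS: number of key lines, used to check idempotence.
count_keys() {
    grep -c -E '^(ssh-|ecdsa-)' "$1" || true
}

# Demo on constructed files: the second install is a no-op, and the
# private key is refused.
demo() {
    tmp=$(mktemp -d)
    echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDemoDemoDemoDemoDemoDemoDemoDemoDemoDemo user@ubuntu' > "$tmp/id_ed25519.pub"
    printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' 'not-a-real-key' '-----END OPENSSH PRIVATE KEY-----' > "$tmp/id_ed25519"
    install_pubkey "$tmp/id_ed25519.pub" "$tmp/root/.ssh/authorized_keys"
    install_pubkey "$tmp/id_ed25519.pub" "$tmp/root/.ssh/authorized_keys"
    install_pubkey "$tmp/id_ed25519" "$tmp/root/.ssh/authorized_keys" || echo "private key refused, as intended"
    echo "key lines in authorized_keys: $(count_keys "$tmp/root/.ssh/authorized_keys")"
    rm -rf "$tmp"
}
demo
```

Run it as the target user on the server after copying only the .pub across (for example with scp), or keep using ssh-copy-id, which does the same over an ssh connection. The private key stays in ~/.ssh on the client with mode 600, and that file, not the .pub, is what ssh -i should point at.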

Page content provided by Stack Overflow.