logo标签列表

无法通过公钥ssh进行认证,但id_rsa.pub已在authorized_keys中。

sshvirtualbox
4

/更新:问题精简为:无法打开授权密钥。/

我在Virtualbox中运行一个Ubuntu服务器,尝试通过ssh登录,但每次都要求输入登录密码,公钥无法使用。

简介: Ubuntu服务器12.04.2 LTS在Vbox中。仅主机网络配置。静态IP 192.168.56.10 标准的OpenSSH服务器。将主机id_rsa.pub添加到客户端authorized_keys文件中。

g2ra@host:~$ cat .ssh/id_rsa.pub | ssh -p 22 g2ra@192.168.56.10 'cat >> .ssh/authorized_keys'

~/.ssh权限已正确设置为chmod。

g2ra@host:~$ ll .ssh/
total 68
drwx------  2 g2ra g2ra  4096 Apr 24 00:31 ./
drwx------ 81 g2ra g2ra 28672 Apr 24 09:37 ../
-rw-------  1 g2ra g2ra  1766 Mar 27 10:12 id_rsa
-rw-------  1 g2ra g2ra   397 Mar 27 10:12 id_rsa.pub
-rw-------  1 g2ra g2ra  1110 Apr 24 11:23 known_hosts

以下是调试信息:

~$ ssh -v -l g2ra -p 22 192.168.56.10
OpenSSH_5.9p1 Debian-5ubuntu1.1, OpenSSL 1.0.1 14 Mar 2012
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to 192.168.56.10 [192.168.56.10] port 22.
debug1: Connection established.
debug1: identity file /home/g2ra/.ssh/id_rsa type 1
debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-2048
debug1: Checking blacklist file /etc/ssh/blacklist.RSA-2048
debug1: identity file /home/g2ra/.ssh/id_rsa-cert type -1
debug1: identity file /home/g2ra/.ssh/id_dsa type -1
debug1: identity file /home/g2ra/.ssh/id_dsa-cert type -1
debug1: identity file /home/g2ra/.ssh/id_ecdsa type -1
debug1: identity file /home/g2ra/.ssh/id_ecdsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.9p1 Debian-5ubuntu1.1
debug1: match: OpenSSH_5.9p1 Debian-5ubuntu1.1 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.9p1 Debian-5ubuntu1.1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ECDSA 00:00:00:87:00:0a:3d:e1:aa:78:ac:05:00:00:0e:00
debug1: Host '192.168.56.10' is known and matches the ECDSA host key.
debug1: Found key in /home/g2ra/.ssh/known_hosts:5
debug1: ssh_ecdsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/g2ra/.ssh/id_rsa
debug1: Authentications that can continue: publickey,password
debug1: Trying private key: /home/g2ra/.ssh/id_dsa
debug1: Trying private key: /home/g2ra/.ssh/id_ecdsa
debug1: Next authentication method: password

以下是我在Vbox中Ubuntu服务器上的sshd配置:

Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes

# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 768

# Logging
SyslogFacility AUTH
LogLevel INFO

# Authentication:
LoginGraceTime 120
PermitRootLogin yes
StrictModes yes

RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile      %h/.ssh/authorized_keys

# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes

# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no

# Change to no to disable tunnelled clear text passwords
#PasswordAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no

#MaxStartups 10:30:60
#Banner /etc/issue.net

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

Subsystem sftp /usr/lib/openssh/sftp-server

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes

更新。在Ubuntu Server Vbox中,sshd配置的详细级别已增加为DEBUG。

grep 'ssh'/var/log/auth.log 


Apr 24 13:57:03 host sshd[19731]: debug1: Client protocol version 2.0; client software version OpenSSH_5.9p1 Debian-5ubuntu1.1
Apr 24 13:57:03 host sshd[19731]: debug1: match: OpenSSH_5.9p1 Debian-5ubuntu1.1 pat OpenSSH*
Apr 24 13:57:03 host sshd[19731]: debug1: Enabling compatibility mode for protocol 2.0
Apr 24 13:57:03 host sshd[19731]: debug1: Local version string SSH-2.0-OpenSSH_5.9p1 Debian-5ubuntu1.1
Apr 24 13:57:03 host sshd[19731]: debug1: permanently_set_uid: 105/65534 [preauth]
Apr 24 13:57:03 host sshd[19731]: debug1: list_hostkey_types: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256 [preauth]
Apr 24 13:57:03 host sshd[19731]: debug1: SSH2_MSG_KEXINIT sent [preauth]
Apr 24 13:57:03 host sshd[19731]: debug1: SSH2_MSG_KEXINIT received [preauth]
Apr 24 13:57:03 host sshd[19731]: debug1: kex: client->server aes128-ctr hmac-md5 none [preauth]
Apr 24 13:57:03 host sshd[19731]: debug1: kex: server->client aes128-ctr hmac-md5 none [preauth]
Apr 24 13:57:03 host sshd[19731]: debug1: expecting SSH2_MSG_KEX_ECDH_INIT [preauth]
Apr 24 13:57:03 host sshd[19731]: debug1: SSH2_MSG_NEWKEYS sent [preauth]
Apr 24 13:57:03 host sshd[19731]: debug1: expecting SSH2_MSG_NEWKEYS [preauth]
Apr 24 13:57:03 host sshd[19731]: debug1: SSH2_MSG_NEWKEYS received [preauth]
Apr 24 13:57:03 host sshd[19731]: debug1: KEX done [preauth]
Apr 24 13:57:03 host sshd[19731]: debug1: userauth-request for user g2ra service ssh-connection method none [preauth]
Apr 24 13:57:03 host sshd[19731]: debug1: attempt 0 failures 0 [preauth]
Apr 24 13:57:03 host sshd[19731]: debug1: PAM: initializing for "g2ra"
Apr 24 13:57:03 host sshd[19731]: debug1: PAM: setting PAM_RHOST to "192.168.56.1"
Apr 24 13:57:03 host sshd[19731]: debug1: PAM: setting PAM_TTY to "ssh"
Apr 24 13:57:03 host sshd[19731]: debug1: userauth-request for user g2ra service ssh-connection method publickey [preauth]
Apr 24 13:57:03 host sshd[19731]: debug1: attempt 1 failures 0 [preauth]
Apr 24 13:57:03 host sshd[19731]: debug1: test whether pkalg/pkblob are acceptable [preauth]
Apr 24 13:57:03 host sshd[19731]: debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-2048
Apr 24 13:57:03 host sshd[19731]: debug1: Checking blacklist file /etc/ssh/blacklist.RSA-2048
Apr 24 13:57:03 host sshd[19731]: debug1: temporarily_use_uid: 1000/1000 (e=0/0)
Apr 24 13:57:03 host sshd[19731]: debug1: trying public key file /home/g2ra/.ssh/authorized_keys
Apr 24 13:57:03 host sshd[19731]: debug1: Could not open authorized keys '/home/g2ra/.ssh/authorized_keys': No such file or directory
Apr 24 13:57:03 host sshd[19731]: debug1: restore_uid: 0/0
Apr 24 13:57:03 host sshd[19731]: Failed publickey for g2ra from 192.168.56.1 port 51041 ssh2
Apr 24 13:57:07 host sshd[19731]: debug1: userauth-request for user g2ra service ssh-connection method password [preauth]
Apr 24 13:57:07 host sshd[19731]: debug1: attempt 2 failures 1 [preauth]
Apr 24 13:57:07 host sshd[19733]: pam_ecryptfs: Passphrase file wrapped
Apr 24 13:57:08 host sshd[19731]: debug1: PAM: password authentication accepted for g2ra
Apr 24 13:57:08 host sshd[19731]: debug1: do_pam_account: called
Apr 24 13:57:08 host sshd[19731]: Accepted password for g2ra from 192.168.56.1 port 51041 ssh2
Apr 24 13:57:08 host sshd[19731]: debug1: monitor_read_log: child log fd closed
Apr 24 13:57:08 host sshd[19731]: debug1: monitor_child_preauth: g2ra has been authenticated by privileged process
Apr 24 13:57:08 host sshd[19731]: debug1: PAM: establishing credentials
Apr 24 13:57:08 host sshd[19731]: pam_unix(sshd:session): session opened for user g2ra by (uid=0)
Apr 24 13:57:09 host sshd[19731]: User child is on pid 19871
Apr 24 13:57:09 host sshd[19871]: debug1: SELinux support disabled
Apr 24 13:57:09 host sshd[19871]: debug1: PAM: establishing credentials
Apr 24 13:57:09 host sshd[19871]: debug1: permanently_set_uid: 1000/1000
Apr 24 13:57:09 host sshd[19871]: debug1: Entering interactive session for SSH2.
Apr 24 13:57:09 host sshd[19871]: debug1: server_init_dispatch_20
Apr 24 13:57:09 host sshd[19871]: debug1: server_input_channel_open: ctype session rchan 0 win 1048576 max 16384
Apr 24 13:57:09 host sshd[19871]: debug1: input_session_request
Apr 24 13:57:09 host sshd[19871]: debug1: channel 0: new [server-session]
Apr 24 13:57:09 host sshd[19871]: debug1: session_new: session 0
Apr 24 13:57:09 host sshd[19871]: debug1: session_open: channel 0
Apr 24 13:57:09 host sshd[19871]: debug1: session_open: session 0: link with channel 0
Apr 24 13:57:09 host sshd[19871]: debug1: server_input_channel_open: confirm session
Apr 24 13:57:09 host sshd[19871]: debug1: server_input_global_request: rtype no-more-sessions@openssh.com want_reply 0
Apr 24 13:57:09 host sshd[19871]: debug1: server_input_channel_req: channel 0 request pty-req reply 1
Apr 24 13:57:09 host sshd[19871]: debug1: session_by_channel: session 0 channel 0
Apr 24 13:57:09 host sshd[19871]: debug1: session_input_channel_req: session 0 req pty-req
Apr 24 13:57:09 host sshd[19871]: debug1: Allocating pty.
Apr 24 13:57:09 host sshd[19731]: debug1: session_new: session 0
Apr 24 13:57:09 host sshd[19731]: debug1: SELinux support disabled
Apr 24 13:57:09 host sshd[19871]: debug1: session_pty_req: session 0 alloc /dev/pts/0
Apr 24 13:57:09 host sshd[19871]: debug1: server_input_channel_req: channel 0 request env reply 0
Apr 24 13:57:09 host sshd[19871]: debug1: session_by_channel: session 0 channel 0
Apr 24 13:57:09 host sshd[19871]: debug1: session_input_channel_req: session 0 req env
Apr 24 13:57:09 host sshd[19871]: debug1: server_input_channel_req: channel 0 request env reply 0
Apr 24 13:57:09 host sshd[19871]: debug1: session_by_channel: session 0 channel 0
Apr 24 13:57:09 host sshd[19871]: debug1: session_input_channel_req: session 0 req env
Apr 24 13:57:09 host sshd[19871]: debug1: server_input_channel_req: channel 0 request env reply 0
Apr 24 13:57:09 host sshd[19871]: debug1: session_by_channel: session 0 channel 0
Apr 24 13:57:09 host sshd[19871]: debug1: session_input_channel_req: session 0 req env
Apr 24 13:57:09 host sshd[19871]: debug1: server_input_channel_req: channel 0 request env reply 0
Apr 24 13:57:09 host sshd[19871]: debug1: session_by_channel: session 0 channel 0
Apr 24 13:57:09 host sshd[19871]: debug1: session_input_channel_req: session 0 req env
Apr 24 13:57:09 host sshd[19871]: debug1: server_input_channel_req: channel 0 request env reply 0
Apr 24 13:57:09 host sshd[19871]: debug1: session_by_channel: session 0 channel 0
Apr 24 13:57:09 host sshd[19871]: debug1: session_input_channel_req: session 0 req env
Apr 24 13:57:09 host sshd[19871]: debug1: server_input_channel_req: channel 0 request env reply 0
Apr 24 13:57:09 host sshd[19871]: debug1: session_by_channel: session 0 channel 0
Apr 24 13:57:09 host sshd[19871]: debug1: session_input_channel_req: session 0 req env
Apr 24 13:57:09 host sshd[19871]: debug1: server_input_channel_req: channel 0 request env reply 0
Apr 24 13:57:09 host sshd[19871]: debug1: session_by_channel: session 0 channel 0
Apr 24 13:57:09 host sshd[19871]: debug1: session_input_channel_req: session 0 req env
Apr 24 13:57:09 host sshd[19871]: debug1: server_input_channel_req: channel 0 request env reply 0
Apr 24 13:57:09 host sshd[19871]: debug1: session_by_channel: session 0 channel 0
Apr 24 13:57:09 host sshd[19871]: debug1: session_input_channel_req: session 0 req env
Apr 24 13:57:09 host sshd[19871]: debug1: server_input_channel_req: channel 0 request env reply 0
Apr 24 13:57:09 host sshd[19871]: debug1: session_by_channel: session 0 channel 0
Apr 24 13:57:09 host sshd[19871]: debug1: session_input_channel_req: session 0 req env
Apr 24 13:57:09 host sshd[19871]: debug1: server_input_channel_req: channel 0 request env reply 0
Apr 24 13:57:09 host sshd[19871]: debug1: session_by_channel: session 0 channel 0
Apr 24 13:57:09 host sshd[19871]: debug1: session_input_channel_req: session 0 req env
Apr 24 13:57:09 host sshd[19871]: debug1: server_input_channel_req: channel 0 request shell reply 1
Apr 24 13:57:09 host sshd[19871]: debug1: session_by_channel: session 0 channel 0
Apr 24 13:57:09 host sshd[19871]: debug1: session_input_channel_req: session 0 req shell
Apr 24 13:57:09 host sshd[19872]: debug1: Setting controlling tty using TIOCSCTTY.

调试日志显示:“无法打开授权密钥'/home/g2ra/.ssh/authorized_keys':没有这样的文件或目录。”为什么会出现这种情况?

3
我找到了解决方法:SSH无法访问您的authorized_keys文件,因为它位于加密的主目录内,在您进行身份验证之后才会可用。 - g1ra
哦,是的,我真的忘了问。加密的主目录是最常见的故障来源之一 ;) - Emii Khaos
@g1ra,你应该把它变成一个正式的解决方案,因为我差点在评论中错过了它(而且它确实成功了)! - Bertrand Caron
3个回答
5

@g1ra的留言为此问题提供了解决方案,如果您的主目录被加密了。在此将其添加以更好地展示。

如果您的主目录被加密,则SSH无法访问您的 authorized_keys 文件,因为它位于您的加密主目录中,在经过身份验证之前不可用。因此,SSH将默认使用密码身份验证。

要解决这个问题,请在您的主目录外创建一个名为/etc/ssh/<username>的文件夹(将<username>替换为您的实际用户名)。该文件夹应具有755权限并由用户拥有。将 authorized_keys 文件移动到其中。 authorized_keys 文件应具有644权限并由用户拥有。

然后编辑您的 /etc/ssh/sshd_config 并添加:

AuthorizedKeysFile    /etc/ssh/%u/authorized_keys

最后,使用以下命令重新启动ssh:

sudo service ssh restart

下次连接SSH时,您不需要输入密码。
来源:Ubuntu - SSH/OpenSSH/Keys
-1

通常情况下,您应该使用ssh-copy-id而不是手动构建。

您是否检查了目标机器上的.ssh文件夹和authorized_keys的权限?也许(由于手动cat)文件/文件夹是用标准umask创建的,这对SSH来说太“开放”了。

目标机器上的 .ssh 文件夹权限为 700,authorized_keys 文件权限为 600。我尝试删除后再使用 ssh-copy-id 命令,但没有任何改变。 - g1ra
可能是sshd配置出了问题?但我没有更改过。我编辑了原始问题并包含了sshd配置。 - g1ra
-1
您可以尝试在两台机器上使用ssh-add来更新ssh记录。
网页内容由stack overflow 提供, 点击上面的
可以查看英文原文,
原文链接