4

/更新:问题细化为:无法打开授权密钥。/

我在 Virtualbox 中有一个 Ubuntu 服务器,我尝试通过 ssh 登录,但每次询问登录密码时,pubkey 都不起作用。

概要:Vbox 中的 Ubuntu 服务器 12.04.2 LTS。仅主机网络配置。静态 ip 192.168.56.10 标准 OpenSSH 服务器。主机 id_rsa.pub 被添加到客户端 authorized_keys 文件中。

g2ra@host:~$ cat .ssh/id_rsa.pub | ssh -p 22 g2ra@192.168.56.10 'cat >> .ssh/authorized_keys'

~/.ssh 权限是正确的 chmod。

g2ra@host:~$ ll .ssh/
total 68
drwx------  2 g2ra g2ra  4096 Apr 24 00:31 ./
drwx------ 81 g2ra g2ra 28672 Apr 24 09:37 ../
-rw-------  1 g2ra g2ra  1766 Mar 27 10:12 id_rsa
-rw-------  1 g2ra g2ra   397 Mar 27 10:12 id_rsa.pub
-rw-------  1 g2ra g2ra  1110 Apr 24 11:23 known_hosts

这是调试消息:

~$ ssh -v -l g2ra -p 22 192.168.56.10
OpenSSH_5.9p1 Debian-5ubuntu1.1, OpenSSL 1.0.1 14 Mar 2012
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to 192.168.56.10 [192.168.56.10] port 22.
debug1: Connection established.
debug1: identity file /home/g2ra/.ssh/id_rsa type 1
debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-2048
debug1: Checking blacklist file /etc/ssh/blacklist.RSA-2048
debug1: identity file /home/g2ra/.ssh/id_rsa-cert type -1
debug1: identity file /home/g2ra/.ssh/id_dsa type -1
debug1: identity file /home/g2ra/.ssh/id_dsa-cert type -1
debug1: identity file /home/g2ra/.ssh/id_ecdsa type -1
debug1: identity file /home/g2ra/.ssh/id_ecdsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.9p1 Debian-5ubuntu1.1
debug1: match: OpenSSH_5.9p1 Debian-5ubuntu1.1 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.9p1 Debian-5ubuntu1.1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ECDSA 00:00:00:87:00:0a:3d:e1:aa:78:ac:05:00:00:0e:00
debug1: Host '192.168.56.10' is known and matches the ECDSA host key.
debug1: Found key in /home/g2ra/.ssh/known_hosts:5
debug1: ssh_ecdsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/g2ra/.ssh/id_rsa
debug1: Authentications that can continue: publickey,password
debug1: Trying private key: /home/g2ra/.ssh/id_dsa
debug1: Trying private key: /home/g2ra/.ssh/id_ecdsa
debug1: Next authentication method: password

这是我在 Vbox 中的 Ubuntu 服务器上的 sshd 配置:

Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes

# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 768

# Logging
SyslogFacility AUTH
LogLevel INFO

# Authentication:
LoginGraceTime 120
PermitRootLogin yes
StrictModes yes

RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile      %h/.ssh/authorized_keys

# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes

# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no

# Change to no to disable tunnelled clear text passwords
#PasswordAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no

#MaxStartups 10:30:60
#Banner /etc/issue.net

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

Subsystem sftp /usr/lib/openssh/sftp-server

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes

更新。详细级别在 sshd 配置中增加到 DEBUG。在 Ubuntu 服务器 Vbox 上。

grep 'ssh'/var/log/auth.log 


Apr 24 13:57:03 host sshd[19731]: debug1: Client protocol version 2.0; client software version OpenSSH_5.9p1 Debian-5ubuntu1.1
Apr 24 13:57:03 host sshd[19731]: debug1: match: OpenSSH_5.9p1 Debian-5ubuntu1.1 pat OpenSSH*
Apr 24 13:57:03 host sshd[19731]: debug1: Enabling compatibility mode for protocol 2.0
Apr 24 13:57:03 host sshd[19731]: debug1: Local version string SSH-2.0-OpenSSH_5.9p1 Debian-5ubuntu1.1
Apr 24 13:57:03 host sshd[19731]: debug1: permanently_set_uid: 105/65534 [preauth]
Apr 24 13:57:03 host sshd[19731]: debug1: list_hostkey_types: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256 [preauth]
Apr 24 13:57:03 host sshd[19731]: debug1: SSH2_MSG_KEXINIT sent [preauth]
Apr 24 13:57:03 host sshd[19731]: debug1: SSH2_MSG_KEXINIT received [preauth]
Apr 24 13:57:03 host sshd[19731]: debug1: kex: client->server aes128-ctr hmac-md5 none [preauth]
Apr 24 13:57:03 host sshd[19731]: debug1: kex: server->client aes128-ctr hmac-md5 none [preauth]
Apr 24 13:57:03 host sshd[19731]: debug1: expecting SSH2_MSG_KEX_ECDH_INIT [preauth]
Apr 24 13:57:03 host sshd[19731]: debug1: SSH2_MSG_NEWKEYS sent [preauth]
Apr 24 13:57:03 host sshd[19731]: debug1: expecting SSH2_MSG_NEWKEYS [preauth]
Apr 24 13:57:03 host sshd[19731]: debug1: SSH2_MSG_NEWKEYS received [preauth]
Apr 24 13:57:03 host sshd[19731]: debug1: KEX done [preauth]
Apr 24 13:57:03 host sshd[19731]: debug1: userauth-request for user g2ra service ssh-connection method none [preauth]
Apr 24 13:57:03 host sshd[19731]: debug1: attempt 0 failures 0 [preauth]
Apr 24 13:57:03 host sshd[19731]: debug1: PAM: initializing for "g2ra"
Apr 24 13:57:03 host sshd[19731]: debug1: PAM: setting PAM_RHOST to "192.168.56.1"
Apr 24 13:57:03 host sshd[19731]: debug1: PAM: setting PAM_TTY to "ssh"
Apr 24 13:57:03 host sshd[19731]: debug1: userauth-request for user g2ra service ssh-connection method publickey [preauth]
Apr 24 13:57:03 host sshd[19731]: debug1: attempt 1 failures 0 [preauth]
Apr 24 13:57:03 host sshd[19731]: debug1: test whether pkalg/pkblob are acceptable [preauth]
Apr 24 13:57:03 host sshd[19731]: debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-2048
Apr 24 13:57:03 host sshd[19731]: debug1: Checking blacklist file /etc/ssh/blacklist.RSA-2048
Apr 24 13:57:03 host sshd[19731]: debug1: temporarily_use_uid: 1000/1000 (e=0/0)
Apr 24 13:57:03 host sshd[19731]: debug1: trying public key file /home/g2ra/.ssh/authorized_keys
Apr 24 13:57:03 host sshd[19731]: debug1: Could not open authorized keys '/home/g2ra/.ssh/authorized_keys': No such file or directory
Apr 24 13:57:03 host sshd[19731]: debug1: restore_uid: 0/0
Apr 24 13:57:03 host sshd[19731]: Failed publickey for g2ra from 192.168.56.1 port 51041 ssh2
Apr 24 13:57:07 host sshd[19731]: debug1: userauth-request for user g2ra service ssh-connection method password [preauth]
Apr 24 13:57:07 host sshd[19731]: debug1: attempt 2 failures 1 [preauth]
Apr 24 13:57:07 host sshd[19733]: pam_ecryptfs: Passphrase file wrapped
Apr 24 13:57:08 host sshd[19731]: debug1: PAM: password authentication accepted for g2ra
Apr 24 13:57:08 host sshd[19731]: debug1: do_pam_account: called
Apr 24 13:57:08 host sshd[19731]: Accepted password for g2ra from 192.168.56.1 port 51041 ssh2
Apr 24 13:57:08 host sshd[19731]: debug1: monitor_read_log: child log fd closed
Apr 24 13:57:08 host sshd[19731]: debug1: monitor_child_preauth: g2ra has been authenticated by privileged process
Apr 24 13:57:08 host sshd[19731]: debug1: PAM: establishing credentials
Apr 24 13:57:08 host sshd[19731]: pam_unix(sshd:session): session opened for user g2ra by (uid=0)
Apr 24 13:57:09 host sshd[19731]: User child is on pid 19871
Apr 24 13:57:09 host sshd[19871]: debug1: SELinux support disabled
Apr 24 13:57:09 host sshd[19871]: debug1: PAM: establishing credentials
Apr 24 13:57:09 host sshd[19871]: debug1: permanently_set_uid: 1000/1000
Apr 24 13:57:09 host sshd[19871]: debug1: Entering interactive session for SSH2.
Apr 24 13:57:09 host sshd[19871]: debug1: server_init_dispatch_20
Apr 24 13:57:09 host sshd[19871]: debug1: server_input_channel_open: ctype session rchan 0 win 1048576 max 16384
Apr 24 13:57:09 host sshd[19871]: debug1: input_session_request
Apr 24 13:57:09 host sshd[19871]: debug1: channel 0: new [server-session]
Apr 24 13:57:09 host sshd[19871]: debug1: session_new: session 0
Apr 24 13:57:09 host sshd[19871]: debug1: session_open: channel 0
Apr 24 13:57:09 host sshd[19871]: debug1: session_open: session 0: link with channel 0
Apr 24 13:57:09 host sshd[19871]: debug1: server_input_channel_open: confirm session
Apr 24 13:57:09 host sshd[19871]: debug1: server_input_global_request: rtype no-more-sessions@openssh.com want_reply 0
Apr 24 13:57:09 host sshd[19871]: debug1: server_input_channel_req: channel 0 request pty-req reply 1
Apr 24 13:57:09 host sshd[19871]: debug1: session_by_channel: session 0 channel 0
Apr 24 13:57:09 host sshd[19871]: debug1: session_input_channel_req: session 0 req pty-req
Apr 24 13:57:09 host sshd[19871]: debug1: Allocating pty.
Apr 24 13:57:09 host sshd[19731]: debug1: session_new: session 0
Apr 24 13:57:09 host sshd[19731]: debug1: SELinux support disabled
Apr 24 13:57:09 host sshd[19871]: debug1: session_pty_req: session 0 alloc /dev/pts/0
Apr 24 13:57:09 host sshd[19871]: debug1: server_input_channel_req: channel 0 request env reply 0
Apr 24 13:57:09 host sshd[19871]: debug1: session_by_channel: session 0 channel 0
Apr 24 13:57:09 host sshd[19871]: debug1: session_input_channel_req: session 0 req env
Apr 24 13:57:09 host sshd[19871]: debug1: server_input_channel_req: channel 0 request env reply 0
Apr 24 13:57:09 host sshd[19871]: debug1: session_by_channel: session 0 channel 0
Apr 24 13:57:09 host sshd[19871]: debug1: session_input_channel_req: session 0 req env
Apr 24 13:57:09 host sshd[19871]: debug1: server_input_channel_req: channel 0 request env reply 0
Apr 24 13:57:09 host sshd[19871]: debug1: session_by_channel: session 0 channel 0
Apr 24 13:57:09 host sshd[19871]: debug1: session_input_channel_req: session 0 req env
Apr 24 13:57:09 host sshd[19871]: debug1: server_input_channel_req: channel 0 request env reply 0
Apr 24 13:57:09 host sshd[19871]: debug1: session_by_channel: session 0 channel 0
Apr 24 13:57:09 host sshd[19871]: debug1: session_input_channel_req: session 0 req env
Apr 24 13:57:09 host sshd[19871]: debug1: server_input_channel_req: channel 0 request env reply 0
Apr 24 13:57:09 host sshd[19871]: debug1: session_by_channel: session 0 channel 0
Apr 24 13:57:09 host sshd[19871]: debug1: session_input_channel_req: session 0 req env
Apr 24 13:57:09 host sshd[19871]: debug1: server_input_channel_req: channel 0 request env reply 0
Apr 24 13:57:09 host sshd[19871]: debug1: session_by_channel: session 0 channel 0
Apr 24 13:57:09 host sshd[19871]: debug1: session_input_channel_req: session 0 req env
Apr 24 13:57:09 host sshd[19871]: debug1: server_input_channel_req: channel 0 request env reply 0
Apr 24 13:57:09 host sshd[19871]: debug1: session_by_channel: session 0 channel 0
Apr 24 13:57:09 host sshd[19871]: debug1: session_input_channel_req: session 0 req env
Apr 24 13:57:09 host sshd[19871]: debug1: server_input_channel_req: channel 0 request env reply 0
Apr 24 13:57:09 host sshd[19871]: debug1: session_by_channel: session 0 channel 0
Apr 24 13:57:09 host sshd[19871]: debug1: session_input_channel_req: session 0 req env
Apr 24 13:57:09 host sshd[19871]: debug1: server_input_channel_req: channel 0 request env reply 0
Apr 24 13:57:09 host sshd[19871]: debug1: session_by_channel: session 0 channel 0
Apr 24 13:57:09 host sshd[19871]: debug1: session_input_channel_req: session 0 req env
Apr 24 13:57:09 host sshd[19871]: debug1: server_input_channel_req: channel 0 request env reply 0
Apr 24 13:57:09 host sshd[19871]: debug1: session_by_channel: session 0 channel 0
Apr 24 13:57:09 host sshd[19871]: debug1: session_input_channel_req: session 0 req env
Apr 24 13:57:09 host sshd[19871]: debug1: server_input_channel_req: channel 0 request shell reply 1
Apr 24 13:57:09 host sshd[19871]: debug1: session_by_channel: session 0 channel 0
Apr 24 13:57:09 host sshd[19871]: debug1: session_input_channel_req: session 0 req shell
Apr 24 13:57:09 host sshd[19872]: debug1: Setting controlling tty using TIOCSCTTY.

调试日志说。无法打开授权密钥“/home/g2ra/.ssh/authorized_keys”:没有这样的文件或目录。为什么?

4

3 回答 3

5

如果您有一个加密的主文件夹,@g1ra的评论可以解决这个问题。在这里添加它以获得更好的可见性。

如果您有一个加密的主目录,则 SSH 无法访问您的authorized_keys文件,因为它位于您的加密主目录中,并且在您通过身份验证之前不可用。因此,SSH 将默认使用密码验证。

要解决此问题,请在您的家外创建一个名为/etc/ssh/<username>(替换<username>为您的实际用户名)的文件夹。此目录应具有755权限并归用户所有。将authorized_keys文件移入其中。该authorized_keys文件应具有644权限并归用户所有。

然后编辑您的 /etc/ssh/sshd_config 并添加:

AuthorizedKeysFile    /etc/ssh/%u/authorized_keys

最后,使用以下命令重新启动 ssh:

sudo service ssh restart

下次您使用 SSH 连接时,您不必输入密码。

来源:Ubuntu - SSH/OpenSSH/Keys

于 2014-10-03T09:01:00.060 回答
-1

您可以尝试ssh-add在两台机器上使用更新 ssh 记录。

于 2013-08-26T06:58:38.323 回答
-1

通常,您应该使用ssh-copy-id而不是手动构建它。

您是否检查过目标机器上 .ssh 文件夹和 authorized_keys 的权限?也许(由于手动 cat)文件/文件夹是使用标准 umask 创建的,这对于 SSH 来说太“开放”了。

于 2013-04-24T11:00:38.397 回答