
Ubuntu 14.04: regular user cannot log in with an SSH key
2021-07-01 12:54:02
idczone

As the title says. The current situation:

Local:

  • OS: OS X 10.11.6
  • Username: fourstring

Server:

  • OS: Ubuntu 14.04 x64 LTS
  • Username: git (I want to set up a remote git repository)

I created the git user, then created a .ssh directory under /home/git with permissions git:git 0700, ran ssh-keygen inside .ssh to generate a key pair, named the public key authorized_keys and set its permissions to git:git 0600. I copied the private key back to the local machine, created an ssh config locally, and gave the private key mode 0600.

Then I tried to connect to the server with the ssh command, and the connection was refused.

What I have checked so far:

  • auth.log contains no authentication-failure messages at all
  • /etc/ssh/sshd_config already contains
    RSAAuthentication yes
    PubkeyAuthentication yes
    AuthorizedKeysFile      %h/.ssh/authorized_keys
  • Confirmed that all file permissions are exactly right
  • The git user has not been given /sbin/nologin (for testing)
  • Since this is Ubuntu there is no SELinux
  • root can log in normally

Output of ssh hexo -vvv (hexo is the Host name from the config):

OpenSSH_6.9p1, LibreSSL 2.1.8
debug1: Reading configuration data /Users/fourstring/.ssh/config
debug1: /Users/fourstring/.ssh/config line 1: Applying options for hexo
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 21: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to xxx port xxx.
debug1: Connection established.
debug1: identity file /Users/fourstring/.ssh/hexo type 1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/fourstring/.ssh/hexo-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.9
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.6
debug1: match: OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.6 pat OpenSSH_6.6.1* compat 0x04000000
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to xxx as 'git'
debug3: put_host_port: xxx
debug3: hostkeys_foreach: reading file "/Users/fourstring/.ssh/known_hosts"
debug3: record_hostkey: found key type ECDSA in file /Users/fourstring/.ssh/known_hosts:22
debug3: load_hostkeys: loaded 1 keys from xxx
debug3: order_hostkeyalgs: prefer hostkeyalgs: [email protected],[email protected],[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: [email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: [email protected],[email protected],[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,[email protected],[email protected],[email protected],[email protected],[email protected],ssh-ed25519,ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected],arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected]
debug2: kex_parse_kexinit: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected],arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected]
debug2: kex_parse_kexinit: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1,[email protected],[email protected],[email protected],[email protected],hmac-md5,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1,[email protected],[email protected],[email protected],[email protected],hmac-md5,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,[email protected],zlib
debug2: kex_parse_kexinit: none,[email protected],zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: [email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ssh-ed25519
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,[email protected],[email protected],[email protected],aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected]
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,[email protected],[email protected],[email protected],aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected]
debug2: kex_parse_kexinit: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-md5,hmac-sha1,[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-md5,hmac-sha1,[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,[email protected]
debug2: kex_parse_kexinit: none,[email protected]
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug1: kex: server->client [email protected]  none
debug1: kex: client->server [email protected]  none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:jGsXPrH3Cl2EWrBRzd4rr72jDeWKugYGPySGAMFL1mU
debug3: put_host_port: xxx
debug3: put_host_port: xxx
debug3: hostkeys_foreach: reading file "/Users/fourstring/.ssh/known_hosts"
debug3: record_hostkey: found key type ECDSA in file /Users/fourstring/.ssh/known_hosts:22
debug3: load_hostkeys: loaded 1 keys from xxx
debug3: hostkeys_foreach: reading file "/Users/fourstring/.ssh/known_hosts"
debug3: record_hostkey: found key type ECDSA in file /Users/fourstring/.ssh/known_hosts:22
debug3: load_hostkeys: loaded 1 keys from xxx
debug1: Host 'xxx' is known and matches the ECDSA host key.
debug1: Found key in /Users/fourstring/.ssh/known_hosts:22
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /Users/fourstring/.ssh/hexo (0x7f9f3b013d70), explicit
debug1: Authentications that can continue: publickey
debug3: start over, passed a different list publickey
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /Users/fourstring/.ssh/hexo
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
Permission denied (publickey).

The strangest part is that, as far as I understand it, I can't see any message in there saying the connection was rejected...

Also, I read that the local username must match the username you log in as on the remote side, but that hasn't been my experience. My root login uses a key generated locally and uploaded to the server, and it works fine. And as the procedure above shows, I generated this key on the server and downloaded it to the local machine.

Any help is appreciated, thanks!
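Added example, not part of the post or of any reply: a pure-Python re-implementation of the two server-side checks that the procedure above depends on, the StrictModes ownership-and-mode rule and the parsing and fingerprinting of authorized_keys, so that what sshd would silently reject can be seen without a running daemon. The ed25519 key it feeds itself is built from fixed bytes and is not a real key pair; the path names, the git@server comment and the command="git-shell" option are assumed for illustration.

```python
"""Re-implementation of two sshd checks so they can be run offline:
the StrictModes ownership/mode rule for $HOME, ~/.ssh and authorized_keys,
and authorized_keys parsing with ssh-keygen -lf style SHA256 fingerprints.
Added example; the ed25519 key in the demo is constructed, not a real key."""
import base64
import hashlib
import os
import stat
import struct

KEY_TYPES = {"ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}

def encode_ssh_string(data):
    """Length-prefixed string as used in SSH wire-format key blobs (RFC 4251)."""
    return struct.pack(">I", len(data)) + data

def decode_ssh_strings(blob):
    """Split a key blob into its length-prefixed strings; raises on truncation."""
    parts, off = [], 0
    while off < len(blob):
        if off + 4 > len(blob):
            raise ValueError("truncated key blob")
        (n,) = struct.unpack(">I", blob[off:off + 4])
        off += 4
        if off + n > len(blob):
            raise ValueError("truncated key blob")
        parts.append(blob[off:off + n])
        off += n
    return parts

def constructed_ed25519_blob(public_bytes):
    """ssh-ed25519 blob from 32 raw bytes: constructed test data, it cannot sign."""
    if len(public_bytes) != 32:
        raise ValueError("ed25519 public keys are 32 bytes")
    return encode_ssh_string(b"ssh-ed25519") + encode_ssh_string(public_bytes)

def fingerprint_sha256(blob):
    """SHA256 fingerprint of a key blob, formatted like ssh-keygen -lf."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def parse_authorized_keys(text):
    """One dict per key line (options, type, blob, comment, fingerprint).
    Blank lines and '#' comments are skipped; everything before the key-type
    token is the options field (e.g. command="git-shell").  A line whose
    declared type differs from the type inside the blob is rejected, as sshd
    rejects it."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        tokens = raw.split()
        if not tokens or tokens[0].startswith("#"):
            continue
        idx = next((i for i, t in enumerate(tokens) if t in KEY_TYPES), None)
        if idx is None or idx + 1 >= len(tokens):
            raise ValueError("line %d: no recognisable key" % lineno)
        ktype = tokens[idx]
        try:
            blob = base64.b64decode(tokens[idx + 1], validate=True)
        except ValueError:
            raise ValueError("line %d: key data is not valid base64" % lineno)
        encoded = decode_ssh_strings(blob)
        if not encoded or encoded[0] != ktype.encode():
            raise ValueError("line %d: declared %s but blob says %r" % (lineno, ktype, encoded[:1]))
        entries.append({"options": " ".join(tokens[:idx]), "type": ktype, "blob": blob,
                        "comment": " ".join(tokens[idx + 2:]),
                        "fingerprint": fingerprint_sha256(blob)})
    return entries

def strict_modes_problems(home, uid=None):
    """Reasons sshd's StrictModes would ignore $HOME/.ssh/authorized_keys:
    the file and each directory up to $HOME must be owned by the user or root
    and must not be group- or world-writable.  Empty list means acceptable."""
    uid = os.getuid() if uid is None else uid
    problems = []
    for path in (home, os.path.join(home, ".ssh"), os.path.join(home, ".ssh", "authorized_keys")):
        try:
            st = os.stat(path)
        except OSError as exc:
            problems.append("%s: %s" % (path, exc.strerror))
            break  # nothing below it can be checked
        if st.st_uid not in (uid, 0):
            problems.append("%s: owned by uid %d, expected %d or root" % (path, st.st_uid, uid))
        if st.st_mode & 0o022:
            problems.append("%s: group/world writable (mode %o)" % (path, stat.S_IMODE(st.st_mode)))
    return problems

def make_demo_home(directory, key_line):
    """Create directory/.ssh/authorized_keys with the modes the post describes (700/600)."""
    ssh_dir = os.path.join(directory, ".ssh")
    os.mkdir(ssh_dir)
    os.chmod(ssh_dir, 0o700)
    path = os.path.join(ssh_dir, "authorized_keys")
    with open(path, "w") as fh:
        fh.write(key_line.rstrip("\n") + "\n")
    os.chmod(path, 0o600)
    return path

if __name__ == "__main__":
    import tempfile
    blob = constructed_ed25519_blob(bytes(range(32)))  # constructed key, not real
    home = tempfile.mkdtemp()
    path = make_demo_home(home, 'command="git-shell" ssh-ed25519 %s git@server'
                          % base64.b64encode(blob).decode())
    with open(path) as fh:
        print(parse_authorized_keys(fh.read())[0]["fingerprint"], "problems:", strict_modes_problems(home))
    os.chmod(os.path.join(home, ".ssh"), 0o770)  # the kind of slip StrictModes catches
    print("after chmod 770 .ssh:", strict_modes_problems(home))
```

On the real server, call `strict_modes_problems("/home/git")` and feed the contents of authorized_keys to `parse_authorized_keys`; the printed fingerprints can be compared with `ssh-keygen -lf` of the public key the client offers (the public half of a private key is printed by `ssh-keygen -yf ~/.ssh/hexo`). The mode rule covers $HOME itself: a home directory that is group-writable fails StrictModes even when .ssh is 0700 and authorized_keys is 0600, and sshd then ignores the file without telling the client why.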


Look at what /var/log/auth.log outputs for you and troubleshoot from that error message.

Don't know. Just watching, waiting for someone else to answer.
I think the OP's description is unclear.

Private key not loaded properly? Normally you start an agent and then ssh-add.

1. Did you restart the remote sshd after changing the config?
2. Is the local private key this one, /Users/fourstring/.ssh/hexo?

There are also requirements on the permissions of the $HOME directory; did you verify those?
A while ago I shared /root into docker and also ran into a pile of ssh problems.

auth.log has no errors at all... I even ran tail -f /var/run/auth.log, and the log did not change at all when the connection failed.

Which part do you find unclear? Please point it out.

The .ssh directory does not need to be created by hand. Also, check that the way you generated the key is correct. This is the most basic feature; it can't possibly be broken!

Is the config file in the .ssh directory supposed to load the private key with the IdentityFile option? If so, I don't think I've misconfigured it.
Also, I compared the -vvv output with that of the root user, who can log in normally; the only difference seems to be the last few lines of the debug output. In the working case, after
debug2: we sent a publickey packet, wait for reply
it receives an auth succeeded reply and drops into the shell.
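Added example, not code from the thread: the comparison made by eye in the reply above, done by a script. A client-side -vvv transcript contains no "rejected" line; the failure is the absence of "Server accepts key" between the "Offering" line and the next "Authentications that can continue". SAMPLE_FAILURE is the tail of the transcript from the original post (hosts still masked as xxx); SAMPLE_SUCCESS is constructed from what a 6.x client prints when the key is accepted and is not from the thread.

```python
"""Triage of `ssh -vvv` output for a failed public-key login (added example).
Reads a transcript, records which identities were offered and whether the
server accepted them, which methods the server permits, and whether the
session ended in "Permission denied", then states the conclusion that the
reader otherwise has to infer from which lines are missing."""
import re

OFFER = re.compile(r"^debug1: Offering (?:\S+ )?public key: (?P<path>\S+)")
ACCEPT = re.compile(r"^debug1: Server accepts key")
CONTINUE = re.compile(r"^debug1: Authentications that can continue: (?P<methods>\S+)")
SUCCESS = re.compile(r"^debug1: Authentication succeeded \((?P<method>[^)]+)\)")
DENIED = re.compile(r"^Permission denied \((?P<methods>[^)]+)\)")
IDENTITY = re.compile(r"^debug1: identity file (?P<path>\S+) type (?P<type>-?\d+)")

def triage_ssh_debug(lines):
    """Summarise an ssh -vvv transcript (an iterable of lines) as a dict."""
    r = {"offered": [], "not_loaded": [], "server_methods": [],
         "succeeded": None, "denied": False}
    for raw in lines:
        line = raw.rstrip()
        m = IDENTITY.match(line)
        if m:
            # type -1 means the client could not load that file; a missing
            # "-cert" companion file is normal and not a problem.
            if m.group("type") == "-1" and not m.group("path").endswith("-cert"):
                r["not_loaded"].append(m.group("path"))
            continue
        m = OFFER.match(line)
        if m:
            r["offered"].append({"path": m.group("path"), "accepted": False})
            continue
        if ACCEPT.match(line) and r["offered"]:
            r["offered"][-1]["accepted"] = True
            continue
        m = CONTINUE.match(line)
        if m:
            r["server_methods"] = m.group("methods").split(",")
            continue
        m = SUCCESS.match(line)
        if m:
            r["succeeded"] = m.group("method")
        elif DENIED.match(line):
            r["denied"] = True
    r["verdict"] = verdict_for(r)
    return r

def verdict_for(r):
    """The conclusion a reader has to infer from which lines are absent."""
    if r["succeeded"]:
        return "login succeeded with %s" % r["succeeded"]
    if not r["denied"]:
        return "transcript ends before authentication finished"
    accepted = [o["path"] for o in r["offered"] if o["accepted"]]
    if accepted:
        return ("server accepted the public key %s but the signature step failed; usually the "
                ".pub next to the private key does not belong to it" % accepted[0])
    if r["offered"]:
        return ("server rejected every offered key (%s): no matching line in authorized_keys, "
                "or StrictModes is ignoring that file; the client gets no explicit message for this"
                % ", ".join(o["path"] for o in r["offered"]))
    if r["not_loaded"]:
        return "no key was offered because the identity file could not be read: %s" % ", ".join(r["not_loaded"])
    return "no key was offered; check IdentityFile/IdentitiesOnly and the agent"

# Tail of the transcript from the post (hosts masked as xxx, as in the post).
SAMPLE_FAILURE = """\
debug1: identity file /Users/fourstring/.ssh/hexo type 1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/fourstring/.ssh/hexo-cert type -1
debug1: Authenticating to xxx as 'git'
debug2: key: /Users/fourstring/.ssh/hexo (0x7f9f3b013d70), explicit
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /Users/fourstring/.ssh/hexo
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
Permission denied (publickey).
"""

# Constructed accepted case (not from the thread): the lines a 6.x client prints.
SAMPLE_SUCCESS = """\
debug1: identity file /Users/fourstring/.ssh/hexo type 1
debug1: Authentications that can continue: publickey
debug1: Offering RSA public key: /Users/fourstring/.ssh/hexo
debug2: we sent a publickey packet, wait for reply
debug1: Server accepts key: pkalg ssh-rsa blen 279
debug1: Authentication succeeded (publickey).
"""

if __name__ == "__main__":
    import sys
    # Usage: ssh -vvv hexo 2>&1 | python3 triage.py ; with no pipe, uses the samples.
    if sys.stdin.isatty():
        for name, text in (("failure", SAMPLE_FAILURE), ("success", SAMPLE_SUCCESS)):
            print(name + ":", triage_ssh_debug(text.splitlines())["verdict"])
    else:
        print(triage_ssh_debug(sys.stdin.read().splitlines())["verdict"])
```

The "accepted but signature failed" branch is the case the thread never reaches; it is included because it is the other silent failure a stale .pub file produces, and it is only distinguishable from the rejected-key case by the presence of the "Server accepts key" line.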

Actually I have not changed the config; those settings are there by default. I also tried restarting sshd, with no effect. The private key is that one, no mistake there.

I added the user with the adduser command, which created the home directory automatically; I just checked again and the permissions on $HOME are correct.

If the .ssh directory is not created by hand, how should it be created? And is generating the key just a matter of running the ssh-keygen command?

See http://blog.sina.com.cn/s/blog_a0e5bf2c01010h1x.html for reference.

Can the regular user log in with a password? Is the regular user's home directory encrypted? If the home directory is encrypted and nobody is logged in locally, the home directory is not mounted and only password login works. root's home directory is not inside the encrypted directory.

Try setting authorized_keys on the remote server to 644?

Password login works. I added the user with adduser; that shouldn't encrypt anything automatically, right? root can access the git user's $HOME normally.

Just tried that; it doesn't seem to help... and /var/run/auth.log shows no permission error either.

Home encryption is an option chosen when installing Ubuntu; check /etc/fstab for an ecryptfs mount point. When root could access it, was that over ssh or on the server console, and was a regular user logged in locally on the server at the time?

Right, the Ubuntu installer does offer that. The thing is, this is a VPS... root can access it fine over ssh. I can't even get at the server console.

Some providers emulate a local terminal in the VM's console. Log in as the regular user and run `w` to see whether there is a tty session.

No... they're all pts?

Post your local .ssh/config and the server's sshd_config.
If you really cannot figure it out, this is the time for sudo apt remove openssh-server --purge && rm -rf ~/.ssh/ and a reinstall following https://help.ubuntu.com/community/SSH/OpenSSH/Keys
Generate the key pair on the client, upload the public key with ssh-copy-id (not sure whether macOS has it), then edit the local .ssh/config, then edit the server's sshd_config to disable password login and root login, and finally install fail2ban.

sshd_config:
# Package generated configuration file
# See the sshd_config(5) manpage for details

# What ports, IPs and protocols we listen for
Port 63842
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes

# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 1024

# Logging
SyslogFacility AUTH
LogLevel INFO

# Authentication:
LoginGraceTime 120
PermitRootLogin yes
StrictModes yes

RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile %h/.ssh/authorized_keys

# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes

# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no

# Change to no to disable tunnelled clear text passwords
PasswordAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no

#MaxStartups 10:30:60
#Banner /etc/issue.net

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

Subsystem sftp /usr/lib/openssh/sftp-server

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes

ssh config:
Host hexo
    HostName xxx
    Port 63842
    User git
    IdentityFile ~/.ssh/hexo

Also, I have tried generating the key on the client and on the server; both fail.
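Added example, not from the thread: the directives in the sshd_config posted above that bear on this kind of failure, with the value to change and the reason. The LogLevel point is a property of sshd rather than anything the thread states: at LogLevel INFO, sshd logs a rejected public-key offer from a valid user only at VERBOSE level until half of MaxAuthTries has been used up, so a single failed attempt leaves auth.log empty; at VERBOSE it logs the fingerprint of every key offered and whether it was accepted. The Match block is an assumed layout for a git-only account and is not something the thread describes.

```text
# Settings to change in the posted /etc/ssh/sshd_config (added example).
# Check with `sshd -t` afterwards, then `service ssh restart` on 14.04.

# was: LogLevel INFO. A rejected key offer from a valid user is not logged
# at INFO; VERBOSE records each offered key's fingerprint and the outcome,
# so auth.log shows which key the client sent and that sshd ignored it.
LogLevel VERBOSE

# was: PermitRootLogin yes. The earlier reply's advice; change it only after
# a non-root key login works, or the box locks itself out.
PermitRootLogin no

# Unchanged and kept deliberately: StrictModes is what makes sshd silently
# skip an authorized_keys whose directory or home is group/world-writable.
StrictModes yes
PubkeyAuthentication yes
AuthorizedKeysFile %h/.ssh/authorized_keys
PasswordAuthentication no

# Assumed layout for the git-only account: keys only, no forwarding.
# Match blocks must come after every global directive.
Match User git
    PasswordAuthentication no
    X11Forwarding no
    AllowTcpForwarding no
```

To watch one attempt on the server side without touching the running daemon, `/usr/sbin/sshd -d -p 2222` starts a single-connection debug instance on another port; connecting with `ssh -p 2222 hexo` (the client config above supplies user and key) then prints, on the server, the reason the key was not used, which is what the later reply did over VNC.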

Try ssh localhost?

Why would I do that...? On the server?

Not the server; the machine you log in to as root. Some servers may have restrictions.

Misread it; yes, on the server.

As I recall, you generate the key locally and then copy the public key to the server.

Put Subsystem after UsePAM, and Subsystem should be at the very end of the config with nothing after it. That is probably the problem. Also, which users are in the sftp group?

I just connected over VNC and started sshd -d to look at the debug output; could you take a look? (It's only a screenshot, I can't copy it out.)

Also, I changed it the way you suggested; no effect.

ヾ(。`Д´。)! This problem ate my whole afternoon; I'm about ready to swear...
I generated another key pair on the server and downloaded the private key to the local machine; at first it still failed.
Then, once I renamed the private key from hexo to something else... it connected! It connected! It bloody connected...

Heh, ignore what I said above.

I have the same problem; what do you mean by renaming the private key?
