Resolving an SSH key-pair login problem
[mspore@cloud-5467032f-43b6-435d-9ea9-868472015da0-78b5784f8-ndp7f work]$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/mspore/.ssh/id_rsa):
/home/mspore/.ssh/id_rsa already exists.
Overwrite (y/n)? y
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/mspore/.ssh/id_rsa
Your public key has been saved in /home/mspore/.ssh/id_rsa.pub
The key fingerprint is:
SHA256:8L1iUqVoc/ApRxaJJL70wlNWXIJJ2s68yNW8iH9uO5o mspore@cloud-5467032f-43b6-435d-9ea9-868472015da0-78b5784f8-ndp7f
The key's randomart image is:
+---[RSA 3072]----+
| .oo=+o. |
| . ++.oo |
| + * o . |
| o O @ = |
| = @ S . |
| . B O . . |
| + + + . |
| . ++. |
| E=oo |
+----[SHA256]-----+
[mspore@cloud-5467032f-43b6-435d-9ea9-868472015da0-78b5784f8-ndp7f work]$ ssh-
ssh-add ssh-agent ssh-copy-id ssh-keygen ssh-keyscan
[mspore@cloud-5467032f-43b6-435d-9ea9-868472015da0-78b5784f8-ndp7f work]$ ssh-copy-id mspore@1.9.48.88
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/home/mspore/.ssh/id_rsa.pub"
The authenticity of host '1.9.48.88 (1.9.48.88)' can't be established.
ED25519 key fingerprint is SHA256:yhBGE8ysv5mUuAo6ZawweIWJr80fVJGtpuMtzUZQM+I.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
mspore@1.9.48.88's password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh 'mspore@1.9.48.88'"
and check to make sure that only the key(s) you wanted were added.
[mspore@cloud-5467032f-43b6-435d-9ea9-868472015da0-78b5784f8-ndp7f work]$ ssh 'mspore@1.9.48.88'
mspore@1.9.48.88's password:
Why am I still being asked for a password? Troubleshoot step by step:
- Check the file permissions on the remote server:
# Check the authorized_keys file: it must not be writable by group or others (600 is the usual choice; 644 also works)
ls -la ~/.ssh/authorized_keys
# Expected:
# -rw-------
# Check the .ssh directory: it must be 700
chmod 700 ~/.ssh
# sshd checks the home directory itself as well: it must not be group- or world-writable either
- Verify that the public key was actually added:
# On the remote server, look at authorized_keys
cat ~/.ssh/authorized_keys
# You should see a line like:
# ssh-rsa AAAAB3NzaC1yc2E... mspore@cloud-...
# Compare it with the public key on your local machine
cat ~/.ssh/id_rsa.pub
- Check the sshd configuration:
# On the remote server
sudo grep -E "(PubkeyAuthentication|AuthorizedKeysFile|PasswordAuthentication)" /etc/ssh/sshd_config
# You should see:
# PubkeyAuthentication yes
# AuthorizedKeysFile .ssh/authorized_keys
# PasswordAuthentication no # only once key login works; while it is still failing, leave password login on or you lock yourself out
grep only shows what is written in the main file; sudo sshd -T prints the effective configuration, including drop-in files pulled in by Include directives and the compiled-in defaults for anything not set (PubkeyAuthentication defaults to yes).
- Use SSH debug mode
# Add -v when connecting from the local machine to see the detailed log
ssh -v mspore@1.9.48.88
# The lines to look at:
# debug1: Authentications that can continue: publickey,password
# debug1: Next authentication method: publickey
# debug1: Offering public key: /home/mspore/.ssh/id_rsa RSA SHA256:...
# debug1: Authentications that can continue: publickey
# If the server had accepted the key, the line after "Offering public key" would read "Server accepts key: ..." instead
Debug output:
[mspore@cloud-5467032f-43b6-435d-9ea9-868472015da0-78b5784f8-ndp7f work]$ ssh -v 'mspore@1.9.48.88'
OpenSSH_8.8p1, OpenSSL 1.1.1wa 16 Nov 2023
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Reading configuration data /etc/crypto-policies/back-ends/openssh.config
debug1: /etc/ssh/ssh_config line 64: include /etc/ssh/ssh_config.d/*.conf matched no files
debug1: configuration requests final Match pass
debug1: re-parsing configuration
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Reading configuration data /etc/crypto-policies/back-ends/openssh.config
debug1: /etc/ssh/ssh_config line 64: include /etc/ssh/ssh_config.d/*.conf matched no files
debug1: Authenticator provider $SSH_SK_PROVIDER did not resolve; disabling
debug1: Connecting to 1.9.48.88 [1.9.48.88] port 22.
debug1: Connection established.
debug1: identity file /home/mspore/.ssh/id_rsa type 0
debug1: identity file /home/mspore/.ssh/id_rsa-cert type -1
debug1: identity file /home/mspore/.ssh/id_dsa type -1
debug1: identity file /home/mspore/.ssh/id_dsa-cert type -1
debug1: identity file /home/mspore/.ssh/id_ecdsa type -1
debug1: identity file /home/mspore/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/mspore/.ssh/id_ecdsa_sk type -1
debug1: identity file /home/mspore/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file /home/mspore/.ssh/id_ed25519 type -1
debug1: identity file /home/mspore/.ssh/id_ed25519-cert type -1
debug1: identity file /home/mspore/.ssh/id_ed25519_sk type -1
debug1: identity file /home/mspore/.ssh/id_ed25519_sk-cert type -1
debug1: identity file /home/mspore/.ssh/id_xmss type -1
debug1: identity file /home/mspore/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.8
debug1: Remote protocol version 2.0, remote software version OpenSSH_8.0
debug1: compat_banner: match: OpenSSH_8.0 pat OpenSSH* compat 0x04000000
debug1: Authenticating to 1.9.48.88:22 as 'mspore'
debug1: load_hostkeys: fopen /home/mspore/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ssh-ed25519
debug1: kex: server->client cipher: aes256-gcm@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: aes256-gcm@openssh.com MAC: <implicit> compression: none
debug1: kex: curve25519-sha256 need=32 dh_need=32
debug1: kex: curve25519-sha256 need=32 dh_need=32
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: SSH2_MSG_KEX_ECDH_REPLY received
debug1: Server host key: ssh-ed25519 SHA256:yhBGE8ysv5mUuAo6ZawweIWJr80fVJGtpuMtzUZQM+I
debug1: load_hostkeys: fopen /home/mspore/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: Host '1.9.48.88' is known and matches the ED25519 host key.
debug1: Found key in /home/mspore/.ssh/known_hosts:1
debug1: rekey out after 4294967296 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 4294967296 blocks
debug1: Will attempt key: /home/mspore/.ssh/id_rsa RSA SHA256:8L1iUqVoc/ApRxaJJL70wlNWXIJJ2s68yNW8iH9uO5o
debug1: Will attempt key: /home/mspore/.ssh/id_dsa
debug1: Will attempt key: /home/mspore/.ssh/id_ecdsa
debug1: Will attempt key: /home/mspore/.ssh/id_ecdsa_sk
debug1: Will attempt key: /home/mspore/.ssh/id_ed25519
debug1: Will attempt key: /home/mspore/.ssh/id_ed25519_sk
debug1: Will attempt key: /home/mspore/.ssh/id_xmss
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Next authentication method: gssapi-with-mic
debug1: No credentials were supplied, or the credentials were unavailable or inaccessible
No Kerberos credentials available (default cache: KEYRING:persistent:1000)
debug1: No credentials were supplied, or the credentials were unavailable or inaccessible
No Kerberos credentials available (default cache: KEYRING:persistent:1000)
debug1: Next authentication method: publickey
debug1: Offering public key: /home/mspore/.ssh/id_rsa RSA SHA256:8L1iUqVoc/ApRxaJJL70wlNWXIJJ2s68yNW8iH9uO5o
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Trying private key: /home/mspore/.ssh/id_dsa
debug1: Trying private key: /home/mspore/.ssh/id_ecdsa
debug1: Trying private key: /home/mspore/.ssh/id_ecdsa_sk
debug1: Trying private key: /home/mspore/.ssh/id_ed25519
debug1: Trying private key: /home/mspore/.ssh/id_ed25519_sk
debug1: Trying private key: /home/mspore/.ssh/id_xmss
debug1: Next authentication method: password
mspore@1.9.48.88's password:
The debug log shows that the client did try public-key authentication and that the server rejected it. The two key lines:
debug1: Offering public key: /home/mspore/.ssh/id_rsa RSA SHA256:8L1iUqVoc/ApRxaJJL70wlNWXIJJ2s68yNW8iH9uO5o
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
The server never answered the offer with "Server accepts key:"; it replied straight away with another failure listing the methods that can continue. So the key was not accepted at all (the client never got as far as signing with the private key), and the client fell through to password authentication. sshd rejects an offered key like this when it cannot find it in authorized_keys, or when it refuses to read the file in the first place, for example because StrictModes does not like the ownership or permissions of the file or the directories above it.
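To make that reading of the log mechanical, here is an added example (not code from the original post) that reads ssh -v output and labels each offered identity as accepted or rejected. The sample data reuses the rejected RSA offer from the log above and adds a constructed ed25519 offer, with a made-up fingerprint, to show what the accepted case looks like.

```shell
#!/bin/sh
# Read "ssh -v" output and report, for each identity the client offered,
# whether the server accepted it. After "Offering public key:" the OpenSSH
# client prints "Server accepts key:" when sshd answers with
# SSH_MSG_USERAUTH_PK_OK; if the next authentication line is instead
# "Authentications that can continue:", sshd rejected the key without ever
# asking the client for a signature.
# Added example, not code from the original post.
classify_pubkey_offers() {
    awk '
        /debug1: Offering public key: / {
            sub(/.*Offering public key: /, "")
            key = $0
            next
        }
        key != "" && /debug1: Server accepts key: / {
            print "ACCEPTED " key; key = ""; next
        }
        key != "" && /debug1: Authentications that can continue: / {
            print "REJECTED " key; key = ""; next
        }
    ' "$@"
}

# Constructed sample: the rejected RSA offer from the log above, plus a
# hypothetical ed25519 offer that the server accepts (fingerprint made up).
sample_ssh_v_output() {
    cat <<'EOF'
debug1: Next authentication method: publickey
debug1: Offering public key: /home/mspore/.ssh/id_rsa RSA SHA256:8L1iUqVoc/ApRxaJJL70wlNWXIJJ2s68yNW8iH9uO5o
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Trying private key: /home/mspore/.ssh/id_dsa
debug1: Offering public key: /home/mspore/.ssh/id_ed25519 ED25519 SHA256:EXAMPLEfingerprint0000000000000000000000000
debug1: Server accepts key: /home/mspore/.ssh/id_ed25519 ED25519 SHA256:EXAMPLEfingerprint0000000000000000000000000
debug1: Authentication succeeded (publickey).
EOF
}

# Run on the sample. Against a real host: ssh -v user@host 2>&1 | classify_pubkey_offers
sample_ssh_v_output | classify_pubkey_offers
```

The "Trying private key:" lines are for identity files that do not exist on the client (type -1 in the log above); nothing is sent for them, so they are ignored.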
- Verify that the public key on the remote server is the right one:
# On the local machine, print the fingerprint of your public key
ssh-keygen -lf ~/.ssh/id_rsa.pub
# Expected output: SHA256:8L1iUqVoc/ApRxaJJL70wlNWXIJJ2s68yNW8iH9uO5o (the fingerprint ssh-keygen printed at generation time, and the one the client offers in the debug log)
# Log in to the remote server
cat ~/.ssh/authorized_keys
# Print the fingerprint of every key in authorized_keys and look for the same value
ssh-keygen -lf ~/.ssh/authorized_keys
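ssh-keygen -lf answers the question by fingerprint. As an added example (not code from the original post), the following script does the same comparison on the text of the files, matching only the key type and base64 blob, so that a different comment (user@host) or an options prefix on the authorized_keys line neither hides a match nor fakes one. The file names are assumptions and the key material is constructed; the blobs are not real keys.

```shell
#!/bin/sh
# Compare a local public key against a copy of the remote authorized_keys by
# key type and base64 blob only, ignoring the trailing comment and any leading
# options field such as from="..." or no-pty. A mismatch reported here is a
# real one, not a cosmetic difference in the comment.
# Added example, not code from the original post; file names are assumptions.

# Print "type blob" for the first key line in a public-key file.
pubkey_type_and_blob() {
    awk 'NF >= 2 && $1 !~ /^#/ { print $1, $2; exit }' "$1"
}

# Print one "type blob" pair per key line of an authorized_keys file. The key
# type is located by its prefix so that an options field before it is skipped
# (a quoted option containing a word that starts with "ssh-" would fool this).
authorized_keys_type_and_blob() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }
        {
            for (i = 1; i < NF; i++)
                if ($i ~ /^(ssh-|ecdsa-|sk-)/) { print $i, $(i + 1); break }
        }' "$1"
}

# Return 0 if the key in public-key file $1 is present in authorized_keys $2,
# 1 if it is absent, 2 if $1 contains no key line.
key_is_authorized() {
    _want=$(pubkey_type_and_blob "$1")
    [ -n "$_want" ] || return 2
    authorized_keys_type_and_blob "$2" | grep -qxF "$_want"
}

# Constructed sample data (these are not real keys) so the check runs offline.
write_sample_files() {
    printf '%s\n' \
        'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLE0000000000000000000000000000000000 mspore@laptop' \
        > "$1/id_ed25519.pub"
    cat > "$1/authorized_keys" <<'EOF'
# keys for mspore
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQEXAMPLE1111111111111111111111111111111111 mspore@cloud-old
from="10.0.0.0/8",no-pty ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLE0000000000000000000000000000000000 restricted
EOF
}

# Demo: the sample key matches although its comment differs and the
# authorized_keys line carries options.
demo() {
    _d=$(mktemp -d "${TMPDIR:-/tmp}/akcheck.XXXXXX") || return 1
    write_sample_files "$_d"
    if key_is_authorized "$_d/id_ed25519.pub" "$_d/authorized_keys"; then
        echo "key present (comment and options ignored)"
    else
        echo "key absent: re-run ssh-copy-id or append the .pub line"
    fi
    rm -rf "$_d"
}

demo
```

To use it against a real server, copy the remote ~/.ssh/authorized_keys somewhere local (scp, or paste it into a file) and call key_is_authorized ~/.ssh/id_rsa.pub that-copy.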
- Check the server-side log
# On the remote server, follow the SSH authentication log
sudo tail -f /var/log/secure # CentOS/RHEL
# or
sudo tail -f /var/log/auth.log # Ubuntu/Debian
# Then try to connect from the local machine and watch what gets logged
On systemd hosts without a syslog daemon the same messages are in journalctl -u sshd (the unit is called ssh on Debian/Ubuntu). Typical messages include:
Authentication refused: bad ownership or modes for directory ...
Failed publickey for mspore from ...
User mspore not allowed because account is locked
- SELinux (common on CentOS/RHEL):
# On the remote server
sudo getenforce
# If it prints Enforcing, try switching enforcement off temporarily as a test
sudo setenforce 0
# If the login works with it off, the file contexts under .ssh are wrong; restore them
sudo restorecon -R -v /home/mspore/.ssh
Turn enforcement back on afterwards (setenforce 1); leaving it off is not a fix. Checking the audit log for AVC denials (ausearch -m avc) is the less disruptive way to confirm an SELinux problem before disabling anything on a production host.
Server log:
Dec 31 12:46:41 iecs sshd[82464]: Authentication refused: bad ownership or modes for directory /home/mspore
This error is unambiguous: the permissions on /home/mspore are wrong.
sshd is strict about this on purpose. With StrictModes (the default) it refuses to read authorized_keys when the file, the .ssh directory or the home directory is writable by group or others, or is owned by anyone other than the user or root; otherwise any account that can write there could plant its own key and log in as the user. Fix the directory permissions (run on the remote server):
# Check the current permissions
ls -ld /home/mspore
# Here it showed drwxrwxr-x (775); a healthy home directory shows drwxr-xr-x (755). The group-write bit is the problem
# Fix the permissions (must be 755 or 700)
sudo chmod 755 /home/mspore
The permission structure sshd requires:
/home/mspore/ # must be 755 or 700: no write permission for group or others
└── .ssh/ # must be 700
    └── authorized_keys # must be 600 or 644
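The following script is an added example, not code from the original post or from OpenSSH. It is modelled on the StrictModes walk sshd performs (secure_filename() in OpenSSH's misc.c): the authorized_keys file first, then each parent directory up to and including the home directory, each of which must be owned by the user or by root and have neither the group-write nor the other-write bit set. On the remote host, check_authorized_keys "$HOME" "$(id -u)" names the offending entry without waiting for the server log; the demo at the end rebuilds the 775 home directory from this post in a temporary tree rather than touching a real one.

```shell
#!/bin/sh
# Emulation of the sshd StrictModes check behind the log line
# "bad ownership or modes for directory ..." (secure_filename() in OpenSSH
# misc.c): authorized_keys itself, then every directory above it up to and
# including the home directory, must be owned by the login user or by root
# and must not be writable by group or others.
# Added example, not code from the original post or from OpenSSH.

# Return 0 if PATH ($1) is owned by uid $2 or by root (uid 0) and has neither
# the group-write nor the other-write bit set. Uses "ls -ldn" (numeric ids)
# rather than stat(1), whose format options differ between GNU and BSD.
entry_is_secure() {
    _path=$1
    _uid=$2
    _info=$(ls -ldn "$_path" 2>/dev/null) || return 1
    set -- $_info              # $1 = mode string, $3 = numeric owner uid
    _mode=$1
    _owner=$3
    [ "$_owner" = 0 ] || [ "$_owner" = "$_uid" ] || return 1
    case "$_mode" in
        ?????w*)    return 1 ;;   # character 6: group write bit
        ????????w*) return 1 ;;   # character 9: other write bit
    esac
    return 0
}

# Walk the chain the way sshd does. Prints "ok" and returns 0, or prints the
# sshd-style message for the first offending entry and returns 1.
# Usage: check_authorized_keys <home directory> <numeric uid>
check_authorized_keys() {
    _home=$1
    _want=$2
    _file="$_home/.ssh/authorized_keys"
    if ! entry_is_secure "$_file" "$_want"; then
        echo "bad ownership or modes for file $_file"
        return 1
    fi
    _dir=$(dirname "$_file")
    while :; do
        if ! entry_is_secure "$_dir" "$_want"; then
            echo "bad ownership or modes for directory $_dir"
            return 1
        fi
        [ "$_dir" = "$_home" ] && break
        [ "$_dir" = / ] && break
        _dir=$(dirname "$_dir")
    done
    echo ok
    return 0
}

# Demonstration on a constructed tree under $TMPDIR, not a real home
# directory: reproduce the 775 home directory from the post, then apply the fix.
demo() {
    _tmp=$(mktemp -d "${TMPDIR:-/tmp}/sshperm.XXXXXX") || return 1
    mkdir -p "$_tmp/mspore/.ssh"
    : > "$_tmp/mspore/.ssh/authorized_keys"
    chmod 700 "$_tmp/mspore/.ssh"
    chmod 600 "$_tmp/mspore/.ssh/authorized_keys"
    chmod 775 "$_tmp/mspore"                                  # the broken state
    check_authorized_keys "$_tmp/mspore" "$(id -u)" || true   # -> bad ownership or modes for directory .../mspore
    chmod 755 "$_tmp/mspore"                                  # the fix
    check_authorized_keys "$_tmp/mspore" "$(id -u)"           # -> ok
    rm -rf "$_tmp"
}

demo
```

Like sshd, the walk stops at the home directory, so a group-writable /home does not trip it; it also checks by uid, which is why a tree rsynced in as root still passes the ownership test (root is always allowed) and fails only on the mode bits, exactly as in the log above.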
Thinking back, this was probably caused by rsyncing a pile of files and directories from another machine as root into /home/mspore while preserving the original permissions, or by an accidental change (on the other machines the permission on /home/mspore is the normal 700).
[Disclaimer] This content comes from a blogger of the Huawei Cloud developer community and does not represent the views or positions of Huawei Cloud or the Huawei Cloud developer community. When reposting, the source (Huawei Cloud community), the article link, the author and other basic information must be credited; otherwise the author and the community reserve the right to pursue liability. If you find content in this community that appears to be plagiarized, please report it by e-mail with supporting evidence; once verified, the community will remove the infringing content immediately. Report e-mail:
cloudbbs@huaweicloud.com