Centos

SSH access requires a password on the local network but not on the public one

I have a problem with ssh-ing to another server. I created an ssh key and copied it to the other server.
-bash-4.2$ whoami
postgres
-bash-4.2$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/var/lib/pgsql/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /var/lib/pgsql/.ssh/id_rsa.
Your public key has been saved in /var/lib/pgsql/.ssh/id_rsa.pub.
The key fingerprint is:
96:fd:e7:5b:d2:b0:ac:b3:3e:7b:55:fd:ad:4f:9f:c5 postgres@master.mydomain.com
The key's randomart image is:
+--[ RSA 2048]----+
|                 |
|                 |
|                .|
|              o o|
|        S . . +  |
|        . . . =+ |
|           . =oE |
|          o+o++  |
|         .=*o+o  |
+-----------------+
-bash-4.2$ ssh-copy-id 192.168.2.75
The authenticity of host '192.168.2.75 (192.168.2.75)' can't be established.
ECDSA key fingerprint is 20:00:96:92:ff:a7:00:cb:a1:3a:30:fe:db:dd:55:c6.
Are you sure you want to continue connecting (yes/no)? yes
/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
postgres@192.168.2.75's password:

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh '192.168.2.75'"
and check to make sure that only the key(s) you wanted were added.
But it still asks for a password:

-bash-4.2$ ssh 192.168.2.75
postgres@192.168.2.75's password:
Last login: Thu Mar 31 10:09:45 2016 from 192.168.2.138
-bash-4.2$ whoami
postgres
-bash-4.2$
Hostname of the host being connected to:

-bash-4.2$ hostname
slave.localdomain.tld

Hostname of the connecting host:

-bash-4.2$ hostname
master.localdomain.tld
But I can log in as the root user without a password.

-bash-4.2$ ssh-copy-id root@192.168.2.75
/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@192.168.2.75's password:

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'root@192.168.2.75'"
and check to make sure that only the key(s) you wanted were added.

-bash-4.2$ ssh root@192.168.2.75
Last login: Thu Mar 31 10:10:20 2016 from 192.168.2.138
[root@slave ~]#
I can also log in as the postgres user on the remote server without a password.

-bash-4.2$ ssh-copy-id 108.61.199.64 -p 2222
/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
postgres@108.61.199.64's password:

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh -p '2222' '108.61.199.64'"
and check to make sure that only the key(s) you wanted were added.

-bash-4.2$ ssh 108.61.199.64 -p 2222
Last login: Thu Mar 31 11:08:54 2016 from 78.189.14.197
-bash-4.2$ whoami
postgres
-bash-4.2$ hostname
postgresql.MYDOMAIN.COM
These are the last few lines of the ssh -vvv output:

debug2: we did not send a packet, disable method
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /var/lib/pgsql/.ssh/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Trying private key: /var/lib/pgsql/.ssh/id_dsa
debug3: no such identity: /var/lib/pgsql/.ssh/id_dsa: No such file or directory
debug1: Trying private key: /var/lib/pgsql/.ssh/id_ecdsa
debug3: no such identity: /var/lib/pgsql/.ssh/id_ecdsa: No such file or directory
debug1: Trying private key: /var/lib/pgsql/.ssh/id_ed25519
debug3: no such identity: /var/lib/pgsql/.ssh/id_ed25519: No such file or directory
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred: ,password
debug3: authmethod_is_enabled password
debug1: Next authentication method: password
Can anyone help me with what I am doing wrong?

Edit:

Here are the permissions for the root and postgres users.

[root@localhost pgsql]# ll /var/lib/pgsql/
total 12
dr-xr-x---.  4 postgres postgres   67 Mar 31 09:57 .
drwxr-xr-x. 27 root     root     4096 Mar 31 13:15 ..
-rw-------.  1 postgres postgres 1350 Mar 31 13:02 .bash_history
-rwx------.  1 postgres postgres  268 Mar 30 14:15 .bash_profile
drwx------.  2 postgres postgres   76 Mar 31 10:46 .ssh
drwx------.  4 postgres postgres   48 Mar 31 09:30 9.5
[root@localhost pgsql]# ll /root/
total 32
dr-xr-x---.  4 root root 4096 Mar 31 09:31 .
dr-xr-xr-x. 17 root root 4096 Mar 31 09:37 ..
-rw-------.  1 root root 3389 Mar 31 10:59 .bash_history
-rw-r--r--.  1 root root   18 Dec 29  2013 .bash_logout
-rw-r--r--.  1 root root  176 Dec 29  2013 .bash_profile
-rw-r--r--.  1 root root  176 Dec 29  2013 .bashrc
-rw-r--r--.  1 root root  100 Dec 29  2013 .cshrc
drwxr-----.  3 root root   18 Mar 30 14:14 .pki
drwx------.  2 root root   76 Mar 31 12:51 .ssh
-rw-r--r--.  1 root root  129 Dec 29  2013 .tcshrc
This is /var/log/audit/audit.log when I try to ssh.
[root@localhost pgsql]# cat /var/log/audit/audit.log
type=CRYPTO_KEY_USER msg=audit(1459431065.262:1195): pid=3584 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=2b:3f:aa:b8:46:1d:b8:f9:d7:c2:16:96:67:68:f1:0d direction=? spid=3585 suid=74 exe="/usr/sbin/sshd" hostname=? addr=192.168.2.138 terminal=? res=success'
type=CRYPTO_KEY_USER msg=audit(1459431065.262:1196): pid=3584 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=session fp=? direction=both spid=3585 suid=74 rport=56439 laddr=192.168.2.75 lport=22 exe="/usr/sbin/sshd" hostname=? addr=192.168.2.138 terminal=? res=success'
type=USER_ERR msg=audit(1459431065.263:1197): pid=3584 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:bad_ident grantors=? acct="?" exe="/usr/sbin/sshd" hostname=192.168.2.138 addr=192.168.2.138 terminal=ssh res=failed'
type=CRYPTO_KEY_USER msg=audit(1459431065.264:1198): pid=3584 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=ef:0b:31:91:b7:38:45:42:88:6d:d5:d7:c2:f7:ee:6a direction=? spid=3584 suid=0 exe="/usr/sbin/sshd" hostname=? addr=192.168.2.138 terminal=? res=success'
type=CRYPTO_KEY_USER msg=audit(1459431065.265:1199): pid=3584 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=20:00:96:92:ff:a7:00:cb:a1:3a:30:fe:db:dd:55:c6 direction=? spid=3584 suid=0 exe="/usr/sbin/sshd" hostname=? addr=192.168.2.138 terminal=? res=success'
type=CRYPTO_KEY_USER msg=audit(1459431065.265:1200): pid=3584 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=2b:3f:aa:b8:46:1d:b8:f9:d7:c2:16:96:67:68:f1:0d direction=? spid=3584 suid=0 exe="/usr/sbin/sshd" hostname=? addr=192.168.2.138 terminal=? res=success'
type=USER_LOGIN msg=audit(1459431065.265:1201): pid=3584 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login acct="postgres" exe="/usr/sbin/sshd" hostname=? addr=192.168.2.138 terminal=ssh res=failed'
type=CRYPTO_KEY_USER msg=audit(1459431066.776:1202): pid=3589 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=ef:0b:31:91:b7:38:45:42:88:6d:d5:d7:c2:f7:ee:6a direction=? spid=3589 suid=0 exe="/usr/sbin/sshd" hostname=? addr=192.168.2.138 terminal=? res=success'
type=CRYPTO_KEY_USER msg=audit(1459431066.776:1203): pid=3589 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=20:00:96:92:ff:a7:00:cb:a1:3a:30:fe:db:dd:55:c6 direction=? spid=3589 suid=0 exe="/usr/sbin/sshd" hostname=? addr=192.168.2.138 terminal=? res=success'
type=CRYPTO_KEY_USER msg=audit(1459431066.776:1204): pid=3589 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=2b:3f:aa:b8:46:1d:b8:f9:d7:c2:16:96:67:68:f1:0d direction=? spid=3589 suid=0 exe="/usr/sbin/sshd" hostname=? addr=192.168.2.138 terminal=? res=success'
type=CRYPTO_SESSION msg=audit(1459431066.777:1205): pid=3588 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=start direction=from-server cipher=aes128-ctr ksize=128 mac=hmac-md5-etm@openssh.com pfs=curve25519-sha256@libssh.org spid=3589 suid=74 rport=56440 laddr=192.168.2.75 lport=22 exe="/usr/sbin/sshd" hostname=? addr=192.168.2.138 terminal=? res=success'
type=CRYPTO_SESSION msg=audit(1459431066.777:1206): pid=3588 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=start direction=from-client cipher=aes128-ctr ksize=128 mac=hmac-md5-etm@openssh.com pfs=curve25519-sha256@libssh.org spid=3589 suid=74 rport=56440 laddr=192.168.2.75 lport=22 exe="/usr/sbin/sshd" hostname=? addr=192.168.2.138 terminal=? res=success'
type=AVC msg=audit(1459431066.945:1207): avc: denied { read } for pid=3588 comm="sshd" name="authorized_keys" dev="dm-0" ino=47671 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:postgresql_db_t:s0 tclass=file
type=SYSCALL msg=audit(1459431066.945:1207): arch=c000003e syscall=2 success=no exit=-13 a0=7f1e85e81ac0 a1=800 a2=1 a3=7f1e7fa5e2e0 items=0 ppid=3551 pid=3588 auid=4294967295 uid=0 gid=0 euid=26 suid=0 fsuid=26 egid=26 sgid=0 fsgid=26 tty=(none) ses=4294967295 comm="sshd" exe="/usr/sbin/sshd" subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)
type=USER_AUTH msg=audit(1459431066.945:1208): pid=3588 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=pubkey acct="postgres" exe="/usr/sbin/sshd" hostname=? addr=192.168.2.138 terminal=ssh res=failed'
Note: all three servers are running Centos 7.

Local servers:

CentOS Linux release 7.1.1503 (Core)

Remote server:

CentOS Linux release 7.2.1511 (Core)
The command

restorecon -r -vv /var/lib/pgsql/.ssh

is enough. I think the problem is caused by SELinux. Here is the manual for the restorecon command: http://linux.die.net/man/8/restorecon
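As an added example (not part of the question or the answer), the script below scans audit.log records for the exact denial visible in the question, sshd refused a read on authorized_keys, reports the SELinux type the file actually carries, and prints the restorecon command from the answer. The sample records are constructed from the excerpt above and the function names are this example's own.

```shell
#!/bin/sh
# Added example: find the SELinux denial behind this question in audit.log
# records and point at the relabel fix. Function names are this example's own.

# Constructed sample records, modelled on the audit.log excerpt in the question.
# The last record is an unrelated httpd denial that the filter must ignore.
sample_audit() {
    cat <<'EOF'
type=CRYPTO_SESSION msg=audit(1459431066.777:1205): pid=3588 uid=0 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=start direction=from-server exe="/usr/sbin/sshd" res=success'
type=AVC msg=audit(1459431066.945:1207): avc: denied { read } for pid=3588 comm="sshd" name="authorized_keys" dev="dm-0" ino=47671 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:postgresql_db_t:s0 tclass=file
type=USER_AUTH msg=audit(1459431066.945:1208): pid=3588 uid=0 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=pubkey acct="postgres" exe="/usr/sbin/sshd" addr=192.168.2.138 terminal=ssh res=failed'
type=AVC msg=audit(1459431200.100:1300): avc: denied { write } for pid=4100 comm="httpd" name="index.html" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
EOF
}

# Print the SELinux type (third field of tcontext) of authorized_keys for every
# sshd read denial found on stdin, one per line, duplicates removed.
sshd_key_denial_types() {
    grep 'type=AVC' | grep -F 'comm="sshd"' | grep -F 'name="authorized_keys"' \
      | grep -F '{ read }' \
      | sed -n 's/.*tcontext=[^:]*:[^:]*:\([^:]*\):.*/\1/p' | sort -u
}

# sshd_t is allowed to read user keys when they carry the ssh_home_t type,
# which is what restorecon restores for /var/lib/pgsql/.ssh.
is_expected_ssh_type() {
    [ "$1" = "ssh_home_t" ]
}

# Read audit records on stdin. For each wrongly labelled authorized_keys
# denial, print the type found and the relabel command for the .ssh directory
# given as $1. Prints nothing when no such denial is present.
diagnose_authorized_keys() {
    ssh_dir="$1"
    sshd_key_denial_types | while read -r t; do
        if ! is_expected_ssh_type "$t"; then
            echo "authorized_keys labelled $t (expected ssh_home_t); run: restorecon -r -vv $ssh_dir"
        fi
    done
}

# Stand-alone run over the constructed sample (on a real host pipe in
# /var/log/audit/audit.log instead).
sample_audit | diagnose_authorized_keys /var/lib/pgsql/.ssh
```

On the real host, ls -Z /var/lib/pgsql/.ssh before and after restorecon shows the label changing from postgresql_db_t to ssh_home_t.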