Linux
如何使用 RSA 密鑰設置無密碼 ssh
我正在嘗試在兩台機器之間設置無密碼 SSH 配置,但遇到了問題。那裡有很多我遵循的方法,但都沒有成功。這是我採取的步驟
- 在客戶端上生成身份驗證密鑰。(當提示輸入密碼時按輸入鍵)
[root@box1:.ssh/$] ssh-keygen -t rsa- 將公鑰複製到伺服器。
[root@box1:.ssh/$] scp id_rsa.pub root@box2:.ssh/authorized_keys- 驗證已在伺服器上成功創建授權密鑰
- 執行了以下命令:
[root@box1:.ssh/$] ssh root@box2 ls我仍然被提示輸入密碼。我閱讀了一篇關於“取決於正在執行的 SSH 版本…”的說明(儘管它沒有指定哪些版本需要這個),它可能需要:
- .ssh/authorized_keys2 中的公鑰
- .ssh 到 700 的權限
- .ssh/authorized_keys2 的權限為 640
我也遵循了這些步驟,但沒有成功。我已驗證 home、root 和 .ssh 目錄不可按組寫入(根據https://unix.stackexchange.com/tags/ssh/info)。
有人知道我缺少什麼嗎?
謝謝
編輯:我還使用 ssh-copy-id 命令將公鑰複製到第二個框並生成
.ssh/authorized_keys文件。
[root@box1:.ssh/$] ssh-copy-id -i id_rsa.pub root@box2EDIT2:包括版本資訊
// box1(生成系統密鑰)
- Linux 2.6.34
- OpenSSH_5.5p1 Debian-6,OpenSSL 0.9.8o 2010 年 6 月 1 日
// 盒子2
- Linux 2.6.33
- Dropbear客戶端 v0.52
EDIT3:調試輸出
[root@box1:.ssh/$] ssh -vvv root@box2 ls OpenSSH_5.5p1 Debian-6, OpenSSL 0.9.8o 01 Jun 2010 debug1: Reading configuration data /etc/ssh/ssh_config debug1: Applying options for * debug2: ssh_connect: needpriv 0 debug1: Connecting to box2 [box2] port 22. debug1: Connection established. debug1: permanently_set_uid: 0/0 debug3: Not a RSA1 key file /root/.ssh/id_rsa. debug2: key_type_from_name: unknown key type '-----BEGIN' debug3: key_read: missing keytype debug3: key_read: missing whitespace debug2: key_type_from_name: unknown key type '-----END' debug3: key_read: missing keytype debug1: identity file /root/.ssh/id_rsa type 1 debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-2048 debug1: Checking blacklist file /etc/ssh/blacklist.RSA-2048 debug1: identity file /root/.ssh/id_rsa-cert type -1 debug1: identity file /root/.ssh/id_dsa type -1 debug1: identity file /root/.ssh/id_dsa-cert type -1 debug1: Remote protocol version 2.0, remote software version dropbear_0.52 debug1: no match: dropbear_0.52 debug1: Enabling compatibility mode for protocol 2.0 debug1: Local version string SSH-2.0-OpenSSH_5.5p1 Debian-6 debug2: fd 3 setting O_NONBLOCK debug1: SSH2_MSG_KEXINIT sent debug1: SSH2_MSG_KEXINIT received debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman- group14-sha1,diffie-hellman-group1-sha1 debug2: kex_parse_kexinit: ssh-rsa-cert-v00@openssh.com,ssh-dss-cert-v00@openssh.com,ssh-rsa,ssh-dss debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish- cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysatoe debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish- cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysatoe debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac- sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac- sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: first_kex_follows 0 debug2: kex_parse_kexinit: reserved 0 debug2: kex_parse_kexinit: diffie-hellman-group1-sha1 debug2: kex_parse_kexinit: ssh-rsa,ssh-dss debug2: kex_parse_kexinit: aes128-ctr,3des-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes256-cbc,twofish256-cbc,twofish- cbc,twofish128-cbc,blowfish-cbc debug2: kex_parse_kexinit: aes128-ctr,3des-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes256-cbc,twofish256-cbc,twofish- cbc,twofish128-cbc,blowfish-cbc debug2: kex_parse_kexinit: hmac-sha1-96,hmac-sha1,hmac-md5 debug2: kex_parse_kexinit: hmac-sha1-96,hmac-sha1,hmac-md5 debug2: kex_parse_kexinit: zlib,zlib@openssh.com,none debug2: kex_parse_kexinit: zlib,zlib@openssh.com,none debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: first_kex_follows 0 debug2: kex_parse_kexinit: reserved 0 debug2: mac_setup: found hmac-md5 debug1: kex: server->client aes128-ctr hmac-md5 none debug2: mac_setup: found hmac-md5 debug1: kex: client->server aes128-ctr hmac-md5 none debug2: dh_gen_key: priv key bits set: 132/256 debug2: bits set: 515/1024 debug1: sending SSH2_MSG_KEXDH_INIT debug1: expecting SSH2_MSG_KEXDH_REPLY debug3: check_host_in_hostfile: host 192.168.20.10 filename /root/.ssh/known_hosts debug3: check_host_in_hostfile: host 192.168.20.10 filename /root/.ssh/known_hosts debug3: check_host_in_hostfile: match line 3 debug1: Host 'box2' is known and matches the RSA host key. debug1: Found key in /root/.ssh/known_hosts:3 debug2: bits set: 522/1024 debug1: ssh_rsa_verify: signature correct debug2: kex_derive_keys debug2: set_newkeys: mode 1 debug1: SSH2_MSG_NEWKEYS sent debug1: expecting SSH2_MSG_NEWKEYS debug2: set_newkeys: mode 0 debug1: SSH2_MSG_NEWKEYS received debug1: Roaming not allowed by server debug1: SSH2_MSG_SERVICE_REQUEST sent debug2: service_accept: ssh-userauth debug1: SSH2_MSG_SERVICE_ACCEPT received debug2: key: /root/.ssh/id_rsa (0x54b1c340) debug2: key: /root/.ssh/id_dsa ((nil)) debug1: Authentications that can continue: publickey,password debug3: start over, passed a different list publickey,password debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password debug3: authmethod_lookup publickey debug3: remaining preferred: keyboard-interactive,password debug3: authmethod_is_enabled publickey debug1: Next authentication method: publickey debug1: Offering public key: /root/.ssh/id_rsa debug3: send_pubkey_test debug2: we sent a publickey packet, wait for reply debug1: Authentications that can continue: publickey,password debug1: Trying private key: /root/.ssh/id_dsa debug3: no such identity: /root/.ssh/id_dsa debug2: we did not send a packet, disable method debug3: authmethod_lookup password debug3: remaining preferred: ,password debug3: authmethod_is_enabled password debug1: Next authentication method: passwordEDIT4:另一個有趣的發展。我沒有在box1(執行OpenSSH)上生成密鑰並將它們複製到box2(執行dropbear),而是反向執行:
[root@box2:.ssh/$] dropbearkey -t rsa -f id_rsa[root@box2:.ssh/$] dropbearkey -y -f id_rsa | grep "^ssh-rsa" >> authorized_keys[root@box2:.ssh/$] scp authorized_keys root@box1:.ssh/只有當我指定 ID 文件時,我才能成功地從 box2 到 box1 發出無密碼命令:
[root@box2:.ssh/$] ssh -i id_rsa root@box1 ls仍然無法從 box1 (OpenSSH) 向 box2 (dropbear) 發出命令。
我找到了問題的根源。
/var/log/messages關於奇怪的所有權,有一條模糊的資訊告訴了我。/root所以我檢查了,/root/.ssh和的權限/root/.ssh/*都是正確的(700),但所有權是default.default。我不確定那是怎麼發生的……但我跑了:[root@box1:.ssh/$] chown root.root /root [root@box1:.ssh/$] chown root.root /root/.ssh [root@box1:.ssh/$] chown root.root /root/.ssh/*將所有權更改為 root 和無密碼登錄可以雙向工作。