Ssh
無法使用公鑰訪問遠端伺服器
我在Google廣泛搜尋以創建公鑰和訪問伺服器後發布這個問題
public key,我仍然無法解決這個問題,因為我遇到了錯誤。OpenSSH_7.4p1, OpenSSL 1.0.2k-fips 26 Jan 2017 debug1: Reading configuration data /etc/ssh/ssh_config debug1: /etc/ssh/ssh_config line 58: Applying options for * debug2: resolving "192.168.12.2" port 22 debug2: ssh_connect_direct: needpriv 0 debug1: Connecting to 192.168.12.2 [192.168.12.2] port 22. debug1: Connection established. debug1: identity file .ssh/authorized_keys type 1 debug1: key_load_public: No such file or directory debug1: identity file .ssh/authorized_keys-cert type -1 debug1: Enabling compatibility mode for protocol 2.0 debug1: Local version string SSH-2.0-OpenSSH_7.4 debug1: Remote protocol version 2.0, remote software version OpenSSH_7.4 debug1: match: OpenSSH_7.4 pat OpenSSH* compat 0x04000000 debug2: fd 3 setting O_NONBLOCK debug1: Authenticating to 192.168.12.2:22 as 'ansible' debug1: SSH2_MSG_KEXINIT sent debug1: SSH2_MSG_KEXINIT received debug2: local client KEXINIT proposal debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1,ext-info-c debug2: host key algorithms: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa,ssh-dss debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1 debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1 debug2: compression ctos: none,zlib@openssh.com,zlib debug2: compression stoc: none,zlib@openssh.com,zlib debug2: languages ctos: debug2: languages stoc: debug2: first_kex_follows 0 debug2: reserved 0 debug2: peer server KEXINIT proposal debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 debug2: host key algorithms: ssh-rsa,rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519 debug2: ciphers ctos: aes128-ctr,aes192-ctr,aes256-ctr debug2: ciphers stoc: aes128-ctr,aes192-ctr,aes256-ctr debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1 debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1 debug2: compression ctos: none,zlib@openssh.com debug2: compression stoc: none,zlib@openssh.com debug2: languages ctos: debug2: languages stoc: debug2: first_kex_follows 0 debug2: reserved 0 debug1: kex: algorithm: curve25519-sha256 debug1: kex: host key algorithm: ecdsa-sha2-nistp256 debug1: kex: server->client cipher: aes128-ctr MAC: umac-64-etm@openssh.com compression: none debug1: kex: client->server cipher: aes128-ctr MAC: umac-64-etm@openssh.com compression: none debug1: kex: curve25519-sha256 need=16 dh_need=16 debug1: kex: curve25519-sha256 need=16 dh_need=16 debug1: expecting SSH2_MSG_KEX_ECDH_REPLY debug1: Server host key: ecdsa-sha2-nistp256 SHA256:YTd6SSDMsb3Qhn8EoF/otK+TY6DSAsahYvZxFErZJnQ debug1: Host '192.168.12.2' is known and matches the ECDSA host key. debug1: Found key in /home/ansible/.ssh/known_hosts:1 debug2: set_newkeys: mode 1 debug1: rekey after 4294967296 blocks debug1: SSH2_MSG_NEWKEYS sent debug1: expecting SSH2_MSG_NEWKEYS debug1: SSH2_MSG_NEWKEYS received debug2: set_newkeys: mode 0 debug1: rekey after 4294967296 blocks debug2: key: .ssh/authorized_keys (0x560667b2de80), explicit debug1: SSH2_MSG_EXT_INFO received debug1: kex_input_ext_info: server-sig-algs=<rsa-sha2-256,rsa-sha2-512> debug2: service_accept: ssh-userauth debug1: SSH2_MSG_SERVICE_ACCEPT received This system is for the use of authorised users only. debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password debug1: Next authentication method: gssapi-keyex debug1: No valid Key exchange context debug2: we did not send a packet, disable method debug1: Next authentication method: gssapi-with-mic debug1: Unspecified GSS failure. Minor code may provide more information No Kerberos credentials available (default cache: KEYRING:persistent:1003) debug1: Unspecified GSS failure. Minor code may provide more information No Kerberos credentials available (default cache: KEYRING:persistent:1003) debug2: we did not send a packet, disable method debug1: Next authentication method: publickey debug1: Offering RSA public key: .ssh/authorized_keys debug2: we sent a publickey packet, wait for reply debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password debug2: we did not send a packet, disable method debug1: No more authentication methods to try. Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
server side - 192.168.12.2 - user:ansiblechmod 700 .ssh/ chmod 600 .ssh/* ssh-keygen ssh-copy-id -i ~/.ssh/id_rsa.pub ansible@192.168.12.10 /sbin/restorecon -r .ssh/
client side - 192.168.12.10 - user:ansiblechmod 700 .ssh/ chmod 600 .ssh/* /sbin/restorecon -r .ssh/ /sbin/restorecon -r .ssh ssh -vv -i .ssh/authorized_keys -o PasswordAuthentication=no ansible@192.168.12.2在 sshd_config 文件中,
PubkeyAuthentication yes在客戶端和伺服器端都設置。在生成密鑰時,已經為伺服器驗證了使用者憑據,並且多次嘗試使用密碼和沒有密碼……但沒有運氣。
發現的大多數問題都是
user ownership.. 我確保雙方使用者的 .ssh/ 目錄及其文件都擁有使用者所有權,.ssh/ 目錄為 700,.ssh/ 文件為 600。
restorecon試過但沒有運氣。正如建議的那樣,我已經在伺服器端驗證了審計日誌,發現了這個。
type=USER_AUTH msg=audit(1593508901.404:87844): pid=26089 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=pubkey acct="ansible" exe="/usr/sbin/sshd" hostname=? addr=192.168.12.10 terminal=ssh res=failed' type=USER_ERR msg=audit(1593508901.408:87847): pid=26089 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:bad_ident grantors=? acct="?" exe="/usr/sbin/sshd" hostname=localhost addr=192.168.12.10 terminal=ssh res=failed' type=USER_LOGIN msg=audit(1593508901.409:87851): pid=26089 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login acct="ansible" exe="/usr/sbin/sshd" hostname=? addr=192.168.12.10 terminal=ssh res=failed'並
journalctl _COMM=sshd在伺服器顯示如下。Jun 30 10:21:41 localhost sshd[26089]: Connection closed by 192.168.12.10 port 47944 [preauth]
有一個混亂
ssh -vv -i .ssh/authorized_keys -o PasswordAuthentication=no ansible@192.168.12.2
authorized_keys是您允許連接的公鑰列表。此文件應設置在伺服器端。
您必須使用您的私鑰進行連接,可能
ssh -i .ssh/id_rsa ansible@192.168.12.2第 1 步(客戶)
使用使用者 ansible 連接到 192.168.12.10 並鍵入:
mkdir .ssh ; chmod go-rwx .ssh ; cd .ssh ssh-keygen -t rsa接受預設選項,不設置密碼。
只做一個,如果已經有一對密鑰就不要做。
如果知道 ansible 的密碼,請使用複製文件 id_rsa.pub
scp id_rsa.pub ansible@192.168.12.2:.ssh/id_rsa_ansible.pub第一次從 192.168.12.10 ssh 或 scp 到 192.168.12.2 時,您將看到一個確認對話框。
ansible@192.168.12.2:hosts.ansible The authenticity of host '192.168.12.10' can't be established. RSA key fingerprint is 89:dc:fe:d6:4a:40:28:e5:e9:d0:bd:09:28:01:93:23. Are you sure you want to continue connecting (yes/no)? y如果密碼未知或未設置,請使用 putty 緩衝區從 id_rsa.pub 複製該行
第 2 步(伺服器)
使用使用者 ansible 連接到 192.168.12.2
mkdir .ssh ; chmod go-rwx .ssh ; cd .ssh創建授權文件
cat id_rsa_ansible.pub >> authorized_keys或從 ansible 複製/粘貼 id_rsa.pub 文件的內容
授權密鑰必須:
- 屬於ansible(或root)
chown ansible authorized_keys
- ansible 必須是唯一的作家 (rw-r–r–)
chmod 644 authorized_keys確認
使用使用者 ansible 連接到 192.168.12.10
ssh ansible@192.168.12.2您應該無需輸入密碼即可連接
我已經有一個詳細說明這些步驟的網頁(法語和英語),您可以輸入使用者名和主機名。
