Private and public keys in the same directory cause ssh to fail

I ran into a very strange problem while trying to connect to a remote server with SSH.

I'm doing this from the command line, with both the private and the public key in my current directory. They are named id_rsa and id_rsa.pub respectively. I've verified via the fingerprints that the public and private keys match.

When I issue the following command:

ssh -vT -i ./id_rsa user@remotehost

I get the following error: Permission denied (publickey).

However, if I rename id_rsa.pub to something else, it works fine. What could be causing this? Is it a setting on the remote server that causes this?

The -vT output when I have id_rsa.pub in the same directory (and it fails) is:

OpenSSH_6.1p1, OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 50: Applying options for *
debug1: Connecting to remotehost port 22.
debug1: Connection established.
debug1: identity file ./id_rsa type 1
debug1: identity file ./id_rsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3p1 Debian-3ubuntu7
debug1: match: OpenSSH_5.3p1 Debian-3ubuntu7 pat OpenSSH_5*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Server host key: RSA <removed>
debug1: Host remotehost is known and matches the RSA host key.
debug1: Found key in /home/user/.ssh/known_hosts:10
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
Ubuntu 10.04.4 LTS
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: ./id_rsa
debug1: Authentications that can continue: publickey
debug1: No more authentication methods to try.
Permission denied (publickey).

The debug output when I rename id_rsa.pub is:

OpenSSH_6.1p1, OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 50: Applying options for *
debug1: Connecting to remotehost port 22.
debug1: Connection established.
debug1: identity file ./id_rsa type -1
debug1: identity file ./id_rsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3p1 Debian-3ubuntu7
debug1: match: OpenSSH_5.3p1 Debian-3ubuntu7 pat OpenSSH_5*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Server host key: RSA <removed>
debug1: Host remotehost is known and matches the RSA host key.
debug1: Found key in /home/user/.ssh/known_hosts:10
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
Ubuntu 10.04.4 LTS
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Trying private key: ./id_rsa
debug1: key_parse_private_pem: PEM_read_PrivateKey failed
debug1: read PEM private key done: type <unknown>
Enter passphrase for key './id_rsa':
debug1: read PEM private key done: type RSA
debug1: Authentication succeeded (publickey).
Authenticated to reoteserver:22).
debug1: channel 0: new [client-session]
debug1: Requesting [email protected]
debug1: Entering interactive session.
debug1: Sending environment.
debug1: Sending env LANG = en_US.UTF-8

Answer 1

I was able to reproduce your symptoms by using a public key and a private key that do not match each other. Even when both keys are allowed by authorized_keys, the login fails when the public and private key do not match.

As far as I can tell, the following happens.

  1. The client notices that the private key is encrypted
  2. The client reads the public key file
  3. The client offers this key to the server
  4. The server accepts the public key
  5. The client prompts for the passphrase
  6. The user enters the passphrase
  7. The client continues authentication with the mismatched private key

When you remove the public key, the client asks for the passphrase without knowing whether the server will accept the key. This means you may end up being asked for the private key's passphrase only to find that the server won't accept it anyway.
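Answer 1 turns on the .pub beside the private key not actually matching it. Here is a check for that, written as an added example for this page rather than code from the question or from OpenSSH: it decodes a .pub line and the cleartext public section of an openssh-key-v1 private key, compares the two blobs, and prints the SHA256 fingerprint form that ssh-keygen -l shows. The key material is constructed from the RFC 8032 Ed25519 test vectors (public test data, not anyone's real key) and the file layout is assembled in code. The asker's keys were RSA in the legacy PEM format, where the private file carries no readable public part (which is exactly why the client reads the neighbouring .pub); for such keys the equivalent check is to compare the output of ssh-keygen -y -f id_rsa with id_rsa.pub.

```python
import base64
import hashlib
import struct

# Constructed sample key material: RFC 8032 section 7.1 Ed25519 test vectors
# (public test data, not anyone's real key). TEST1 is the private key's seed and
# public key; TEST2_PUB stands in for a stale or foreign .pub file.
TEST1_SEED = bytes.fromhex("9d61b19deffd5a60ba844af492ec2cc44449c5697b326919703bac031cae7f60")
TEST1_PUB = bytes.fromhex("d75a980182b10ab7d54bfed3c964073a0ee172f3daa62325af021a68f707511a")
TEST2_PUB = bytes.fromhex("3d4017c3e843895a92b70aa74d1b7ebc9c982ccf2ec4968cc0cd55f12af4660c")


def ssh_string(b: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def read_string(buf: bytes, off: int):
    """Read one SSH wire-format string at offset off; return (bytes, new offset)."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n


def ed25519_public_blob(pub: bytes) -> bytes:
    """The blob that appears base64-encoded in an ssh-ed25519 .pub line."""
    return ssh_string(b"ssh-ed25519") + ssh_string(pub)


def build_private_key_file(seed: bytes, pub: bytes, comment: bytes = b"constructed") -> str:
    """Assemble an unencrypted openssh-key-v1 private key file (constructed sample)."""
    priv = ssh_string(b"ssh-ed25519") + ssh_string(pub) + ssh_string(seed + pub) + ssh_string(comment)
    priv = b"\x01\x02\x03\x04" * 2 + priv  # two identical check ints precede the key
    pad = 1
    while len(priv) % 8:  # pad to the 8-byte block of cipher "none"
        priv += bytes([pad])
        pad += 1
    body = (b"openssh-key-v1\x00" + ssh_string(b"none") + ssh_string(b"none") + ssh_string(b"")
            + struct.pack(">I", 1) + ssh_string(ed25519_public_blob(pub)) + ssh_string(priv))
    b64 = base64.b64encode(body).decode()
    lines = [b64[i:i + 70] for i in range(0, len(b64), 70)]
    return "-----BEGIN OPENSSH PRIVATE KEY-----\n" + "\n".join(lines) + "\n-----END OPENSSH PRIVATE KEY-----\n"


def public_blob_from_private(text: str) -> bytes:
    """Extract the public key blob stored in cleartext in an openssh-key-v1 file.
    That section is never encrypted, so no passphrase is needed for this check."""
    lines = [ln for ln in text.strip().splitlines() if not ln.startswith("-----")]
    body = base64.b64decode("".join(lines))
    magic = b"openssh-key-v1\x00"
    if not body.startswith(magic):
        raise ValueError("not an openssh-key-v1 file (legacy PEM keys have no cleartext public part)")
    off = len(magic)
    _cipher, off = read_string(body, off)
    _kdf, off = read_string(body, off)
    _kdf_options, off = read_string(body, off)
    (nkeys,) = struct.unpack(">I", body[off:off + 4])
    off += 4
    if nkeys != 1:
        raise ValueError(f"expected one key, found {nkeys}")
    blob, _ = read_string(body, off)
    return blob


def public_blob_from_pub_line(line: str) -> bytes:
    """Decode a 'type base64 comment' line and check the type prefix agrees with the blob."""
    key_type, b64 = line.split()[:2]
    blob = base64.b64decode(b64)
    blob_type, _ = read_string(blob, 0)
    if blob_type != key_type.encode():
        raise ValueError(f"{key_type} line carries a {blob_type.decode()} blob")
    return blob


def fingerprint(blob: bytes) -> str:
    """Same SHA256 fingerprint format that ssh-keygen -l prints."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def keys_match(private_text: str, pub_line: str) -> bool:
    """True only if the .pub line carries exactly the public key embedded in the private key."""
    return public_blob_from_private(private_text) == public_blob_from_pub_line(pub_line)


# Constructed files standing in for ./id_rsa, a matching ./id_rsa.pub and a stale one.
PRIVATE_FILE = build_private_key_file(TEST1_SEED, TEST1_PUB)
MATCHING_PUB = "ssh-ed25519 " + base64.b64encode(ed25519_public_blob(TEST1_PUB)).decode() + " constructed"
STALE_PUB = "ssh-ed25519 " + base64.b64encode(ed25519_public_blob(TEST2_PUB)).decode() + " constructed"

if __name__ == "__main__":
    print("private key  ->", fingerprint(public_blob_from_private(PRIVATE_FILE)))
    print("matching .pub->", fingerprint(public_blob_from_pub_line(MATCHING_PUB)), keys_match(PRIVATE_FILE, MATCHING_PUB))
    print("stale .pub   ->", fingerprint(public_blob_from_pub_line(STALE_PUB)), keys_match(PRIVATE_FILE, STALE_PUB))
```

Comparing the blobs byte for byte is stricter than eyeballing fingerprints: it also catches a .pub whose type prefix disagrees with its blob, which the loader would reject just as it rejects a missing file.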

Answer 2

This may be a bug in OpenSSH, or the key in authorized_keys on the server and your private key simply do not match. In the successful authentication you get

debug1: identity file ./id_rsa type -1

This means OpenSSH could not load the identity file (I think the public key) at that stage. In the key-loading part of the source code there is this fragment (authfile.c):

/* try ssh2 public key */
pub = key_new(KEY_UNSPEC);
if (key_try_load_public(pub, filename, commentp) == 1)
    return pub;
if ((strlcpy(file, filename, sizeof file) < sizeof(file)) &&
    (strlcat(file, ".pub", sizeof file) < sizeof(file)) &&
    (key_try_load_public(pub, file, commentp) == 1))
    return pub;

This means OpenSSH will try to load what is given in the -i argument + ".pub" as the public key, and succeeds, as the log shows. If there is no public key with the ".pub" suffix in the current directory, this fails. Later, when authenticating (sshconnect2.c):

/*
 * send a test message if we have the public key. for
 * encrypted keys we cannot do this and have to load the
 * private key instead
 */
    if (id->key && id->key->type != KEY_RSA1) {
        debug("Offering %s public key: %s", key_type(id->key),
            id->filename);
        sent = send_pubkey_test(authctxt, id);
    } else if (id->key == NULL) {
        debug("Trying private key: %s", id->filename);
        id->key = load_identity_file(id->filename);
        if (id->key != NULL) {
            id->isprivate = 1;
            sent = sign_and_send_pubkey(authctxt, id);
            key_free(id->key);
            id->key = NULL;
        }
    }

If the public key exists, OpenSSH sends it as a test message (?), which for some reason fails. If no public key was preloaded, it tries the private key and succeeds.

I don't know why the public key fails (if I have time I will try to find out more). There may be some mismatch in how the files are handled compared to the other path, .ssh/, or some mismatch with your keys after all.
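To make the lookup order that answer 2 quotes concrete, here is a small model of it, added for this page and not code from OpenSSH or from the answer. A constructed in-memory directory stands in for the asker's working directory; try_load_public mimics key_try_load_public by accepting only a "type base64" line whose blob begins with that type; load_identity_public tries the -i path itself and then path + ".pub", in that order; and client_branch reports which sshconnect2.c branch runs as the debug1 line ssh -v prints for it. The key blobs are placeholders and no cryptography is performed.

```python
import base64
import struct

# Constructed stand-ins for the question's files: a placeholder private key and
# .pub lines whose blob carries only a type prefix and filler, no real key material.
PRIVATE_PEM = "-----BEGIN RSA PRIVATE KEY-----\nPLACEHOLDER\n-----END RSA PRIVATE KEY-----\n"


def pub_line(key_type: str) -> str:
    """Build a 'type base64 comment' line with a fake blob that starts with the type."""
    blob = struct.pack(">I", len(key_type)) + key_type.encode() + struct.pack(">I", 4) + b"fake"
    return f"{key_type} {base64.b64encode(blob).decode()} constructed"


def try_load_public(text: str):
    """Model of key_try_load_public: the key type for a well-formed public key line, else None."""
    try:
        key_type, b64 = text.split()[:2]
        blob = base64.b64decode(b64, validate=True)
        (n,) = struct.unpack(">I", blob[:4])
        return key_type if blob[4:4 + n] == key_type.encode() else None
    except (ValueError, struct.error):
        return None


def load_identity_public(files: dict, identity: str):
    """Model of the authfile.c lookup: the -i path itself first, then path + '.pub'."""
    for candidate in (identity, identity + ".pub"):
        text = files.get(candidate)
        if text is not None:
            key_type = try_load_public(text)
            if key_type is not None:
                return candidate, key_type
    return None


def client_branch(files: dict, identity: str) -> str:
    """Which sshconnect2.c branch runs, as the debug1 line ssh -v prints for it."""
    found = load_identity_public(files, identity)
    if found is not None:
        _source, key_type = found
        name = {"ssh-rsa": "RSA"}.get(key_type, key_type)
        # send_pubkey_test: the server is asked about the key read from the .pub,
        # while the signature sent afterwards comes from the private key file.
        return f"Offering {name} public key: {identity}"
    # load_identity_file: no usable public key, go straight to the private key.
    return f"Trying private key: {identity}"


# The two situations from the question: .pub beside the key, and .pub renamed away.
SAME_DIR = {"./id_rsa": PRIVATE_PEM, "./id_rsa.pub": pub_line("ssh-rsa")}
RENAMED = {"./id_rsa": PRIVATE_PEM, "./id_rsa.renamed": pub_line("ssh-rsa")}
# A corrupt .pub whose blob does not start with its stated type is skipped like a missing one.
CORRUPT = {"./id_rsa": PRIVATE_PEM,
           "./id_rsa.pub": "ssh-rsa " + base64.b64encode(b"\x00\x00\x00\x03abc").decode()}

if __name__ == "__main__":
    for label, files in (("same dir", SAME_DIR), ("renamed", RENAMED), ("corrupt", CORRUPT)):
        print(f"{label:9}: {client_branch(files, './id_rsa')}")
```

Reading your own ssh -v output against this model tells you which path the client took: "Offering ... public key" means a neighbouring .pub was found and is what the server was asked about, so that file, not the private key, is the one to compare against authorized_keys.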

Answer 3

I'm almost certain this is a permissions problem. Check the folder permissions to make sure they aren't 770, 740 or similar. If you aren't using the .ssh directory, this can easily cause the problem you are seeing.

To correct it, use chmod o-w /root. I strongly recommend using a dedicated folder for these keys, since getting the permissions right on the home folder is tricky.
