For some reason, my SSH never wants to ask me for a password.
So I set up a VPS on some random server somewhere in the world, and I want to connect to it over ssh.
I can set up a key, but when I do this:
ssh -l some-user IP
I get the error:
Received disconnect from ##.##.##.##: 2: Too many authentication failures for some-user
When I look at the verbose output, I can see that password is one of the options:
debug1: Offering RSA public key: some-user@computer
debug1: Authentications that can continue: publickey,password
However, SSH never asks me for a password. It tries 5 times, I suspect with the publickey method, and then fails. Why doesn't ssh try the password?
Just in case, my ssh_config file has:
PasswordAuthentication yes
Full log
ssh -v -l root ##.##.##.##
OpenSSH_6.1p1 Debian-4, OpenSSL 1.0.1c 10 May 2012
debug1: Reading configuration data /home/someuser/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to ##.##.##.## [##.##.##.##] port 22.
debug1: Connection established.
debug1: identity file /home/someuser/.ssh/id_rsa type 1
debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-2048
debug1: Checking blacklist file /etc/ssh/blacklist.RSA-2048
debug1: identity file /home/someuser/.ssh/id_rsa-cert type -1
debug1: identity file /home/someuser/.ssh/id_dsa type -1
debug1: identity file /home/someuser/.ssh/id_dsa-cert type -1
debug1: identity file /home/someuser/.ssh/id_ecdsa type -1
debug1: identity file /home/someuser/.ssh/id_ecdsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.2p2 Ubuntu-6
debug1: match: OpenSSH_6.2p2 Ubuntu-6 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.1p1 Debian-4
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ECDSA XX:XX:...:XX:XX
debug1: Host '##.##.##.##' is known and matches the ECDSA host key.
debug1: Found key in /home/someuser/.ssh/known_hosts:38
debug1: ssh_ecdsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/someuser/.ssh/id_rsa
debug1: Authentications that can continue: publickey,password
debug1: Offering RSA public key: someuser@computer
debug1: Authentications that can continue: publickey,password
debug1: Offering RSA public key: someuser@computer
debug1: Authentications that can continue: publickey,password
debug1: Offering DSA public key: someuser@computer
debug1: Authentications that can continue: publickey,password
debug1: Offering RSA public key: someuser@computer
debug1: Authentications that can continue: publickey,password
debug1: Offering RSA public key: someuser@computer
Received disconnect from ##.##.##.##: 2: Too many authentication failures for root
Answer 1
Try logging in with public key authentication disabled, using
ssh -o PubkeyAuthentication=no root@newserver
Answer 2
You most likely have multiple identityfile lines in your .ssh/config.
Even if your identityfile configuration is under a host entry, it is applied globally. This means that ssh tries every identity file (i.e. public key) from every host before asking the server for a password prompt.
You can fix this by
- removing all but one identityfile line, or
- adding PubkeyAuthentication no to .ssh/config, or
- running ssh with the argument -o PubkeyAuthentication=no.
From man 5 ssh_config:
PubkeyAuthentication
Specifies whether to try public key authentication. The argument to this
keyword must be “yes” or “no”. The default is “yes”. This option applies
to protocol version 2 only.
IdentityFile
...
It is possible to have multiple identity files specified in configuration
files; all these identities will be tried in sequence. Multiple
IdentityFile directives will add to the list of identities tried (this
behaviour differs from that of other configuration directives).
Some general notes on public keys:
- In general, each client (workstation) should have exactly one private key, and the matching public key should be placed on all servers the client should have access to. In other words, share public keys between servers, and never use the same private key on multiple devices.
- Always generate key pairs on your device and transfer only the public key. That way, even if the server is compromised, your private key stays safe. This can happen in surprising ways - for example, through backups.
- If someone else administers the server, you should give them the public key; they should not generate the key pair and send you the private key. That way they cannot impersonate you with your key (of course, usually they can do whatever they want anyway). Also, for a public key only integrity must be protected (i.e. that nobody has changed the public key); for a private key confidentiality must be preserved (i.e. nobody else obtains the key), and it is impossible to be absolutely sure it has not leaked.
- Even if you use the same private key to connect to multiple servers, compromising one server does not compromise the others (unless you transferred that private key to the server. Never do that.)
- In any case, compromising your workstation exposes your private keys. Having multiple private keys does not help with that (unless they have different strong passphrases and not all of them are available to the attacker).
There are some exceptions, but not many.
Answer 3
Your local ssh shouldn't ask you for a password; the ssh server at the other end should ask you for a password. The server may be configured not to accept password authentication. Mine doesn't ask for a password either.
Answer 4
Another reason I found. I had:
Host *
PreferredAuthentications publickey
(copied from another user's ~/.ssh/config, thinking it was a "preference"). In fact PreferredAuthentications specifies the "allowed" methods and their order.
Remove that PreferredAuthentications line, or add password:
Host *
PreferredAuthentications publickey,password
Note: no spaces after the comma!
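As an added example that is not part of the original thread, the Python script below models how ssh resolves ~/.ssh/config for a host (first value wins for ordinary keywords, IdentityFile directives accumulate, as Answer 2 quotes from the man page) and flags the two conditions described in Answers 2 and 4: enough identity files to exhaust the server's default MaxAuthTries of 6 before password is tried, and a PreferredAuthentications list that omits password. The sample config, the function names and the MAX_AUTH_TRIES constant are constructed for the example; Match blocks and negated (!) Host patterns are not handled.

```python
import fnmatch
import re

# Constructed ~/.ssh/config for illustration; not taken from the original post.
SAMPLE_CONFIG = """\
Host work
    HostName work.example.com
    IdentityFile ~/.ssh/id_work

Host *
    IdentityFile ~/.ssh/id_rsa
    IdentityFile ~/.ssh/id_dsa
    IdentityFile ~/.ssh/id_ecdsa
    IdentityFile ~/.ssh/id_ed25519
    IdentityFile ~/.ssh/id_old
    PreferredAuthentications publickey
"""
MAX_AUTH_TRIES = 6  # sshd's default MaxAuthTries; the server disconnects after this many failures
DEFAULT_PREFERRED = "gssapi-with-mic,hostbased,publickey,keyboard-interactive,password"  # ssh default

def effective_options(config_text, host):
    """Resolve options for `host` like ssh_config: every matching Host block contributes, the
    first value wins for ordinary keywords, IdentityFile accumulates (Match blocks not modelled)."""
    opts, identities, active = {}, [], True  # lines before any Host block apply to every host
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, value = (re.split(r"\s*=\s*|\s+", line, maxsplit=1) + [""])[:2]
        key = key.lower()
        if key == "host":
            active = any(fnmatch.fnmatchcase(host, p) for p in value.split())
        elif not active:
            continue
        elif key == "identityfile":
            identities.append(value)
        else:
            opts.setdefault(key, value)  # the first obtained value is used
    opts["identityfile"] = identities
    return opts

def audit(config_text, host):
    """Return warnings explaining why ssh may never reach the password prompt for `host`."""
    opts = effective_options(config_text, host)
    warnings, n_keys = [], len(opts["identityfile"])
    if opts.get("pubkeyauthentication", "yes").lower() == "yes" and n_keys >= MAX_AUTH_TRIES:
        warnings.append(f"{n_keys} identity files offered; MaxAuthTries ({MAX_AUTH_TRIES}) exhausted before password")
    # ssh does not trim list entries, so " password" (space after the comma) matches no method.
    if "password" not in opts.get("preferredauthentications", DEFAULT_PREFERRED).split(","):
        warnings.append("PreferredAuthentications omits password, so no password prompt can appear")
    return warnings
```

Running audit(SAMPLE_CONFIG, "work") reports both problems, and applying either fix from the answers (PubkeyAuthentication no, or adding password to PreferredAuthentications) removes the corresponding warning.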