
A case of SSH public-key passwordless login failure

Original  zayki  2022-09-13

1.  Use the ssh-copy-id command to set up passwordless SSH trust from host B to host A.

# ssh-keygen -t rsa
# ssh-copy-id -i ~/.ssh/id_rsa.pub root@192.168.128.129

2.  Verify: passwordless login fails

ssh root@192.168.128.129

3. Logging in with ssh in debug mode gives the following output:

debug1: Next authentication method: publickey
debug1: Offering public key: /root/.ssh/id_rsa RSA SHA256:Hn3kF7rYpaya5Uj2F2SMAzhrNMfcTyeJvmoZCqKPYJ4
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,password
debug1: Trying private key: /root/.ssh/id_ecdsa
debug3: no such identity: /root/.ssh/id_ecdsa: No such file or directory
debug1: Trying private key: /root/.ssh/id_ecdsa_sk
debug3: no such identity: /root/.ssh/id_ecdsa_sk: No such file or directory
debug1: Trying private key: /root/.ssh/id_ed25519
debug3: no such identity: /root/.ssh/id_ed25519: No such file or directory
debug1: Trying private key: /root/.ssh/id_ed25519_sk
debug3: no such identity: /root/.ssh/id_ed25519_sk: No such file or directory
debug1: Trying private key: /root/.ssh/id_xmss
debug3: no such identity: /root/.ssh/id_xmss: No such file or directory
debug1: Trying private key: /root/.ssh/id_dsa
debug3: no such identity: /root/.ssh/id_dsa: No such file or directory
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred: ,password
debug3: authmethod_is_enabled password
debug1: Next authentication method: password

For comparison, the output of a normal login is as follows:

debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /home/itadmin/.ssh/identity
debug3: no such identity: /home/itadmin/.ssh/identity
debug1: Offering public key: /home/itadmin/.ssh/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug3: Wrote 372 bytes for a total of 1689
debug1: Server accepts key: pkalg ssh-rsa blen 277
debug2: input_userauth_pk_ok: SHA1 fp 4b:99:21:4e:ad:97:a7:3f:58:4b:c5:b1:57:28:4c:3d:29:b7:ac:67
debug3: sign_and_send_pubkey: RSA 4b:99:21:4e:ad:97:a7:3f:58:4b:c5:b1:57:28:4c:3d:29:b7:ac:67
debug1: read PEM private key done: type RSA
debug3: Wrote 644 bytes for a total of 2333
debug1: Authentication succeeded (publickey).

Comparing the two did not reveal the cause of the problem.

4. A Baidu search turned up the following hint:

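StrictModes no # Change to no; the default is yes. Without this change, key login fails with "server refused our key" (if StrictModes is yes, the owner of the folder holding the public key must be the same as the login user name. "StrictModes" sets whether ssh checks the permissions and ownership of the user's home directory and rhosts file before accepting a login request. This is usually necessary, because novices often make their own directories and files writable by anyone.) (Source: http://matt-u.iteye.com/blog/851158)
————————————————
Copyright notice: this is an original article by CSDN blogger "UpUpUpUpUpUpUp", released under the CC 4.0 BY-SA license. When reposting, include the link to the original source and this notice.
Original link: https://blog.csdn.net/u012599988/article/details/53161991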

5.  Edit /etc/ssh/sshd_config on the target host, set StrictModes no, then restart the service

# systemctl restart sshd

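Repeating step 2, passwordless login now succeeds.

6. Normally, however, this ssh parameter should be left at its default of yes, and passwordless login to other hosts had been configured without any problem, so I kept looking for the cause.

On the target host, comment out the StrictModes no line in /etc/ssh/sshd_config.

Going back over the explanation of the StrictModes parameter: as the name suggests, strict mode places stricter requirements on the user's permissions. The user logging in to the remote host is root, so the corresponding permission requirements are:

  1. The default home directory /root should have both owner and group set to root, with directory permissions 700,
  2. The file /root/.ssh/authorized_keys should have permissions 600.

After checking the permissions, I found that the group of /root was not root. Only then did I remember that, because the / filesystem had run short of space, I had earlier added a virtual disk and mounted it at /root, with its group ownership given to another account. After changing it back to root, passwordless login worked normally.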

Summary: most passwordless login failures still come down to permission problems.
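
One way to find the offending path while leaving StrictModes at yes, as an added example that is not part of the original article: the script checks the home directory, ~/.ssh and authorized_keys for the two conditions OpenSSH's sshd tests under StrictModes (owner is the login user or root, and no group or other write bit). The function names and the temporary demo tree are constructed for illustration, and `stat -c` is assumed to be available.

```sh
#!/bin/sh
# Added example, not from the original article. Assumes `stat -c` (GNU/BusyBox).
# Mirrors the two conditions sshd applies under "StrictModes yes" to the home
# directory, ~/.ssh and authorized_keys: the owner must be the login user or
# root, and the mode must not allow group or other write (mode & 022).

check_one() {   # check_one PATH LOGIN_UID -> 0 if acceptable, 1 otherwise
    info=$(stat -c '%u %a' "$1") || { echo "MISSING   $1"; return 1; }
    owner=${info% *}; mode=${info#* }
    if [ "$owner" -ne "$2" ] && [ "$owner" -ne 0 ]; then
        echo "BAD OWNER uid=$owner (want $2 or 0): $1"; return 1
    fi
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "BAD MODE  $mode (group/other writable): $1"; return 1
    fi
    echo "ok        uid=$owner mode=$mode: $1"
}

# audit_strictmodes HOME LOGIN_UID -> 0 only if every path passes
audit_strictmodes() {
    rc=0
    for p in "$1" "$1/.ssh" "$1/.ssh/authorized_keys"; do
        check_one "$p" "$2" || rc=1
    done
    return $rc
}

# Demo on a constructed tree (not the article's host): a home directory left
# group-writable, as can happen after mounting a new disk over it.
demo_home=$(mktemp -d)
mkdir -m 700 "$demo_home/.ssh"
: > "$demo_home/.ssh/authorized_keys"
chmod 600 "$demo_home/.ssh/authorized_keys"
chmod 770 "$demo_home"
audit_strictmodes "$demo_home" "$(id -u)" || echo "=> sshd would refuse key auth"
rm -rf "$demo_home"
```

For the case in this article the call on the target host would be `audit_strictmodes /root 0`. The client-side debug output only shows the rejection (packet type 51); sshd's own log on the target host records it as "Authentication refused: bad ownership or modes" together with the path.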
