ssh免密登录遇到过的坑
ssh免密登录原理
通过非对称密钥实现认证登录,可参考
ssh免密登录原理与实现
SSH 原理和基本应用
- 客户端和服务器都生成自己的密钥对
- 客户端将公钥写入服务器的authorized_keys
- ssh server远程访问服务器,发送连接请求,并发送id_rsa.pub公钥,服务器在本地的authorized_keys中查找是否存在该公钥,如果存在,用该公钥对任意字符串加密发送回客户端,客户端使用本地的id_rsa解密发送回服务器,服务器验证两个字符串是否相同。
ssh免密的登录设置方法
- 进入当前账号的home目录,进入.ssh文件夹
- ssh-keygen 生成密钥对,输入命令后一直回车即可
- 复制公钥到远程服务器的.ssh目录下的authorized_keys文件中,有三种方法:
- ssh-copy-id命令
- scp命令
- 手工复制粘贴
遇到的问题
非root账号
- 非root账号下设置ssh免密登录,使用ssh-copy-id命令会要求输入远程服务器的root密码,可通过手工复制粘贴解决。
root账号
root账号下设置ssh免密登录后,始终要求输入root密码。
解决思路:
- 检查本地生成密钥的.ssh文件夹和远程服务器上公钥复制粘贴操作的.ssh文件夹是否都是/root目录下的。我刚开始是把登录账号的.ssh目录和root账号的.ssh目录混在了一起。注意,在某账号下ssh server1相当于ssh 账号名@server1,不同账号的远程登录目录不一样,检索的位置就不一样。
- 检查etc/ssh/sshd_config配置,DenyUsers root, DenyGroups root这两行代表禁止通过远程访问根用户,需要注释掉。其它的配置也需要检查。这里我粘贴一下我最终的配置。
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145# $OpenBSD: sshd_config,v 1.100 2016/08/15 12:32:04 naddy Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/local/bin:/usr/bin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.
# If you want to change the port on a SELinux system, you have to tell
# SELinux about this change.
# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
#
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
# Ciphers and keying
#RekeyLimit default none
# Logging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
LogLevel INFO
# Authentication:
LoginGraceTime 60
PermitRootLogin yes
#StrictModes yes
MaxAuthTries 4
#MaxSessions 10
PubkeyAuthentication yes
# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile .ssh/authorized_keys
#AuthorizedPrincipalsFile none
#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
PermitEmptyPasswords no
PasswordAuthentication yes
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication yes
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
#KerberosUseKuserok yes
# GSSAPI options
GSSAPIAuthentication yes
GSSAPICleanupCredentials no
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
#GSSAPIEnablek5users no
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
# WARNING: 'UsePAM no' is not supported in Red Hat Enterprise Linux and may cause several
# problems.
UsePAM yes
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation sandbox
PermitUserEnvironment no
#Compression delayed
ClientAliveInterval 600
ClientAliveCountMax 0
#ShowPatchLevel no
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none
# no default banner path
Banner /etc/issue.net
# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
# override default of no subsystems
Subsystem sftp /usr/libexec/openssh/sftp-server
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# PermitTTY no
# ForceCommand cvs server
Ciphers 隐藏
# DenyUsers root
# DenyGroups root
AllowTcpForwarding no
MaxStartups 10:30:60
MaxSessions 4
ssh免密登录遇到过的坑
https://yunzhen.github.io/2022/12/19/ssh免密登录详解/