I'm going through all my VMs and adding a nagios user.
When I follow my steps (described below) on Ubuntu, everything works. But doing the same thing on CentOS 6.2, I cannot ssh via pubkey auth, only via password auth.
I have verified that:
- the /home/nagios directory has the correct owner and permissions
- the authorized_keys file exists and is correctly populated
What other things should I check? Could the different SSH versions be causing the problem?
Log when connecting to the CentOS 6.2 remote machine:
nagios@redacted:/home/redacted$ ssh -v nagios@remote.machine -i /var/lib/nagios/keys/id_rsa
OpenSSH_7.2p2 Ubuntu-4ubuntu2.1, OpenSSL 1.0.2g 1 Mar 2016
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to remote.machine [192.168.redacted.redacted] port 22.
debug1: Connection established.
debug1: identity file /var/lib/nagios/keys/id_rsa type 1
debug1: key_load_public: No such file or directory
debug1: identity file /var/lib/nagios/keys/id_rsa-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
debug1: match: OpenSSH_5.3 pat OpenSSH_5* compat 0x0c000000
debug1: Authenticating to remote.machine:22 as 'nagios'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: diffie-hellman-group-exchange-sha256
debug1: kex: host key algorithm: ssh-rsa
debug1: kex: server->client cipher: aes128-ctr MAC: umac-64@openssh.com compression: none
debug1: kex: client->server cipher: aes128-ctr MAC: umac-64@openssh.com compression: none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(2048<3072<8192) sent
debug1: got SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: got SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Server host key: ssh-rsa SHA256:redacted
debug1: Host 'remote.machine' is known and matches the RSA host key.
debug1: Found key in /var/lib/nagios/.ssh/known_hosts:7
debug1: rekey after 4294967296 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: rekey after 4294967296 blocks
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure. Minor code may provide more information
No Kerberos credentials available
debug1: Unspecified GSS failure. Minor code may provide more information
No Kerberos credentials available
debug1: Unspecified GSS failure. Minor code may provide more information
debug1: Unspecified GSS failure. Minor code may provide more information
No Kerberos credentials available
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /var/lib/nagios/keys/id_rsa
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug1: No more authentication methods to try.
Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
Details:
These are the steps I went through.
Create the nagios user:
  sudo adduser nagios --system --group --shell /bin/bash
  sudo adduser nagios --system --shell /bin/bash --home /home/nagios
  sudo passwd nagios
Add the nagios user to the allowed users list in /etc/ssh/sshd_config
  ssh-copy-id -i /var/lib/nagios/keys/id_rsa remote.machine
Add to /etc/ssh/sshd_config:
  Match user nagios
      PasswordAuthentication no
  ssh -i /var/lib/nagios/keys/id_rsa nagios@remote.machine
... password authentication for nagios, otherwise I cannot log in.

Best answer
A colleague I asked mentioned StrictModes in sshd_config.
If StrictModes is enabled, the required permissions on CentOS are:
  chmod 700 ~/.ssh
  chmod 600 ~/.ssh/id_rsa
(source)
When I checked the permissions of ~/.ssh and ~/.ssh/authorized_keys, I compared them against the Ubuntu/OpenSSH 7.2 requirements rather than the CentOS/OpenSSH 5.3 requirements. Ubuntu/OpenSSH 7.2 allows 775 for ~/.ssh even when StrictModes is enabled (but ~/.ssh/authorized_keys still needs 600).
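The ownership and mode requirements behind StrictModes can be checked mechanically on the server before the next login attempt. As an added example (not code from the question or the answer), this POSIX shell script applies the check that sshd_config(5) describes for StrictModes to the home directory, ~/.ssh and authorized_keys: each must be owned by the user (or root) and must not be writable by group or others. It assumes GNU stat with -c (shipped on both Ubuntu and CentOS); the function names are mine.

```shell
#!/bin/sh
# Added example, not code from the question or the answer. Reports which of
# the paths sshd inspects under StrictModes would be rejected: each must be
# owned by the user (or root) and have no group/other write bit (mode & 022).
# Assumes GNU coreutils stat (-c), as shipped on Ubuntu and CentOS.

# strict_ok PATH USER: return 0 if PATH passes the StrictModes check,
# 1 otherwise, printing a reason in the style of sshd's own log message.
strict_ok() {
    path=$1 user=$2
    if [ ! -e "$path" ]; then
        echo "missing: $path"
        return 1
    fi
    owner=$(stat -c %U "$path")
    mode=$(stat -c %a "$path")
    if [ "$owner" != "$user" ] && [ "$owner" != root ]; then
        echo "bad ownership for $path: owned by $owner, expected $user"
        return 1
    fi
    # 0$mode turns e.g. "775" into the octal constant 0775; 022 = g+w and o+w.
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "bad modes for $path: $mode is group- or world-writable"
        return 1
    fi
    return 0
}

# check_ssh_user HOMEDIR USER: check HOMEDIR, HOMEDIR/.ssh and
# HOMEDIR/.ssh/authorized_keys; return 1 if any of them would be rejected.
check_ssh_user() {
    home=$1 user=$2 status=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        strict_ok "$p" "$user" || status=1
    done
    return $status
}

# Usage on the server for the account being debugged:
#   check_ssh_user /home/nagios nagios && echo "StrictModes checks pass"
```

Run it as root or as the account itself; a non-zero exit names the first path sshd would refuse, which is the same information sshd writes to its log when it rejects the key.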
Regarding "linux - PubKey SSH Auth fails on CentOS but works on Ubuntu", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/43617438/