SSH不断跳过我的pubkey并要求输入密码


52

每次SSH到远程服务器上时,都需要提供密码。我使用以下命令将我的公钥(id_dsa.pub)复制到了远程服务器:

ssh-copy-id -i id_dsa.pub user@server

我检查了它是否已正确添加到authorized_keys。所有文件/目录权限均正确:

~user 755
~user/.ssh 700
~user/.ssh/authorized_keys 640
~user/.ssh/id_dsa.pub 644

/ etc / ssh / sshd_config中的PasswordAuthentication字段设置为yes。我将sshd置于调试模式,并将详细开关添加到ssh命令中。我的印象是,由于该行,服务器未尝试使用id_pub.dsa

Skipping ssh-dss key: ........... not in PubkeyAcceptedKeyTypes

服务器端没有加密的光盘。有什么想法如何进步吗?这是ssh守护程序的调试信息:

sudo /usr/sbin/sshd -d
====
debug1: sshd version OpenSSH_6.6.1, OpenSSL 1.0.1f 6 Jan 2014
debug1: key_parse_private2: missing begin marker
debug1: read PEM private key done: type RSA
debug1: private host key: #0 type 1 RSA
debug1: key_parse_private2: missing begin marker
debug1: read PEM private key done: type DSA
debug1: private host key: #1 type 2 DSA
debug1: key_parse_private2: missing begin marker
debug1: read PEM private key done: type ECDSA
debug1: private host key: #2 type 3 ECDSA
debug1: rexec_argv[0]='/usr/sbin/sshd'
debug1: rexec_argv[1]='-d'
Set /proc/self/oom_score_adj from 0 to -1000
debug1: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.
debug1: Bind to port 22 on ::.
Server listening on :: port 22.
debug1: Server will not fork when running in debugging mode.
debug1: rexec start in 5 out 5 newsock 5 pipe -1 sock 8
debug1: inetd sockets after dupping: 3, 3
Connection from xxx port 63521 on yyy port 22
debug1: Client protocol version 2.0; client software version OpenSSH_7.1
debug1: match: OpenSSH_7.1 pat OpenSSH* compat 0x04000000
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.3
debug1: permanently_set_uid: 115/65534 [preauth]
debug1: list_hostkey_types: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256 [preauth]
debug1: SSH2_MSG_KEXINIT sent [preauth]
debug1: SSH2_MSG_KEXINIT received [preauth]
debug1: kex: client->server chacha20-poly1305@openssh.com <implicit> none [preauth]
debug1: kex: server->client chacha20-poly1305@openssh.com <implicit> none [preauth]
debug1: expecting SSH2_MSG_KEX_ECDH_INIT [preauth]
debug1: SSH2_MSG_NEWKEYS sent [preauth]
debug1: expecting SSH2_MSG_NEWKEYS [preauth]
debug1: SSH2_MSG_NEWKEYS received [preauth]
debug1: KEX done [preauth]
debug1: userauth-request for user damian service ssh-connection method none [preauth]
debug1: attempt 0 failures 0 [preauth]
debug1: PAM: initializing for "damian"
debug1: PAM: setting PAM_RHOST to "freebox-server.local"
debug1: PAM: setting PAM_TTY to "ssh"
Connection closed by xxxx [preauth]
debug1: do_cleanup [preauth]
debug1: monitor_read_log: child log fd closed
debug1: do_cleanup

这是ssh的详细输出:

$ ssh -v user@server
OpenSSH_7.1p1, OpenSSL 1.0.2d 9 Jul 2015
debug1: Connecting to server [xxxx] port 22.
debug1: Connection established.
debug1: key_load_public: No such file or directory
debug1: identity file /home/user/.ssh/id_rsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/user/.ssh/id_rsa-cert type -1
debug1: identity file /home/user/.ssh/id_dsa type 2
debug1: key_load_public: No such file or directory
debug1: identity file /home/user/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/user/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/user/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/user/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/user/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.1
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.3
debug1: match: OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.3 pat OpenSSH_6.6.1* compat 0x04000000
debug1: Authenticating to server:22 as 'user'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client chacha20-poly1305@openssh.com <implicit> none
debug1: kex: client->server chacha20-poly1305@openssh.com <implicit> none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:v4BNHM0Q33Uh6U4VHenA9iJ0wEyi8h0rFVetbcXBKqA
debug1: Host 'server' is known and matches the ECDSA host key.
debug1: Found key in /home/user/.ssh/known_hosts:2
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Trying private key: /home/user/.ssh/id_rsa
debug1: Skipping ssh-dss key /home/user/.ssh/id_dsa for not in PubkeyAcceptedKeyTypes
debug1: Trying private key: /home/user/.ssh/id_ecdsa
debug1: Trying private key: /home/user/.ssh/id_ed25519
debug1: Next authentication method: password
user@server's password:

1
关于相同的问题(也基本上是相同的解决方案),另请参见superuser.com/q/1016989/93541
DW

请注意,如果目标上的sshd_config具有PubkeyAuthentication no,则始终会提示您输入密码。将其设置为yes并重新启动sshd(在目标主机上)以启用pubkey身份验证。
C. Kelly

Answers:


84

新的openssh版本(7.0+)已弃用DSA密钥,并且默认情况下不使用DSA密钥(不在服务器或客户端上)。不希望再使用这些密钥,因此,如果可以的话,我建议尽可能使用RSA密钥

如果您确实需要使用DSA密钥,则需要使用以下命令在客户端配置中明确允许它们

PubkeyAcceptedKeyTypes +ssh-dss

应该足够在该行中添加该行~/.ssh/config,因为详细消息正试图告诉您。


5
+1,但更好的建议是使用另一个不推荐使用的密钥类型...
jasonwryan 2015年

@jasonwryan感谢您的评论。当然。我将更新答案。
Jakuje 2015年

谢谢Jakuje!这是有道理的,我没有意识到dsa是旧帽子。我生成了一个新的密钥对,ssh-keygenrsa现在是默认值。明天我将尝试从另一台计算机登录。
达莫

如果您~/.ssh/config不存在,则创建它。并记住设置corect权限:chmod 600 ~/.ssh/config
Florian Brucker

@knb不要那样做。由于您删除了所有椭圆曲线算法,因此以后将避免使用任何其他算法。
雅库耶

2

就我而言,我遇到了这个问题,因为另一个用户更改了AuthorizedKeysFile位置。由于authorized_keys此位置没有其他用户,因此即使authorized_keys默认主目录中具有正确的权限,登录名也将默认为密码。

AuthorizedKeysFile   /etc/ssh/%u/authorized_keys

评论了此修改后的线路输出,并重新启动了sshd服务以恢复为默认设置,然后该默认设置允许其他用户使用其密钥进行身份验证。


我刚刚在RHEL7系统上解决了一个类似的问题,该系统的SELinux上下文未在用户的homedir上正确初始化,因此ssh即使具有标准权限也无法读取授权密钥文件。最终,我最终restorecon -Rv /home为其他在同一系统上设置不正确的用户进行了修复。
dannysauer

1

我尝试了Jakuje的《不行》的答案。但我从那里了解问题。试图添加评论,但需要信誉,为什么要添加anwser。

但是对我来说配置文件是/ etc / ssh / ssh_config

  1. sudo nano /etc/ssh/ssh_config
  2. PubkeyAcceptedKeyTypes +ssh-dss 在底部添加此行。
  3. 保存并重试。

工作了!


1

总结一下我为通过SSH连接树莓派所做的工作。

在服务器计算机(Raspberry Pi)中:

$ ip addr show 

或者简单地ip a,这将显示Pi机器的IP地址-host_ip

$ mkdir .ssh

在客户端计算机(ubuntu)中:

$ ssh-keygen -t rsa  

感谢上面的@Jakuje。最初,我使用ssh-keygen -t dsa生成密钥,而ssh一直要求我提供密码。ssh -v ip-address不会给我很多有用的信息,直到我看到@Jakuje的回答

$ cat .ssh/id_rsa.pub | ssh user_id@host_ip 'cat >> ~/.ssh/authorized_keys'  

提示时替换user_id和host_ip,提供Pi机的密码

$ ssh user@ip_address

成功登录PI,没有更多密码


0

dsa对我不起作用。rsa做到了。

ssh-keygen -t rsa -P '' -f ~/.ssh/id_rsa
cat /Users/user_name/.ssh/id_dsa.pub >> ~/.ssh/authorized_keys

而且我可以不用密码ssh。

By using our site, you acknowledge that you have read and understand our Cookie Policy and Privacy Policy.
Licensed under cc by-sa 3.0 with attribution required.