主页 / unix / 问题 / 407394
Accepted
Mithril
Asked: 2017-11-28 17:24:25 +0800 CST

ssh-copy-id 成功,但还是提示输入密码

  • 772
  1. 我以前ssh-copy-id root@c199成功过。
  2. 我可以在ssh root@c199没有密码提示的情况下登录
  3. 我想由另一个用户自动登录ufo (远程机器有这个用户)

  4. ssh-copy-id ufo@c199 问我输入密码,

    /usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
ufo@c199's password:

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'ufo@c199'"
and check to make sure that only the key(s) you wanted were added.

  5. 但是通过ssh ufo@c199仍然提示输入密码登录。

我尝试通过 ssh 在 msys2(在 Windows 上)上登录远程 centos,我发现有很多相同的行,例如

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCs7RTfvn83Rxdmvgfh+F4kUlM5FzIUb9rRHaqq11xKIW1gztn/+G4tr+OWl4o6GTW2Z361hIi
ugy8DPtMATN66nTTDUYO0sSvw2BrQfDY4iIENdLpkkHO8KQVGpQE+8tDkaZfD6EQLVtl0uvDE3D77tfcnBLODXgZPQsUSlssMi+pxDbSVjjKgrP
hM1G/L9OTrEHKWDhF+ZBgY1RuLl7ZEdoATbhJaK4FFb9hNn/2CSibVfLts8HJGYQXIQRX/RBzaDZp47sKZvq302ewkkVorNY+c9mmoze6mi8Ip2
zEQOMi6S9zM/yRiD0XZrbmzYfNkoXA03WTmMR/DynVvX2nV /c/Users/xxxx/.ssh/id_rsa

在 centos 中/home/ufo/.ssh/authorized_keys

我已将 .ssh 用户的文件夹权限更改为 700 并将 authorized_keys 文件更改为 644 。

相同的ssh密钥,无提示ssh root@c199登录,但ssh ufo@c199提示输入密码..

更新

ssh ufo@c199 -vv输出:

....
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:zmCg5vHhBAMd5P4ei82+KsVg072KXbC63C44P0w3zbU
debug1: Host 'c199' is known and matches the ECDSA host key.
debug1: Found key in /c/Users/xxxxx/.ssh/known_hosts:35
debug2: set_newkeys: mode 1
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug2: set_newkeys: mode 0
debug1: rekey after 134217728 blocks
debug2: key: /c/Users/xxxxx/.ssh/id_rsa (0x60006bec0), agent
debug2: key: /c/Users/xxxxx/.ssh/id_dsa (0x0)
debug2: key: /c/Users/xxxxx/.ssh/id_ecdsa (0x0)
debug2: key: /c/Users/xxxxx/.ssh/id_ed25519 (0x0)
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /c/Users/xxxxx/.ssh/id_rsa
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Trying private key: /c/Users/xxxxx/.ssh/id_dsa
debug1: Trying private key: /c/Users/xxxxx/.ssh/id_ecdsa
debug1: Trying private key: /c/Users/xxxxx/.ssh/id_ed25519
debug2: we did not send a packet, disable method
debug1: Next authentication method: password
ssh password

5 个回答

  1. Best Answer

    感谢https://unix.stackexchange.com/a/55481/106419,它告诉我如何调试 ssh。

    启用 ssh 调试以查看发生了什么

    systemctl stop sshd
/usr/sbin/sshd -d -p 22

    我发现:

    Authentication refused: bad ownership or modes for directory /home/ufo

    所有人只说:

    • /home/ufo/.ssh所有权正确 700
    • /home/ufo/.ssh/authorized_keys所有权正确 600/644

    但是 sshd 仍然检查用户主文件夹!!!没有人提到这个!

    sudo chmod 700 /home/ufo解决这个问题。

    概括:

    您需要确保:

    • /home/ufo所有权为 700
    • /home/ufo/.ssh所有权为 700
    • /home/ufo/.ssh/authorized_keys 所有权为 600

    将 ufo 更改为您的主文件夹名称

    • 8

  2. 我必须将以下内容添加到我的 sshd_config 文件中:

    PubkeyAcceptedKeyTypes=+ssh-dss

    重启ssh

    • 1

  3. 显然您没有在用户 ufo 的 authorized_keys 文件中添加条目.....或者 ~ufo/.ssh 文件/目录的权限错误。

    • 0

  4. 确保将您的公钥添加到您的目录,而不是 root 或其他用户。

    • 0

  5. 这是另一种解决方案,以防您无法访问或修改 sshd_config,如 millican 在他们的回答中所建议的那样。一种解决方案是使用 ED25519 算法创建一个新的 SSH 密钥:

    ssh-keygen -t ed25519 -C "[email protected]"

    如此所述。这解决了我的问题,这是由于 RSA SHA-1 哈希算法已被弃用。

    • 0

相关问题