```
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@192.168.10.135's password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh '192.168.10.135'"
and check to make sure that only the key(s) you wanted were added.
[root@rhel77 .ssh]#
```
--> CentOS 7.9 machine (IP: 192.168.10.135)

Commands:
```
cd ~
ssh-keygen
cd .ssh/
ls
ssh-copy-id 192.168.10.110
```
```
[root@centos79 ~]# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): # same as above
Enter passphrase (empty for no passphrase): # same as above
Enter same passphrase again: # same as above
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:nK6khtCnoJB2o1aVfqVlTNpJHMug4QQ/3orcPqAgda4 root@centos79
The key's randomart image is:
+---[RSA 2048]----+
| ...o ... |
| + o o+. |
| =. *o. |
| . oooo O |
| + oo. .S |
|B.o==...+ |
|*o=Booo . |
|.+E o+ . |
|. ...o |
+----[SHA256]-----+
[root@centos79 ~]# cd .ssh/
[root@centos79 .ssh]# ls
authorized_keys id_rsa id_rsa.pub known_hosts
[root@centos79 .ssh]# ssh-copy-id 192.168.10.110
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@192.168.10.110's password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh '192.168.10.110'"
and check to make sure that only the key(s) you wanted were added.
[root@centos79 .ssh]#
```
### 4. SSH mutual trust verification: reproducing the problem
--> SSH from the RHEL 7.7 machine (IP: 192.168.10.110) to the CentOS 7.9 machine (IP: 192.168.10.135)
![](https://img-blog.csdnimg.cn/0fd4cdf5ffe64405844954c57a612095.png)
--> SSH from the CentOS 7.9 machine (IP: 192.168.10.135) to the RHEL 7.7 machine (IP: 192.168.10.110)
![](https://img-blog.csdnimg.cn/2f26e5836623405fb9fe9d403b585913.png)
## III. Troubleshooting walkthrough
### 1. File permission check on both machines (id\_rsa, id\_rsa.pub, authorized\_keys, known\_hosts)
--> RHEL 7.7 machine (IP: 192.168.10.110)
```
[root@rhel77 /]# cd
[root@rhel77 ~]# cd .ssh/
[root@rhel77 .ssh]# pwd
/root/.ssh
[root@rhel77 .ssh]# ls -l
total 16
-rw------- 1 root root 395 Jun 9 09:26 authorized_keys
-rw------- 1 root root 1679 Jun 9 09:26 id_rsa
-rw-r--r-- 1 root root 393 Jun 9 09:26 id_rsa.pub
-rw-r--r-- 1 root root 176 Jun 9 09:27 known_hosts
[root@rhel77 .ssh]#
```
Conclusion: **file permissions are correct**

--> CentOS 7.9 machine (IP: 192.168.10.135)
```
[root@centos79 .ssh]# cd
[root@centos79 ~]# cd .ssh/
[root@centos79 .ssh]# pwd
/root/.ssh
[root@centos79 .ssh]# ls -l
总用量 16
-rw------- 1 root root 393 6月 9 09:27 authorized_keys
-rw------- 1 root root 1679 6月 9 09:23 id_rsa
-rw-r--r-- 1 root root 395 6月 9 09:23 id_rsa.pub
-rw-r--r-- 1 root root 176 6月 9 09:26 known_hosts
[root@centos79 .ssh]#
```
Conclusion: **file permissions are correct**
### 2. .ssh directory permission check on both machines
--> RHEL 7.7 machine (IP: 192.168.10.110)
```
[root@rhel77 ~]# pwd
/root
[root@rhel77 ~]# ls -ld .ssh/
drwx------ 2 root root 80 Jun 9 09:27 .ssh/
[root@rhel77 ~]#
```
Conclusion: **the .ssh directory is mode 700; permissions are correct**

--> CentOS 7.9 machine (IP: 192.168.10.135)
```
[root@centos79 ~]# pwd
/root
[root@centos79 ~]# ls -ld .ssh/
drwx------ 2 root root 80 6月 9 09:27 .ssh/
[root@centos79 ~]#
```
Conclusion: **the .ssh directory is mode 700; permissions are correct**
### 3. Changing the /etc/ssh/sshd\_config configuration on both machines
Add the following:
```
# allow RSA keys
RSAAuthentication yes
# enable public-key authentication
PubkeyAuthentication yes
```
**Where to add it:**
```
RSAAuthentication yes
PubkeyAuthentication yes
# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile .ssh/authorized_keys
```
Restart sshd; **the problem still persists.**

Commands:
```
systemctl restart sshd
systemctl status sshd
```
### 4. Locating the problem
Finally, checking /var/log/secure revealed the cause.

Command:
```
tail /var/log/secure -n 20
```
--> RHEL 7.7 machine (IP: 192.168.10.110)
```
Jun 9 10:17:28 rhel77 sshd[12271]: Server listening on :: port 22.
Jun 9 10:17:28 rhel77 polkitd[948]: Unregistered Authentication Agent for unix-process:12264:668614 (system bus name :1.316, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)
Jun 9 10:24:34 rhel77 sshd[12868]: Authentication refused: bad ownership or modes for directory /root
Jun 9 10:24:36 rhel77 sshd[12868]: Connection closed by 192.168.10.135 port 36168 [preauth]
[root@rhel77 ~]#
```
--> CentOS 7.9 machine (IP: 192.168.10.135)
```
Jun 9 10:16:58 centos79 polkitd[728]: Unregistered Authentication Agent for unix-process:5517:669130 (system bus name :1.203, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale zh_CN.UTF-8) (disconnected from bus)
Jun 9 10:17:33 centos79 sshd[5534]: Authentication refused: bad ownership or modes for directory /root
Jun 9 10:17:37 centos79 sshd[5534]: Connection closed by 192.168.10.110 port 38882 [preauth]
Jun 9 10:24:02 centos79 sshd[5599]: Authentication refused: bad ownership or modes for directory /root
Jun 9 10:24:03 centos79 sshd[5599]: Connection closed by 192.168.10.110 port 38884 [preauth]
[root@centos79 ~]#
```
**The problem:**

--> RHEL 7.7 machine (IP: 192.168.10.110)

**Jun 9 10:24:34 rhel77 sshd[12868]: Authentication refused: bad ownership or modes for directory /root**

--> CentOS 7.9 machine (IP: 192.168.10.135)

**Jun 9 10:24:02 centos79 sshd[5599]: Authentication refused: bad ownership or modes for directory /root**

Searching Google for this error pointed to the cause: the permissions on the /root directory were too open (inspection showed that /root was mode 777); it should be set to at most (recommended) 700.
/root directory permissions

**Before the change:**

--> RHEL 7.7 machine (IP: 192.168.10.110)
```
[root@rhel77 ~]# cd /
[root@rhel77 /]# pwd
/
[root@rhel77 /]# ls -ld root
drwxrwxrwx. 17 root root 8192 Jun 9 08:33 root
[root@rhel77 /]#
```
--> CentOS 7.9 machine (IP: 192.168.10.135)
```
[root@centos79 ~]# cd /
[root@centos79 /]# pwd
/
[root@centos79 /]# ls -ld root
drwxrwxrwx. 25 root root 4096 6月 9 09:37 root
[root@centos79 /]#
```
**Changing the permissions, and the result after the change:**

--> RHEL 7.7 machine (IP: 192.168.10.110)
```
[root@rhel77 /]# pwd
/
[root@rhel77 /]# chmod 700 root/
[root@rhel77 /]# ls -ld root
drwx------. 17 root root 8192 Jun 9 08:33 root
[root@rhel77 /]#
```
--> CentOS 7.9 machine (IP: 192.168.10.135)
```
[root@centos79 /]# pwd
/
[root@centos79 /]# chmod 700 root
[root@centos79 /]# ls -ld root
drwx------. 25 root root 4096 6月 9 09:37 root
[root@centos79 /]#
```
### 5. SSH mutual trust login verification
--> RHEL 7.7 machine (IP: 192.168.10.110)
```
[root@rhel77 /]# ssh 192.168.10.135
Last login: Fri Jun 9 09:55:34 2023 from rhel77
IPAddress: 172.17.0.1
Memory Used: 17.9%
Swap Used: 0%
Disk Used: 27%
Disk Size: 38G
Services: 46
系统内核: 3.10.0-1160.90.1.el7.x86_64
yum源已配置,能正常使用
[root@centos79 ~]# hostname
centos79
[root@centos79 ~]# exit
logout
Connection to 192.168.10.135 closed.
[root@rhel77 /]#
```
--> CentOS 7.9 machine (IP: 192.168.10.135)
```
[root@centos79 ~]# ssh 192.168.10.110
Last login: Fri Jun 9 10:33:32 2023 from gateway
IPAddress: 192.168.10.110
Cpu Used: 1.00%
Memory Used: 5.3%
Swap Used: 0%
Disk Used: 8%
Disk Size: 69G
Services: 40
system core: 3.10.0-1062.el7.x86_64
yum already installation
[root@rhel77 ~]# hostname
rhel77
[root@rhel77 ~]# exit
登出
Connection to 192.168.10.110 closed.
[root@centos79 ~]#
```
At this point, the problem is solved.
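## IV. Summary
When setting up passwordless SSH mutual trust between Linux servers, the permissions on the relevant files and directories are strictly checked and must not be over-permissive. The key point:

1. The /root directory permissions must be: 700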
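
The check behind `Authentication refused: bad ownership or modes for directory /root`, as an added example that is not part of the original post: with `StrictModes yes` (the sshd default), sshd walks from the `authorized_keys` file up to the home directory and refuses key authentication if any component is not owned by the user or root, or is group- or world-writable. The function names `path_ok`, `check_ssh_path` and `demo` and the temporary directory are assumptions made here, and `stat -c` assumes GNU coreutils as on RHEL/CentOS.

```shell
#!/bin/sh
# Added example, not from the original post: mirrors the ownership/mode walk
# that sshd applies to the authorized_keys path when StrictModes is enabled.
# Assumes GNU stat (stat -c), as shipped on RHEL/CentOS.

# path_ok PATH UID: owner must be root or UID, with no group/other write bit.
path_ok() {
    info=$(stat -c '%u %a' "$1" 2>/dev/null) || return 1
    owner=${info% *}
    mode=${info#* }
    [ "$owner" -eq 0 ] || [ "$owner" -eq "$2" ] || return 1
    [ $(( 0$mode & 022 )) -eq 0 ]
}

# check_ssh_path HOME KEYFILE UID: prints the first offending component in
# sshd's wording and returns 1, or prints "ok" and returns 0.
check_ssh_path() {
    home=$(cd "$1" && pwd -P) || return 2
    dir=$(cd "$(dirname "$2")" && pwd -P) || return 2
    file=$dir/$(basename "$2")
    if ! path_ok "$file" "$3"; then
        echo "bad ownership or modes for file $file"
        return 1
    fi
    while :; do
        if ! path_ok "$dir" "$3"; then
            echo "bad ownership or modes for directory $dir"
            return 1
        fi
        # The walk ends once the home directory (or /) has been checked.
        if [ "$dir" = "$home" ] || [ "$dir" = "/" ]; then break; fi
        dir=$(dirname "$dir")
    done
    echo "ok"
}

# Constructed demo: a throwaway "home" given the 777 mode seen in the post.
demo() {
    d=$(mktemp -d) && mkdir "$d/.ssh" && : > "$d/.ssh/authorized_keys" || return 2
    chmod 700 "$d/.ssh"; chmod 600 "$d/.ssh/authorized_keys"
    chmod 777 "$d"; check_ssh_path "$d" "$d/.ssh/authorized_keys" "$(id -u)" || :
    chmod 700 "$d"; check_ssh_path "$d" "$d/.ssh/authorized_keys" "$(id -u)"
    rc=$?; rm -rf "$d"; return "$rc"
}

# Three arguments audit a real account, e.g. /root /root/.ssh/authorized_keys 0
if [ "$#" -eq 3 ]; then check_ssh_path "$@"; else demo; fi
```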