文章描述了一个Ubuntu20.04系统中SSH登录时遇到的问题,即使已经设置了免密登录,仍然需要输入密码并报错。通过分析ssh日志,发现可能是配置、文件权限或zsh相关问题。解决方案包括检查和修改.ssh目录及authorized_keys文件的权限,以及在zsh已卸载的情况下修正默认shell为bash。经过这些步骤,问题最终得到解决。
问题描述
- 环境:ubuntu 20.04
- 问题描述:在已经设置免密登录后,ssh登录时(例如
ssh localhost)还需要输入密码,并且输入密码后出现下面一系列的报错:
xxx(用户名)@localhost's password:
Permission denied, please try again.
xxx@localhost's password:
Permission denied, please try again.
xxx@localhost's password:
xxx@localhost: Permission denied (publickey,password).
问题排查
首先使用命令ssh localhost -v查看登录时的日志:
OpenSSH_8.2p1 Ubuntu-4ubuntu0.5, OpenSSL 1.1.1f 31 Mar 2020
debug1: Reading configuration data /home/yhy/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: include /etc/ssh/ssh_config.d/*.conf matched no files
debug1: /etc/ssh/ssh_config line 21: Applying options for *
debug1: Connecting to localhost [127.0.0.1] port 22.
debug1: Connection established.
debug1: identity file /home/yhy/.ssh/id_rsa type 0
debug1: identity file /home/yhy/.ssh/id_rsa-cert type -1
debug1: identity file /home/yhy/.ssh/id_dsa type 1
debug1: identity file /home/yhy/.ssh/id_dsa-cert type -1
debug1: identity file /home/yhy/.ssh/id_ecdsa type -1
debug1: identity file /home/yhy/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/yhy/.ssh/id_ecdsa_sk type -1
debug1: identity file /home/yhy/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file /home/yhy/.ssh/id_ed25519 type -1
debug1: identity file /home/yhy/.ssh/id_ed25519-cert type -1
debug1: identity file /home/yhy/.ssh/id_ed25519_sk type -1
debug1: identity file /home/yhy/.ssh/id_ed25519_sk-cert type -1
debug1: identity file /home/yhy/.ssh/id_xmss type -1
debug1: identity file /home/yhy/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.5
debug1: Remote protocol version 2.0, remote software version OpenSSH_8.2p1 Ubuntu-4ubuntu0.5
debug1: match: OpenSSH_8.2p1 Ubuntu-4ubuntu0.5 pat OpenSSH* compat 0x04000000
debug1: Authenticating to localhost:22 as 'yhy'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ssh-ed25519
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ssh-ed25519 SHA256:KgNVsJSzDmK9KHR57LTY2Xarsui27l0FIm9CY2fUO6o
debug1: Host 'localhost' is known and matches the ED25519 host key.
debug1: Found key in /home/yhy/.ssh/known_hosts:1
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 134217728 blocks
debug1: Will attempt key: /home/yhy/.ssh/id_dsa DSA SHA256:G/HRSEJY5SzAo4ejVp+GVHkIp+UjzMTETklcP2P0ym4 agent
debug1: Will attempt key: /home/yhy/.ssh/id_rsa RSA SHA256:ysy/bD0PakYR49V2kxCs95GxfpHjLifTAPqNJ5yH480 agent
debug1: Will attempt key: /home/yhy/.ssh/id_ecdsa
debug1: Will attempt key: /home/yhy/.ssh/id_ecdsa_sk
debug1: Will attempt key: /home/yhy/.ssh/id_ed25519
debug1: Will attempt key: /home/yhy/.ssh/id_ed25519_sk
debug1: Will attempt key: /home/yhy/.ssh/id_xmss
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,sk-ssh-ed25519@openssh.com,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp256@openssh.com>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering public key: /home/yhy/.ssh/id_dsa DSA SHA256:G/HRSEJY5SzAo4ejVp+GVHkIp+UjzMTETklcP2P0ym4 agent
debug1: Authentications that can continue: publickey,password
debug1: Offering public key: /home/yhy/.ssh/id_rsa RSA SHA256:ysy/bD0PakYR49V2kxCs95GxfpHjLifTAPqNJ5yH480 agent
debug1: Authentications that can continue: publickey,password
debug1: Trying private key: /home/yhy/.ssh/id_ecdsa
debug1: Trying private key: /home/yhy/.ssh/id_ecdsa_sk
debug1: Trying private key: /home/yhy/.ssh/id_ed25519
debug1: Trying private key: /home/yhy/.ssh/id_ed25519_sk
debug1: Trying private key: /home/yhy/.ssh/id_xmss
debug1: Next authentication method: password
从日志上看,应该还是配置的问题。
可能的原因
- 配置问题:如果是ssh配置的问题首先可以尝试这里修改配置。(如果之前从未修改过相关配置,大概率不是这里的问题)
进行上面的方法后,如果还不行,说明不是配置文件的问题。 - 文件权限问题:有时文件权限也可能会导致登录失败,按照上述方法查看日志后,如果日志中出现有关文件权限的错误
badownership,那么就要考虑.ssh文件夹和authorized_keys文件的权限问题了。
进入.ssh文件夹下,使用如下命令查看文件夹的信息:
该目录必须具有上面所示的读(r)、写(w)、执行(x) 权限,如果没有则需要使用命令:ll -ld drwx------ 3 xxx xxx 4096 5月 3 08:41 ./
修改权限;chmod 0700 /home/your_home/.ssh
使用命令:
查看文件/home/xxx/.ssh$ ls -ld authorized_keys -rw------- 1 yhy yhy 564 5月 3 07:08 authorized_keysauthorized_keys的文件权限。该文件必须有上面所示的读写(rw) 权限,否则使用命令:
修改权限。chmod 0600 /home/[username]/.ssh/authorized_keys - zsh问题:如果上述方法都不奏效,且你正在/曾经使用
zsh那么恭喜你可能遇到了和我相同的问题。这个问题可以通过命令
查看ssh服务运行状态发现,如果运行日志中有:service sshd status
那么就是由于User xxx not allowed because shell /bin/zshzsh使用问题导致。我的问题是之前使用过zsh,卸载后忘记修改默认终端,导致ssh出现问题。
首先查看系统可用终端:
$ cat /etc/shells
# /etc/shells: valid login shells
/bin/sh
/bin/bash
/usr/bin/bash
/bin/rbash
/usr/bin/rbash
/bin/dash
/usr/bin/dash
/bin/zsh
/usr/bin/zsh
可以看到由于之前设置过该文件,所以里面有bin/zsh和usr/bin/zsh,如果zsh已经卸载的话,可以删除后面这两行。
通过命令sudo nautilus可以以管理员身份打开文件夹,并且任意对里面的文件进行修改。
接下来查看系统默认shell:
$ echo $SHELL
/bin/zsh
可以看到还是因为之前的设置,默认shell是zsh。通过命令:
grep xxx(你的用户名) /etc/passwd #这条命令显示/etc/passwd中用户的终端设置
sudo chsh --shell /bin/bash xxx #这条命令修改用户的默认终端为/bin/bash
grep xxx /etc/passwd #再次查看,默认终端已经变成/bin/bash
在用户登录时,系统会根据/etc/passwd中的设置为用户设置默认终端,所以执行完上述操作后重启,再次检查默认终端:
echo $SHELL
/bin/bash
会发现终端已经改成了/bin/bash。
这时候再试一试ssh localhost,会发现登录成功:
问题得到解决。
如果上面的方法都不能解决,就要根据日志和服务状态信息中的其它内容进行排查了。
总结
这个ssh登录失败问题困扰了我很长时间,试了网上很多种方法都没有奏效,最后查看系统服务日志才发现问题所在。以后删除某个软件的时候,一定要把相关的配置还原成为默认的,否则不知道哪天会出问题!
扫一扫
13万+
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
