前阵子搭建Hadoop时,配置了本机(localhost)的ssh的公钥到authorized_keys文件中,但是在ssh连接localhost时仍然提示需要输入密码,后来发现是$HOME/.ssh/authorized_keys这个文件的权限问题引起的。其原因是,不能让所有者之外的用户对authorized_keys文件有写权限,否则,sshd将不允许使用该文件,因为它可能会被其他用户篡改。
命令行的演示如下:
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
|
[hadoop@guest1 ~]$ cd .ssh/[hadoop@guest1 .ssh]$ ll
total
16
-rw-rw-r--
1
hadoop hadoop
395
Jan
1218
:
37
authorized_keys
-rw-------
1
hadoop hadoop
1675
Jan
1218
:
36
id_rsa
-rw-r--r--
1
hadoop hadoop
395
Jan
1218
:
36
id_rsa.pub
-rw-r--r--
1
hadoop hadoop
796
Jan
6
08
:
40
known_hosts
#注意这里的authorized_keys文件的权限;这时该文件中的key是不起作用的。#用chmod修改authorized_keys文件的权限[hadoop@guest1 .ssh]$ chmod g-w authorized_keys
[hadoop@guest1 .ssh]$ ll
total
16
-rw-r--r--
1
hadoop hadoop
395
Jan
1218
:
37
authorized_keys
-rw-------
1
hadoop hadoop
1675
Jan
1218
:
36
id_rsa
-rw-r--r--
1
hadoop hadoop
395
Jan
1218
:
36
id_rsa.pub
-rw-r--r--
1
hadoop hadoop
796
Jan
6
08
:
40
known_hosts
#修改后,sshd就可以正常使用authorized_keys文件了[hadoop@guest1 ~]$ ssh localhost
Last login: Sat Jan
1218
:
40
:
332013
from localhost
[hadoop@guest1 ~]$ exitlogout
Connection to localhost closed.
[hadoop@guest1 ~]$
|
后来,我详细查了一下,如果authorized_keys文件、$HOME/.ssh目录 或 $HOME目录让本用户之外的用户有写权限,那么sshd都会拒绝使用 ~/.ssh/authorized_keys 文件中的key来进行认证的。
“man sshd”命令查看对authorized_keys文件的描述如下:
|
1
2
3
4
5
6
7
8
9
10
11
|
man sshd
.....
~/.ssh/authorized_keys
Lists the
public
keys (DSA/ECDSA/RSA) that can be used
for
logging
in
as
this
user. The format of
this
file
is
described above. The content of the file
is
not highly sensitive, but the recommended
permissions are read/write
for
the user, and not accessible by others.
If
this
file, the ~/.ssh directory, or the user's home directory are writable by other users, then the
file could be modified or replaced by unauthorized users. In
this
case
, sshd will not allow it to be
used unless the StrictModes option has been
set
to “no”.
........
|
扫一扫
1415
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
