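SSH pubkey authentication only works if another session is already open

Permissions are set correctly on the server (chibi). If I don't have an existing ssh session open to the server, all new sessions require a password. However, if one is already open, additional ssh sessions correctly authenticate using the pubkey.

My home is on an SD card. I moved authorized_keys to / and symlinked it, but that didn't fix the problem.

With no session open: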

    ting@core[0][09:11:32]:~$ ssh-add -L
    ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDXRYefDRi18Qtlkfmt/qK5dbzMk5ajMgIv4+jUyWTtL1detZAs/hoIKocqBib5ul+/snrGiFbYV1JQiiLaidXNwe1nsNCk6UMagrRaCkPxyEqiygh9Ha5pf7anVdx2sLwdSXU42qKOgmVAHolpQfZQ4r/XItmR8fbDzNgkYeT+yEpm9b69wSl2d3xWPMd+EnqiqXuUoXISvMxDXIsC8I4qff6ms4JMX1S6HxBnVUKg/4DgJ7x07m4cM6RbXvGXNy2KBMhHoy45V/lPlf8pey+Af0Zxyw+na3mlG2WmAyOCnwXKJ/9TqLpYiCUHhTR4wgmgZpLWpSyyHYZhGP951ozP /home/ting/.ssh/id_rsa
    ting@core[0][09:12:35]:~$ ssh -v chibi
    OpenSSH_5.5p1 Debian-4ubuntu5, OpenSSL 0.9.8o 01 Jun 2010
    debug1: Reading configuration data /etc/ssh/ssh_config
    debug1: Applying options for *
    debug1: Connecting to chibi [192.168.1.2] port 22.
    debug1: Connection established.
    debug1: identity file /home/ting/.ssh/id_rsa type 1
    debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-2048
    debug1: Checking blacklist file /etc/ssh/blacklist.RSA-2048
    debug1: identity file /home/ting/.ssh/id_rsa-cert type -1
    debug1: identity file /home/ting/.ssh/id_dsa type -1
    debug1: identity file /home/ting/.ssh/id_dsa-cert type -1
    debug1: Remote protocol version 2.0, remote software version OpenSSH_5.5p1 Debian-4ubuntu5
    debug1: match: OpenSSH_5.5p1 Debian-4ubuntu5 pat OpenSSH*
    debug1: Enabling compatibility mode for protocol 2.0
    debug1: Local version string SSH-2.0-OpenSSH_5.5p1 Debian-4ubuntu5
    debug1: SSH2_MSG_KEXINIT sent
    debug1: SSH2_MSG_KEXINIT received
    debug1: kex: server->client aes128-ctr hmac-md5 none
    debug1: kex: client->server aes128-ctr hmac-md5 none
    debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
    debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
    debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
    debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
    debug1: Host 'chibi' is known and matches the RSA host key.
    debug1: Found key in /home/ting/.ssh/known_hosts:37
    debug1: ssh_rsa_verify: signature correct
    debug1: SSH2_MSG_NEWKEYS sent
    debug1: expecting SSH2_MSG_NEWKEYS
    debug1: SSH2_MSG_NEWKEYS received
    debug1: Roaming not allowed by server
    debug1: SSH2_MSG_SERVICE_REQUEST sent
    debug1: SSH2_MSG_SERVICE_ACCEPT received
    debug1: Authentications that can continue: publickey,password
    debug1: Next authentication method: publickey
    debug1: Offering public key: /home/ting/.ssh/id_rsa
    debug1: Authentications that can continue: publickey,password
    debug1: Trying private key: /home/ting/.ssh/id_dsa
    debug1: Next authentication method: password
    ting@chibi's password:

With one session already connected, opening a second session:

    ting@core[0][09:14:14]:~$ ssh-add -L
    ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDXRYefDRi18Qtlkfmt/qK5dbzMk5ajMgIv4+jUyWTtL1detZAs/hoIKocqBib5ul+/snrGiFbYV1JQiiLaidXNwe1nsNCk6UMagrRaCkPxyEqiygh9Ha5pf7anVdx2sLwdSXU42qKOgmVAHolpQfZQ4r/XItmR8fbDzNgkYeT+yEpm9b69wSl2d3xWPMd+EnqiqXuUoXISvMxDXIsC8I4qff6ms4JMX1S6HxBnVUKg/4DgJ7x07m4cM6RbXvGXNy2KBMhHoy45V/lPlf8pey+Af0Zxyw+na3mlG2WmAyOCnwXKJ/9TqLpYiCUHhTR4wgmgZpLWpSyyHYZhGP951ozP /home/ting/.ssh/id_rsa
    ting@core[0][09:14:17]:~$ ssh -v chibi
    OpenSSH_5.5p1 Debian-4ubuntu5, OpenSSL 0.9.8o 01 Jun 2010
    debug1: Reading configuration data /etc/ssh/ssh_config
    debug1: Applying options for *
    debug1: Connecting to chibi [192.168.1.2] port 22.
    debug1: Connection established.
    debug1: identity file /home/ting/.ssh/id_rsa type 1
    debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-2048
    debug1: Checking blacklist file /etc/ssh/blacklist.RSA-2048
    debug1: identity file /home/ting/.ssh/id_rsa-cert type -1
    debug1: identity file /home/ting/.ssh/id_dsa type -1
    debug1: identity file /home/ting/.ssh/id_dsa-cert type -1
    debug1: Remote protocol version 2.0, remote software version OpenSSH_5.5p1 Debian-4ubuntu5
    debug1: match: OpenSSH_5.5p1 Debian-4ubuntu5 pat OpenSSH*
    debug1: Enabling compatibility mode for protocol 2.0
    debug1: Local version string SSH-2.0-OpenSSH_5.5p1 Debian-4ubuntu5
    debug1: SSH2_MSG_KEXINIT sent
    debug1: SSH2_MSG_KEXINIT received
    debug1: kex: server->client aes128-ctr hmac-md5 none
    debug1: kex: client->server aes128-ctr hmac-md5 none
    debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
    debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
    debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
    debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
    debug1: Host 'chibi' is known and matches the RSA host key.
    debug1: Found key in /home/ting/.ssh/known_hosts:37
    debug1: ssh_rsa_verify: signature correct
    debug1: SSH2_MSG_NEWKEYS sent
    debug1: expecting SSH2_MSG_NEWKEYS
    debug1: SSH2_MSG_NEWKEYS received
    debug1: Roaming not allowed by server
    debug1: SSH2_MSG_SERVICE_REQUEST sent
    debug1: SSH2_MSG_SERVICE_ACCEPT received
    debug1: Authentications that can continue: publickey,password
    debug1: Next authentication method: publickey
    debug1: Offering public key: /home/ting/.ssh/id_rsa
    debug1: Server accepts key: pkalg ssh-rsa blen 279
    debug1: Authentication succeeded (publickey).
    debug1: channel 0: new [client-session]
    debug1: Requesting no-more-sessions@openssh.com
    debug1: Entering interactive session.
    debug1: Sending environment.
    debug1: Sending env LANG = en_US.utf8
    .bashrc executed.
    .bash_aliases executed.
    ting@chibi[0][14:14:41]:~$

Diff between the two sessions:

    ting@core[0][09:20:47]:~$ diff ssh1.txt ssh2.txt
    36,39c36,37
    < debug1: Authentications that can continue: publickey,password
    < debug1: Trying private key: /home/ting/.ssh/id_dsa
    < debug1: Next authentication method: password
    debug1: Server accepts key: pkalg ssh-rsa blen 279
    > debug1: Authentication succeeded (publickey).
    53,54c51,52
    < Transferred: sent 2216, received 8360 bytes, in 11.2 seconds
    Transferred: sent 2712, received 7464 bytes, in 9.1 seconds
    > Bytes per second: sent 298.4, received 821.3

File permissions:

    drwx------ 2 ting ting 4.0K 2011-03-30 14:00 .ssh/
    -rw------- 1 ting ting 404 2011-03-30 14:00 authorized_keys
    -rw------- 1 ting ting 132 2011-03-23 02:47 environment
    -rw-r--r-- 1 ting ting 4.4K 2011-03-25 11:59 known_hosts
    ting@chibi[0][23:57:13]:~/.ssh$

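It looks like your home directory, or the location where your keys reside, is encrypted. The first login mounts and decrypts the directory, which lets the ssh daemon use the key file.

The solution is to move the "authorized_keys" file to a device that is not encrypted by default.

After that, you have to point the ssh daemon to that location. The following configuration option is used for this.

AuthorizedKeysFile specifies the file that contains the public keys that can be used for user authentication. AuthorizedKeysFile may contain tokens of the form %T which are substituted during connection setup. The following tokens are defined: %% is replaced by a literal '%', %h is replaced by the home directory of the user being authenticated, and %u is replaced by the username of that user. After expansion, AuthorizedKeysFile is taken to be an absolute path or one relative to the user's home directory. The default is ".ssh/authorized_keys".

Maybe something like this: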

    AuthorizedKeysFile /etc/ssh/%u/authorized_keys
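
One way to check where a given AuthorizedKeysFile value ends up, as an added example that is not part of the original answer: it expands the tokens quoted above, reports whether the result still sits inside the home directory, and looks for group- or world-writable path components. The function names are hypothetical, and the permission walk is a simplified stand-in for sshd's own checks (it ignores ownership).

```shell
#!/bin/sh
# Added example. User "ting" and /home/ting come from the question;
# expand_akf, needs_home and check_strict are names made up for this sketch.

# Expand an AuthorizedKeysFile pattern: %% -> %, %h -> home, %u -> user.
# A result that is not absolute is taken relative to the home directory.
expand_akf() {  # usage: expand_akf PATTERN USER HOME
    rest=$1 out=
    while [ -n "$rest" ]; do
        case $rest in
            '%%'*) out="${out}%"; rest=${rest#'%%'} ;;
            '%h'*) out="$out$3";  rest=${rest#'%h'} ;;
            '%u'*) out="$out$2";  rest=${rest#'%u'} ;;
            *) tail=${rest#?}; out="$out${rest%"$tail"}"; rest=$tail ;;
        esac
    done
    case $out in /*) ;; *) out="$3/$out" ;; esac
    printf '%s\n' "$out"
}

# Succeeds if FILE lies inside HOME, i.e. sshd can only read it once the
# home filesystem is mounted. A symlink placed inside HOME has the same issue.
needs_home() {  # usage: needs_home FILE HOME
    case $1 in "$2"/*) return 0 ;; *) return 1 ;; esac
}

# Walk from FILE up to STOP_DIR; print the first component that is missing
# or group/world-writable and return non-zero. Ownership is not checked.
check_strict() {  # usage: check_strict FILE STOP_DIR
    p=$1
    while :; do
        [ -e "$p" ] || { printf '%s\n' "$p"; return 2; }
        case $(ls -ldL "$p" | cut -c6,9) in
            *w*) printf '%s\n' "$p"; return 1 ;;
        esac
        if [ "$p" = "$2" ] || [ "$p" = / ]; then return 0; fi
        p=$(dirname "$p")
    done
}

# Compare the default pattern with the one suggested in the answer.
for pat in '.ssh/authorized_keys' '/etc/ssh/%u/authorized_keys'; do
    f=$(expand_akf "$pat" ting /home/ting)
    if needs_home "$f" /home/ting; then note='needs the home mount'
    else note='readable before login'; fi
    printf '%s -> %s (%s)\n' "$pat" "$f" "$note"
done
```

On the server, `check_strict /etc/ssh/ting/authorized_keys /` can be run after creating the file to confirm that no component of the new path is writable by group or others.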