나는 다른 해결책을 시도했지만 그 중 아무것도 효과가 없었습니다.
내 컴퓨터에서 ssh-keygen을 사용하여 키를 생성했습니다. 내 Linux 서버에 이 키를 추가했는데 /root/.ssh/authorized_keys
제대로 작동합니다.
두 번째 Linux 서버에서도 동일한 작업을 수행했습니다. 그러나 이것은 작동하지 않습니다. 나는 다른 것을 시도했습니다:
- 내 열쇠를 넣어줘
/root/.ssh/authorized_keys2
- 편집
/etc/ssh/ssh_config
및/etc/ssh/sshd_config
(라인에 주석 달기 및 주석 해제를 통해) - 올바른 권한 부여(
.ssh
디렉터리 700개, authenticate_keys 파일 600개)
아무 것도 작동하지 않는 것 같습니다. 여전히 비밀번호를 묻는 메시지가 나타납니다.
무엇이 문제일까요?
감사합니다.
편집하다:
`sshd_config
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes
# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 1024
# Logging
SyslogFacility AUTH
LogLevel INFO
# Authentication:
LoginGraceTime 120
#PermitRootLogin without-password
PermitRootLogin no
StrictModes yes
AllowUsers user
RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile %h/.ssh/authorized_keys
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes
# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no
# Change to no to disable tunnelled clear text passwords
#PasswordAuthentication yes
# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no
#MaxStartups 10:30:60
#Banner /etc/issue.net
# Allow client to pass locale environment variables
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes
Ciphers [email protected],[email protected],aes256-ctr,aes128-ctr
MACs [email protected],[email protected],[email protected],hmac-sha2-512,hmac-sha2-256,hmac-ripemd160
KexAlgorithms diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1
내 ssh -vv 결과
OpenSSH_6.7p1 Debian-5+deb8u3, OpenSSL 1.0.1t 3 May 2016 debug1: Reading configuration data /etc/ssh/ssh_config debug1: /etc/ssh/ssh_config line 19: Applying options for * debug2: ssh_connect: needpriv 0 debug1: Connecting to IP [IP] port 22. debug1: Connection established. debug1: permanently_set_uid: 0/0 debug1: identity file /root/.ssh/id_rsa type 1 debug1: key_load_public: No such file or directory debug1: identity file /root/.ssh/id_rsa-cert type -1 debug1: key_load_public: No such file or directory debug1: identity file /root/.ssh/id_dsa type -1 debug1: key_load_public: No such file or directory debug1: identity file /root/.ssh/id_dsa-cert type -1 debug1: key_load_public: No such file or directory debug1: identity file /root/.ssh/id_ecdsa type -1 debug1: key_load_public: No such file or directory debug1: identity file /root/.ssh/id_ecdsa-cert type -1 debug1: key_load_public: No such file or directory debug1: identity file /root/.ssh/id_ed25519 type -1 debug1: key_load_public: No such file or directory debug1: identity file /root/.ssh/id_ed25519-cert type -1 debug1: Enabling compatibility mode for protocol 2.0 debug1: Local version string SSH-2.0-OpenSSH_6.7p1 Debian-5+deb8u3 debug1: Remote protocol version 2.0, remote software version OpenSSH_6.7p1 Debian-5+deb8u3 debug1: match: OpenSSH_6.7p1 Debian-5+deb8u3 pat OpenSSH* compat 0x04000000 debug2: fd 3 setting O_NONBLOCK debug1: SSH2_MSG_KEXINIT sent debug1: SSH2_MSG_KEXINIT received debug2: kex_parse_kexinit: [email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1 debug2: kex_parse_kexinit: [email protected],ssh-ed25519,[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-rsa,ssh-dss debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected],[email protected],arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected]
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected],[email protected],arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected]
debug2: kex_parse_kexinit: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1,[email protected],[email protected],[email protected],[email protected],hmac-md5,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1,[email protected],[email protected],[email protected],[email protected],hmac-md5,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: none,[email protected],zlib debug2: kex_parse_kexinit: none,[email protected],zlib debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: first_kex_follows 0 debug2: kex_parse_kexinit: reserved 0 debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1 debug2: kex_parse_kexinit: ssh-rsa,ssh-ed25519 debug2: kex_parse_kexinit: [email protected],[email protected],aes256-ctr,aes128-ctr debug2: kex_parse_kexinit: [email protected],[email protected],aes256-ctr,aes128-ctr debug2: kex_parse_kexinit: [email protected],[email protected],[email protected],hmac-sha2-512,hmac-sha2-256,hmac-ripemd160 debug2: kex_parse_kexinit: [email protected],[email protected],[email protected],hmac-sha2-512,hmac-sha2-256,hmac-ripemd160 debug2: kex_parse_kexinit: none,[email protected]
debug2: kex_parse_kexinit: none,[email protected]
debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: first_kex_follows 0 debug2: kex_parse_kexinit: reserved 0 debug2: mac_setup: setup [email protected]
debug1: kex: server->client aes128-ctr [email protected] none debug2: mac_setup: setup [email protected]
debug1: kex: client->server aes128-ctr [email protected] none debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<3072<8192) sent debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP debug2: bits set: 1580/3072 debug1: SSH2_MSG_KEX_DH_GEX_INIT sent debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY debug1: Server host key: ED25519 67:fd:fd:6e:a5:c1:32:96:9d:33:32:1a:cf:83:94:ea debug1: Host '[IP]:22' is known and matches the ED25519 host key. debug1: Found key in /root/.ssh/known_hosts:1 debug2: bits set: 1546/3072 debug2: kex_derive_keys debug2: set_newkeys: mode 1 debug1: SSH2_MSG_NEWKEYS sent debug1: expecting SSH2_MSG_NEWKEYS debug2: set_newkeys: mode 0 debug1: SSH2_MSG_NEWKEYS received debug1: SSH2_MSG_SERVICE_REQUEST sent debug2: service_accept: ssh-userauth debug1: SSH2_MSG_SERVICE_ACCEPT received debug2: key: /root/.ssh/id_rsa (0x7f84b8ce74a0), debug2: key: /root/.ssh/id_dsa ((nil)), debug2: key: /root/.ssh/id_ecdsa ((nil)), debug2: key: /root/.ssh/id_ed25519 ((nil)), debug1: Authentications that can continue: publickey,password debug1: Next authentication method: publickey debug1: Offering RSA public key: /root/.ssh/id_rsa debug2: we sent a publickey packet, wait for reply debug1: Authentications that can continue: publickey,password debug1: Trying private key: /root/.ssh/id_dsa debug1: Trying private key: /root/.ssh/id_ecdsa debug1: Trying private key: /root/.ssh/id_ed25519 debug2: we did not send a packet, disable method
user@IP의 비밀번호:
/var/log/auth.log
(원격 서버에서)
Jul 12 12:24:43 ns3111463 sshd[12971]: input_userauth_request: invalid user root [preauth] Jul 12 12:24:44 ns3111463 sshd[12971]: Connection closed by IP [preauth] Jul 12 12:24:46 ns3111463 sshd[12973]: Connection closed by IP [preauth] Jul 12 12:24:48 ns3111463 sshd[11787]: Received signal 15; terminating. Jul 12 12:24:48 ns3111463 sshd[12977]: Server listening on 0.0.0.0 port 22. Jul 12 12:24:48 ns3111463 sshd[12977]: Server listening on :: port 22. Jul 12 12:24:50 ns3111463 sshd[12978]: Connection closed by IP [preauth] Jul 12 12:24:51 ns3111463 sshd[12980]: User root from IP not allowed because not listed in AllowUsers Jul 12 12:24:51 ns3111463 sshd[12980]: input_userauth_request: invalid user root [preauth] Jul 12 12:24:51 ns3111463 sshd[12980]: Connection closed by IP [preauth] Jul 12 12:25:49 ns3111463 sshd[12977]: Received signal 15; terminating. Jul 12 12:25:49 ns3111463 sshd[13029]: Server listening on 0.0.0.0 port 22. Jul 12 12:25:49 ns3111463 sshd[13029]: Server listening on :: port 22. Jul 12 12:25:50 ns3111463 sshd[13030]: User root from IP not allowed because not listed in AllowUsers Jul 12 12:25:50 ns3111463 sshd[13030]: input_userauth_request: invalid user root [preauth] Jul 12 12:25:51 ns3111463 sshd[13030]: Connection closed by IP [preauth] Jul 12 12:25:53 ns3111463 sshd[13032]: Connection closed by IP [preauth] Jul 12 12:37:41 ns3111463 sshd[13552]: Connection closed by IP [preauth] Jul 12 12:38:09 ns3111463 sshd[13598]: Connection closed by IP [preauth]
답변1
따라서 공개 키 인증과 관련하여 ssh는 권한에 대해 매우 까다롭기 때문에 주의해야 합니다.
.ssh
무엇을 제한해야 하는지에 대해서는 적어도 당신 의 말이 옳습니다. 그러나 그게 전부는 아닙니다. 또한 /root
각각 사용자가 제한하고 소유 해야 합니다 .
따라서 그룹이 집에 쓸 수 없도록 사용자의 "집"을 조정하고 755
집의 올바른 소유자도 할당해 보십시오.
또한 "authorized_keys" 대신 "authorized_keys2"를 사용하는 이유는 무엇입니까? 작동하지 않는 것 같나요?
답변2
따라서 PermitRootLogin no
루트 홈 디렉터리에authorized_keys 파일이 있습니다. 대신 사용해 보세요 PermitRootLogin without-password
. 그런 다음 SSH 서버를 다시 시작합니다.
systemctl restart sshd.service
참고: 키를 사용하는 경우에도 SSH를 통해 루트 로그인을 비활성화하는 것이 가장 좋습니다. 대신, 사용자 정의 사용자를 생성하고 해당 사용자를 사용하여 SSH에 로그인하십시오. 그런 다음 su
루트로 전환 할 수 있습니다 .
편집하다:
루트가 아닌 사용자로 로그인하려면 공개 키를 사용자의 Authorized_keys 파일에 넣어야 합니다.
/home/$USER/.ssh/authorized_keys
편집 2:
PasswordAuthentication no
모든 사용자에 대해 비밀번호 확인을 비활성화하려면 SSH 서버를 설정 하고 다시 시작하세요.