두 대의 서버를 연결하려고 합니다. 서버 A의 사용자 john으로부터 id_dsa.pub 키를 얻어 사용자 mike에 대한 서버 B의 Authorized_keys에 붙여넣었습니다.
그런 다음 마이크 로그인을 사용하여 서버 A에서 서버 B로 연결을 시도했지만 여전히 비밀번호를 요청했습니다.
authorized_keysMike의 .ssh/ 디렉토리에는 다음과 같은 파일 만 있습니다 .
bash-3.00$ ls -l
total 16
-rw------- 1 mike users 2422 Oct 8 14:47 authorized_keys
bash-3.00$
서버 B의 관리자는 이 파일만 있으면 서버 B에 연결할 수 있도록 보장합니다.
내가 뭐 놓친 거 없니?
매우 감사합니다!
편집: 로그는 다음과 같습니다.
johndbb3:/home/john/.ssh> ssh -vvv [email protected]
Sun_SSH_1.1, SSH protocols 1.5/2.0, OpenSSL 0x0090704f
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: ssh_connect: needpriv 0
debug1: Connecting to fpnld1.uk.db.com [10.240.1.215] port 22.
debug1: Connection established.
debug1: identity file /home/john/.ssh/identity type -1
debug3: Not a RSA1 key file /home/john/.ssh/id_rsa.
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug3: key_read: no key found
debug3: key_read: no space
debug3: key_read: no space
debug3: key_read: no space
debug3: key_read: no space
debug3: key_read: no space
debug3: key_read: no space
debug3: key_read: no space
debug3: key_read: no space
debug3: key_read: no space
debug3: key_read: no space
debug3: key_read: no space
debug3: key_read: no space
debug3: key_read: no space
debug2: key_type_from_name: unknown key type '-----END'
debug3: key_read: no key found
debug1: identity file /home/john/.ssh/id_rsa type 1
debug3: Not a RSA1 key file /home/john/.ssh/id_dsa.
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug3: key_read: no key found
debug3: key_read: no space
debug3: key_read: no space
debug3: key_read: no space
debug3: key_read: no space
debug3: key_read: no space
debug3: key_read: no space
debug3: key_read: no space
debug3: key_read: no space
debug3: key_read: no space
debug3: key_read: no space
debug2: key_type_from_name: unknown key type '-----END'
debug3: key_read: no key found
debug1: identity file /home/john/.ssh/id_dsa type 2
debug1: Remote protocol version 2.0, remote software version Sun_SSH_1.1.3
debug1: no match: Sun_SSH_1.1.3
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-Sun_SSH_1.1
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes128-cbc,arcfour,3des-cbc,blowfish-cbc
debug2: kex_parse_kexinit: aes128-ctr,aes128-cbc,arcfour,3des-cbc,blowfish-cbc
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: i-default
debug2: kex_parse_kexinit: i-default
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug1: Failed to acquire GSS-API credentials for any mechanisms (No credentials were supplied, or the credentials were unavailable or inaccessible
Unknown code 0
)
debug1: SSH2_MSG_KEXINIT sent
debug3: kex_reset_dispatch -- should we dispatch_set(KEXINIT) here? 0 && !0
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes128-cbc,arcfour,3des-cbc,blowfish-cbc
debug2: kex_parse_kexinit: aes128-ctr,aes128-cbc,arcfour,3des-cbc,blowfish-cbc
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: i-default
debug2: kex_parse_kexinit: i-default
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes128-cbc,arcfour,3des-cbc,blowfish-cbc,aes192-ctr,aes192-cbc,aes256-ctr,aes256-cbc
debug2: kex_parse_kexinit: aes128-ctr,aes128-cbc,arcfour,3des-cbc,blowfish-cbc,aes192-ctr,aes192-cbc,aes256-ctr,aes256-cbc
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: ar-EG,ar-SA,bg-BG,ca-ES,cs-CZ,da-DK,de,de-AT,de-CH,de-DE,de-LU,el-CY,el-GR,en-AU,en-CA,en-GB,en-IE,en-MT,en-NZ,en-US,es,es-AR,es-BO,es-CL,es-CO,es-CR,es-EC,es-ES,es-GT,es-MX,es-NI,es-PA,es-PE,es-PY,es-SV,es-UY,es-VE,et-EE,fi-FI,fr,fr-BE,fr-CA,fr-CH,fr-FR,fr-LU,he-IL,hr-HR,hu-HU,is-IS,it,it-IT,kk-KZ,lt-LT,lv-LV,mk-MK,mt-MT,nb-NO,nl-BE,nl-NL,nn-NO,pl,pl-PL,pt-BR,pt-PT,ro-RO,ru,ru-RU,sh-BA,sk-SK,sl-SI,sq-AL,sr-CS,sv,sv-SE,tr-TR,ar,ca,cz,da,el,et,fi,he,hu,lt,lv,nl,no,no-NO,no-NY,nr,pt,sr-SP,sr-YU,tr,i-default,uk-UA
debug2: kex_parse_kexinit: ar-EG,ar-SA,bg-BG,ca-ES,cs-CZ,da-DK,de,de-AT,de-CH,de-DE,de-LU,el-CY,el-GR,en-AU,en-CA,en-GB,en-IE,en-MT,en-NZ,en-US,es,es-AR,es-BO,es-CL,es-CO,es-CR,es-EC,es-ES,es-GT,es-MX,es-NI,es-PA,es-PE,es-PY,es-SV,es-UY,es-VE,et-EE,fi-FI,fr,fr-BE,fr-CA,fr-CH,fr-FR,fr-LU,he-IL,hr-HR,hu-HU,is-IS,it,it-IT,kk-KZ,lt-LT,lv-LV,mk-MK,mt-MT,nb-NO,nl-BE,nl-NL,nn-NO,pl,pl-PL,pt-BR,pt-PT,ro-RO,ru,ru-RU,sh-BA,sk-SK,sl-SI,sq-AL,sr-CS,sv,sv-SE,tr-TR,ar,ca,cz,da,el,et,fi,he,hu,lt,lv,nl,no,no-NO,no-NY,nr,pt,sr-SP,sr-YU,tr,i-default,uk-UA
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_init: found hmac-md5
debug1: kex: server->client aes128-ctr hmac-md5 none
debug2: mac_init: found hmac-md5
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: Peer sent proposed langtags, ctos: ar-EG,ar-SA,bg-BG,ca-ES,cs-CZ,da-DK,de,de-AT,de-CH,de-DE,de-LU,el-CY,el-GR,en-AU,en-CA,en-GB,en-IE,en-MT,en-NZ,en-US,es,es-AR,es-BO,es-CL,es-CO,es-CR,es-EC,es-ES,es-GT,es-MX,es-NI,es-PA,es-PE,es-PY,es-SV,es-UY,es-VE,et-EE,fi-FI,fr,fr-BE,fr-CA,fr-CH,fr-FR,fr-LU,he-IL,hr-HR,hu-HU,is-IS,it,it-IT,kk-KZ,lt-LT,lv-LV,mk-MK,mt-MT,nb-NO,nl-BE,nl-NL,nn-NO,pl,pl-PL,pt-BR,pt-PT,ro-RO,ru,ru-RU,sh-BA,sk-SK,sl-SI,sq-AL,sr-CS,sv,sv-SE,tr-TR,ar,ca,cz,da,el,et,fi,he,hu,lt,lv,nl,no,no-NO,no-NY,nr,pt,sr-SP,sr-YU,tr,i-default,uk-UA
debug1: Peer sent proposed langtags, stoc: ar-EG,ar-SA,bg-BG,ca-ES,cs-CZ,da-DK,de,de-AT,de-CH,de-DE,de-LU,el-CY,el-GR,en-AU,en-CA,en-GB,en-IE,en-MT,en-NZ,en-US,es,es-AR,es-BO,es-CL,es-CO,es-CR,es-EC,es-ES,es-GT,es-MX,es-NI,es-PA,es-PE,es-PY,es-SV,es-UY,es-VE,et-EE,fi-FI,fr,fr-BE,fr-CA,fr-CH,fr-FR,fr-LU,he-IL,hr-HR,hu-HU,is-IS,it,it-IT,kk-KZ,lt-LT,lv-LV,mk-MK,mt-MT,nb-NO,nl-BE,nl-NL,nn-NO,pl,pl-PL,pt-BR,pt-PT,ro-RO,ru,ru-RU,sh-BA,sk-SK,sl-SI,sq-AL,sr-CS,sv,sv-SE,tr-TR,ar,ca,cz,da,el,et,fi,he,hu,lt,lv,nl,no,no-NO,no-NY,nr,pt,sr-SP,sr-YU,tr,i-default,uk-UA
debug1: We proposed langtags, ctos: i-default
debug1: We proposed langtags, stoc: i-default
debug1: Negotiated lang: i-default
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: Remote: Negotiated main locale: C
debug1: Remote: Negotiated messages locale: C
debug1: dh_gen_key: priv key bits set: 129/256
debug1: bits set: 1594/3191
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug3: check_host_in_hostfile: filename /home/john/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 120
debug3: check_host_in_hostfile: filename /home/john/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 119
debug1: Host 'fpnld1.uk.db.com' is known and matches the RSA host key.
debug1: Found key in /home/john/.ssh/known_hosts:120
debug1: bits set: 1573/3191
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug3: kex_reset_dispatch -- should we dispatch_set(KEXINIT) here? 0 && !0
debug1: newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: done: ssh_kex2.
debug1: send SSH2_MSG_SERVICE_REQUEST
debug2: service_accept: ssh-userauth
debug1: got SSH2_MSG_SERVICE_ACCEPT
debug1: Authentications that can continue: gssapi-keyex,gssapi-with-mic,publickey,password,keyboard-interactive
debug3: start over, passed a different list gssapi-keyex,gssapi-with-mic,publickey,password,keyboard-interactive
debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup gssapi-keyex
debug3: remaining preferred: gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-keyex
debug1: Next authentication method: gssapi-keyex
debug2: we did not send a packet, disable method
debug3: authmethod_lookup gssapi-with-mic
debug3: remaining preferred: publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-with-mic
debug1: Next authentication method: gssapi-with-mic
debug1: Failed to acquire GSS-API credentials for any mechanisms (No credentials were supplied, or the credentials were unavailable or inaccessible
Unknown code 0
)
debug2: we did not send a packet, disable method
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /home/john/.ssh/identity
debug3: no such identity: /home/john/.ssh/identity
debug1: Trying public key: /home/john/.ssh/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: gssapi-keyex,gssapi-with-mic,publickey,password,keyboard-interactive
debug1: Trying public key: /home/john/.ssh/id_dsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: gssapi-keyex,gssapi-with-mic,publickey,password,keyboard-interactive
debug2: we did not send a packet, disable method
debug3: authmethod_lookup keyboard-interactive
debug3: remaining preferred: password
debug3: authmethod_is_enabled keyboard-interactive
debug1: Next authentication method: keyboard-interactive
debug2: userauth_kbdint
debug2: we sent a keyboard-interactive packet, wait for reply
debug2: input_userauth_info_req
debug2: input_userauth_info_req: num_prompts 1
Password:
johndbb3:/home/john/.ssh>
답변1
실수로 키를 복사했을 수도 있습니다. 이 시도:
- 서버 B(예: Mike):
rm ~/.ssh/authorized_keys - 서버 A(예: john):
ssh-copy-id -i /path/to/id_dsa.pub mike@serverb
이것SSH 복사 ID이 명령은 기본적으로 (비밀번호 인증을 사용하여) 원격 호스트에 연결한 다음 Authorized_keys를 적절하게 편집합니다. OpenSSH와 함께 배포된다고 생각합니다. 다른 것을 사용하면 사용하지 못할 수도 있습니다.
답변2
ServerB의 SSH 로그에 액세스할 수 있습니까? 그렇지 않은 경우 관리자가 관련 라인을 보내줄 수 있습니까?
ServerB에서 SSH 맨페이지에 설명된 대로 올바른 권한이 있는지 확인하십시오.
~/.ssh/
This directory is the default location for all user-specific con‐
figuration and authentication information. There is no general
requirement to keep the entire contents of this directory secret,
but the recommended permissions are read/write/execute for the
user, and not accessible by others.
~/.ssh/authorized_keys
Lists the public keys (RSA/DSA) that can be used for logging in
as this user. The format of this file is described in the
sshd(8) manual page. This file is not highly sensitive, but the
recommended permissions are read/write for the user, and not
accessible by others.
답변3
SSH 공개 키에는 최소한 두 가지 형식이 있는데, 저는 이를 OpenSSH 형식과 PuTTY 형식이라고 부릅니다. 귀하의 로그에서 "----BEGIN"에 대한 불만 사항을 확인했기 때문에 귀하의 서버에는 OpenSSH 스타일이 필요하지만 귀하는 PuTTY 스타일 키를 제공한 것 같습니다.
OpenSSH 형식은 전체 키와 주석을 한 줄의 텍스트에 배치하며 다음과 같습니다(DSA 키의 경우).
ssh-dss <ASCII-ENCODED-KEY-MATERIAL> my-comment-for-human-convenience
(RSA 키의 경우 "ssh-dss"를 "ssh-rsa"로 바꾸십시오.)
PuTTY 스타일은 더 장황하지만 동일한 정보를 포함합니다. 다음과 같이 보입니다:
---- BEGIN SSH2 PUBLIC KEY ----
Comment: "my-comment-for-human-convenience"
<ASCII-ENCODED-KEY-MATERIAL, split into...>
<...multiple lines of 64 characters each>
---- END SSH2 PUBLIC KEY ----
당신은 할 수PuTTYgen을 사용하여 두 형식 간 변환(스택 오버플로 질문). 또는 PuTTY 스타일 키가 RSA인지 DSA인지 주의 깊게 알고 있는 경우 키 중 하나를 다른 종류의 키로 수동으로 변환할 수 있습니다. " 라벨.
답변4
클라이언트에서 다음을 입력합니다.
ssh-keygen -t rsa -b 4096
비밀번호를 묻는 메시지가 나타나면 ENTER를 입력하세요.
~/.ssh로 이동하여 id_rsa.pub를 서버에 복사합니다. 고양이 id_rsa.pub >> /home/username/.ssh/authorized_keys
또한 키 기반 인증을 허용하도록 서버에서 /etc/ssh/sshd_config 파일을 편집합니다.
/etc/init.d/sshd restart를 실행하세요.
그런 다음 클라이언트 시스템에서 ssh usernameOfTheUserOnTheServerWhereYouCopiedTheKeyToAuthorizedKeys@192.168.1.x를 입력합니다.