欢迎访问昆山宝鼎软件有限公司网站! 设为首页 | 网站地图 | XML | RSS订阅 | 宝鼎邮箱 | 后台管理


新闻资讯

MENU

软件开发知识

we sent a p 昆山软件定制开发 ublic key packet

点击: 次  来源:昆山软开发 时间:2017-11-25

原文出处: xrzs

0、配景

因为 hadoop 情况需要 master 能免暗码 ssh localhost,所以我们需要成立与本机 localhost 的互信,要领很简朴:

1. ssh-keygen -t rsa
   #Press enter for each line 
2. cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys
3. chmod og-wx ~/.ssh/authorized_keys

这三步执行下来就能顺利 ssh localhost 免暗码登录了,可是昨天刚建好的互信,本日下午溘然不能用了,ssh localhost 需要暗码,第一回响是大概那边配置和设置被窜改了,看了下文件版本、设置修改时间都无变革,然而登录时的提示信息又过于简朴,这个时候排查陷入僵局了。

work@test_zz_Master 192.168.187.213 18:45:18 ~ >
ssh localhost            
work@localhost's password: 

work@test_zz_Master 192.168.187.213 18:45:24 ~ >

1、怎么排查?

1.1 debug 日志

首先照旧要拿到明细 debug 日志,看看卡在那边了。linux 下的不少呼吁都自带调试成果,好比 ssh 就自带 debug 成果:

ssh -vvv localhost
OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to localhost [127.0.0.1] port 22.
debug1: Connection established.
debug1: identity file /home/work/.ssh/identity type -1
debug1: identity file /home/work/.ssh/identity-cert type -1
...
debug3: remaining preferred: keyboard-interactive,password
// 启用公钥登录
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /home/work/.ssh/identity
debug3: no such identity: /home/work/.ssh/identity
debug1: Offering public key: /home/work/.ssh/id_rsa
debug3: send_pubkey_test
// 发送公钥包,期待处事器认证响应
debug2: we sent a publickey packet, wait for reply
debug3: Wrote 368 bytes for a total of 1741
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Trying private key: /home/work/.ssh/id_dsa
debug3: no such identity: /home/work/.ssh/id_dsa
debug1: Trying private key: /home/work/.ssh/id_ecdsa
debug3: no such identity: /home/work/.ssh/id_ecdsa
// 没通过认证,禁用该认证要领
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred: ,password
debug3: authmethod_is_enabled password
// 下一个认证要领:启用暗码登录
debug1: Next authentication method: password
work@localhost's password:

可以看到,确实是认证失败了,可是仅凭一句 we did not send a packet, disable method,咱们照旧无法看到失败的深条理原因,那咱们再比拟下正常的认证流程应该是奈何的:

we sent a p 昆山软件定制开拓 ublic key packet

可以看到右边正常的会接管公钥,左边的则没有获得响应,劳务派遣管理系统,继承走此外认证方法。

1.2 查抄设置

打开处事器的 /etc/ssh/sshd_config

确认下面几行是这样的:

RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile      .ssh/authorized_keys

#GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes

设置没问题,此路照旧不通。

1.3 Debugging SSH public key

在B呆板上,we sent a public key packet, wait for reply 之后则是紧随着”debug1: Server accepts key: pkalg ssh-rsa blen 277″。由此可以看出,是A呆板的sshd不承认publickey。

至于为什么不承认,在google上查了很多,毫无头绪,劳务派遣管理系统,直到利用雷同“ssh publickey ignore debug diagnose”这样的要害词,发明这个页面,个中的第二条和第六条给出相识答:

2. Debugging on the remote host by running sshd in debug mode: Run ‘/usr/sbin/sshd -d -p 2222′ on the remote host and connect to it. ’2222′ here is the port number of the sshd process you started on the remote host.

6. Check the permissions on your home directory, .ssh directory, and the authorized_keys file: If your ssh server is running with ‘StrictModes on’, it will refuse to use your public keys in the ~/.ssh/authorized_keys file. Your home directory should be writable only by you, ~/.ssh should be 700, and authorized_keys should be 600.

通过执行 /usr/sbin/sshd -d -p 2222 (在2222端口启动一个带debug输出的sshd) ,

然后 ssh -vv localhost -p 2222 ,可以看到 sshd 的输出:

[root(hostname)@bjdhj-187-213 ~]# /usr/sbin/sshd -d -p 2222
debug1: sshd version OpenSSH_5.3p1
debug1: read PEM private key done: type RSA
...
debug1: trying public key file /home/work/.ssh/authorized_keys
debug1: fd 4 clearing O_NONBLOCK
Authentication refused: bad ownership or modes for directory /home/work
debug1: restore_uid: 0/0
debug1: temporarily_use_uid: 500/500 (e=0/0)
debug1: trying public key file /home/work/.ssh/authorized_keys
debug1: fd 4 clearing O_NONBLOCK
Authentication refused: bad ownership or modes for directory /home/work
debug1: restore_uid: 0/0
Failed publickey for work from 127.0.0.1 port 45548 ssp

可以看到倒数第三行:Authentication refused: bad ownership or modes for directory /home/work,

正好与那第六条相对应,再查抄一下 /home/work ,其权限是否是其他组可读写。