gpt4 book ai didi

linux - PubKey SSH Auth 在 CentOS 上失败,但在 Ubuntu 上有效

转载 作者:行者123 更新时间:2023-12-04 19:43:36 27 4
gpt4 key购买 nike

我正在检查我所有的虚拟机并添加一个 nagios 用户。

当我在 Ubuntu 上完成我的步骤(如下所述)时,一切正常。但是在 CentOS 6.2 上做同样的事情,我不能通过 pubkey auth 进行 ssh,只能通过密码 auth。

我已经验证了:

  • /home/nagios目录具有正确的所有者和权限
  • authorized_keys文件存在并正确填充

  • 我还应该检查哪些其他事项? 不同版本的 SSH 可能会导致问题吗?

    连接到 CentOS 6.2 远程机器时的日志:
    nagios@redacted:/home/redacted$ ssh -v nagios@remote.machine -i /var/lib/nagios/keys/id_rsa
    OpenSSH_7.2p2 Ubuntu-4ubuntu2.1, OpenSSL 1.0.2g 1 Mar 2016
    debug1: Reading configuration data /etc/ssh/ssh_config
    debug1: /etc/ssh/ssh_config line 19: Applying options for *
    debug1: Connecting to remote.machine [192.168.redacted.redacted] port 22.
    debug1: Connection established.
    debug1: identity file /var/lib/nagios/keys/id_rsa type 1
    debug1: key_load_public: No such file or directory
    debug1: identity file /var/lib/nagios/keys/id_rsa-cert type -1
    debug1: Enabling compatibility mode for protocol 2.0
    debug1: Local version string SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.1
    debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
    debug1: match: OpenSSH_5.3 pat OpenSSH_5* compat 0x0c000000
    debug1: Authenticating to remote.machine:22 as 'nagios'
    debug1: SSH2_MSG_KEXINIT sent
    debug1: SSH2_MSG_KEXINIT received
    debug1: kex: algorithm: diffie-hellman-group-exchange-sha256
    debug1: kex: host key algorithm: ssh-rsa
    debug1: kex: server->client cipher: aes128-ctr MAC: umac-64@openssh.com compression: none
    debug1: kex: client->server cipher: aes128-ctr MAC: umac-64@openssh.com compression: none
    debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(2048<3072<8192) sent
    debug1: got SSH2_MSG_KEX_DH_GEX_GROUP
    debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
    debug1: got SSH2_MSG_KEX_DH_GEX_REPLY
    debug1: Server host key: ssh-rsa SHA256:redacted
    debug1: Host 'remote.machine' is known and matches the RSA host key.
    debug1: Found key in /var/lib/nagios/.ssh/known_hosts:7
    debug1: rekey after 4294967296 blocks
    debug1: SSH2_MSG_NEWKEYS sent
    debug1: expecting SSH2_MSG_NEWKEYS
    debug1: rekey after 4294967296 blocks
    debug1: SSH2_MSG_NEWKEYS received
    debug1: SSH2_MSG_SERVICE_ACCEPT received
    debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
    debug1: Next authentication method: gssapi-keyex
    debug1: No valid Key exchange context
    debug1: Next authentication method: gssapi-with-mic
    debug1: Unspecified GSS failure. Minor code may provide more information
    No Kerberos credentials available

    debug1: Unspecified GSS failure. Minor code may provide more information
    No Kerberos credentials available

    debug1: Unspecified GSS failure. Minor code may provide more information


    debug1: Unspecified GSS failure. Minor code may provide more information
    No Kerberos credentials available

    debug1: Next authentication method: publickey
    debug1: Offering RSA public key: /var/lib/nagios/keys/id_rsa
    debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
    debug1: No more authentication methods to try.
    Permission denied (publickey,gssapi-keyex,gssapi-with-mic).

    细节:

    这是我经历的步骤。
  • 【远程机】加个nagios用户:
  • [Ubuntu] sudo adduser nagios --system --group --shell /bin/bash
  • [CentOS] sudo adduser nagios --system --shell /bin/bash --home /home/nagios
  • 【遥控机】sudo passwd nagios
  • 【远程机】添加nagios用户添加到 /etc/ssh/sshd_config 中的允许用户列表中
  • [远程机器] 重启 ssh(d) 服务。
  • 【Nagios主机】ssh-copy-id -i /var/lib/nagios/keys/id_rsa remote.machine
  • [远程机器] 强制 nagios 仅通过 pubkey 登录,方法是将其添加到 /etc/ssh/sshd_config :
    Match user nagios
    PasswordAuthentication no
  • [远程机器] 重启 ssh(d) 服务。
  • 【Nagios主机】ssh -i /var/lib/nagios/keys/id_rsa nagios@remote.machine
  • 在 Ubuntu 上,这一切都非常有效
  • 在 CentOS (6.2) 上,除非我允许用户 nagios 的密码验证,否则我无法登录.
  • 最佳答案

    我问过的一位同事提到了 StrictModessshd_config .

    如果 StrictModes启用后,在 CentOS 上所需的权限为:

    chmod 700 ~/.ssh
    chmod 600 ~/.ssh/id_rsa

    source

    当我检查 ~/.ssh 的权限时和 ~/.ssh/authorized_keys ,我将它们与 进行比较Ubuntu/OpenSSH 7.2 要求而不是 CentOS/OpenSSH 5.3 要求。

    Ubuntu/OpenSSH 7.2 允许 775 用于 ~/.ssh即使是 StrictModes已启用(但 ~/.ssh/authorized_keys 仍需要 600)。

    关于linux - PubKey SSH Auth 在 CentOS 上失败,但在 Ubuntu 上有效,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/43617438/

    27 4 0
    Copyright 2021 - 2024 cfsdn All Rights Reserved 蜀ICP备2022000587号
    广告合作:1813099741@qq.com 6ren.com