Fixing the bug where ssh still asks for a password after an ssh key has been added

    Reproducing the scenario

    Requirement: passwordless ssh login from the root user on 10.183.93.181 to the boss user on 10.110.155.26

    1. On 10.110.155.26, create the directory .ssh under the boss user's home
    2. In that .ssh directory, create the file authorized_keys
    3. Put the public key of the root user on 10.183.93.181 into authorized_keys

    [boss@10-110-155-26 .ssh]$ cat authorized_keys
    ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA7p2wqKGCLASL+EC7vSiqccuofUv6sjXif2P6nXbZnbHZLy6Z3+vAijOvHoqxABg+Hfv5XflRjaO9z8PMwvW3A8ECu+2Y/kYPTMuyC1TG9qYNmyfiVH5jIeKbdyHmtbMl5+R1o1Fbo2FvQYU5qANhjHZqxb1omVXnEJhFLxSzNnwhFgRMNUTcf72Cwqfnn0Sr0ea8A9Eok6XvhQQqk44Pn+VfxIiO6Gngi1JGG3q1BCinaiSqnvSOHj0qjdGZZuXX0/G4AEbWHE7yD4Gf2FwyWTKwLiQzBKPqjTbZVI7XGtekhOv0Fx4tvT2kIdX5DQiABfMyZre9k+dT4M0rvmDJ3Q== root@10-183-93-181
    

    4. From the root user, ssh to boss@10.110.155.26; a password is still requested

    Debugging the bug

    Running ssh -vv boss@10.110.155.26 shows the following during login

    debug1: SSH2_MSG_SERVICE_ACCEPT received
    debug2: key: /root/.ssh/identity ((nil))
    debug2: key: /root/.ssh/id_rsa (0x7f42fed4cfe0)
    debug2: key: /root/.ssh/id_dsa ((nil))
    debug2: key: /root/.ssh/id_ecdsa ((nil))
    debug1: Authentications that can continue: publickey,password
    debug1: Next authentication method: publickey
    debug1: Trying private key: /root/.ssh/identity
    debug1: Offering public key: /root/.ssh/id_rsa
    debug2: we sent a publickey packet, wait for reply
    debug1: Authentications that can continue: publickey,password
    debug1: Trying private key: /root/.ssh/id_dsa
    debug1: Trying private key: /root/.ssh/id_ecdsa
    debug2: we did not send a packet, disable method
    debug1: Next authentication method: password
    boss@10.110.155.26's password:
    

    ssh -vv shows nothing else unusual; it simply stalls at authentication

    On 10.110.155.26, as root, start sshd in debug mode

    [root@10-110-155-26 .ssh]# /usr/sbin/sshd -d -p 4444
    debug1: sshd version OpenSSH_5.3p1
    debug1: read PEM private key done: type RSA
    debug1: private host key: #0 type 1 RSA
    debug1: read PEM private key done: type DSA
    debug1: private host key: #1 type 2 DSA
    debug1: rexec_argv[0]='/usr/sbin/sshd'
    debug1: rexec_argv[1]='-d'
    debug1: rexec_argv[2]='-p'
    debug1: rexec_argv[3]='4444'
    Set /proc/self/oom_score_adj from 0 to -1000
    debug1: Bind to port 4444 on 0.0.0.0.
    Server listening on 0.0.0.0 port 4444.
    socket: Address family not supported by protocol
    

    Then ssh again from 10.183.93.181. Switching to 10.110.155.26, one error entry appears

    Authentication refused: bad ownership or modes for directory /data/slot0/home/boss/.ssh/
    

    In other words, the permissions are wrong

    1. Check the file permissions

    [boss@10-110-155-26 .ssh]$ ll -h
    -rw-r--r-- 1 boss boss 1.6K Feb  1 15:28 authorized_keys
    

    For security reasons, authorized_keys must not be readable by other users; because the file had been created by hand its permissions were 644, so change them with chmod 600

    After changing authorized_keys to 600, ssh login still reported the directory permission error

    2. Check the directory permissions

    [boss@10-110-155-26 ~]$ ll -d .ssh/
    drwxr-xr-x 2 boss boss 99 Feb  1 16:38 .ssh/
    

    After changing the directory permissions to 700 and logging in again, ssh works.

    Summary

    For ssh security reasons, many permission settings, for files and directories alike, must not be readable by group and other users; when the permissions do not meet this, ssh authentication fails even if the ssh key is completely correct

    The relevant permissions are listed below:

    1. Permissions of the files under the .ssh directory

    [boss@10-110-155-26 .ssh]$ ll -h
    total 20K
    -rw------- 1 boss boss 1.6K Feb  1 15:28 authorized_keys
    -rw------- 1 boss boss  400 Feb  1 16:38 authorized_keys2
    -rw------- 1 boss boss 1.7K Sep 29 17:45 id_rsa
    -rw-r--r-- 1 boss boss  400 Sep 29 17:45 id_rsa.pub
    -rw-r--r-- 1 boss boss 2.8K Feb  1 15:22 known_hosts
    

    2. Permissions of the .ssh directory itself

    [boss@10-110-155-26 ~]$ ll -d .ssh/
    drwx------ 2 boss boss 99 Feb  1 16:38 .ssh/
    

    Group and other users must not have write permission on the .ssh directory; either 755 or 700 works
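The ownership and mode rules that sshd applied above to the .ssh directory and authorized_keys (owned by the user or root, not writable by group or other), reproduced as a shell checker so the "bad ownership or modes" refusal can be diagnosed without running sshd -d. This is an added example, not code from the original post; the function names are ours and it assumes GNU stat (with a BSD stat fallback).

```shell
#!/bin/sh
# Added example: apply sshd's StrictModes-style checks to a home directory.
# Function and variable names are our own, not sshd's.

# Octal permission bits of a path (GNU stat first, BSD stat as fallback).
mode_of() { stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1"; }
# Numeric uid of the path's owner.
uid_of()  { stat -c '%u' "$1" 2>/dev/null || stat -f '%u' "$1"; }

# check_path PATH UID: fail when PATH is not owned by UID (or root), or is
# writable by group or other (mode & 022 != 0, the test sshd performs).
check_path() {
    p="$1"; want="$2"
    o=$(uid_of "$p"); m=$(mode_of "$p")
    if [ "$o" != "$want" ] && [ "$o" != 0 ]; then
        echo "bad ownership for $p (uid $o, expected $want or 0)"; return 1
    fi
    # Prefix 0 so the shell parses the stat output as octal.
    if [ $(( 0$m & 022 )) -ne 0 ]; then
        echo "bad modes for $p (mode $m is group/other writable)"; return 1
    fi
    return 0
}

# check_ssh_perms HOME_DIR UID: check HOME_DIR, HOME_DIR/.ssh and
# authorized_keys in the order sshd walks them. Returns 0 when all pass,
# otherwise prints one line per problem and returns 1.
check_ssh_perms() {
    home="$1"; want="$2"; rc=0
    for d in "$home" "$home/.ssh"; do
        [ -d "$d" ] || { echo "missing directory $d"; return 1; }
        check_path "$d" "$want" || rc=1
    done
    ak="$home/.ssh/authorized_keys"
    if [ -f "$ak" ]; then
        check_path "$ak" "$want" || rc=1
    else
        echo "missing regular file $ak"; rc=1
    fi
    return $rc
}

# Usage: check_ssh_perms /data/slot0/home/boss "$(id -u boss)"
```

The 600/700 settings the post ends with pass this check, as does a 755 .ssh directory, since only group/other write bits are rejected.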

    Original article: https://www.cnblogs.com/marility/p/8400354.html