Tonight I was wrestling with a cluster-management problem, and the most important piece of it is passwordless login between the nodes, which means setting up public keys on every machine.

Configuring the public key

ssh-keygen

Copy the public key to the machine you want to control, so it can be logged into without a password

ssh-copy-id -i ~/.ssh/id_rsa.pub -p 22 <user>@<target-ip>

Normally these two steps are all it takes, but I ran into a problem: some machines worked fine and let me log straight in, while on others the public key was never accepted and I was always asked for a password.

Fixing the public-key login failure

Log in with the following command to get a verbose client-side log

ssh x.x.x.x -vvv

 debug1: Unspecified GSS failure. Minor code may provide more information
No Kerberos credentials available (default cache: KEYRING:persistent:0)

debug1: Unspecified GSS failure. Minor code may provide more information
No Kerberos credentials available (default cache: KEYRING:persistent:0)

debug2: we did not send a packet, disable method
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /root/.ssh/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Trying private key: /root/.ssh/id_dsa
debug3: no such identity: /root/.ssh/id_dsa: No such file or directory
debug1: Trying private key: /root/.ssh/id_ecdsa
debug3: no such identity: /root/.ssh/id_ecdsa: No such file or directory
debug1: Trying private key: /root/.ssh/id_ed25519
debug3: no such identity: /root/.ssh/id_ed25519: No such file or directory
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred: ,password
debug3: authmethod_is_enabled password
debug1: Next authentication method: password 

Compare this against the log of a successful login and you can see the difference, but it still doesn't show where the problem is. The client side only tells you that the key was offered (Offering RSA public key) and silently declined (the server answers with nothing but the list of methods that can continue); the reason for the refusal is only ever logged on the server.

I spent a few hours searching online and tried all sorts of fixes, such as:

  • sshd_config settings
    HostKey /etc/ssh/ssh_host_rsa_key
    RSAAuthentication yes
    PubkeyAuthentication yes
    AuthorizedKeysFile .ssh/authorized_keys
    (RSAAuthentication only ever applied to SSH protocol 1 and is deprecated in current OpenSSH; PubkeyAuthentication and AuthorizedKeysFile are the settings that matter here)
  • SELinux settings
  • directory and file permission changes
  • file format problems

I had checked almost everything and it still failed, but the server-side log in /var/log/secure (auth.log on Debian-based systems) gave it away:

Feb 8 00:01:42 izwz90g1ws14xwy7e4fqe3z sshd[7454]: Authentication refused: bad ownership or modes for directory /root
Feb 8 00:35:48 izwz90g1ws14xwy7e4fqe3z sshd[15171]: Authentication refused: bad ownership or modes for directory /root
Feb 8 00:38:22 izwz90g1ws14xwy7e4fqe3z sshd[18337]: Authentication refused: bad ownership or modes for file /root/.ssh/authorized_keys
Feb 8 00:38:39 izwz90g1ws14xwy7e4fqe3z sshd[18337]: Connection closed by 120.77.212.168 [preauth]
Feb 8 00:38:41 izwz90g1ws14xwy7e4fqe3z sshd[18742]: Authentication refused: bad ownership or modes for directory /root 
I had found plenty of material on this online too, and tried granting permissions every way suggested:
chmod g-w /home/your_user   # or chmod 0755 /home/your_user
chmod 700 /home/your_user/.ssh   # i.e. ~/.ssh
chmod 600 /home/your_user/.ssh/authorized_keys   # i.e. ~/.ssh/authorized_keys

But it made no difference: I confirmed that the permissions on the .ssh directory and on the authorized_keys file were correct, and it still did not work.

Since I was logging in as root, whose home directory is /root, on a whim I checked the permissions of /root itself: they were 737, while on the machines that could connect normally /root was nowhere near that permissive, at 550.

Machine that could not log in: /root mode 737

Working machine: /root mode 550

So chmod 550 /root solved the problem. What sshd actually objects to are the group-write and world-write bits, which 737 has and 550 does not; chmod 700 /root (the usual setting for root's home) or 755 would have worked just as well. 550 only gets away with dropping the owner-write bit because root ignores it anyway.
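To see exactly what sshd is objecting to before reaching for chmod, the script below (an added example, not from the original post and not OpenSSH's own code) emulates the check sshd applies under StrictModes to ~/.ssh/authorized_keys, ~/.ssh and the home directory: each must be owned by the login user or by root, and neither the group-write nor the world-write bit may be set (mask 022). It assumes Linux with GNU coreutils (stat -c); the function names strict_check, check_user_keys and demo are ours, and the demo builds a throwaway home directory with the modes from this post (home 737, .ssh 700, authorized_keys 600) rather than touching a real one.

```shell
#!/bin/sh
# Added example (not from the original post, not OpenSSH code): emulate the
# ownership/mode checks sshd performs under "StrictModes yes" on
#   ~/.ssh/authorized_keys, ~/.ssh and the home directory itself.
# Rule applied to each path: owner must be the login user or root (uid 0),
# and neither the group-write nor the world-write bit may be set.
# Assumes Linux with GNU coreutils (stat -c). Function names are ours.

# strict_check PATH UID -> 0 if sshd would accept PATH, 1 (with a reason) if not
strict_check() {
    path=$1
    want_uid=$2
    if [ ! -e "$path" ]; then
        echo "missing: $path"
        return 1
    fi
    uid=$(stat -c '%u' "$path")
    mode=$(stat -c '%a' "$path")      # octal digits, e.g. 737 or 600
    if [ "$uid" -ne "$want_uid" ] && [ "$uid" -ne 0 ]; then
        echo "bad ownership for $path: uid $uid (want $want_uid or 0)"
        return 1
    fi
    # The leading 0 makes the shell read $mode as octal; 022 masks g+w and o+w,
    # the same mask sshd uses, so 737 is refused while 550, 700 and 755 pass.
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "bad modes for $path: $mode is group- or world-writable"
        return 1
    fi
    return 0
}

# check_user_keys HOME UID -> 0 if all three paths pass, 1 otherwise
check_user_keys() {
    home=$1
    want_uid=$2
    rc=0
    for p in "$home/.ssh/authorized_keys" "$home/.ssh" "$home"; do
        strict_check "$p" "$want_uid" || rc=1
    done
    return $rc
}

# demo: constructed throwaway home directory with the modes from the post
# (home 737, .ssh 700, authorized_keys 600); show the refusal, apply the
# post's fix (chmod 550 on the home directory) and show it now passes.
demo() {
    tmp=$(mktemp -d)
    mkdir "$tmp/.ssh"
    # constructed placeholder line, never parsed by this script
    echo "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyNotReal demo" \
        > "$tmp/.ssh/authorized_keys"
    chmod 737 "$tmp"; chmod 700 "$tmp/.ssh"; chmod 600 "$tmp/.ssh/authorized_keys"
    echo "== before fix (home mode 737) =="
    check_user_keys "$tmp" "$(id -u)" || echo "=> sshd would refuse the key"
    chmod 550 "$tmp"
    echo "== after chmod 550 (the post's fix) =="
    check_user_keys "$tmp" "$(id -u)" && echo "=> sshd would accept the key"
    chmod 700 "$tmp"      # restore owner write so cleanup works for non-root users
    rm -rf "$tmp"
}

# On a real host: check_user_keys /root 0   or   check_user_keys "$HOME" "$(id -u)"
demo
```

The checks run in the same order sshd walks the path (file, then .ssh, then home), so the first reason printed is the one you would see as "Authentication refused: bad ownership or modes for ..." in the server log. Ownership mismatches cannot be reproduced without root, so the demo only exercises the mode bits.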

Summary

The cause of this problem is really simple: whenever I hit some permission error I would habitually slap chmod -R 777 on it. I always felt that was a bad habit, and today I finally experienced a downside beyond the security risk.

Because ssh is strict about permissions, its requirements on the directories and files holding private keys, public keys and authorized_keys are tight: too little access fails, and so does too much, so this situation is easy to run into.

Alternatively you can add StrictModes no to sshd_config on the server and restart sshd, but I don't recommend that shortcut. That setting disables the ownership and mode check entirely, and that check is exactly what stops another local user from dropping their own key into a world-writable home directory; fixing the permissions is the right answer.
