Collected problems with SSH key auto-login
2013-04-15 12:24:12 阿炯

The basic procedure for passwordless SSH key authentication is as follows:
[ ! -f ~/.ssh/id_rsa.pub ] && ssh-keygen -t rsa;
ssh <username>@<remote_machine> 'mkdir -p ~/.ssh'
cat ~/.ssh/id_rsa.pub | ssh <username>@<remote_machine> 'cat >> ~/.ssh/authorized_keys'

The last step can also be done with 'ssh-copy-id'; for details see: ssh auto-login configuration. When auto-login still does not work after this setup, troubleshoot from the following angles:

0) Automatically accepting the host key on first connection
When connecting to another host for the first time, that host sends over its public (host) key and the ssh command prompts whether to add the key to '.ssh/known_hosts' in your home directory. The key must be added to that file before the connection and authentication can continue, so you have to type 'yes' before authentication starts.

If you need to connect to many machines in one go with a for loop, this confirmation step becomes a nuisance. Take the rsync below: I have dozens of machines to synchronise and do it with a for loop, and confirming them one by one is tedious.

# one-off sync to a single host
rsync -av -e 'ssh -i freeoa.rsa' site/wxmaster 192.168.30.156:/home/freeoa/

# the same sync wrapped in a function so it can be run for every host listed in 'hosts'
rsync_fun() { rsync -av -e 'ssh -i freeoa.rsa' site/wxmaster "$1":/home/freeoa/; }
for i in $(cat hosts); do rsync_fun "$i"; done

Of course this problem can be solved; the procedure is as follows:

Method 1: turn off strict host key checking
You can set the StrictHostKeyChecking option to no on the command line, and/or point the client at a null known_hosts file. You can also set these options in your config file, either for all hosts or for a given set of IP addresses or host names.

ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no <username>@<remote_machine>

Method 2: in the config file, skip the host key check automatically for certain addresses
To disable (or control disabling), add the following lines to the beginning of /etc/ssh/ssh_config.

Host 192.168.0.*
   StrictHostKeyChecking no
   UserKnownHostsFile /dev/null

Options:
The Host pattern can be * so that the setting applies to every host ssh connects to.

Edit /etc/ssh/ssh_config for global configuration or ~/.ssh/config for user-specific configuration.

Of course '*' can be used to apply this to all ssh connections; the setting can go in the main configuration file or in the user's own configuration.


1) Turn on debugging on the client:
# ssh -vvv user@host.com

You can get the debug output and it will probably tell you that it can't authenticate with ~/.ssh/id_rsa (ssh's default key file).

Explicitly state which key to use for the connection:
ssh -i /home/user/.ssh/KEY user@host.com

You can also add your per-host keyfile to your .ssh/config, then you'll just have to type ssh host.com and user/key are selected automatically.

Example entry for .ssh/config (For more information see man ssh_config):
Host mysshserver ssh.host.com
HostName ssh.host.com
User myusername
IdentityFile ~/.ssh/mykeyfile

Description of the '-i' option:
-i identity_file
Selects a file from which the identity (private key) for RSA or DSA authentication is read.  The default is ~/.ssh/identity for protocol version 1, and ~/.ssh/id_rsa and ~/.ssh/id_dsa for protocol version 2.  Identity files may also be specified on a per-host basis in the configuration file.  It is possible to have multiple -i options (and multiple identities specified in configuration files).

2) Permissions on the home directory and the '.ssh' directory:
$ ls -ld ~/

The OpenSSH manual covers this:
Chances are, your /home/<user> or ~/.ssh/authorized_keys permissions are too open by OpenSSH standards. You can get rid of this problem by issuing the following commands:
chmod go-w ~/
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys

Your private key file (on the local machine) must be readable and writable only by you: rw-------, i.e. 600.

Your ~/.ssh/authorized_keys file (on the remote machine) must be readable (at least 400), but you'll need it to be also writable (600) if you will add any more keys to it.

Also, if SELinux is set to enforcing, you may need to run restorecon -R -v ~/.ssh

Permission problems are generally the main reason ssh auto-login stops working, so when this kind of problem appears (especially when it used to work), first check whether the permissions on the '.ssh' directory and on the home directory are sane.
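As an added example (not from the original post), the following POSIX shell script audits exactly the checks this section describes: sshd (with StrictModes) rejects keys when the home directory, the .ssh directory or authorized_keys is group- or world-writable, and the ssh client refuses a private key that has any group/other permission bit set. The function name check_ssh_perms and the default key name id_rsa are this example's own assumptions.

```shell
#!/bin/sh
# Audit the permissions OpenSSH enforces: sshd (StrictModes) rejects a home dir,
# .ssh dir or authorized_keys that is group- or world-writable; the ssh client
# refuses a private key with any group/other bit set ("UNPROTECTED PRIVATE KEY FILE").
# Function and argument names are this example's own assumptions.

# group+other part of the symbolic mode, e.g. "r-xr-x" from "drwxr-xr-x"
go_bits() { ls -ld "$1" | cut -c5-10; }
go_writable() { case "$(go_bits "$1")" in *w*) return 0;; *) return 1;; esac; }
go_any() { [ "$(go_bits "$1")" != "------" ]; }

# check_ssh_perms HOME_DIR [PRIVATE_KEY_NAME] -> 0 when clean, 1 when any finding
check_ssh_perms() {
  home=$1; key=${2:-id_rsa}; rc=0
  for d in "$home" "$home/.ssh"; do
    if [ -d "$d" ] && go_writable "$d"; then
      echo "FAIL: $d is group/other writable ($(go_bits "$d")): chmod go-w '$d'"; rc=1
    fi
  done
  ak=$home/.ssh/authorized_keys
  if [ -f "$ak" ] && go_writable "$ak"; then
    echo "FAIL: $ak is group/other writable: chmod 600 '$ak'"; rc=1
  fi
  pk=$home/.ssh/$key
  if [ -f "$pk" ] && go_any "$pk"; then
    echo "FAIL: $pk is readable by others, ssh will refuse it: chmod 600 '$pk'"; rc=1
  fi
  if [ "$rc" -eq 0 ]; then echo "OK: $home passes the OpenSSH permission checks"; fi
  return "$rc"
}

# stand-alone use: check_ssh_perms.sh /home/user [id_ed25519]
if [ $# -gt 0 ]; then check_ssh_perms "$@"; fi
```

Run it on the remote side against the account that should accept the key, and locally against your own home for the private-key check.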

3) Explicitly enable these authentication methods in the server's sshd_config:
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile %h/.ssh/authorized_keys

The value of AuthorizedKeysFile is where you need to paste your public ssh key.

What I ended up doing was creating a /etc/ssh/username folder, owned by username, with the correct permissions, and placing the authorized_keys file in there. Then I changed the AuthorizedKeysFile directive in ~/.ssh/config to:
AuthorizedKeysFile /etc/ssh/%u/authorized_keys


4) Automatically accept the server's host key when ssh connects
ssh: automatically accept keys

This happens on the first connection to an ssh server, or after the server's ssh service has been reconfigured; normally you have to type 'yes' so that the server's public key is stored in the local known_hosts.
Set the StrictHostKeyChecking option to lenient mode:
ssh -oStrictHostKeyChecking=no ipaddr uptime

$ ssh -o "StrictHostKeyChecking no" ipaddr
Warning: Permanently added 'centos7,ipaddr' (ECDSA) to the list of known hosts.
ok

Or set it in the connecting client's configuration file ~/.ssh/config:
Host somehost
    Hostname 10.0.0.1
    StrictHostKeyChecking no

Host *
    StrictHostKeyChecking no

Note that when a host's key has changed, you will still get a warning.
Remember to fix the file's permissions:
chmod 640 ~/.ssh/config


If you reinstall hosts often (so their host keys change often), the -oUserKnownHostsFile=/dev/null option adds convenience but may reduce security: every received host key is thrown away, so a changed-key warning is never generated.

The ssh shipped with Ubuntu 18.04 also supports a newer setting: StrictHostKeyChecking=accept-new. From man 5 ssh_config:
If this flag is set to "accept-new" then ssh will automatically add new host keys to the user known hosts files, but will not permit connections to hosts with changed host keys.  If this flag is set to "no" or "off", ssh will automatically add new host keys to the user known hosts files and allow connections to hosts with changed hostkeys to proceed, subject to some restrictions.

You can add a server's host key to the known_hosts file with the following command:
ssh-keyscan -H <ip-address|hostname> >> ~/.ssh/known_hosts

The only issue is that some servers may end up in known_hosts twice; that is no big deal, just worth mentioning. To make sure there are no duplicate entries, first remove all existing entries for the server with:
ssh-keygen -R <ip-address|hostname>

So you could run:
for h in $SERVER_LIST; do
    ip=$(dig +search +short "$h")
    ssh-keygen -R "$h"
    ssh-keygen -R "$ip"
    ssh-keyscan -H "$ip" >> ~/.ssh/known_hosts
    ssh-keyscan -H "$h" >> ~/.ssh/known_hosts
done
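The loop above trusts whatever key answers on the wire, which is the same weakness as StrictHostKeyChecking=no. As an added example (not from the original post), this POSIX shell script keeps the ssh-keyscan / ssh-keygen -R workflow but only appends a scanned key when its fingerprint matches one recorded out of band (from the console or provisioning data). The function names verified_keys and seed_known_hosts, and the expected-file format "<host> <SHA256:fingerprint>", are this example's own assumptions; ssh-keyscan, ssh-keygen -lf and ssh-keygen -R are real OpenSSH commands.

```shell
#!/bin/sh
# Seed known_hosts from ssh-keyscan output only for keys whose SHA256 fingerprint
# matches one recorded out of band (console, provisioning data). This replaces the
# blind "ssh-keyscan >> known_hosts" step, which trusts whatever answers on the wire.
# Function names and the expected-file format "<host> <SHA256:fingerprint>" are this
# example's own assumptions, not part of OpenSSH.

# verified_keys SCAN_FILE EXPECTED_FILE: prints the accepted known_hosts lines on
# stdout, reports rejected ones on stderr; returns 1 if anything was rejected.
verified_keys() {
  scan=$1; expected=$2; rc=0; tmp=$(mktemp)
  while IFS= read -r line; do
    case "$line" in ''|'#'*) continue;; esac       # skip blanks and keyscan comments
    host=${line%% *}                                # first field of a known_hosts line
    printf '%s\n' "$line" > "$tmp"
    fp=$(ssh-keygen -lf "$tmp" | awk '{print $2}')  # e.g. SHA256:abc...
    if grep -qxF "$host $fp" "$expected"; then
      printf '%s\n' "$line"
    else
      echo "REJECT $host $fp: fingerprint not in $expected" >&2; rc=1
    fi
  done < "$scan"
  rm -f "$tmp"; return "$rc"
}

# seed_known_hosts HOST EXPECTED_FILE [KNOWN_HOSTS]: scan, verify, then replace any
# stale entry for HOST (ssh-keygen -R) so the file never holds duplicates.
seed_known_hosts() {
  host=$1; expected=$2; kh=${3:-$HOME/.ssh/known_hosts}; scan=$(mktemp)
  ssh-keyscan -t ed25519 "$host" > "$scan" 2>/dev/null
  ssh-keygen -R "$host" -f "$kh" >/dev/null 2>&1
  verified_keys "$scan" "$expected" >> "$kh"; rc=$?
  rm -f "$scan"; return "$rc"
}

# stand-alone use: seed_known_hosts.sh HOST EXPECTED_FILE
if [ $# -ge 2 ]; then seed_known_hosts "$1" "$2"; fi
```

Because the scan is kept unhashed so the host field can be matched, pass the result through ssh-keygen -H afterwards if you want hashed known_hosts entries as in the loop above.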


5) Fixing slow ssh login authentication