ssh-key自动登录问题集
2013-04-15 12:24:12 
阿炯
使用ssh-key免登录认证简单的操作过程如下:
[ ! -f ~/.ssh/id_rsa.pub ] && ssh-keygen -t rsa;
ssh <username>@<remote_machine> 'mkdir -p ~/.ssh'
cat ~/.ssh/id_rsa.pub | ssh <username>@<remote_machine> 'cat >> ~/.ssh/authorized_keys'
最后一步也可以使用'ssh-copy-id'来实现,具体操作可以参考:ssh自动登录配置。当做好后发现不能自动登录时,可从如下方面进行排错:
一)、在客户端开启调试功能:
# ssh -vvv user@host.com
You can get the debug output and it will probably tell you that it can't authenticate with ~/.ssh/id_rsa (ssh's default key file).
直接声明使用哪个key进行连接:
ssh -i /home/user/.ssh/KEY user@host.com
You can also add your per-host keyfile to your .ssh/config, then you'll just have to type ssh host.com and user/key are selected automatically.
Example entry for .ssh/config (For more information see man ssh_config):
Host mysshserver ssh.host.com
HostName ssh.host.com
User myusername
IdentityFile ~/.ssh/mykeyfile
关于'-i'选项的说明:
-i identity_file
Selects a file from which the identity (private key) for RSA or DSA authentication is read. The default is ~/.ssh/identity for protocol version 1, and ~/.ssh/id_rsa and ~/.ssh/id_dsa for pro‐tocol version 2. Identity files may also be specified on a per-host basis in the configuration file. It is possible to have multiple -i options (and multiple identities specified in config‐uration files).
二)、用户主目录及'.ssh'目录的权限问题:
$ls -ld ~/
OpenSSH 手册里有相关的说明:
Chances are, your /home/<user> or ~/.ssh/authorized_keys permissions are too open by OpenSSH standards. You can get rid of this problem by issuing the following commands:
chmod go-w ~/
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys
Your private key file (on the local machine) must be readable and writable only by you: rw-------, i.e. 600.
Your ~/.ssh/authorized_keys file (on the remote machine) must be readable (at least 400), but you'll need it to be also writable (600) if you will add any more keys to it.
Also, if SELinux is set to enforcing, you may need to run restorecon -R -v ~/.ssh
一般权限问题是导致ssh-autologin非正常工作的主要原因,因此出现此类问题时(或之前好好的),应该首先检查'.ssh'目录及个人的主目录的权限是否合理。
三)、显示地在配置文件里开启这些认证方式:
RSAAuthentication yes
PubKeyAuthentication yes
AuthorizedKeysFlle %h/.ssh/authorized_keys
The value of AuthorizedKeysFile is where you need to paste your public ssh key.
What I ended up doing was created a /etc/ssh/username folder, owned by username, with the correct permissions, and placed the authroized_keys file in there. Then changed the AuthorizedKeysFile directive in ~/.ssh/config. to :
AuthorizedKeysFile /etc/ssh/%u/authorized_keys
四)、ssh连接服务器时自动接收对方的公钥
ssh: automatically accept keys
该现象出现在首次连接ssh服务器时或对方ssh服务重新设定的情况,正常情况下需要键入'yes'来将对方的pub key存入到本机的known_hosts中
设定选项StrictHostKeyChecking为宽松模式
ssh -oStrictHostKeyChecking=no ipaddr uptime
$ ssh -o "StrictHostKeyChecking no" ipaddr
Warning: Permanently added 'centos7,ipaddr' (ECDSA) to the list of known hosts.
ok
或在发连接的客户端中设定到配置文件中~/.ssh/config
Host somehost
Hostname 10.0.0.1
StrictHostKeyChecking no
Host *
StrictHostKeyChecking no
Note that when the host keys have changed, you'll reget a warning.
记得更新文件的权限
chmod 640 ~/.ssh/config
如果经常重新安装主机(经常更改主机密钥),则可以使用-oUserKnownHostsFile=/dev/null选项来提升操作便捷性,但可能会降低安全性。这将丢弃所有接收到的主机密钥,因此它永远不会生成警告。
ubuntu 18.04 所带的ssh还支持新特性: StrictHostKeyChecking=accept-new. From man 5 ssh_config:
If this flag is set to "accept-new" then ssh will automatically add new host keys to the user known hosts files, but will not permit connections to hosts with changed host keys. If this flag is set to "no" or "off", ssh will automatically add new host keys to the user known hosts files and allow connections to hosts with changed hostkeys to proceed, subject to some restrictions.
可以使用以下命令将服务器的指纹添加到known_hosts文件中
ssh-keyscan -H <ip-address|hostname> >> ~/.ssh/known_hosts
唯一的问题是可能将在known_hosts中添加某些服务器两次,其实没什么大不了的,只是提一下。为了确保没有重复的服务器,可以先运行以下命令删除所有服务器:
ssh-keygen -R <ip-address|hostname>
So you could run:
for h in $SERVER_LIST; do
ip=$(dig +search +short $h)
ssh-keygen -R $h
ssh-keygen -R $ip
ssh-keyscan -H $ip >> ~/.ssh/known_hosts
ssh-keyscan -H $h >> ~/.ssh/known_hosts
done
五)、ssh登陆认证过慢的解决办法
[ ! -f ~/.ssh/id_rsa.pub ] && ssh-keygen -t rsa;
ssh <username>@<remote_machine> 'mkdir -p ~/.ssh'
cat ~/.ssh/id_rsa.pub | ssh <username>@<remote_machine> 'cat >> ~/.ssh/authorized_keys'
最后一步也可以使用'ssh-copy-id'来实现,具体操作可以参考:ssh自动登录配置。当做好后发现不能自动登录时,可从如下方面进行排错:
一)、在客户端开启调试功能:
# ssh -vvv user@host.com
You can get the debug output and it will probably tell you that it can't authenticate with ~/.ssh/id_rsa (ssh's default key file).
直接声明使用哪个key进行连接:
ssh -i /home/user/.ssh/KEY user@host.com
You can also add your per-host keyfile to your .ssh/config, then you'll just have to type ssh host.com and user/key are selected automatically.
Example entry for .ssh/config (For more information see man ssh_config):
Host mysshserver ssh.host.com
HostName ssh.host.com
User myusername
IdentityFile ~/.ssh/mykeyfile
关于'-i'选项的说明:
-i identity_file
Selects a file from which the identity (private key) for RSA or DSA authentication is read. The default is ~/.ssh/identity for protocol version 1, and ~/.ssh/id_rsa and ~/.ssh/id_dsa for pro‐tocol version 2. Identity files may also be specified on a per-host basis in the configuration file. It is possible to have multiple -i options (and multiple identities specified in config‐uration files).
二)、用户主目录及'.ssh'目录的权限问题:
$ls -ld ~/
OpenSSH 手册里有相关的说明:
Chances are, your /home/<user> or ~/.ssh/authorized_keys permissions are too open by OpenSSH standards. You can get rid of this problem by issuing the following commands:
chmod go-w ~/
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys
Your private key file (on the local machine) must be readable and writable only by you: rw-------, i.e. 600.
Your ~/.ssh/authorized_keys file (on the remote machine) must be readable (at least 400), but you'll need it to be also writable (600) if you will add any more keys to it.
Also, if SELinux is set to enforcing, you may need to run restorecon -R -v ~/.ssh
一般权限问题是导致ssh-autologin非正常工作的主要原因,因此出现此类问题时(或之前好好的),应该首先检查'.ssh'目录及个人的主目录的权限是否合理。
三)、显示地在配置文件里开启这些认证方式:
RSAAuthentication yes
PubKeyAuthentication yes
AuthorizedKeysFlle %h/.ssh/authorized_keys
The value of AuthorizedKeysFile is where you need to paste your public ssh key.
What I ended up doing was created a /etc/ssh/username folder, owned by username, with the correct permissions, and placed the authroized_keys file in there. Then changed the AuthorizedKeysFile directive in ~/.ssh/config. to :
AuthorizedKeysFile /etc/ssh/%u/authorized_keys
四)、ssh连接服务器时自动接收对方的公钥
ssh: automatically accept keys
该现象出现在首次连接ssh服务器时或对方ssh服务重新设定的情况,正常情况下需要键入'yes'来将对方的pub key存入到本机的known_hosts中
设定选项StrictHostKeyChecking为宽松模式
ssh -oStrictHostKeyChecking=no ipaddr uptime
$ ssh -o "StrictHostKeyChecking no" ipaddr
Warning: Permanently added 'centos7,ipaddr' (ECDSA) to the list of known hosts.
ok
或在发连接的客户端中设定到配置文件中~/.ssh/config
Host somehost
Hostname 10.0.0.1
StrictHostKeyChecking no
Host *
StrictHostKeyChecking no
Note that when the host keys have changed, you'll reget a warning.
记得更新文件的权限
chmod 640 ~/.ssh/config
如果经常重新安装主机(经常更改主机密钥),则可以使用-oUserKnownHostsFile=/dev/null选项来提升操作便捷性,但可能会降低安全性。这将丢弃所有接收到的主机密钥,因此它永远不会生成警告。
ubuntu 18.04 所带的ssh还支持新特性: StrictHostKeyChecking=accept-new. From man 5 ssh_config:
If this flag is set to "accept-new" then ssh will automatically add new host keys to the user known hosts files, but will not permit connections to hosts with changed host keys. If this flag is set to "no" or "off", ssh will automatically add new host keys to the user known hosts files and allow connections to hosts with changed hostkeys to proceed, subject to some restrictions.
可以使用以下命令将服务器的指纹添加到known_hosts文件中
ssh-keyscan -H <ip-address|hostname> >> ~/.ssh/known_hosts
唯一的问题是可能将在known_hosts中添加某些服务器两次,其实没什么大不了的,只是提一下。为了确保没有重复的服务器,可以先运行以下命令删除所有服务器:
ssh-keygen -R <ip-address|hostname>
So you could run:
for h in $SERVER_LIST; do
ip=$(dig +search +short $h)
ssh-keygen -R $h
ssh-keygen -R $ip
ssh-keyscan -H $ip >> ~/.ssh/known_hosts
ssh-keyscan -H $h >> ~/.ssh/known_hosts
done
五)、ssh登陆认证过慢的解决办法