IT分销/经销
ssh配置双机信任后,为何任然要输入密码?
执行
ssh-keygen -t dsa
ssh-keygen -t rsa
生成公鈅、私鈅后,将公鈅上传到对端服务器,并追加到authorized_keys 中。用ssh远程登陆对端机器时,仍然提示要输入密码。
实验环境是aix 5.3 + openssh 4.7 。 同样的操作,同样的sshd_config配置,在hp-unix + openssh 4.1上执行成功。 请问这会跟系统平台有关吗?
以下附上两种环境的debug结果。在aix上调试时,提示Failed dlopen: /usr/krb5/lib/libkrb5.a(libkrb5.a.so): 请问这是什么意思?
========================================hp-unix+openssh 4.1==================================
$ ssh -v 3410b
OpenSSH_4.1, OpenSSL 0.9.7e 25 Oct 2004
HP-UX Secure Shell-A.04.00.000, HP-UX Secure Shell version
debug1: Reading configuration data /opt/ssh/etc/ssh_config
debug1: Connecting to 3410b [132.97.32.225] port 22.
debug1: Connection established.
debug1: identity file /export/home/tomcat/.ssh/id_rsa type -1
debug1: identity file /export/home/tomcat/.ssh/id_dsa type 2
debug1: Remote protocol version 2.0, remote software version OpenSSH_4.1
debug1: match: OpenSSH_4.1 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host '3410b' is known and matches the RSA host key.
debug1: Found key in /export/home/tomcat/.ssh/known_hosts:1
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Trying private key: /export/home/tomcat/.ssh/id_rsa
debug1: Offering public key: /export/home/tomcat/.ssh/id_dsa
debug1: Server accepts key: pkalg ssh-dss blen 434
debug1: read PEM private key done: type DSA
debug1: Authentication succeeded (publickey).
===============================================AIX + openssh 4.7===============================
ssh -v gz_bstDB2
OpenSSH_4.7p1, OpenSSL 0.9.8f 11 Oct 2007
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Failed dlopen: /usr/krb5/lib/libkrb5.a(libkrb5.a.so): 0509-022 Cannot load module /usr/krb5/lib/libkrb5.a(libkrb5.a.so).
0509-026 System error: A file or directory in the path name does not exist.
debug1: Error loading Kerberos, disabling Kerberos auth.
debug1: Connecting to gz_bstDB2 [132.97.183.99] port 22.
debug1: Connection established.
debug1: identity file /oracle/.ssh/identity type -1
debug1: identity file /oracle/.ssh/id_rsa type 1
debug1: identity file /oracle/.ssh/id_dsa type 2
debug1: Remote protocol version 2.0, remote software version OpenSSH_4.7
debug1: match: OpenSSH_4.7 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.7
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: ENC->NAME:aes128-cbc
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: ENC->NAME:aes128-cbc
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: TYPE :31,Expected Type:0
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: TYPE :33,Expected Type:0
debug1: Host 'gz_bstdb2' is known and matches the RSA host key.
debug1: Found key in /oracle/.ssh/known_hosts:1
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: TYPE :21,Expected Type:0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Trying private key: /oracle/.ssh/identity
debug1: Offering public key: /oracle/.ssh/id_rsa
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Offering public key: /oracle/.ssh/id_dsa
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: keyboard-interactive
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: password
ssh-keygen -t dsa
ssh-keygen -t rsa
生成公鈅、私鈅后,将公鈅上传到对端服务器,并追加到authorized_keys 中。用ssh远程登陆对端机器时,仍然提示要输入密码。
实验环境是aix 5.3 + openssh 4.7 。 同样的操作,同样的sshd_config配置,在hp-unix + openssh 4.1上执行成功。 请问这会跟系统平台有关吗?
以下附上两种环境的debug结果。在aix上调试时,提示Failed dlopen: /usr/krb5/lib/libkrb5.a(libkrb5.a.so): 请问这是什么意思?
========================================hp-unix+openssh 4.1==================================
$ ssh -v 3410b
OpenSSH_4.1, OpenSSL 0.9.7e 25 Oct 2004
HP-UX Secure Shell-A.04.00.000, HP-UX Secure Shell version
debug1: Reading configuration data /opt/ssh/etc/ssh_config
debug1: Connecting to 3410b [132.97.32.225] port 22.
debug1: Connection established.
debug1: identity file /export/home/tomcat/.ssh/id_rsa type -1
debug1: identity file /export/home/tomcat/.ssh/id_dsa type 2
debug1: Remote protocol version 2.0, remote software version OpenSSH_4.1
debug1: match: OpenSSH_4.1 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host '3410b' is known and matches the RSA host key.
debug1: Found key in /export/home/tomcat/.ssh/known_hosts:1
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Trying private key: /export/home/tomcat/.ssh/id_rsa
debug1: Offering public key: /export/home/tomcat/.ssh/id_dsa
debug1: Server accepts key: pkalg ssh-dss blen 434
debug1: read PEM private key done: type DSA
debug1: Authentication succeeded (publickey).
===============================================AIX + openssh 4.7===============================
ssh -v gz_bstDB2
OpenSSH_4.7p1, OpenSSL 0.9.8f 11 Oct 2007
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Failed dlopen: /usr/krb5/lib/libkrb5.a(libkrb5.a.so): 0509-022 Cannot load module /usr/krb5/lib/libkrb5.a(libkrb5.a.so).
0509-026 System error: A file or directory in the path name does not exist.
debug1: Error loading Kerberos, disabling Kerberos auth.
debug1: Connecting to gz_bstDB2 [132.97.183.99] port 22.
debug1: Connection established.
debug1: identity file /oracle/.ssh/identity type -1
debug1: identity file /oracle/.ssh/id_rsa type 1
debug1: identity file /oracle/.ssh/id_dsa type 2
debug1: Remote protocol version 2.0, remote software version OpenSSH_4.7
debug1: match: OpenSSH_4.7 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.7
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: ENC->NAME:aes128-cbc
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: ENC->NAME:aes128-cbc
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: TYPE :31,Expected Type:0
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: TYPE :33,Expected Type:0
debug1: Host 'gz_bstdb2' is known and matches the RSA host key.
debug1: Found key in /oracle/.ssh/known_hosts:1
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: TYPE :21,Expected Type:0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Trying private key: /oracle/.ssh/identity
debug1: Offering public key: /oracle/.ssh/id_rsa
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Offering public key: /oracle/.ssh/id_dsa
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: keyboard-interactive
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: password
25同行回答
这都想不通?密钥必然要放在用户的默认目录下,这样才安全的嘛密钥路径都不对,ssh就只能当成是没有密钥的了hello_unix 发表于 2008-6-27 11:32
也不是必须放在默认目录,那个是由配置文件控制的。只是平时我们都是使用的默认设置事实上,OPENSSH提供了多种灵活的配置方式...受用了。。。收起
浏览825
再一次受教了,谢谢!收起
浏览792
系统这么傻?你这个怀疑的方向不太对吧,
对于所有unix来说,每一个系统文件和相应的权限,都有严格的管理,unix系统的安全和健壮就是基于unix系统本省的文件权限管理。只不过我们日常为了方便,777的权限大行其道,让很多人忘了严格的权限管理。
对于这样的问题,如hellounix所述,系统给你指定了必须的位置,只有这个key文件只有用户本身可以rw,其他,包括同组用户连读的权限都没有,才能一定程度保证安全。
遇事多想想,慢慢就明白,aix的所有设置都是有一定道理的。
只不过,因为这些限制,平常的使用中给我们也造成很多麻烦,经常我也很烦,为什么一定这样这样,不能让大家好用一点吗?也许以后会有办法改进的,也希望我们能用上中国人自己开发的好系统,至少,符合中国人的习惯和用法吧。收起
对于所有unix来说,每一个系统文件和相应的权限,都有严格的管理,unix系统的安全和健壮就是基于unix系统本省的文件权限管理。只不过我们日常为了方便,777的权限大行其道,让很多人忘了严格的权限管理。
对于这样的问题,如hellounix所述,系统给你指定了必须的位置,只有这个key文件只有用户本身可以rw,其他,包括同组用户连读的权限都没有,才能一定程度保证安全。
遇事多想想,慢慢就明白,aix的所有设置都是有一定道理的。
只不过,因为这些限制,平常的使用中给我们也造成很多麻烦,经常我也很烦,为什么一定这样这样,不能让大家好用一点吗?也许以后会有办法改进的,也希望我们能用上中国人自己开发的好系统,至少,符合中国人的习惯和用法吧。收起
浏览1575
浏览1691