普通使用者SSH無密碼互信建立 出現的問題以及解決辦法

JLongSL發表於2017-10-04

配置前提醒:.ssh目錄不需要手動建立!命令會自動完成這一切。
當你看見這篇文章時,假設你已經安裝好了ssh相關服務。

作為普通使用者,用sudo許可權去修改配置檔案/etc/ssh/sshd_config

$ sudo vim /etc/ssh/sshd_config
 ...
 RSAAuthentication yes # 啟用 RSA 認證
 PubkeyAuthentication yes # 啟用公鑰私鑰配對認證方式
 AuthorizedKeysFile %h/.ssh/authorized_keys # 公鑰檔案路徑
 ...

重啟SSH服務(不同版本有不同的重啟方式):
Debian / Ubuntu

$ sudo service ssh restart 
or
$ /etc/init.d/ssh restart 

CentOS / RHEL / Fedora / Redhat

$ /etc/init.d/sshd restart
or
$ service sshd restart

建立私鑰和公鑰
建立金鑰對時,一定不要在命令前加sudo
建立金鑰對時,一定不要在命令前加sudo
建立金鑰對時,一定不要在命令前加sudo

# -t 指定型別,-f指定檔案生成路徑,-P指定檔案密碼(''表示無密碼)
$ ssh-keygen -t rsa -f ~/.ssh/id_rsa -P ''
Generating public/private rsa key pair.
Your identification has been saved in /home/user/.ssh/id_rsa.
Your public key has been saved in /home/user/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:sRWB6v9sTYvBAJVc40QFZs49JQuQVkPjB6fRc7xETDM user@192.168.1.212
The key's randomart image is:
+---[RSA 2048]----+
|       ooX^=+=E  |
|      . *O %o+=o |
|       +. B =+ . |
|      . .+ . ..  |
|     .  So       |
|      .   o .    |
|       .   = .   |
|        ..o o    |
|         oo      |
+----[SHA256]-----+

此時生成了一對金鑰
公鑰:id_rsa.pub
金鑰:id_rsa

將生成的公鑰(id_ras.pub)拷貝至另外一臺伺服器

$ ssh-copy-id -i .ssh/id_rsa.pub user@192.168.1.213
...
Are you sure you want to continue connecting (yes/no)? yes
...
user@192.168.1.213's password: #這裡提示輸入密碼
...
Now try logging into the machine, with:   "ssh 'user@192.168.1.213'"
and check to make sure that only the key(s) you wanted were added.

拷貝成功,測試連線

$ ssh 192.168.1.213 'ifconfig'
ens33     Link encap:Ethernet  HWaddr 00:0c:29:c6:7e:6b  
          inet addr:192.168.1.213  Bcast:192.168.1.255  Mask:255.255.255.0
          ...

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          ...

連線成功,則對另外一臺伺服器主機進行相同的操作,完成互信無密碼連線。


注意:如果建立公鑰私鑰的時候,加上了sudo,比如像這樣:

$ sudo ssh-keygen -t rsa -f ~/.ssh/id_rsa -P ''

系統會給以下提示:

Generating public/private rsa key pair.
Saving key "/home/****/.ssh/id_rsa" failed: No such file or directory

提示沒有這個檔案或目錄
網上一些解答說,建立一個目錄就好了,然後就去這樣做

$ mkdir ~/.ssh

然後再來一次生成公鑰私鑰:

$ sudo ssh-keygen -t rsa -f ~/.ssh/id_rsa -P ''
Generating public/private rsa key pair.
Your identification has been saved in /home/user/.ssh/id_rsa.
Your public key has been saved in /home/user/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:/OxKIyjs01Z9yWae/Bnke1wQF1WMDSLmKH7XFQK3qyA root@192.168.1.212
The key's randomart image is:
+---[RSA 2048]----+
|          +.+ o**|
|         + o +o.+|
|      . . . . .o |
|     . o   . o.  |
|      E.S...+  . |
| .   ..o.=*+    .|
|  o.... o*+.o. . |
| ...o  o o+  +o  |
|  .o    ....+.   |
+----[SHA256]-----+

一看結果,成功!
但是。。。 使用者此時會把公鑰遠端傳送給另外一臺伺服器上,像這樣:

$ ssh-copy-id -i .ssh/id_rsa.pub user@192.168.1.213

/usr/bin/ssh-copy-id: ERROR: failed to open ID file '.ssh/id_rsa': Permission denied
    (to install the contents of '.ssh/id_rsa.pub' anyway, look at the -f option)

許可權不夠?加上sudo吧。。。

$ sudo ssh-copy-id -i .ssh/id_rsa.pub user@192.168.1.213
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: ".ssh/id_rsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
user@ip's password: 

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'user@192.168.1.213'"
and check to make sure that only the key(s) you wanted were added.

心中默唸:完美!公鑰已經成功拷貝到伺服器,可以免密遠端登入了!接著就開心的去連線…

$ ssh 192.168.1.213                                      
Load key "/home/user/.ssh/id_rsa": Permission denied
user@192.168.1.213's password: 

什麼?居然還要我輸入密碼!!!不能忍。
接著各種查資料,然而毫無進展。。。
接著檢視連線過程是不是出了錯:

$ ssh -vvv 192.168.1.213      
OpenSSH_7.2p2 Ubuntu-4ubuntu2.2, OpenSSL 1.0.2g  1 Mar 2016
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug2: resolving "192.168.1.213" port 22
debug2: ssh_connect_direct: needpriv 0
debug1: Connecting to 192.168.1.213 [192.168.1.213] port 22.
debug1: Connection established.
debug1: identity file /home/user/.ssh/id_rsa type 1
debug1: key_load_public: No such file or directory
debug1: identity file /home/user/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/user/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/user/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/user/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
...
...

去google搜尋半天也沒任何結果。
就當準備放棄的時候,用ll -a ~/.ssh/檢視了一下.ssh目錄下的檔案們….

$ ll -a ~./ssh/
-rw------- 1 root root 1.7K Oct  4 00:45 id_rsa
-rw-r--r-- 1 root root  406 Oct  4 00:45 id_rsa.pub

!!!居然我這個user使用者建立的檔案變成了root所有!好吧,把屬於我的奪回來:

$ sudo chown user /home/user/.ssh/id_rsa
$ sudo chgrp user /home/user/.ssh/id_rsa

再試一次連線

$ ssh 192.168.1.213
Welcome to Ubuntu 16.04.3 LTS (GNU/Linux 4.4.0-87-generic x86_64)
...
...
$

這下終於成功了。
雖說成功了,但是繞了好大的一個圈子,哎,人生苦短,千萬不要因為一些小細節,浪費掉自己大把時間。

寫這篇部落格的目的在於,希望能夠幫助一些遇到類似問題的朋友,雖然說到最後問題看似簡單,但往往bug就出現在一些很簡單的細節問題上,難以察覺。細節決定成敗。。。

總結:多注意細節上的東西,時間就是生命,多總結,多積累。

相關文章