Passwordless SSH login failure (an unusual case)
Problem description:
Last week I set up a big data platform for the company on three machines; installation and configuration went smoothly. Later I found that the disk mounted at /home was running out of space, so I expanded it. Before expanding it I copied the /home/hadoop directory elsewhere and copied it back afterwards. Then the problem appeared: once the hadoop directory had been moved back, passwordless SSH no longer worked.
Troubleshooting:
1. Check permissions
2. Debug SSH
View the debug log with the command ssh -vvv master:
OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to master [127.0.0.1] port 22.
debug1: Connection established.
debug1: identity file /home/hadoop/.ssh/identity type -1
debug1: identity file /home/hadoop/.ssh/identity-cert type -1
debug3: Not a RSA1 key file /home/hadoop/.ssh/id_rsa.
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug3: key_read: missing keytype
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug2: key_type_from_name: unknown key type '-----END'
debug3: key_read: missing keytype
debug1: identity file /home/hadoop/.ssh/id_rsa type 1
debug1: identity file /home/hadoop/.ssh/id_rsa-cert type -1
debug1: identity file /home/hadoop/.ssh/id_dsa type -1
debug1: identity file /home/hadoop/.ssh/id_dsa-cert type -1
debug1: identity file /home/hadoop/.ssh/id_ecdsa type -1
debug1: identity file /home/hadoop/.ssh/id_ecdsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
debug1: match: OpenSSH_5.3 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.3
debug2: fd 3 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
debug3: Wrote 960 bytes for a total of 981
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ssh-dss-cert-v00@openssh.com,ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: found hmac-md5
debug1: kex: server->client aes128-ctr hmac-md5 none
debug2: mac_setup: found hmac-md5
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug3: Wrote 24 bytes for a total of 1005
debug2: dh_gen_key: priv key bits set: 114/256
debug2: bits set: 512/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug3: Wrote 144 bytes for a total of 1149
debug3: check_host_in_hostfile: host master filename /home/hadoop/.ssh/known_hosts
debug3: check_host_in_hostfile: host master filename /home/hadoop/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 5
debug1: Host 'master' is known and matches the RSA host key.
debug1: Found key in /home/hadoop/.ssh/known_hosts:5
debug2: bits set: 525/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug3: Wrote 16 bytes for a total of 1165
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug3: Wrote 48 bytes for a total of 1213
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /home/hadoop/.ssh/identity ((nil))
debug2: key: /home/hadoop/.ssh/id_rsa (0x2ae9888a6330)
debug2: key: /home/hadoop/.ssh/id_dsa ((nil))
debug2: key: /home/hadoop/.ssh/id_ecdsa ((nil))
debug3: Wrote 64 bytes for a total of 1277
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug3: start over, passed a different list publickey,gssapi-keyex,gssapi-with-mic,password
debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup gssapi-keyex
debug3: remaining preferred: gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-keyex
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug2: we did not send a packet, disable method
debug3: authmethod_lookup gssapi-with-mic
debug3: remaining preferred: publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-with-mic
debug1: Next authentication method: gssapi-with-mic
debug3: Trying to reverse map address 127.0.0.1.
debug1: Unspecified GSS failure. Minor code may provide more information
Credentials cache file '/tmp/krb5cc_501' not founddebug1: Unspecified GSS failure. Minor code may provide more information
Credentials cache file '/tmp/krb5cc_501' not founddebug1: Unspecified GSS failure. Minor code may provide more informationdebug1: Unspecified GSS failure. Minor code may provide more information
Credentials cache file '/tmp/krb5cc_501' not founddebug2: we did not send a packet, disable method
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /home/hadoop/.ssh/identity
debug3: no such identity: /home/hadoop/.ssh/identity
debug1: Offering public key: /home/hadoop/.ssh/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug3: Wrote 368 bytes for a total of 1645
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Trying private key: /home/hadoop/.ssh/id_dsa
debug3: no such identity: /home/hadoop/.ssh/id_dsa
debug1: Trying private key: /home/hadoop/.ssh/id_ecdsa
debug3: no such identity: /home/hadoop/.ssh/id_ecdsa
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred: ,password
debug3: authmethod_is_enabled password
debug1: Next authentication method: password
3. The log shows no sign of a permission problem. Comparing against a machine where passwordless login still works turned up the following difference:
In the meantime I tried creating a new user, test, and configuring passwordless SSH for that user failed as well, but passwordless SSH for root worked fine. So the focus returned to permissions, yet every permission checked out fine.
4. Just as I was about to give up I found this post: http://www.linuxidc.com/Linux/2013-07/87267.htm
After reading it I immediately checked my .ssh directory with ls -laZ:
[hadoop@master ~]$ ls -laZ .ssh
drwx------. hadoop hadoop unconfined_u:object_r:file_t:s0 .
drwxr-xr-x. hadoop hadoop unconfined_u:object_r:file_t:s0 ..
-rw-------. hadoop hadoop unconfined_u:object_r:file_t:s0 authorized_keys
-rw-------. hadoop hadoop unconfined_u:object_r:file_t:s0 id_rsa
-rw-r--r--. hadoop hadoop unconfined_u:object_r:file_t:s0 id_rsa.pub
-rw-r--r--. hadoop hadoop unconfined_u:object_r:file_t:s0 id_rsa.pub.slave1
-rw-r--r--. hadoop hadoop unconfined_u:object_r:file_t:s0 id_rsa.pub.slave2
-rw-r--r--. hadoop hadoop unconfined_u:object_r:file_t:s0 known_hosts
Mine too: "sure enough, it is not ssh_home_t".
5. Fixing the problem:
Switch to root and restore the SELinux context:
[root@master ~]# restorecon -r -vv /home/
[hadoop@master ~]$ ls -laZ .ssh
drwx------. hadoop hadoop unconfined_u:object_r:ssh_home_t:s0 .
drwxr-xr-x. hadoop hadoop unconfined_u:object_r:user_home_dir_t:s0 ..
-rw-------. hadoop hadoop unconfined_u:object_r:ssh_home_t:s0 authorized_keys
-rw-------. hadoop hadoop unconfined_u:object_r:ssh_home_t:s0 id_rsa
-rw-r--r--. hadoop hadoop unconfined_u:object_r:ssh_home_t:s0 id_rsa.pub
-rw-r--r--. hadoop hadoop unconfined_u:object_r:ssh_home_t:s0 id_rsa.pub.slave1
-rw-r--r--. hadoop hadoop unconfined_u:object_r:ssh_home_t:s0 id_rsa.pub.slave2
-rw-r--r--. hadoop hadoop unconfined_u:object_r:ssh_home_t:s0 known_hosts
6. Verify the fix:
[hadoop@master ~]$ ssh master
Last login: Wed May 31 09:01:48 2017 from 10.0.17.19
Starting Nexus OSS...
Started Nexus OSS.
-bash: /etc/profile.d/mystart.sh: line 2: syntax error near unexpected token `&&'
-bash: /etc/profile.d/mystart.sh: line 2: ` && '
[hadoop@master ~]$
7. Summary:
The root cause is that I moved the /home/hadoop directory away and then moved it back as root. Even though I changed the ownership back to hadoop:hadoop, the SELinux context of the files under that directory had changed, and sshd is strict about this: the files must be labelled ssh_home_t or public key authentication is refused.
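The check described above can be scripted so that a mislabelled .ssh directory is caught before anyone stares at ssh -vvv output. The following is an added example, not code from the original post: it parses an ls -laZ listing (the sample listing below is constructed from the pre-fix output above), extracts the SELinux type from each context and reports every entry that is not ssh_home_t. It assumes the RHEL/CentOS 6 ls -laZ column layout (mode, user, group, context, name).

```shell
#!/bin/sh
# Added example: audit the SELinux type label of every entry in a
# `ls -laZ ~/.ssh` listing and report those that are not ssh_home_t,
# the label sshd requires on authorized_keys and its directory.
# SAMPLE_LISTING is constructed from the post's pre-fix output, not captured live.
SAMPLE_LISTING='drwx------. hadoop hadoop unconfined_u:object_r:file_t:s0 .
drwxr-xr-x. hadoop hadoop unconfined_u:object_r:file_t:s0 ..
-rw-------. hadoop hadoop unconfined_u:object_r:file_t:s0 authorized_keys
-rw-------. hadoop hadoop unconfined_u:object_r:file_t:s0 id_rsa
-rw-r--r--. hadoop hadoop unconfined_u:object_r:ssh_home_t:s0 id_rsa.pub'

# selinux_type CONTEXT -> prints the type component of user:role:type:level
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# audit_ssh_labels reads an `ls -laZ` listing on stdin and prints one line per
# entry whose SELinux type is not ssh_home_t. The `..` entry is the home
# directory itself and is skipped, because its correct label is user_home_dir_t.
# Returns 0 when every entry is labelled correctly, 1 otherwise.
audit_ssh_labels() {
    bad=0
    while read -r mode user group ctx name; do
        [ -z "$name" ] && continue
        [ "$name" = ".." ] && continue
        type=$(selinux_type "$ctx")
        if [ "$type" != "ssh_home_t" ]; then
            printf 'MISLABELED %s: %s (expected ssh_home_t)\n' "$name" "$type"
            bad=1
        fi
    done
    return $bad
}

# count_mislabeled LISTING -> number of mislabelled entries in the listing
count_mislabeled() {
    printf '%s\n' "$1" | audit_ssh_labels | wc -l | tr -d ' '
}

# Run against the constructed sample. On a real host, feed it `ls -laZ ~/.ssh`
# instead; the fix, as in the post, is `restorecon -r -vv ~/.ssh` as root.
printf '%s\n' "$SAMPLE_LISTING" | audit_ssh_labels \
    || echo "Labels wrong: run restorecon -r -vv ~/.ssh as root"
```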