From: http://segmentfault.com/q/1010000000445726

内网,想做ssh root公钥登录,配置好之后还是提示输入密码,现象:
在服务器端使用其他端口开放sshd:

$/usr/sbin/sshd -p 1234

此时客户端可以无密码登录,但是22端口的sshd还是需要密码

停止服务端22端口的sshd(service),手动使用22端口启动:

$/usr/sbin/sshd -p 22

此时客户端可以无密码登录

太诡异了,关键问题,如果是网上说的文件夹权限或者是操作疏漏什么的,怎么手动启动sshd就可以呢?求大神指导

客户端调试信息:

ssh root@git.com -vvdebug1: Next authentication method: publickey
debug1: Trying private key: /c/Users/Zhou/.ssh/identity
debug1: Offering public key: /c/Users/Zhou/.ssh/id_rsa
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Offering public key: /c/Users/Zhou/.ssh/id_dsa
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug2: we did not send a packet, disable method
debug1: Next authentication method: password
root@git.com's password:

补充

使用默认自启动的服务时候,客户端无法无密码登录 -vvv 参数结果如下:

debug1: Next authentication method: publickey
debug1: Trying private key: /c/Users/Zhou/.ssh/identity
debug3: no such identity: /c/Users/Zhou/.ssh/identity
debug1: Offering public key: /c/Users/Zhou/.ssh/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Offering public key: /c/Users/Zhou/.ssh/id_dsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred: ,password
debug3: authmethod_is_enabled password
debug1: Next authentication method: password

使用$/usr/sbin/sshd -p 22启动服务,客户端可以无密码登录 -vvv 参数结果如下:

debug1: Next authentication method: publickey
debug1: Trying private key: /c/Users/Zhou/.ssh/identity
debug3: no such identity: /c/Users/Zhou/.ssh/identity
debug1: Offering public key: /c/Users/Zhou/.ssh/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Server accepts key: pkalg ssh-rsa blen 277
debug2: input_userauth_pk_ok: fp ca:03:6e:80:a9:5f:7c:12:69:dc:e5:f9:3c:c8:4f:83
debug3: sign_and_send_pubkey
debug1: read PEM private key done: type RSA
debug1: Authentication succeeded (publickey).

sshd_config

#       $OpenBSD: sshd_config,v 1.80 2008/07/02 02:24:18 djm Exp $# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options change a
# default value.#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::# Disable legacy (protocol version 1) support in the server for new
# installations. In future the default will change to require explicit
# activation of protocol 1
Protocol 2# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024# Logging
# obsoletes QuietMode and FascistLogging
SyslogFacility AUTH
#SyslogFacility AUTHPRIV
LogLevel debug# Authentication:#LoginGraceTime 2m
PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile      .ssh/authorized_keys
#AuthorizedKeysCommand none
#AuthorizedKeysCommandRunAs nobody# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication yes# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
#KerberosUseKuserok yes# GSSAPI options
#GSSAPIAuthentication no
GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes
GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
#UsePAM no
UsePAM yes# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#ShowPatchLevel no
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10
#PermitTunnel no
#ChrootDirectory none# no default banner path
#Banner none# override default of no subsystems
Subsystem       sftp    /usr/libexec/openssh/sftp-server# Example of overriding settings on a per-user basis
#Match User anoncvs
#       X11Forwarding no
#       AllowTcpForwarding no
#       ForceCommand cvs server

系统服务器的ssh在进程中的体现:

[root@localhost ~]# ps -ef | grep sshd
root      1233     1  0 16:54 ?        00:00:00 /usr/sbin/sshd
root      1444  1233  0 16:55 ?        00:00:00 sshd: root@pts/0

自己启动的ssh:/usr/sbin/sshd -d -p 1234

root      1470  1449  0 17:03 pts/0    00:00:00 /usr/sbin/sshd -d -p 1234
root      1471  1233  0 17:03 ?        00:00:00 sshd: root@pts/1

P_Chou 1.7k2014年03月27日 回答

问题已解决:是因为.ssh目录没有ssh_home_t标签!!通过下面命令重置。参考public-key-authentication-fails-only-when-sshd-is-daemon一次由SELinux引起的ssh公钥认证失败问题

restorecon -r -vv /root/.ssh

[root@localhost ~]# restorecon -r -vv .ssh
restorecon reset /root/.ssh context unconfined_u:object_r:admin_home_t:s0->unconfined_u:object_r:ssh_home_t:s0
restorecon reset /root/.ssh/id_rsa context unconfined_u:object_r:admin_home_t:s0->unconfined_u:object_r:ssh_home_t:s0
restorecon reset /root/.ssh/known_hosts context unconfined_u:object_r:admin_home_t:s0->unconfined_u:object_r:ssh_home_t:s0
restorecon reset /root/.ssh/authorized_keys context unconfined_u:object_r:admin_home_t:s0->unconfined_u:object_r:ssh_home_t:s0
restorecon reset /root/.ssh/id_rsa.pub context unconfined_u:object_r:admin_home_t:s0->unconfined_u:object_r:ssh_home_t:s0

通过这个命令查看文件夹或文件的标签

[root@localhost ~]# ls -laZ
drwx------. root root unconfined_u:object_r:ssh_home_t:s0 .ssh

=========================================================

我在远程服务器上尝试了两种不同的启动方式(启动openssh服务端):

1.  service sshd restart (客户端仍需输入密码)

2. /usr/sbin/sshd -p 22 (客户端可以免密登录)

于是,我觉得应该是这两种方法启动进程的方式上存在区别。我们都知道通过service sshd restart 启动相当于执行/etc/init.d/sshd restart, 于是我对比正常机器上的/etc/init.d/sshd和异常机器上的该文件,发现他们的start函数确实存在区别,将正常机器上的start函数替换过来,再使用service sshd restart 重启服务端程序,客户端也可以免密登录了!

以下是正常机器上的完整的/etc/init.d/sshd文件内容,可参考下:

#!/bin/bash
#
# sshd      Start up the OpenSSH server daemon
#
# chkconfig: 2345 55 25
# description: SSH is a protocol for secure remote shell access. \
#              This service starts up the OpenSSH server daemon.
#
# processname: sshd
# config: /etc/ssh/ssh_host_key
# config: /etc/ssh/ssh_host_key.pub
# config: /etc/ssh/ssh_random_seed
# config: /etc/ssh/sshd_config
# pidfile: /var/run/sshd.pid### BEGIN INIT INFO
# Provides: sshd
# Required-Start: $local_fs $network $syslog
# Required-Stop: $local_fs $syslog
# Should-Start: $syslog
# Should-Stop: $network $syslog
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: Start up the OpenSSH server daemon
# Description:       SSH is a protocol for secure remote shell access.
#            This service starts up the OpenSSH server daemon.
### END INIT INFO# source function library
. /etc/rc.d/init.d/functions# pull in sysconfig settings
[ -f /etc/sysconfig/sshd ] && . /etc/sysconfig/sshdRETVAL=0
prog="sshd"
lockfile=/var/lock/subsys/$prog# Some functions to make the below more readable
KEYGEN=/usr/bin/ssh-keygen
SSHD=/usr/sbin/sshd
RSA1_KEY=/etc/ssh/ssh_host_key
RSA_KEY=/etc/ssh/ssh_host_rsa_key
DSA_KEY=/etc/ssh/ssh_host_dsa_key
PID_FILE=/var/run/sshd.pidrunlevel=$(set -- $(runlevel); eval "echo \$$#" )fips_enabled() {if [ -r /proc/sys/crypto/fips_enabled ]; thencat /proc/sys/crypto/fips_enabledelseecho 0fi
}do_rsa1_keygen() {if [ ! -s $RSA1_KEY -a `fips_enabled` -eq 0 ]; thenecho -n $"Generating SSH1 RSA host key: "rm -f $RSA1_KEYif test ! -f $RSA1_KEY && $KEYGEN -q -t rsa1 -f $RSA1_KEY -C '' -N '' >&/dev/null; thenchmod 600 $RSA1_KEYchmod 644 $RSA1_KEY.pubif [ -x /sbin/restorecon ]; then/sbin/restorecon $RSA1_KEY.pubfisuccess $"RSA1 key generation"echoelsefailure $"RSA1 key generation"echoexit 1fifi
}do_rsa_keygen() {if [ ! -s $RSA_KEY ]; thenecho -n $"Generating SSH2 RSA host key: "rm -f $RSA_KEYif test ! -f $RSA_KEY && $KEYGEN -q -t rsa -f $RSA_KEY -C '' -N '' >&/dev/null; thenchmod 600 $RSA_KEYchmod 644 $RSA_KEY.pubif [ -x /sbin/restorecon ]; then/sbin/restorecon $RSA_KEY.pubfisuccess $"RSA key generation"echoelsefailure $"RSA key generation"echoexit 1fifi
}do_dsa_keygen() {if [ ! -s $DSA_KEY ]; thenecho -n $"Generating SSH2 DSA host key: "rm -f $DSA_KEYif test ! -f $DSA_KEY && $KEYGEN -q -t dsa -f $DSA_KEY -C '' -N '' >&/dev/null; thenchmod 600 $DSA_KEYchmod 644 $DSA_KEY.pubif [ -x /sbin/restorecon ]; then/sbin/restorecon $DSA_KEY.pubfisuccess $"DSA key generation"echoelsefailure $"DSA key generation"echoexit 1fifi
}do_restart_sanity_check()
{$SSHD -tRETVAL=$?if [ $RETVAL -ne  0 ]; thenfailure $"Configuration file or keys are invalid"echofi
}start()
{[ -x $SSHD ] || exit 5[ -f /etc/ssh/sshd_config ] || exit 6# Create keys if necessaryif [ "x${AUTOCREATE_SERVER_KEYS}" != xNO ]; thendo_rsa1_keygendo_rsa_keygendo_dsa_keygenfiecho -n $"Starting $prog: "$SSHD $OPTIONS && success || failureRETVAL=$?[ $RETVAL -eq 0 ] && touch $lockfileechoreturn $RETVAL
}stop()
{echo -n $"Stopping $prog: "if [ -n "`pidfileofproc $SSHD`" ] ; thenkillproc $SSHDelsefailure $"Stopping $prog"fiRETVAL=$?# if we are in halt or reboot runlevel kill all running sessions# so the TCP connections are closed cleanlyif [ "x$runlevel" = x0 -o "x$runlevel" = x6 ] ; thentrap '' TERMkillall $prog 2>/dev/nulltrap TERMfi[ $RETVAL -eq 0 ] && rm -f $lockfileecho
}reload()
{echo -n $"Reloading $prog: "if [ -n "`pidfileofproc $SSHD`" ] ; thenkillproc $SSHD -HUPelsefailure $"Reloading $prog"fiRETVAL=$?echo
}restart() {stopstart
}force_reload() {restart
}rh_status() {status -p $PID_FILE openssh-daemon
}rh_status_q() {rh_status >/dev/null 2>&1
}case "$1" instart)rh_status_q && exit 0start;;stop)if ! rh_status_q; thenrm -f $lockfileexit 0fistop;;restart)restart;;reload)rh_status_q || exit 7reload;;force-reload)force_reload;;condrestart|try-restart)rh_status_q || exit 0if [ -f $lockfile ] ; thendo_restart_sanity_checkif [ $RETVAL -eq 0 ] ; thenstop# avoid racesleep 3startelseRETVAL=6fifi;;status)rh_statusRETVAL=$?if [ $RETVAL -eq 3 -a -f $lockfile ] ; thenRETVAL=2fi;;*)echo $"Usage: $0 {start|stop|restart|reload|force-reload|condrestart|try-restart|status}"RETVAL=2
esac
exit $RETVAL

CentOS SSH公钥登录问题相关推荐

  1. 配置ssh公钥登录提示还是输入密码

    一.知识点补充: 在客户端来看,SSH提供两种级别的安全验证 第一种级别(基于密码的安全验证),知道帐号和密码,就可以登录到远程主机,并且所有传输的数据都会被加密. 第二种级别(基于密钥的安全验证), ...

  2. Docker初识:安装centos(ssh远程登录)

    初话: 为了学习k8s,不得不利用docker虚拟出多个Linux系统,所以才记录一下搭建过程. 1.下载centos镜像 [root@i-32jf8ek3 opt]# docker images R ...

  3. ssh 公钥登录远程主机

    ssh-keygen 然后一路回车就可以了 ssh-copy-id user@host user代表用户名,host代表主机地址 然后根据提示输入远程主机的密码,成功,再登录就不用输入密码了 转载于: ...

  4. linux ssh公钥免密码登录

    ssh 无密码登录要使用公钥与私钥.linux下可以用用ssh-keygen生成公钥/私钥对,下面我以CentOS为例. 一.SSH公钥登录原理 在平时工作中我们经常要远程登录服务器,这就要用到SSH ...

  5. 使用SecureCRT设置linux系统登录的ssh公钥认证

    使用SecureCRT设置linux系统登录的ssh公钥认证 linux系统环境:CentOS 5.8 1.修改ssh配置文件/etc/ssh/sshd_config RSAAuthenticatio ...

  6. ssh公钥免密码登录

    2019独角兽企业重金招聘Python工程师标准>>> ssh 无密码登录要使用公钥与私钥.linux下可以用用ssh-keygen生成公钥/私钥对,下面我以CentOS为例. 有机 ...

  7. CentOS配置ssh无密码登录

    前提配置:使用root登录修改配置文件:/etc/ssh/sshd_config,将其中三行的注释去掉,如下: 然后重启ssh服务:service sshd restart.最后退出root,以下所有 ...

  8. CentOS配置ssh无密码登录的注意点

    前提配置:使用root登录修改配置文件:/etc/ssh/sshd_config,将其中三行的注释去掉,如下: 然后重启ssh服务:service sshd restart.最后退出root,以下所有 ...

  9. CentOS设置ssh密钥登录

    2019独角兽企业重金招聘Python工程师标准>>> CentOS设置ssh密钥登录 centos 系统安全防御 2017年12月2日 329 0 0 一.生成密钥对(两种方式)并 ...

最新文章

  1. linux7内核优化,centos7 系统内核、网络等优化(适用高并发)
  2. JQuery DataTables插件汉化
  3. jquery自动补全
  4. IntelliJ Idea解决Could not autowire. No beans of 'xxxx' type found的错误提示
  5. shell编程系列23--shell操作数据库实战之mysql命令参数详解
  6. 理解吞吐量和停顿时间
  7. 【渝粤题库】国家开放大学2021春2717家畜解剖基础题目
  8. 暑期训练日志----2018.8.16
  9. 【Python】Python实战从入门到精通之一 -- 教你深入理解Python中的变量和数据类型
  10. 带你深入了解 GitLab CI/CD 原理及流程
  11. SAP License:SAP凭证的类别和记账码
  12. 转载: CentOS下配置Apache
  13. 计算机主机特点,计算机的五大特点是什么
  14. xshell以及xftp免费版
  15. 记录遇到的web前端开发面试题(八股文)
  16. 从10万到百亿营收的背后 | 同程旅游CTO V课堂实录
  17. Linux里面的进程管理
  18. Jenkins修改Job工作空间、修改日志路径
  19. 华为服务器信息失败,服务器远程信息失败
  20. 编码修养系列---提升性能必学篇

热门文章

  1. Samba将Linux集成到Windows网络
  2. 程序员是一盏省油的灯
  3. leetcode 867. 转置矩阵
  4. leetcode 1202. 交换字符串中的元素(并查集)
  5. leetcode413. 等差数列划分(动态规划)
  6. github和pypi_如何将GitHub用作PyPi服务器
  7. sublime 消除锯齿_如何在Sublime中消除麻烦
  8. struct.error: cannot convert argument to integer解决办法
  9. 【Codeforces Round #452 (Div. 2) C】 Dividing the numbers
  10. 修改数据表部分字段方法封装-及-动态生成对象并动态添加属性