在使用linux过程中经常会使用到ssh远程到对端机器,为了快捷方便,会建立rsa文件授权登陆。本文列举一些配置设置对登陆的影响。

验证OS:CentOS release 6.6 (Final)

正常登陆ssh到对端的日志如下:

[test@hq .ssh]$ ssh -vv localhost

OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013

debug1: Reading configuration data /etc/ssh/ssh_config

debug1: Applying options for *

debug2: ssh_connect: needpriv 0

debug1: Connecting to localhost [::1] port 22.

debug1: Connection established.

debug1: identity file /home/test/.ssh/identity type -1

debug1: identity file /home/test/.ssh/identity-cert type -1

debug2: key_type_from_name: unknown key type '-----BEGIN'

debug2: key_type_from_name: unknown key type '-----END'

debug1: identity file /home/test/.ssh/id_rsa type 1

debug1: identity file /home/test/.ssh/id_rsa-cert type -1

debug1: identity file /home/test/.ssh/id_dsa type -1

debug1: identity file /home/test/.ssh/id_dsa-cert type -1

debug1: identity file /home/test/.ssh/id_ecdsa type -1

debug1: identity file /home/test/.ssh/id_ecdsa-cert type -1

debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3

debug1: match: OpenSSH_5.3 pat OpenSSH*

debug1: Enabling compatibility mode for protocol 2.0

debug1: Local version string SSH-2.0-OpenSSH_5.3

debug2: fd 3 setting O_NONBLOCK

debug1: SSH2_MSG_KEXINIT sent

debug1: SSH2_MSG_KEXINIT received

debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1

debug2: kex_parse_kexinit: [email protected],[email protected],[email protected],[email protected],ssh-rsa,ssh-dss

debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected]

debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected]

debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,[email protected],hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96

debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,[email protected],hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96

debug2: kex_parse_kexinit: none,[email protected],zlib

debug2: kex_parse_kexinit: none,[email protected],zlib

debug2: kex_parse_kexinit: 

debug2: kex_parse_kexinit: 

debug2: kex_parse_kexinit: first_kex_follows 0 

debug2: kex_parse_kexinit: reserved 0 

debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1

debug2: kex_parse_kexinit: ssh-rsa,ssh-dss

debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected]

debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected]

debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,[email protected],hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96

debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,[email protected],hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96

debug2: kex_parse_kexinit: none,[email protected]

debug2: kex_parse_kexinit: none,[email protected]

debug2: kex_parse_kexinit: 

debug2: kex_parse_kexinit: 

debug2: kex_parse_kexinit: first_kex_follows 0 

debug2: kex_parse_kexinit: reserved 0 

debug2: mac_setup: found hmac-md5

debug1: kex: server->client aes128-ctr hmac-md5 none

debug2: mac_setup: found hmac-md5

debug1: kex: client->server aes128-ctr hmac-md5 none

debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent

debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP

debug2: dh_gen_key: priv key bits set: 120/256

debug2: bits set: 498/1024

debug1: SSH2_MSG_KEX_DH_GEX_INIT sent

debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY

debug1: Host 'localhost' is known and matches the RSA host key.

debug1: Found key in /home/test/.ssh/known_hosts:1

debug2: bits set: 507/1024

debug1: ssh_rsa_verify: signature correct

debug2: kex_derive_keys

debug2: set_newkeys: mode 1

debug1: SSH2_MSG_NEWKEYS sent

debug1: expecting SSH2_MSG_NEWKEYS

debug2: set_newkeys: mode 0

debug1: SSH2_MSG_NEWKEYS received

debug1: SSH2_MSG_SERVICE_REQUEST sent

debug2: service_accept: ssh-userauth

debug1: SSH2_MSG_SERVICE_ACCEPT received

debug2: key: /home/test/.ssh/identity ((nil))

debug2: key: /home/test/.ssh/id_rsa (0x7f080a413f50)

debug2: key: /home/test/.ssh/id_dsa ((nil))

debug2: key: /home/test/.ssh/id_ecdsa ((nil))

debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password

debug1: Next authentication method: gssapi-keyex

debug1: No valid Key exchange context

debug2: we did not send a packet, disable method

debug1: Next authentication method: gssapi-with-mic

debug1: Unspecified GSS failure.  Minor code may provide more information

Credentials cache file '/tmp/krb5cc_501' not found


debug1: Unspecified GSS failure.  Minor code may provide more information

Credentials cache file '/tmp/krb5cc_501' not found


debug1: Unspecified GSS failure.  Minor code may provide more information



debug1: Unspecified GSS failure.  Minor code may provide more information

Credentials cache file '/tmp/krb5cc_501' not found


debug2: we did not send a packet, disable method

debug1: Next authentication method: publickey

debug1: Trying private key: /home/test/.ssh/identity

debug1: Offering public key: /home/test/.ssh/id_rsa

debug2: we sent a publickey packet, wait for reply

debug1: Server accepts key: pkalg ssh-rsa blen 277

debug2: input_userauth_pk_ok: SHA1 fp 26:ed:bb:45:e0:37:8e:64:32:fb:04:96:67:fa:30:43:8c:2b:28:9f

debug1: read PEM private key done: type RSA

debug1: Authentication succeeded (publickey).

debug1: channel 0: new [client-session]

debug2: channel 0: send open

debug1: Requesting [email protected]

debug1: Entering interactive session.

debug2: callback start

debug2: client_session2_setup: id 0

debug2: channel 0: request pty-req confirm 1

debug1: Sending environment.

debug1: Sending env LANG = zh_CN.UTF-8

debug2: channel 0: request env confirm 0

debug2: channel 0: request shell confirm 1

debug2: fd 3 setting TCP_NODELAY

debug2: callback done

debug2: channel 0: open confirm rwindow 0 rmax 32768

debug2: channel_input_status_confirm: type 99 id 0

debug2: PTY allocation request accepted on channel 0

debug2: channel 0: rcvd adjust 2097152

debug2: channel_input_status_confirm: type 99 id 0

debug2: shell request accepted on channel 0

Last login: Sun Jul 20 07:42:04 2014 from localhost

[test@hq ~]$ debug2: client_check_window_change: changed

debug2: channel 0: request window-change confirm 0

1、家目录权限问题,正常权限为700

1)如果权限 g+w or  o+w,此时登陆需要密码,提示如下

....................................................

debug2: we did not send a packet, disable method

debug1: Next authentication method: publickey

debug1: Trying private key: /home/test/.ssh/identity

debug1: Offering public key: /home/test/.ssh/id_rsa

debug2: we sent a publickey packet, wait for reply

debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password

debug1: Trying private key: /home/test/.ssh/id_dsa

debug1: Trying private key: /home/test/.ssh/id_ecdsa

debug2: we did not send a packet, disable method

debug1: Next authentication method: password

test@localhost's password: 

2、.ssh目录权限问题,正常为700

1)如果权限 g+w or  o+w,此时登陆需要密码,提示如上

3、 authorized_keys文件权限问题,正常为600

1)如果权限问g+w or  o+w,此时登陆需要密码,提示如上

4、selinux问题     设置成enforucing,登陆正常。

[test@hq ~]$ getenforce 

Enforcing

[test@hq ~]$ ssh localhost

Last login: Sun Jul 20 08:06:31 2014 from localhost

5、sshd_config配置问题

#RSAAuthentication yes

#PubkeyAuthentication yes

#AuthorizedKeysFile     .ssh/authorized_keys

将上述三个文件注释掉,登陆正常。


总结:对ssh rsa验证影响的是文件和目录的权限问题,其他设置无实际影响。

附系统ssh登陆日志路径

/var/log/security