建立信任关系失败

最新推荐文章于 2024-06-26 16:25:15 发布

原创最新推荐文章于 2024-06-26 16:25:15 发布 · 1.8w 阅读

2 ·

CC 4.0 BY-SA版权

Linux && Shell 专栏收录该内容

31 篇文章

订阅专栏

本文介绍了SSH免密登录常见的两种问题及解决方法。一种是权限问题，涉及.ssh目录和authorized_keys文件的权限设置；另一种是配置问题，涉及如何通过修改ssh_config文件来指定正确的私钥文件。

摘要生成于 C知道，由 DeepSeek-R1 满血版支持，前往体验 >

情况一：权限问题：

现象：A建立与B的信任关系，但是建立失败

解决：查看B的用户下.ssh/authorized_keys的权限，只能是700，或者是644，不能是其他

情况二：关于ssh信任关系--每台主机指定不同的私钥文件
当主机与10.11.70.25创建了信任关系后，每次ssh远程登陆10.11.70.25时都要求输入密码，如下：
linux:/etc/ssh/# ssh 10.11.70.25
Authorized users only. All activity may be monitored and reported.
Password:

排查了/etc/ssh/sshd_config中
#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile .ssh/authorized_keys
都是默认的yes。
（
补充说明：
OpenSSH 的服务端配置文件一般为 /etc/ssh/sshd_config，和公钥认证有关的两个配置项是：
#RSAAuthentication yes
#PubkeyAuthentication yes
其缺省值一般为 yes。如果希望仅打开公钥认证，禁用其他的认证方式，则可以修改下列配置项：
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM no
上述配置项如果有任何需要修改的地方在修改之后重启ssh服务器让新的设置生效。
）

最后排查到ssh_config配置文件，内容如下：
linux:/etc/ssh/# cat /etc/ssh/ssh_config

# Site-wide defaults for some commonly used options. For a comprehensive
# list of available options, their meanings and defaults, please see the
# ssh_config(5) man page.

Host *
# ForwardAgent no
# ForwardX11 no

# If you do not trust your remote host (or its administrator), you
# should not forward X11 connections to your local X11-display for
# security reasons: Someone stealing the authentification data on the
# remote side (the "spoofed" X-server by the remote sshd) can read your
# keystrokes as you type, just like any other X11 client could do.
# Set this to "no" here for global effect or in your own ~/.ssh/config
# file if you want to have the remote X11 authentification data to
# expire after two minutes after remote login.
ForwardX11Trusted yes

#   RhostsRSAAuthentication no
#   RSAAuthentication yes
#   PasswordAuthentication yes
#   HostbasedAuthentication no
#   GSSAPIAuthentication no
#   GSSAPIDelegateCredentials no
#   BatchMode no
#   CheckHostIP yes
#   AddressFamily any
#   ConnectTimeout 0
#   StrictHostKeyChecking ask
#   IdentityFile ~/.ssh/identity
#   IdentityFile ~/.ssh/id_rsa
#   IdentityFile ~/.ssh/id_dsa
#   Port 22
    Protocol 2
#   Cipher 3des
#   Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
#   MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160
#   EscapeChar ~
#   Tunnel no
#   TunnelDevice any:any
#   PermitLocalCommand no
#   GSSAPIAuthentication no
#   GSSAPIDelegateCredentials no

# Set this to 'yes' to enable support for the deprecated 'gssapi' authentication
# mechanism to OpenSSH 3.8p1. The newer 'gssapi-with-mic' mechanism is included
# in this release. The use of 'gssapi' is deprecated due to the presence of
# potential man-in-the-middle attacks, which 'gssapi-with-mic' is not susceptible to.
# GSSAPIEnableMITMAttack no

# This enables sending locale enviroment variables LC_* LANG, see ssh_config(5).
SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
SendEnv LC_IDENTIFICATION LC_ALL
IdentityFile ~/.ssh/identification

文件末尾多了一行IdentityFile的定义，重新定义了IdentityFile为~/.ssh/identification

说明：
当主机中有多个密钥对的情况下，可以通过设置 /etc/ssh/ssh_config中对不同的主机和用户使用不同的私钥文件。如下例：
Host *
IdentityFile ~/.ssh/%r@%h

对所有主机使用私钥文件路径和名称格式为：~/.ssh/%r@%h

Host 10.11.70.25
IdentityFile ~/.ssh/id_dsa141
只对远程主机10.11.70.25进行ssh连接时，使用的私钥文件为~/.ssh/id_dsa141

而实际上我们的私钥文件还是使用的默认的~/.ssh/id_rsa
文件ssh_config中配置为了IdentityFile ~/.ssh/identification，导致远程登陆时私钥文件系统默认找identification，而不是id_rsa。
因此每次都需要重新输入密码。

修改方法：
删除掉或是注释掉最后一行：
#IdentityFile ~/.ssh/identification

修改后，文件配置文件是即时生效，无需重启ssh服务。
linux:~/.ssh # ssh 10.11.70.25
Authorized users only. All activity may be monitored and reported.
Last login: Thu Feb 20 15:23:10 2014 from 10.18.56.23
Authorized users only. All activity may be monitored and reported.
linux101:~ # ls

顺利登陆远程服务器10.11.70.25，问题解决。