Impossível conectar-se ao servidor com ssh sem senha

Navegue suas respostas
0

Eu tentei soluções diferentes, mas nenhuma delas funciona.

Eu gerou uma chave com o ssh-keygen em uma máquina. Eu adiciono essa chave em um servidor linux em /root/.ssh/authorized_keys , e funciona perfeitamente.

Em um segundo servidor linux, fiz o mesmo. Mas isso não funciona. Eu tentei coisas diferentes:

  • Coloque minha chave em /root/.ssh/authorized_keys2
  • Editado /etc/ssh/ssh_config e /etc/ssh/sshd_config (comentando e descomentando linhas)
  • Deu os direitos certos (700 para% de diretório.ssh e 600 para arquivos authorized_keys)

Nada parece funcionar ... Ainda me pedindo uma senha.

Qual poderia ser o problema?

Muito obrigado.

EDITAR:

'sshd_config 

Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes

# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 1024

# Logging
SyslogFacility AUTH
LogLevel INFO

# Authentication:
LoginGraceTime 120
#PermitRootLogin without-password
PermitRootLogin no
StrictModes yes
AllowUsers user

RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile     %h/.ssh/authorized_keys

# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes

# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no

# Change to no to disable tunnelled clear text passwords
#PasswordAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no

#MaxStartups 10:30:60
#Banner /etc/issue.net
# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

Subsystem sftp /usr/lib/openssh/sftp-server

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes
Ciphers [email protected],[email protected],aes256-ctr,aes128-ctr
MACs [email protected],[email protected],[email protected],hmac-sha2-512,hmac-sha2-256,hmac-ripemd160
KexAlgorithms diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1

Meu resultado ssh -vv

OpenSSH_6.7p1 Debian-5+deb8u3, OpenSSL 1.0.1t 3 May 2016 debug1: Reading configuration data /etc/ssh/ssh_config debug1: /etc/ssh/ssh_config line 19: Applying options for * debug2: ssh_connect: needpriv 0 debug1: Connecting to IP [IP] port 22. debug1: Connection established. debug1: permanently_set_uid: 0/0 debug1: identity file /root/.ssh/id_rsa type 1 debug1: key_load_public: No such file or directory debug1: identity file /root/.ssh/id_rsa-cert type -1 debug1: key_load_public: No such file or directory debug1: identity file /root/.ssh/id_dsa type -1 debug1: key_load_public: No such file or directory debug1: identity file /root/.ssh/id_dsa-cert type -1 debug1: key_load_public: No such file or directory debug1: identity file /root/.ssh/id_ecdsa type -1 debug1: key_load_public: No such file or directory debug1: identity file /root/.ssh/id_ecdsa-cert type -1 debug1: key_load_public: No such file or directory debug1: identity file /root/.ssh/id_ed25519 type -1 debug1: key_load_public: No such file or directory debug1: identity file /root/.ssh/id_ed25519-cert type -1 debug1: Enabling compatibility mode for protocol 2.0 debug1: Local version string SSH-2.0-OpenSSH_6.7p1 Debian-5+deb8u3 debug1: Remote protocol version 2.0, remote software version OpenSSH_6.7p1 Debian-5+deb8u3 debug1: match: OpenSSH_6.7p1 Debian-5+deb8u3 pat OpenSSH* compat 0x04000000 debug2: fd 3 setting O_NONBLOCK debug1: SSH2_MSG_KEXINIT sent debug1: SSH2_MSG_KEXINIT received debug2: kex_parse_kexinit: [email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1 debug2: kex_parse_kexinit: [email protected],ssh-ed25519,[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-rsa,ssh-dss debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected],[email protected],arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected] debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected],[email protected],arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected] debug2: kex_parse_kexinit: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1,[email protected],[email protected],[email protected],[email protected],hmac-md5,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1,[email protected],[email protected],[email protected],[email protected],hmac-md5,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: none,[email protected],zlib debug2: kex_parse_kexinit: none,[email protected],zlib debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: first_kex_follows 0 debug2: kex_parse_kexinit: reserved 0 debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1 debug2: kex_parse_kexinit: ssh-rsa,ssh-ed25519 debug2: kex_parse_kexinit: [email protected],[email protected],aes256-ctr,aes128-ctr debug2: kex_parse_kexinit: [email protected],[email protected],aes256-ctr,aes128-ctr debug2: kex_parse_kexinit: [email protected],[email protected],[email protected],hmac-sha2-512,hmac-sha2-256,hmac-ripemd160 debug2: kex_parse_kexinit: [email protected],[email protected],[email protected],hmac-sha2-512,hmac-sha2-256,hmac-ripemd160 debug2: kex_parse_kexinit: none,[email protected] debug2: kex_parse_kexinit: none,[email protected] debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: first_kex_follows 0 debug2: kex_parse_kexinit: reserved 0 debug2: mac_setup: setup [email protected] debug1: kex: server->client aes128-ctr [email protected] none debug2: mac_setup: setup [email protected] debug1: kex: client->server aes128-ctr [email protected] none debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<3072<8192) sent debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP debug2: bits set: 1580/3072 debug1: SSH2_MSG_KEX_DH_GEX_INIT sent debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY debug1: Server host key: ED25519 67:fd:fd:6e:a5:c1:32:96:9d:33:32:1a:cf:83:94:ea debug1: Host '[IP]:22' is known and matches the ED25519 host key. debug1: Found key in /root/.ssh/known_hosts:1 debug2: bits set: 1546/3072 debug2: kex_derive_keys debug2: set_newkeys: mode 1 debug1: SSH2_MSG_NEWKEYS sent debug1: expecting SSH2_MSG_NEWKEYS debug2: set_newkeys: mode 0 debug1: SSH2_MSG_NEWKEYS received debug1: SSH2_MSG_SERVICE_REQUEST sent debug2: service_accept: ssh-userauth debug1: SSH2_MSG_SERVICE_ACCEPT received debug2: key: /root/.ssh/id_rsa (0x7f84b8ce74a0), debug2: key: /root/.ssh/id_dsa ((nil)), debug2: key: /root/.ssh/id_ecdsa ((nil)), debug2: key: /root/.ssh/id_ed25519 ((nil)), debug1: Authentications that can continue: publickey,password debug1: Next authentication method: publickey debug1: Offering RSA public key: /root/.ssh/id_rsa debug2: we sent a publickey packet, wait for reply debug1: Authentications that can continue: publickey,password debug1: Trying private key: /root/.ssh/id_dsa debug1: Trying private key: /root/.ssh/id_ecdsa debug1: Trying private key: /root/.ssh/id_ed25519 debug2: we did not send a packet, disable method senha do usuário @ IP:

/var/log/auth.log (no servidor distante)

Jul 12 12:24:43 ns3111463 sshd[12971]: input_userauth_request: invalid user root [preauth] Jul 12 12:24:44 ns3111463 sshd[12971]: Connection closed by IP [preauth] Jul 12 12:24:46 ns3111463 sshd[12973]: Connection closed by IP [preauth] Jul 12 12:24:48 ns3111463 sshd[11787]: Received signal 15; terminating. Jul 12 12:24:48 ns3111463 sshd[12977]: Server listening on 0.0.0.0 port 22. Jul 12 12:24:48 ns3111463 sshd[12977]: Server listening on :: port 22. Jul 12 12:24:50 ns3111463 sshd[12978]: Connection closed by IP [preauth] Jul 12 12:24:51 ns3111463 sshd[12980]: User root from IP not allowed because not listed in AllowUsers Jul 12 12:24:51 ns3111463 sshd[12980]: input_userauth_request: invalid user root [preauth] Jul 12 12:24:51 ns3111463 sshd[12980]: Connection closed by IP [preauth] Jul 12 12:25:49 ns3111463 sshd[12977]: Received signal 15; terminating. Jul 12 12:25:49 ns3111463 sshd[13029]: Server listening on 0.0.0.0 port 22. Jul 12 12:25:49 ns3111463 sshd[13029]: Server listening on :: port 22. Jul 12 12:25:50 ns3111463 sshd[13030]: User root from IP not allowed because not listed in AllowUsers Jul 12 12:25:50 ns3111463 sshd[13030]: input_userauth_request: invalid user root [preauth] Jul 12 12:25:51 ns3111463 sshd[13030]: Connection closed by IP [preauth] Jul 12 12:25:53 ns3111463 sshd[13032]: Connection closed by IP [preauth] Jul 12 12:37:41 ns3111463 sshd[13552]: Connection closed by IP [preauth] Jul 12 12:38:09 ns3111463 sshd[13598]: Connection closed by IP [preauth]

    
por Gabriel 12.07.2017 / 11:38

2 respostas

1

Portanto, você tem o arquivo PermitRootLogin no e authorized_keys no diretório inicial raiz. Tente usar PermitRootLogin without-password . Em seguida, reinicie o servidor SSH: 

systemctl restart sshd.service

Para o aviso: é melhor proibir o login da raiz sobre o SSH, mesmo com as chaves. Crie um usuário customizado e faça login no SSH usando este usuário. Você pode então su mudar para a raiz.

EDITAR:

Se você quiser logar como não root, você tem que colocar sua chave pública no arquivo authorized_keys do seu usuário: 

/home/$USER/.ssh/authorized_keys

EDIT2:

Para desativar a autenticação com senhas para todos os usuários, defina PasswordAuthentication no e reinicie o servidor SSH.

    
por 12.07.2017 / 11:59
0

Então você precisa ter cuidado, pois o ssh é muito exigente quanto aos direitos quando se trata de autenticação de chave pública.

Você está, pelo menos, certo no .ssh , que deve ser limitado, mas isso não é tudo. O /root também deve ser limitado e de propriedade do usuário.

Portanto, tente ajustar a "casa" do usuário com 755 para que o grupo não possa gravar na casa + o proprietário direito da casa também seja atribuído.

Além disso, por que você está usando "authorized_keys2" em vez de "authorized_keys", não acho que isso funcionará?

    
por 12.07.2017 / 12:03

Tags

Como adicionar uma nova linha após uma expressão Como posso remover o ícone de ejeção sem formatação? [fechadas]