CentOS SSH public-key login problem

Published: 2023/12/9 · Programming Q&A · 28 · 豆豆
This article, collected and reposted by 生活随笔, covers the CentOS SSH public-key login problem; the editor thought it worth sharing as a reference.

From: http://segmentfault.com/q/1010000000445726

On an internal network I want to set up SSH public-key login for root. After configuring it, I am still prompted for a password. Symptoms:
On the server, start sshd on a different port:

$/usr/sbin/sshd -p 1234

Now the client can log in without a password, but the sshd on port 22 still asks for one.

Stop the sshd service on port 22 and start it by hand on port 22:

$/usr/sbin/sshd -p 22

Now the client can log in without a password.

This is bizarre. The key question: if it were the directory permissions or some oversight, as people online suggest, why does starting sshd manually make it work? Hoping an expert can advise.

Client debug output:

ssh root@git.com -vv
debug1: Next authentication method: publickey
debug1: Trying private key: /c/Users/Zhou/.ssh/identity
debug1: Offering public key: /c/Users/Zhou/.ssh/id_rsa
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Offering public key: /c/Users/Zhou/.ssh/id_dsa
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug2: we did not send a packet, disable method
debug1: Next authentication method: password
root@git.com's password:

Addendum

With the default auto-started service, the client cannot log in without a password; the output with -vvv is as follows:

debug1: Next authentication method: publickey
debug1: Trying private key: /c/Users/Zhou/.ssh/identity
debug3: no such identity: /c/Users/Zhou/.ssh/identity
debug1: Offering public key: /c/Users/Zhou/.ssh/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Offering public key: /c/Users/Zhou/.ssh/id_dsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred: ,password
debug3: authmethod_is_enabled password
debug1: Next authentication method: password

When the service is started with $/usr/sbin/sshd -p 22, the client can log in without a password; the output with -vvv is as follows:

debug1: Next authentication method: publickey
debug1: Trying private key: /c/Users/Zhou/.ssh/identity
debug3: no such identity: /c/Users/Zhou/.ssh/identity
debug1: Offering public key: /c/Users/Zhou/.ssh/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Server accepts key: pkalg ssh-rsa blen 277
debug2: input_userauth_pk_ok: fp ca:03:6e:80:a9:5f:7c:12:69:dc:e5:f9:3c:c8:4f:83
debug3: sign_and_send_pubkey
debug1: read PEM private key done: type RSA
debug1: Authentication succeeded (publickey).

sshd_config

#	$OpenBSD: sshd_config,v 1.80 2008/07/02 02:24:18 djm Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options change a
# default value.

#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# Disable legacy (protocol version 1) support in the server for new
# installations. In future the default will change to require explicit
# activation of protocol 1
Protocol 2

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024

# Logging
# obsoletes QuietMode and FascistLogging
SyslogFacility AUTH
#SyslogFacility AUTHPRIV
LogLevel debug

# Authentication:

#LoginGraceTime 2m
PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile	.ssh/authorized_keys
#AuthorizedKeysCommand none
#AuthorizedKeysCommandRunAs nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication yes

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
#KerberosUseKuserok yes

# GSSAPI options
#GSSAPIAuthentication no
GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes
GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
#UsePAM no
UsePAM yes

# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#ShowPatchLevel no
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10
#PermitTunnel no
#ChrootDirectory none

# no default banner path
#Banner none

# override default of no subsystems
Subsystem	sftp	/usr/libexec/openssh/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#	X11Forwarding no
#	AllowTcpForwarding no
#	ForceCommand cvs server

The system's sshd service as it appears in the process list:

[root@localhost ~]# ps -ef | grep sshd
root      1233     1  0 16:54 ?        00:00:00 /usr/sbin/sshd
root      1444  1233  0 16:55 ?        00:00:00 sshd: root@pts/0

The sshd I started myself: /usr/sbin/sshd -d -p 1234

root      1470  1449  0 17:03 pts/0    00:00:00 /usr/sbin/sshd -d -p 1234
root      1471  1233  0 17:03 ?        00:00:00 sshd: root@pts/1
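The sshd_config posted above is worth a second look once the key problem is solved: it has PermitRootLogin yes, PasswordAuthentication yes and LogLevel debug uncommented. The following is an added example, not part of the original post, that audits the effective values of these directives the way sshd itself reads them (first uncommented occurrence of a keyword wins, comments ignored). The embedded config text is a constructed excerpt that reproduces the effective settings of the posted file; the function names are my own.

```sh
#!/bin/sh
# Added example (not from the original post): audit security-relevant
# directives in an sshd_config. sshd honours the FIRST uncommented
# occurrence of each keyword, so the lookup below must do the same.

# Constructed excerpt mirroring the effective settings of the posted
# sshd_config. Commented lines are kept to show they must be skipped.
SAMPLE_SSHD_CONFIG='#Port 22
Protocol 2
LogLevel debug
#LoginGraceTime 2m
PermitRootLogin yes
#StrictModes yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes'

# effective_value CONFIG_TEXT KEYWORD
# Prints the value of the first uncommented line whose keyword matches
# (keywords are case-insensitive in sshd_config); prints nothing if the
# directive is left at its compiled-in default.
effective_value() {
    printf '%s\n' "$1" | awk -v key="$2" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        tolower($1) == tolower(key) && !done { print $2; done = 1 }'
}

# audit_sshd_config CONFIG_TEXT
# One finding per line: "Keyword=value reason".
audit_sshd_config() {
    cfg="$1"
    v=$(effective_value "$cfg" PermitRootLogin)
    [ "$v" = "yes" ] && echo "PermitRootLogin=yes root can log in with a password; prefer without-password or no"
    v=$(effective_value "$cfg" PasswordAuthentication)
    [ "$v" != "no" ] && echo "PasswordAuthentication=${v:-yes} password logins still allowed; set to no once key login works"
    v=$(effective_value "$cfg" PubkeyAuthentication)
    [ "$v" = "no" ] && echo "PubkeyAuthentication=no key login is disabled"
    v=$(effective_value "$cfg" LogLevel)
    case "$v" in
        [Dd][Ee][Bb][Uu][Gg]*)
            echo "LogLevel=$v debug logging records user activity; use INFO or VERBOSE in production" ;;
    esac
    return 0
}

# Number of findings for the constructed sample (3: root login, passwords, log level).
count_findings_sample() {
    audit_sshd_config "$SAMPLE_SSHD_CONFIG" | wc -l | tr -d ' '
}

# Stand-alone run: audit the sample, or a real file when a path is given.
if [ -n "$1" ] && [ -r "$1" ]; then
    audit_sshd_config "$(cat "$1")"
else
    audit_sshd_config "$SAMPLE_SSHD_CONFIG"
fi
```

Run it as `sh audit_sshd.sh /etc/ssh/sshd_config` on a host, or with no argument to see the three findings for the posted configuration. The debug-level warning follows sshd_config(5), which notes that logging at DEBUG level violates the privacy of users.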



P_Chou 1.7k · answered 27 March 2014

Problem solved: the .ssh directory was missing the ssh_home_t label!! Reset it with the command below. References: public-key-authentication-fails-only-when-sshd-is-daemon and 一次由SELinux引起的ssh公钥认证失败问题 (an SSH public-key authentication failure caused by SELinux).

restorecon -r -vv /root/.ssh

[root@localhost ~]# restorecon -r -vv .ssh
restorecon reset /root/.ssh context unconfined_u:object_r:admin_home_t:s0->unconfined_u:object_r:ssh_home_t:s0
restorecon reset /root/.ssh/id_rsa context unconfined_u:object_r:admin_home_t:s0->unconfined_u:object_r:ssh_home_t:s0
restorecon reset /root/.ssh/known_hosts context unconfined_u:object_r:admin_home_t:s0->unconfined_u:object_r:ssh_home_t:s0
restorecon reset /root/.ssh/authorized_keys context unconfined_u:object_r:admin_home_t:s0->unconfined_u:object_r:ssh_home_t:s0
restorecon reset /root/.ssh/id_rsa.pub context unconfined_u:object_r:admin_home_t:s0->unconfined_u:object_r:ssh_home_t:s0

Use this command to view the label of a directory or file:

[root@localhost ~]# ls -laZ
drwx------. root root unconfined_u:object_r:ssh_home_t:s0 .ssh
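The behaviour in the question is exactly what a confined daemon looks like from the outside: an sshd launched by the init script runs in the SELinux sshd_t domain, which the targeted policy only allows to read key material labelled ssh_home_t, while a copy started from root's interactive shell inherits the unconfined domain and reads admin_home_t files without complaint. The following is an added example, not part of the answer above, that parses `ls -laZ` output in the CentOS 6 format shown above and lists every entry under ~/.ssh whose type is not ssh_home_t; the listing embedded in it is constructed, not real output from the poster's machine, and the function names are my own.

```sh
#!/bin/sh
# Added example (not from the original post): find entries in a ~/.ssh tree
# whose SELinux type is not ssh_home_t. sshd started by the init script runs
# confined as sshd_t and cannot read authorized_keys labelled admin_home_t
# or user_home_t; an sshd started from a root shell is unconfined and can,
# which is why only the service-started daemon fell back to password auth.

# Constructed sample in the format of `ls -laZ ~/.ssh` on CentOS 6
# (mode, user, group, context, name). The directory is labelled correctly;
# authorized_keys and id_rsa.pub still carry admin_home_t.
SAMPLE_LS_Z='drwx------. root root unconfined_u:object_r:ssh_home_t:s0 .
dr-xr-x---. root root system_u:object_r:admin_home_t:s0 ..
-rw-------. root root unconfined_u:object_r:admin_home_t:s0 authorized_keys
-rw-------. root root unconfined_u:object_r:ssh_home_t:s0 id_rsa
-rw-r--r--. root root unconfined_u:object_r:admin_home_t:s0 id_rsa.pub
-rw-r--r--. root root unconfined_u:object_r:ssh_home_t:s0 known_hosts'

# selinux_type CONTEXT -> the type field, e.g. ssh_home_t
# (a context is user:role:type:level, so the type is the third field).
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# find_mislabelled: reads ls -laZ lines on stdin and prints the name of
# every entry whose type is not ssh_home_t. The parent entry '..' belongs
# to the home directory and is expected to have a different label, so it
# is skipped; lines without five fields (e.g. a "total" line) are ignored.
find_mislabelled() {
    while read -r mode user group ctx name; do
        [ -z "$name" ] && continue
        [ "$name" = ".." ] && continue
        if [ "$(selinux_type "$ctx")" != "ssh_home_t" ]; then
            printf '%s\n' "$name"
        fi
    done
}

# count_mislabelled_sample: number of bad entries in the constructed sample.
count_mislabelled_sample() {
    printf '%s\n' "$SAMPLE_LS_Z" | find_mislabelled | wc -l | tr -d ' '
}

# check_ssh_dir DIR: live check on a real host. Prints mislabelled names and
# returns 1 if there are any, 0 if the tree is clean.
check_ssh_dir() {
    bad=$(ls -laZ "$1" | find_mislabelled)
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad"
    return 1
}

# Stand-alone run: check the directory given as $1, else report on the sample.
if [ -n "$1" ]; then
    check_ssh_dir "$1" || echo "fix with: restorecon -R -v $1"
else
    printf '%s\n' "$SAMPLE_LS_Z" | find_mislabelled
fi
```

Run as `sh check_ssh_labels.sh /root/.ssh` on the affected host; any name it prints is a file the confined sshd will refuse to read, and `restorecon -R -v /root/.ssh` (the same repair the answer uses, with the long recursive flag) resets them to the policy's default label. A denial of this kind also shows up as an AVC message in /var/log/audit/audit.log, which is the quicker place to look when sshd works interactively but not as a service.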


=========================================================

On the remote server I tried two different ways of starting the OpenSSH server:

1. service sshd restart (the client still has to enter a password)

2. /usr/sbin/sshd -p 22 (the client can log in without a password)


So I figured the difference must lie in how these two methods launch the process. We all know that service sshd restart is equivalent to running /etc/init.d/sshd restart, so I compared /etc/init.d/sshd on a working machine with the one on the faulty machine and found that their start functions did indeed differ. After copying the start function from the working machine over and restarting the server with service sshd restart, the client could log in without a password too!

Below is the complete /etc/init.d/sshd from the working machine, for reference:

#!/bin/bash
#
# sshd		Start up the OpenSSH server daemon
#
# chkconfig: 2345 55 25
# description: SSH is a protocol for secure remote shell access. \
#              This service starts up the OpenSSH server daemon.
#
# processname: sshd
# config: /etc/ssh/ssh_host_key
# config: /etc/ssh/ssh_host_key.pub
# config: /etc/ssh/ssh_random_seed
# config: /etc/ssh/sshd_config
# pidfile: /var/run/sshd.pid

### BEGIN INIT INFO
# Provides: sshd
# Required-Start: $local_fs $network $syslog
# Required-Stop: $local_fs $syslog
# Should-Start: $syslog
# Should-Stop: $network $syslog
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: Start up the OpenSSH server daemon
# Description:       SSH is a protocol for secure remote shell access.
#                    This service starts up the OpenSSH server daemon.
### END INIT INFO

# source function library
. /etc/rc.d/init.d/functions

# pull in sysconfig settings
[ -f /etc/sysconfig/sshd ] && . /etc/sysconfig/sshd

RETVAL=0
prog="sshd"
lockfile=/var/lock/subsys/$prog

# Some functions to make the below more readable
KEYGEN=/usr/bin/ssh-keygen
SSHD=/usr/sbin/sshd
RSA1_KEY=/etc/ssh/ssh_host_key
RSA_KEY=/etc/ssh/ssh_host_rsa_key
DSA_KEY=/etc/ssh/ssh_host_dsa_key
PID_FILE=/var/run/sshd.pid

runlevel=$(set -- $(runlevel); eval "echo \$$#" )

fips_enabled() {
	if [ -r /proc/sys/crypto/fips_enabled ]; then
		cat /proc/sys/crypto/fips_enabled
	else
		echo 0
	fi
}

do_rsa1_keygen() {
	if [ ! -s $RSA1_KEY -a `fips_enabled` -eq 0 ]; then
		echo -n $"Generating SSH1 RSA host key: "
		rm -f $RSA1_KEY
		if test ! -f $RSA1_KEY && $KEYGEN -q -t rsa1 -f $RSA1_KEY -C '' -N '' >&/dev/null; then
			chmod 600 $RSA1_KEY
			chmod 644 $RSA1_KEY.pub
			if [ -x /sbin/restorecon ]; then
			    /sbin/restorecon $RSA1_KEY.pub
			fi
			success $"RSA1 key generation"
			echo
		else
			failure $"RSA1 key generation"
			echo
			exit 1
		fi
	fi
}

do_rsa_keygen() {
	if [ ! -s $RSA_KEY ]; then
		echo -n $"Generating SSH2 RSA host key: "
		rm -f $RSA_KEY
		if test ! -f $RSA_KEY && $KEYGEN -q -t rsa -f $RSA_KEY -C '' -N '' >&/dev/null; then
			chmod 600 $RSA_KEY
			chmod 644 $RSA_KEY.pub
			if [ -x /sbin/restorecon ]; then
			    /sbin/restorecon $RSA_KEY.pub
			fi
			success $"RSA key generation"
			echo
		else
			failure $"RSA key generation"
			echo
			exit 1
		fi
	fi
}

do_dsa_keygen() {
	if [ ! -s $DSA_KEY ]; then
		echo -n $"Generating SSH2 DSA host key: "
		rm -f $DSA_KEY
		if test ! -f $DSA_KEY && $KEYGEN -q -t dsa -f $DSA_KEY -C '' -N '' >&/dev/null; then
			chmod 600 $DSA_KEY
			chmod 644 $DSA_KEY.pub
			if [ -x /sbin/restorecon ]; then
			    /sbin/restorecon $DSA_KEY.pub
			fi
			success $"DSA key generation"
			echo
		else
			failure $"DSA key generation"
			echo
			exit 1
		fi
	fi
}

do_restart_sanity_check()
{
	$SSHD -t
	RETVAL=$?
	if [ $RETVAL -ne 0 ]; then
		failure $"Configuration file or keys are invalid"
		echo
	fi
}

start()
{
	[ -x $SSHD ] || exit 5
	[ -f /etc/ssh/sshd_config ] || exit 6
	# Create keys if necessary
	if [ "x${AUTOCREATE_SERVER_KEYS}" != xNO ]; then
		do_rsa1_keygen
		do_rsa_keygen
		do_dsa_keygen
	fi

	echo -n $"Starting $prog: "
	$SSHD $OPTIONS && success || failure
	RETVAL=$?
	[ $RETVAL -eq 0 ] && touch $lockfile
	echo
	return $RETVAL
}

stop()
{
	echo -n $"Stopping $prog: "
	if [ -n "`pidfileofproc $SSHD`" ] ; then
	    killproc $SSHD
	else
	    failure $"Stopping $prog"
	fi
	RETVAL=$?
	# if we are in halt or reboot runlevel kill all running sessions
	# so the TCP connections are closed cleanly
	if [ "x$runlevel" = x0 -o "x$runlevel" = x6 ] ; then
	    trap '' TERM
	    killall $prog 2>/dev/null
	    trap TERM
	fi
	[ $RETVAL -eq 0 ] && rm -f $lockfile
	echo
}

reload()
{
	echo -n $"Reloading $prog: "
	if [ -n "`pidfileofproc $SSHD`" ] ; then
	    killproc $SSHD -HUP
	else
	    failure $"Reloading $prog"
	fi
	RETVAL=$?
	echo
}

restart() {
	stop
	start
}

force_reload() {
	restart
}

rh_status() {
	status -p $PID_FILE openssh-daemon
}

rh_status_q() {
	rh_status >/dev/null 2>&1
}

case "$1" in
	start)
		rh_status_q && exit 0
		start
		;;
	stop)
		if ! rh_status_q; then
			rm -f $lockfile
			exit 0
		fi
		stop
		;;
	restart)
		restart
		;;
	reload)
		rh_status_q || exit 7
		reload
		;;
	force-reload)
		force_reload
		;;
	condrestart|try-restart)
		rh_status_q || exit 0
		if [ -f $lockfile ] ; then
			do_restart_sanity_check
			if [ $RETVAL -eq 0 ] ; then
				stop
				# avoid race
				sleep 3
				start
			else
				RETVAL=6
			fi
		fi
		;;
	status)
		rh_status
		RETVAL=$?
		if [ $RETVAL -eq 3 -a -f $lockfile ] ; then
			RETVAL=2
		fi
		;;
	*)
		echo $"Usage: $0 {start|stop|restart|reload|force-reload|condrestart|try-restart|status}"
		RETVAL=2
esac
exit $RETVAL

