为什么SSH公开密钥身份验证在一个帐户上失败，而在另一个服务器上工作

Question

我对SSH公钥有个奇怪的问题。在服务器上有一个帐户，我已经将我的公钥上传到.ssh/authorized_keys，它可以正常工作(我可以在没有密码的情况下登录)。然后在同一个服务器上有一个帐户，我在那里做了相同的操作(已经有几次了)，但是它仍然要求我输入一个密码来登录。

与这些帐户匹配的设置如下：

1. 目录权限是正确的，.ssh目录的所有者和组是用户。权限设置为0700
2. 已将用户和组设置为正确的用户，权限为0600
3. 我试过比较那些文件，它们完全一样。并尝试了几次scp ~/.ssh/id_rsa.pub user@server.com:.ssh/authorized_keys。

如果我试图将-v添加到ssh连接中，就会得到以下信息：

OpenSSH_4.7p1, OpenSSL 0.9.8g 19 Oct 2007  
debug1: Reading configuration data /Users/pacis/.ssh/config  
debug1: Reading configuration data /opt/local/etc/ssh/ssh_config  
debug1: Connecting to xxx.xxx.xxx.xxx [xxx.xxx.xxx.xxx] port 22.  
debug1: Connection established.  
debug1: identity file /Users/pacis/.ssh/identity type -1  
debug1: identity file /Users/pacis/.ssh/id_rsa type 1  
debug1: identity file /Users/pacis/.ssh/id_dsa type -1  
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.1p1 Debian-5  
debug1: match: OpenSSH_5.1p1 Debian-5 pat OpenSSH*  
debug1: Enabling compatibility mode for protocol 2.0  
debug1: Local version string SSH-2.0-OpenSSH_4.7  
debug1: SSH2_MSG_KEXINIT sent  
debug1: SSH2_MSG_KEXINIT received  
debug1: kex: server->client aes128-cbc hmac-md5 none  
debug1: kex: client->server aes128-cbc hmac-md5 none  
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent  
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP  
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent  
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY  
debug1: Host 'xxx.xxx.xxx.xxx' is known and matches the RSA host key.  
debug1: Found key in /Users/pacis/.ssh/known_hosts:40  
debug1: ssh_rsa_verify: signature correct  
debug1: SSH2_MSG_NEWKEYS sent  
debug1: expecting SSH2_MSG_NEWKEYS  
debug1: SSH2_MSG_NEWKEYS received  
debug1: SSH2_MSG_SERVICE_REQUEST sent  
debug1: SSH2_MSG_SERVICE_ACCEPT received  
debug1: Authentications that can continue: publickey,password  
debug1: Next authentication method: publickey  
debug1: Offering public key: /Users/pacis/.ssh/id_rsa  
debug1: Authentications that can continue: publickey,password  
debug1: Trying private key: /Users/pacis/.ssh/identity  
debug1: Trying private key: /Users/pacis/.ssh/id_dsa  
debug1: Next authentication method: password

下面是和预期一样的效果：

OpenSSH_4.7p1, OpenSSL 0.9.8g 19 Oct 2007  
debug1: Reading configuration data /Users/pacis/.ssh/config  
debug1: Reading configuration data /opt/local/etc/ssh/ssh_config  
debug1: Connecting to xxx.xxx.xxx.xxx [xxx.xxx.xxx.xxx] port 22.  
debug1: Connection established.  
debug1: identity file /Users/pacis/.ssh/identity type -1  
debug1: identity file /Users/pacis/.ssh/id_rsa type 1  
debug1: identity file /Users/pacis/.ssh/id_dsa type -1  
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.1p1 Debian-5  
debug1: match: OpenSSH_5.1p1 Debian-5 pat OpenSSH*  
debug1: Enabling compatibility mode for protocol 2.0  
debug1: Local version string SSH-2.0-OpenSSH_4.7  
debug1: SSH2_MSG_KEXINIT sent  
debug1: SSH2_MSG_KEXINIT received  
debug1: kex: server->client aes128-cbc hmac-md5 none  
debug1: kex: client->server aes128-cbc hmac-md5 none  
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent  
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP  
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent  
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY  
debug1: Host 'xxx.xxx.xxx.xxx' is known and matches the RSA host key.  
debug1: Found key in /Users/pacis/.ssh/known_hosts:40  
debug1: ssh_rsa_verify: signature correct  
debug1: SSH2_MSG_NEWKEYS sent  
debug1: expecting SSH2_MSG_NEWKEYS  
debug1: SSH2_MSG_NEWKEYS received  
debug1: SSH2_MSG_SERVICE_REQUEST sent  
debug1: SSH2_MSG_SERVICE_ACCEPT received  
debug1: Authentications that can continue: publickey,password  
debug1: Next authentication method: publickey  
debug1: Offering public key: /Users/pacis/.ssh/id_rsa  
debug1: Server accepts key: pkalg ssh-rsa blen 277  
debug1: Authentication succeeded (publickey).  
debug1: channel 0: new [client-session]  
debug1: Entering interactive session

这里是/etc/ssh/sshd_config：

Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes

# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 768

# Logging
SyslogFacility AUTH
LogLevel INFO

# Authentication:
LoginGraceTime 120
PermitRootLogin yes
StrictModes yes

RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile %h/.ssh/authorized_keys

# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes

# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no

# Change to no to disable tunnelled clear text passwords
#PasswordAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no

#MaxStartups 10:30:60
#Banner /etc/issue.net

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

Subsystem sftp /usr/lib/openssh/sftp-server

UsePAM yes

我能想到的最后一个信息是相对的，它是ls -la的两个帐户，主脏和.ssh脏。

工作一：

total 40
drwxr-x--- 5 user1 www-data 4096 2009-10-29 22:11 .
drwxr-x--x 6 root  www-data 4096 2009-10-27 23:09 ..
....
drwx------ 2 user1 user1    4096 2009-10-23 07:20 .ssh

total 12
drwx------ 2 user1 user1   4096 2009-10-23 07:20 .
drwxr-x--- 5 user1 www-data 4096 2009-10-29 22:11 ..
-rw------- 1 user1 user1    413 2009-10-23 07:20 authorized_keys

不工作的：

total 68
drwxrwxr--  6 user2 www-data    4096 2009-11-07 12:13 .
drwxr-x--x  5 root  root            4096 2009-10-09 14:29 ..
....
drwx------  2 user2 user2       4096 2009-11-07 15:52 .ssh

total 12
drwx------ 2 user2 user2 4096 2009-11-08 20:32 .
drwxrwxr-- 6 user2 www-data     4096 2009-11-07 12:13 ..
-rw------- 1 user2 user2  412 2009-11-07 09:55 authorized_keys

我完全不知道为什么它不起作用，我已经检查和重复了所有东西好几次了。我遗漏了什么？

谢谢您抽时间见我。

Answer 1

检查要登录的服务器上的文件夹.ssh的权限。运行chmod -R 600 .ssh。当涉及到损坏的权限和公钥时，Ssh很挑剔。

Answer 2

您已经检查了所有常见的候选密钥身份验证失败；接下来我要做的是在服务器上提高日志记录级别，并检查/var/log/auth.log，看看它对这两个登录的报告有何不同。

另一件值得澄清的事情--在它要求密码的帐户上，如果你输入密码，它能工作并允许你登录吗？如果PAM限制拒绝为特定帐户登录(并且您已经将SSH配置为使用PAM)，则可以获得这种结果，因为对于密码auth，只有在输入密码之后才会检查其他PAM限制。

Answer 3

您的"authorized_keys“文件可以有不同的名称。看一看：

cat /etc/ssh/sshd_config | grep AuthorizedKeys
#AuthorizedKeysFile     %h/.ssh/authorized_keys

如果没有覆盖，请检查该文件及其目录的权限:它必须对您要登录的用户具有可读性。