ssh从不要求密码

Question

不知怎么的，我的SSH从来不想问我密码。

所以我在世界上某个随机服务器上设置了一个VPS，我想用ssh连接到它。

我可以设置一个密钥，但是当我这样做时：

ssh -l some-user IP

我知道错误：

Received disconnect from ##.##.##.##: 2: Too many authentication failures for some-user

当我查看细节时，我可以看到密码是以下选项之一：

debug1: Offering RSA public key: some-user@computer
debug1: Authentications that can continue: publickey,password

但是SSH从来没有问过我密码。它尝试了5次与我怀疑的是公开密钥方法，然后失败。为什么ssh不尝试使用密码？！

以防万一，我的ssh_config文件有：

PasswordAuthentication yes

全原木

ssh -v -l root ##.##.##.##
OpenSSH_6.1p1 Debian-4, OpenSSL 1.0.1c 10 May 2012
debug1: Reading configuration data /home/someuser/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to ##.##.##.## [##.##.##.##] port 22.
debug1: Connection established.
debug1: identity file /home/someuser/.ssh/id_rsa type 1
debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-2048
debug1: Checking blacklist file /etc/ssh/blacklist.RSA-2048
debug1: identity file /home/someuser/.ssh/id_rsa-cert type -1
debug1: identity file /home/someuser/.ssh/id_dsa type -1
debug1: identity file /home/someuser/.ssh/id_dsa-cert type -1
debug1: identity file /home/someuser/.ssh/id_ecdsa type -1
debug1: identity file /home/someuser/.ssh/id_ecdsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.2p2 Ubuntu-6
debug1: match: OpenSSH_6.2p2 Ubuntu-6 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.1p1 Debian-4
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ECDSA XX:XX:...:XX:XX
debug1: Host '##.##.##.##' is known and matches the ECDSA host key.
debug1: Found key in /home/someuser/.ssh/known_hosts:38
debug1: ssh_ecdsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/someuser/.ssh/id_rsa
debug1: Authentications that can continue: publickey,password
debug1: Offering RSA public key: someuser@computer
debug1: Authentications that can continue: publickey,password
debug1: Offering RSA public key: someuser@computer
debug1: Authentications that can continue: publickey,password
debug1: Offering DSA public key: someuser@computer
debug1: Authentications that can continue: publickey,password
debug1: Offering RSA public key: someuser@computer
debug1: Authentications that can continue: publickey,password
debug1: Offering RSA public key: someuser@computer
Received disconnect from ##.##.##.##: 2: Too many authentication failures for root

Answer 1

很可能在您的identityfile文件中有多个.ssh/config行。

即使在identityfile配置下有host，它也是全局应用的。这意味着ssh在向服务器请求密码提示之前，会在每个主机上尝试每个标识文件(即公钥)。

你可以通过

1. 删除除一条identityfile行以外的所有行，或
2. 将PubkeyAuthentication no添加到.ssh/config，或
3. 使用-o PubkeyAuthentication=no参数执行ssh。

来自man 5 ssh_config：

PubkeyAuthentication
    Specifies whether to try public key authentication.  The argument to this
    keyword must be “yes” or “no”.  The default is “yes”.  This option applies 
    to protocol version 2 only.

IdentityFile
    ...
    It is possible to have multiple identity files specified in configuration
    files; all these identities will be tried in sequence.  Multiple 
    IdentityFile directives will add to the list of identities tried (this 
    behaviour differs from that of other configuration directives).

一些带有公钥的一般说明：

1. 通常，每个客户端(工作站)应该只有一个私钥，并将匹配的公钥放在客户端应该访问的所有服务器上。换句话说，在服务器之间共享公钥，并且永远不要在多个设备上使用相同的私钥。
2. 始终在设备上生成密钥，并且只发送公钥。这样，即使服务器被破坏，您的私钥仍然是安全的。这可能会以令人惊讶的方式发生--例如，通过备份。
3. 如果其他人管理服务器，您应该为他们提供一个公钥；他们不应该生成密钥并向您发送私钥。这样，他们就不能用你的钥匙冒充你(当然，通常他们可以做他们想做的任何事情)。此外，对于公钥，只有完整性(即某人没有更改公钥)才必须受到保护；使用私钥，机密性(即没有其他人获得该密钥)必须得到保护，而且不可能绝对确定它不被破坏。
4. 危及服务器不会损害其他服务器，即使您使用相同的私钥连接多个服务器(除非您将该私钥传输到服务器)。不要这样做。)
5. 无论如何，危及您的工作站将暴露您的私钥。拥有多个私钥无助于此(除非您有不同的强密码，而且并非所有这些都可供攻击者使用)。

这方面有一些例外，但不多。

Answer 2

尝试在禁用公钥身份验证的情况下登录，使用

ssh -o PubkeyAuthentication=no root@newserver

Answer 3

本地ssh不应该问您密码，另一端的ssh服务器应该这样做。服务器很可能设置为不接受密码身份验证。我的也不会问你密码。