Notes on passwordless SSH login

#Environment

  • os: OpenSUSE Tumbleweed
  • pc: Apple macbook 13’ pro 2015

#Description
On Linux, a user set up for passwordless key-based login is sometimes still prompted for a password.

#Fix
Generate the key

[root@localhost jenkins]# su - jenkins
-bash-4.2$ ssh-key
ssh-keygen ssh-keyscan
-bash-4.2$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/var/lib/jenkins/.ssh/id_rsa):
Created directory '/var/lib/jenkins/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /var/lib/jenkins/.ssh/id_rsa.
Your public key has been saved in /var/lib/jenkins/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:KklV05QIfjCcFfvP7g8id+wfV+DthbY5ojXsLo5hiOM jenkins@localhost.localdomain
The key's randomart image is:
+---[RSA 2048]----+
| .++==.. |
| .o+.oo |
| o o . |
| . . . . + |
| . S . + +|
| . o o = . +o|
| = o + o @ = o|
| . o . =.O + + |
| E ..o+*oo |
+----[SHA256]-----+

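Append the contents of the generated public key file to the authorized_keys file of the user on the target host. You can copy it by hand or use the method below.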

-bash-4.2$ ssh-copy-id -i ~/.ssh/id_rsa.pub git@10.10.105.118
/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/var/lib/jenkins/.ssh/id_rsa.pub"
The authenticity of host '10.10.105.118 (10.10.105.118)' can't be established.
ECDSA key fingerprint is SHA256:hKMm0UBSHnJSMJoIW904lN2qhsasOMk8QheyIvYMqzE.
ECDSA key fingerprint is MD5:5b:7c:a0:be:50:a8:b3:91:03:2b:e4:2d:de:f5:7b:10.
Are you sure you want to continue connecting (yes/no)? yes
/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
git@10.10.105.118's password:

Number of key(s) added: 1

Now try logging into the machine, with: "ssh 'git@10.10.105.118'"
and check to make sure that only the key(s) you wanted were added.

Once you have confirmed that the key is present in the target host's authorized_keys file, log in.

-bash-4.2$ ssh -v -l git 10.10.105.118 
OpenSSH_7.4p1, OpenSSL 1.0.2k-fips 26 Jan 2017
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 58: Applying options for *
debug1: Connecting to 10.10.105.118 [10.10.105.118] port 22.
debug1: Connection established.
debug1: identity file /var/lib/jenkins/.ssh/id_rsa type 1
debug1: key_load_public: No such file or directory
debug1: identity file /var/lib/jenkins/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /var/lib/jenkins/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /var/lib/jenkins/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /var/lib/jenkins/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /var/lib/jenkins/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /var/lib/jenkins/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /var/lib/jenkins/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.4
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.4
debug1: match: OpenSSH_7.4 pat OpenSSH* compat 0x04000000
debug1: Authenticating to 10.10.105.118:22 as 'git'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: curve25519-sha256 need=64 dh_need=64
debug1: kex: curve25519-sha256 need=64 dh_need=64
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:hKMm0UBSHnJSMJoIW904lN2qhsasOMk8QheyIvYMqzE
debug1: Host '10.10.105.118' is known and matches the ECDSA host key.
debug1: Found key in /var/lib/jenkins/.ssh/known_hosts:1
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<rsa-sha2-256,rsa-sha2-512>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure. Minor code may provide more information
No Kerberos credentials available (default cache: KEYRING:persistent:997)

debug1: Unspecified GSS failure. Minor code may provide more information
No Kerberos credentials available (default cache: KEYRING:persistent:997)

debug1: Next authentication method: publickey
debug1: Offering RSA public key: /var/lib/jenkins/.ssh/id_rsa
debug1: Server accepts key: pkalg rsa-sha2-512 blen 279
debug1: Authentication succeeded (publickey).
Authenticated to 10.10.105.118 ([10.10.105.118]:22).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: pledge: network
debug1: client_input_global_request: rtype hostkeys-00@openssh.com want_reply 0
debug1: Sending environment.
debug1: Sending env LANG = en_US.UTF-8
Last login: Fri Aug 3 02:08:43 2018 from 10.10.105.118

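If repeated logins still prompt for a password, check that the permissions on the following are correct:

  • The .ssh directory has permissions 0600
  • The authorized_keys file on the target host has permissions 0600.
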
-bash-4.2$ ls -ld .ssh/
drwx------. 2 jenkins jenkins 57 Aug 3 02:27 .ssh/
-bash-4.2$ ls -l .ssh/
total 12
-rw-------. 1 jenkins jenkins 1679 Aug 3 02:21 id_rsa
-rw-r--r--. 1 jenkins jenkins 411 Aug 3 02:21 id_rsa.pub
-rw-r--r--. 1 jenkins jenkins 175 Aug 3 02:27 known_hosts
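
The permission check above can be scripted and run on the target host. This is an added example, not part of the original post: it applies the test that sshd's default `StrictModes yes` makes on the home directory, `.ssh` and `authorized_keys` (owned by the user or root, not group- or world-writable). The function names `check_path` and `check_ssh_perms` are hypothetical.

```shell
#!/bin/sh
# Added example: audit the paths sshd's StrictModes inspects before it
# trusts authorized_keys. After sourcing: check_ssh_perms HOME_DIR [OWNER_UID]

# Print a finding if $1 is missing, group/world-writable, or not owned
# by uid $2 or root (uid 0).
check_path() {
    path=$1; owner=$2
    if [ ! -e "$path" ]; then
        echo "MISSING  $path"; return 1
    fi
    # find -prune tests only the path itself; -perm -020 / -002 match
    # when the group-write / other-write bit is set.
    if [ -n "$(find "$path" -prune \( -perm -020 -o -perm -002 \))" ]; then
        echo "WRITABLE $path (group/other can write: chmod go-w)"; return 1
    fi
    if [ -z "$(find "$path" -prune \( -user "$owner" -o -user 0 \))" ]; then
        echo "OWNER    $path (not owned by uid $owner or root)"; return 1
    fi
    echo "OK       $path"
}

# Check HOME_DIR, HOME_DIR/.ssh and HOME_DIR/.ssh/authorized_keys.
# Returns 0 only if every path passes.
check_ssh_perms() {
    home=$1; owner=${2:-$(id -u)}; rc=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        check_path "$p" "$owner" || rc=1
    done
    # A directory also needs the owner's search (x) bit, as in the
    # drwx------ (0700) listing above; without it the files inside
    # cannot be opened.
    if [ -d "$home/.ssh" ] && [ -z "$(find "$home/.ssh" -prune -perm -100)" ]; then
        echo "NOEXEC   $home/.ssh (owner lacks x: chmod 700)"; rc=1
    fi
    return $rc
}
```

If a path is reported, sshd logs the refusal on the server side (for example "bad ownership or modes"), while the client only sees the fallback to the password prompt.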