ssh免密码登陆的一些注意点

#环境

• os: OpenSUSE Tumbleweed
• pc: Apple macbook 13’ pro 2015

#描述
Linux 系统用户免密码使用key登陆有时还会提示要输入密码。

#修复
生成key

[root@localhost jenkins]# su - jenkins
-bash-4.2$ ssh-key
ssh-keygen   ssh-keyscan  
-bash-4.2$ ssh-keygen 
Generating public/private rsa key pair.
Enter file in which to save the key (/var/lib/jenkins/.ssh/id_rsa): 
Created directory '/var/lib/jenkins/.ssh'.
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /var/lib/jenkins/.ssh/id_rsa.
Your public key has been saved in /var/lib/jenkins/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:KklV05QIfjCcFfvP7g8id+wfV+DthbY5ojXsLo5hiOM jenkins@localhost.localdomain
The key's randomart image is:
+---[RSA 2048]----+
|     .++==..     |
|     .o+.oo      |
|      o o     .  |
|     . . .   . + |
|    .   S .   + +|
|   . o o   = . +o|
|    = o + o @ = o|
|   . o . =.O + + |
|    E   ..o+*oo  |
+----[SHA256]-----+

将生成的pubkey文件内容添加到目标主机用户的authorized_keys文件中，可以选择复制或使用下面的方式

-bash-4.2$ ssh-copy-id -i ~/.ssh/id_rsa.pub git@10.10.105.118
/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/var/lib/jenkins/.ssh/id_rsa.pub"
The authenticity of host '10.10.105.118 (10.10.105.118)' can't be established.
ECDSA key fingerprint is SHA256:hKMm0UBSHnJSMJoIW904lN2qhsasOMk8QheyIvYMqzE.
ECDSA key fingerprint is MD5:5b:7c:a0:be:50:a8:b3:91:03:2b:e4:2d:de:f5:7b:10.
Are you sure you want to continue connecting (yes/no)? yes
/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
git@10.10.105.118's password: 

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'git@10.10.105.118'"
and check to make sure that only the key(s) you wanted were added.

确认已经存在目标主机的authorized_keys文件中后执行登陆操作

-bash-4.2$ ssh -v -l git 10.10.105.118 
OpenSSH_7.4p1, OpenSSL 1.0.2k-fips  26 Jan 2017
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 58: Applying options for *
debug1: Connecting to 10.10.105.118 [10.10.105.118] port 22.
debug1: Connection established.
debug1: identity file /var/lib/jenkins/.ssh/id_rsa type 1
debug1: key_load_public: No such file or directory
debug1: identity file /var/lib/jenkins/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /var/lib/jenkins/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /var/lib/jenkins/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /var/lib/jenkins/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /var/lib/jenkins/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /var/lib/jenkins/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /var/lib/jenkins/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.4
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.4
debug1: match: OpenSSH_7.4 pat OpenSSH* compat 0x04000000
debug1: Authenticating to 10.10.105.118:22 as 'git'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: curve25519-sha256 need=64 dh_need=64
debug1: kex: curve25519-sha256 need=64 dh_need=64
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:hKMm0UBSHnJSMJoIW904lN2qhsasOMk8QheyIvYMqzE
debug1: Host '10.10.105.118' is known and matches the ECDSA host key.
debug1: Found key in /var/lib/jenkins/.ssh/known_hosts:1
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<rsa-sha2-256,rsa-sha2-512>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure.  Minor code may provide more information
No Kerberos credentials available (default cache: KEYRING:persistent:997)

debug1: Unspecified GSS failure.  Minor code may provide more information
No Kerberos credentials available (default cache: KEYRING:persistent:997)

debug1: Next authentication method: publickey
debug1: Offering RSA public key: /var/lib/jenkins/.ssh/id_rsa
debug1: Server accepts key: pkalg rsa-sha2-512 blen 279
debug1: Authentication succeeded (publickey).
Authenticated to 10.10.105.118 ([10.10.105.118]:22).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: pledge: network
debug1: client_input_global_request: rtype hostkeys-00@openssh.com want_reply 0
debug1: Sending environment.
debug1: Sending env LANG = en_US.UTF-8
Last login: Fri Aug  3 02:08:43 2018 from 10.10.105.118

如果多次登陆还是需要密码，确认以下文件的权限是否正确:

• .ssh目录的权限0600
• 目标主机的authorized_keys文件权限为0600.

-bash-4.2$ ls -ld .ssh/
drwx------. 2 jenkins jenkins 57 Aug  3 02:27 .ssh/
-bash-4.2$ ls -l .ssh/
total 12
-rw-------. 1 jenkins jenkins 1679 Aug  3 02:21 id_rsa
-rw-r--r--. 1 jenkins jenkins  411 Aug  3 02:21 id_rsa.pub
-rw-r--r--. 1 jenkins jenkins  175 Aug  3 02:27 known_hosts