To log in conveniently from one Linux server to another, we usually upload the source server's SSH public key (an RSA public key, for example) to the target server, so that logging in over ssh from the source server no longer prompts for a password. This is what is commonly called passwordless (key-based) SSH login; for how to set it up, see the ssh免密登录 post.
But sometimes, after uploading the public key, we find that the login still asks for a password, like this:
[root@tony ~]# ssh root@192.168.1.250
############################## WARNING!!! #################################
################## READ THIS BEFORE ATTEMPTING TO LOGON ###################
# #
# This System is for the use of authorized users only. Individuals #
# using this computer without authority, or in excess of their #
# authority, are subject to having all of their activities on this #
# system monitored and recorded by system personnel. In the course #
# of monitoring individuals improperly using this system, or in the #
# course of system maintenance, the activities of authorized users #
# may also be monitored. Anyone using this system expressly #
# consents to such monitoring and is advised that if such #
# monitoring reveals possible criminal activity, system personnel #
# may provide the evidence of such monitoring to law enforcement #
# officials. You cannot copy, disclose, display or otherwise #
# communicate the contents of this server except to other employees #
# who have been authorized to access this server. #
# #
######################### Confidential Information ########################
Password:
How should we troubleshoot this?
First, look at the target server's /var/log/secure and /var/log/messages. In my case the source server is 192.168.1.251 and the target server is 192.168.1.250; the log on .250 shows:
[root@localhost]# tail -n 100 /var/log/secure
...
Dec 29 14:10:40 localhost sshd[47908]: User root from 192.168.1.251 not allowed because listed in DenyUsers
Dec 29 14:10:40 localhost sshd[47908]: Postponed keyboard-interactive for invalid user root from 192.168.1.251 port 40584 ssh2 [preauth]
The key line is
Dec 29 14:10:40 localhost sshd[47908]: User root from 192.168.1.251 not allowed because listed in DenyUsers
It says that root is a user sshd has been told to refuse. The line right after it, "Postponed keyboard-interactive for invalid user root", is the consequence: once a user is denied, sshd treats the account as if it did not exist and still runs the password prompt, so that a remote party cannot tell a denied account from a nonexistent one. That is why the client sees "Password:" rather than an error, and why the public key was never consulted at all. Now check the target server's /etc/ssh/sshd_config:
[root@localhost]# cat /etc/ssh/sshd_config | grep Deny
DenyUsers root
DenyGroups root
Sure enough: for security reasons, some Linux images ship with an sshd configuration that denies certain users SSH login. If you really do need to log in as root, comment out those lines, for example (consider first whether an unprivileged user plus sudo, or at least key-only root access via PermitRootLogin prohibit-password, would serve; every account that can log in directly as root is a password-guessing target):
[root@localhost]# cat /etc/ssh/sshd_config | grep Deny
#DenyUsers root
#DenyGroups root
Then check the configuration for syntax errors and restart sshd (a typo in sshd_config would otherwise leave sshd unable to start after the restart, locking you out of the next connection):
sshd -t                  # prints the offending line and exits non-zero if the config is invalid
# for a CentOS 7 server
systemctl restart sshd
Retrying afterwards, the passwordless login works.
In practice many other restrictions produce the same symptom, and in almost every case /var/log/secure or /var/log/messages on the target states the reason, so I won't list every message here. Below are some of the /etc/ssh/sshd_config settings that can block an SSH login. The allow-list counterparts AllowUsers and AllowGroups (which refuse everyone not listed), PubkeyAuthentication no, and an AuthorizedKeysFile pointing somewhere other than where the key was installed have the same effect. Note that sshd_config only honours comments on their own line, so the annotations below are written that way rather than trailing the directive:
[root@localhost]# cat /etc/ssh/sshd_config
# whether root may log in over ssh at all; "no" refuses root regardless of key or password
PermitRootLogin no
# refuse ssh login for the listed users
DenyUsers root
# refuse ssh login for members of the listed groups
DenyGroups root
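As an added example (not code from the original post), here is a small POSIX shell script that does the two things described above on a host you cannot log in to yet: it classifies sshd refusal lines from /var/log/secure into the sshd_config directive behind them, and it lists the active (uncommented) restricting directives in a config file. The log lines and the config fragment are constructed for the demo; the message texts are the ones OpenSSH's sshd writes to syslog.

```shell
#!/bin/sh
# Added example (not from the original post): triage sshd refusals from
# /var/log/secure and map each to the sshd_config directive behind it.
# The log lines and config fragment below are CONSTRUCTED for this demo; the
# message texts match what OpenSSH's sshd writes to syslog.

SAMPLE_LOG='Dec 29 14:10:40 localhost sshd[47908]: User root from 192.168.1.251 not allowed because listed in DenyUsers
Dec 29 14:10:40 localhost sshd[47908]: Postponed keyboard-interactive for invalid user root from 192.168.1.251 port 40584 ssh2 [preauth]
Dec 29 14:12:01 localhost sshd[47950]: User deploy from 192.168.1.251 not allowed because not listed in AllowUsers
Dec 29 14:13:15 localhost sshd[47990]: User ops from 192.168.1.251 not allowed because a group is listed in DenyGroups
Dec 29 14:15:22 localhost sshd[48011]: ROOT LOGIN REFUSED FROM 192.168.1.251 port 40602
Dec 29 14:16:03 localhost sshd[48030]: Authentication refused: bad ownership or modes for directory /root
Dec 29 14:16:40 localhost sshd[48045]: Accepted publickey for root from 192.168.1.251 port 40610 ssh2'

SAMPLE_CONFIG='# constructed sshd_config fragment
PermitRootLogin no
#DenyUsers root
DenyGroups root
AllowUsers deploy ops
PubkeyAuthentication yes'

# explain_sshd_refusal LINE: print "directive<TAB>what to do" for a refusal
# line, nothing for any other line. All of these refusals happen before sshd
# looks at the public key, which is why the client just sees "Password:".
explain_sshd_refusal() {
    case "$1" in
        *"not allowed because listed in DenyUsers"*)
            printf "DenyUsers\tremove the user from DenyUsers\n" ;;
        *"not allowed because not listed in AllowUsers"*)
            printf "AllowUsers\tadd the user to AllowUsers (an allow-list refuses everyone else)\n" ;;
        *"not allowed because a group is listed in DenyGroups"*)
            printf "DenyGroups\tone of the user's groups is in DenyGroups\n" ;;
        *"not allowed because none of user's groups are listed in AllowGroups"*)
            printf "AllowGroups\tadd one of the user's groups to AllowGroups\n" ;;
        *"ROOT LOGIN REFUSED FROM"*)
            printf "PermitRootLogin\tset PermitRootLogin yes or prohibit-password\n" ;;
        *"Authentication refused: bad ownership or modes for"*)
            printf "StrictModes\tfix owner/mode of the home dir, ~/.ssh or authorized_keys\n" ;;
    esac
}

# triage_secure_log: read log text on stdin, print one explanation per refusal.
triage_secure_log() {
    while IFS= read -r line; do
        explain_sshd_refusal "$line"
    done
}

# list_login_restrictions FILE: print the active (uncommented) directives in a
# sshd_config that can refuse a login before key authentication is attempted.
list_login_restrictions() {
    grep -E '^[[:space:]]*(DenyUsers|DenyGroups|AllowUsers|AllowGroups|PermitRootLogin|PubkeyAuthentication|AuthorizedKeysFile|StrictModes)[[:space:]]' "$1"
}

# Stand-alone demo run over the constructed samples.
printf '%s\n' "$SAMPLE_LOG" | triage_secure_log
cfg=$(mktemp)
printf '%s\n' "$SAMPLE_CONFIG" > "$cfg"
list_login_restrictions "$cfg"
rm -f "$cfg"
```

On a real target, feed it the log with `tail -n 200 /var/log/secure | sh -c '. ./triage.sh; triage_secure_log'` or simply source the functions in a root shell. When Match blocks are in play, grepping the file is not enough: `sshd -T -C user=root,addr=192.168.1.251` prints the configuration sshd would actually apply to that user and client address, which is the value to compare against.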
Sometimes it is not sshd's configuration at all but directory permissions. A case I ran into earlier:
[root@tony ~]# tail -f -n 100 /var/log/secure
...
Authentication refused: bad ownership or modes for directory /root
...
The /root directory on the target server had mode 777, which is why root could not log in with the key. sshd's StrictModes setting (on by default) refuses to use authorized_keys when the home directory, ~/.ssh or the key file itself is writable by group or others, or is owned by someone other than the user or root:
[root@tony ~]# ls -lha
total 120K
drwxrwxrwx. 10 root root 4.0K Sep 24 05:05 .
Changing /root on the target server to 550 fixed it. Any mode without group or other write bits passes the check; 700 is the conventional choice for a home directory:
[root@tony ~]# ls -lha
total 120K
dr-xr-x---. 10 root root 4.0K Sep 24 05:05 .
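To run the same check sshd makes before you touch anything, here is an added example (not from the original post) that reproduces the StrictModes rule in POSIX shell and demonstrates it on a throwaway home directory built in a temp dir: first with the 777 mode from the page, then after the fix. It assumes a Linux/GNU userland, where columns 6 and 9 of `ls -l` are the group and other write bits.

```shell
#!/bin/sh
# Added example (not from the original post): reproduce the check behind
# "Authentication refused: bad ownership or modes for directory ..." so it can
# be run on a target host before touching sshd. With StrictModes yes (the
# default) sshd rejects authorized_keys when the home directory, ~/.ssh or the
# key file is owned by someone other than the user or root, or is writable by
# group or others. Assumes a Linux/GNU userland (ls -ld column layout).

# strictmodes_check HOME USER: print each offending path; return 0 if clean.
strictmodes_check() {
    home="$1"; user="$2"; rc=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        [ -e "$p" ] || continue
        owner=$(ls -ld "$p" | awk '{print $3}')
        # columns 6 and 9 of `ls -l` are the group and other write bits
        wbits=$(ls -ld "$p" | cut -c6,9)
        if [ "$owner" != "$user" ] && [ "$owner" != root ]; then
            echo "bad ownership: $p is owned by $owner, not $user"; rc=1
        fi
        case "$wbits" in
            *w*) echo "bad modes: $p is writable by group or others"; rc=1 ;;
        esac
    done
    return $rc
}

# strictmodes_demo: build a throwaway home directory with the 777 mode from
# the page (constructed, inside a temp dir), run the check, apply the fix and
# recheck. Prints "refused clean". 700 is the conventional mode; the page's
# 550 also passes, since the rule only forbids group/other write.
strictmodes_demo() {
    me=$(id -un)
    tmp=$(mktemp -d)
    mkdir -p "$tmp/home/.ssh"
    : > "$tmp/home/.ssh/authorized_keys"
    chmod 777 "$tmp/home"
    chmod 700 "$tmp/home/.ssh"
    chmod 600 "$tmp/home/.ssh/authorized_keys"
    if strictmodes_check "$tmp/home" "$me" >/dev/null; then before=clean; else before=refused; fi
    chmod 700 "$tmp/home"
    if strictmodes_check "$tmp/home" "$me" >/dev/null; then after=clean; else after=refused; fi
    rm -rf "$tmp"
    echo "$before $after"
}

strictmodes_demo
```

On the real target, `strictmodes_check /root root` (or `strictmodes_check /home/deploy deploy`) lists exactly what sshd will object to; if it prints nothing and the log still shows "bad ownership or modes", the remaining suspects are an AuthorizedKeysFile that points outside ~/.ssh, which this check does not walk.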