Case one: a permissions problem
Symptom: host A sets up a trust relationship (public-key login) with host B, but the key is never accepted.
Fix: check the ownership and permissions of .ssh/authorized_keys under B's user account. sshd runs with StrictModes yes by default and silently ignores the file if authorized_keys, the ~/.ssh directory, or the home directory is writable by group or others, or is owned by someone other than that user (or root). The usual modes are 700 for ~/.ssh and 600 for authorized_keys (644 also works); anything group- or world-writable is rejected. When this is the cause, sshd's log on B contains "Authentication refused: bad ownership or modes for directory ..." or "... for file ...".
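As an added example (my code, not from the original post and not part of OpenSSH), the following POSIX shell function performs the same ownership and mode checks that sshd's StrictModes applies before it trusts authorized_keys, so a user's home directory on B can be tested without a failed login and a trip through the sshd log. The names check_ssh_perms, mode_of and owner_of are invented for the illustration, and the directory layout it builds at the end is constructed for the demonstration.

```shell
#!/bin/sh
# Re-implements the ownership and mode checks sshd's StrictModes performs on
# the home directory, ~/.ssh and ~/.ssh/authorized_keys: each must be owned by
# the user (or root) and must not be writable by group or others.
# Prints every problem found; returns 0 when sshd would accept the key file.

# GNU stat takes -c; BSD/macOS stat takes -f, so fall back when -c fails.
mode_of()  { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }
owner_of() { stat -c '%U' "$1" 2>/dev/null || stat -f '%Su' "$1"; }

check_ssh_perms() {
    home=$1
    user=${2:-$(id -un)}      # account the key belongs to (defaults to caller)
    rc=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$p" ]; then
            echo "missing: $p"; rc=1; continue
        fi
        o=$(owner_of "$p")
        if [ "$o" != "$user" ] && [ "$o" != root ]; then
            echo "bad owner on $p: $o (expected $user)"; rc=1
        fi
        m=$(mode_of "$p")
        # leading 0 forces octal; 022 is group-write | other-write
        if [ $(( 0$m & 022 )) -ne 0 ]; then
            echo "group/other writable: $p (mode $m)"; rc=1
        fi
    done
    return $rc
}

# Demonstration on a constructed layout in a temporary directory (not a real
# account): a correct setup, then the common mistake of a group-writable file.
demo=$(mktemp -d)                                  # mktemp -d creates mode 700
mkdir -p "$demo/.ssh" && chmod 700 "$demo/.ssh"
: > "$demo/.ssh/authorized_keys" && chmod 600 "$demo/.ssh/authorized_keys"
check_ssh_perms "$demo" && echo "OK: sshd would read $demo/.ssh/authorized_keys"
chmod 664 "$demo/.ssh/authorized_keys"
check_ssh_perms "$demo" || echo "sshd would ignore the key file"
```

Run it as the account in question (or pass the user name as the second argument when checking as root); ownership matters as much as the mode bits, since a .ssh directory created by root with cp or scp is rejected even at 700.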
Case two: SSH trust relationships with a different private key file per host
After a trust relationship with 10.11.70.25 had been set up, every ssh login to 10.11.70.25 still prompted for a password:
linux:/etc/ssh/# ssh 10.11.70.25
Authorized users only. All activity may be monitored and reported.
Password:
I checked /etc/ssh/sshd_config on the server:
#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile .ssh/authorized_keys
All three were untouched; the commented-out lines show the default values, so public-key authentication was enabled on the server side.
(
Supplementary note:
The OpenSSH server configuration file is normally /etc/ssh/sshd_config. The two options related to public-key authentication are:
#RSAAuthentication yes
#PubkeyAuthentication yes
Both default to yes. RSAAuthentication only affects the obsolete SSH protocol 1 and was removed in OpenSSH 7.4; PubkeyAuthentication is the one that matters for protocol 2. To allow only public-key authentication and disable the other methods, change the following options:
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM no
ChallengeResponseAuthentication is called KbdInteractiveAuthentication in OpenSSH 8.7 and later (the old name is still accepted as an alias). Be careful with UsePAM no: it does more than disable PAM password checks, it also skips PAM account and session handling (account expiry, pam_access, pam_limits), and some distributions warn that it is unsupported; turning off PasswordAuthentication and keyboard-interactive authentication is usually enough. Note also that sshd keeps the first value it finds for each keyword and ignores later ones, so edit the existing line rather than appending a new one at the end of the file. After changing any of these options, restart the ssh server so the new settings take effect, and keep an existing session open until you have confirmed that key-based login still works.
)
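The following added example (my code, not from the page and not part of OpenSSH) edits sshd_config the way these options need to be edited: it rewrites the first active line for a keyword instead of appending, comments out later global duplicates, leaves Match blocks alone, and, when no global line exists, inserts the option before the first Match block, since global options may not follow one. The function names set_sshd_option and sshd_effective are invented for the illustration, and the sshd_config excerpt is constructed. Files pulled in through Include are not followed (an assumption made to keep the example short), which is one reason the result should still be confirmed with sshd -T.

```shell
#!/bin/sh
# sshd uses the FIRST value it sees for each keyword, so appending
# "PasswordAuthentication no" to a file that already says "yes" changes
# nothing. set_sshd_option FILE KEY VALUE makes the new value the effective one.
set_sshd_option() {
    cfg=$1; key=$2; val=$3
    tmp=$(mktemp)
    awk -v k="$key" -v v="$val" '
        {
            if (tolower($1) == "match") {
                # global options must precede the first Match block
                if (!done) { print k " " v; done = 1 }
                inmatch = 1
            }
            if (!inmatch && tolower($1) == tolower(k)) {
                # first global occurrence is rewritten, later ones commented out
                if (!done) { print k " " v; done = 1 } else { print "#" $0 }
                next
            }
            print          # comments, other keywords, and Match-block lines pass through
        }
        END { if (!done) print k " " v }
    ' "$cfg" > "$tmp" && cat "$tmp" > "$cfg"   # cat > keeps the owner and mode of cfg
    rm -f "$tmp"
}

# Effective global value of a keyword: the first active line before any Match
# block, which is what sshd will use outside of Match conditions.
sshd_effective() {
    awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        tolower($1) == "match" { exit }
        tolower($1) == k       { print $2; exit }
    ' "$1"
}

# Demonstration on a constructed sshd_config excerpt (not a real host's file).
cfg=$(mktemp)
cat > "$cfg" <<'EOF'
#PubkeyAuthentication yes
PasswordAuthentication yes
UsePAM yes
Match User deploy
    PasswordAuthentication no
EOF
for opt in PasswordAuthentication ChallengeResponseAuthentication; do
    set_sshd_option "$cfg" "$opt" no
done
sshd_effective "$cfg" PasswordAuthentication            # no
sshd_effective "$cfg" ChallengeResponseAuthentication   # no
cat "$cfg"
```

On a real server run sshd -t to syntax-check the file and sshd -T | grep -i passwordauthentication to see the value the daemon actually resolves (including anything from Include), then restart sshd.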
The cause finally turned up in the client configuration file, ssh_config:
linux:/etc/ssh/# cat /etc/ssh/ssh_config
# Site-wide defaults for some commonly used options. For a comprehensive
# list of available options, their meanings and defaults, please see the
# ssh_config(5) man page.
Host *
# ForwardAgent no
# ForwardX11 no
# If you do not trust your remote host (or its administrator), you
# should not forward X11 connections to your local X11-display for
# security reasons: Someone stealing the authentication data on the
# remote side (the "spoofed" X-server by the remote sshd) can read your
# keystrokes as you type, just like any other X11 client could do.
# Set this to "no" here for global effect or in your own ~/.ssh/config
# file if you want to have the remote X11 authentication data to
# expire after two minutes after remote login.
ForwardX11Trusted yes
# RhostsRSAAuthentication no
# RSAAuthentication yes
# PasswordAuthentication yes
# HostbasedAuthentication no
# GSSAPIAuthentication no
# GSSAPIDelegateCredentials no
# BatchMode no
# CheckHostIP yes
# AddressFamily any
# ConnectTimeout 0
# StrictHostKeyChecking ask
# IdentityFile ~/.ssh/identity
# IdentityFile ~/.ssh/id_rsa
# IdentityFile ~/.ssh/id_dsa
# Port 22
Protocol 2
# Cipher 3des
# Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
# MACs hmac-md5,hmac-sha1,[email protected],hmac-ripemd160
# EscapeChar ~
# Tunnel no
# TunnelDevice any:any
# PermitLocalCommand no
# GSSAPIAuthentication no
# GSSAPIDelegateCredentials no
# Set this to 'yes' to enable support for the deprecated 'gssapi' authentication
# mechanism to OpenSSH 3.8p1. The newer 'gssapi-with-mic' mechanism is included
# in this release. The use of 'gssapi' is deprecated due to the presence of
# potential man-in-the-middle attacks, which 'gssapi-with-mic' is not susceptible to.
# GSSAPIEnableMITMAttack no
# This enables sending locale environment variables LC_* LANG, see ssh_config(5).
SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
SendEnv LC_IDENTIFICATION LC_ALL
IdentityFile ~/.ssh/identification
An extra line at the end of the file sets IdentityFile to ~/.ssh/identification.
Explanation:
When a host holds several key pairs, /etc/ssh/ssh_config (or the per-user ~/.ssh/config) can name a different private key for different hosts and users. For example:
Host *
IdentityFile ~/.ssh/%r@%h
For every host, use a private key at the path ~/.ssh/%r@%h, where ssh expands %r to the remote user name and %h to the host name.
Host 10.11.70.25
IdentityFile ~/.ssh/id_dsa141
Only for connections to 10.11.70.25, use the private key ~/.ssh/id_dsa141.
Two details matter here. IdentityFile is cumulative: every matching Host block adds another key, so with the two blocks above a connection to 10.11.70.25 offers both files, in file order. For most other options ssh keeps the first value it finds, so host-specific blocks belong before Host *. And as soon as any IdentityFile is configured, ssh no longer tries the built-in defaults (~/.ssh/id_rsa, ~/.ssh/id_dsa, and so on).
That last rule is what bit us. Our private key is still the default ~/.ssh/id_rsa, but ssh_config set IdentityFile ~/.ssh/identification, so ssh looked only for identification instead of id_rsa, public-key authentication never succeeded, and sshd fell back to prompting for a password every time.
Fix:
Delete or comment out the last line:
#IdentityFile ~/.ssh/identification
The client reads ssh_config on every invocation, so the change takes effect immediately; there is no ssh service to restart. On OpenSSH 6.8 and later, ssh -G 10.11.70.25 prints the effective client options for that destination (IdentityFile included), and ssh -v 10.11.70.25 shows which keys are offered, which finds this kind of misconfiguration faster than reading the whole file.
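To make the precedence rules concrete, here is an added example (my code, not from the original page and not part of OpenSSH) that emulates how the client gathers IdentityFile entries for one destination from an ssh_config file, and runs it against the page's own two-block example plus the stray line that caused the problem. identity_files_for is an invented name and the config file is constructed; the emulation covers only Host patterns with * and ? (space- or comma-separated) and the %r/%h tokens, not Match, Include or ! negation.

```shell
#!/bin/sh
# Collects the IdentityFile entries ssh would try for USER@HOST from CFG:
#   - a Host block applies when one of its patterns matches the destination
#   - IdentityFile accumulates across all matching blocks, in file order
#   - once any IdentityFile is set, the built-in defaults (id_rsa, ...) are
#     not tried, which is exactly why the stray line broke key login
identity_files_for() {
    cfg=$1; user=$2; host=$3
    active=1               # lines before the first Host block apply everywhere
    set -f                 # no pathname expansion while we split "Host *"
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}   # drop comments
        set -- $line       # split into keyword and arguments
        [ $# -ge 2 ] || continue
        key=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
        shift
        case $key in
        host)
            active=0
            for pat in $(printf '%s ' "$@" | tr ',' ' '); do
                case $host in $pat) active=1 ;; esac   # shell glob == ssh pattern
            done ;;
        identityfile)
            [ "$active" -eq 1 ] || continue
            # expand the tokens used on the page: %r remote user, %h host name
            printf '%s\n' "$1" | sed "s|%r|$user|g; s|%h|$host|g" ;;
        esac
    done < "$cfg"
    set +f
}

# Constructed config: the page's per-host example, followed by the stray
# line that was found at the end of /etc/ssh/ssh_config (inside "Host *").
cfg=$(mktemp)
cat > "$cfg" <<'EOF'
Host 10.11.70.25
    IdentityFile ~/.ssh/id_dsa141
Host *
    IdentityFile ~/.ssh/%r@%h
IdentityFile ~/.ssh/identification
EOF
identity_files_for "$cfg" root 10.11.70.25
# prints, in the order ssh would offer them:
# ~/.ssh/id_dsa141
# ~/.ssh/root@10.11.70.25
# ~/.ssh/identification
```

Every file in that list is offered to the server in turn, and sshd counts each offered key against MaxAuthTries (default 6), so a long list can end in "Too many authentication failures" before the right key is reached; IdentitiesOnly yes in the Host block limits the attempt to the configured files (agent keys excluded). The authoritative version of this listing is ssh -G 10.11.70.25 | grep -i identityfile.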
linux:~/.ssh # ssh 10.11.70.25
Authorized users only. All activity may be monitored and reported.
Last login: Thu Feb 20 15:23:10 2014 from 10.18.56.23
Authorized users only. All activity may be monitored and reported.
linux101:~ # ls
Login to the remote server 10.11.70.25 now goes straight through without a password prompt; problem solved.