Case 1: a permissions problem
Symptom: A sets up a trust relationship with B, but the setup fails.
Resolution: check the permissions of .ssh/authorized_keys under B's user; they may only be 700 or 644, nothing else.
Case 2: SSH trust relationships, specifying a different private-key file for each host
After a trust relationship with 10.11.70.25 has been created, every ssh login to 10.11.70.25 still prompts for a password, as follows:
linux:/etc/ssh/# ssh 10.11.70.25
Authorized users only. All activity may be monitored and reported.
Password:
Checked these settings in /etc/ssh/sshd_config:
#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile .ssh/authorized_keys
All of them are at their default of yes.
(
Supplementary note:
The OpenSSH server configuration file is normally /etc/ssh/sshd_config; the two settings related to public-key authentication are:
#RSAAuthentication yes
#PubkeyAuthentication yes
Their default value is generally yes. To enable only public-key authentication and disable the other authentication methods, change the following settings:
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM no
If any of the settings above is changed, restart the ssh server afterwards so the new settings take effect.
)
Finally the investigation reached the ssh_config file, whose contents are:
linux:/etc/ssh/# cat /etc/ssh/ssh_config
# Site-wide defaults for some commonly used options. For a comprehensive
# list of available options, their meanings and defaults, please see the
# ssh_config(5) man page.
Host *
# ForwardAgent no
# ForwardX11 no
# If you do not trust your remote host (or its administrator), you
# should not forward X11 connections to your local X11-display for
# security reasons: Someone stealing the authentification data on the
# remote side (the "spoofed" X-server by the remote sshd) can read your
# keystrokes as you type, just like any other X11 client could do.
# Set this to "no" here for global effect or in your own ~/.ssh/config
# file if you want to have the remote X11 authentification data to
# expire after two minutes after remote login.
ForwardX11Trusted yes
# RhostsRSAAuthentication no
# RSAAuthentication yes
# PasswordAuthentication yes
# HostbasedAuthentication no
# GSSAPIAuthentication no
# GSSAPIDelegateCredentials no
# BatchMode no
# CheckHostIP yes
# AddressFamily any
# ConnectTimeout 0
# StrictHostKeyChecking ask
# IdentityFile ~/.ssh/identity
# IdentityFile ~/.ssh/id_rsa
# IdentityFile ~/.ssh/id_dsa
# Port 22
Protocol 2
# Cipher 3des
# Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
# MACs hmac-md5,hmac-sha1,[email protected],hmac-ripemd160
# EscapeChar ~
# Tunnel no
# TunnelDevice any:any
# PermitLocalCommand no
# GSSAPIAuthentication no
# GSSAPIDelegateCredentials no
# Set this to 'yes' to enable support for the deprecated 'gssapi' authentication
# mechanism to OpenSSH 3.8p1. The newer 'gssapi-with-mic' mechanism is included
# in this release. The use of 'gssapi' is deprecated due to the presence of
# potential man-in-the-middle attacks, which 'gssapi-with-mic' is not susceptible to.
# GSSAPIEnableMITMAttack no
# This enables sending locale enviroment variables LC_* LANG, see ssh_config(5).
SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
SendEnv LC_IDENTIFICATION LC_ALL
IdentityFile ~/.ssh/identification
An extra IdentityFile line at the end of the file redefines IdentityFile as ~/.ssh/identification.
Explanation:
When a host holds several key pairs, /etc/ssh/ssh_config can specify different private-key files for different hosts and users. For example:
Host *
IdentityFile ~/.ssh/%r@%h
For all hosts, use a private-key file whose path and name follow the pattern ~/.ssh/%r@%h
Host 10.11.70.25
IdentityFile ~/.ssh/id_dsa141
Only when connecting via ssh to the remote host 10.11.70.25, use the private-key file ~/.ssh/id_dsa141
In our case, however, the private key actually in use is still the default ~/.ssh/id_rsa.
Because ssh_config sets IdentityFile ~/.ssh/identification, at remote login the system looks for the private key identification instead of id_rsa,
so a password has to be entered every time.
Fix:
Delete or comment out the last line:
#IdentityFile ~/.ssh/identification
After the change the configuration file takes effect immediately; there is no need to restart the ssh service.
linux:~/.ssh # ssh 10.11.70.25
Authorized users only. All activity may be monitored and reported.
Last login: Thu Feb 20 15:23:10 2014 from 10.18.56.23
Authorized users only. All activity may be monitored and reported.
linux101:~ # ls
Login to the remote server 10.11.70.25 succeeds; problem solved.
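To make the IdentityFile behaviour in Case 2 concrete, here is an added Python example (not code from the original notes): a minimal ssh_config resolver that applies the two OpenSSH rules behind the symptom above, namely that once any IdentityFile is configured the default ~/.ssh/id_rsa is no longer offered, and that IdentityFile lines from every matching Host block accumulate. The config strings are constructed to mirror the page's files, and DEFAULT_IDENTITIES is an illustrative subset of OpenSSH's real default list.

```python
import fnmatch
import shlex

# Defaults OpenSSH falls back on when the configuration names no IdentityFile
# (illustrative subset; the exact list depends on the OpenSSH version).
DEFAULT_IDENTITIES = ["~/.ssh/id_rsa", "~/.ssh/id_dsa"]


def resolve_identity_files(config_text, host, user):
    """Return the private-key paths ssh would offer to `host` as `user`.

    Models two OpenSSH rules behind this page's symptom: IdentityFile lines
    from every matching Host block accumulate (they do not replace each
    other), and once the configuration names any IdentityFile the built-in
    defaults such as ~/.ssh/id_rsa are no longer tried. Only Host blocks and
    the %h / %r tokens are handled; Match blocks are ignored.
    """
    identities = []
    active = True  # options before the first Host line apply to every host
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        keyword, *args = shlex.split(line)
        if keyword.lower() == "host":
            active = any(fnmatch.fnmatchcase(host, pat) for pat in args)
        elif keyword.lower() == "identityfile" and active:
            identities.append(args[0].replace("%h", host).replace("%r", user))
    return identities or list(DEFAULT_IDENTITIES)


# Constructed configs reproducing the page's cases (not the real files).
BROKEN_CONFIG = """
Host *
Protocol 2
IdentityFile ~/.ssh/identification
"""
FIXED_CONFIG = BROKEN_CONFIG.replace("IdentityFile", "#IdentityFile")
PER_HOST_CONFIG = """
Host *
IdentityFile ~/.ssh/%r@%h
Host 10.11.70.25
IdentityFile ~/.ssh/id_dsa141
"""

if __name__ == "__main__":
    for name, cfg in [("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG),
                      ("per-host", PER_HOST_CONFIG)]:
        print(name, "->", resolve_identity_files(cfg, "10.11.70.25", "root"))
```

Note that for 10.11.70.25 the per-host config yields both ~/.ssh/root@10.11.70.25 and ~/.ssh/id_dsa141, because IdentityFile directives add to the list of identities rather than override it. On a real system, `ssh -v 10.11.70.25` lists the identity files the client actually offers, which is the quickest way to confirm this diagnosis.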