ssh 免密登录配置 (配置后还需要密码输入密码问题解决)
背景
需要搭建jenkins,用来自动部署服务到目标服务器, 所以需要在jenkins所在机器配置免密登录目标服务器
环境
阿里云服务器:服务器A(jenkins所在服务器),服务器B(部署目标服务器)
步骤
一 服务器A部分
1 登录A,
2 生成秘钥
1)首先查看.ssh下是否已经有id_rsa和id_rsa.pub文件, 以免被覆盖
2)生成秘钥
ssh-keygen -t rsa -C "xxx@jenkins"
3)将在.ssh文件夹下生成2个文件 id_rsa, id_rsa.pub, 重命名为 id_rsa_jenkins,id_rsa_jenkins.pub 以免以后冲突
3 配置config
在~/.ssh 下 创建config文件
Host pre1 HostName xx.xx.xx.xx Host pre2 HostName xx.xx.xx.xx Host * User 登录目标机器的用户 Port 登录目标机器的端口 IdentityFile ~/.ssh/id_rsa_jenkins 私钥所在路径
由于用户,端口号,秘钥, 都是通用的,所以以通配符来配置, 只有服务器地址不同, 每个目标服务器单独配置
4 拷贝 id_rsa_jenkins.pub 内的内容
二 服务器B部分
1 使用要免密登录的账户登录服务器B
2 在~/.ssh文件夹下 查看是否有 authorized_keys 没有则创建
3 将id_rsa_jenkins.pub的内容, 追加到authorized_keys后面
4 查看 /ect/ssh/sshd_config
需要有如下配置
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile %h/.ssh/authorized_keys
5 切换到root用户 重启 sshd : service sshd restart
结果
在服务器A ssh pre1
结果还让输入密码, 一定是我哪里配置的不对, 查找问题
解决问题
开两个窗口, 分别登录服务器A和B
服务器B:
1 登录root用户
2 停止ssh service ssh stop
3 debug运行ssh /usr/sbin/sshd -d
服务器A:尝试ssh : ssh -v pre1 查看详情
服务器A日志:
OpenSSH_7.6p1 Ubuntu-4ubuntu0.4, OpenSSL 1.0.2n 7 Dec 2017 debug1: Reading configuration data /var/lib/jenkins/.ssh/config debug1: /var/lib/jenkins/.ssh/config line 5: Applying options for pre1 debug1: /var/lib/jenkins/.ssh/config line 8: Applying options for * debug1: Reading configuration data /etc/ssh/ssh_config debug1: /etc/ssh/ssh_config line 19: Applying options for * debug1: Connecting to **.**.**.** [**.**.**.**] port ****. debug1: Connection established. debug1: identity file /var/lib/jenkins/.ssh/id_rsa_jenkins type 0 debug1: key_load_public: No such file or directory debug1: identity file /var/lib/jenkins/.ssh/id_rsa_jenkins-cert type -1 debug1: Local version string SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.4 debug1: Remote protocol version 2.0, remote software version OpenSSH_7.2p2 Ubuntu-4ubuntu2.4 debug1: match: OpenSSH_7.2p2 Ubuntu-4ubuntu2.4 pat OpenSSH* compat 0x04000000 debug1: Authenticating to **.**.**.**:**** as 'username' debug1: SSH2_MSG_KEXINIT sent debug1: SSH2_MSG_KEXINIT received debug1: kex: algorithm: curve25519-sha256@libssh.org debug1: kex: host key algorithm: ecdsa-sha2-nistp256 debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none debug1: expecting SSH2_MSG_KEX_ECDH_REPLY debug1: Server host key: ecdsa-sha2-nistp256 SHA256:+/jjmuxy3eZ61XEguY2327fz7OfrhIks1edgLK3AnWY debug1: Host '[**.**.**.**]:****' is known and matches the ECDSA host key. debug1: Found key in /var/lib/jenkins/.ssh/known_hosts:4 debug1: rekey after 134217728 blocks debug1: SSH2_MSG_NEWKEYS sent debug1: expecting SSH2_MSG_NEWKEYS debug1: SSH2_MSG_NEWKEYS received debug1: rekey after 134217728 blocks debug1: SSH2_MSG_EXT_INFO received debug1: kex_input_ext_info: server-sig-algs=<rsa-sha2-256,rsa-sha2-512> debug1: SSH2_MSG_SERVICE_ACCEPT received debug1: Authentications that can continue: publickey,password debug1: Next authentication method: publickey debug1: Offering public key: RSA SHA256:XS0Qkck+0F5M0iJdLn3/owfK9QGxPSQxRoYcCGcb9zQ /var/lib/jenkins/.ssh/id_rsa_jenkins debug1: Authentications that can continue: publickey,password debug1: Next authentication method: password
发现在登录过程中,尝试证书认证,但是没有认证通过, 改为密码登录, 于是查看服务器B日志,看看因为什么导致证书认证错误
服务器B日志
debug1: sshd version OpenSSH_7.2, OpenSSL 1.0.2g 1 Mar 2016 debug1: private host key #0: ssh-rsa SHA256:FdwiwpgHBW6MTxKJSkVYbtYS/H/kYr+o6JAoFjzOrY8 debug1: private host key #1: ssh-dss SHA256:thpjst+JHWAjnRyEDtOjWeVNO7JFl5K2FETPSLU5hcg debug1: private host key #2: ecdsa-sha2-nistp256 SHA256:+/jjmuxy3eZ61XEguY2327fz7OfrhIks1edgLK3AnWY debug1: private host key #3: ssh-ed25519 SHA256:9X0yrjSoRLi/AM/oyozk3Sgd+G0JoDyJbIZFv1rt1Rg debug1: rexec_argv[0]='/usr/sbin/sshd' debug1: rexec_argv[1]='-d' debug1: Set /proc/self/oom_score_adj from 0 to -1000 debug1: Bind to port **** on 0.0.0.0. Server listening on 0.0.0.0 port ****. debug1: Server will not fork when running in debugging mode. debug1: rexec start in 4 out 4 newsock 4 pipe -1 sock 7 debug1: inetd sockets after dupping: 3, 3 Connection from **.**.**.** port **** on **.**.**.** port **** debug1: Client protocol version 2.0; client software version OpenSSH_7.6p1 Ubuntu-4ubuntu0.4 debug1: match: OpenSSH_7.6p1 Ubuntu-4ubuntu0.4 pat OpenSSH* compat 0x04000000 debug1: Enabling compatibility mode for protocol 2.0 debug1: Local version string SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.4 debug1: permanently_set_uid: 109/65534 [preauth] debug1: list_hostkey_types: ssh-rsa,rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519 [preauth] debug1: SSH2_MSG_KEXINIT sent [preauth] debug1: SSH2_MSG_KEXINIT received [preauth] debug1: kex: algorithm: curve25519-sha256@libssh.org [preauth] debug1: kex: host key algorithm: ecdsa-sha2-nistp256 [preauth] debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none [preauth] debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none [preauth] debug1: expecting SSH2_MSG_KEX_ECDH_INIT [preauth] debug1: rekey after 134217728 blocks [preauth] debug1: SSH2_MSG_NEWKEYS sent [preauth] debug1: expecting SSH2_MSG_NEWKEYS [preauth] debug1: rekey after 134217728 blocks [preauth] debug1: SSH2_MSG_NEWKEYS received [preauth] debug1: KEX done [preauth] debug1: userauth-request for user username service ssh-connection method none [preauth] debug1: attempt 0 failures 0 [preauth] debug1: PAM: initializing for "username" debug1: PAM: setting PAM_RHOST to "**.**.**.**" debug1: PAM: setting PAM_TTY to "ssh" debug1: userauth-request for user username service ssh-connection method publickey [preauth] debug1: attempt 1 failures 0 [preauth] debug1: userauth_pubkey: test whether pkalg/pkblob are acceptable for RSA SHA256:XS0Qkck+0F5M0iJdLn3/owfK9QGxPSQxRoYcCGcb9zQ [preauth] debug1: temporarily_use_uid: 1000/1000 (e=0/0) debug1: trying public key file /home/username/.ssh/authorized_keys debug1: fd 4 clearing O_NONBLOCK Authentication refused: bad ownership or modes for directory /home/usernamedebug1: restore_uid: 0/0 Failed publickey for username from **.**.**.** port **** ssh2: RSA SHA256:XS0Qkck+0F5M0iJdLn3/owfK9QGxPSQxRoYcCGcb9zQ Connection closed by **.**.**.** port **** [preauth] debug1: do_cleanup [preauth] debug1: monitor_read_log: child log fd closed debug1: do_cleanup debug1: PAM: cleanup debug1: Killing privsep child 17849 debug1: audit_event: unhandled event 12
核心部分, /home/username 用户文件夹权限不对, 修改为700 :chmod 700 /home/username
再来一遍
又出现了
Authentication refused: bad ownership or modes for directory /home/username/.ssh
改为700
再来一遍 链接成功
最后提醒, 解决完了千万别忘记将服务器B的ssh再启动起来
最后提醒, 解决完了千万别忘记将服务器B的ssh再启动起来
最后提醒, 解决完了千万别忘记将服务器B的ssh再启动起来