
SSH without a password: public key, private key


callou

Recommended answers

Hello,

I have one more nagging problem: SSH based on public/private keys does not work for me.

I have remote directories from another server mounted and I cannot access them automatically.

At first everything worked correctly, i.e. I could connect via SSH without a password to three different accounts on two different servers.

At some point I did some manipulation consisting of copying the public keys from the server to my account, so that I could log in via SSH without a password in both directions, and more or less from that moment it stopped working. Later I started tinkering, removed all the keys and wanted to set this functionality up from scratch, but with poor results.

Now I cannot connect even in one direction, i.e. my computer -> servers.

It seems to me that I did not change any configuration, which irritates me even more, because I don't know where the problem lies.

The server runs fc14; at the time I also had the same system version (now I have F15), and the SELinux and sshd_config configuration looked identical at first glance.

Earlier I set this functionality up according to the guide http://www.thegeekst...en-ssh-copy-id/ and everything worked beautifully.

But now it fails and I no longer know where to look for the error.


1. serwer1 -> serwer2 -- works

2. my computer (f15) -> serwer1 (fc14) -- does not work

3. my computer -> serwer2 (Ubuntu) -- does not work

4. serwer2 -> user2@serwer1 -- works

5. serwer1 -> my computer -- does not work

6. serwer2 -> my computer -- does not work

7. serwer2 -> user3@serwer1 -- does not work


Note that points 4 and 7 differ only in the user, i.e. for one it works and for the other it does not (why?); the settings are the same, and so are the public keys from the account on serwer2...

e.g. here is a connection attempt from point 3.

[user1@mój komp. .ssh]$ ssh -v user2@serwer2
OpenSSH_5.6p1, OpenSSL 1.0.0e-fips 6 Sep 2011
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to serwer2 [serwer2] port 22.
debug1: Connection established.
debug1: read PEM private key done: type DSA
debug1: read PEM private key done: type RSA
debug1: read PEM private key done: type DSA
debug1: read PEM private key done: type RSA
debug1: identity file /home/user1/.ssh/id_rsa type 1
debug1: identity file /home/user1/.ssh/id_rsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3p1 Debian-3ubuntu7
debug1: match: OpenSSH_5.3p1 Debian-3ubuntu7 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.6
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'serwer2' is known and matches the RSA host key.
debug1: Found key in /home/user1/.ssh/known_hosts:2
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/user1/.ssh/id_rsa
debug1: Server accepts key: pkalg ssh-rsa blen 279
Agent admitted failure to sign using the key.
debug1: Offering RSA public key: /home/user1/.ssh/id_rsa
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: password
user2@serwer2's password: 

and here from point 2.

[user1@mój komp.  .ssh]$ ssh -v user2@serwer1
OpenSSH_5.6p1, OpenSSL 1.0.0e-fips 6 Sep 2011
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to serwer1 [serwer1] port 22.
debug1: Connection established.
debug1: read PEM private key done: type DSA
debug1: read PEM private key done: type RSA
debug1: read PEM private key done: type DSA
debug1: read PEM private key done: type RSA
debug1: identity file /home/user1/.ssh/id_rsa type 1
debug1: identity file /home/user1/.ssh/id_rsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.5
debug1: match: OpenSSH_5.5 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.6
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'serwer1' is known and matches the RSA host key.
debug1: Found key in /home/user1/.ssh/known_hosts:1
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug1: Next authentication method: gssapi-with-mic
debug1: An invalid name was supplied
Cannot determine realm for numeric host address

debug1: An invalid name was supplied
Cannot determine realm for numeric host address

debug1: An invalid name was supplied


debug1: An invalid name was supplied


debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/user1/.ssh/id_rsa
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Offering RSA public key: /home/user1/.ssh/id_rsa
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Next authentication method: password
user2@serwer1's password:

from point 7.

user1@serwer2:~$ ssh -v 'user3@serwer1'
OpenSSH_5.3p1 Debian-3ubuntu7, OpenSSL 0.9.8k 25 Mar 2009
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to serwer1 [serwer1] port 22.
debug1: Connection established.
debug1: identity file /home/user1/.ssh/identity type -1
debug1: identity file /home/user1/.ssh/id_rsa type 1
debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-2048
debug1: Checking blacklist file /etc/ssh/blacklist.RSA-2048
debug1: identity file /home/user1/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.5
debug1: match: OpenSSH_5.5 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu7
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'serwer1' is known and matches the RSA host key.
debug1: Found key in /home/user1/.ssh/known_hosts:1
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure.  Minor code may provide more information
Credentials cache file '/tmp/krb5cc_1005' not found

debug1: Unspecified GSS failure.  Minor code may provide more information
Credentials cache file '/tmp/krb5cc_1005' not found

debug1: Unspecified GSS failure.  Minor code may provide more information


debug1: Next authentication method: publickey
debug1: Trying private key: /home/user1/.ssh/identity
debug1: Offering public key: /home/user1/.ssh/id_rsa
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Trying private key: /home/user1/.ssh/id_dsa
debug1: Next authentication method: password
user3@serwer1's password:

from point 4.

user1@serwer2:~$ ssh -v 'user2@serwer1'
OpenSSH_5.3p1 Debian-3ubuntu7, OpenSSL 0.9.8k 25 Mar 2009
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to serwer1 [serwer1] port 22.
debug1: Connection established.
debug1: identity file /home/user1/.ssh/identity type -1
debug1: identity file /home/user1/.ssh/id_rsa type 1
debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-2048
debug1: Checking blacklist file /etc/ssh/blacklist.RSA-2048
debug1: identity file /home/user1/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.5
debug1: match: OpenSSH_5.5 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu7
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'serwer1' is known and matches the RSA host key.
debug1: Found key in /home/user1/.ssh/known_hosts:1
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure.  Minor code may provide more information
Credentials cache file '/tmp/krb5cc_1005' not found

debug1: Unspecified GSS failure.  Minor code may provide more information
Credentials cache file '/tmp/krb5cc_1005' not found

debug1: Unspecified GSS failure.  Minor code may provide more information


debug1: Next authentication method: publickey
debug1: Trying private key: /home/user1/.ssh/identity
debug1: Offering public key: /home/user1/.ssh/id_rsa
debug1: Server accepts key: pkalg ssh-rsa blen 277
debug1: read PEM private key done: type RSA
debug1: Authentication succeeded (publickey).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: Sending environment.
debug1: Sending env LANG = pl_PL.UTF-8
Last login: Thu Oct 13 11:18:51 2011 from xxx.xx.xxx.xxx
[user2@serwer2 ~]$ 

Attempt from point 6.

user1@serwer2:~$ ssh -v 'user2@moj komp.'
OpenSSH_5.3p1 Debian-3ubuntu7, OpenSSL 0.9.8k 25 Mar 2009
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to moj komp. [moj komp.] port 22.
debug1: Connection established.
debug1: identity file /home/user1/.ssh/identity type -1
debug1: identity file /home/user1/.ssh/id_rsa type 1
debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-2048
debug1: Checking blacklist file /etc/ssh/blacklist.RSA-2048
debug1: identity file /home/user1/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.6
debug1: match: OpenSSH_5.6 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu7
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'moj komp.' is known and matches the RSA host key.
debug1: Found key in /home/user1/.ssh/known_hosts:2
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug1: Next authentication method: gssapi-with-mic
debug1: An invalid name was supplied
Cannot determine realm for numeric host address

debug1: An invalid name was supplied
Cannot determine realm for numeric host address

debug1: An invalid name was supplied


debug1: Next authentication method: publickey
debug1: Trying private key: /home/user1/.ssh/identity
debug1: Offering public key: /home/user1/.ssh/id_rsa
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Trying private key: /home/user1/.ssh/id_dsa
debug1: Next authentication method: password
user2@moj komp.'s password:


From what I can see, the whole philosophy comes down to two simple points.

  1. On the account you log in from, you need to have generated keys (private and public, via ssh-keygen)
  2. On the target computer, the ~/.ssh/authorized_keys file of the user you want to log in as must contain a copy of the public key.

Generate keys on every account you want to log in from without a password. Do this only once. If you generate again and overwrite the files, the keys will only match for the most recently generated pair. Then use ssh-copy-id as in the guide, or manually append the public key to the ~/.ssh/authorized_keys file on all hosts you want to log in to without a password from the given computer.


Generate keys on every account you want to log in from without a password. Do this only once. If you generate again and overwrite the files, the keys will only match for the most recently generated pair. Then use ssh-copy-id as in the guide, or manually append the public key to the ~/.ssh/authorized_keys file on all hosts you want to log in to without a password from the given computer.

I did as you wrote; it is better.

1. serwer1 -> serwer2 -- works (no change)

2.0. my computer (f15) -> user1@serwer1 (fc14) -- works

2.1. my computer (f15) -> user2@serwer1 (fc14) -- does not work ?? (no change)

3. my computer -> serwer2 (Ubuntu) -- works

4.0 serwer2 -> user1@serwer1 -- works (no change)

4.1 serwer2 -> user2@serwer1 -- does not work (no change)

5. serwer1 -> my computer -- does not work (no change)

6. serwer2 -> my computer -- does not work (no change)

I did this:

1. I removed everything from the .ssh directories on all accounts

2. ssh-keygen -- generating RSA keys

3. ssh-copy-id -i ~/.ssh/id_rsa.pub remote-host -- copying the public keys to the remote machine

and the functionality is still missing; mainly my computer does not want to authorize the transaction, and I also cannot log in to serwer1 as a different user without a password (point 2.1).

Although there is progress, because points 2.0 and 3 are OK.

PS

user2 on serwer1 rejects SSH connections using public keys.

However, user2 from serwer1 can log in to serwer2 and to serwer1 on the user1 account.

My computer cannot log in to the user2 account on serwer1 (the rest is OK).

However, my computer rejects all attempts to log in via SSH using keys.

Maybe there is some configuration error here?

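As an added example (not code from any poster in this thread), a small POSIX shell helper for the two failure patterns visible in the logs above: the serwer2 attempt, where the server accepts the key but the local agent cannot sign, and the serwer1/user2 attempts, where the key is offered and never accepted. `classify_ssh_log` names the pattern in a saved `ssh -v` transcript, and `check_ssh_perms` checks, on the target account, the permission and ownership rules sshd's StrictModes enforces before it will read authorized_keys (a common reason one user on a host accepts keys while another does not). The sample log lines and the temporary home directory are constructed here.

```shell
#!/bin/sh
# Added example, not code from this thread.
# classify_ssh_log FILE : names the authentication failure pattern in saved 'ssh -v' output
# check_ssh_perms HOME  : checks what sshd's StrictModes requires on the target account

classify_ssh_log() {
  if grep -q 'Authentication succeeded (publickey)' "$1"; then
    echo publickey-ok          # key is in authorized_keys and the client signed the challenge
  elif grep -q 'Agent admitted failure to sign' "$1"; then
    echo agent-cannot-sign     # server accepted the key; ssh-agent holds a stale/other key (try ssh-add)
  elif grep -q 'Offering.*public key' "$1"; then
    echo key-rejected          # server never said "accepts key": authorized_keys content, perms or SELinux
  else
    echo no-key-offered        # client found no usable identity file
  fi
}

# sshd (StrictModes yes, the default) silently ignores authorized_keys when the home
# directory, ~/.ssh or the file itself is group/world-writable or owned by another user.
check_ssh_perms() {
  home="$1"; bad=0; me=$(id -un)
  for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
    [ -e "$p" ] || { echo "missing: $p"; bad=1; continue; }
    # -perm -020 / -002: group-write / other-write bit set; -prune stops find descending
    if [ -n "$(find "$p" -prune \( -perm -020 -o -perm -002 \) -print)" ]; then
      echo "group/world writable: $p"; bad=1
    fi
    if [ -n "$(find "$p" -prune ! -user "$me" -print)" ]; then
      echo "not owned by $me: $p"; bad=1
    fi
  done
  return $bad
}

# Constructed samples mirroring the two failing patterns seen in the thread's logs.
SAMPLE=$(mktemp -d)
printf '%s\n' 'debug1: Offering RSA public key: /home/user1/.ssh/id_rsa' \
  'debug1: Server accepts key: pkalg ssh-rsa blen 279' \
  'Agent admitted failure to sign using the key.' > "$SAMPLE/serwer2.log"
printf '%s\n' 'debug1: Offering public key: /home/user1/.ssh/id_rsa' \
  'debug1: Authentications that can continue: publickey,password' > "$SAMPLE/serwer1.log"
mkdir -p "$SAMPLE/home/.ssh"; touch "$SAMPLE/home/.ssh/authorized_keys"
chmod 755 "$SAMPLE/home"; chmod 777 "$SAMPLE/home/.ssh"; chmod 600 "$SAMPLE/home/.ssh/authorized_keys"

classify_ssh_log "$SAMPLE/serwer2.log"   # agent-cannot-sign
classify_ssh_log "$SAMPLE/serwer1.log"   # key-rejected
check_ssh_perms "$SAMPLE/home" ||
  echo "fix on the target: chmod 700 ~/.ssh; chmod 600 ~/.ssh/authorized_keys; restorecon -R ~/.ssh"
```

On Fedora, `restorecon -R ~/.ssh` matters as much as the mode bits: files copied in by hand can carry a wrong SELinux context that sshd is not allowed to read, which also shows up as a silently rejected key.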