LINUX.ORG.RU
ФорумAdmin

ssh авторизация по ключам


1

1
1) имеем сервер куда нужно попадать
2)Клиентская тачка с которой хотим ходить на сервер без пароля 

на сервере делаем ssh-keygen -t rsa
root@debian:/etc/ssh# 
root@debian:/etc/ssh# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): 
/root/.ssh/id_rsa already exists.
Overwrite (y/n)? y
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
10:6a:d6:67:d6:9f:18:1f:a6:e1:65:b7:b2:7f:92:fa root@debian
The key's randomart image is:
+--[ RSA 2048]----+
|      .          |
|     o . .       |
|    + o + + = .  |
|   o   = . @ + . |
|        S + = .  |
|             o   |
|            .  . |
|             .o .|
|            .oEo |
+-----------------+
root@debian:/etc/ssh# 

получаем два ключика 

id_rsa id_rsa.pub - первый секретный второй публичный , копируем публичный на рабочую станцию с которой будем конектится на сервер 
в каталог имя пользвателя/.ssh  c именем  с именем authorized_keys

Теперь по идее при попытке зайти на сервер во ssh имя пользователя@ip сервака меня должно пустить без пароля !

root@debtest:~# ssh root@192.168.3.15
The authenticity of host '192.168.3.15 (192.168.3.15)' can't be established.
RSA key fingerprint is 46:a6:35:68:c5:be:cc:fd:14:fc:a7:01:bc:9e:56:0b.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.3.15' (RSA) to the list of known hosts.
Permission denied (publickey).



что не так сделал ? 

как именно копировал?
используй ssh-copy-id, он сам права даже нужные выставит.
ну и ssh -vvv root@192.168.3.15 в студию, если не поможет

zolden ★★★★★ ()

Я генерировал ключи на клиенте, а потом прописывал паблик на сервере. Проблем не было.

winlook38 ★★ ()
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys
grep Pubkey /etc/ssh/sshd_config

на сервере

maloi ★★★★★ ()
Последнее исправление: maloi (всего исправлений: 1)

На клиенте должен быть id_rsa На сервере в ~/.ssh/authorized_keys должен быть id_rsa.pub.

cat id_rsa.pub > ~/.ssh/authorized_keys
или
cat id_rsa.pub >> ~/.ssh/authorized_keys
если на сервере уже есть публичные ключи в authorized_keys.

getup ()
Ответ на: комментарий от zolden
root@debian:~/.ssh# ssh-copy-id -i id_rsa.pub root@192.168.4.52
The authenticity of host '192.168.4.52 (192.168.4.52)' can't be established.
RSA key fingerprint is d8:ec:49:1d:78:59:f4:ed:28:82:a0:fc:e2:4f:8c:58.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.4.52' (RSA) to the list of known hosts.
root@192.168.4.52's password: 
Now try logging into the machine, with "ssh 'root@192.168.4.52'", and check in:

  .ssh/authorized_keys

to make sure we haven't added extra keys that you weren't expecting.

пробую конектится с 192.168.4.52
root@debtest:~# ssh 192.168.3.15
Permission denied (publickey).

root@debtest:~# ssh 192.168.3.15
Permission denied (publickey).
root@debtest:~# ssh -vvv root@192.168.3.15
OpenSSH_5.5p1 Debian-6+squeeze1, OpenSSL 0.9.8o 01 Jun 2010
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to 192.168.3.15 [192.168.3.15] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: identity file /root/.ssh/id_rsa type -1
debug1: identity file /root/.ssh/id_rsa-cert type -1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: identity file /root/.ssh/id_dsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.5p1 Debian-6+squeeze1
debug1: match: OpenSSH_5.5p1 Debian-6+squeeze1 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.5p1 Debian-6+squeeze1
debug2: fd 3 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa-cert-v00@openssh.com,ssh-dss-cert-v00@openssh.com,ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: first_kex_follows 0 
debug2: kex_parse_kexinit: reserved 0 
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: first_kex_follows 0 
debug2: kex_parse_kexinit: reserved 0 
debug2: mac_setup: found hmac-md5
debug1: kex: server->client aes128-ctr hmac-md5 none
debug2: mac_setup: found hmac-md5
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 120/256
debug2: bits set: 526/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug3: check_host_in_hostfile: host 192.168.3.15 filename /root/.ssh/known_hosts
debug3: check_host_in_hostfile: host 192.168.3.15 filename /root/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 1
debug1: Host '192.168.3.15' is known and matches the RSA host key.
debug1: Found key in /root/.ssh/known_hosts:1
debug2: bits set: 521/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /root/.ssh/id_rsa ((nil))
debug2: key: /root/.ssh/id_dsa ((nil))
debug1: Authentications that can continue: publickey
debug3: start over, passed a different list publickey
debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /root/.ssh/id_rsa
debug3: no such identity: /root/.ssh/id_rsa
debug1: Trying private key: /root/.ssh/id_dsa
debug3: no such identity: /root/.ssh/id_dsa
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
Permission denied (publickey)

drac753 ★★ ()
Ответ на: комментарий от getup

Большое Ограменное спасибо добрый человек помогло !!!

drac753 ★★ ()
Ответ на: комментарий от zolden

просто полез не в официальные доки, статья из бложика попалась по ней делал , понимаю что тупо лень -враг админа

drac753 ★★ ()

Детям мороженое! Бабе цветы!

anonymous ()
Ответ на: комментарий от drac753

если под сертификатами имелись в виду ключи, то надо курить /etc/sshd_config и PubkeyAuthentication

zolden ★★★★★ ()
Вы не можете добавлять комментарии в эту тему. Тема перемещена в архив.