sshd 的配置非常的多,好多功能都搞不清楚,遇到失败的情况下真的好痛苦。
/root 目录权限错误
通过查看 /var/log/secure 看到目录权限错误。
1
2
3
4
5
6
$ cat /var/log/secure |tail
Jun 2 12:07:23 iZj6c37ji07eeoyfn7cdvkZ sshd[30905]: Authentication refused: bad ownership or modes for directory /root
Jun 2 12:07:25 iZj6c37ji07eeoyfn7cdvkZ sshd[30905]: Connection closed by authenticating user root 27.154.255.221 port 4491 [preauth]
Jun 2 12:07:30 iZj6c37ji07eeoyfn7cdvkZ sshd[30907]: Authentication refused: bad ownership or modes for directory /root
Jun 2 12:07:30 iZj6c37ji07eeoyfn7cdvkZ sshd[30907]: Authentication refused: bad ownership or modes for directory /root
Jun 2 12:07:31 iZj6c37ji07eeoyfn7cdvkZ sshd[30907]: Connection closed by authenticating user root 27.154.255.221 port 4694 [preauth]
确认 /root 目录的权限。不知道为什么变成 admin。
1
2
3
$ ls -al /root
total 1536
drwxr-xr-x. 6 admin admin 4096 Jun 2 12:07 .
修改权限后可以登录
1
chown root /root
证书秘钥类型不支持
服务端的错误信息不是那么明显,无法判断是什么错误原因
1
2
3
4
5
6
7
$ cat /var/log/secure
Jun 2 11:40:03 iZwz9594tvykhrc0ajmm9gZ sshd[49912]: error: Received disconnect from 100.104.228.133 port 54274:10: [preauth]
Jun 2 11:40:03 iZwz9594tvykhrc0ajmm9gZ sshd[49912]: Disconnected from authenticating user root 100.104.228.133 port 54274 [preauth]
Jun 2 11:40:04 iZwz9594tvykhrc0ajmm9gZ sshd[49920]: error: Received disconnect from 100.104.228.133 port 54287:10: [preauth]
Jun 2 11:40:04 iZwz9594tvykhrc0ajmm9gZ sshd[49920]: Disconnected from authenticating user root 100.104.228.133 port 54287 [preauth]
Jun 2 11:40:07 iZwz9594tvykhrc0ajmm9gZ sshd[49928]: Connection closed by authenticating user root 27.154.255.221 port 3946 [preauth]
Jun 2 11:46:05 iZwz9594tvykhrc0ajmm9gZ sshd[49937]: Connection closed by authenticating user root 27.154.255.221 port 3316 [preauth]
ssh -v 的错误信息也不足以判断是什么错误信息
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
$ ssh -v -i .ssh/id_rsa root@120.1.2.3
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,sk-ssh-ed25519@openssh.com,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp256@openssh.com,webauthn-sk-ecdsa-sha2-nistp256@openssh.com>^M
debug1: SSH2_MSG_SERVICE_ACCEPT received^M
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic^M
debug1: Next authentication method: gssapi-with-mic^M
debug1: No credentials were supplied, or the credentials were unavailable or inaccessible
No Kerberos credentials available (default cache: KCM:)
debug1: No credentials were supplied, or the credentials were unavailable or inaccessible
No Kerberos credentials available (default cache: KCM:)
debug1: Next authentication method: publickey
debug1: Offering public key: .ssh/id_rsa RSA SHA256:6Ye0PJ3T3qNAZ/TiLtaOJSehdXFRKieFKU66WaMHYgM explicit^M
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic^M
debug1: No more authentication methods to try.^M
root@120.24.224.44: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
最终,通过生成目前推荐的最新类型的 ssh 证书解决了问题。
1
ssh-keygen -t ed25519
