ssh-key添加之后依旧需要密码输入Bug的解决

场景重现

要求从10.183.93.181的root用户ssh免密登录至10.110.155.26的boss用户

1.在10.110.155.26 的boss用户下面新建目录.ssh
2.在10.110.155.26 的boss用户下面的.ssh目录中新建文件authorized_keys
3.将10.183.93.181 root用户的公钥放置于authorized_keys中

[boss@10-110-155-26 .ssh]$ cat authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA7p2wqKGCLASL+EC7vSiqccuofUv6sjXif2P6nXbZnbHZLy6Z3+vAijOvHoqxABg+Hfv5XflRjaO9z8PMwvW3A8ECu+2Y/kYPTMuyC1TG9qYNmyfiVH5jIeKbdyHmtbMl5+R1o1Fbo2FvQYU5qANhjHZqxb1omVXnEJhFLxSzNnwhFgRMNUTcf72Cwqfnn0Sr0ea8A9Eok6XvhQQqk44Pn+VfxIiO6Gngi1JGG3q1BCinaiSqnvSOHj0qjdGZZuXX0/G4AEbWHE7yD4Gf2FwyWTKwLiQzBKPqjTbZVI7XGtekhOv0Fx4tvT2kIdX5DQiABfMyZre9k+dT4M0rvmDJ3Q== root@10-183-93-181

4.在root用户之ssh登录boss@10.110.155.26，发现需要密码

bug调试

使用ssh -vv boss@10.110.155.26，在登录过程的时候发现以下显示

debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /root/.ssh/identity ((nil))
debug2: key: /root/.ssh/id_rsa (0x7f42fed4cfe0)
debug2: key: /root/.ssh/id_dsa ((nil))
debug2: key: /root/.ssh/id_ecdsa ((nil))
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Trying private key: /root/.ssh/identity
debug1: Offering public key: /root/.ssh/id_rsa
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,password
debug1: Trying private key: /root/.ssh/id_dsa
debug1: Trying private key: /root/.ssh/id_ecdsa
debug2: we did not send a packet, disable method
debug1: Next authentication method: password
boss@10.110.155.26's password:

ssh -vv没有显示其它异常，只是卡在验证这里

在10.110.155.26上面使用root用户打开sshd的调试模式

[root@10-110-155-26 .ssh]# /usr/sbin/sshd -d -p 4444
debug1: sshd version OpenSSH_5.3p1
debug1: read PEM private key done: type RSA
debug1: private host key: #0 type 1 RSA
debug1: read PEM private key done: type DSA
debug1: private host key: #1 type 2 DSA
debug1: rexec_argv[0]='/usr/sbin/sshd'
debug1: rexec_argv[1]='-d'
debug1: rexec_argv[2]='-p'
debug1: rexec_argv[3]='4444'
Set /proc/self/oom_score_adj from 0 to -1000
debug1: Bind to port 4444 on 0.0.0.0.
Server listening on 0.0.0.0 port 4444.
socket: Address family not supported by protocol

然后再次在10.183.93.181上面进行ssh登录。切换至10.110.155.26上面，查看有一条bug记录

Authentication refused: bad ownership or modes for directory /data/slot0/home/boss/.ssh/

也就说明权限异常

1.查看文件权限

[boss@10-110-155-26 .ssh]$ ll -h
-rw-r--r-- 1 boss boss 1.6K Feb  1 15:28 authorized_keys

由于安全原因，authorized_keys权限不能被其它用户所读取，而该文件因为为手动建立，所以权限为644，chmod 600将其权限变更

将authorized_keys改为600权限后，然后发现ssh登录的时候，依然显示的目录权限异常

2.查看文件目录权限

[boss@10-110-155-26 ~]$ ll -d .ssh/
drwxr-xr-x 2 boss boss 99 Feb  1 16:38 .ssh/

将目录权限改为700，再次登陆，发现ssh ok。

总结

因为ssh安全的原因，所以不管是文件，还是目录，很多权限设定为都不能被group和other用户所读取，当权限不满足时，ssh认证会失败，即使ssh-key完全正确

相关权限列表如下:

1.ssh目录之下的各文件的权限

[boss@10-110-155-26 .ssh]$ ll -h
total 20K
-rw------- 1 boss boss 1.6K Feb  1 15:28 authorized_keys
-rw------- 1 boss boss  400 Feb  1 16:38 authorized_keys2
-rw------- 1 boss boss 1.7K Sep 29 17:45 id_rsa
-rw-r--r-- 1 boss boss  400 Sep 29 17:45 id_rsa.pub
-rw-r--r-- 1 boss boss 2.8K Feb  1 15:22 known_hosts

2..ssh目录的权限

[boss@10-110-155-26 ~]$ ll -d .ssh/
drwx------ 2 boss boss 99 Feb  1 16:38 .ssh/

go用户不能对.ssh目录有w权限，设置成755或者700都可以