前阵子搭建Hadoop时,配置了本机(localhost)的ssh的公钥到authorized_keys文件中,但是在ssh连接localhost时仍然提示需要输入密码,后来发现是$HOME/.ssh/authorized_keys这个文件的权限问题引起的。其原因是,不能让所有者之外的用户对authorized_keys文件有写权限,否则,sshd将不允许使用该文件,因为它可能会被其他用户篡改。
命令行的演示如下:
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
|
[hadoop@guest1 ~]$ cd .ssh/[hadoop@guest1 .ssh]$ lltotal 16-rw-rw-r--1 hadoop hadoop 395 Jan 1218:37 authorized_keys-rw-------1 hadoop hadoop 1675 Jan 1218:36 id_rsa-rw-r--r--1 hadoop hadoop 395 Jan 1218:36 id_rsa.pub-rw-r--r--1 hadoop hadoop 796 Jan 6 08:40 known_hosts#注意这里的authorized_keys文件的权限;这时该文件中的key是不起作用的。#用chmod修改authorized_keys文件的权限[hadoop@guest1 .ssh]$ chmod g-w authorized_keys[hadoop@guest1 .ssh]$ lltotal 16-rw-r--r--1 hadoop hadoop 395 Jan 1218:37 authorized_keys-rw-------1 hadoop hadoop 1675 Jan 1218:36 id_rsa-rw-r--r--1 hadoop hadoop 395 Jan 1218:36 id_rsa.pub-rw-r--r--1 hadoop hadoop 796 Jan 6 08:40 known_hosts #修改后,sshd就可以正常使用authorized_keys文件了[hadoop@guest1 ~]$ ssh localhostLast login: Sat Jan 1218:40:332013 from localhost[hadoop@guest1 ~]$ exitlogoutConnection to localhost closed.[hadoop@guest1 ~]$ |
后来,我详细查了一下,如果authorized_keys文件、$HOME/.ssh目录 或 $HOME目录让本用户之外的用户有写权限,那么sshd都会拒绝使用 ~/.ssh/authorized_keys 文件中的key来进行认证的。
“man sshd”命令查看对authorized_keys文件的描述如下:
|
1
2
3
4
5
6
7
8
9
10
11
|
man sshd..... ~/.ssh/authorized_keys Lists the public keys (DSA/ECDSA/RSA) that can be used for logging in as this user. The format of this file is described above. The content of the file is not highly sensitive, but the recommended permissions are read/write for the user, and not accessible by others. If this file, the ~/.ssh directory, or the user's home directory are writable by other users, then the file could be modified or replaced by unauthorized users. In this case, sshd will not allow it to be used unless the StrictModes option has been set to “no”......... |