
Adding SSH Key Login and Troubleshooting


1. Steps to add a key

1.1 Generate an SSH key on the client

There are two key formats:

  • Old format: the private key starts with -----BEGIN RSA PRIVATE KEY-----

```bash
ssh-keygen -m PEM -t rsa -b 4096 -C "[email protected]"
```

  • New format: the private key starts with -----BEGIN OPENSSH PRIVATE KEY-----

```bash
ssh-keygen -t rsa -b 4096 -C "[email protected]"
```

Because some older systems do not support the new key format, I recommend generating an old-format key. If you are already using a new-format key, the puttygen tool can convert it to the old format.

1.2 Make sure sshd on the server allows key login

Edit /etc/ssh/sshd_config and make sure the following settings are enabled:

```
PubkeyAuthentication yes
AuthorizedKeysFile	.ssh/authorized_keys
PermitRootLogin yes
PasswordAuthentication yes
```

Until key login is confirmed working, keep the PasswordAuthentication login method available. Whether to allow root login depends on your requirements; it is usually disabled.

After changing the sshd configuration, test the configuration file first:

```bash
sshd -t
```

Once it reports no errors, restart sshd:

```bash
systemctl restart sshd
```

1.3 Add the client's key to authorized_keys on the server

Edit the authorized_keys file of the login user and add the public key. On the client, the public key is stored in ~/.ssh/id_rsa.pub.

  • Get the public key on the client

```bash
cat ~/.ssh/id_rsa.pub

xxxx
```

  • Add the public key on the server

```bash
vim ~/.ssh/authorized_keys
```
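The manual step above (paste the key into authorized_keys with vim) is easy to get slightly wrong: a duplicate line, a directory created with the wrong mode, or a pasted line that is not a key at all. Here is a small POSIX sh script, added here as an example and not part of the original post, that does the same thing idempotently and sets the modes the post recommends in section 4. The optional second argument (target home directory) and the demo key material are assumptions added so it can be run against a throwaway directory.

```shell
#!/bin/sh
# Added example (not from the original post): add a client public key to the
# login user's ~/.ssh/authorized_keys, idempotently and with the modes sshd
# expects. POSIX sh; the optional second argument (home directory) is an
# assumption added for testing against a throwaway directory.

# Accept only lines that look like an OpenSSH public key: a known key type,
# a base64 blob, and an optional comment.
is_valid_pubkey() {
    printf '%s\n' "$1" | grep -Eq \
        '^(ssh-(rsa|ed25519|dss)|ecdsa-sha2-nistp(256|384|521)|sk-(ssh-ed25519|ecdsa-sha2-nistp256)@openssh\.com) [A-Za-z0-9+/]+=*( .*)?$'
}

# install_authorized_key "<public key line>" [home]
# Exit 0 when the key is present afterwards (added now or already there),
# 1 when the argument is not a public key line.
install_authorized_key() {
    key=$1
    home=${2:-$HOME}
    is_valid_pubkey "$key" || { echo "refusing: not a public key line" >&2; return 1; }
    blob=$(printf '%s\n' "$key" | awk '{ print $2 }')

    old_umask=$(umask)
    umask 077                     # anything created below is private from the start
    mkdir -p "$home/.ssh"
    touch "$home/.ssh/authorized_keys"
    umask "$old_umask"
    chmod 700 "$home/.ssh"        # the modes the post recommends in section 4
    chmod 600 "$home/.ssh/authorized_keys"

    # Compare the key material (field 2), not the whole line, so re-running with
    # a different comment does not append a duplicate.
    if awk -v b="$blob" '$2 == b { found = 1 } END { exit !found }' "$home/.ssh/authorized_keys"; then
        echo "key already present in $home/.ssh/authorized_keys" >&2
        return 0
    fi
    printf '%s\n' "$key" >> "$home/.ssh/authorized_keys"
}

# Number of key lines in authorized_keys (blank lines and comments skipped).
count_authorized_keys() {
    grep -Evc '^[[:space:]]*(#|$)' "${1:-$HOME}/.ssh/authorized_keys"
}

# Demo on a throwaway directory with a constructed (not real) ed25519 key.
demo_home=$(mktemp -d)
demo_key='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGRlbW8tcGxhY2Vob2xkZXItbm90LWEtcmVhbC1rZXk= demo-key'
install_authorized_key "$demo_key" "$demo_home"
install_authorized_key "$demo_key" "$demo_home"   # second run is a no-op
echo "keys in file: $(count_authorized_keys "$demo_home")"   # 1
rm -rf "$demo_home"
```

On a real host call `install_authorized_key "$(cat id_rsa.pub)"` as the login user; deduplicating on the key blob rather than the whole line is what keeps repeated runs from growing the file.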

At this point, under normal circumstances, you can log in with the key. But you always run into some problem or other and cannot get it configured in one go. I once ran into a case on CentOS 7.6 where configuring a key for root never worked. After putting up with password login for about half a year, I finally looked at the sshd log and found the clue: it was a permissions problem with the home directory. Below are some common troubleshooting methods.

2. Check the ssh client log

Use the -v flag to see verbose output.

```
ssh [email protected] -v

OpenSSH_8.9p1, OpenSSL 1.1.1m  14 Dec 2021
debug1: Reading configuration data /Users/shaowenchen/.ssh/config
debug1: Reading configuration data /usr/local/etc/ssh/ssh_config
debug1: Connecting to 1.1.1.1 port 22.
debug1: Connection established.
debug1: identity file /Users/shaowenchen/.ssh/id_rsa type 0
debug1: identity file /Users/shaowenchen/.ssh/id_rsa-cert type -1
debug1: identity file /Users/shaowenchen/.ssh/id_ecdsa type -1
debug1: identity file /Users/shaowenchen/.ssh/id_ecdsa-cert type -1
debug1: identity file /Users/shaowenchen/.ssh/id_ecdsa_sk type -1
debug1: identity file /Users/shaowenchen/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file /Users/shaowenchen/.ssh/id_ed25519 type -1
debug1: identity file /Users/shaowenchen/.ssh/id_ed25519-cert type -1
debug1: identity file /Users/shaowenchen/.ssh/id_ed25519_sk type -1
debug1: identity file /Users/shaowenchen/.ssh/id_ed25519_sk-cert type -1
debug1: identity file /Users/shaowenchen/.ssh/id_xmss type -1
debug1: identity file /Users/shaowenchen/.ssh/id_xmss-cert type -1
debug1: identity file /Users/shaowenchen/.ssh/id_dsa type -1
debug1: identity file /Users/shaowenchen/.ssh/id_dsa-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.9
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.4
debug1: compat_banner: match: OpenSSH_7.4 pat OpenSSH_7.4* compat 0x04000006
debug1: Authenticating to 1.1.1.1:22 as 'root'
debug1: load_hostkeys: fopen /Users/shaowenchen/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /usr/local/etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /usr/local/etc/ssh/ssh_known_hosts2: No such file or directory
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: [email protected] MAC: <implicit> compression: none
debug1: kex: client->server cipher: [email protected] MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: SSH2_MSG_KEX_ECDH_REPLY received
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:dIN1fBcDGeQ07m3An2G+p5sNC0Sx9TEAg95qXSs01s8
debug1: load_hostkeys: fopen /Users/shaowenchen/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /usr/local/etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /usr/local/etc/ssh/ssh_known_hosts2: No such file or directory
debug1: Host '1.1.1.1' is known and matches the ECDSA host key.
debug1: Found key in /Users/shaowenchen/.ssh/known_hosts:2
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 134217728 blocks
debug1: get_agent_identities: ssh_fetch_identitylist: agent contains no identities
debug1: Will attempt key: /Users/shaowenchen/.ssh/id_rsa RSA SHA256:xxx/bYCe3TYhQ68gJA
debug1: Will attempt key: /Users/shaowenchen/.ssh/id_ecdsa
debug1: Will attempt key: /Users/shaowenchen/.ssh/id_ecdsa_sk
debug1: Will attempt key: /Users/shaowenchen/.ssh/id_ed25519
debug1: Will attempt key: /Users/shaowenchen/.ssh/id_ed25519_sk
debug1: Will attempt key: /Users/shaowenchen/.ssh/id_xmss
debug1: Will attempt key: /Users/shaowenchen/.ssh/id_dsa
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<rsa-sha2-256,rsa-sha2-512>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug1: Next authentication method: publickey
debug1: Offering public key: /Users/shaowenchen/.ssh/id_rsa RSA SHA256:xxx/xxx
debug1: Server accepts key: /Users/shaowenchen/.ssh/id_rsa RSA SHA256:xxx/xxx
Authenticated to 1.1.1.1 using "publickey".
debug1: channel 0: new [client-session]
debug1: Requesting [email protected]
debug1: Entering interactive session.
debug1: pledge: filesystem
debug1: client_input_global_request: rtype [email protected] want_reply 0
debug1: client_input_hostkeys: searching /Users/shaowenchen/.ssh/known_hosts for 1.1.1.1 / (none)
debug1: client_input_hostkeys: searching /Users/shaowenchen/.ssh/known_hosts2 for 1.1.1.1 / (none)
debug1: client_input_hostkeys: hostkeys file /Users/shaowenchen/.ssh/known_hosts2 does not exist
debug1: client_global_hostkeys_private_confirm: server used untrusted RSA signature algorithm ssh-rsa for key 0, disregarding
Learned new hostkey: ED25519 SHA256:xxx/xxx
Adding new key for 1.1.1.1 to /Users/shaowenchen/.ssh/known_hosts: ssh-ed25519 SHA256:xxx/xxx
debug1: update_known_hosts: known hosts file /Users/shaowenchen/.ssh/known_hosts2 does not exist
```

As you can see, the ssh client tries each available authentication method in turn until one succeeds; if every method has been tried without success, it reports an error.

3. Check the sshd log

The sshd log is easy to overlook, but it provides very useful information.

```
journalctl -u sshd -f

-- Logs begin at Wed 2021-12-15 10:44:46 CST. --
Mar 09 19:56:22 node1 sshd[171565]: Accepted publickey for root from 1.1.1.1 port 61832 ssh2: RSA SHA256:xxx/xxx
Mar 10 08:17:15 node1 sshd[2028880]: Accepted publickey for root from 1.1.1.1 port 63966 ssh2: RSA SHA256:xxx/xxx
Mar 10 08:23:49 node1 sshd[2045429]: Accepted publickey for root from 1.1.1.1 port 64047 ssh2: RSA SHA256:xxx/xxx
Mar 10 08:32:11 node1 systemd[1]: Stopping OpenSSH server daemon...
Mar 10 08:32:11 node1 sshd[171382]: Received signal 15; terminating.
Mar 10 08:32:11 node1 systemd[1]: Stopped OpenSSH server daemon.
Mar 10 08:32:11 node1 systemd[1]: Starting OpenSSH server daemon...
Mar 10 08:32:11 node1 sshd[2066365]: Server listening on 0.0.0.0 port 22.
Mar 10 08:32:11 node1 sshd[2066365]: Server listening on :: port 22.
```

The problem I hit was this log line: sshd[7302]: Authentication refused: bad ownership or modes for directory /root. Only then did I realize the user's home directory permissions were wrong.
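Reading the journal by eye works for one host, but the same clue can be pulled out mechanically. The POSIX sh script below is an added example, not part of the original post: it runs three small awk filters over a batch of sshd log lines and reports StrictModes rejections (the "bad ownership or modes" message from the post), successful logins grouped by method, and password failures grouped by source address. The lines in SAMPLE_LOG are constructed for the demo; host name, PIDs, addresses and the fingerprint are placeholders. In practice you would feed it the output of `journalctl -u sshd --no-pager`.

```shell
#!/bin/sh
# Added example (not from the original post): triage sshd journal lines for
# the failure the post describes and for who is still logging in by password.
# SAMPLE_LOG is constructed for the demo; every value in it is a placeholder.

SAMPLE_LOG='Mar 10 08:17:15 node1 sshd[2028880]: Accepted publickey for root from 203.0.113.5 port 63966 ssh2: RSA SHA256:PLACEHOLDER
Mar 10 08:20:01 node1 sshd[7302]: Authentication refused: bad ownership or modes for directory /root
Mar 10 08:20:03 node1 sshd[7302]: Failed password for root from 203.0.113.5 port 64000 ssh2
Mar 10 08:21:10 node1 sshd[7310]: Authentication refused: bad ownership or modes for file /home/alice/.ssh/authorized_keys
Mar 10 08:21:12 node1 sshd[7310]: Failed password for alice from 203.0.113.9 port 50020 ssh2
Mar 10 08:22:30 node1 sshd[7320]: Accepted password for alice from 203.0.113.9 port 50022 ssh2'

# Paths sshd rejected under StrictModes ("bad ownership or modes"), one per
# line. The path is always the last field of that message.
strictmodes_paths() {
    printf '%s\n' "$1" | awk '/Authentication refused: bad ownership or modes for/ { print $NF }' | sort -u
}

# Successful logins grouped by method: "password N" / "publickey N".
# A user who should be on keys but shows up under "password" is the post's
# symptom seen from the server side. Field 7 is the method in the
# "sshd[PID]: Accepted <method> for <user> ..." message.
accepted_by_method() {
    printf '%s\n' "$1" | awk '/sshd\[[0-9]+\]: Accepted / { n[$7]++ } END { for (m in n) print m, n[m] }' | sort
}

# Password failures grouped by source address: "ADDR N". The address is the
# field after "from", which also works for "invalid user" variants.
failed_by_source() {
    printf '%s\n' "$1" | awk '/: Failed password for/ {
        for (i = 1; i <= NF; i++) if ($i == "from") n[$(i + 1)]++
    } END { for (a in n) print a, n[a] }' | sort
}

echo "== StrictModes rejections"; strictmodes_paths "$SAMPLE_LOG"
echo "== accepted by method";     accepted_by_method "$SAMPLE_LOG"
echo "== password failures";      failed_by_source "$SAMPLE_LOG"
```

For a live host, replace the constructed variable with `log=$(journalctl -u sshd --no-pager)` and call the same functions on it; the first report is the one that would have shortened the half-year wait described above.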

4. Check file permissions on the server

Check the permissions of the following directories and files:

  • ~
  • ~/.ssh
  • ~/.ssh/authorized_keys

If they are not as expected, fix them:

```bash
chmod -R 750 ~                    # -R also rewrites the mode of everything under the home directory
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys
```
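Rather than applying the chmod commands blindly, it helps to see which of the three paths sshd actually objects to. The script below is an added example, not part of the original post: it checks each path the way sshd's StrictModes check does (owned by the login user, not writable by group or others), prints one line per problem, and returns the problem count. It assumes GNU stat (Linux); the home and uid arguments are assumptions added so the function can be run against a throwaway directory.

```shell
#!/bin/sh
# Added example (not from the original post): audit the three paths listed in
# section 4 against what sshd's StrictModes check requires. Assumes GNU stat.
# The optional home and uid arguments are assumptions added for testing.

mode_of()      { stat -c '%a' "$1"; }   # octal mode, e.g. 700
owner_uid_of() { stat -c '%u' "$1"; }   # numeric owner

# sshd refuses a home directory, .ssh, or authorized_keys that is writable by
# group or others. Look at the symbolic mode: position 6 is group-write,
# position 9 is other-write (e.g. drwxrwxr-x).
group_or_world_writable() {
    case "$(stat -c '%A' "$1")" in
        ?????w*|????????w*) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_ssh_perms [home] [uid]
# Prints one line per problem; exit status is the number of problems found.
audit_ssh_perms() {
    home=${1:-$HOME}
    uid=${2:-$(id -u)}
    problems=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$p" ]; then
            echo "PROBLEM: $p does not exist"
            problems=$((problems + 1))
            continue
        fi
        if [ "$(owner_uid_of "$p")" != "$uid" ]; then
            echo "PROBLEM: $p is owned by uid $(owner_uid_of "$p"), expected uid $uid"
            problems=$((problems + 1))
        fi
        if group_or_world_writable "$p"; then
            echo "PROBLEM: $p is group- or world-writable (mode $(mode_of "$p"))"
            problems=$((problems + 1))
        fi
    done
    # Tighter than what sshd enforces, but what the post recommends: 700 / 600.
    [ -d "$home/.ssh" ] && [ "$(mode_of "$home/.ssh")" != 700 ] \
        && echo "NOTE: $home/.ssh is $(mode_of "$home/.ssh"); the post recommends 700"
    [ -f "$home/.ssh/authorized_keys" ] && [ "$(mode_of "$home/.ssh/authorized_keys")" != 600 ] \
        && echo "NOTE: authorized_keys is $(mode_of "$home/.ssh/authorized_keys"); the post recommends 600"
    return "$problems"
}

# Demo: a throwaway home that reproduces the post's failure (a writable home
# directory), then the fix from section 4.
demo=$(mktemp -d)
mkdir -p "$demo/.ssh"; touch "$demo/.ssh/authorized_keys"
chmod 777 "$demo"; chmod 700 "$demo/.ssh"; chmod 600 "$demo/.ssh/authorized_keys"
audit_ssh_perms "$demo" || echo "found $? problem(s)"
chmod 750 "$demo"
audit_ssh_perms "$demo" && echo "home directory now acceptable"
rm -rf "$demo"
```

Run it as the user who cannot log in (`audit_ssh_perms`), or as root against another account (`audit_ssh_perms /home/alice "$(id -u alice)"`); a non-zero exit with a PROBLEM line for the home directory is exactly the "bad ownership or modes for directory" case from section 3.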
