CentOS SSH public key login problem

Source: Internet  Editor: 程序博客网  Time: 2024/05/29 09:40

From: http://segmentfault.com/q/1010000000445726

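On an internal network, I want to set up SSH public key login for root. After configuring it, I am still prompted for a password. Symptoms:
On the server, start sshd on a different port: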

$/usr/sbin/sshd -p 1234

Now the client can log in without a password, but the sshd on port 22 still requires a password.

Stop the server's sshd (service) on port 22 and start it manually on port 22:

$/usr/sbin/sshd -p 22

Now the client can log in without a password.

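This is really strange. The key question: if it were a directory-permission problem or a configuration oversight, as people say online, why does starting sshd manually work? Any guidance from the experts would be appreciated.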

Client debug output:

ssh root@git.com -vv
debug1: Next authentication method: publickey
debug1: Trying private key: /c/Users/Zhou/.ssh/identity
debug1: Offering public key: /c/Users/Zhou/.ssh/id_rsa
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Offering public key: /c/Users/Zhou/.ssh/id_dsa
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug2: we did not send a packet, disable method
debug1: Next authentication method: password
root@git.com's password:

Addendum

When using the default auto-started service, the client cannot log in without a password. Output with -vvv:

debug1: Next authentication method: publickey
debug1: Trying private key: /c/Users/Zhou/.ssh/identity
debug3: no such identity: /c/Users/Zhou/.ssh/identity
debug1: Offering public key: /c/Users/Zhou/.ssh/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Offering public key: /c/Users/Zhou/.ssh/id_dsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred: ,password
debug3: authmethod_is_enabled password
debug1: Next authentication method: password

When the service is started with $/usr/sbin/sshd -p 22, the client can log in without a password. Output with -vvv:

debug1: Next authentication method: publickey
debug1: Trying private key: /c/Users/Zhou/.ssh/identity
debug3: no such identity: /c/Users/Zhou/.ssh/identity
debug1: Offering public key: /c/Users/Zhou/.ssh/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Server accepts key: pkalg ssh-rsa blen 277
debug2: input_userauth_pk_ok: fp ca:03:6e:80:a9:5f:7c:12:69:dc:e5:f9:3c:c8:4f:83
debug3: sign_and_send_pubkey
debug1: read PEM private key done: type RSA
debug1: Authentication succeeded (publickey).

sshd_config

#       $OpenBSD: sshd_config,v 1.80 2008/07/02 02:24:18 djm Exp $
# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options change a
# default value.
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
# Disable legacy (protocol version 1) support in the server for new
# installations. In future the default will change to require explicit
# activation of protocol 1
Protocol 2
# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024
# Logging
# obsoletes QuietMode and FascistLogging
SyslogFacility AUTH
#SyslogFacility AUTHPRIV
LogLevel debug
# Authentication:
#LoginGraceTime 2m
PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile      .ssh/authorized_keys
#AuthorizedKeysCommand none
#AuthorizedKeysCommandRunAs nobody
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication yes
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
#KerberosUseKuserok yes
# GSSAPI options
#GSSAPIAuthentication no
GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes
GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
#UsePAM no
UsePAM yes
# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#ShowPatchLevel no
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10
#PermitTunnel no
#ChrootDirectory none
# no default banner path
#Banner none
# override default of no subsystems
Subsystem       sftp    /usr/libexec/openssh/sftp-server
# Example of overriding settings on a per-user basis
#Match User anoncvs
#       X11Forwarding no
#       AllowTcpForwarding no
#       ForceCommand cvs server

How the system-service sshd appears in the process list:

[root@localhost ~]# ps -ef | grep sshd
root      1233     1  0 16:54 ?        00:00:00 /usr/sbin/sshd
root      1444  1233  0 16:55 ?        00:00:00 sshd: root@pts/0

The manually started sshd: /usr/sbin/sshd -d -p 1234

root      1470  1449  0 17:03 pts/0    00:00:00 /usr/sbin/sshd -d -p 1234
root      1471  1233  0 17:03 ?        00:00:00 sshd: root@pts/1



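P_Chou 1.7k  Answered on 2014-03-27

Problem solved: it was because the .ssh directory did not have the ssh_home_t label!! Reset it with the command below. References: "public-key-authentication-fails-only-when-sshd-is-daemon" and "An SSH public key authentication failure caused by SELinux".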

restorecon -r -vv /root/.ssh
[root@localhost ~]# restorecon -r -vv .ssh
restorecon reset /root/.ssh context unconfined_u:object_r:admin_home_t:s0->unconfined_u:object_r:ssh_home_t:s0
restorecon reset /root/.ssh/id_rsa context unconfined_u:object_r:admin_home_t:s0->unconfined_u:object_r:ssh_home_t:s0
restorecon reset /root/.ssh/known_hosts context unconfined_u:object_r:admin_home_t:s0->unconfined_u:object_r:ssh_home_t:s0
restorecon reset /root/.ssh/authorized_keys context unconfined_u:object_r:admin_home_t:s0->unconfined_u:object_r:ssh_home_t:s0
restorecon reset /root/.ssh/id_rsa.pub context unconfined_u:object_r:admin_home_t:s0->unconfined_u:object_r:ssh_home_t:s0

Use this command to view the label of a directory or file:

[root@localhost ~]# ls -laZ
drwx------. root root unconfined_u:object_r:ssh_home_t:s0 .ssh
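
The label check behind this answer, as an added example that is not part of the original post: a shell function that reads "<context> <path>" pairs and lists every path whose SELinux type is not ssh_home_t. The function name, variable names and the sample input are assumptions constructed here; the sample mirrors the contexts shown in the restorecon output above.

```shell
#!/bin/sh
# Added example: flag files under ~/.ssh whose SELinux type is not ssh_home_t.
# Input on stdin: one "<context> <path>" pair per line, which on a live
# system can be produced with GNU stat:
#   stat -c '%C %n' /root/.ssh /root/.ssh/* | mislabeled_paths

EXPECTED_TYPE="ssh_home_t"

# Print "<path> (<type>)" for each input line whose type is not EXPECTED_TYPE.
mislabeled_paths() {
    while read -r mp_context mp_path; do
        # Skip blank lines.
        [ -z "$mp_context" ] && continue
        # A context is user:role:type:level, so the type is field 3.
        mp_type=$(printf '%s\n' "$mp_context" | cut -d: -f3)
        if [ "$mp_type" != "$EXPECTED_TYPE" ]; then
            printf '%s (%s)\n' "$mp_path" "$mp_type"
        fi
    done
}

# Constructed sample: two entries still carry admin_home_t (the state the
# answer describes before restorecon), one already carries ssh_home_t.
SAMPLE_CONTEXTS='unconfined_u:object_r:admin_home_t:s0 /root/.ssh
unconfined_u:object_r:admin_home_t:s0 /root/.ssh/authorized_keys
unconfined_u:object_r:ssh_home_t:s0 /root/.ssh/known_hosts'

# Stand-alone run: list the mislabeled entries in the sample.
printf '%s\n' "$SAMPLE_CONTEXTS" | mislabeled_paths
```

Any path this reports is a candidate for the restorecon command given in the answer; an empty result means the labels already match.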


=========================================================

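I tried two different ways of starting the OpenSSH server on the remote server:

1.  service sshd restart (the client still has to enter a password)

2. /usr/sbin/sshd -p 22 (the client can log in without a password)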


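So I figured there must be a difference in how these two methods start the process. As we all know, starting via service sshd restart is equivalent to running /etc/init.d/sshd restart, so I compared /etc/init.d/sshd on a working machine with the same file on the problem machine and found that their start functions did differ. After replacing it with the start function from the working machine and restarting the server with service sshd restart, the client could also log in without a password!

Below is the complete /etc/init.d/sshd file from the working machine, for reference: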

#!/bin/bash
#
# sshd		Start up the OpenSSH server daemon
#
# chkconfig: 2345 55 25
# description: SSH is a protocol for secure remote shell access. \
#              This service starts up the OpenSSH server daemon.
#
# processname: sshd
# config: /etc/ssh/ssh_host_key
# config: /etc/ssh/ssh_host_key.pub
# config: /etc/ssh/ssh_random_seed
# config: /etc/ssh/sshd_config
# pidfile: /var/run/sshd.pid

### BEGIN INIT INFO
# Provides: sshd
# Required-Start: $local_fs $network $syslog
# Required-Stop: $local_fs $syslog
# Should-Start: $syslog
# Should-Stop: $network $syslog
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: Start up the OpenSSH server daemon
# Description:       SSH is a protocol for secure remote shell access.
#     This service starts up the OpenSSH server daemon.
### END INIT INFO

# source function library
. /etc/rc.d/init.d/functions

# pull in sysconfig settings
[ -f /etc/sysconfig/sshd ] && . /etc/sysconfig/sshd

RETVAL=0
prog="sshd"
lockfile=/var/lock/subsys/$prog

# Some functions to make the below more readable
KEYGEN=/usr/bin/ssh-keygen
SSHD=/usr/sbin/sshd
RSA1_KEY=/etc/ssh/ssh_host_key
RSA_KEY=/etc/ssh/ssh_host_rsa_key
DSA_KEY=/etc/ssh/ssh_host_dsa_key
PID_FILE=/var/run/sshd.pid

runlevel=$(set -- $(runlevel); eval "echo \$$#" )

fips_enabled() {
	if [ -r /proc/sys/crypto/fips_enabled ]; then
		cat /proc/sys/crypto/fips_enabled
	else
		echo 0
	fi
}

do_rsa1_keygen() {
	if [ ! -s $RSA1_KEY -a `fips_enabled` -eq 0 ]; then
		echo -n $"Generating SSH1 RSA host key: "
		rm -f $RSA1_KEY
		if test ! -f $RSA1_KEY && $KEYGEN -q -t rsa1 -f $RSA1_KEY -C '' -N '' >&/dev/null; then
			chmod 600 $RSA1_KEY
			chmod 644 $RSA1_KEY.pub
			if [ -x /sbin/restorecon ]; then
			    /sbin/restorecon $RSA1_KEY.pub
			fi
			success $"RSA1 key generation"
			echo
		else
			failure $"RSA1 key generation"
			echo
			exit 1
		fi
	fi
}

do_rsa_keygen() {
	if [ ! -s $RSA_KEY ]; then
		echo -n $"Generating SSH2 RSA host key: "
		rm -f $RSA_KEY
		if test ! -f $RSA_KEY && $KEYGEN -q -t rsa -f $RSA_KEY -C '' -N '' >&/dev/null; then
			chmod 600 $RSA_KEY
			chmod 644 $RSA_KEY.pub
			if [ -x /sbin/restorecon ]; then
			    /sbin/restorecon $RSA_KEY.pub
			fi
			success $"RSA key generation"
			echo
		else
			failure $"RSA key generation"
			echo
			exit 1
		fi
	fi
}

do_dsa_keygen() {
	if [ ! -s $DSA_KEY ]; then
		echo -n $"Generating SSH2 DSA host key: "
		rm -f $DSA_KEY
		if test ! -f $DSA_KEY && $KEYGEN -q -t dsa -f $DSA_KEY -C '' -N '' >&/dev/null; then
			chmod 600 $DSA_KEY
			chmod 644 $DSA_KEY.pub
			if [ -x /sbin/restorecon ]; then
			    /sbin/restorecon $DSA_KEY.pub
			fi
			success $"DSA key generation"
			echo
		else
			failure $"DSA key generation"
			echo
			exit 1
		fi
	fi
}

do_restart_sanity_check()
{
	$SSHD -t
	RETVAL=$?
	if [ $RETVAL -ne  0 ]; then
		failure $"Configuration file or keys are invalid"
		echo
	fi
}

start()
{
	[ -x $SSHD ] || exit 5
	[ -f /etc/ssh/sshd_config ] || exit 6
	# Create keys if necessary
	if [ "x${AUTOCREATE_SERVER_KEYS}" != xNO ]; then
		do_rsa1_keygen
		do_rsa_keygen
		do_dsa_keygen
	fi

	echo -n $"Starting $prog: "
	$SSHD $OPTIONS && success || failure
	RETVAL=$?
	[ $RETVAL -eq 0 ] && touch $lockfile
	echo
	return $RETVAL
}

stop()
{
	echo -n $"Stopping $prog: "
	if [ -n "`pidfileofproc $SSHD`" ] ; then
	    killproc $SSHD
	else
	    failure $"Stopping $prog"
	fi
	RETVAL=$?
	# if we are in halt or reboot runlevel kill all running sessions
	# so the TCP connections are closed cleanly
	if [ "x$runlevel" = x0 -o "x$runlevel" = x6 ] ; then
	    trap '' TERM
	    killall $prog 2>/dev/null
	    trap TERM
	fi
	[ $RETVAL -eq 0 ] && rm -f $lockfile
	echo
}

reload()
{
	echo -n $"Reloading $prog: "
	if [ -n "`pidfileofproc $SSHD`" ] ; then
	    killproc $SSHD -HUP
	else
	    failure $"Reloading $prog"
	fi
	RETVAL=$?
	echo
}

restart() {
	stop
	start
}

force_reload() {
	restart
}

rh_status() {
	status -p $PID_FILE openssh-daemon
}

rh_status_q() {
	rh_status >/dev/null 2>&1
}

case "$1" in
	start)
		rh_status_q && exit 0
		start
		;;
	stop)
		if ! rh_status_q; then
			rm -f $lockfile
			exit 0
		fi
		stop
		;;
	restart)
		restart
		;;
	reload)
		rh_status_q || exit 7
		reload
		;;
	force-reload)
		force_reload
		;;
	condrestart|try-restart)
		rh_status_q || exit 0
		if [ -f $lockfile ] ; then
			do_restart_sanity_check
			if [ $RETVAL -eq 0 ] ; then
				stop
				# avoid race
				sleep 3
				start
			else
				RETVAL=6
			fi
		fi
		;;
	status)
		rh_status
		RETVAL=$?
		if [ $RETVAL -eq 3 -a -f $lockfile ] ; then
			RETVAL=2
		fi
		;;
	*)
		echo $"Usage: $0 {start|stop|restart|reload|force-reload|condrestart|try-restart|status}"
		RETVAL=2
esac
exit $RETVAL


