SSH configuration pitfalls

Last night I spent half the evening fighting with SSH configuration again. I've lost count of how many times I've tripped over this, so it's time to write down how to work through the problem.

Docker setup

I'm doing all of this inside Docker. First find the image you want at https://hub.docker.com/search?q=gcc5&type=image, then pull it and run it (see https://github.com/dongyubin/DockerHub for registry proxies that currently work).

~ docker pull proxy.vvvv.ee/conanio/gcc5
~ docker run -it -p2222:22 proxy.vvvv.ee/conanio/gcc5 /bin/bash

Then log in and install the basic SSH dependencies.

~ sudo -i
~ apt-get update && apt-get install -y ssh vim net-tools lrzsz

Then install the logging dependency for SSH. This step matters: the SSH server in a Docker container has no logging at all by default, and last night I spent most of my time guessing at the problem because there were no error logs to read.

~ sudo -i
~ apt-get install -y rsyslog
~ rsyslogd

SSH client setup

If you don't have a key yet, generate one. I'll generate one here as the example.

You will be prompted for a passphrase at this point.

~ ssh-keygen -t rsa -o
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:e8eKzBMhXH/g5IClf3jA4TAYtZ8zolUC0gV6WP6RnX4 root@01a8b1195c7e
The key's randomart image is:
+---[RSA 2048]----+
| ..=*=oo |
| *o..Xooo |
| o o.*.B* . |
| . .oB.++ . |
| +.S.E. |
| o ..B . |
| . ... o |
| o.o o |
| +.. |
+----[SHA256]-----+

If you already have a key, watch out for the following:

  • The key's algorithm may be too old and disabled by default, in which case the client has to be configured to accept it again.

    ~ cat ~/.ssh/config
    Host x.x.x.x
    HostName x.x.x.x
    User root
    Port 2222
    PubkeyAcceptedKeyTypes +ssh-dss
  • The private key's permissions must not be too open, or ssh will refuse it with an error like this:

    Permissions 0777 for '~/.ssh/id_rsa' are too open.
    It is recommended that your private key files are NOT accessible by others.
    This private key will be ignored.
  • Verify that the private key and the public key really belong together: both should report the same fingerprint.

    ~ ssh-keygen -lf ~/.ssh/id_rsa
    2048 SHA256:e8eKzBMhXH/g5IClf3jA4TAYtZ8zolUC0gV6WP6RnX4 root@01a8b1195c7e (RSA)
    ~ ssh-keygen -lf ~/.ssh/id_rsa.pub
    2048 SHA256:e8eKzBMhXH/g5IClf3jA4TAYtZ8zolUC0gV6WP6RnX4 root@01a8b1195c7e (RSA)

SSH server setup

To get more detail in the logs, change the sshd log level from the default INFO to DEBUG in sshd_config:

SyslogFacility AUTH
LogLevel DEBUG

Then allow root to log in:

PermitRootLogin yes

Then set the authorized keys file:

AuthorizedKeysFile ~/.ssh/authorized_keys

Now write the contents of the public key file generated above into ~/.ssh/authorized_keys.

After writing it, check that nothing was mis-copied by generating the fingerprint of the line you added and comparing it with the key's own fingerprint (I lost a long time because I had dropped a single character).

~ tail -n 1 ~/.ssh/authorized_keys | ssh-keygen -lf -
2048 SHA256:e8eKzBMhXH/g5IClf3jA4TAYtZ8zolUC0gV6WP6RnX4 root@01a8b1195c7e (RSA)
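The two fingerprint checks above (private key against public key, and the pasted authorized_keys line against the key) both rely on the same thing: OpenSSH's SHA256 fingerprint is the SHA-256 digest of the public key blob, base64-encoded with the padding stripped. The following is an added example, not code from the original post, that computes that fingerprint in pure Python and checks every line of an authorized_keys file for the exact failure described (one dropped character) as well as for a well-formed but different key. The sample file, the toy RSA moduli and the names check_authorized_keys, parse_rsa_blob and fingerprint are all constructed for this example; lines with an options= prefix are not handled.

```python
import base64
import binascii
import hashlib
import struct

# Two toy RSA public keys constructed for this example (not real keys: the
# moduli are a set top bit plus a small constant). Only the wire encoding
# matters here, because the fingerprint is computed over the encoded blob.
_E = 65537
_N_2048 = (1 << 2047) | 0x10001   # 2048-bit modulus
_N_1024 = (1 << 1023) | 0x10001   # 1024-bit modulus (a different, valid key)


def _string(b: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(b)) + b


def _mpint(v: int) -> bytes:
    """SSH wire-format mpint for a non-negative integer (RFC 4251): big-endian
    bytes with one leading 0x00 whenever the top bit would otherwise be set."""
    raw = v.to_bytes((v.bit_length() + 8) // 8, "big")
    return _string(raw)


def make_rsa_blob(n: int, e: int = _E) -> bytes:
    """Build an 'ssh-rsa' public key blob: string "ssh-rsa", mpint e, mpint n."""
    return _string(b"ssh-rsa") + _mpint(e) + _mpint(n)


def fingerprint(blob: bytes) -> str:
    """OpenSSH SHA256 fingerprint: base64 of SHA-256(blob) with '=' padding removed."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_rsa_blob(blob: bytes):
    """Decode an ssh-rsa blob into (type, e, n). Raises ValueError when the blob
    is truncated or has trailing bytes, which is what a mis-copied line gives."""
    pos, fields = 0, []
    for _ in range(3):
        if pos + 4 > len(blob):
            raise ValueError("blob truncated in length prefix")
        (length,) = struct.unpack(">I", blob[pos:pos + 4])
        pos += 4
        if pos + length > len(blob):
            raise ValueError("blob truncated inside field")
        fields.append(blob[pos:pos + length])
        pos += length
    if pos != len(blob):
        raise ValueError("trailing bytes after key")
    ktype = fields[0].decode("ascii", errors="replace")
    if ktype != "ssh-rsa":
        raise ValueError(f"unsupported key type {ktype!r}")
    return ktype, int.from_bytes(fields[1], "big"), int.from_bytes(fields[2], "big")


def check_authorized_keys(text: str, expected_fp: str) -> list:
    """Check each key line of an authorized_keys file against the client key's
    fingerprint. One dict per key line: status 'match', 'valid' (well-formed but
    a different key) or 'corrupt'. Assumes no options= prefix on the lines."""
    results = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 2:
            results.append({"line": lineno, "status": "corrupt", "reason": "missing key field"})
            continue
        declared_type, b64 = parts[0], parts[1]
        try:
            blob = base64.b64decode(b64, validate=True)  # a dropped character breaks padding
            ktype, _e, n = parse_rsa_blob(blob)
        except (ValueError, binascii.Error) as exc:
            results.append({"line": lineno, "status": "corrupt", "reason": str(exc)})
            continue
        if ktype != declared_type:
            results.append({"line": lineno, "status": "corrupt",
                            "reason": f"type field {declared_type} != blob type {ktype}"})
            continue
        fp = fingerprint(blob)
        results.append({"line": lineno, "status": "match" if fp == expected_fp else "valid",
                        "fingerprint": fp, "bits": n.bit_length()})
    return results


# Constructed sample authorized_keys: a correct line, the same line with one
# base64 character dropped (the mis-copy from the text), and a different valid key.
_GOOD_B64 = base64.b64encode(make_rsa_blob(_N_2048)).decode()
_OTHER_B64 = base64.b64encode(make_rsa_blob(_N_1024)).decode()
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample, not a real key file",
    f"ssh-rsa {_GOOD_B64} root@example",
    f"ssh-rsa {_GOOD_B64[:-1]} root@example",
    f"ssh-rsa {_OTHER_B64} other@example",
])
# What `ssh-keygen -lf id_rsa` would print for the 2048-bit toy key.
EXPECTED_FP = fingerprint(make_rsa_blob(_N_2048))

if __name__ == "__main__":
    for r in check_authorized_keys(SAMPLE_AUTHORIZED_KEYS, EXPECTED_FP):
        print(r)
```

Run against a real file, replace SAMPLE_AUTHORIZED_KEYS with the file contents and EXPECTED_FP with the output of `ssh-keygen -lf ~/.ssh/id_rsa`; a 'corrupt' line is the copy error, a 'valid' line without a 'match' means the right key was never pasted.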

Starting the SSH server

Configure it to start automatically on boot:

~ echo '' > /etc/rc.local && echo '/etc/init.d/ssh start' >> /etc/rc.local && echo 'rsyslogd' >> /etc/rc.local

Now the SSH server can be started:

~ /etc/init.d/ssh start

Troubleshooting

If you've followed the full setup above, you should be able to connect.

Client side

If something goes wrong, start with the client-side log:

  • -o PreferredAuthentications=publickey

    Force public-key authentication

  • -v

    Print verbose output

~ ssh -v -o PreferredAuthentications=publickey -i ~/.ssh/id_rsa root@x.x.x.x

If the problem is the outdated key algorithm mentioned above, or the too-open permissions on the local key file, it will show up in this output, and you can hand the output to an AI to analyze.

Server side

The server log is in /var/log/auth.log and can likewise be handed to an AI for analysis.

If the client's private key matches one of the public keys in /root/.ssh/authorized_keys, the log looks like this:

Aug 21 16:54:38 01a8b1195c7e sshd[25813]: debug1: trying public key file /root/.ssh/authorized_keys
Aug 21 16:54:38 01a8b1195c7e sshd[25813]: debug1: fd 4 clearing O_NONBLOCK
Aug 21 16:54:38 01a8b1195c7e sshd[25813]: debug1: matching key found: file /root/.ssh/authorized_keys, line 1 RSA SHA256:FmAzzqczXWzJTxjLD1PrzVSx61iqYr7qfMFqPOfSD2I

Conversely, if none of them match, the log shows:

Aug 21 16:49:24 01a8b1195c7e sshd[25802]: debug1: trying public key file /root/.ssh/authorized_keys
Aug 21 16:49:24 01a8b1195c7e sshd[25802]: debug1: fd 4 clearing O_NONBLOCK
Aug 21 16:49:24 01a8b1195c7e sshd[25802]: debug1: restore_uid: 0/0
Aug 21 16:49:24 01a8b1195c7e sshd[25802]: Failed publickey for root from 172.21.44.29 port 4665 ssh2: RSA SHA256:FmAzzqczXWzJTxjLD1PrzVSx61iqYr7qfMFqPOfSD2I
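The useful detail in both excerpts is the fingerprint: on success sshd reports which authorized_keys line matched, and on failure it reports the fingerprint of the key the client offered, so comparing that with `ssh-keygen -lf` on the client tells you which side to fix. The following is an added example, not code from the original post, that parses the two excerpts above (grouped by sshd PID, one PID per connection attempt) and turns them into that verdict. The function names summarize_auth_log and diagnose and the wording of the verdicts are this example's own; only the "matching key found" and "Failed publickey" message formats quoted on the page are recognised.

```python
import re

# Syslog prefix as written to /var/log/auth.log, then the two sshd messages this
# example understands (formats taken from the excerpts in the text).
_PREFIX_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
_MATCH_RE = re.compile(
    r"^debug1: matching key found: file (?P<file>\S+), line (?P<line>\d+) (?P<ktype>\S+) (?P<fp>SHA256:\S+)$")
_FAIL_RE = re.compile(
    r"^Failed publickey for (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+) ssh2: (?P<ktype>\S+) (?P<fp>SHA256:\S+)$")


def summarize_auth_log(lines):
    """Group sshd lines by PID and record the public-key outcome per attempt:
    'matched' with the authorized_keys line that hit, or 'failed' with the
    fingerprint the client offered. Returns {pid: info}."""
    attempts = {}
    for raw in lines:
        m = _PREFIX_RE.match(raw.strip())
        if not m:
            continue
        pid, msg = m["pid"], m["msg"]
        info = attempts.setdefault(pid, {"host": m["host"], "result": "unknown"})
        hit = _MATCH_RE.match(msg)
        if hit:
            info.update(result="matched", file=hit["file"], line=int(hit["line"]),
                        fingerprint=hit["fp"], ktype=hit["ktype"])
            continue
        fail = _FAIL_RE.match(msg)
        if fail:
            info.update(result="failed", user=fail["user"], ip=fail["ip"],
                        port=int(fail["port"]), fingerprint=fail["fp"], ktype=fail["ktype"])
    return attempts


def diagnose(info, client_fp):
    """Compare the fingerprint sshd logged with the client key's fingerprint
    (the `ssh-keygen -lf` output) and say which side to look at."""
    if info["result"] == "matched":
        return f"ok: key matched {info['file']} line {info['line']}"
    if info["result"] != "failed":
        return "no public-key verdict logged for this PID (check LogLevel DEBUG and that rsyslogd is running)"
    if info["fingerprint"] == client_fp:
        return ("client offered the expected key, but no line in authorized_keys has that "
                "fingerprint: re-check the copied public key")
    return f"client offered a different key ({info['fingerprint']}): check -i / IdentityFile on the client"


# The two sshd excerpts quoted in the text: a successful match, then a failure.
SAMPLE_AUTH_LOG = """\
Aug 21 16:54:38 01a8b1195c7e sshd[25813]: debug1: trying public key file /root/.ssh/authorized_keys
Aug 21 16:54:38 01a8b1195c7e sshd[25813]: debug1: fd 4 clearing O_NONBLOCK
Aug 21 16:54:38 01a8b1195c7e sshd[25813]: debug1: matching key found: file /root/.ssh/authorized_keys, line 1 RSA SHA256:FmAzzqczXWzJTxjLD1PrzVSx61iqYr7qfMFqPOfSD2I
Aug 21 16:49:24 01a8b1195c7e sshd[25802]: debug1: trying public key file /root/.ssh/authorized_keys
Aug 21 16:49:24 01a8b1195c7e sshd[25802]: debug1: fd 4 clearing O_NONBLOCK
Aug 21 16:49:24 01a8b1195c7e sshd[25802]: debug1: restore_uid: 0/0
Aug 21 16:49:24 01a8b1195c7e sshd[25802]: Failed publickey for root from 172.21.44.29 port 4665 ssh2: RSA SHA256:FmAzzqczXWzJTxjLD1PrzVSx61iqYr7qfMFqPOfSD2I
""".splitlines()

# The client key fingerprint, taken from the log lines above.
CLIENT_FP = "SHA256:FmAzzqczXWzJTxjLD1PrzVSx61iqYr7qfMFqPOfSD2I"

if __name__ == "__main__":
    for pid, info in summarize_auth_log(SAMPLE_AUTH_LOG).items():
        print(pid, info["result"], "->", diagnose(info, CLIENT_FP))
```

Feed it `grep sshd /var/log/auth.log` and the fingerprint from `ssh-keygen -lf ~/.ssh/id_rsa` on the client; a 'failed' attempt whose fingerprint equals the client's means the authorized_keys line is wrong, a different fingerprint means the client is offering some other key.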