Wednesday, October 17, 2012

ssh Authentication refused

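Today one of our company's environments, for reasons unknown, kept refusing the ssh key: every login attempt still asked for a password. I then tried running ssh -vvv on the client to look at the messages, and got: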

debug3: load_hostkeys: loading entries for host "172.16.15.139" from file "/root/.ssh/known_hosts"
debug3: load_hostkeys: found key type RSA in file /root/.ssh/known_hosts:21
debug3: load_hostkeys: loaded 1 keys
debug1: Host '192.168.0.1' is known and matches the RSA host key.
debug1: Found key in /root/.ssh/known_hosts:21
debug2: bits set: 512/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /root/.ssh/id_rsa (0x7f91407b54f0)
debug2: key: /root/.ssh/id_dsa ((nil))
debug2: key: /root/.ssh/id_ecdsa ((nil))
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug3: start over, passed a different list publickey,gssapi-with-mic,password
debug3: preferred publickey
debug3: authmethod_lookup publickey
debug3: remaining preferred:
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /root/.ssh/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Trying private key: /root/.ssh/id_dsa
debug3: no such identity: /root/.ssh/id_dsa
debug1: Trying private key: /root/.ssh/id_ecdsa
debug3: no such identity: /root/.ssh/id_ecdsa
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
Permission denied (publickey,gssapi-with-mic,password).


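It seemed to be related to permissions, but after a long look, both the private key on the client and the public key file on the server appeared normal. After searching online for a bit, I came across an article mentioning that /var/log/secure on the server gives the exact error log.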

Authentication refused: bad ownership or modes for directory /root

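Looking more closely, I found that someone had changed the permissions on /root from 750 to 755, and the sshd configuration file (/etc/init.d/sshd) has a parameter, StrictModes, that is related to this: if any directory along the whole path has wrong permissions, use of the public key is blocked.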
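
The path walk described above can be reproduced on the server before touching sshd. This is an added example, not code from the original post: it assumes the rule is "owned by the user or root, and not group- or world-writable" for every component from the key file up to the home directory, it assumes GNU stat, and the function name check_strictmodes is made up here.

```shell
#!/bin/sh
# Added example (not from the original post). Approximates the StrictModes
# path walk: every component from the key file up to the home directory must
# be owned by the user or root and must not be group- or world-writable.
# Assumes GNU stat (stat -c); function and variable names are hypothetical.

check_strictmodes() {   # usage: check_strictmodes KEYFILE HOMEDIR UID
    path=$1 home=$2 uid=$3 bad=0
    while :; do
        # %u = numeric owner, %a = octal permission bits
        info=$(stat -c '%u %a' "$path") || return 2
        owner=${info% *} mode=${info#* }
        if [ "$owner" != "$uid" ] && [ "$owner" != 0 ]; then
            echo "bad owner: $path (uid $owner)"; bad=1
        fi
        # 022 = group-write | other-write
        if [ $(( 0$mode & 022 )) -ne 0 ]; then
            echo "bad mode:  $path ($mode)"; bad=1
        fi
        # Stop once the home directory (or /) has been checked.
        if [ "$path" = "$home" ] || [ "$path" = / ]; then break; fi
        path=$(dirname "$path")
    done
    return $bad
}

# Stand-alone use: sh script.sh /root/.ssh/authorized_keys /root 0
if [ "$#" -eq 3 ]; then
    check_strictmodes "$@"
fi
```

Exit status 0 means every component passed, 1 means at least one was reported, 2 means a component could not be read.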

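It ended up taking an hour to track down the cause, but this is a shared development environment after all, so running into this kind of situation is hard to avoid.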