V2EX = way to explore
V2EX 是一个关于分享和探索的地方
现在注册
已注册用户请  登录
yuyueMJ
V2EX  ›  SSH

SSH 免密码登录虚拟机上的另一个节点设置失败。。。。。怎么办

  •  1
     
  •   yuyueMJ · 2016-12-19 18:45:07 +08:00 · 4911 次点击
    这是一个创建于 2933 天前的主题,其中的信息可能已经有所发展或是发生改变。

    RT ,

    • 想搭个集群学习一下 hadoop , 首先 hosts 里面是物理机主机名 HP-Pavilion-dv4(Ubuntu14.04)作为 Master 两个虚拟机节点( Ubuntu16.04 )主机名为 workerOne wokerTwo(大小写会有问题把) ,用户名都是 zsx 。
    • 在各个节点上都 ssh-keygen -t dsa 生成了秘钥,并 cat 到 authorized_keys..将物理机子上的 id_dsa.pub 使用 scp 传到两个节点上也用 cat >> 追加到节点的 authorized_keys 里。
    • 现在是物理机 ssh 自己可以免密码登陆。节点虚拟机 ssh 自己都要提示输入密码。物理机 ssh 节点也要求输入密码。不知道哪里的问题。折腾了一天了!能 Google 到的解决方案都试了一下包括:修改 /etc/ssh/sshd_config , 讲.ssh 文件夹改为 700 ,authorized_keys 改为 640 。使用-vvv 打印信息我之前没用过 ssh 看不懂,后面贴出来。

    OpenSSH_6.6.1, OpenSSL 1.0.1f 6 Jan 2014
    debug1: Reading configuration data /etc/ssh/ssh_config
    debug1: /etc/ssh/ssh_config line 19: Applying options for *
    debug2: ssh_connect: needpriv 0
    debug1: Connecting to workerone [172.16.99.129] port 22.
    debug1: Connection established.
    debug1: identity file /home/zsx/.ssh/id_rsa type -1
    debug1: identity file /home/zsx/.ssh/id_rsa-cert type -1
    debug3: Incorrect RSA1 identifier
    debug3: Could not load "/home/zsx/.ssh/id_dsa" as a RSA1 public key
    debug1: identity file /home/zsx/.ssh/id_dsa type 2
    debug1: identity file /home/zsx/.ssh/id_dsa-cert type -1
    debug1: identity file /home/zsx/.ssh/id_ecdsa type -1
    debug1: identity file /home/zsx/.ssh/id_ecdsa-cert type -1
    debug1: identity file /home/zsx/.ssh/id_ed25519 type -1
    debug1: identity file /home/zsx/.ssh/id_ed25519-cert type -1
    debug1: Enabling compatibility mode for protocol 2.0
    debug1: Local version string SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.8
    debug1: Remote protocol version 2.0, remote software version OpenSSH_7.2p2 Ubuntu-4ubuntu2.1
    debug1: match: OpenSSH_7.2p2 Ubuntu-4ubuntu2.1 pat OpenSSH* compat 0x04000000
    debug2: fd 3 setting O_NONBLOCK
    debug3: load_hostkeys: loading entries for host "workerone" from file "/home/zsx/.ssh/known_hosts"
    debug3: load_hostkeys: found key type ECDSA in file /home/zsx/.ssh/known_hosts:2
    debug3: load_hostkeys: loaded 1 keys
    debug3: order_hostkeyalgs: prefer hostkeyalgs: [email protected],ecdsa- [email protected],[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521 debug1: SSH2_MSG_KEXINIT sent
    debug1: SSH2_MSG_KEXINIT received
    debug2: kex_parse_kexinit: [email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 debug2: kex_parse_kexinit: [email protected],[email protected],[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,[email protected],[email protected],[email protected],[email protected],[email protected],ssh-ed25519,ssh-rsa,ssh-dss
    debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,[email protected],[email protected],[email protected],aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected]
    debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,[email protected],[email protected],[email protected],aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected]
    debug2: kex_parse_kexinit: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha1-96- [email protected],[email protected],hmac-md5,hmac-sha1,[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
    debug2: kex_parse_kexinit: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-md5,hmac-sha1,[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
    debug2: kex_parse_kexinit: none,[email protected],zlib
    debug2: kex_parse_kexinit: none,[email protected],zlib
    debug2: kex_parse_kexinit:
    debug2: kex_parse_kexinit:
    debug2: kex_parse_kexinit: first_kex_follows 0
    debug2: kex_parse_kexinit: reserved 0
    debug2: kex_parse_kexinit: [email protected],ecdh-sha2-nistp256,ecdh-sha2- nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1 debug2: kex_parse_kexinit: ssh-rsa,rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519
    debug2: kex_parse_kexinit: [email protected],aes128-ctr,aes192-ctr,aes256ctr,[email protected],[email protected]
    debug2: kex_parse_kexinit: [email protected],aes128-ctr,aes192-ctr,aes256ctr,[email protected],[email protected]
    debug2: kex_parse_kexinit: [email protected],[email protected],hmac-sha2- [email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
    debug2: kex_parse_kexinit: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
    debug2: kex_parse_kexinit: none,[email protected]
    debug2: kex_parse_kexinit: none,[email protected]
    debug2: kex_parse_kexinit:
    debug2: kex_parse_kexinit:
    debug2: kex_parse_kexinit: first_kex_follows 0
    debug2: kex_parse_kexinit: reserved 0
    debug2: mac_setup: setup [email protected]
    debug1: kex: server->client aes128-ctr [email protected] none
    debug2: mac_setup: setup [email protected]
    debug1: kex: client->server aes128-ctr [email protected] none
    debug1: sending SSH2_MSG_KEX_ECDH_INIT
    debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
    debug1: Server host key: ECDSA d9:12:04:aa:13:93:6b:cc:f6:10:e9:a5:3e:de:35:bb
    debug3: load_hostkeys: loading entries for host "workerone" from file "/home/zsx/.ssh/known_hosts"
    debug3: load_hostkeys: found key type ECDSA in file /home/zsx/.ssh/known_hosts:2
    debug3: load_hostkeys: loaded 1 keys
    debug3: load_hostkeys: loading entries for host "172.16.99.129" from file "/home/zsx/.ssh/known_hosts" debug3: load_hostkeys: found key type ECDSA in file /home/zsx/.ssh/known_hosts:3
    debug3: load_hostkeys: loaded 1 keys
    debug1: Host 'workerone' is known and matches the ECDSA host key.
    debug1: Found key in /home/zsx/.ssh/known_hosts:2
    debug1: ssh_ecdsa_verify: signature correct
    debug2: kex_derive_keys
    debug2: set_newkeys: mode 1
    debug1: SSH2_MSG_NEWKEYS sent
    debug1: expecting SSH2_MSG_NEWKEYS
    debug2: set_newkeys: mode 0
    debug1: SSH2_MSG_NEWKEYS received
    debug1: SSH2_MSG_SERVICE_REQUEST sent
    debug2: service_accept: ssh-userauth
    debug1: SSH2_MSG_SERVICE_ACCEPT received
    debug2: key: /home/zsx/.ssh/id_dsa (0x7feb426afd90),
    debug2: key: /home/zsx/.ssh/id_rsa ((nil)),
    debug2: key: /home/zsx/.ssh/id_ecdsa ((nil)),
    debug2: key: /home/zsx/.ssh/id_ed25519 ((nil)),
    debug1: Authentications that can continue: publickey,password
    debug3: start over, passed a different list publickey,password
    debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password
    debug3: authmethod_lookup publickey
    debug3: remaining preferred: keyboard-interactive,password
    debug3: authmethod_is_enabled publickey
    debug1: Next authentication method: publickey
    debug1: Offering DSA public key: /home/zsx/.ssh/id_dsa
    debug3: send_pubkey_test
    debug2: we sent a publickey packet, wait for reply
    debug1: Authentications that can continue: publickey,password
    debug1: Trying private key: /home/zsx/.ssh/id_rsa
    debug3: no such identity: /home/zsx/.ssh/id_rsa: No such file or directory
    debug1: Trying private key: /home/zsx/.ssh/id_ecdsa
    debug3: no such identity: /home/zsx/.ssh/id_ecdsa: No such file or directory
    debug1: Trying private key: /home/zsx/.ssh/id_ed25519
    debug3: no such identity: /home/zsx/.ssh/id_ed25519: No such file or directory
    debug2: we did not send a packet, disable method
    debug3: authmethod_lookup password
    debug3: remaining preferred: ,password
    debug3: authmethod_is_enabled password
    debug1: Next authentication method: password
    zsx@workerone's password:

    12 条回复    2016-12-20 21:30:57 +08:00
    yuyueMJ
        1
    yuyueMJ  
    OP
       2016-12-19 19:06:56 +08:00 via iPhone
    不是有意要贴这么多信息,确实不知道怎么看这个信息,就全贴出来了,望见谅
    hadoop
        2
    hadoop  
       2016-12-19 19:07:31 +08:00
    1. work 节点里需要 ssh 服务需要开启:
    PubkeyAuthentication yes
    AuthorizedKeysFile %h/.ssh/authorized_keys

    2.不建议用 scp 然后 cat 追加 authority key 。 建议在 master 机器上执行 ssh-copy-id -i .ssh/id_rsa.pub workOne 这种自动追小的命令
    ooxxcc
        3
    ooxxcc  
       2016-12-19 19:09:06 +08:00
    debug1: Trying private key: /home/zsx/.ssh/id_rsa
    debug3: no such identity: /home/zsx/.ssh/id_rsa: No such file or directory

    根本没有私钥嘛……
    yuyueMJ
        4
    yuyueMJ  
    OP
       2016-12-19 19:29:23 +08:00
    @ooxxcc 用的是 dsa 。。。
    yuyueMJ
        5
    yuyueMJ  
    OP
       2016-12-19 19:29:45 +08:00
    @ooxxcc 我也不知道为什么会说 rsa
    yuyueMJ
        6
    yuyueMJ  
    OP
       2016-12-19 19:30:54 +08:00
    @hadoop worker 节点能输密码登录自己应该说明 ssh 服务开启了,其他的我再试一下!
    hadoop
        7
    hadoop  
       2016-12-19 19:46:08 +08:00 via Android
    @yuyueMJ 你生成个 rsa 的私钥呗, ssh-keygen -t rsa
    ooxxcc
        8
    ooxxcc  
       2016-12-19 19:48:39 +08:00
    @yuyueMJ 哦看到了,应该是 dsa 验证没成功然后接着找其他的了

    你看看虚拟机里的 /var/log/auth 或者 journalctl -xe
    yuyueMJ
        9
    yuyueMJ  
    OP
       2016-12-19 20:37:32 +08:00
    @ooxxcc 非常感谢!我在日志里发现了一条消息( userauth_pubkey: key type ssh-dss not in PubkeyAcceptedKeyTypes [preauth]),其实上午排错的时候就发现了,不知为什么没有谷歌到正确结果,刚才找到了了解决方案,在 ssh7 以后已经不支持 dsa 加密方式了,所以建议使用 rsa !
    yuyueMJ
        10
    yuyueMJ  
    OP
       2016-12-19 20:39:50 +08:00
    这里同意回复一下,问题解决了!在做了之前的工作都失败的情况下, tail -20 /var/Log/auto.log 发现 userauth_pubkey: key type ssh-dss not in PubkeyAcceptedKeyTypes [preauth] 。。
    然后 http://unix.stackexchange.com/questions/247612/ssh-keeps-skipping-my-pubkey-and-asking-for-a-password 这里说的很明白。
    > The new openssh version (7.0+) deprecated DSA keys and is not using DSA keys by default (not on server or client). The keys are not preferred to be used anymore, so if you can, I would recommend to use RSA keys where possible.

    If you really need to use DSA keys, you need to explicitly allow them in your client config using
    ``` shell
    PubkeyAcceptedKeyTypes +ssh-dss
    ```
    Should be enough to put that line in ~/.ssh/config, as the verbose message is trying to tell you.
    yuyueMJ
        11
    yuyueMJ  
    OP
       2016-12-19 20:45:47 +08:00
    @hadoop 恩,使用 rsa 加密方式就可以了,原来是已经不支持 dsa 了。好蛋疼。我就是看的国内的摸个博客上用的 dsa 就用的。唉,弄了一天
    julyclyde
        12
    julyclyde  
       2016-12-20 21:30:57 +08:00
    最新版本 openssh 禁用了 dsa
    在 GnuPG 里, dsa 也属于不受待见的算法
    估计快淘汰了
    关于   ·   帮助文档   ·   博客   ·   API   ·   FAQ   ·   实用小工具   ·   1114 人在线   最高记录 6679   ·     Select Language
    创意工作者们的社区
    World is powered by solitude
    VERSION: 3.9.8.5 · 24ms · UTC 18:42 · PVG 02:42 · LAX 10:42 · JFK 13:42
    Developed with CodeLauncher
    ♥ Do have faith in what you're doing.