解决SSH免密码登陆失败

前言

最近在搞持续构建,因为要用 Shell 脚本来连接 mac mini 然后执行一系列任务,所以不能用密码登录的方式访问,需要配置 ssh 免密码登录。就算把 .ssh 目录权限改为 700,目录下所有文件的权限改为 600,还是需要密码登录。ssh -vvv 后发现密钥验证未通过,最后把 StrictModes 关闭就可以了。

解决

修改 SSH 配置文件 sshd_config

1
$ vim /etc/ssh/sshd_config

StrictModes 默认为 #StrictModes yes,打开注释,修改为 StrictModes no

然后重启 sshd 服务即可。

1
2
3
$ whereis sshd
/usr/sbin/sshd
$ /usr/sbin/sshd

参考

《Linux SSH配置和禁止Root远程登陆设置》

用 key 登陆时出现 server refused our key。如果 StrictModes 为 yes,必需保证存放公钥的文件夹的拥有与登陆用户名是相同的。“StrictModes” 设置 ssh 在接收登录请求之前是否检查用户目录和 rhosts 文件的权限和所有权。

这通常是必要的,因为新手经常会把自己的目录和文件设成任何人都有写权限。

English Note

First

3.14 - I copied my public key to authorized_keys but public-key authentication still doesn’t work.

Typically this is caused by the file permissions on $HOME, $HOME/.ssh or $HOME/.ssh/authorized_keys being more permissive than sshd allows by default.

In this case, it can be solved by executing the following on the server.

1
2
3
$ chmod go-w $HOME $HOME/.ssh
$ chmod 600 $HOME/.ssh/authorized_keys
$ chown `whoami` $HOME/.ssh/authorized_keys

If this is not possible for some reason, an alternative is to set StrictModes no in sshd_config, however this is not recommended.

Second

~/.ssh/authorized_keysLists the public keys (DSA, ECDSA, Ed25519, RSA) that can be used for logging in as this user. The format of this file is described above. The content of the file is not highly sensitive, but the recommended permissions are read/write for the user, and not accessible by others.
If this file, the ~/.ssh directory, or the user’s home directory are writable by other users, then the file could be modified or replaced by unauthorized users. In this case, sshd will not allow it to be used unless the StrictModes option has been set to “no”.

Last

《sshd_config — OpenSSH SSH daemon configuration file》

StrictModes

Specifies whether sshd(8) should check file modes and ownership of the user’s files and home directory before accepting login. This is normally desirable because novices sometimes accidentally leave their directory or files world-writable. The default is “yes”. Note that this does not apply to ChrootDirectory, whose permissions and ownership are checked unconditionally.

后话

卡了半天的问题,最后还是 Google 查找到了解决办法,技术类问题真的不要用百度了,谷歌吧!

于是自己写了一个反向代理的镜像,科学开车上网 >>> Bingo的Google镜像 >>>

  • 本文作者: Bingo
  • 本文链接: https://blog.bingo.ren/33.html
  • 版权声明: 本博客所有文章除特别声明外,均采用 MIT 许可协议。转载请注明出处!