Cannot connect via ssh using an RSA key

Author Angel_ok, 23 May 2018, 10:55:32

Angel_ok

I'm connecting from Windows to Debian over ssh. Password login works without problems. But it doesn't work with keys.
I tried generating keys on both Linux and Windows - the result is negative.
I generate a key in PuTTY, copy it to Debian into ~/.ssh/authorized_keys
and run:
chmod 600 ~/.ssh/authorized_keys

In Windows, in PuTTY, I enter the IP, port and login, specify the private key, connect and get:
Using username "ang".
Server refused our key
ang@54.130.121.11 password:


Code (sudo gedit /etc/ssh/sshd_config)
# $OpenBSD: sshd_config,v 1.100 2016/08/15 12:32:04 naddy Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key

# Ciphers and keying
#RekeyLimit default none

# Logging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin prohibit-password
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

PubkeyAuthentication yes

# Expect .ssh/authorized_keys2 to be disregarded by default in future.
AuthorizedKeysFile /home/ang/.ssh/authorized_keys .ssh/authorized_keys2

#AuthorizedPrincipalsFile none

#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication yes
#PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
PrintMotd no
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation sandbox
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

# no default banner path
#Banner none

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

# override default of no subsystems
Subsystem sftp /usr/lib/openssh/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# PermitTTY no
# ForceCommand cvs server

RSAAuthentication yes
PubkeyAcceptedKeyTypes ssh-dss
PubkeyAcceptedKeyTypes ssh-rsa


итого 8
-rw------- 1 ang ang 398 Май 23 10:28 authorized_keys
-rw------- 1 ang ang 980 Май 21 22:23 known_hosts


I restarted ssh:
sudo /etc/init.d/ssh restart


What am I doing wrong? How do I connect to Debian using an RSA key?
You think everything is that simple? Yes, everything is simple. But not at all like that...
    Albert Einstein

ihammers

On GNU/Linux you create the key on the machine you want to connect from and then copy it with ssh-copy-id. After that you will have key-based access (unless it has been disabled in the settings). On MS Windows it should be roughly the same. Generate a key and add it to the machine you want to connect to.
Debian GNU/Linux Bookworm, LXQt/OpenBox: AMD Ryzen 5 5600G / 64Gb RAM
_______________________________
Debian GNU/Linux Bookworm, no GUI: AMD Phenom X4 / 16Gb RAM
_______________________________
Debian GNU/Linux Bookworm, LXQt/OpenBox: Acer Aspire One 722 AMD C60 / 8Gb RAM / ATI HD6290

Angel_ok

Quote from: ihammers, 28 May 2018, 15:14:47
On GNU/Linux you create the key on the machine you want to connect from and then copy it with ssh-copy-id. After that you will have key-based access (unless it has been disabled in the settings). On MS Windows it should be roughly the same. Generate a key and add it to the machine you want to connect to.
That's exactly what I'm doing!
I just did it from Linux.
On the computer I want to connect from, I created a key:
user@ubuntu:~$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/user/.ssh/id_rsa):
/home/user/.ssh/id_rsa already exists.
Overwrite (y/n)? y
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/user/.ssh/id_rsa.
Your public key has been saved in /home/user/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:LeKBSiY8axCU+EeD5zDk2rOwp3NvahF9HlUW2i+Bqko user@ubuntu
The key's randomart image is:
+---[RSA 2048]----+
|.oo.     .+.     |
|oo+ +   .=       |
|...B . .o o      |
|.+o +.o. . o     |
|=o=o.o+.S o .    |
|.*++ o.o . .     |
|.oE.. .          |
|o+o..            |
|.+o+.            |
+----[SHA256]-----+

I copy the key to the computer I want to connect to:
user@ubuntu:~$ ssh-copy-id ang@XX.XXX.XXX.XX -p 49822
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
ang@XX.XXX.XXX.XX's password:

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh -p '49822' 'ang@XX.XXX.XXX.XX'"
and check to make sure that only the key(s) you wanted were added.

Then I connect over ssh, but the key doesn't go through; in the end it's possible to log in with the regular password:
user@ubuntu:~$ ssh ang@XX.XXX.XXX.XX -p 49822 -v
OpenSSH_7.2p2 Ubuntu-4ubuntu2.4, OpenSSL 1.0.2g  1 Mar 2016
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to XX.XXX.XXX.XX [XX.XXX.XXX.XX] port 49822.
debug1: Connection established.
debug1: identity file /home/user/.ssh/id_rsa type 1
debug1: key_load_public: No such file or directory
debug1: identity file /home/user/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/user/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/user/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/user/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/user/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/user/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/user/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.4
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.4p1 Debian-10+deb9u3
debug1: match: OpenSSH_7.4p1 Debian-10+deb9u3 pat OpenSSH* compat 0x04000000
debug1: Authenticating to XX.XXX.XXX.XX:49822 as 'ang'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256@libssh.org
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:cWbDlc3SLtvcFpi2eXlPlSArOBvgQ7XSm7rH2NWSBDA
debug1: Host '[XX.XXX.XXX.XX]:49822' is known and matches the ECDSA host key.
debug1: Found key in /home/user/.ssh/known_hosts:1
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/user/.ssh/id_rsa
debug1: Authentications that can continue: publickey,password
debug1: Trying private key: /home/user/.ssh/id_dsa
debug1: Trying private key: /home/user/.ssh/id_ecdsa
debug1: Trying private key: /home/user/.ssh/id_ed25519
debug1: Next authentication method: password
ang@XX.XXX.XXX.XX's password:

Бениамин Масан

#3
ssh  deb64@172.18.227.230
Warning: Permanently added '172.18.227.230' (ECDSA) to the list of known hosts.
Last login: Wed May 30 07:38:06 2018

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.


:/home/deb64# cat /etc/ssh/sshd_config

#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::




PubkeyAuthentication yes        # this is required
PubkeyAcceptedKeyTypes=+ssh-dss  # this is required

# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile .ssh/authorized_keys



# override default of no subsystems
Subsystem sftp /usr/lib/sftp-server

X11Forwarding yes
X11DisplayOffset 10
X11UseLocalhost yes


This is how it works with RSA:
PubkeyAuthentication yes        # this is required
PubkeyAcceptedKeyTypes=+ssh-dss  # this is required
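
Added example (not part of any post in this thread and not the posters' own code): a shell example of how sshd resolves PubkeyAcceptedKeyTypes, run on constructed copies of the keyword lines from the two configurations above. Per sshd_config(5) the first value obtained for a keyword is used, and a value starting with "+" is appended to the default list instead of replacing it. DEFAULT_TYPES is a shortened stand-in for the real default list, and the function names are hypothetical.

```sh
#!/bin/sh
# Added example: how sshd resolves PubkeyAcceptedKeyTypes in sshd_config.
# sshd_config(5): the first value obtained for a keyword is used; a value
# that starts with '+' is appended to the default list, not a replacement.

# Assumption: shortened stand-in for the server's built-in default list.
DEFAULT_TYPES="ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256"

# effective_pubkey_types FILE: print the list sshd would end up using
# (global section only; parsing stops at the first Match block).
effective_pubkey_types() {
    awk -v def="$DEFAULT_TYPES" '
        /^[ \t]*(#|$)/ { next }                 # comments and blank lines
        { sub(/[ \t]*=[ \t]*/, " ") }           # "Keyword=value" form
        tolower($1) == "match" { exit }
        tolower($1) == "pubkeyacceptedkeytypes" && !seen { seen = 1; val = $2 }
        END {
            if (!seen)            print def
            else if (val ~ /^\+/) print def "," substr(val, 2)
            else                  print val
        }
    ' "$1"
}

# accepts_key_type FILE TYPE: exit status 0 if TYPE is in the effective list
accepts_key_type() {
    case ",$(effective_pubkey_types "$1")," in
        *,"$2",*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Constructed samples that mirror the keyword lines of the two configs above.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
printf '%s\n' 'PubkeyAuthentication yes' 'PubkeyAcceptedKeyTypes ssh-dss' \
    'PubkeyAcceptedKeyTypes ssh-rsa' > "$tmp/replace.conf"
printf '%s\n' 'PubkeyAuthentication yes' \
    'PubkeyAcceptedKeyTypes=+ssh-dss' > "$tmp/append.conf"

for f in replace append; do
    if accepts_key_type "$tmp/$f.conf" ssh-rsa; then rsa=accepted; else rsa=refused; fi
    printf '%s.conf: %s -> ssh-rsa %s\n' "$f" \
        "$(effective_pubkey_types "$tmp/$f.conf")" "$rsa"
done
```

On a live server, `sshd -T` prints the effective configuration, including this keyword, so the result can be checked against what the daemon actually loaded.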