Ssh
EC2 key-pair authentication
I created a custom EC2 AMI image and am trying to authenticate to the AWS instance as the user USERVM using EC2 key-pair authentication, following these steps:
- AMI creation.
- ec2-run-instances…
- Create a private key with ec2-create-keypair.
- Store the private key under ~/.ssh/keypair.pem and set its permissions.
- Connect to the AWS instance with
ssh -v -i ~/.ssh/keypair.pem USERVM@ec2-instance.com
The corresponding debug log:
OpenSSH_6.6.1, OpenSSL 1.0.1f 6 Jan 2014
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to ec2-52-23-236-90.compute-1.amazonaws.com [52.23.236.90] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: identity file /root/.ssh/keypair_14_10_721pm.pem type -1
debug1: identity file /root/.ssh/keypair_14_10_721pm.pem-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.0p1 Debian-4+deb7u2
debug1: match: OpenSSH_6.0p1 Debian-4+deb7u2 pat OpenSSH* compat 0x04000000
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ECDSA 12:6d:09:82:fd:4b:0d:1d:88:3d:2a:65:31:c0:ad:cd
The authenticity of host 'ec2-52-23-236-90.compute-1.amazonaws.com (52.23.236.90)' can't be established.
ECDSA key fingerprint is 12:6d:09:82:fd:4b:0d:1d:88:3d:2a:65:31:c0:ad:cd.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'ec2-52-23-236-90.compute-1.amazonaws.com,52.23.236.90' (ECDSA) to the list of known hosts.
debug1: ssh_ecdsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Trying private key: /root/.ssh/keypair_14_10_721pm.pem
debug1: key_parse_private2: missing begin marker
debug1: read PEM private key done: type RSA
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: password
USERVM@ec2-52-23-236-90.compute-1.amazonaws.com's password:
debug1: Authentication succeeded (password).
Authenticated to ec2-52-23-236-90.compute-1.amazonaws.com
sshd_config is as follows:
# Package generated configuration file
# See the sshd(8) manpage for details
Protocol 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
UsePrivilegeSeparation yes
KeyRegenerationInterval 3600
ServerKeyBits 768
SyslogFacility AUTH
LogLevel INFO
LoginGraceTime 120
#PermitRootLogin yes
PermitRootLogin without-password
StrictModes no
RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile %h/.ssh/authorized_keys
IgnoreRhosts yes
RhostsRSAAuthentication no
HostbasedAuthentication no
#IgnoreUserKnownHosts yes
PermitEmptyPasswords no
ChallengeResponseAuthentication no
#PasswordAuthentication yes
# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
UsePAM yes
UseDNS no
The problem I am facing: the AWS instance asks for a password when I try to log in as the user USERVM. The public key for USERVM is generated at boot and placed on the AWS instance under /home/USERVM/.ssh/authorized_keys. However, the same approach works fine for the user named root, without asking for a password. Any help here is appreciated.
EDIT: The permissions for the user USERVM are:
$ sudo ls -la /home/
total 36
drwxr-xr-x  6 root   root      4096 Oct 14 12:34 .
drwxr-xr-x 27 root   root      4096 Oct 15 16:39 ..
drwxr-xr-x  2 admin  www-data  4096 Oct 14 12:34 admin
drwxr-xr-x  3 USERVM www-data  4096 Oct 15 16:42 USERVM
drwx------  2 root   root     16384 Oct 14 12:38 lost+found
drwxrwsrwx 22 tuser  www-data  4096 Oct 15 16:40 tuser
$ sudo ls -la /home/USERVM/
total 16
drwxr-xr-x 3 USERVM www-data 4096 Oct 15 16:42 .
drwxr-xr-x 6 root   root     4096 Oct 14 12:34 ..
-rw------- 1 USERVM www-data  105 Oct 15 16:42 .bash_history
drwx------ 2 root   root     4096 Oct 15 16:38 .ssh
$ sudo ls -la /home/USERVM/.ssh/
total 12
drwx------ 2 root   root     4096 Oct 15 16:38 .
drwxr-xr-x 3 USERVM www-data 4096 Oct 15 16:42 ..
-rw------- 1 root   root     1203 Oct 15 16:39 authorized_keys
When I try to log in as the user admin with the same procedure as for USERVM, it asks for a password, but for root it works without a password.
I expected this to be the usual permissions problem with the authorized_keys file, but it is slightly different: the ownership must also be correct, i.e. the files must be owned by the user who authenticates with them.
I don't think group ownership matters, since the files and directories cannot be group-writable anyway, but it is best to set them to the user's primary group.
In any case, once you run
chown -R USERVM:www-data ~USERVM/.ssh
the problem goes away.
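Added example, not from the thread: a small POSIX sh check that approximates what sshd verifies on the authorized_keys path and flags the root-owned ~USERVM/.ssh shown in the question. It assumes GNU stat -c (as on the Debian/Ubuntu hosts above) and, following the answer's fix, requires the user itself as owner, which is stricter than sshd's own StrictModes check (sshd also tolerates root ownership, but a root-owned 0700 directory is then unreadable to the user).

```shell
#!/bin/sh
# Added diagnostic (constructed for this thread, not OpenSSH code):
# walk HOME, HOME/.ssh and HOME/.ssh/authorized_keys and report anything
# that would stop public-key login for USER. Requires GNU stat (-c).

# usage: check_authorized_keys USER HOME_DIR
# prints one line per finding; returns 0 only when nothing is wrong
check_authorized_keys() {
    user=$1 home=$2 rc=0
    for path in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$path" ]; then
            echo "MISSING    $path"; rc=1; continue
        fi
        owner=$(stat -c '%U' "$path")
        perms=$(stat -c '%A' "$path")   # e.g. drwx------ or -rw-------
        # the answer's fix: every component must belong to the user
        if [ "$owner" != "$user" ]; then
            echo "OWNER      $path is owned by $owner, expected $user"; rc=1
        fi
        # what StrictModes rejects: group- (char 6) or world- (char 9) writable
        case $perms in
            ?????w*|????????w*)
                echo "WRITABLE   $path is group/world writable ($perms)"; rc=1 ;;
        esac
        # the user must be able to traverse directories and read the file
        case $perms in
            dr?x*|-r*) ;;
            *) echo "UNREADABLE $path not readable/traversable by owner ($perms)"; rc=1 ;;
        esac
    done
    return $rc
}

# stand-alone use: check_authorized_keys USERVM /home/USERVM
[ $# -eq 2 ] && check_authorized_keys "$1" "$2"
```

Run it with sudo so that stat can see root-owned entries; each finding names the exact path to chown or chmod.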