首页 > 代码库 > SSH 免密码登陆失败的一种原因,StrictModes
SSH 免密码登陆失败的一种原因,StrictModes
偶然因素帮别人配置ssh免密码登陆失败, ~/.ssh目录权限700,其下所有文件权限600,却依然失败。ssh -v 后发现密钥验证未通过,使用密码验证。
后来还是搜索得来,有人把ssh的StrictModes关闭就可以了,赶紧试了一下,果然可以。
于是搜了一下StrictModes限制的什么,
找到这么一段话
StrictModes no #修改为no,默认为yes.如果不修改用key登陆是出现server refused our key(如果StrictModes为yes必需保证存放公钥的文件夹的拥有与登陆用户名是相同的.“StrictModes”设置ssh在接收登录请求之前是否检查用户家目录和rhosts文件的权限和所有权。这通常是必要的,因为新手经常会把自己的目录和文件设成任何人都有写权限。)(来源http://matt-u.iteye.com/blog/851158)
还有这么一段话
3.14 - I copied my public key to authorized_keys but public-key authentication still doesn‘t work.
Typically this is caused by the file permissions on $HOME, $HOME/.ssh or $HOME/.ssh/authorized_keys being more permissive than sshd allows by default.
In this case, it can be solved by executing the following on the server.
$ chmod go-w $HOME $HOME/.ssh
$ chmod 600 $HOME/.ssh/authorized_keys
$ chown `whoami` $HOME/.ssh/authorized_keys
If this is not possible for some reason, an alternative is to set StrictModes no in sshd_config, however this is not recommended.
(来自http://www.openssh.com/faq.html)
还有
~/.ssh/authorized_keysLists the public keys (DSA, ECDSA, Ed25519, RSA) that can be used for logging in as this user. The format of this file is described above. The content of the file is not highly sensitive, but the recommended permissions are read/write for the user, and not accessible by others.
If this file, the ~/.ssh directory, or the user‘s home directory are writable by other users, then the file could be modified or replaced by unauthorized users. In this case, sshd will not allow it to be used unless the StrictModes option has been set to “no”.
(来自http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man8/sshd.8?query=sshd&sec=8)
最后来个
StrictModes Specifies whether sshd(8) should check file modes and ownership of the user‘s files and home directory before accepting login. This is normally desirable because novices sometimes accidentally leave their directory or files world-writable. The default is “yes”. Note that this does not apply to ChrootDirectory, whose permissions and ownership are checked unconditionally.
(来自http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man5/sshd_config.5?query=sshd_config&sec=5)
SSH 免密码登陆失败的一种原因,StrictModes