同主目录多用户通过ssh进行密钥登陆
转载自 http://www.linuxfly.org/post/261/
我们以前已经提过如何在客户端创建密钥后,拷贝到服务端,今后就可以使用该密钥进行无密码认证的登陆了。如果您已经忘了?可以看看这里:[原]putty使用密钥登陆OpenSSH。在这情况下,都是指每个用户自己去登陆服务器。但在今天的项目实施中,遇是这样的情况:
作为ssh客户端的机器,有多个用户,他们属于同一个主目录,并且都需要进行密钥验证。而私钥id_rsa的权限必须为600,其他用户不能访问。我们就需要用ssh的-i参数解决这问题。
一、系统环境
操作系统:Asianux 3.0
应用软件:OpenSSH v4.3p2
客户端和服务端同一IP地址:192.168.48.128
服务端用户:hyphen(以该用户模拟服务端)
用户1:test、主目录:/home/test、宿组:test
用户2:user、主目录:/home/test、宿组:test
二、单用户密钥登陆
为了方便说明,这里先做个单用户使用密钥登陆sshd服务器的过程。以test用户为例。
1、客户端
创建密钥:
[test@asianux3 ~]$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/test/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/test/.ssh/id_rsa.
Your public key has been saved in /home/test/.ssh/id_rsa.pub.
The key fingerprint is:
15:b0:02:35:b4:0d:d3:fe:9c:e8:56:e1:a6:06:8c:e9 test@asianux3
然后拷贝公钥到服务器上:
[test@asianux3 ~]$ scp .ssh/id_rsa.pub hyphen@192.168.48.128:~/.ssh/authorized_keys
The authenticity of host ‘192.168.48.128 (192.168.48.128)’ can’t be established.
RSA key fingerprint is 19:05:03:5c:ac:b5:9d:ba:15:5a:46:7e:32:0e:b8:79.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added ‘192.168.48.128’ (RSA) to the list of known hosts.
hyphen@192.168.48.128’s password:
id_rsa.pub
2、服务端
在服务端上创建的authorized_keys默认权限是644,这不能满足安全要求,需要改为600:
[hyphen@asianux3 ~]$ ll ~/.ssh/authorized_keys
-rw-r–r– 1 hyphen hyphen 395 11-10 13:32 /home/hyphen/.ssh/authorized_keys
[hyphen@asianux3 ~]$ chmod 600 ~/.ssh/authorized_keys
[hyphen@asianux3 ~]$ ll ~/.ssh/authorized_keys
-rw——- 1 hyphen hyphen 395 11-10 13:32 /home/hyphen/.ssh/authorized_keys
3、测试
使用test用户,使用密钥进行登陆:
[test@asianux3 ~]$ ssh hyphen@192.168.48.128
Last login: Mon Nov 10 12:34:20 2008 from 192.168.48.128
[hyphen@asianux3 ~]$
测试成功。
三、多用户登陆
1、权限问题
user用户的信息如下:
[user@asianux3 ~]$ pwd
/home/test
[user@asianux3 ~]$ id
uid=514(user) gid=513(test) groups=513(test)
由于私钥权限是600的,user用户无法使用它进行登陆:
[user@asianux3 ~]$ ll ~/.ssh/id_rsa
-rw——- 1 test test 1675 11-10 12:40 /home/test/.ssh/id_rsa
[user@asianux3 ~]$ ssh hyphen@192.168.48.128
Enter passphrase for key ‘/home/test/.ssh/id_rsa’:
hyphen@192.168.48.128’s password:
2、解决
使用test用户把私钥文件拷贝成另一个文件:
[test@asianux3 ~]$ cd .ssh/
[test@asianux3 .ssh]$ cp id_rsa common_id_rsa
[test@asianux3 .ssh]$ chmod 640 common_id_rsa
[test@asianux3 .ssh]$ ll common_id_rsa
-rw-r—– 1 test test 1675 11-10 13:43 common_id_rsa
user用户使用ssh的-i参数指定私钥文件来登陆:
[user@asianux3 ~]$ ssh -i .ssh/common_id_rsa hyphen@192.168.48.128
Last login: Mon Nov 10 13:35:29 2008 from 192.168.48.128
[hyphen@asianux3 ~]$
登陆成功。
四、其他问题
1、修改私钥id_rsa的权限
如果您看到id_rsa的私钥是600,然后希望其他用户可以使用该私钥,而改为640权限的话。那其他用户确实可以使用密钥登陆远端服务器的。
[test@asianux3 .ssh]$ chmod 640 id_rsa
[test@asianux3 .ssh]$ ll id_rsa
-rw-r—– 1 test test 1675 11-10 12:40 id_rsa
[user@asianux3 ~]$ ssh hyphen@192.168.48.128
Last login: Mon Nov 10 13:44:35 2008 from 192.168.48.128
[hyphen@asianux3 ~]$
但原来的test用户就会因权限问题给挡住了:
[test@asianux3 .ssh]$ ssh hyphen@192.168.48.128
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: UNPROTECTED PRIVATE KEY FILE! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0640 for ‘/home/test/.ssh/id_rsa’ are too open.
It is recommended that your private key files are NOT accessible by others.
This private key will be ignored.
bad permissions: ignore key: /home/test/.ssh/id_rsa
Enter passphrase for key ‘/home/test/.ssh/id_rsa’:
hyphen@192.168.48.128’s password:
解决方式还是和上面的一样啦,另外给一个600权限的私钥给test使用:
[test@asianux3 .ssh]$ ll common_id_rsa
-rw-r—– 1 test test 1675 11-10 13:43 common_id_rsa
[test@asianux3 .ssh]$ chmod 600 common_id_rsa
[test@asianux3 .ssh]$ ssh -i common_id_rsa hyphen@192.168.48.128
Last login: Mon Nov 10 13:48:06 2008 from 192.168.48.128
[hyphen@asianux3 ~]$
成功了吧。O(∩_∩)O
※ 我觉得,最好还是保留原用户的密钥id_rsa权限,而另外给其他用户私钥清晰点咯。
2、客户端钥匙改变
linux上的ssh客户端,在登陆服务端时,会把自己的公钥写入~/.ssh/known_hosts文件中:
引用
[test@asianux3 .ssh]$ ssh hyphen@192.168.48.128
The authenticity of host ‘192.168.48.128 (192.168.48.128)’ can’t be established.
RSA key fingerprint is 19:05:03:5c:ac:b5:9d:ba:15:5a:46:7e:32:0e:b8:79.
Are you sure you want to continue connecting (yes/no)? yes
若后来因其他原因(如使用新的私钥等),客户端的公钥被修改了,在登陆服务器时,就会包错:
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
19:05:03:5c:ac:b5:9d:ba:15:5a:46:7e:32:0e:b8:79.
Please contact your system administrator.
Add correct host key in /home/test/.ssh/known_hosts to get rid of this message.
Offending key in /home/test/.ssh/known_hosts:1
RSA host key for 192.168.48.128 has changed and you have requested strict checking.
Host key verification failed.
这时,请把客户端的~/.ssh/known_hosts文件中对应的一行公钥删除,或直接删除该文件。