Я попытался вручную добавить ключ паба для authorized_keys и authorized_keys2. Я также дважды проверил разрешения для .ssh (700) и authorized_keys (644). Я могу войти без пароля на той же машине, используя другого пользователя (пользователя сервера).
Вот вывод из ssh -vvv:
ssh postgres@java7 -vvv OpenSSH_4.3p2, OpenSSL 0.9.8b 04 May 2006 debug1: Reading configuration data /etc/ssh/ssh_config debug1: Applying options for * debug2: ssh_connect: needpriv 0 debug1: Connecting to java7 [192.168.120.28] port 22. debug1: Connection established. debug1: identity file /home/informix/.ssh/identity type -1 debug3: Not a RSA1 key file /home/informix/.ssh/id_rsa. debug2: key_type_from_name: unknown key type '-----BEGIN' debug3: key_read: missing keytype debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug2: key_type_from_name: unknown key type '-----END' debug3: key_read: missing keytype debug1: identity file /home/informix/.ssh/id_rsa type 1 debug1: identity file /home/informix/.ssh/id_dsa type -1 debug1: loaded 3 keys debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3 debug1: match: OpenSSH_5.3 pat OpenSSH* debug1: Enabling compatibility mode for protocol 2.0 debug1: Local version string SSH-2.0-OpenSSH_4.3 debug2: fd 3 setting O_NONBLOCK debug1: SSH2_MSG_KEXINIT sent debug1: SSH2_MSG_KEXINIT received debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 debug2: kex_parse_kexinit: ssh-rsa,ssh-dss debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: first_kex_follows 0 debug2: kex_parse_kexinit: reserved 0 debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 debug2: kex_parse_kexinit: ssh-rsa,ssh-dss debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: none,zlib@openssh.com debug2: kex_parse_kexinit: none,zlib@openssh.com debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: first_kex_follows 0 debug2: kex_parse_kexinit: reserved 0 debug2: mac_init: found hmac-md5 debug1: kex: server->client aes128-cbc hmac-md5 none debug2: mac_init: found hmac-md5 debug1: kex: client->server aes128-cbc hmac-md5 none debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP debug2: dh_gen_key: priv key bits set: 118/256 debug2: bits set: 497/1024 debug1: SSH2_MSG_KEX_DH_GEX_INIT sent debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY debug3: check_host_in_hostfile: filename /home/informix/.ssh/known_hosts debug3: check_host_in_hostfile: match line 86 debug3: check_host_in_hostfile: filename /home/informix/.ssh/known_hosts debug3: check_host_in_hostfile: match line 82 debug1: Host 'java7' is known and matches the RSA host key. debug1: Found key in /home/informix/.ssh/known_hosts:86 debug2: bits set: 513/1024 debug1: ssh_rsa_verify: signature correct debug2: kex_derive_keys debug2: set_newkeys: mode 1 debug1: SSH2_MSG_NEWKEYS sent debug1: expecting SSH2_MSG_NEWKEYS debug2: set_newkeys: mode 0 debug1: SSH2_MSG_NEWKEYS received debug1: SSH2_MSG_SERVICE_REQUEST sent debug2: service_accept: ssh-userauth debug1: SSH2_MSG_SERVICE_ACCEPT received debug2: key: /home/informix/.ssh/id_rsa (0x555560bb41c0) debug2: key: /home/informix/.ssh/identity ((nil)) debug2: key: /home/informix/.ssh/id_rsa (0x555560bae620) debug2: key: /home/informix/.ssh/id_dsa ((nil)) debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password debug3: start over, passed a different list publickey,gssapi-keyex,gssapi-with-mic,password debug3: preferred gssapi-with-mic,publickey,keyboard-interactive,password debug3: authmethod_lookup gssapi-with-mic debug3: remaining preferred: publickey,keyboard-interactive,password debug3: authmethod_is_enabled gssapi-with-mic debug1: Next authentication method: gssapi-with-mic debug3: Trying to reverse map address 192.168.120.28. debug1: Unspecified GSS failure. Minor code may provide more information Unknown code krb5 195 debug1: Unspecified GSS failure. Minor code may provide more information Unknown code krb5 195 debug1: Unspecified GSS failure. Minor code may provide more information Unknown code krb5 195 debug2: we did not send a packet, disable method debug3: authmethod_lookup publickey debug3: remaining preferred: keyboard-interactive,password debug3: authmethod_is_enabled publickey debug1: Next authentication method: publickey debug1: Offering public key: /home/informix/.ssh/id_rsa debug3: send_pubkey_test debug2: we sent a publickey packet, wait for reply debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password debug1: Trying private key: /home/informix/.ssh/identity debug3: no such identity: /home/informix/.ssh/identity debug1: Offering public key: /home/informix/.ssh/id_rsa debug3: send_pubkey_test debug2: we sent a publickey packet, wait for reply debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password debug1: Trying private key: /home/informix/.ssh/id_dsa debug3: no such identity: /home/informix/.ssh/id_dsa debug2: we did not send a packet, disable method debug3: authmethod_lookup password debug3: remaining preferred: ,password debug3: authmethod_is_enabled password debug1: Next authentication method: password postgres@java7's password: Редактировать:
This is an excerpt of what the ssh server on a different port says: debug1: PAM: initializing for "postgres" debug1: PAM: setting PAM_RHOST to "192.168.120.97" debug1: PAM: setting PAM_TTY to "ssh" debug1: userauth-request for user postgres service ssh-connection method publickey debug1: attempt 1 failures 0 debug1: test whether pkalg/pkblob are acceptable debug1: temporarily_use_uid: 26/26 (e=0/0) debug1: trying public key file /var/lib/pgsql/.ssh/authorized_keys debug1: fd 4 clearing O_NONBLOCK debug1: matching key found: file /var/lib/pgsql/.ssh/authorized_keys, line 4 Found matching RSA key: f5:79:bb:f0:df:57:a3:ee:83:cc:33:a5:1b:b2:5d:ee debug1: restore_uid: 0/0 Postponed publickey for postgres from 192.168.120.97 port 45341 ssh2 debug1: userauth-request for user postgres service ssh-connection method publickey debug1: attempt 2 failures 0 debug1: temporarily_use_uid: 26/26 (e=0/0) debug1: trying public key file /var/lib/pgsql/.ssh/authorized_keys debug1: fd 4 clearing O_NONBLOCK debug1: matching key found: file /var/lib/pgsql/.ssh/authorized_keys, line 4 Found matching RSA key: f5:79:bb:f0:df:57:a3:ee:83:cc:33:a5:1b:b2:5d:ee debug1: restore_uid: 0/0 debug1: ssh_rsa_verify: signature correct debug1: do_pam_account: called Accepted publickey for postgres from 192.168.120.97 port 45341 ssh2 debug1: monitor_child_preauth: postgres has been authenticated by privileged process debug1: temporarily_use_uid: 26/26 (e=0/0) debug1: ssh_gssapi_storecreds: Not a GSSAPI mechanism debug1: restore_uid: 0/0 debug1: SELinux support enabled debug1: PAM: establishing credentials PAM: pam_open_session(): Authentication failure User child is on pid 10198 debug1: PAM: establishing credentials debug1: permanently_set_uid: 26/26 debug1: Entering interactive session for SSH2. debug1: server_init_dispatch_20 debug1: server_input_channel_open: ctype session rchan 0 win 65536 max 16384 debug1: input_session_request debug1: channel 0: new [server-session] debug1: session_new: session 0 debug1: session_open: channel 0 debug1: session_open: session 0: link with channel 0 debug1: server_input_channel_open: confirm session debug1: server_input_channel_req: channel 0 request pty-req reply 0 debug1: session_by_channel: session 0 channel 0 debug1: session_input_channel_req: session 0 req pty-req debug1: Allocating pty. debug1: session_new: session 0 ssh_selinux_setup_pty: security_compute_relabel: Invalid argument debug1: session_pty_req: session 0 alloc /dev/pts/5 debug1: server_input_channel_req: channel 0 request env reply 0 debug1: session_by_channel: session 0 channel 0 debug1: session_input_channel_req: session 0 req env debug1: server_input_channel_req: channel 0 request shell reply 0 debug1: session_by_channel: session 0 channel 0 debug1: session_input_channel_req: session 0 req shell debug1: Setting controlling tty using TIOCSCTTY. debug1: Received SIGCHLD. debug1: session_by_pid: pid 10199 debug1: session_exit_message: session 0 channel 0 pid 10199 debug1: session_exit_message: release channel 0 debug1: session_by_tty: session 0 tty /dev/pts/5 debug1: session_pty_cleanup: session 0 release /dev/pts/5 debug1: session_by_channel: session 0 channel 0 debug1: session_close_by_channel: channel 0 child 0 debug1: session_close: session 0 pid 0 debug1: channel 0: free: server-session, nchannels 1 Connection closed by 192.168.120.97 debug1: do_cleanup Transferred: sent 2296, received 2416 bytes Closing connection to 192.168.120.97 port 45341 debug1: PAM: cleanup debug1: PAM: deleting credentials /var/log/secure.log при запуске другого ssh-сервера :
Apr 4 16:52:31 java7 sshd[10774]: pam_selinux(sshd:session): conversation failed Apr 4 16:52:31 java7 sshd[10774]: pam_selinux(sshd:session): No response to query: Would you like to enter a security context? [N] Apr 4 16:52:31 java7 sshd[10774]: pam_selinux(sshd:session): Unable to get valid context for postgres Apr 4 16:52:31 java7 sshd[10774]: pam_unix(sshd:session): session opened for user postgres by (uid=0) Я считаю, что в этих условиях лучше всего запустить демон SSH в режиме отладки. Если у вас есть доступ с правами root на компьютере, вы можете запустить:
# /usr/sbin/sshd -d -p 2222 и тогда вы можете использовать:
# ssh -p 2222 postgres@java7 и посмотрите, по какой причине сервер отклонил ключ.
Является ли 'postgres' пользователем, сгенерированным при установке сервера PostreSQL? Если так, большинство автоматически сгенерированных пользователей не могут быть "залогинены"; они существуют исключительно для целей демонов, которым требуются разрешения на доступ к файлам.
Вы можете включить журналы отладки на вашем существующем ssh-сервере. Измените файл / etc / ssh / sshd_config, LogLevel DEBUG3 если причина неудачного входа в систему Could not open authorized keys '/var/lib/pgsql/.ssh/authorized_keys': Permission deniedи права доступа к авторизованному ключу в порядке, то эта команда поможет
restorecon -FRvv /var/lib/pgsql/.ssh/
Another solution for Red Hat Enterprise Linux 6.5 SELinux feature preventing sshd from reading $HOME/.ssh is to use restorecon, see my answser here https://superuser.com/a/764020/213743.
убедитесь, что ваш selinux настроен правильно.
я изменил selinux на разрешающий, и он работает, или вы должны добавить .ssh к ролям selinux.