Question: Problem using public keys when connecting to an SSH server running on Cygwin


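We have installed Cygwin on a Windows Server 2008 Standard server, and it works pretty well. Unfortunately we still have one big problem. We want to connect over SSH using a public key, and that doesn't work. It always falls back to password login.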

We have appended our public key to ~/.ssh/authorized_keys on the server, and we have the private and public keys in ~/.ssh/id_dsa and ~/.ssh/id_dsa.pub respectively on the client.

When debugging the SSH login session, we see that the key is offered and is apparently rejected for some unknown reason.


SSH output when connecting from an Ubuntu 9.10 desktop with debug information enabled:

$ ssh -v 192.168.10.11

OpenSSH_5.1p1 Debian-6ubuntu2, OpenSSL 0.9.8g 19 Oct 2007
debug1: Reading configuration data /home/myuseraccount/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for 
debug1: Connecting to 192.168.10.11 [192.168.10.11] port 22.
debug1: Connection established.
debug1: identity file /home/myuseraccount/.ssh/identity type -1
debug1: identity file /home/myuseraccount/.ssh/id_rsa type -1
debug1: identity file /home/myuseraccount/.ssh/id_dsa type 2
debug1: Checking blacklist file /usr/share/ssh/blacklist.DSA-1024
debug1: Checking blacklist file /etc/ssh/blacklist.DSA-1024
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
debug1: match: OpenSSH_5.3 pat OpenSSH
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.1p1 Debian-6ubuntu2
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host '192.168.10.11' is known and matches the RSA host key.
debug1: Found key in /home/myuseraccount/.ssh/known_hosts:12
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Offering public key: /home/myuseraccount/.ssh/id_dsa
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Trying private key: /home/myuseraccount/.ssh/identity
debug1: Trying private key: /home/myuseraccount/.ssh/id_rsa
debug1: Next authentication method: keyboard-interactive
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: password
myuseraccount@192.168.10.11's password: 

Cygwin version:

$ uname -a
CYGWIN_NT-6.0 servername 1.7.1(0.218/5/3) 2009-12-07 11:48 i686 Cygwin

Installed packages:

$ cygcheck -c
Cygwin Package Information
Package              Version             Status
_update-info-dir     00871-1             OK
alternatives         1.3.30c-10          OK
arj                  3.10.22-1           OK
aspell               0.60.5-1            OK
aspell-en            6.0.0-1             OK
aspell-sv            0.50.2-2            OK
autossh              1.4b-1              OK
base-cygwin          2.1-1               OK
base-files           3.9-3               OK
base-passwd          3.1-1               OK
bash                 3.2.49-23           OK
bash-completion      1.1-2               OK
bc                   1.06-2              OK
bzip2                1.0.5-10            OK
cabextract           1.1-1               OK
compface             1.5.2-1             OK
coreutils            7.0-2               OK
cron                 4.1-59              OK
crypt                1.1-1               OK
csih                 0.9.1-1             OK
curl                 7.19.6-1            OK
cvs                  1.12.13-10          OK
cvsutils             0.2.5-1             OK
cygrunsrv            1.34-1              OK
cygutils             1.4.2-1             OK
cygwin               1.7.1-1             OK
cygwin-doc           1.5-1               OK
cygwin-x-doc         1.1.0-1             OK
dash                 0.5.5.1-2           OK
diffutils            2.8.7-2             OK
doxygen              1.6.1-2             OK
e2fsprogs            1.35-3              OK
editrights           1.01-2              OK
emacs                23.1-10             OK
emacs-X11            23.1-10             OK
file                 5.04-1              OK
findutils            4.5.5-1             OK
flip                 1.19-1              OK
font-adobe-dpi75     1.0.1-1             OK
font-alias           1.0.2-1             OK
font-encodings       1.0.3-1             OK
font-misc-misc       1.1.0-1             OK
fontconfig           2.8.0-1             OK
gamin                0.1.10-10           OK
gawk                 3.1.7-1             OK
gettext              0.17-11             OK
gnome-icon-theme     2.28.0-1            OK
grep                 2.5.4-2             OK
groff                1.19.2-2            OK
gvim                 7.2.264-1           OK
gzip                 1.3.12-2            OK
hicolor-icon-theme   0.11-1              OK
inetutils            1.5-6               OK
ipc-utils            1.0-1               OK
keychain             2.6.8-1             OK
less                 429-1               OK
libaspell15          0.60.5-1            OK
libatk1.0_0          1.28.0-1            OK
libaudio2            1.9.2-1             OK
libbz2_1             1.0.5-10            OK
libcairo2            1.8.8-1             OK
libcurl4             7.19.6-1            OK
libdb4.2             4.2.52.5-2          OK
libdb4.5             4.5.20.2-2          OK
libexpat1            2.0.1-1             OK
libfam0              0.1.10-10           OK
libfontconfig1       2.8.0-1             OK
libfontenc1          1.0.5-1             OK
libfreetype6         2.3.12-1            OK
libgcc1              4.3.4-3             OK
libgdbm4             1.8.3-20            OK
libgdk_pixbuf2.0_0   2.18.6-1            OK
libgif4              4.1.6-10            OK
libGL1               7.6.1-1             OK
libglib2.0_0         2.22.4-2            OK
libglitz1            0.5.6-10            OK
libgmp3              4.3.1-3             OK
libgtk2.0_0          2.18.6-1            OK
libICE6              1.0.6-1             OK
libiconv2            1.13.1-1            OK
libidn11             1.16-1              OK
libintl3             0.14.5-1            OK
libintl8             0.17-11             OK
libjasper1           1.900.1-1           OK
libjbig2             2.0-11              OK
libjpeg62            6b-21               OK
libjpeg7             7-10                OK
liblzma1             4.999.9beta-10      OK
libncurses10         5.7-18              OK
libncurses8          5.5-10              OK
libncurses9          5.7-16              OK
libopenldap2_3_0     2.3.43-1            OK
libpango1.0_0        1.26.2-1            OK
libpcre0             8.00-1              OK
libpixman1_0         0.16.6-1            OK
libpng12             1.2.35-10           OK
libpopt0             1.6.4-4             OK
libpq5               8.2.11-1            OK
libreadline6         5.2.14-12           OK
libreadline7         6.0.3-2             OK
libsasl2             2.1.19-3            OK
libSM6               1.1.1-1             OK
libssh2_1            1.2.2-1             OK
libssp0              4.3.4-3             OK
libstdc++6           4.3.4-3             OK
libtiff5             3.9.2-1             OK
libwrap0             7.6-20              OK
libX11_6             1.3.3-1             OK
libXau6              1.0.5-1             OK
libXaw3d7            1.5D-8              OK
libXaw7              1.0.7-1             OK
libxcb-render-util0  0.3.6-1             OK
libxcb-render0       1.5-1               OK
libxcb1              1.5-1               OK
libXcomposite1       0.4.1-1             OK
libXcursor1          1.1.10-1            OK
libXdamage1          1.1.2-1             OK
libXdmcp6            1.0.3-1             OK
libXext6             1.1.1-1             OK
libXfixes3           4.0.4-1             OK
libXft2              2.1.14-1            OK
libXi6               1.3-1               OK
libXinerama1         1.1-1               OK
libxkbfile1          1.0.6-1             OK
libxml2              2.7.6-1             OK
libXmu6              1.0.5-1             OK
libXmuu1             1.0.5-1             OK
libXpm4              3.5.8-1             OK
libXrandr2           1.3.0-10            OK
libXrender1          0.9.5-1             OK
libXt6               1.0.7-1             OK
links                1.00pre20-1         OK
login                1.10-10             OK
luit                 1.0.5-1             OK
lynx                 2.8.5-4             OK
man                  1.6e-1              OK
minires              1.02-1              OK
mkfontdir            1.0.5-1             OK
mkfontscale          1.0.7-1             OK
openssh              5.4p1-1             OK
openssl              0.9.8m-1            OK
patch                2.5.8-9             OK
patchutils           0.3.1-1             OK
perl                 5.10.1-3            OK
rebase               3.0.1-1             OK
run                  1.1.12-11           OK
screen               4.0.3-5             OK
sed                  4.1.5-2             OK
shared-mime-info     0.70-1              OK
tar                  1.22.90-1           OK
terminfo             5.7_20091114-13     OK
terminfo0            5.5_20061104-11     OK
texinfo              4.13-3              OK
tidy                 041206-1            OK
time                 1.7-2               OK
tzcode               2009k-1             OK
unzip                6.0-10              OK
util-linux           2.14.1-1            OK
vim                  7.2.264-2           OK
wget                 1.11.4-4            OK
which                2.20-2              OK
wput                 0.6.1-2             OK
xauth                1.0.4-1             OK
xclipboard           1.1.0-1             OK
xcursor-themes       1.0.2-1             OK
xemacs               21.4.22-1           OK
xemacs-emacs-common  21.4.22-1           OK
xemacs-sumo          2007-04-27-1        OK
xemacs-tags          21.4.22-1           OK
xeyes                1.1.0-1             OK
xinit                1.2.1-1             OK
xinput               1.5.0-1             OK
xkbcomp              1.1.1-1             OK
xkeyboard-config     1.8-1               OK
xkill                1.0.2-1             OK
xmodmap              1.0.4-1             OK
xorg-docs            1.5-1               OK
xorg-server          1.7.6-2             OK
xrdb                 1.0.6-1             OK
xset                 1.1.0-1             OK
xterm                255-1               OK
xz                   4.999.9beta-10      OK
zip                  3.0-11              OK
zlib                 1.2.3-10            OK
zlib-devel           1.2.3-10            OK
zlib0                1.2.3-10            OK

SSH daemon configuration file:

$ cat /etc/sshd_config 

# $OpenBSD: sshd_config,v 1.80 2008/07/02 02:24:18 djm Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/bin:/usr/sbin:/sbin:/usr/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options change a
# default value.

Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# Disable legacy (protocol version 1) support in the server for new
# installations. In future the default will change to require explicit
# activation of protocol 1
Protocol 2

# HostKey for protocol version 1
#HostKey /etc/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh_host_rsa_key
#HostKey /etc/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin yes
StrictModes no
#MaxAuthTries 6
#MaxSessions 10

RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys

# For this to work you will also need host keys in /etc/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

# Set this to 'yes' to enable PAM authentication, account processing, 
# and session processing. If this is enabled, PAM authentication will 
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
#UsePAM no

AllowAgentForwarding yes
AllowTcpForwarding yes
GatewayPorts yes
X11Forwarding yes
X11DisplayOffset 10
X11UseLocalhost no
#PrintMotd yes
#PrintLastLog yes
TCPKeepAlive yes
#UseLogin no
UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10
#PermitTunnel no
#ChrootDirectory none

# no default banner path
#Banner none

# override default of no subsystems
Subsystem sftp /usr/sbin/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#X11Forwarding yes
#AllowTcpForwarding yes
#ForceCommand cvs server

I hope this information is enough to solve the problem. If you need more, please comment and I will add it. Thanks for reading!


6
2018-03-24 15:45






Answers:


A colleague ran into this last week, and he eventually tracked it down to the primary group in /etc/passwd needing to be the local Administrators.


3
2018-03-24 15:52



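Thank you for your answer! Windows Server 2008 Standard no longer seems to have a local Administrators group. I tried putting the user in the Administrators group and making it the primary group, but without success. So it doesn't seem to be a valid solution in this case. - Deleted
Maybe this will help.. mail-archive.com/cygwin@cygwin.com/msg104485.html - Warner
Interesting! I will try it as soon as possible! Thanks for your effort!! - Deleted
No problem. That's what my colleague said he used for the solution. - Warner
That was part of the cause. Our home directories are located on a remote server. They were not accessible when we logged in over SSH without a password. We changed the home directory to /home/username and it works (combined with your information). - Deleted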


Make sure the access permissions on ~/.ssh/ and the files beneath it are 700 or less. Otherwise ssh will ignore your authorized keys.


2
2018-04-14 18:40



I answered the same question on SU today: superuser.com/questions/130935/problem-with-shared-ssh-keys - warren


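I have three accounts on one machine (Mac OS X), and I set up all the .ssh/authorized_keys files to contain the id_rsa.pub of the other two. However, I could not "ssh" into one of the accounts from either of the other two, though they could "ssh" into each other.

The answer came from a blog post called Debugging SSH public key authentication problems. My "bad" account had group and world "write" permissions on its home directory. All I had to do was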

chmod 755 /Users/yourname

where yourname is the bad account, run while logged in to that account or with "sudo" (root) privileges. Check it out. It worked for me.


1
2017-09-24 00:56
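
The permission checks mentioned in the two answers above, as an added example (not part of any post): a POSIX shell function that flags a home directory, ~/.ssh or authorized_keys that is group- or world-writable, which is what sshd refuses to trust when StrictModes is enabled. The function names are made up for this example; note that the sshd_config in the question sets StrictModes no, which turns this server-side check off.

```shell
#!/bin/sh
# Added example: audit the mode bits that sshd's StrictModes check rejects
# on the path from the home directory down to authorized_keys.
# Function names (is_loose, check_ssh_perms) are hypothetical.
# Usage: check_ssh_perms "$HOME"

# Succeeds when the given path is writable by group or by others.
# -H follows a symlinked home directory; -prune keeps find from descending.
is_loose() {
    [ -n "$(find -H "$1" -prune \( -perm -020 -o -perm -002 \) -print 2>/dev/null)" ]
}

# Prints one line per problem found under the given home directory.
# Returns 0 when all three paths exist and none is group/other writable,
# 1 otherwise.
check_ssh_perms() {
    home=$1
    bad=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$p" ]; then
            echo "MISSING $p"
            bad=1
        elif is_loose "$p"; then
            echo "LOOSE $p (group/other writable)"
            bad=1
        fi
    done
    return $bad
}
```

A LOOSE line is fixed with chmod go-w on that path; the chmod 755 in the answer above does exactly that for the home directory.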





Good luck doing any kind of privileged task through Cygwin with an SSH key login. I had a problem with this a while ago:

http://www.cygwin.com/ml/cygwin/2007-06/msg00252.html

I ended up implementing a VPN so that you can use native Windows tools.


0
2018-04-15 11:48



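We use this implementation regularly. It helps keep the use of management tools consistent across platforms in our environment. You can't use psexec to execute software programmatically from Linux. - Warner
Cool, maybe something has changed? Or maybe I was just doing it wrong. - Cawflands
I got it working! It was thanks to Warner's response and his comments. :-) - Deleted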