A while ago, while setting up Hadoop, I added the local machine's (localhost) SSH public key to the authorized_keys file, but ssh to localhost still prompted for a password. It turned out to be a permissions problem with the $HOME/.ssh/authorized_keys file. The reason is that no user other than the owner may have write permission on authorized_keys; otherwise sshd refuses to use the file, because another user could have tampered with it.
The command-line session is shown below:
[hadoop@guest1 ~]$ cd .ssh/
[hadoop@guest1 .ssh]$ ll
total 16
-rw-rw-r-- 1 hadoop hadoop  395 Jan 12 18:37 authorized_keys
-rw------- 1 hadoop hadoop 1675 Jan 12 18:36 id_rsa
-rw-r--r-- 1 hadoop hadoop  395 Jan 12 18:36 id_rsa.pub
-rw-r--r-- 1 hadoop hadoop  796 Jan  6 08:40 known_hosts
# Note the permissions on authorized_keys here (group-writable); at this point the keys in the file have no effect.
# Use chmod to change the permissions of authorized_keys
[hadoop@guest1 .ssh]$ chmod g-w authorized_keys
[hadoop@guest1 .ssh]$ ll
total 16
-rw-r--r-- 1 hadoop hadoop  395 Jan 12 18:37 authorized_keys
-rw------- 1 hadoop hadoop 1675 Jan 12 18:36 id_rsa
-rw-r--r-- 1 hadoop hadoop  395 Jan 12 18:36 id_rsa.pub
-rw-r--r-- 1 hadoop hadoop  796 Jan  6 08:40 known_hosts
# After the change, sshd can use the authorized_keys file normally
[hadoop@guest1 ~]$ ssh localhost
Last login: Sat Jan 12 18:40:33 2013 from localhost
[hadoop@guest1 ~]$ exit
logout
Connection to localhost closed.
[hadoop@guest1 ~]$
Later I looked into it in more detail: if the authorized_keys file, the $HOME/.ssh directory, or the $HOME directory itself is writable by any user other than the owner, sshd refuses to use the keys in ~/.ssh/authorized_keys for authentication.
The description of the authorized_keys file in "man sshd" reads as follows:
man sshd
.....
     ~/.ssh/authorized_keys
             Lists the public keys (DSA/ECDSA/RSA) that can be used for logging
             in as this user.  The format of this file is described above.  The
             content of the file is not highly sensitive, but the recommended
             permissions are read/write for the user, and not accessible by
             others.

             If this file, the ~/.ssh directory, or the user's home directory
             are writable by other users, then the file could be modified or
             replaced by unauthorized users.  In this case, sshd will not allow
             it to be used unless the StrictModes option has been set to "no".
........
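To make the rule above easy to check before you start guessing, here is a small added shell script (my own example, not from the original post and not part of OpenSSH) that inspects the same three paths the man page names, reports any that are group- or world-writable, and applies the recommended permissions. The function names check_ssh_perms and fix_ssh_perms and the throwaway home directory it builds under mktemp are all constructed for the demo.

```shell
#!/bin/sh
# Added example: reproduce the StrictModes permission check described in
# "man sshd" for $HOME, $HOME/.ssh and $HOME/.ssh/authorized_keys.

# check_ssh_perms HOME_DIR
#   Prints every path among HOME_DIR, HOME_DIR/.ssh and
#   HOME_DIR/.ssh/authorized_keys that is writable by group or others
#   (the condition under which sshd ignores the file).
#   Returns 0 when all three are acceptable, 1 otherwise.
check_ssh_perms() {
    home=$1
    rc=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$p" ]; then
            echo "missing: $p"
            rc=1
            continue
        fi
        # The first ten characters of `ls -ld` are the mode string,
        # e.g. -rw-rw-r--.  Character 6 is the group write bit and
        # character 9 the other write bit; either one set is a failure.
        perm=$(ls -ld "$p" | cut -c1-10)
        case $perm in
            ?????w*|????????w*)
                echo "writable by group/others: $p ($perm)"
                rc=1
                ;;
        esac
    done
    return $rc
}

# fix_ssh_perms HOME_DIR
#   Tighten the three paths to what the man page recommends:
#   home directory not writable by others, ~/.ssh private to the user,
#   authorized_keys read/write for the user only.
fix_ssh_perms() {
    home=$1
    chmod go-w "$home"
    chmod 700 "$home/.ssh"
    chmod 600 "$home/.ssh/authorized_keys"
}

# Demo on a constructed throwaway home directory, not a real account.
demo_home=$(mktemp -d)
mkdir -p "$demo_home/.ssh"
: > "$demo_home/.ssh/authorized_keys"
chmod 755 "$demo_home"
chmod 700 "$demo_home/.ssh"
chmod 664 "$demo_home/.ssh/authorized_keys"   # same group-writable mode as in the post
echo "Before fix:"
check_ssh_perms "$demo_home" || echo "=> sshd would ignore authorized_keys here"
fix_ssh_perms "$demo_home"
echo "After fix:"
check_ssh_perms "$demo_home" && echo "=> authorized_keys would be accepted"
rm -rf "$demo_home"
```

Run it as `check_ssh_perms "$HOME"` on the account that cannot log in; the path it prints is the one to fix. The post's own `chmod g-w authorized_keys` (leaving 644) also satisfies the check, since sshd only objects to write access by others; 600 is simply the mode the man page recommends. sshd additionally requires these paths to be owned by the user or by root, which this script does not check.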