背景
需要搭建jenkins,用來自動部署服務到目標服務器, 所以需要在jenkins所在機器配置免密登錄目標服務器
環境
阿里雲服務器:服務器A(jenkins所在服務器),服務器B(部署目標服務器)
步驟
一 服務器A部分
1 登錄A,
2 生成秘鑰
1)首先查看.ssh下是否已經有id_rsa和id_rsa.pub文件, 以免被覆蓋
2)生成秘鑰
ssh-keygen -t rsa -C "xxx@jenkins"
3)將在.ssh文件夾下生成2個文件 id_rsa, id_rsa.pub, 重命名為 id_rsa_jenkins,id_rsa_jenkins.pub 以免以后沖突
3 配置config
在~/.ssh 下 創建config文件
Host pre1 HostName xx.xx.xx.xx Host pre2 HostName xx.xx.xx.xx Host * User 登錄目標機器的用戶 Port 登錄目標機器的端口 IdentityFile ~/.ssh/id_rsa_jenkins 私鑰所在路徑
由於用戶,端口號,秘鑰, 都是通用的,所以以通配符來配置, 只有服務器地址不同, 每個目標服務器單獨配置
4 拷貝 id_rsa_jenkins.pub 內的內容
二 服務器B部分
1 使用要免密登錄的賬戶登錄服務器B
2 在~/.ssh文件夾下 查看是否有 authorized_keys 沒有則創建
3 將id_rsa_jenkins.pub的內容, 追加到authorized_keys后面
4 查看 /ect/ssh/sshd_config
需要有如下配置
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile %h/.ssh/authorized_keys
5 切換到root用戶 重啟 sshd : service sshd restart
結果
在服務器A ssh pre1
結果還讓輸入密碼, 一定是我哪里配置的不對, 查找問題
解決問題
開兩個窗口, 分別登錄服務器A和B
服務器B:
1 登錄root用戶
2 停止ssh service ssh stop
3 debug運行ssh /usr/sbin/sshd -d
服務器A:嘗試ssh : ssh -v pre1 查看詳情
服務器A日志:
OpenSSH_7.6p1 Ubuntu-4ubuntu0.4, OpenSSL 1.0.2n 7 Dec 2017 debug1: Reading configuration data /var/lib/jenkins/.ssh/config debug1: /var/lib/jenkins/.ssh/config line 5: Applying options for pre1 debug1: /var/lib/jenkins/.ssh/config line 8: Applying options for * debug1: Reading configuration data /etc/ssh/ssh_config debug1: /etc/ssh/ssh_config line 19: Applying options for * debug1: Connecting to **.**.**.** [**.**.**.**] port ****. debug1: Connection established. debug1: identity file /var/lib/jenkins/.ssh/id_rsa_jenkins type 0 debug1: key_load_public: No such file or directory debug1: identity file /var/lib/jenkins/.ssh/id_rsa_jenkins-cert type -1 debug1: Local version string SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.4 debug1: Remote protocol version 2.0, remote software version OpenSSH_7.2p2 Ubuntu-4ubuntu2.4 debug1: match: OpenSSH_7.2p2 Ubuntu-4ubuntu2.4 pat OpenSSH* compat 0x04000000 debug1: Authenticating to **.**.**.**:**** as 'username' debug1: SSH2_MSG_KEXINIT sent debug1: SSH2_MSG_KEXINIT received debug1: kex: algorithm: curve25519-sha256@libssh.org debug1: kex: host key algorithm: ecdsa-sha2-nistp256 debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none debug1: expecting SSH2_MSG_KEX_ECDH_REPLY debug1: Server host key: ecdsa-sha2-nistp256 SHA256:+/jjmuxy3eZ61XEguY2327fz7OfrhIks1edgLK3AnWY debug1: Host '[**.**.**.**]:****' is known and matches the ECDSA host key. debug1: Found key in /var/lib/jenkins/.ssh/known_hosts:4 debug1: rekey after 134217728 blocks debug1: SSH2_MSG_NEWKEYS sent debug1: expecting SSH2_MSG_NEWKEYS debug1: SSH2_MSG_NEWKEYS received debug1: rekey after 134217728 blocks debug1: SSH2_MSG_EXT_INFO received debug1: kex_input_ext_info: server-sig-algs=<rsa-sha2-256,rsa-sha2-512> debug1: SSH2_MSG_SERVICE_ACCEPT received debug1: Authentications that can continue: publickey,password debug1: Next authentication method: publickey debug1: Offering public key: RSA SHA256:XS0Qkck+0F5M0iJdLn3/owfK9QGxPSQxRoYcCGcb9zQ /var/lib/jenkins/.ssh/id_rsa_jenkins debug1: Authentications that can continue: publickey,password debug1: Next authentication method: password
發現在登錄過程中,嘗試證書認證,但是沒有認證通過, 改為密碼登錄, 於是查看服務器B日志,看看因為什么導致證書認證錯誤
服務器B日志
debug1: sshd version OpenSSH_7.2, OpenSSL 1.0.2g 1 Mar 2016 debug1: private host key #0: ssh-rsa SHA256:FdwiwpgHBW6MTxKJSkVYbtYS/H/kYr+o6JAoFjzOrY8 debug1: private host key #1: ssh-dss SHA256:thpjst+JHWAjnRyEDtOjWeVNO7JFl5K2FETPSLU5hcg debug1: private host key #2: ecdsa-sha2-nistp256 SHA256:+/jjmuxy3eZ61XEguY2327fz7OfrhIks1edgLK3AnWY debug1: private host key #3: ssh-ed25519 SHA256:9X0yrjSoRLi/AM/oyozk3Sgd+G0JoDyJbIZFv1rt1Rg debug1: rexec_argv[0]='/usr/sbin/sshd' debug1: rexec_argv[1]='-d' debug1: Set /proc/self/oom_score_adj from 0 to -1000 debug1: Bind to port **** on 0.0.0.0. Server listening on 0.0.0.0 port ****. debug1: Server will not fork when running in debugging mode. debug1: rexec start in 4 out 4 newsock 4 pipe -1 sock 7 debug1: inetd sockets after dupping: 3, 3 Connection from **.**.**.** port **** on **.**.**.** port **** debug1: Client protocol version 2.0; client software version OpenSSH_7.6p1 Ubuntu-4ubuntu0.4 debug1: match: OpenSSH_7.6p1 Ubuntu-4ubuntu0.4 pat OpenSSH* compat 0x04000000 debug1: Enabling compatibility mode for protocol 2.0 debug1: Local version string SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.4 debug1: permanently_set_uid: 109/65534 [preauth] debug1: list_hostkey_types: ssh-rsa,rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519 [preauth] debug1: SSH2_MSG_KEXINIT sent [preauth] debug1: SSH2_MSG_KEXINIT received [preauth] debug1: kex: algorithm: curve25519-sha256@libssh.org [preauth] debug1: kex: host key algorithm: ecdsa-sha2-nistp256 [preauth] debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none [preauth] debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none [preauth] debug1: expecting SSH2_MSG_KEX_ECDH_INIT [preauth] debug1: rekey after 134217728 blocks [preauth] debug1: SSH2_MSG_NEWKEYS sent [preauth] debug1: expecting SSH2_MSG_NEWKEYS [preauth] debug1: rekey after 134217728 blocks [preauth] debug1: SSH2_MSG_NEWKEYS received [preauth] debug1: KEX done [preauth] debug1: userauth-request for user username service ssh-connection method none [preauth] debug1: attempt 0 failures 0 [preauth] debug1: PAM: initializing for "username" debug1: PAM: setting PAM_RHOST to "**.**.**.**" debug1: PAM: setting PAM_TTY to "ssh" debug1: userauth-request for user username service ssh-connection method publickey [preauth] debug1: attempt 1 failures 0 [preauth] debug1: userauth_pubkey: test whether pkalg/pkblob are acceptable for RSA SHA256:XS0Qkck+0F5M0iJdLn3/owfK9QGxPSQxRoYcCGcb9zQ [preauth] debug1: temporarily_use_uid: 1000/1000 (e=0/0) debug1: trying public key file /home/username/.ssh/authorized_keys debug1: fd 4 clearing O_NONBLOCK Authentication refused: bad ownership or modes for directory /home/usernamedebug1: restore_uid: 0/0 Failed publickey for username from **.**.**.** port **** ssh2: RSA SHA256:XS0Qkck+0F5M0iJdLn3/owfK9QGxPSQxRoYcCGcb9zQ Connection closed by **.**.**.** port **** [preauth] debug1: do_cleanup [preauth] debug1: monitor_read_log: child log fd closed debug1: do_cleanup debug1: PAM: cleanup debug1: Killing privsep child 17849 debug1: audit_event: unhandled event 12
核心部分, /home/username 用戶文件夾權限不對, 修改為700 :chmod 700 /home/username
再來一遍
又出現了
Authentication refused: bad ownership or modes for directory /home/username/.ssh
改為700
再來一遍 鏈接成功
最后提醒, 解決完了千萬別忘記將服務器B的ssh再啟動起來
最后提醒, 解決完了千萬別忘記將服務器B的ssh再啟動起來
最后提醒, 解決完了千萬別忘記將服務器B的ssh再啟動起來