ssh key 一模一样的设置，另一个就不能登录是什么原因？

要用 user1 用户 ssh 登录两台服务器。

两个服务器，拷贝了相同的公钥：
/home/user1/.ssh/id_rsa.pub
和 /home/user1/.ssh/authorized_keys （ id_rsa.pub 拷进来的）
两个文件的权限都是 700

/home/user1 文件夹的权限是 600

id_rsa.pub 、authorized_keys 、/home/user1 的所属用户和所属组都是 user1

/etc/ssh/sshd_config 设置的也是一模一样的，也重新启动了 sshd service 。

为什么一台可以登录，一台就登录不了呢？
提示这个错误：

Permission denied (publickey).

每次都被这种东西卡住了，

/etc/ssh/sshd_config 配置都是这样的：

# Package generated configuration file
# See the sshd_config(5) manpage for details

# What ports, IPs and protocols we listen for
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation no

# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 1024

# Logging
SyslogFacility AUTH
LogLevel INFO

# Authentication:
LoginGraceTime 120
PermitRootLogin no
StrictModes yes

RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile     %h/.ssh/authorized_keys

# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes

# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no

# Change to no to disable tunnelled clear text passwords
PasswordAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no

#MaxStartups 10:30:60
#Banner /etc/issue.net

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

Subsystem sftp /usr/lib/openssh/sftp-server

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin yes
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM no

Osk

2021-12-08 02:08:11 +08:00

@selfcreditgiving 公钥只是避免别人暴力试出密码, 但它进行中的尝试仍然会继续, 每次尝试都会记录 sshd 日志, 日志仍然会涨.

ssh 的部分建议:
不要用默认的 22 端口, 减少一些批量脚本工具有事没事的扫描.
不要使用密码登录, 而是使用公钥或者两步认证登录, 避免被试出密码进入.
禁止 root 用户登录.
限制 sshd 连接数, 但有把自己锁到外边无法登录的风险.
使用 sshguard, fail2ban 或者端口敲门等办法减少被扫描的次数.

另外, 建议使用跳板机管理你的服务器: 这样的话, 攻击者首先要破解了跳板机的登录才可以进行后续的扫描, 大大降低了其它生产服务器被 ssh 暴力攻击的次数, 跳板机的 sshd 日志涨就让它涨吧, 反正生产服务器不涨就行.

当然, 使用 vpn 来保护也是不错的方案, 不过我觉得 vpn 可能也有被扫描的问题, 不如把 sshd 的安全做好.

至于如何做, 确实没有很统一的做法, linux 发行版间碎片化太严重了, 只能根据你当前的发型版去看官方的 wiki 或者手册.

另外, windows rdp 3389 更不好搞, 两部认证, 证书登录什么的, 都相当不容易配置, 比 ssh 配置麻烦多了.

ssh key 一模一样的设置，另一个就不能 登录是什么原因？

ssh key 一模一样的设置，另一个就不能登录是什么原因？