Fixing "Permission denied (publickey)" when logging in remotely with an SSH key


Problem

On a freshly created Google Cloud server, a remote SSH login reports:

root@172.23.2.3: Permission denied (publickey).

I checked: the key had been added to .ssh/authorized_keys, and its permissions were already 600.

Troubleshooting and fix

Check /var/log/auth.log to find the cause.
The log shows several error messages; among them, "Authentication refused: bad ownership or modes for directory /root/.ssh" means SSH refused authentication because the /root/.ssh directory, or its permissions, is set incorrectly.

Steps to fix:

  1. Check and fix the permissions of the /root/.ssh directory
    SSH is very strict about directory and file permissions, especially for the .ssh directory. Make sure /root/.ssh is mode 700 and /root/.ssh/authorized_keys is mode 600. You can fix the permissions with the following commands:

    chmod 700 /root/.ssh
    chmod 600 /root/.ssh/authorized_keys
  2. Confirm the permissions of the /root directory
    The log also says "bad ownership or modes for directory /root", which means the permissions of /root itself may also be wrong. Make sure /root is mode 700:

    chmod 700 /root
  3. Confirm the ownership of the directories and files
    These directories and files should belong to the root user and group. You can check and fix their ownership with the following commands:

    chown root:root /root
    chown root:root /root/.ssh
    chown root:root /root/.ssh/authorized_keys
  4. Restart the SSH service
    After changing the permissions, restart the SSH service so the change takes effect:

    sudo systemctl restart sshd
  5. Try connecting again
    After fixing the permissions and ownership, try connecting with the SSH key again:

    ssh root@172.23.2.3

Once these steps have corrected the permission problem, public-key authentication works again.
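The refusal in the log comes from sshd's StrictModes check, which inspects the key file and every directory from .ssh up to the home directory before it will read authorized_keys. The script below is an added example, not part of the original post, that re-implements that check so a host can be audited before the next login fails; it goes slightly beyond the post in that it applies sshd's actual rule (owner must be the user or root, and no group- or world-write bit, so 0755 would pass where 0777 is refused). It assumes GNU coreutils stat on Linux, as on the Google Cloud image shown.

```shell
#!/bin/sh
# Added example (not from the original post): reproduce the ownership and
# mode test behind "Authentication refused: bad ownership or modes for
# directory ...". Assumes GNU stat (-c %u / %A).

# check_path PATH EXPECTED_UID
# Prints one violation per line; returns 1 if sshd would refuse this path.
check_path() {
  path=$1; want_uid=$2; rc=0
  if [ ! -e "$path" ]; then echo "missing: $path"; return 1; fi
  uid=$(stat -c %u "$path")
  perm=$(stat -c %A "$path")          # e.g. drwxrwxrwx
  # sshd accepts the login user or root as owner, nobody else
  if [ "$uid" != "$want_uid" ] && [ "$uid" != 0 ]; then
    echo "bad ownership: $path (uid $uid, expected $want_uid or 0)"; rc=1
  fi
  # any group- or world-write bit (mode & 022) is refused; 0777 on
  # /root and /root/.ssh is exactly what the post's stat output showed
  case $perm in
    ?????w*|????????w*) echo "bad modes: $path is $perm"; rc=1 ;;
  esac
  return $rc
}

# check_authorized_keys HOME_DIR EXPECTED_UID
# Walks what sshd walks: the key file, then .ssh, then the home directory.
check_authorized_keys() {
  home=$1; want_uid=$2; failed=0
  check_path "$home/.ssh/authorized_keys" "$want_uid" || failed=1
  check_path "$home/.ssh" "$want_uid" || failed=1
  check_path "$home" "$want_uid" || failed=1
  return $failed
}

# Demo on a constructed throw-away home in the post's broken state (0777 on
# the home and on .ssh): it must be refused, then pass after the post's fix.
# Returns 0 only if both outcomes are as expected.
demo_broken_then_fixed() {
  tmp=$(mktemp -d) || return 1
  mkdir "$tmp/.ssh" && : > "$tmp/.ssh/authorized_keys"
  chmod 777 "$tmp" "$tmp/.ssh"; chmod 600 "$tmp/.ssh/authorized_keys"
  me=$(id -u); ok=1
  check_authorized_keys "$tmp" "$me" && ok=0       # must be refused here
  chmod 700 "$tmp" "$tmp/.ssh"                      # the fix from the post
  check_authorized_keys "$tmp" "$me" || ok=0        # must pass now
  rm -rf "$tmp"
  [ "$ok" = 1 ]
}
```

Run it on a live host as `check_authorized_keys /root 0` before restarting anything; a clean run prints nothing and exits 0.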

Related commands and log output on the target host

root@instance-20250227-014344:~/.ssh# grep -v ^# /etc/ssh/sshd_config|grep -v ^$
TrustedUserCAKeys /etc/ssh/oslogin_trustedca.pub
AuthorizedPrincipalsCommand /usr/bin/google_authorized_principals %u %k
AuthorizedPrincipalsCommandUser root
AuthorizedKeysCommand /usr/bin/google_authorized_keys
AuthorizedKeysCommandUser root
PermitRootLogin yes
PubkeyAuthentication yes
AuthorizedKeysFile      .ssh/authorized_keys .ssh/authorized_keys2
PasswordAuthentication no
KbdInteractiveAuthentication no
UsePAM yes
X11Forwarding yes
PrintMotd no
AcceptEnv LANG LC_*
Subsystem       sftp    /usr/lib/openssh/sftp-server
root@instance-20250227-014344:~/.ssh# cd
root@instance-20250227-014344:~# stat .ssh/authorized_keys 
  File: .ssh/authorized_keys
  Size: 565             Blocks: 8          IO Block: 4096   regular file
Device: 8,1     Inode: 8565        Links: 1
Access: (0600/-rw-------)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2025-03-24 07:56:36.094608868 +0000
Modify: 2025-03-24 07:56:21.792633616 +0000
Change: 2025-03-24 07:56:21.796633609 +0000
 Birth: 2025-03-24 07:56:21.792633616 +0000
root@instance-20250227-014344:~# cat  .ssh/authorized_keys 
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDWeamj7i7UAv9A8pWF0W1eoLhtOmy5YM7FsQZpw2YFucQxziZ4Om9gWi75M5bQt56dDrX9O7TBRTitO1edq8+VgHkJjPFZou6114aK8M6f+zvZRCtsD7Gwy9Y8s7HHRocwGG9tNJMQoMuGt+c+qRU7JANpjNZ2joZGLYw6r6MFWkUj1yJGGuPDeRcVvvRJQ8T5gDA2+F9DmFEGY+a2hElLawqZ54aGyF5k782PD/6C2cIyw6gZLWnugK3JiKuKqN5c8rua22DzM8yEv8LWkYml7v29q1OZ2THX+P2eMQcEpQYAihJCOHVC8oX6/dXY9tHxD8Ulukecu6L5pFKFna96lgUttQS1bOXl237R3jCZEw3y2z4Z2VIec6Wf2FkGXMc05gr+zXR1uDtGyMttob9uI/dONduXnccUPvtd71aJTfG/mRul+60WmvSYvr9wykt8xcNXP5e2zju7YKrQjdROHwoGkSAmwDt1B5WXdsoyyyrqCTylcmJvpxCtSC7s+eU= root@devops
root@instance-20250227-014344:~# stat .ssh
  File: .ssh
  Size: 4096            Blocks: 8          IO Block: 4096   directory
Device: 8,1     Inode: 1741        Links: 2
Access: (0777/drwxrwxrwx)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2025-03-24 07:57:24.433525223 +0000
Modify: 2025-03-24 07:56:38.768604242 +0000
Change: 2025-03-24 07:56:38.768604242 +0000
 Birth: 2025-02-14 08:41:00.193712462 +0000
root@instance-20250227-014344:~# chmod 700 .ssh
root@instance-20250227-014344:~# tail -f /var/log/auth.log
2025-03-24T07:59:30.282155+00:00 instance-20250227-014344 sshd[261638]: Connection closed by authenticating user root 39.105.231.200 port 52222 [preauth]
2025-03-24T08:00:40.118922+00:00 instance-20250227-014344 sshd[261646]: Authentication refused: bad ownership or modes for directory /root/.ssh
2025-03-24T08:02:06.364068+00:00 instance-20250227-014344 sshd[261658]: userauth_pubkey: signature algorithm ssh-rsa not in PubkeyAcceptedAlgorithms [preauth]
2025-03-24T08:02:06.608020+00:00 instance-20250227-014344 sshd[261658]: Authentication refused: bad ownership or modes for directory /root/.ssh
2025-03-24T08:02:15.428841+00:00 instance-20250227-014344 sshd[261658]: Connection closed by authenticating user root 139.19.117.130 port 44214 [preauth]
2025-03-24T08:03:32.599873+00:00 instance-20250227-014344 sshd[261667]: Authentication refused: bad ownership or modes for directory /root/.ssh
2025-03-24T08:03:32.955672+00:00 instance-20250227-014344 sshd[261667]: Connection closed by authenticating user root 39.105.231.200 port 56770 [preauth]
2025-03-24T08:04:09.633179+00:00 instance-20250227-014344 sshd[261672]: Authentication refused: bad ownership or modes for directory /root
2025-03-24T08:04:09.983825+00:00 instance-20250227-014344 sshd[261672]: Connection closed by authenticating user root 39.105.231.200 port 45262 [preauth]
2025-03-24T08:04:35.457048+00:00 instance-20250227-014344 sshd[261675]: Unable to negotiate with 218.92.0.207 port 58228: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1 [preauth]
2025-03-24T08:05:01.508890+00:00 instance-20250227-014344 CRON[261678]: pam_unix(cron:session): session opened for user root(uid=0) by root(uid=0)
2025-03-24T08:05:01.513743+00:00 instance-20250227-014344 CRON[261678]: pam_unix(cron:session): session closed for user root
2025-03-24T08:05:09.099032+00:00 instance-20250227-014344 sshd[261681]: Authentication refused: bad ownership or modes for directory /root
2025-03-24T08:05:09.444370+00:00 instance-20250227-014344 sshd[261681]: Connection closed by authenticating user root 39.105.231.200 port 53646 [preauth]
2025-03-24T08:05:25.190313+00:00 instance-20250227-014344 sshd[261684]: Connection closed by 71.6.232.22 port 54636 [preauth]
2025-03-24T08:05:49.136226+00:00 instance-20250227-014344 sshd[261687]: Connection closed by authenticating user root 118.38.239.52 port 56204 [preauth]
^C
root@instance-20250227-014344:~# ^C
root@instance-20250227-014344:~# chmod 700 /root/.ssh
chmod 600 /root/.ssh/authorized_keys
root@instance-20250227-014344:~# 
root@instance-20250227-014344:~# chown root:root /root
chown root:root /root/.ssh
chown root:root /root/.ssh/authorized_keys
root@instance-20250227-014344:~# 
root@instance-20250227-014344:~# stat /root/
  File: /root/
  Size: 4096            Blocks: 8          IO Block: 4096   directory
Device: 8,1     Inode: 1738        Links: 5
Access: (0777/drwxrwxrwx)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2025-03-24 08:02:27.738000369 +0000
Modify: 2025-03-24 07:58:54.715368995 +0000
Change: 2025-03-24 08:06:12.720611051 +0000
 Birth: 2025-02-14 08:41:00.193712462 +0000
root@instance-20250227-014344:~# chmod 700 /root
