
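Passwordless SSH login failure (an unusual case)

Problem description:

Last week I set up a big data platform for my company on three machines, and installation and configuration went smoothly. Later I found that the disk mounted at /home was too small, so I expanded it. Before expanding, I copied the /home/hadoop folder elsewhere, and after expanding I copied it back. That is where the problem started: once the hadoop folder had been migrated back, passwordless SSH no longer worked.

Troubleshooting:

1. Check permissions

chmod 600 ~/.ssh/authorized_keys
chmod 700 ~/.ssh/

2. Debug SSH

View the log with the command ssh -vvv master: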

OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to master [127.0.0.1] port 22.
debug1: Connection established.
debug1: identity file /home/hadoop/.ssh/identity type -1
debug1: identity file /home/hadoop/.ssh/identity-cert type -1
debug3: Not a RSA1 key file /home/hadoop/.ssh/id_rsa.
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug3: key_read: missing keytype
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug2: key_type_from_name: unknown key type '-----END'
debug3: key_read: missing keytype
debug1: identity file /home/hadoop/.ssh/id_rsa type 1
debug1: identity file /home/hadoop/.ssh/id_rsa-cert type -1
debug1: identity file /home/hadoop/.ssh/id_dsa type -1
debug1: identity file /home/hadoop/.ssh/id_dsa-cert type -1
debug1: identity file /home/hadoop/.ssh/id_ecdsa type -1
debug1: identity file /home/hadoop/.ssh/id_ecdsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
debug1: match: OpenSSH_5.3 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.3
debug2: fd 3 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
debug3: Wrote 960 bytes for a total of 981
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: [email protected],[email protected],[email protected],[email protected],ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected]
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected]
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,[email protected],hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,[email protected],hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,[email protected],zlib
debug2: kex_parse_kexinit: none,[email protected],zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected]
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected]
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,[email protected],hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,[email protected],hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,[email protected]
debug2: kex_parse_kexinit: none,[email protected]
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: found hmac-md5
debug1: kex: server->client aes128-ctr hmac-md5 none
debug2: mac_setup: found hmac-md5
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug3: Wrote 24 bytes for a total of 1005
debug2: dh_gen_key: priv key bits set: 114/256
debug2: bits set: 512/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug3: Wrote 144 bytes for a total of 1149
debug3: check_host_in_hostfile: host master filename /home/hadoop/.ssh/known_hosts
debug3: check_host_in_hostfile: host master filename /home/hadoop/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 5
debug1: Host 'master' is known and matches the RSA host key.
debug1: Found key in /home/hadoop/.ssh/known_hosts:5
debug2: bits set: 525/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug3: Wrote 16 bytes for a total of 1165
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug3: Wrote 48 bytes for a total of 1213
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /home/hadoop/.ssh/identity ((nil))
debug2: key: /home/hadoop/.ssh/id_rsa (0x2ae9888a6330)
debug2: key: /home/hadoop/.ssh/id_dsa ((nil))
debug2: key: /home/hadoop/.ssh/id_ecdsa ((nil))
debug3: Wrote 64 bytes for a total of 1277
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug3: start over, passed a different list publickey,gssapi-keyex,gssapi-with-mic,password
debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup gssapi-keyex
debug3: remaining preferred: gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-keyex
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug2: we did not send a packet, disable method
debug3: authmethod_lookup gssapi-with-mic
debug3: remaining preferred: publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-with-mic
debug1: Next authentication method: gssapi-with-mic
debug3: Trying to reverse map address 127.0.0.1.
debug1: Unspecified GSS failure. Minor code may provide more information
Credentials cache file '/tmp/krb5cc_501' not found
debug1: Unspecified GSS failure. Minor code may provide more information
Credentials cache file '/tmp/krb5cc_501' not found
debug1: Unspecified GSS failure. Minor code may provide more information
debug1: Unspecified GSS failure. Minor code may provide more information
Credentials cache file '/tmp/krb5cc_501' not found
debug2: we did not send a packet, disable method
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /home/hadoop/.ssh/identity
debug3: no such identity: /home/hadoop/.ssh/identity
debug1: Offering public key: /home/hadoop/.ssh/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug3: Wrote 368 bytes for a total of 1645
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Trying private key: /home/hadoop/.ssh/id_dsa
debug3: no such identity: /home/hadoop/.ssh/id_dsa
debug1: Trying private key: /home/hadoop/.ssh/id_ecdsa
debug3: no such identity: /home/hadoop/.ssh/id_ecdsa
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred: ,password
debug3: authmethod_is_enabled password
debug1: Next authentication method: password

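3. Nothing in the log pointed to a permission problem. Comparing with a machine where passwordless login works normally showed the following difference:


During this time I tried creating a new user, test, and configuring passwordless SSH for it; that still did not work. However, passwordless SSH for the root user was fine. That pointed back to a permission problem, yet all the permissions checked out.

4. Just as I was about to give up, I found this post: http://www.linuxidc.com/Linux/2013-07/87267.htm

After reading it I immediately checked my .ssh directory with ls -laZ: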

[[email protected] ~]$ ls -laZ .ssh

drwx------. hadoop hadoop unconfined_u:object_r:file_t:s0  .

drwxr-xr-x. hadoop hadoop unconfined_u:object_r:file_t:s0  ..

-rw-------. hadoop hadoop unconfined_u:object_r:file_t:s0  authorized_keys

-rw-------. hadoop hadoop unconfined_u:object_r:file_t:s0  id_rsa

-rw-r--r--. hadoop hadoop unconfined_u:object_r:file_t:s0  id_rsa.pub

-rw-r--r--. hadoop hadoop unconfined_u:object_r:file_t:s0  id_rsa.pub.slave1

-rw-r--r--. hadoop hadoop unconfined_u:object_r:file_t:s0  id_rsa.pub.slave2

-rw-r--r--. hadoop hadoop unconfined_u:object_r:file_t:s0  known_hosts

Mine was the same: "sure enough, not ssh_home_t".

5. Fix:

Switch to the root user and restore the context:

[[email protected] ~]# restorecon -r -vv /home/ 

[[email protected] ~]$ ls -laZ .ssh

drwx------. hadoop hadoop unconfined_u:object_r:ssh_home_t:s0 .

drwxr-xr-x. hadoop hadoop unconfined_u:object_r:user_home_dir_t:s0 ..

-rw-------. hadoop hadoop unconfined_u:object_r:ssh_home_t:s0 authorized_keys

-rw-------. hadoop hadoop unconfined_u:object_r:ssh_home_t:s0 id_rsa

-rw-r--r--. hadoop hadoop unconfined_u:object_r:ssh_home_t:s0 id_rsa.pub

-rw-r--r--. hadoop hadoop unconfined_u:object_r:ssh_home_t:s0 id_rsa.pub.slave1

-rw-r--r--. hadoop hadoop unconfined_u:object_r:ssh_home_t:s0 id_rsa.pub.slave2

-rw-r--r--. hadoop hadoop unconfined_u:object_r:ssh_home_t:s0 known_hosts


6. Verify the fix:

[[email protected] ~]$ ssh master

Last login: Wed May 31 09:01:48 2017 from 10.0.17.19

Starting Nexus OSS...

Started Nexus OSS.

-bash: /etc/profile.d/mystart.sh: line 2: syntax error near unexpected token `&&'

-bash: /etc/profile.d/mystart.sh: line 2: ` && '

[[email protected] ~]$ 


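7. Summary:

The root cause was that I moved the /home/hadoop directory, and when I moved it back I did so as the root user. Even though I changed the ownership back to hadoop:hadoop, the SELinux context of the files under the directory had changed, and SSH authentication is very strict: the context must be ssh_home_t.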
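
Added example (not part of the original post): the label check from steps 4 and 5 as a script. It reads ls -laZ output and lists every entry whose SELinux type is not ssh_home_t; the function names are made up for this example and the sample listing is constructed from the one shown in step 4.

```shell
#!/bin/sh
# Added example: list ~/.ssh entries whose SELinux type is not ssh_home_t.
# Function names are hypothetical; nothing here changes any label.

EXPECTED_TYPE="ssh_home_t"   # type the post says sshd requires

# Constructed sample based on the post's "before" listing, with id_rsa
# given the correct type for contrast.
sample_listing() {
    cat <<'EOF'
drwx------. hadoop hadoop unconfined_u:object_r:file_t:s0  .
drwxr-xr-x. hadoop hadoop unconfined_u:object_r:file_t:s0  ..
-rw-------. hadoop hadoop unconfined_u:object_r:file_t:s0  authorized_keys
-rw-------. hadoop hadoop unconfined_u:object_r:ssh_home_t:s0  id_rsa
-rw-r--r--. hadoop hadoop unconfined_u:object_r:file_t:s0  known_hosts
EOF
}

# Read `ls -laZ` lines on stdin and print "name type" for each entry whose
# type differs from EXPECTED_TYPE. The context is found by its shape
# (user:role:type:level) rather than by column, so the long `ls -Z` layout
# of newer coreutils also works. Names containing spaces are not handled.
mislabelled_entries() {
    awk -v want="$EXPECTED_TYPE" '
    {
        name = $NF
        if (name == "..") next      # the home directory has its own type
        for (i = 1; i < NF; i++) {
            n = split($i, ctx, ":")
            if (n >= 4 && ctx[2] ~ /_r$/) {
                if (ctx[3] != want) print name, ctx[3]
                next
            }
        }
    }'
}

# Number of mislabelled entries in a listing; 0 means every label matches.
count_mislabelled() {
    mislabelled_entries | wc -l | tr -d ' '
}

# Demo on the constructed sample.
sample_listing | mislabelled_entries
```

On a live host, pipe the output of ls -laZ ~/.ssh into mislabelled_entries. Running restorecon -n -v -R ~/.ssh reports what it would relabel without changing anything.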
