1. Background
For a project I looked into OSSEC, which has an agentless feature that can perform remote file integrity checking. For convenience, I decided to handle the login with certificate (SSH key) mode.
2. Configuration process
The following is copied directly from http://praetorianprefect.com/archives/2009/11/ossec-agentless-to-save-the-day/
obsd46# sudo -u ossec ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/var/ossec/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /var/ossec/.ssh/id_rsa.
Your public key has been saved in /var/ossec/.ssh/id_rsa.pub.
The key fingerprint is:
b8:c3:47:9a:33:09:5c:eb:54:a0:82:39:a6:06:63:08 ossec@obsd45.ptnsecurity.com
The key's randomart image is:
+--[ RSA 2048]----+
|E .              |
|oo . .           |
|Bo. . . .        |
|=o o . +         |
|.. o + S         |
|. = *            |
| @ .             |
| =               |
|                 |
+-----------------+
Now that the SSH keys are present, we can add the host without a password. The special command line argument used with register_host.sh is NOPASS, in all capitals, which will tell the OSSEC-supplied scripts to make use of SSH keys.
obsd46# /var/ossec/agentless/register_host.sh add root@172.17.20.20 NOPASS
Enabling SSH key on the host to be monitored.
You will now need to securely get the contents of /var/ossec/.ssh/id_rsa.pub to 172.17.20.20.
Using SSH and the password for a single time will make this simple. This will create /root/.ssh if it is not already created, but might throw an error, as it does if the directory is already present. This is not a problem and can be ignored.
obsd46# cat /var/ossec/.ssh/id_rsa.pub | ssh root@172.17.20.20 "( mkdir /root/.ssh/; cat - >> /root/.ssh/authorized_keys )"
root@172.17.20.20's password:
mkdir: cannot create directory `/root/.ssh/': File exists
obsd46# ssh root@172.17.20.20 "cat /root/.ssh/authorized_keys "
root@172.17.20.20's password:
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAzyTBo7CqkI0TISR9S+KPS/gYY60nkD7Qe8wTTXrAEFvPNFJNJJpVVKsij6zw86lvTZ6hx9ib1M+MXvt+70uF/z1hYwnYrczR2TR03Z5nwOUA9OK61nBWXVwCi9GsQs6OeomY9vkBDoKzB52+TKKSk9ZoC+HYPiT5SaiHZvMOV7kWuwF67lnYwlG5FdkRdOiXp7DcRjje4/Hixg7RLLl7odEXpIakzGfalt3yQDmwvSUZhyg3OuoKimTeNiKU/jlHlmEPuDZpiQe6QhFH38EeEIZTdHsYITodl8sY+n9IeNMalGIHPs+bph+qcK+6cOb1RGaeGqJBFjaqPUyismz0bw== ossec@obsd45.ptnsecurity.com
We can also verify that it worked with the following command.
obsd46# sudo -u ossec ssh root@172.17.20.20
The authenticity of host '172.17.20.20 (172.17.20.20)' can't be established.
RSA key fingerprint is 14:cd:f2:e9:c3:5b:07:28:68:75:a7:b5:88:c2:6b:77.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.17.20.20' (RSA) to the list of known hosts.
Last login: Tue Oct 6 12:40:05 2009 from 172.17.20.154
[linux26.ptnsecurity.com ~]# exit
3. Problems
After all of the fiddling above, logging in with the root account worked fine,
but logging in with the ordinary account mytest kept failing. Searching the web turned up the following:
http://www.2cto.com/os/201206/137286.html
http://serverfault.com/questions/230771/ssh-configuration-publickeys-permission-denied-publickey-password-error
There was another URL as well, which I can't recall at the moment.
Along the way I tried turning password authentication off, which immediately gave the error: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
Finally I checked /var/log/secure: Authentication refused: bad ownership or modes for directory /home/mytest/.ssh
Then I remembered a line from that URL I had forgotten: the .ssh directory needs to be 755, not 775... Changed it and it worked!!!! Done.
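The two things that went wrong above are the remote-side key installation (the one-liner fails noisily when /root/.ssh already exists and leaves modes to the umask) and sshd's StrictModes check, which refuses authorized_keys when the home directory, .ssh, or the key file is group- or world-writable (775 fails, 755 and 700 pass). The following is an added example, not code from the original post, from OSSEC, or from the quoted praetorianprefect article: install_authorized_key installs a key idempotently with safe modes, and check_ssh_perms reproduces the mode part of sshd's check locally so the "bad ownership or modes" refusal can be predicted before attempting a login. The function names, the temporary directory, and the sample key string are constructed for the example; sshd additionally checks file ownership, which this script does not.

```shell
#!/bin/sh
# Added example (not from the original post or from OSSEC). Paths and the key
# string below are constructed for demonstration.

# install_authorized_key HOME PUBKEY
# Appends PUBKEY to HOME/.ssh/authorized_keys exactly once, creating the
# directory with mode 700 and the file with mode 600 instead of relying on
# the umask. Safe to re-run, unlike "mkdir dir; cat >> file".
install_authorized_key() {
    home="$1"; pubkey="$2"
    sshdir="$home/.ssh"
    authkeys="$sshdir/authorized_keys"
    [ -d "$sshdir" ] || mkdir -m 700 "$sshdir" || return 1
    chmod 700 "$sshdir" || return 1
    if [ ! -f "$authkeys" ]; then
        ( umask 077; : > "$authkeys" ) || return 1
    fi
    chmod 600 "$authkeys" || return 1
    # Idempotent append: skip if this exact key line is already present.
    if ! grep -qxF "$pubkey" "$authkeys"; then
        printf '%s\n' "$pubkey" >> "$authkeys"
    fi
}

# check_ssh_perms HOME
# Mirrors the mode part of sshd's StrictModes rule: HOME, HOME/.ssh and
# HOME/.ssh/authorized_keys must exist and must not be group- or
# world-writable. Prints the first offending path and returns 1, or returns 0
# when sshd would accept the key file. Portable: parses "ls -ld" rather than
# the non-portable stat(1) flags.
check_ssh_perms() {
    home="$1"
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        [ -e "$p" ] || { echo "missing: $p"; return 1; }
        mode=$(ls -ld "$p" | cut -c1-10)      # e.g. drwxrwxr-x
        case "$mode" in
            ?????w????|????????w?)             # group write | other write
                echo "bad modes for $p ($mode)"; return 1 ;;
        esac
    done
    return 0
}

# demo: walks through the post's failure (775 on ~/.ssh) and the fix (755)
# in a throwaway directory standing in for /home/mytest.
demo() {
    tmp=$(mktemp -d) || return 1
    # constructed sample key; not the key from the page
    key='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDexample ossec@example'
    install_authorized_key "$tmp" "$key"
    install_authorized_key "$tmp" "$key"      # second call must not duplicate
    lines=$(wc -l < "$tmp/.ssh/authorized_keys" | tr -d ' ')
    check_ssh_perms "$tmp" && echo "700: accepted"
    chmod 775 "$tmp/.ssh"
    check_ssh_perms "$tmp" || echo "775: refused (the post's failure)"
    chmod 755 "$tmp/.ssh"
    check_ssh_perms "$tmp" && echo "755: accepted"
    rm -rf "$tmp"
    [ "$lines" = 1 ]
}

demo
```

Run check_ssh_perms against a real home directory (e.g. `check_ssh_perms /home/mytest`) before trying the OSSEC login; the path it prints is the one that /var/log/secure will otherwise complain about.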