一、背景
项目需要,研究了使用ossec ,其中有一个ossec agentless的功能,可以实现远程的文件完整性校验 。为方便使用, 决定采用证书模式来处理登陆。
二、配置过程
以下直接抄了 http://praetorianprefect.com/archives/2009/11/ossec-agentless-to-save-the-day/
obsd46# sudo -u ossec ssh-keygen Generating public/private rsa key pair. Enter file in which to save the key (/var/ossec/.ssh/id_rsa): Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in /var/ossec/.ssh/id_rsa. Your public key has been saved in /var/ossec/.ssh/id_rsa.pub. The key fingerprint is: b8:c3:47:9a:33:09:5c:eb:54:a0:82:39:a6:06:63:08 ossec@obsd45.ptnsecurity.com The key's randomart image is: +--[ RSA 2048]----+ |E . | |oo . . | |Bo. . . . | |=o o . + | |.. o + S | |. = * | | @ . | | = | | | +-----------------+
Now that the SSH keys are present, we can add the host without a password. The special command line argument used with register_host.sh is NOPASS in all capitals, which will tell OSSEC supplied scripts to make use of SSH keys.
obsd46# /var/ossec/agentless/register_host.sh add root@172.17.20.20 NOPASS
Enabling SSH key on the host to be monitored.
You will now need to securely get the contents of /var/ossec/.ssh/id_rsa.pub to 172.17.20.20.
Using SSH and the password for a single time will make this simple. This will create the /root/.ssh if it is not already created, but might throw an error as it does if the directory is already present. This is not a problem and can be ignored.
obsd46# cat /var/ossec/.ssh/id_rsa.pub | ssh root@172.17.20.20 "( mkdir /root/.ssh/; cat - >> /root/.ssh/authorized_keys )" root@172.17.20.20 's password: mkdir: cannot create directory `/root/.ssh/': File exists obsd46# ssh root@172.17.20.20 "cat /root/.ssh/authorized_keys " root@172.17.20.20 's password: ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAzyTBo7CqkI0TISR9S+KPS/gYY60nkD7Qe8wTTXrAEFvPNFJ NJJpVVKsij6zw86lvTZ6hx9ib1M+MXvt+70uF/z1hYwnYrczR2TR03Z5nwOUA9OK61nBWXVwCi9GsQs6Oeo mY9vkBDoKzB52+TKKSk9ZoC+HYPiT5SaiHZvMOV7kWuwF67lnYwlG5FdkRdOiXp7DcRjje4/Hixg7RLLl7o dEXpIakzGfalt3yQDmwvSUZhyg3OuoKimTeNiKU/jlHlmEPuDZpiQe6QhFH38EeEIZTdHsYITodl8sY+n9I eNMalGIHPs+bph+qcK+6cOb1RGaeGqJBFjaqPUyismz0bw== ossec@obsd45.ptnsecurity.com
We can also verify that it worked with the following command.
obsd46# sudo -u ossec ssh root@172.17.20.20 The authenticity of host '172.17.20.20 (172.17.20.20)' can't be established. RSA key fingerprint is 14:cd:f2:e9:c3:5b:07:28:68:75:a7:b5:88:c2:6b:77. Are you sure you want to continue connecting (yes/no)? yes Warning: Permanently added '172.17.20.20' (RSA) to the list of known hosts. Last login: Tue Oct 6 12:40:05 2009 from 172.17.20.154 [linux26.ptnsecurity.com ~]# exit
三、问题
在以上各种折腾完成后,使用root账号已经可以正常登陆使用了
但在使用普通账号的mytest时却一直失败。 经网上搜索有以下版本的信息
http://www.2cto.com/os/201206/137286.html
http://serverfault.com/questions/230771/ssh-configuration-publickeys-permission-denied-publickey-password-error
另外还有一个网址一时忘记了。
中途试着将密码鉴权关闭,直接报错:Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
最终查看 /var/log/secure Authentication refused: bad ownership or modes for directory /home/mytest/.ssh
想起来我忘记的那个网址上有一句话: .ssh 目录需要是 755 不能是775 。。。然后修改就搞定了!!!!完成收工。