SSH 免密码登录虚拟机上的另一个节点设置失败。。。。。怎么办

V2EX = way to explore

V2EX 是一个关于分享和探索的地方

现在注册

已注册用户请登录

这是一个创建于 2894 天前的主题，其中的信息可能已经有所发展或是发生改变。

RT ，

想搭个集群学习一下 hadoop ，首先 hosts 里面是物理机主机名 HP-Pavilion-dv4(Ubuntu14.04)作为 Master 两个虚拟机节点（ Ubuntu16.04 ）主机名为 workerOne wokerTwo(大小写会有问题把) ，用户名都是 zsx 。
在各个节点上都 ssh-keygen -t dsa 生成了秘钥，并 cat 到 authorized_keys..将物理机子上的 id_dsa.pub 使用 scp 传到两个节点上也用 cat >> 追加到节点的 authorized_keys 里。
现在是物理机 ssh 自己可以免密码登陆。节点虚拟机 ssh 自己都要提示输入密码。物理机 ssh 节点也要求输入密码。不知道哪里的问题。折腾了一天了！能 Google 到的解决方案都试了一下包括：修改 /etc/ssh/sshd_config , 讲.ssh 文件夹改为 700 ,authorized_keys 改为 640 。使用-vvv 打印信息我之前没用过 ssh 看不懂，后面贴出来。

OpenSSH_6.6.1, OpenSSL 1.0.1f 6 Jan 2014
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to workerone [172.16.99.129] port 22.
debug1: Connection established.
debug1: identity file /home/zsx/.ssh/id_rsa type -1
debug1: identity file /home/zsx/.ssh/id_rsa-cert type -1
debug3: Incorrect RSA1 identifier
debug3: Could not load "/home/zsx/.ssh/id_dsa" as a RSA1 public key
debug1: identity file /home/zsx/.ssh/id_dsa type 2
debug1: identity file /home/zsx/.ssh/id_dsa-cert type -1
debug1: identity file /home/zsx/.ssh/id_ecdsa type -1
debug1: identity file /home/zsx/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/zsx/.ssh/id_ed25519 type -1
debug1: identity file /home/zsx/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.8
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.2p2 Ubuntu-4ubuntu2.1
debug1: match: OpenSSH_7.2p2 Ubuntu-4ubuntu2.1 pat OpenSSH* compat 0x04000000
debug2: fd 3 setting O_NONBLOCK
debug3: load_hostkeys: loading entries for host "workerone" from file "/home/zsx/.ssh/known_hosts"
debug3: load_hostkeys: found key type ECDSA in file /home/zsx/.ssh/known_hosts:2
debug3: load_hostkeys: loaded 1 keys
debug3: order_hostkeyalgs: prefer hostkeyalgs: [email protected],ecdsa- [email protected],[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521 debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: [email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 debug2: kex_parse_kexinit: [email protected],[email protected],[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,[email protected],[email protected],[email protected],[email protected],[email protected],ssh-ed25519,ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,[email protected],[email protected],[email protected],aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected]
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,[email protected],[email protected],[email protected],aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected]
debug2: kex_parse_kexinit: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha1-96- [email protected],[email protected],hmac-md5,hmac-sha1,[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-md5,hmac-sha1,[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,[email protected],zlib
debug2: kex_parse_kexinit: none,[email protected],zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: [email protected],ecdh-sha2-nistp256,ecdh-sha2- nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1 debug2: kex_parse_kexinit: ssh-rsa,rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519
debug2: kex_parse_kexinit: [email protected],aes128-ctr,aes192-ctr,aes256ctr,[email protected],[email protected]
debug2: kex_parse_kexinit: [email protected],aes128-ctr,aes192-ctr,aes256ctr,[email protected],[email protected]
debug2: kex_parse_kexinit: [email protected],[email protected],hmac-sha2- [email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: kex_parse_kexinit: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: kex_parse_kexinit: none,[email protected]
debug2: kex_parse_kexinit: none,[email protected]
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: setup [email protected]
debug1: kex: server->client aes128-ctr [email protected] none
debug2: mac_setup: setup [email protected]
debug1: kex: client->server aes128-ctr [email protected] none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ECDSA d9:12:04:aa:13:93:6b:cc:f6:10:e9:a5:3e:de:35:bb
debug3: load_hostkeys: loading entries for host "workerone" from file "/home/zsx/.ssh/known_hosts"
debug3: load_hostkeys: found key type ECDSA in file /home/zsx/.ssh/known_hosts:2
debug3: load_hostkeys: loaded 1 keys
debug3: load_hostkeys: loading entries for host "172.16.99.129" from file "/home/zsx/.ssh/known_hosts" debug3: load_hostkeys: found key type ECDSA in file /home/zsx/.ssh/known_hosts:3
debug3: load_hostkeys: loaded 1 keys
debug1: Host 'workerone' is known and matches the ECDSA host key.
debug1: Found key in /home/zsx/.ssh/known_hosts:2
debug1: ssh_ecdsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /home/zsx/.ssh/id_dsa (0x7feb426afd90),
debug2: key: /home/zsx/.ssh/id_rsa ((nil)),
debug2: key: /home/zsx/.ssh/id_ecdsa ((nil)),
debug2: key: /home/zsx/.ssh/id_ed25519 ((nil)),
debug1: Authentications that can continue: publickey,password
debug3: start over, passed a different list publickey,password
debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering DSA public key: /home/zsx/.ssh/id_dsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,password
debug1: Trying private key: /home/zsx/.ssh/id_rsa
debug3: no such identity: /home/zsx/.ssh/id_rsa: No such file or directory
debug1: Trying private key: /home/zsx/.ssh/id_ecdsa
debug3: no such identity: /home/zsx/.ssh/id_ecdsa: No such file or directory
debug1: Trying private key: /home/zsx/.ssh/id_ed25519
debug3: no such identity: /home/zsx/.ssh/id_ed25519: No such file or directory
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred: ,password
debug3: authmethod_is_enabled password
debug1: Next authentication method: password
zsx@workerone's password:

12 条回复 • 2016-12-20 21:30:57 +08:00

yuyueMJ

2016-12-19 19:06:56 +08:00 via iPhone

不是有意要贴这么多信息，确实不知道怎么看这个信息，就全贴出来了，望见谅

hadoop

2016-12-19 19:07:31 +08:00

1. work 节点里需要 ssh 服务需要开启：
PubkeyAuthentication yes
AuthorizedKeysFile %h/.ssh/authorized_keys

2.不建议用 scp 然后 cat 追加 authority key 。建议在 master 机器上执行 ssh-copy-id -i .ssh/id_rsa.pub workOne 这种自动追小的命令

ooxxcc

2016-12-19 19:09:06 +08:00

debug1: Trying private key: /home/zsx/.ssh/id_rsa
debug3: no such identity: /home/zsx/.ssh/id_rsa: No such file or directory

根本没有私钥嘛……

yuyueMJ

2016-12-19 19:29:23 +08:00

@ooxxcc 用的是 dsa 。。。

yuyueMJ

2016-12-19 19:29:45 +08:00

@ooxxcc 我也不知道为什么会说 rsa

yuyueMJ

2016-12-19 19:30:54 +08:00

@hadoop worker 节点能输密码登录自己应该说明 ssh 服务开启了，其他的我再试一下！

hadoop

2016-12-19 19:46:08 +08:00 via Android

@yuyueMJ 你生成个 rsa 的私钥呗， ssh-keygen -t rsa

ooxxcc

2016-12-19 19:48:39 +08:00

@yuyueMJ 哦看到了，应该是 dsa 验证没成功然后接着找其他的了

你看看虚拟机里的 /var/log/auth 或者 journalctl -xe

yuyueMJ

2016-12-19 20:37:32 +08:00

@ooxxcc 非常感谢！我在日志里发现了一条消息（ userauth_pubkey: key type ssh-dss not in PubkeyAcceptedKeyTypes [preauth]），其实上午排错的时候就发现了，不知为什么没有谷歌到正确结果，刚才找到了了解决方案，在 ssh7 以后已经不支持 dsa 加密方式了，所以建议使用 rsa ！

yuyueMJ

2016-12-19 20:39:50 +08:00

这里同意回复一下，问题解决了！在做了之前的工作都失败的情况下， tail -20 /var/Log/auto.log 发现 userauth_pubkey: key type ssh-dss not in PubkeyAcceptedKeyTypes [preauth] 。。
然后 http://unix.stackexchange.com/questions/247612/ssh-keeps-skipping-my-pubkey-and-asking-for-a-password 这里说的很明白。
> The new openssh version (7.0+) deprecated DSA keys and is not using DSA keys by default (not on server or client). The keys are not preferred to be used anymore, so if you can, I would recommend to use RSA keys where possible.

If you really need to use DSA keys, you need to explicitly allow them in your client config using
``` shell
PubkeyAcceptedKeyTypes +ssh-dss
```
Should be enough to put that line in ~/.ssh/config, as the verbose message is trying to tell you.

yuyueMJ

2016-12-19 20:45:47 +08:00

@hadoop 恩，使用 rsa 加密方式就可以了，原来是已经不支持 dsa 了。好蛋疼。我就是看的国内的摸个博客上用的 dsa 就用的。唉，弄了一天

julyclyde

2016-12-20 21:30:57 +08:00

最新版本 openssh 禁用了 dsa
在 GnuPG 里， dsa 也属于不受待见的算法
估计快淘汰了