关于SSH 空密码登陆solaris10的问题

Question

请兄弟们费心看下我的这东西。。。

# ssh-keygen -b 2048 -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (//.ssh/id_dsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in //.ssh/id_dsa.
Your public key has been saved in //.ssh/id_dsa.pub.
The key fingerprint is:
85:e0:5c:82:5b:d9:79:89:ad:7a:a0:7a:99:eb:72:04 root@asm1
# ls
id_dsa      id_dsa.pub
# cat id_dsa.pub > authorized_keys
# ls
authorized_keys  id_dsa           id_dsa.pub
# vi authorized_keys 保证2个机器的迷匙都有

# ssh asm1
The authenticity of host 'asm1 (10.0.0.71)' can't be established.
RSA key fingerprint is b6:6f:48:ad:41:03:3c:79:32:f6:d2:ca:b2:93:14:86.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'asm1,10.0.0.71' (RSA) to the list of known hosts.
Password:
Password:
Password:
Permission denied (gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive).
#

。。出这错误。
我个人觉得是不是应该把配置文件里的。PermitEmptyPasswords no 改成yes

#
# Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
# Use is subject to license terms.
#
# ident "@(#)sshd_config        1.9     09/04/30 SMI"
#
# Configuration file for sshd(1m)

# Protocol versions supported
#
# The sshd shipped in this release of Solaris has support for major versions
# 1 and 2.  It is recommended due to security weaknesses in the v1 protocol
# that sites run only v2 if possible. Support for v1 is provided to help sites
# with existing ssh v1 clients/servers to transition.
# Support for v1 may not be available in a future release of Solaris.
#
# To enable support for v1 an RSA1 key must be created with ssh-keygen(1).
# RSA and DSA keys for protocol v2 are created by /etc/init.d/sshd if they
# do not already exist, RSA1 keys for protocol v1 are not automatically created.

# Uncomment ONLY ONE of the following Protocol statements.

# Only v2 (recommended)
Protocol 2

# Both v1 and v2 (not recommended)
#Protocol 2,1

# Only v1 (not recommended)
#Protocol 1

# Listen port (the IANA registered port number for ssh is 22)
Port 22

# The default listen address is all interfaces, this may need to be changed
# if you wish to restrict the interfaces sshd listens on for a multi homed host.
# Multiple ListenAddress entries are allowed.

# IPv4 only
#ListenAddress 0.0.0.0
# IPv4 & IPv6
ListenAddress ::

# Port forwarding
AllowTcpForwarding no

# If port forwarding is enabled, specify if the server can bind to INADDR_ANY.
# This allows the local port forwarding to work when connections are received
# from any remote host.
GatewayPorts no

# X11 tunneling options
X11Forwarding yes
X11DisplayOffset 10
X11UseLocalhost yes

# The maximum number of concurrent unauthenticated connections to sshd.
# start:rate:full see sshd(1) for more information.
# The default is 10 unauthenticated clients.
#MaxStartups 10:30:60

# Banner to be printed before authentication starts.
#Banner /etc/issue

# Should sshd print the /etc/motd file and check for mail.
# On Solaris it is assumed that the login shell will do these (eg /etc/profile).
PrintMotd no

# KeepAlive specifies whether keep alive messages are sent to the client.
# See sshd(1) for detailed description of what this means.
# Note that the client may also be sending keep alive messages to the server.
KeepAlive yes

# Syslog facility and level
SyslogFacility auth
LogLevel info

#
# Authentication configuration
#

# Host private key files
# Must be on a local disk and readable only by the root user (root:sys 600).
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key

# Length of the server key
# Default 768, Minimum 512
ServerKeyBits 768

# sshd regenerates the key every KeyRegenerationInterval seconds.
# The key is never stored anywhere except the memory of sshd.
# The default is 1 hour (3600 seconds).
KeyRegenerationInterval 3600

# Ensure secure permissions on users .ssh directory.
StrictModes yes

# Length of time in seconds before a client that hasn't completed
# authentication is disconnected.
# Default is 600 seconds. 0 means no time limit.
LoginGraceTime 600

# Maximum number of retries for authentication
# Default is 6. Default (if unset) for MaxAuthTriesLog is MaxAuthTries / 2
MaxAuthTries    6
MaxAuthTriesLog 3

# Are logins to accounts with empty passwords allowed.
# If PermitEmptyPasswords is no, pass PAM_DISALLOW_NULL_AUTHTOK
# to pam_authenticate(3PAM).

PermitEmptyPasswords no

# To disable tunneled clear text passwords, change PasswordAuthentication to no.
PasswordAuthentication yes

# Use PAM via keyboard interactive method for authentication.
# Depending on the setup of pam.conf(4) this may allow tunneled clear text
# passwords even when PasswordAuthentication is set to no. This is dependent
# on what the individual modules request and is out of the control of sshd
# or the protocol.
PAMAuthenticationViaKBDInt yes

# Are root logins permitted using sshd.
# Note that sshd uses pam_authenticate(3PAM) so the root (or any other) user
# maybe denied access by a PAM module regardless of this setting.
# Valid options are yes, without-password, no.
PermitRootLogin yes

# sftp subsystem
Subsystem       sftp    /usr/lib/ssh/sftp-server

# SSH protocol v1 specific options
#
# The following options only apply to the v1 protocol and provide
# some form of backwards compatibility with the very weak security
# of /usr/bin/rsh.  Their use is not recommended and the functionality
# will be removed when support for v1 protocol is removed.

# Should sshd use .rhosts and .shosts for password less authentication.
IgnoreRhosts yes
RhostsAuthentication no

# Rhosts RSA Authentication
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts.
# If the user on the client side is not root then this won't work on
# Solaris since /usr/bin/ssh is not installed setuid.
RhostsRSAAuthentication no

# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication.
#IgnoreUserKnownHosts yes

# Is pure RSA authentication allowed.
# Default is yes
RSAAuthentication yes
#

Answer 1

Apr 19 12:57:59 asm1 sshd[857]: [ID 800047 auth.error] error: key_read: uudecode AAAAB3NzaC1kc3MAAAEBAPtZYLG88FrJ4AVlirvWFxB/UXOiAMB2TkizScxzVH7aJJMifmyKTj8wb/lpV2VsP2IsKhAtJL/Rg8HOGO8hxajWMVvuAS0xJgmUM/bK7JWhztzGDr0UozmzbZf96dNF4
Apr 19 12:57:59 asm1  failed
Apr 19 12:58:17 asm1 sshd[872]: [ID 800047 auth.error] error: key_read: uudecode AAAAB3NzaC1kc3MAAAEBAPtZYLG88FrJ4AVlirvWFxB/UXOiAMB2TkizScxzVH7aJJMifmyKTj8wb/lpV2VsP2IsKhAtJL/Rg8HOGO8hxajWMVvuAS0xJgmUM/bK7JWhztzGDr0UozmzbZf96dNF4
Apr 19 12:58:17 asm1  failed

Answer 2

最好还是密码不为空好些，你可以做到不需要输入密码实现登录

把在客户端机器某用户产生的id_dsa.pub 拷贝到服务器端，并且追加到相应账户的$home下的authorized_keys中。这样就可以直接登录了

Answer 3

学习了

Answer 4

晕。。看到回复赶紧跑来看。。。关于三楼的兄弟，这个做法是必须的。。LINUX 百试百爽。。solaris 就是不好使。。。

Answer 5

啥叫空密码登录？？？  免密码验证吧？

如果是这样的话，应该是rsa，而不是dsa

Answer 6

回楼上，dsa 用于产生用户key 的算法，这里的RSA是产生主机key 的算法，可信任的host 的key放到本机的“known hosts” file里

配置文件中的 PermitEmptyPasswords no 是指如果通过口令方式进行身份验证的话，用户的的登录口令不得为空。

而LZ 的操作试图产生用户的密钥对，通过密钥方式来进行身份验证，这样跟password 就没有关系了吧？

对LZ的操作我不太理解的是，用户在本机产生的公钥为什么要放到本机的authorized_keys中,而且是覆盖不是追加？

Answer 7

ssh无密码登录本版有精华贴可查

Answer 8

放弃了。直接用RSH。谢谢兄弟们。。。

Answer 9

6楼兄弟说的可能有那么点靠近了。我抽空再研究研究。其实我发贴之前2台机器的authorized_keys 里面包含的都有2台机器秘匙