Linux 服務器配置證書登陸

一、背景
項目需要，研究了使用ossec ，其中有一個ossec agentless的功能，可以實現遠程的文件完整性校驗 。為方便使用， 決定采用證書模式來處理登陸。


二、配置過程

以下直接抄了  http://praetorianprefect.com/archives/2009/11/ossec-agentless-to-save-the-day/

obsd46# sudo -u ossec ssh-keygen Generating public/private rsa key pair. Enter file in which to save the key (/var/ossec/.ssh/id_rsa): Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in /var/ossec/.ssh/id_rsa. Your public key has been saved in /var/ossec/.ssh/id_rsa.pub. The key fingerprint is: b8:c3:47:9a:33:09:5c:eb:54:a0:82:39:a6:06:63:08 ossec@obsd45.ptnsecurity.com   The key's randomart image is: +--[ RSA 2048]----+ |E     .          | |oo   . .         | |Bo. . . .        | |=o o . +         | |..  o + S        | |.    = *         | |      @ .        | |       =         | |                 | +-----------------+ 

Now that the SSH keys are present, we can add the host without a password. The special command line argument used with register_host.sh is NOPASS in all capitals, which will tell OSSEC supplied scripts to make use of SSH keys.

obsd46# /var/ossec/agentless/register_host.sh add root@172.17.20.20   NOPASS 

Enabling SSH key on the host to be monitored.

You will now need to securely get the contents of /var/ossec/.ssh/id_rsa.pub to 172.17.20.20.

Using SSH and the password for a single time will make this simple. This will create the /root/.ssh if it is not already created, but might throw an error as it does if the directory is already present. This is not a problem and can be ignored.

obsd46# cat /var/ossec/.ssh/id_rsa.pub | ssh root@172.17.20.20   "( mkdir /root/.ssh/;  cat - >> /root/.ssh/authorized_keys )" root@172.17.20.20  's password: mkdir: cannot create directory `/root/.ssh/': File exists obsd46# ssh root@172.17.20.20   "cat  /root/.ssh/authorized_keys " root@172.17.20.20  's password: ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAzyTBo7CqkI0TISR9S+KPS/gYY60nkD7Qe8wTTXrAEFvPNFJ NJJpVVKsij6zw86lvTZ6hx9ib1M+MXvt+70uF/z1hYwnYrczR2TR03Z5nwOUA9OK61nBWXVwCi9GsQs6Oeo mY9vkBDoKzB52+TKKSk9ZoC+HYPiT5SaiHZvMOV7kWuwF67lnYwlG5FdkRdOiXp7DcRjje4/Hixg7RLLl7o dEXpIakzGfalt3yQDmwvSUZhyg3OuoKimTeNiKU/jlHlmEPuDZpiQe6QhFH38EeEIZTdHsYITodl8sY+n9I eNMalGIHPs+bph+qcK+6cOb1RGaeGqJBFjaqPUyismz0bw== ossec@obsd45.ptnsecurity.com   

We can also verify that it worked with the following command.

obsd46# sudo -u ossec ssh root@172.17.20.20   The authenticity of host '172.17.20.20 (172.17.20.20)' can't be established. RSA key fingerprint is 14:cd:f2:e9:c3:5b:07:28:68:75:a7:b5:88:c2:6b:77. Are you sure you want to continue connecting (yes/no)? yes Warning: Permanently added '172.17.20.20' (RSA) to the list of known hosts. Last login: Tue Oct  6 12:40:05 2009 from 172.17.20.154 [linux26.ptnsecurity.com ~]# exit 

三、問題
在以上各種折騰完成后，使用root賬號已經可以正常登陸使用了
但在使用普通賬號的mytest時卻一直失敗。 經網上搜索有以下版本的信息

http://www.2cto.com/os/201206/137286.html
http://serverfault.com/questions/230771/ssh-configuration-publickeys-permission-denied-publickey-password-error 
另外還有一個網址一時忘記了。

中途試著將密碼鑒權關閉，直接報錯：Permission denied (publickey,gssapi-keyex,gssapi-with-mic).  

最終查看 /var/log/secure    Authentication refused: bad ownership or modes for directory /home/mytest/.ssh

想起來我忘記的那個網址上有一句話： .ssh 目錄需要是 755 不能是775 。。。然后修改就搞定了！！??！完成收工。

posted on 2014-04-01 14:20 易寶@byhh 閱讀(524) 評論(0)  編輯 收藏 引用