ssh设置私钥登录后还是提示需要输入密码

问题描述

在客户机器上配置好使用key免密登录后，尝试使用私钥登录，却被提示还是需要密码。
检查了一圈服务器上~/.ssh/, ~/.ssh/authorized_keys的权限, 权限设置都没有问题。
可登录时还是提示需要输入密码。只能一步一步来检查调试

解决步骤

• 首先尝试在客户端ssh时加上-vv参数来输出debug信息, 看是否有明显的错误信息。
  debug输出如下

  1 2 3 4 5 6 7 8 9

  debug1: SSH2_MSG_EXT_INFO received debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521> debug2: service_accept: ssh-userauth debug1: SSH2_MSG_SERVICE_ACCEPT received debug1: Authentications that can continue: publickey,password,keyboard-interactive debug1: Next authentication method: publickey debug1: Trying private key: /home/deployer/.ssh/id_rsa_sync debug2: we sent a publickey packet, wait for reply debug1: Authentications that can continue: publickey,password,keyboard-interactive

  在正常情况下，Trying private key: /home/deployer/.ssh/id_rsa_sync之后，应该是提示密钥验证成功Authentication succeeded (publickey).并登录到服务器上。
  这边是直接提示Authentications that can continue: publickey,password,keyboard-interactive，表示没有成功。

• client侧没有得到有效线索，转而到服务器侧查看日志
  查看了/var/log/secure和/var/log/messages后，发现/var/log/messages中有一处关键信息User deployer not allowed because account is locked。

  1 2	... sshd[14230]: User deployer not allowed because account is locked ... sshd[14230]: Connection closed by invalid user deployer 192.168.101.192 port 44832 [preauth]

  发现客户服务器的sshd_config中配置了UsePAM no, 而建立deployer用户时也没有设置密码，导致了拒绝ssh链接。

• 两个解决方法

1. 修改sshd_config中UsePAM为yes
2. 为账号deployer加一个密码passwd deployer

限于不能修改客户机器的配置，采用了方法2.为deployer设置密码后，就可以使用私钥无密码登录了。

总结几个免密登录失败的可能情况

1. 权限问题: ~/.ssh需要设为700，.ssh/authorized_keys需要设为600
2. 用户被锁定了。查看sshd_config的PAM配置和/etc/shadow中用户密码设置
3. SELINUX权限限制

Reference

• User username not allowed because account is locked
• How to unlock account for public key ssh authorization, but not for password authorization?