V2EX = way to explore
V2EX 是一个关于分享和探索的地方
现在注册
已注册用户请  登录
killerv
V2EX  ›  SSH

SSH 无法连接,提示 Permission denied (keyboard-interactive)

  •  
  •   killerv · 2015-01-03 21:36:34 +08:00 · 14980 次点击
    这是一个创建于 3611 天前的主题,其中的信息可能已经有所发展或是发生改变。

    在conoha买的vps,远程服务器的时候出现了错误,弄了好久,没有解决,还望大家能帮忙分析一下:
    执行ssh -vvv serverip命令,下面是详细信息:
    OpenSSH_6.6.1, OpenSSL 1.0.1f 6 Jan 2014
    debug1: Reading configuration data /etc/ssh/ssh_config
    debug1: /etc/ssh/ssh_config line 19: Applying options for *
    debug2: ssh_connect: needpriv 0
    debug1: Connecting to serverip port 22.
    debug1: Connection established.
    debug1: identity file /home/killer/.ssh/id_rsa type -1
    debug1: identity file /home/killer/.ssh/id_rsa-cert type -1
    debug1: identity file /home/killer/.ssh/id_dsa type -1
    debug1: identity file /home/killer/.ssh/id_dsa-cert type -1
    debug1: identity file /home/killer/.ssh/id_ecdsa type -1
    debug1: identity file /home/killer/.ssh/id_ecdsa-cert type -1
    debug1: identity file /home/killer/.ssh/id_ed25519 type -1
    debug1: identity file /home/killer/.ssh/id_ed25519-cert type -1
    debug1: Enabling compatibility mode for protocol 2.0
    debug1: Local version string SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2
    debug1: Remote protocol version 2.0, remote software version OpenSSH_6.1
    debug1: match: OpenSSH_6.1 pat OpenSSH* compat 0x04000000
    debug2: fd 3 setting O_NONBLOCK
    debug3: load_hostkeys: loading entries for host serverip from file "/home/killer/.ssh/known_hosts"
    debug3: load_hostkeys: found key type RSA in file /home/killer/.ssh/known_hosts:1
    debug3: load_hostkeys: loaded 1 keys
    debug3: order_hostkeyalgs: prefer hostkeyalgs: [email protected],[email protected],ssh-rsa
    debug1: SSH2_MSG_KEXINIT sent
    debug1: SSH2_MSG_KEXINIT received
    debug2: kex_parse_kexinit: [email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
    debug2: kex_parse_kexinit: [email protected],[email protected],ssh-rsa,[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,ssh-dss
    debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,[email protected],[email protected],[email protected],aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected]
    debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,[email protected],[email protected],[email protected],aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected]
    debug2: kex_parse_kexinit: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-md5,hmac-sha1,[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
    debug2: kex_parse_kexinit: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-md5,hmac-sha1,[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
    debug2: kex_parse_kexinit: none,[email protected],zlib
    debug2: kex_parse_kexinit: none,[email protected],zlib
    debug2: kex_parse_kexinit:
    debug2: kex_parse_kexinit:
    debug2: kex_parse_kexinit: first_kex_follows 0
    debug2: kex_parse_kexinit: reserved 0
    debug2: kex_parse_kexinit: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
    debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
    debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected]
    debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected]
    debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,[email protected],hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
    debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,[email protected],hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
    debug2: kex_parse_kexinit: none,[email protected]
    debug2: kex_parse_kexinit: none,[email protected]
    debug2: kex_parse_kexinit:
    debug2: kex_parse_kexinit:
    debug2: kex_parse_kexinit: first_kex_follows 0
    debug2: kex_parse_kexinit: reserved 0
    debug2: mac_setup: setup hmac-md5
    debug1: kex: server->client aes128-ctr hmac-md5 none
    debug2: mac_setup: setup hmac-md5
    debug1: kex: client->server aes128-ctr hmac-md5 none
    debug1: sending SSH2_MSG_KEX_ECDH_INIT
    debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
    debug1: Server host key: RSA 73:fd:66:03:e5:72:75:35:71:e7:f9:dc:fa:46:38:b6
    debug3: load_hostkeys: loading entries for host "console1001.cnode.jp" from file "/home/killer/.ssh/known_hosts"
    debug3: load_hostkeys: found key type RSA in file /home/killer/.ssh/known_hosts:1
    debug3: load_hostkeys: loaded 1 keys
    debug3: load_hostkeys: loading entries for host "203.189.102.197" from file "/home/killer/.ssh/known_hosts"
    debug3: load_hostkeys: found key type RSA in file /home/killer/.ssh/known_hosts:2
    debug3: load_hostkeys: loaded 1 keys
    debug1: Host 'console1001.cnode.jp' is known and matches the RSA host key.
    debug1: Found key in /home/killer/.ssh/known_hosts:1
    debug1: ssh_rsa_verify: signature correct
    debug2: kex_derive_keys
    debug2: set_newkeys: mode 1
    debug1: SSH2_MSG_NEWKEYS sent
    debug1: expecting SSH2_MSG_NEWKEYS
    debug2: set_newkeys: mode 0
    debug1: SSH2_MSG_NEWKEYS received
    debug1: Roaming not allowed by server
    debug1: SSH2_MSG_SERVICE_REQUEST sent
    debug2: service_accept: ssh-userauth
    debug1: SSH2_MSG_SERVICE_ACCEPT received
    debug2: key: /home/killer/.ssh/id_rsa ((nil)),
    debug2: key: /home/killer/.ssh/id_dsa ((nil)),
    debug2: key: /home/killer/.ssh/id_ecdsa ((nil)),
    debug2: key: /home/killer/.ssh/id_ed25519 ((nil)),
    debug1: Authentications that can continue: keyboard-interactive
    debug3: start over, passed a different list keyboard-interactive
    debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password
    debug3: authmethod_lookup keyboard-interactive
    debug3: remaining preferred: password
    debug3: authmethod_is_enabled keyboard-interactive
    debug1: Next authentication method: keyboard-interactive
    debug2: userauth_kbdint
    debug2: we sent a keyboard-interactive packet, wait for reply
    debug1: Authentications that can continue: keyboard-interactive
    debug3: userauth_kbdint: disable: no info_req_seen
    debug2: we did not send a packet, disable method
    debug1: No more authentication methods to try.
    Permission denied (keyboard-interactive).

    以上是错误日志,下面贴一下配置文件sshd_config:

    $OpenBSD: sshd_config,v 1.80 2008/07/02 02:24:18 djm Exp $

    This is the sshd server system-wide configuration file. See

    sshd_config(5) for more information.

    This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin

    The strategy used for options in the default sshd_config shipped with

    OpenSSH is to specify options with their default value where

    possible, but leave them commented. Uncommented options change a

    default value.

    Port 22

    AddressFamily any

    ListenAddress 0.0.0.0

    ListenAddress ::

    Disable legacy (protocol version 1) support in the server for new

    installations. In future the default will change to require explicit

    activation of protocol 1

    Protocol 2

    HostKey for protocol version 1

    HostKey /etc/ssh/ssh_host_key

    HostKeys for protocol version 2

    HostKey /etc/ssh/ssh_host_rsa_key

    HostKey /etc/ssh/ssh_host_dsa_key

    Lifetime and size of ephemeral version 1 server key

    KeyRegenerationInterval 1h

    ServerKeyBits 1024

    Logging

    obsoletes QuietMode and FascistLogging

    SyslogFacility AUTH

    SyslogFacility AUTHPRIV

    LogLevel INFO

    Authentication:

    LoginGraceTime 2m

    PermitRootLogin yes

    StrictModes yes

    MaxAuthTries 6

    MaxSessions 10

    RSAAuthentication yes

    PubkeyAuthentication yes

    AuthorizedKeysFile .ssh/authorized_keys

    AuthorizedKeysCommand none

    AuthorizedKeysCommandRunAs nobody

    For this to work you will also need host keys in /etc/ssh/ssh_known_hosts

    RhostsRSAAuthentication no

    similar for protocol version 2

    HostbasedAuthentication no

    Change to yes if you don't trust ~/.ssh/known_hosts for

    RhostsRSAAuthentication and HostbasedAuthentication

    IgnoreUserKnownHosts no

    Don't read the user's ~/.rhosts and ~/.shosts files

    IgnoreRhosts yes

    To disable tunneled clear text passwords, change to no here!

    PasswordAuthentication yes

    PermitEmptyPasswords no

    PasswordAuthentication yes

    Change to no to disable s/key passwords

    ChallengeResponseAuthentication yes

    ChallengeResponseAuthentication no

    Kerberos options

    KerberosAuthentication no

    KerberosOrLocalPasswd yes

    KerberosTicketCleanup yes

    KerberosGetAFSToken no

    KerberosUseKuserok yes

    GSSAPI options

    GSSAPIAuthentication no

    GSSAPIAuthentication yes

    GSSAPICleanupCredentials yes

    GSSAPICleanupCredentials yes

    GSSAPIStrictAcceptorCheck yes

    GSSAPIKeyExchange no

    Set this to 'yes' to enable PAM authentication, account processing,

    and session processing. If this is enabled, PAM authentication will

    be allowed through the ChallengeResponseAuthentication and

    PasswordAuthentication. Depending on your PAM configuration,

    PAM authentication via ChallengeResponseAuthentication may bypass

    the setting of "PermitRootLogin without-password".

    If you just want the PAM account and session checks to run without

    PAM authentication, then enable this but set PasswordAuthentication

    and ChallengeResponseAuthentication to 'no'.

    UsePAM no

    UsePAM yes

    Accept locale-related environment variables

    AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
    AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
    AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
    AcceptEnv XMODIFIERS

    AllowAgentForwarding yes

    AllowTcpForwarding yes

    GatewayPorts no

    X11Forwarding no

    X11Forwarding yes

    X11DisplayOffset 10

    X11UseLocalhost yes

    PrintMotd yes

    PrintLastLog yes

    TCPKeepAlive yes

    UseLogin no

    UsePrivilegeSeparation yes

    PermitUserEnvironment no

    Compression delayed

    ClientAliveInterval 0

    ClientAliveCountMax 3

    ShowPatchLevel no

    UseDNS no

    PidFile /var/run/sshd.pid

    MaxStartups 10:30:100

    PermitTunnel no

    ChrootDirectory none

    no default banner path

    Banner none

    override default of no subsystems

    Subsystem sftp /usr/libexec/openssh/sftp-server

    Example of overriding settings on a per-user basis

    Match User anoncvs

    X11Forwarding no

    AllowTcpForwarding no

    ForceCommand cvs server

    7 条回复    2016-07-09 14:34:42 +08:00
    haozhang
        1
    haozhang  
       2015-01-03 21:44:48 +08:00
    你在自己的机子上用ssh-keygen生成rsa,把公钥复制到远程的linux的某个账户下的~/.ssh/authorized_keys里面就可以了吧
    killerv
        2
    killerv  
    OP
       2015-01-03 21:49:13 +08:00
    @haozhang 我现在用的是password方式验证,以前尝试过使用公钥的方式登陆,但是还是会有这个提示,而且服务器上的/var/log/secure也没有失败记录。
    haozhang
        3
    haozhang  
       2015-01-03 23:26:40 +08:00 via iPad   ❤️ 1
    那不知道了,你把情况往baidu里送送。看看能不能搜索到。
    churchmice
        4
    churchmice  
       2015-01-04 00:24:17 +08:00 via Android
    1.公钥登录用ssh-keygen,拷贝可以用ssh-copyid
    2.你试试看用默认的sshd_config
    信得过我的,可以开个账号给我我试试看
    002jnm
        5
    002jnm  
       2015-01-04 09:30:33 +08:00
    key 600
    killerv
        6
    killerv  
    OP
       2015-01-05 21:15:36 +08:00
    @churchmice 感谢你的热心帮助,貌似IP被墙掉了,国外可以ping通,国内无法ping通。
    lancegin
        7
    lancegin  
       2016-07-09 14:34:42 +08:00
    hi 你这个问题最后解决了吗?
    关于   ·   帮助文档   ·   博客   ·   API   ·   FAQ   ·   实用小工具   ·   2703 人在线   最高记录 6679   ·     Select Language
    创意工作者们的社区
    World is powered by solitude
    VERSION: 3.9.8.5 · 22ms · UTC 05:36 · PVG 13:36 · LAX 21:36 · JFK 00:36
    Developed with CodeLauncher
    ♥ Do have faith in what you're doing.