rsync -a /tmp/test postgres@server2:/tmp/test
but I get the error:
Permission denied (publickey).
On server1 I ran ssh-keygen, eval `ssh-agent` and ssh-add as the postgres user. keygen created /var/lib/postgresql/.ssh/id_rsa and id_rsa.pub, and I can see it being sent by using ssh -vvv postgres@server2.
On server2 I created /var/lib/postgresql/.ssh/authorized_keys and put the contents of server1's id_rsa.pub into it. It is owned by the postgres user and group and is chmod 600. The .ssh directory is also owned by postgres and is chmod 700.
I can see the failed publickey for postgres in the verbose sshd log on server2 …
The postgres user on both servers: postgres:x:106:114:PostgreSQL administrator,:/var/lib/postgresql:/bin/bash
ssh -vvv postgres@server2
...
debug1: Found key in /var/lib/postgresql/.ssh/known_hosts:1
debug1: ssh_ecdsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /var/lib/postgresql/.ssh/id_rsa (0x7f468e434000)
debug2: key: /var/lib/postgresql/.ssh/id_dsa ((nil))
debug2: key: /var/lib/postgresql/.ssh/id_ecdsa ((nil))
debug1: Authentications that can continue: publickey
debug3: start over, passed a different list publickey
debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /var/lib/postgresql/.ssh/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey
debug1: Trying private key: /var/lib/postgresql/.ssh/id_dsa
debug3: no such identity: /var/lib/postgresql/.ssh/id_dsa
debug1: Trying private key: /var/lib/postgresql/.ssh/id_ecdsa
debug3: no such identity: /var/lib/postgresql/.ssh/id_ecdsa
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
Permission denied (publickey).
server2 sshd_config (comment lines removed)
Port 22
Protocol 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
UsePrivilegeSeparation yes
KeyRegenerationInterval 3600
ServerKeyBits 768
SyslogFacility AUTH
LogLevel VERBOSE
LoginGraceTime 120
PermitRootLogin yes
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
IgnoreRhosts yes
RhostsRSAAuthentication no
HostbasedAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
PasswordAuthentication no
X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
UsePAM yes
server2 auth log
Jan 16 03:54:21 ip-10-28-26-251 sshd[7972]: Set /proc/self/oom_score_adj to 0
Jan 16 03:54:21 ip-10-28-26-251 sshd[7972]: Connection from 10.28.123.97 port 49377
Jan 16 03:54:21 ip-10-28-26-251 sshd[7972]: Failed publickey for postgres from 10.28.123.97 port 49377 ssh2
Jan 16 03:54:21 ip-10-28-26-251 sshd[7972]: Connection closed by 10.28.123.97 [preauth]
What am I missing? My guess is that sshd is not looking at the authorized_keys file on server2.
Solution
Beyond that, just ssh-keygen (leave the private key passphrase empty), then add the ~/.ssh directory and authorized_keys file on the slave server. postgres's home directory is /var/lib/postgresql, but if you do these steps as the postgres user you can use ~, not to mention that you don't need to chown anything, since postgres will own the ssh key generated on the master and postgres will own the directory/file created on the slave.
Make sure the file permissions are set securely on both the master and the slave:
# On master
chmod 700 ~/.ssh
chmod 600 ~/.ssh/id_rsa
chmod 600 ~/.ssh/id_rsa.pub
chmod 600 ~/.ssh/known_hosts   # this one won't exist until you SSH once
# On slave
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys
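The check a practitioner would run next, as an added example that is not part of the question or the answer above: server2's sshd_config has StrictModes yes, under which sshd silently ignores authorized_keys (and logs only "Failed publickey") if the home directory, ~/.ssh or the file itself is writable by group or other, or is owned by someone other than the user or root; the question only mentions checking ~/.ssh and authorized_keys, not /var/lib/postgresql itself. On the client side, ssh refuses to load a private key that is readable by group or other. The script below audits those mode bits with POSIX ls/cut, applies the chmod lines from the answer plus chmod go-w on the home directory, and runs itself against a constructed throwaway home directory; ownership is assumed correct and is not checked, and the key line it writes is a placeholder, not a real key.

```shell
#!/bin/sh
# Added example, not code from the original post. Audits the permission bits
# that sshd enforces under "StrictModes yes" and that the ssh client enforces
# on private keys, then applies the answer's chmod fixes. Uses POSIX ls -ld
# and cut only, so it runs on any sh; ownership is not checked here.

# Symbolic mode of a path, e.g. "drwxrwxr-x" (first 10 chars of ls -ld).
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Return 0 if HOME, HOME/.ssh and HOME/.ssh/authorized_keys all exist and none
# is writable by group or other; otherwise report each offender and return 1.
check_strictmodes_perms() {
    home="$1"
    rc=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$p" ]; then
            echo "missing: $p"
            rc=1
            continue
        fi
        m=$(mode_of "$p")
        case "$m" in
            ?????w*|????????w*)   # char 6 = group write, char 9 = other write
                echo "group/world writable, sshd will ignore it: $p ($m)"
                rc=1 ;;
        esac
    done
    return $rc
}

# Return 0 if the private key is not readable by group or other; ssh refuses
# to use a key whose permissions are "too open".
check_private_key_perms() {
    key="$1"
    if [ ! -f "$key" ]; then
        echo "missing: $key"
        return 1
    fi
    m=$(mode_of "$key")
    case "$m" in
        ????r*|???????r*)   # char 5 = group read, char 8 = other read
            echo "private key readable by others, ssh will refuse it: $key ($m)"
            return 1 ;;
    esac
    return 0
}

# The chmod lines from the answer, plus go-w on the home directory itself,
# which the answer does not mention but StrictModes checks as well.
fix_ssh_perms() {
    home="$1"
    chmod go-w "$home"
    chmod 700 "$home/.ssh"
    for f in authorized_keys id_rsa id_rsa.pub known_hosts; do
        if [ -f "$home/.ssh/$f" ]; then
            chmod 600 "$home/.ssh/$f"
        fi
    done
}

# Demo on a constructed throwaway home: a group-writable home directory (775)
# is the classic cause of "Failed publickey" with a correct authorized_keys.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/home/.ssh"
    # constructed placeholder, not a real public key
    echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC7 postgres@server1" > "$tmp/home/.ssh/authorized_keys"
    chmod 775 "$tmp/home"
    chmod 700 "$tmp/home/.ssh"
    chmod 644 "$tmp/home/.ssh/authorized_keys"
    echo "--- before fix"
    check_strictmodes_perms "$tmp/home" || true
    fix_ssh_perms "$tmp/home"
    echo "--- after fix"
    check_strictmodes_perms "$tmp/home" && echo "ok: $tmp/home passes StrictModes checks"
    rm -rf "$tmp"
}

demo
```

On the real hosts, run check_strictmodes_perms "$HOME" as postgres on the slave and check_private_key_perms ~/.ssh/id_rsa on the master; sshd logs the StrictModes refusal only as "Authentication refused: bad ownership or modes" at LogLevel VERBOSE or higher, so the client-side "Permission denied (publickey)" alone does not tell you which of the two sides is at fault.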