GPDB：SSH 权限被拒绝（公钥）

Posted 2023-03-31

【中文标题】GPDB：SSH 权限被拒绝（公钥）

【英文标题】：GPDB : SSH permission denied (public key)

【发布时间】：2017-11-09 06:41:28

【问题描述】：

当尝试 ssh（来自 greenplum 系统用户）来自 Master gpdb 主机的数据节点之一时。

env - gpdb 4.3.10

出现错误

[gpadmin@mdw ~]$ ssh 数据节点

权限被拒绝（公钥、gssapi-keyex、gssapi-with-mic）。 [gpadmin@mdw ~]$

我们试过了 尝试过关键文档 https://discuss.pivotal.io/hc/en-us/articles/203777546-gpssh-exkeys-Fails-with-Error-Permission-denied-During-Local-Key-Exchange

此外，观察到的节点无法通过 SSH 连接任何数据节点/主控主机。

**Here is verbose mode  -v with SSH info**

debug1: Host 'datanode01' is known and matches the ECDSA host key.
debug1: Found key in /home/gpadmin/.ssh/known_hosts:3
debug1: ssh_ecdsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure.  Minor code may provide more information
No Kerberos credentials available
debug1: Unspecified GSS failure.  Minor code may provide more information
No Kerberos credentials available
debug1: Unspecified GSS failure.  Minor code may provide more information
debug1: Unspecified GSS failure.  Minor code may provide more information
No Kerberos credentials available
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/gpadmin/.ssh/id_rsa
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug1: Trying private key: /home/gpadmin/.ssh/id_dsa
debug1: Trying private key: /home/gpadmin/.ssh/id_ecdsa
debug1: Trying private key: /home/gpadmin/.ssh/id_ed25519
debug1: No more authentication methods to try.
Permission denied (publickey,gssapi-keyex,gssapi-with-mic)

【问题讨论】：

我会重试那个 Pivotal 文档。它会正确引导您解决问题。

当然。打算再试一次。我在这里发布的相同链接

我刚刚试了一下。仍然面临同样的错误

@JonRoberts 我尝试检查 ssh config 。值得注意的是 datanode 和除此节点之外的其他备用节点之一能够正确连接。

我想手动将公钥从源系统复制到目标系统上的 ~/.ssh/authorized_keys。那样可以么？因为 SSH 复制 pub 密钥是不可能的或者你能建议可能的方法吗？

【参考方案1】：

我认为问题不在于该文档建议的 root 登录，而是禁用了密码身份验证。尝试在所有节点上运行：

sudo sed -i 's/PasswordAuthentication no/PasswordAuthentication yes/' /etc/ssh/sshd_config
sudo service sshd restart
echo "gpadmin:changeme" | sudo chpasswd

然后以 gpadmin 身份重试 gpssh-exkeys。

gpssh-exkey -f all_hosts

交换密钥后，您可以再次禁用密码验证。

sudo sed -i 's/PasswordAuthentication yes/PasswordAuthentication no/' /etc/ssh/sshd_config