ssh – How do I get the "postgres" user on one server to rsync to another server?

I'm trying to get this command to work as the postgres user (so I can ship WAL files):
rsync -a /tmp/test postgres@server2:/tmp/test

But I get the error

Permission denied (publickey).

I ran ssh-keygen, eval `ssh-agent` and ssh-add on server1 as the postgres user. keygen created /var/lib/postgresql/.ssh/id_rsa and id_rsa.pub, and I can see it being sent by using ssh -vvv postgres@server2.

On server2 I created /var/lib/postgresql/.ssh/authorized_keys and put the contents of server1's id_rsa.pub into it. It is owned by the postgres user and group and is chmod 600. The .ssh directory is also owned by postgres and is chmod 700.

I can see from the verbose sshd logging on server2 that publickey fails for postgres...

The postgres user on both servers: postgres:x:106:114:PostgreSQL administrator,:/var/lib/postgresql:/bin/bash

ssh -vvv postgres@server2

...
debug1: Found key in /var/lib/postgresql/.ssh/known_hosts:1
debug1: ssh_ecdsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /var/lib/postgresql/.ssh/id_rsa (0x7f468e434000)
debug2: key: /var/lib/postgresql/.ssh/id_dsa ((nil))
debug2: key: /var/lib/postgresql/.ssh/id_ecdsa ((nil))
debug1: Authentications that can continue: publickey
debug3: start over, passed a different list publickey
debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /var/lib/postgresql/.ssh/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey
debug1: Trying private key: /var/lib/postgresql/.ssh/id_dsa
debug3: no such identity: /var/lib/postgresql/.ssh/id_dsa
debug1: Trying private key: /var/lib/postgresql/.ssh/id_ecdsa
debug3: no such identity: /var/lib/postgresql/.ssh/id_ecdsa
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
Permission denied (publickey).

server2 sshd_config (comment lines removed)

Port 22
Protocol 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
UsePrivilegeSeparation yes
KeyRegenerationInterval 3600
ServerKeyBits 768
SyslogFacility AUTH
LogLevel VERBOSE
LoginGraceTime 120
PermitRootLogin yes
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
IgnoreRhosts yes
RhostsRSAAuthentication no
HostbasedAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
PasswordAuthentication no
X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
UsePAM yes

server2 auth log

Jan 16 03:54:21 ip-10-28-26-251 sshd[7972]: Set /proc/self/oom_score_adj to 0
Jan 16 03:54:21 ip-10-28-26-251 sshd[7972]: Connection from 10.28.123.97 port 49377
Jan 16 03:54:21 ip-10-28-26-251 sshd[7972]: Failed publickey for postgres from 10.28.123.97 port 49377 ssh2
Jan 16 03:54:21 ip-10-28-26-251 sshd[7972]: Connection closed by 10.28.123.97 [preauth]

What am I missing? My guess is that sshd isn't looking at the authorized_keys file on server2.

Solution

Assuming your slave server allows key authentication, you only need to update /etc/ssh/sshd_config if you have set AllowedUsers, in which case you need to make sure postgres is in that list.

Other than that, just ssh-keygen (leave the private key passphrase empty), then add the ~/.ssh/authorized_keys directory/file on the slave server. postgres's home directory is /var/lib/postgresql, but if you do these operations as the postgres user you can use ~, not to mention that you shouldn't need to change ownership of anything, since postgres will own the ssh keys generated on the master and postgres will own the directory/file created on the slave.

Make sure the file permissions are set securely on both the master and the slave:

# On master
chmod 700 ~/.ssh
chmod 600 ~/.ssh/id_rsa
chmod 600 ~/.ssh/id_rsa.pub
chmod 600 ~/.ssh/known_hosts  # this one won't exist until you SSH once

# On slave
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys
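The question's evidence (key offered by the client, "Failed publickey" on the server, PubkeyAuthentication yes) and the answer's chmod list both come down to the same set of conditions, and the answer's list leaves one of them out: with StrictModes yes, sshd's secure_filename() check also requires the home directory itself (here /var/lib/postgresql) to be owned by the user or root and not writable by group or others, otherwise it logs "Authentication refused: bad ownership or modes" and the client only sees "Permission denied (publickey)". The following script, added here as an example and not part of the original question or answer, re-implements those checks, confirms that the client's public key blob is actually present in authorized_keys, applies the client-side private-key mode check, and prints the effective sshd directives that gate the whole thing. Note that the sshd directive restricting logins is spelled AllowUsers, not AllowedUsers. It assumes Linux with GNU coreutils stat; the filename check_pubkey.sh and the argument layout are my own choices.

```shell
#!/bin/sh
# Added example, not from the original question or answer. Re-implements the
# checks sshd makes with "StrictModes yes" before it reads ~/.ssh/authorized_keys
# (OpenSSH secure_filename: the key file, ~/.ssh and the home directory must be
# owned by the user or root and must not be group/world writable), verifies the
# offered public key is listed, and applies the client-side private-key mode
# check. Assumes GNU coreutils stat (Linux); user, home and key paths are arguments.

# Pass if PATH exists, is owned by UID (or root) and is not writable by group/others.
strict_mode_ok() {
    path=$1 want_uid=$2
    [ -e "$path" ] || { echo "MISSING    $path"; return 1; }
    set -- $(stat -c '%u %a' "$path")   # %u numeric owner, %a octal mode e.g. 700
    owner=$1 mode=$2
    perm=$(printf '%d' "0$mode")         # octal string -> decimal integer
    if [ "$owner" -ne "$want_uid" ] && [ "$owner" -ne 0 ]; then
        echo "BAD OWNER  $path (uid $owner, wanted $want_uid or 0)"; return 1
    fi
    if [ $((perm & 18)) -ne 0 ]; then    # 18 == 0022 octal: g+w or o+w is set
        echo "BAD MODE   $path ($mode is writable by group or others)"; return 1
    fi
    echo "ok         $path ($mode, uid $owner)"
}

# Walk the same chain sshd does: the key file, then ~/.ssh, then the home directory.
# Any failure means "Authentication refused: bad ownership or modes" in the auth log.
authorized_keys_chain_ok() {
    home=$1 uid=$2 rc=0
    for p in "$home/.ssh/authorized_keys" "$home/.ssh" "$home"; do
        strict_mode_ok "$p" "$uid" || rc=1
    done
    return $rc
}

# Pass if the key blob (2nd field of an OpenSSH public-key line) appears in
# AUTHORIZED_KEYS. Matching on the blob ignores the comment and any key options.
key_is_authorized() {
    blob=$(awk 'NF >= 2 { print $2; exit }' "$1")
    [ -n "$blob" ] || { echo "no key found in $1"; return 1; }
    grep -qF -- "$blob" "$2"
}

# Client side: ssh refuses to use a private key readable or writable by group/others
# ("Permissions 0644 for '...' are too open"), so the key is never offered at all.
private_key_ok() {
    mode=$(stat -c '%a' "$1") || return 1
    perm=$(printf '%d' "0$mode")
    [ $((perm & 63)) -eq 0 ]             # 63 == 0077 octal
}

# Effective server settings that decide whether the key is consulted at all.
# Needs root. The directive restricting logins is AllowUsers (not "AllowedUsers").
sshd_pubkey_settings() {
    command -v sshd >/dev/null 2>&1 || { echo "sshd not in PATH"; return 1; }
    sshd -T 2>/dev/null |
        grep -Ei '^(pubkeyauthentication|strictmodes|authorizedkeysfile|allowusers|denyusers|allowgroups) '
}

# Usage on the receiving server, e.g.:  sh check_pubkey.sh postgres /tmp/id_rsa.pub
if [ -n "$1" ]; then
    user=$1 pub=$2
    home=$(getent passwd "$user" | cut -d: -f6)
    authorized_keys_chain_ok "$home" "$(id -u "$user")"
    if [ -n "$pub" ]; then
        key_is_authorized "$pub" "$home/.ssh/authorized_keys" \
            && echo "key from $pub is listed" || echo "key from $pub is NOT listed"
    fi
    sshd_pubkey_settings
fi
```

Copy the client's id_rsa.pub to the server (or pipe it over the existing connection you do have) and run the script as root so it can read the target user's files and call sshd -T; run private_key_ok against ~/.ssh/id_rsa on the client. If every line prints ok and the key is listed, the remaining suspects are the server's AuthorizedKeysFile setting (the script prints it) and an AllowUsers/AllowGroups list that excludes the user.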
