SSH 完全忽略了我在我的.ssh/config
文件中指定的身份文件,并且不会使用该密钥对我的工作服务器进行身份验证。这是我的config
文件:
Host *
# This is to fix check_host_cert: certificate signature algorithm ssh-rsa: signature algorithm not supported
# I tried putting this under *.work but it didn't work, so I put it under *
CASignatureAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
Host *.work
ProxyJump bastion.work.com
User myusername
IdentityFile ~/.ssh/work
Compression yes
这个完全相同的配置适用于我的 Ubuntu 18.04 安装,但根本无法在我的 Ubuntu 20.04 Windows 10 子系统上运行。我运行ssh
后-vvv
发现它读取了配置文件并识别了密钥,但没有尝试:
debug1: Reading configuration data /home/myusername/.ssh/config
debug1: /home/myusername/.ssh/config line 1: Applying options for *
debug1: /home/myusername/.ssh/config line 4: Applying options for *.work
debug1: Reading configuration data /etc/ssh/ssh_config
...
debug1: identity file /home/myusername/.ssh/work type 0
debug1: identity file /home/myusername/.ssh/work-cert type -1
...
debug1: Next authentication method: publickey
debug1: Trying private key: /home/myusername/.ssh/id_rsa
debug3: no such identity: /home/myusername/.ssh/id_rsa: No such file or directory
debug1: Trying private key: /home/myusername/.ssh/id_dsa
debug3: no such identity: /home/myusername/.ssh/id_dsa: No such file or directory
debug1: Trying private key: /home/myusername/.ssh/id_ecdsa
debug3: no such identity: /home/myusername/.ssh/id_ecdsa: No such file or directory
debug1: Trying private key: /home/myusername/.ssh/id_ecdsa_sk
debug3: no such identity: /home/myusername/.ssh/id_ecdsa_sk: No such file or directory
debug1: Trying private key: /home/myusername/.ssh/id_ed25519
debug3: no such identity: /home/myusername/.ssh/id_ed25519: No such file or directory
debug1: Trying private key: /home/myusername/.ssh/id_ed25519_sk
debug3: no such identity: /home/myusername/.ssh/id_ed25519_sk: No such file or directory
debug1: Trying private key: /home/myusername/.ssh/id_xmss
debug3: no such identity: /home/myusername/.ssh/id_xmss: No such file or directory
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
[email protected]: Permission denied (publickey).
kex_exchange_identification: Connection closed by remote host
它从不尝试/home/myusername/.ssh/work
。我怎样才能明确要求 ssh 使用它?
编辑:从今天(20 年 1 月 7 日)开始,我的 Ubuntu 18.04 安装也开始出现完全相同的问题。OpenSSL 有什么变化吗?
编辑(17/06/21):我应该提到,这个问题过了一段时间就自行消失了,但也许这个问题对其他人有用。
答案1
https://help.okta.com/en/prod/Content/Topics/Adv_Server_Access/docs/sftd-ubuntu.htm
对于运行 Ubuntu 20.04 的服务器,您必须允许证书颁发机构 (CA) 使用 ssh-rsa 算法来签署证书。为此,请将以下行添加到 OpenSSH 守护程序文件(即 /etc/ssh/sshd_config 或 /etc/ssh/sshd_config.d/ 下的插入文件)
要修复此问题,请将以下两行添加到 /etc/ssh/sshd_config
受信任用户 CAKeys /etc/ssh/xxxxxxx
CASignatureAlgorithms +ssh-rsa
将 xxxxxxx 替换为您在 /etc/ssh 中找到的公钥
答案2
您还需要IdentitiesOnly yes
在主机的配置文件中启用。这将确保ssh
使用该密钥,并且只使用该密钥。否则,它将尝试其他密钥,并且远程计算机可能会在多次密钥失败后拒绝授权。
您还可以通过将以下内容放在文件底部来为所有主机启用此功能.ssh/config
:
Host *
IdentitiesOnly yes
如果您查看/etc/ssh/ssh_config
被拉入并显示在详细日志中的,我们可以看到它有默认键可以尝试:
$ cat /etc/ssh/ssh_config | grep Identity
# IdentityFile ~/.ssh/id_rsa
# IdentityFile ~/.ssh/id_dsa
# IdentityFile ~/.ssh/id_ecdsa
# IdentityFile ~/.ssh/id_ed25519
您可能会发现更多或更少,但如果拉入任何其他键,则IdentitiesOnly
主机的设置会有所帮助。
每台机器都应生成并使用自己的密钥,而不是将密钥复制到另一台机器。务必在主机上删除旧密钥并添加新密钥,并查看主机日志以进行调试。
答案3
对于 AWS LightSail:
- 要修复此问题,请将以下两行添加到 /etc/ssh/sshd_config
TrustedUserCAKeys /etc/ssh/lightsail_instance_ca.pub
CASignatureAlgorithms +ssh-rsa
- 重新开始
/etc/init.d/ssh restart
问题 登录失败。如果此实例刚刚启动,请过一两分钟再试。
客户端未授权 [769]