信息:
[foo@mysql01 .ssh]$ cat /etc/centos-release ;pwd ;ls -al
CentOS release 6.9 (Final)
/home/foo/.ssh
total 20
drwx------ 2 foo foo 4096 Oct 3 11:00 .
drwx------ 3 foo foo 4096 Oct 3 11:09 ..
-rw------- 1 foo foo 3311 Oct 3 10:54 id_rsa-foo
-rw------- 1 foo foo 742 Oct 3 10:54 id_rsa-foo.pub
-rw-r--r-- 1 foo foo 403 Oct 3 10:55 known_hosts
常规 ssh 使用密钥可以正常工作:
[foo@mysql01 .ssh]$ ssh -v bar@sftp01 -i ./id_rsa-foo
OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to sftp01 [192.168.10.104] port 22.
debug1: Connection established.
debug1: identity file ./id_rsa-foo type 1
debug1: identity file ./id_rsa-foo-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
debug1: match: OpenSSH_5.3 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.3
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-sha1 none
debug1: kex: client->server aes128-ctr hmac-sha1 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<2048<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'sftp01' is known and matches the RSA host key.
debug1: Found key in /home/foo/.ssh/known_hosts:1
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure. Minor code may provide more information
Credentials cache file '/tmp/krb5cc_500' not found
debug1: Unspecified GSS failure. Minor code may provide more information
Credentials cache file '/tmp/krb5cc_500' not found
debug1: Next authentication method: publickey
debug1: Offering public key: ./id_rsa-foo
debug1: Server accepts key: pkalg ssh-rsa blen 533
debug1: PEM_read_PrivateKey failed
debug1: read PEM private key done: type <unknown>
Enter passphrase for key './id_rsa-foo':
debug1: read PEM private key done: type RSA
debug1: Authentication succeeded (publickey).
debug1: channel 0: new [client-session]
debug1: Requesting [email protected]
debug1: Entering interactive session.
debug1: Sending environment.
Last login: Tue Oct 3 10:58:21 2017 from 192.168.10.109
[bar@sftp01 ~]$
SFTP 似乎没有使用我指定的密钥文件 - 而是尝试所有默认值(Mac OSX 上的类似行为):
[foo@mysql01 .ssh]$ sftp -v bar@sftp01 -oIdentityFile=./id_rsa-foo
Connecting to sftp01...
OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to sftp01 [192.168.10.104] port 22.
debug1: Connection established.
debug1: identity file /home/foo/.ssh/id_rsa type -1
debug1: identity file /home/foo/.ssh/id_rsa-cert type -1
debug1: identity file /home/foo/.ssh/id_dsa type -1
debug1: identity file /home/foo/.ssh/id_dsa-cert type -1
debug1: identity file /home/foo/.ssh/id_ecdsa type -1
debug1: identity file /home/foo/.ssh/id_ecdsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
debug1: match: OpenSSH_5.3 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.3
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-sha1 none
debug1: kex: client->server aes128-ctr hmac-sha1 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<2048<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'sftp01' is known and matches the RSA host key.
debug1: Found key in /home/foo/.ssh/known_hosts:1
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure. Minor code may provide more information
Credentials cache file '/tmp/krb5cc_500' not found
debug1: Unspecified GSS failure. Minor code may provide more information
Credentials cache file '/tmp/krb5cc_500' not found
debug1: Next authentication method: publickey
debug1: Trying private key: /home/foo/.ssh/id_rsa
debug1: Trying private key: /home/foo/.ssh/id_dsa
debug1: Trying private key: /home/foo/.ssh/id_ecdsa
debug1: Next authentication method: password
bar@sftp01's password:
注意:如果我将密钥重命名为默认值(如“id_rsa”和“id_rsa.pub”),sftp 工作正常,但我试图避免这种情况。
答案1
@sato_katsura 你是对的!我不得不转移争论(奇怪):
[foo@mysql01 .ssh]$ sftp -v -oIdentityFile=./id_rsa-foo bar@sftp01
Connecting to sftp01...
OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to sftp01 [192.168.10.104] port 22.
debug1: Connection established.
debug1: identity file ./id_rsa-foo type 1
debug1: identity file ./id_rsa-foo-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
debug1: match: OpenSSH_5.3 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.3
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-sha1 none
debug1: kex: client->server aes128-ctr hmac-sha1 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<2048<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'sftp01' is known and matches the RSA host key.
debug1: Found key in /home/foo/.ssh/known_hosts:1
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure. Minor code may provide more information
Credentials cache file '/tmp/krb5cc_500' not found
debug1: Unspecified GSS failure. Minor code may provide more information
Credentials cache file '/tmp/krb5cc_500' not found
debug1: Next authentication method: publickey
debug1: Offering public key: ./id_rsa-foo
debug1: Server accepts key: pkalg ssh-rsa blen 533
debug1: PEM_read_PrivateKey failed
debug1: read PEM private key done: type <unknown>
Enter passphrase for key './id_rsa-foo':
debug1: read PEM private key done: type RSA
debug1: Authentication succeeded (publickey).
debug1: channel 0: new [client-session]
debug1: Requesting [email protected]
debug1: Entering interactive session.
debug1: Sending environment.
debug1: Sending subsystem: sftp
sftp>