在一台服务器上生成新的 ssh 私钥(id_rsa
)并将其分发到服务器网络中后,一台服务器无法使用新密钥,而是回退到密码认证。
将 id_rsa 复制到新文件并使用它可以。
$ ssh -i id_rsa user@server
user@server's password:
$ cp id_rsa id_rsa.copy
$ chmod --reference=id_rsa id_rsa.copy
$ ssh -i id_rsa.copy user@server
Last login: Wed Apr 2 06:30:36 2014 from otherhost
[user@server ~]$
运行ssh -vvv
调试:
id_rsa:
debug3: Not a RSA1 key file id_rsa.
...
debug1: identity file id_rsa type 1
...
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering public key: id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
id_rsa.复制:
debug3: Not a RSA1 key file id_rsa.copy.
...
debug1: identity file id_rsa.copy type -1
...
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: id_rsa.copy
debug1: read PEM private key done: type RSA
debug3: sign_and_send_pubkey
debug2: we sent a publickey packet, wait for reply
debug1: Authentication succeeded (publickey).
因此,出于某种原因,OpenSSH 以不同的方式处理密钥文件。但为什么呢?
答案1
原来出现问题的服务器两个都 id_rsa
以及id_rsa.pub
之前复制的密钥文件。复制新密钥文件时,我只覆盖了id_rsa
原文件id_rsa.pub
。这导致 ssh 使用id_rsa
不正确。
删除id_rsa.pub
或更新为正确的版本解决了问题。