我为每台我经常访问的服务器设置了带有单独公钥/私钥对的 SSH,并且在 SSH 配置中配置这些身份。
然而,第一次连接到新的私人服务器时,我需要使用密码将我的公钥复制到authorized_keys文件中。
目前,如果启用了 PubkeyAuthentication,运行时ssh -v <new-server>
我会看到它尝试使用我的默认私钥三次,然后失败,并出现错误“失败次数过多”。为什么在失败一次后它会第二次或第三次尝试 SSH 密钥,这让我无法理解——这不像是密码输入错误。
我该如何配置它,以便它只尝试使用身份文件一次,然后恢复到密码验证?
我当前的(相当手动的)解决方案是:
- 使用以下命令将服务器添加到配置文件中
PubkeyAuthentication no
- 复制公钥
- 编辑配置文件并设置
PubkeyAuthentication
为yes
日志
根据一些评论,以下是我尝试连接到新服务器时的日志(在执行此操作之前,我从该服务器中删除了 authorized_keys 文件以强制出现错误)
{11:48}|~/s/qos >ssh -v sbarnett.vm
OpenSSH_7.2p2 Ubuntu-4ubuntu2.2, OpenSSL 1.0.2g 1 Mar 2016
debug1: Reading configuration data /home/sbarnett/.ssh/config
debug1: /home/sbarnett/.ssh/config line 30: Applying options for sbarnett.vm
debug1: /home/sbarnett/.ssh/config line 62: Applying options for *
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Executing proxy command: exec ssh -q -W sbarnett.vm.domain.com:22 jumphost
debug1: key_load_public: No such file or directory
debug1: permanently_drop_suid: 1000
debug1: identity file /home/sbarnett/.ssh/id_rsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/sbarnett/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/sbarnett/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/sbarnett/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/sbarnett/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/sbarnett/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/sbarnett/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/sbarnett/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.2
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.2p2 Ubuntu-4ubuntu2.1
debug1: match: OpenSSH_7.2p2 Ubuntu-4ubuntu2.1 pat OpenSSH* compat 0x04000000
debug1: Authenticating to sbarnett.vm.domain.com:22 as 'sbarnett'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: [email protected]
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: [email protected] MAC: <implicit> compression: none
debug1: kex: client->server cipher: [email protected] MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:m9EW13TUteWcf/0vkNdFRFjwRhoe28neqN77B71DX8M
debug1: Host 'sbarnett.vm.domain.com' is known and matches the ECDSA host key.
debug1: Found key in /home/sbarnett/.ssh/known_hosts:16
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<rsa-sha2-256,rsa-sha2-512>
debug1: SSH2_MSG_SERVICE_ACCEPT received
WARNING. You have accessed a private computer system. Unauthorized access,
use, connection, or entry is not permitted and constitutes a crime
punishable by law. We reserve the right to fully pursue criminal and civil
legal penalties. All individuals using this computer system with or without
proper authority are subject to having all their activities monitored and
recorded. Anyone using this system implicitly consents to this monitoring.
Any evidence of suspected criminal activity revealed by such monitoring may
be provided to law enforcement officials
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering RSA public key: sbarnett@Gimli
debug1: Authentications that can continue: publickey,password
debug1: Offering RSA public key: sbarnett@Gimli
debug1: Authentications that can continue: publickey,password
debug1: Offering RSA public key: sbarnett@Gimli
debug1: Authentications that can continue: publickey,password
debug1: Offering RSA public key: sbarnett@Gimli
debug1: Authentications that can continue: publickey,password
debug1: Offering RSA public key: sbarnett@Gimli
debug1: Authentications that can continue: publickey,password
debug1: Offering RSA public key: sbarnett@Gimli
Received disconnect from UNKNOWN port 0:2: Too many authentication failures
debug1: Authentication succeeded (publickey).
Authenticated to sbarnett.vm.domain.com (via proxy).
debug1: channel 0: new [client-session]
debug1: Requesting [email protected]
debug1: Entering interactive session.
debug1: pledge: proc
packet_write_wait: Connection to UNKNOWN port 0: Broken pipe
答案1
看到它尝试使用我的默认私钥三次,然后失败,并出现错误“尝试失败次数过多”。
这是不可能的。如果被拒绝,它不会多次使用同一个密钥。但它可能会使用其他默认密钥...
我该如何配置它,以便它只尝试使用身份文件一次,然后恢复到密码验证?
您可以通过以下方式配置客户端以忽略公钥
ssh -oPubkeyAuthentication=no <new-server>