有问题的服务器是一个运行器,它使用系统用户构建项目gitlab-runner。该用户用于通过 SSH 进入其他服务器以部署代码等。
在我们添加新服务器作为目标之前,该命令一直运行良好。SSH现在,该命令总是失败并显示错误“主机密钥验证失败。”。当我尝试其他之前可以正常工作的服务器时,也会抛出此错误。文件known_hosts已清除,但 SSH 不再要求添加服务器known_hosts,而是直接返回错误消息。
我检查了文件夹和文件的权限~/.ssh。这些是正确的(.ssh: 700、known_hosts: 600、id_rsa: 600、id_rsa.pub: 644)。还重新启动了服务器,但没有成功。
感觉 SSH 不能正常工作。这是通过 连接到服务器的调试输出SSH。
OpenSSH_7.2p2 Ubuntu-4ubuntu2.4, OpenSSL 1.0.2g 1 Mar 2016
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to megatron.domain.com [10.139.20.204] port 22.
debug1: Connection established.
debug1: identity file /home/gitlab-runner/.ssh/id_rsa type 1
debug1: key_load_public: No such file or directory
debug1: identity file /home/gitlab-runner/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/gitlab-runner/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/gitlab-runner/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/gitlab-runner/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/gitlab-runner/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/gitlab-runner/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/gitlab-runner/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.4
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.2p2 Ubuntu-4ubuntu2.4
debug1: match: OpenSSH_7.2p2 Ubuntu-4ubuntu2.4 pat OpenSSH* compat 0x04000000
debug1: Authenticating to megatron.achillescm.nl:22 as 'root'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: [email protected]
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: [email protected] MAC: <implicit> compression: none
debug1: kex: client->server cipher: [email protected] MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:/zgPQuuy6sG8UuLG9EHFSFAuY1QYNvQzKSyNYq//DJ0
debug1: read_passphrase: can't open /dev/tty: No such device or address
Host key verification failed.
有人有主意吗?
答案1
我找到了问题所在。问题是该known_hosts文件具有错误的权限。
它被设置为600并且应该是644。
答案2
debug1: identity file /home/gitlab-runner/.ssh/id_rsa type 1
debug1: key_load_public: No such file or directory
以上几行表明.ssh/id_rsa存在(type 1),但其用户的公钥(.ssh/id_rsa.pub)不存在或存在一些问题(type -1)。
因此,请确保文件~/.ssh/id_rsa存在、具有600权限、由用户拥有。并且~/.ssh/id_rsa.pub匹配/属于同一身份(按照此邮政)。
这是一个简单的测试,可以作为须藤访问用户(例如root):
sudo -u gitlab-runner sh -c 'cd; wc -l .ssh/id_rsa; stat .ssh/id_rsa; head -n1 .ssh/id_rsa'
答案3
有时,如果 /dev/tty 权限太严格,也会出现同样的问题。然后您只能以 root 用户身份正确 ssh 到服务器,其他人则不能。解决方法是 chmod 777 /dev/tty,以便其他人可以执行此操作。
答案4
\n在调试类似的东西时,令人惊奇的问题是私钥文件末尾缺少换行符( )。
您可以使用以下方法检查不一致情况
cat ~/.ssh/identity_file
公钥文件 - 即~/.ssh/identity_file.pub- 不需要成功地对目标主机进行身份验证,假设它已经在目标主机内获得授权~/.ssh/authorized_keys。