我有许多服务器,我已正确生成密钥、设置权限,并且能够无需密码进行 ssh/scp。但是有一台机器略有不同,我认为我已经找到了区别。
区别在于,在没有密码的情况下我无法连接的机器上,因为 ssh 正在接受密钥:
debug1: Server accepts key: pkalg ssh-rsa blen 279
并且我的所有其他机器都接受:
debug1: Server accepts key: pkalg rsa-sha2-512 blen 279
在创建 ssh 密钥时,我总是设置参数“-t rsa”,但我不确定会生成哪种密钥。您能帮我创建 ssh-rsa 密钥而不是 rsa-sha2-512 密钥吗?最后一件事 - 我无法修改 /etc/ssh/sshd_config 来更改某些内容。
ssh 日志的完整转储如下:我可以连接到的日志:
OpenSSH_7.4p1, OpenSSL 1.0.2k-fips 26 Jan 2017
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 58: Applying options for *
debug1: Connecting to HOSTNAME [IP] port 22.
debug1: Connection established.
debug1: identity file /SOMEPATH/SOMEDIR/SOMEFOLDER/.ssh/id_rsa type 1
debug1: key_load_public: No such file or directory
debug1: identity file /SOMEPATH/SOMEDIR/SOMEFOLDER/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /SOMEPATH/SOMEDIR/SOMEFOLDER/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /SOMEPATH/SOMEDIR/SOMEFOLDER/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /SOMEPATH/SOMEDIR/SOMEFOLDER/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /SOMEPATH/SOMEDIR/SOMEFOLDER/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /SOMEPATH/SOMEDIR/SOMEFOLDER/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /SOMEPATH/SOMEDIR/SOMEFOLDER/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.4
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.4
debug1: match: OpenSSH_7.4 pat OpenSSH* compat 0x04000000
debug1: Authenticating to HOSTNAME:22 as 'SOMEUSER'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: [email protected] MAC: <implicit> compression: none
debug1: kex: client->server cipher: [email protected] MAC: <implicit> compression: none
debug1: kex: curve25519-sha256 need=64 dh_need=64
debug1: kex: curve25519-sha256 need=64 dh_need=64
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:###HASH###
debug1: Host 'HOSTNAME' is known and matches the ECDSA host key.
debug1: Found key in /SOMEPATH/SOMEDIR/SOMEFOLDER/.ssh/known_hosts:2
debug1: rekey after ###HASH### blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey after ###HASH### blocks
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<rsa-sha2-256,rsa-sha2-512>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure. Minor code may provide more information
No Kerberos credentials available (default cache: FILE:/tmp/krb5cc_38000069)
debug1: Unspecified GSS failure. Minor code may provide more information
No Kerberos credentials available (default cache: FILE:/tmp/krb5cc_38000069)
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /SOMEPATH/SOMEDIR/SOMEFOLDER/.ssh/id_rsa
debug1: Server accepts key: pkalg rsa-sha2-512 blen 279
debug1: Authentication succeeded (publickey).
Authenticated to HOSTNAME ([IP]:22).
debug1: channel 0: new [client-session]
debug1: Requesting [email protected]
debug1: Entering interactive session.
debug1: pledge: network
debug1: client_input_global_request: rtype [email protected] want_reply 0
debug1: Sending environment.
debug1: Sending env LANG = en_US.UTF-8
我无法连接的第二个:
OpenSSH_7.4p1, OpenSSL 1.0.2k-fips 26 Jan 2017
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 58: Applying options for *
debug1: Connecting to HOSTNAME [IP] port 22.
debug1: Connection established.
debug1: identity file /SOMEPATH/SOMEDIR/SOMEFOLDER/.ssh/id_rsa type 1
debug1: key_load_public: No such file or directory
debug1: identity file /SOMEPATH/SOMEDIR/SOMEFOLDER/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /SOMEPATH/SOMEDIR/SOMEFOLDER/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /SOMEPATH/SOMEDIR/SOMEFOLDER/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /SOMEPATH/SOMEDIR/SOMEFOLDER/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /SOMEPATH/SOMEDIR/SOMEFOLDER/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /SOMEPATH/SOMEDIR/SOMEFOLDER/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /SOMEPATH/SOMEDIR/SOMEFOLDER/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.4
debug1: Remote protocol version 2.0, remote software version Sun_SSH_1.1.8
debug1: no match: Sun_SSH_1.1.8
debug1: Authenticating to HOSTNAME:22 as 'USERNAME'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: diffie-hellman-group-exchange-sha256
debug1: kex: host key algorithm: ssh-rsa
debug1: kex: server->client cipher: aes128-ctr MAC: hmac-sha2-256 compression: none
debug1: kex: client->server cipher: aes128-ctr MAC: hmac-sha2-256 compression: none
debug1: kex: diffie-hellman-group-exchange-sha256 need=32 dh_need=32
debug1: kex: diffie-hellman-group-exchange-sha256 need=32 dh_need=32
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<8192<8192) sent
debug1: got SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: got SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Server host key: ssh-rsa SHA256:###HASH###
debug1: Host 'HOSTNAME' is known and matches the RSA host key.
debug1: Found key in /SOMEPATH/SOMEDIR/SOMEFOLDER/.ssh/known_hosts:13
debug1: rekey after ###HASH### blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey after ###HASH### blocks
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: gssapi-keyex,gssapi-with-mic,publickey,password,keyboard-interactive
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure. Minor code may provide more information
No Kerberos credentials available (default cache: FILE:/tmp/krb5cc_38000069)
debug1: Unspecified GSS failure. Minor code may provide more information
No Kerberos credentials available (default cache: FILE:/tmp/krb5cc_38000069)
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /SOMEPATH/SOMEDIR/SOMEFOLDER/.ssh/id_rsa
debug1: Server accepts key: pkalg ssh-rsa blen 279
debug1: Authentications that can continue: gssapi-keyex,gssapi-with-mic,publickey,password,keyboard-interactive
debug1: Trying private key: /SOMEPATH/SOMEDIR/SOMEFOLDER/.ssh/id_dsa
debug1: Trying private key: /SOMEPATH/SOMEDIR/SOMEFOLDER/.ssh/id_ecdsa
debug1: Trying private key: /SOMEPATH/SOMEDIR/SOMEFOLDER/.ssh/id_ed25519
debug1: Next authentication method: keyboard-interactive
Password:
我用来生成密钥的命令:
ssh-keygen -b 2048 -t rsa -E sha256 -f filename
我也尝试过:
使用不同的参数创建密钥:
-t rsa1;-t ecdsa;-b 1024;-b 2048;
答案1
RSA 密钥本身既不是“SHA1”,也不是“SHA2”– 密钥格式根本不涉及任何哈希算法。私钥仅由两个大数字组成,并且与证书不同,没有附加签名。
但是,SSH 并没有为每种公钥算法使用哪种哈希算法留下太多灵活性——例如,最初规定,每当使用“ssh-rsa”密钥进行签名时,它都会与 SHA1 一起使用,而不会使用其他任何算法。因此,为了让人们能够使用现有的 RSA 密钥,必须创建新的签名算法名称纯粹为了连接握手–pkalg rsa-sha2-512仍然意味着使用相同的 ssh-rsa 密钥,仅使用 SHA2 进行签名。
通常,当客户端和服务器都声称支持此功能时,会通过协议启用此功能。如果您想为错误地声称支持 rsa-sha2 的服务器禁用此功能,您可以在 OpenSSH 客户端中自定义PubkeyAcceptedKeyTypes:
ssh -o "PubkeyAcceptedKeyTypes=ssh-rsa" [...]
但这对你的案例没有帮助,因为客户端已经正确检测到服务器不支持带 SHA2 的 RSA。你的问题很可能完全出在其他地方。
答案2
尝试
ssh-keygen -t rsa -b 2048 -E sha512
答案3
我遇到过类似的情况。
因为这不是如何生成密钥的答案,而是导致 sshd 拒绝公钥身份验证并仅接受密码的原因。我想对你们中的一些人来说这可能有用。
一些防火墙(例如 Palo Alto、Fortigate、CheckPoint 等)能够作为透明 SSH 代理工作并拦截流量,但它们无法使用私钥进行身份验证。
因此,如果您不知道,那么询问您的管理员他是否没有做任何恶意的事情也不会有什么坏处。
这是启用防火墙的输出:
52:~ laimis$ ssh -v mem
OpenSSH_7.8p1, LibreSSL 2.6.2
debug1: Reading configuration data /Users/laimis/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 48: Applying options for *
debug1: Connecting to mem port 22.
debug1: Connection established.
debug1: identity file /Users/laimis/.ssh/id_rsa type 0
debug1: identity file /Users/laimis/.ssh/id_rsa-cert type -1
debug1: identity file /Users/laimis/.ssh/id_dsa type 1
debug1: identity file /Users/laimis/.ssh/id_dsa-cert type -1
debug1: identity file /Users/laimis/.ssh/id_ecdsa type -1
debug1: identity file /Users/laimis/.ssh/id_ecdsa-cert type -1
debug1: identity file /Users/laimis/.ssh/id_ed25519 type -1
debug1: identity file /Users/laimis/.ssh/id_ed25519-cert type -1
debug1: identity file /Users/laimis/.ssh/id_xmss type -1
debug1: identity file /Users/laimis/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_7.8
debug1: Remote protocol version 2.0, remote software version PaloAltoNetworks_0.2
debug1: no match: PaloAltoNetworks_0.2
debug1: Authenticating to mem:22 as 'laimis'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: diffie-hellman-group-exchange-sha256
debug1: kex: host key algorithm: ssh-rsa
debug1: kex: server->client cipher: aes128-ctr MAC: hmac-sha1 compression: none
debug1: kex: client->server cipher: aes128-ctr MAC: hmac-sha1 compression: none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(2048<7680<8192) sent
debug1: got SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: got SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Server host key: ssh-rsa SHA256:S0MWqGuhCYBUQq4T9evKCHomiPHxLw/Sdda41XmAg3g
debug1: Host 'mem' is known and matches the RSA host key.
debug1: Found key in /Users/laimis/.ssh/known_hosts:521
debug1: rekey after 4294967296 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey after 4294967296 blocks
debug1: Skipping ssh-dss key /Users/laimis/.ssh/id_dsa - not in PubkeyAcceptedKeyTypes
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering public key: RSA SHA256:B26Tg4YaV+VsS1Ou0wcKY/jD5sBh7IWIFw19DCdZhw0 /Users/laimis/.ssh/id_rsa
debug1: Server accepts key: pkalg ssh-rsa blen 149
debug1: Authentications that can continue: publickey,password
debug1: Trying private key: /Users/laimis/.ssh/id_ecdsa
debug1: Trying private key: /Users/laimis/.ssh/id_ed25519
debug1: Trying private key: /Users/laimis/.ssh/id_xmss
debug1: Next authentication method: password
laimis@mem's password:
debug1: Authentication succeeded (password).
Authenticated to mem ([10.130.10.65]:22).
debug1: channel 0: new [client-session]
debug1: Entering interactive session.
debug1: pledge: network
debug1: client_input_global_request: rtype [email protected] want_reply 0
debug1: Sending environment.
debug1: Sending env LANG = lt_LT.UTF-8
Welcome to Ubuntu 18.04.2 LTS (GNU/Linux 4.15.0-45-generic x86_64)
这是禁用防火墙的输出:
52:~ laimis$ ssh -v mem
OpenSSH_7.8p1, LibreSSL 2.6.2
debug1: Reading configuration data /Users/laimis/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 48: Applying options for *
debug1: Connecting to mem port 22.
debug1: Connection established.
debug1: identity file /Users/laimis/.ssh/id_rsa type 0
debug1: identity file /Users/laimis/.ssh/id_rsa-cert type -1
debug1: identity file /Users/laimis/.ssh/id_dsa type 1
debug1: identity file /Users/laimis/.ssh/id_dsa-cert type -1
debug1: identity file /Users/laimis/.ssh/id_ecdsa type -1
debug1: identity file /Users/laimis/.ssh/id_ecdsa-cert type -1
debug1: identity file /Users/laimis/.ssh/id_ed25519 type -1
debug1: identity file /Users/laimis/.ssh/id_ed25519-cert type -1
debug1: identity file /Users/laimis/.ssh/id_xmss type -1
debug1: identity file /Users/laimis/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_7.8
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.6p1 Ubuntu-4ubuntu0.3
debug1: match: OpenSSH_7.6p1 Ubuntu-4ubuntu0.3 pat OpenSSH_7.0*,OpenSSH_7.1*,OpenSSH_7.2*,OpenSSH_7.3*,OpenSSH_7.4*,OpenSSH_7.5*,OpenSSH_7.6*,OpenSSH_7.7* compat 0x04000002
debug1: Authenticating to mem:22 as 'laimis'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: aes128-ctr MAC: [email protected] compression: none
debug1: kex: client->server cipher: aes128-ctr MAC: [email protected] compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:QG8mC4gGXfD8CmWA71LTOs8yqeKhFP3Jz2pf1AYLw7s
debug1: Host 'mem' is known and matches the ECDSA host key.
debug1: Found key in /Users/laimis/.ssh/known_hosts:521
debug1: rekey after 4294967296 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey after 4294967296 blocks
debug1: Skipping ssh-dss key /Users/laimis/.ssh/id_dsa - not in PubkeyAcceptedKeyTypes
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering public key: RSA SHA256:B26Tg4YaV+VsS1Ou0wcKY/jD5sBh7IWIFw19DCdZhw0 /Users/laimis/.ssh/id_rsa
debug1: Server accepts key: pkalg rsa-sha2-512 blen 149
debug1: Authentication succeeded (publickey).
Authenticated to mem ([10.130.10.65]:22).
debug1: channel 0: new [client-session]
debug1: Requesting [email protected]
debug1: Entering interactive session.
debug1: pledge: network
debug1: client_input_global_request: rtype [email protected] want_reply 0
debug1: Sending environment.
debug1: Sending env LANG = lt_LT.UTF-8
Welcome to Ubuntu 18.04.2 LTS (GNU/Linux 4.15.0-45-generic x86_64)