SSH asks for the user password instead of the private key passphrase

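Short summary:

I am trying to connect via SSH from a Windows PC to a Mac mini in order to run shell scripts on the Mac mini. I don't want to store the user password in the script. I would rather use the passphrase that protects the private key.


I have set everything up as described in these tutorials:

https://www.techrepublic.com/article/how-to-generate-ssh-keys-on-macos-mojave/

and here (because ssh-copy-id didn't work)

https://www.techrepublic.com/article/how-to-manually-add-ssh-keys-for-key-authentication/


Procedure:

  • Generate the key on the client with ssh-keygen -t rsa

  • Enter a passphrase and confirm it

  • On the host, create the file "authorized_keys" in /Users/Username/.ssh and copy the client's public key into it

  • chmod 640 authorized_keys and chmod 700 .ssh

Also:

  • Enable remote connections on the Mac mini

Result:

I can connect with my client, but the shell asks me for the user password instead of the private key passphrase.

ssh -vv output: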

Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\Users\Developer>ssh -vv [email protected]
OpenSSH_7.9p1, OpenSSL 1.1.1a  20 Nov 2018
debug1: Reading configuration data /etc/ssh/ssh_config
debug2: resolve_canonicalize: hostname 139.22.224.52 is address
debug2: ssh_connect_direct
debug1: Connecting to 139.22.224.52 [139.22.224.52] port 22.
debug1: Connection established.
debug1: identity file /c/Users/Developer/.ssh/id_rsa type 0
debug1: identity file /c/Users/Developer/.ssh/id_rsa-cert type -1
debug1: identity file /c/Users/Developer/.ssh/id_dsa type -1
debug1: identity file /c/Users/Developer/.ssh/id_dsa-cert type -1
debug1: identity file /c/Users/Developer/.ssh/id_ecdsa type -1
debug1: identity file /c/Users/Developer/.ssh/id_ecdsa-cert type -1
debug1: identity file /c/Users/Developer/.ssh/id_ed25519 type -1
debug1: identity file /c/Users/Developer/.ssh/id_ed25519-cert type -1
debug1: identity file /c/Users/Developer/.ssh/id_xmss type -1
debug1: identity file /c/Users/Developer/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_7.9
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.9
debug1: match: OpenSSH_7.9 pat OpenSSH* compat 0x04000000
debug2: fd 4 setting O_NONBLOCK
debug1: Authenticating to 139.22.224.52:22 as 'systemtest'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-
group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,ext-info-c
debug2: host key algorithms: [email protected],[email protected],[email protected],ecdsa-sha2-nistp256,ecdsa-sh
a2-nistp384,ecdsa-sha2-nistp521,[email protected],[email protected],[email protected],[email protected],ssh-ed25519,rsa-sh
a2-512,rsa-sha2-256,ssh-rsa
debug2: ciphers ctos: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected],aes128-cbc,3des-cbc,aes256-cbc,aes192-cbc
debug2: ciphers stoc: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected],aes128-cbc,3des-cbc,aes256-cbc,aes192-cbc
debug2: MACs ctos: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],umac-1
[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],umac-1
[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,[email protected],zlib
debug2: compression stoc: none,[email protected],zlib
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-
group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1
debug2: host key algorithms: rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519
debug2: ciphers ctos: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]
debug2: ciphers stoc: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]
debug2: MACs ctos: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],umac-1
[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],umac-1
[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,[email protected]
debug2: compression stoc: none,[email protected]
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: [email protected] MAC: <implicit> compression: none
debug1: kex: client->server cipher: [email protected] MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:BAHjy5hPVFMIB7JF+rwobrjLgXQ30C5zgoNlBC5ENRw
debug1: Host '139.22.224.52' is known and matches the ECDSA host key.
debug1: Found key in /c/Users/Developer/.ssh/known_hosts:3
debug2: set_newkeys: mode 1
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug2: set_newkeys: mode 0
debug1: rekey after 134217728 blocks
debug1: Will attempt key: /c/Users/Developer/.ssh/id_rsa RSA SHA256:M7GM7bLi357XePOpkX+E6AhGD7Ay/JZ0xSBwSgan9kY
debug1: Will attempt key: /c/Users/Developer/.ssh/id_dsa
debug1: Will attempt key: /c/Users/Developer/.ssh/id_ecdsa
debug1: Will attempt key: /c/Users/Developer/.ssh/id_ed25519
debug1: Will attempt key: /c/Users/Developer/.ssh/id_xmss
debug2: pubkey_prepare: done
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Offering public key: /c/Users/Developer/.ssh/id_rsa RSA SHA256:M7GM7bLi357XePOpkX+E6AhGD7Ay/JZ0xSBwSgan9kY
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Trying private key: /c/Users/Developer/.ssh/id_dsa
debug1: Trying private key: /c/Users/Developer/.ssh/id_ecdsa
debug1: Trying private key: /c/Users/Developer/.ssh/id_ed25519
debug1: Trying private key: /c/Users/Developer/.ssh/id_xmss
debug2: we did not send a packet, disable method
debug1: Next authentication method: keyboard-interactive
debug2: userauth_kbdint
debug2: we sent a keyboard-interactive packet, wait for reply
debug2: input_userauth_info_req
debug2: input_userauth_info_req: num_prompts 1
Password:

Output of ls -al in the .ssh directory on the Mac:

systemtestsmini:.ssh systemtest$ ls -al
total 24
drwx------   5 systemtest  staff   160 28 Aug 04:42 .
drwxr-xr-x+ 20 systemtest  staff   640 28 Aug 04:03 ..
-rw-------   1 systemtest  staff  1896 28 Aug 04:05 id_rsa
-rw-r--r--   1 systemtest  staff   419 28 Aug 04:05 id_rsa.pub
-rw-r--r--   1 systemtest  staff   175 28 Aug 04:20 known_hosts

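Answer 1

It sounds like you may have swapped the roles of client and server in your mind, and so accidentally performed the client steps on the server and the server steps on the client. It sounds like you generated the key pair on the machine you want to connect to (the Mac mini), and then copied the public key to the machine you want to connect from (the Windows PC).

Based on the additional logs and information you provided, it seems you already have an RSA key pair on your Windows PC at C:\Users\Developer\.ssh\id_rsa (and there should be an id_rsa.pub in the same location).

You should copy id_rsa.pub from the Windows box to the Mac, and then append it to the ~/.ssh/authorized_keys file under the home directory of the user account you want to log in as on the Mac.

Edited to add more explanation based on your follow-up question:

Think of it this way: your private key is private. You keep it only to yourself. You keep it only on the host you work from. You can even "protect" it (that is, on the local disk) by encrypting it with a passphrase, so that even if someone steals the file, they cannot use your private key.

Your public key is public. You distribute your public key to all the servers you want to log in to, and mark it there as authorized to log in. But when you try to log in, you still have to prove that you really are you, so you have to prove that you hold the private key that matches the authorized public key. (This is done mathematically, without revealing the private key.)

The reason you can still log in to the Mac even though the keys are not set up correctly is that you are not using those keys at all. You are authenticating with plain old username + password credentials: the same credentials that the Mac's GUI login window accepts.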
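
A diagnostic for the situation the answer describes, as an added example that is not part of the original answer: it reads the client's `ssh -vv` output, extracts the fingerprint of the key that was offered, and checks whether that fingerprint appears among the keys in the server's authorized_keys. The log excerpt is taken from the question; the authorized_keys content is constructed, and the function names are hypothetical.

```python
import base64
import hashlib
import re

def fingerprint(b64_blob):
    """SHA256 fingerprint in the form OpenSSH prints in its debug output."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def authorized_fingerprints(text):
    """Fingerprints of all keys listed in an authorized_keys file."""
    found = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # Key type, then the base64 blob; login options may precede the type.
        m = re.search(r"(?:ssh-|ecdsa-|sk-)\S+\s+(AAAA[0-9A-Za-z+/]+=*)", line)
        if m:
            found.add(fingerprint(m.group(1)))
    return found

def diagnose(client_log, authorized_keys_text):
    """Explain why a client ended up at a password prompt."""
    offered = re.findall(r"Offering public key: \S+ \S+ (SHA256:\S+)", client_log)
    known = authorized_fingerprints(authorized_keys_text)
    return {
        "offered": offered,
        "accepted": "Server accepts key" in client_log,
        "installed_on_server": [fp for fp in offered if fp in known],
        "password_fallback": bool(re.search(
            r"Next authentication method: (password|keyboard-interactive)", client_log)),
    }

# Excerpt of the ssh -vv output shown in the question.
PAGE_LOG = """\
debug1: Next authentication method: publickey
debug1: Offering public key: /c/Users/Developer/.ssh/id_rsa RSA SHA256:M7GM7bLi357XePOpkX+E6AhGD7Ay/JZ0xSBwSgan9kY
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: keyboard-interactive
"""
# Constructed authorized_keys content: one unrelated entry (not a real key).
DEMO_BLOB = base64.b64encode(b"\x00\x00\x00\x07ssh-rsa" + b"constructed").decode()
DEMO_AUTHORIZED_KEYS = "# constructed sample\nssh-rsa " + DEMO_BLOB + " demo@example\n"

if __name__ == "__main__":
    print(diagnose(PAGE_LOG, DEMO_AUTHORIZED_KEYS))
```

An offered fingerprint that is missing from `installed_on_server`, together with `password_fallback` being true, is the pattern in the question: the server never recognised the client's key, so the private key passphrase was never requested.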
