StrictHostKeyChecking not working


I am trying to ssh to a host through a bastion host. I have set StrictHostKeyChecking=no for both ssh and the ProxyCommand:

ssh -i ~/mykey.pem-prod [email protected] -o "UserKnownHostsFile=/dev/null" -o StrictHostKeyChecking=no -o ProxyCommand="ssh -o StrictHostKeyChecking=no -W %h:%p -i ~/mykey.pem-prod [email protected]"

Sometimes it works, but sometimes I get this message:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ECDSA key sent by the remote host is
SHA256:
Please contact your system administrator.
Add correct host key in /Users/myname/.ssh/known_hosts to get rid of this message.
Offending ECDSA key in /Users/myname/.ssh/known_hosts:7
Password authentication is disabled to avoid man-in-the-middle attacks.
Keyboard-interactive authentication is disabled to avoid man-in-the-middle attacks.
Error: forwarding disabled due to host key check failure
ssh_exchange_identification: Connection closed by remote host

I thought StrictHostKeyChecking=no was supposed to avoid this problem.

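Answer 1

I ran into the same error, and it was caused by the configuration ExitOnForwardFailure yes. Setting it to no (or removing it, since no is the default) allowed the SSH connection to succeed.

https://github.com/openssh/openssh-portable/blob/0121aa87bab9ad2365de2d07f2832b56d5ff9871/sshconnect.c#L1355-L1357 is where this check is done in the source code.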
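The interaction described in the question and answer, as an added example that is not part of the original posts or of OpenSSH: a small shell diagnostic that reads saved ssh stderr plus `ssh -G <host>` output and reports which known_hosts entry triggered the warning and whether the run ended on the fatal forwarding error. The function names, result labels and sample data are constructed; it assumes `ssh -G` prints lower-case `keyword value` lines and accepts `no`, `off` or `false` as the relaxed StrictHostKeyChecking value.

```shell
#!/bin/sh
# Added example: classify a "REMOTE HOST IDENTIFICATION HAS CHANGED" failure.
# Inputs are text files: ssh's stderr and the output of `ssh -G <host>`.
# Function names, result labels and the sample data are constructed here.

# Print "file:line" of the known_hosts entry the warning calls offending.
offending_entry() {
    sed -n 's/^Offending [A-Za-z0-9-]* key in \(.*\):\([0-9][0-9]*\)$/\1:\2/p' "$1" |
        head -n 1
}

# Print the value of one lower-case keyword from `ssh -G` style output.
cfg_value() {
    awk -v k="$1" '$1 == k { print $2; exit }' "$2"
}

# diagnose STDERR_FILE CONFIG_FILE -> one-line verdict on stdout
diagnose() {
    log=$1
    cfg=$2
    entry=$(offending_entry "$log")
    [ -n "$entry" ] || { echo "no-host-key-mismatch"; return 0; }
    case "$(cfg_value stricthostkeychecking "$cfg")" in
        no|off|false) ;;   # checking relaxed: ssh goes on, with restrictions
        *) echo "rejected-by-strict-checking $entry"; return 0 ;;
    esac
    if grep -q '^Error: forwarding disabled due to host key check failure' "$log"
    then
        echo "fatal-forwarding-disabled $entry exitonforwardfailure=$(cfg_value exitonforwardfailure "$cfg")"
    else
        echo "continued-with-restrictions $entry"
    fi
}

# Constructed sample mirroring the question's output and the answer's setting.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'Offending ECDSA key in /Users/myname/.ssh/known_hosts:7' \
        'Error: forwarding disabled due to host key check failure' > "$d/stderr.txt"
    printf '%s\n' 'stricthostkeychecking false' 'exitonforwardfailure yes' > "$d/cfg.txt"
    diagnose "$d/stderr.txt" "$d/cfg.txt"
    rm -rf "$d"
}

demo
```

The reported file:line is the stored key that no longer matches; verifying the host's current key and replacing that entry removes the warning without relaxing any setting.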
