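Question
How do I set up passwordless (key-based) ssh from an Ubuntu16.04 client to a Dropbear SSH server?
- My private key is not password-protected.
- I cannot ssh from Ubuntu16.04 to DropbearSSH using key-based authentication, but I can do so from PeppermintOS 11.
- The same private/public key pair is on both clients (generated on Ubuntu16.04, then the pair was copied to PeppermintOS 11).
- (Ubuntu16.04 cannot be upgraded).
- Both clients can ssh with a password.
Server
The server is an embedded system running Dropbear SSH: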
root@server:# uname -a
Linux server 5.10.9-v2.15-rc2 #1 PREEMPT Thu Sep 15 01:16:32 EDT 2022 armv7l GNU/Linux
root@server:# /usr/sbin/dropbear -V
Dropbear v2020.80
When client1 attempts to log in, Dropbear logs:
Sep 19 23:33:23 server authpriv.info dropbear[10329]: Child connection from 192.168.1.101:59206
Sep 19 23:33:23 server authpriv.info dropbear[10329]: Exit before auth from <192.168.1.101:59206>: (user 'root', 0 fails): Non-matching signing type
When client2 attempts to log in, Dropbear logs:
Sep 19 23:36:42 server authpriv.info dropbear[10410]: Child connection from 192.168.1.102:59218
Sep 19 23:36:42 server authpriv.notice dropbear[10410]: Pubkey auth succeeded for 'root' with key sha1!! he:x_:va:lu:es:_r:em:ov:ed:_f:or:se:cu:ri:ty:__:__:__:_:__ from 192.168.1.102:59218
# Successful login
# Now, when client2 logs out:
Sep 19 23:39:25 server authpriv.info dropbear[10410]: Exit (root) from <192.168.1.102:59218>: Disconnect received
Client1
Client1 is Ubuntu16.04:
user@client1:~$ uname -a
Linux client1 4.15.0-142-generic #146~16.04.1-Ubuntu SMP Tue Apr 13 09:27:15 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
user@client1:~$ ssh -V
OpenSSH_7.2p2 Ubuntu-4ubuntu2.10, OpenSSL 1.0.2g 1 Mar 2016
user@client1:~$ ssh -vvvv user@server
debug1: Authentication succeeded (publickey).
Authenticated to server ([192.168.1.1]:22).
debug1: channel 0: new [client-session]
debug3: ssh_session2_open: channel_new: 0
debug2: channel 0: send open
debug3: send packet: type 90
debug1: Entering interactive session.
debug1: pledge: network
debug3: send packet: type 1
debug1: channel 0: free: client-session, nchannels 1
debug3: channel 0: status: The following connections are open:
#0 client-session (t3 r-1 i0/0 o0/0 fd 5/6 cc -1)
Connection to server closed by remote host.
Connection to server closed.
Transferred: sent 2536, received 1592 bytes, in 0.0 seconds
Bytes per second: sent 20815567.4, received 13067185.8
debug1: Exit status -1
Client2
Client2 is PeppermintOS 11:
user@client2:~$ uname -a
Linux client2 5.10.0-15-amd64 #1 SMP Debian 5.10.120-1 (2022-06-09) x86_64 GNU/Linux
user@client2:~$ ssh -V
OpenSSH_8.4p1 Debian-5, OpenSSL 1.1.1n 15 Mar 2022
user@client2:~$ ssh -vvvv user@server
debug1: Authentication succeeded (publickey).
Authenticated to server ([192.168.1.1]:22).
debug1: channel 0: new [client-session]
debug3: ssh_session2_open: channel_new: 0
debug2: channel 0: send open
debug3: send packet: type 90
debug1: Entering interactive session.
debug1: pledge: network
...
...
debug2: channel 0: request shell confirm 1
debug3: send packet: type 98
debug2: channel_input_open_confirmation: channel 0: callback done
debug2: channel 0: open confirm rwindow 24576 rmax 32759
debug3: receive packet: type 99
debug2: channel_input_status_confirm: type 99 id 0
debug2: PTY allocation request accepted on channel 0
debug3: receive packet: type 99
debug2: channel_input_status_confirm: type 99 id 0
debug2: shell request accepted on channel 0
root@server:~# echo Logged in successfully
Logged in successfully
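Answer 1
The key to client 1's problem is the error "Non-matching signing type".
When client 2 connects, you get the warning "with key sha1".
Client 1 does not support one of the signature algorithms that Dropbear supports, so the connection fails.
Client 1's ssh client version is 7.2p2, which is very old. Upgrading the client requires building it from source.
The simplest solution is to switch to another SSH key type, such as Ed25519. Your other options are to upgrade the SSH client (which is very difficult on Ubuntu Xenial) or to enable ssh-rsa in Dropbear (which I don't think is possible).
Note: client 2 is using ssh version 8.4p1, which is much better but also old. In OpenSSH 8.8, support for ssh-rsa (RSA+SHA1) was disabled. The replacements are rsa-sha2-256 and rsa-sha2-512.
Given the error for client 1 and the warning for client 2, both of which would require an upgrade to properly fix the client, I recommend switching to the SSH key type Ed25519.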
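Added example, not part of the original question or answer: a log triage script that correlates Dropbear's per-connection lines by child PID and lists which client addresses fail with "Non-matching signing type", so an administrator can see which hosts need a different key type. The function names are hypothetical and the sample log lines are constructed from the format quoted in the question.

```shell
#!/bin/sh
# Added example (not from the original post): summarise Dropbear pubkey-auth
# outcomes per client address from syslog lines read on stdin.

# Constructed sample input modelled on the log lines quoted in the question.
sample_log() {
    cat <<'EOF'
Sep 19 23:33:23 server authpriv.info dropbear[10329]: Child connection from 192.168.1.101:59206
Sep 19 23:33:23 server authpriv.info dropbear[10329]: Exit before auth from <192.168.1.101:59206>: (user 'root', 0 fails): Non-matching signing type
Sep 19 23:36:42 server authpriv.info dropbear[10410]: Child connection from 192.168.1.102:59218
Sep 19 23:36:42 server authpriv.notice dropbear[10410]: Pubkey auth succeeded for 'root' with key sha1!! <fingerprint removed> from 192.168.1.102:59218
Sep 19 23:39:25 server authpriv.info dropbear[10410]: Exit (root) from <192.168.1.102:59218>: Disconnect received
EOF
}

# Prints one line per client: "<addr> sigtype_fail=<n> pubkey_ok=<n>".
triage_dropbear_log() {
    awk '
    # Extract the child PID from "dropbear[1234]:" so lines can be correlated.
    function pid_of(line) {
        if (!match(line, /dropbear\[[0-9]+\]/)) return ""
        return substr(line, RSTART + 9, RLENGTH - 10)
    }
    /Child connection from / {
        pid = pid_of($0); addr = $NF
        sub(/:[0-9]+$/, "", addr)          # drop the source port
        if (pid != "") { peer[pid] = addr; seen[addr] = 1 }
        next
    }
    /Non-matching signing type/ { pid = pid_of($0); if (pid in peer) fail[peer[pid]]++; next }
    /Pubkey auth succeeded/     { pid = pid_of($0); if (pid in peer) ok[peer[pid]]++;   next }
    END {
        for (a in seen) printf "%s sigtype_fail=%d pubkey_ok=%d\n", a, fail[a], ok[a]
    }' | sort
}

# Clients that failed on signing type and never passed pubkey auth: the ones
# to move to a different key type, as the answer recommends.
clients_needing_new_key() {
    triage_dropbear_log | awk '$2 != "sigtype_fail=0" && $3 == "pubkey_ok=0" { print $1 }'
}

sample_log | triage_dropbear_log
```

On a real system, feed the server's auth log to `clients_needing_new_key` instead of `sample_log`.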