SSH with pubkey from Windows to CentOS8 fails, but succeeds through an Ubuntu box via AgentForwarding

Windows 10 2004, with an SSH key pair set up and loaded into the ssh-agent service.

PS C:\Users\ferdi> ls .ssh
    Directory: C:\Users\ferdi\.ssh
Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----         8/14/2020  10:14 AM            179 config
-a----         7/23/2020  10:11 AM           1679 id_rsa
-a----         7/23/2020  10:11 AM            404 id_rsa.pub
-a----         8/13/2020   9:23 PM           3896 known_hosts
PS C:\Users\ferdi> cat .\.ssh\id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDndAlQRJcPYSHKkyW2njnWvwLpTe62MHneGRQLvqRtF7A5Yy4LlQKsZLDIivtzrA2GXaMme2lkJvCKlKFe4RQCEeUcdDr2bC1GbdTSAMQ0aaOyO1afIgOKp9zVg3NDIwZ28APpZd+f8sPtAlkfLaeJQ8moEiZz3FhcCRwbnnnVpcLT+S3rJU2mV2GTBktE3mLZoSWHkxsGT3jNdRIORqQxdCvBR2dtiNbPF83W9A7fhCL0tQQtoLu8c3Tp0AGUeYkcfUZ6VLFr+3TjCVskucg2pnnvxAG5DV/DiqGThKqDPWcMd5r2NwqsvaGplgvIdTIwveQOacSMGWQ4UCCIpwyJ ferdi@DESKTOP-4V6O744
PS C:\Users\ferdi> ssh-add
Identity added: C:\Users\ferdi/.ssh/id_rsa (C:\Users\ferdi/.ssh/id_rsa)
PS C:\Users\ferdi> ssh-add -l
2048 SHA256:O5V+dxb9IB8ft2SaxbDtFkK8lBoGVd20K+ugnBp7hSQ C:\Users\ferdi/.ssh/id_rsa (RSA)

My .ssh/config file enables "ForwardAgent" for every remote host.

PS C:\Users\ferdi> cat .ssh/config
Host *
    StrictHostKeyChecking no
    ForwardAgent yes

Host mgr
    HostName 192.168.101.110
    User ubuntu

Host sad
    HostName 192.168.101.225
    User admbvtech

I built a CentOS8 box (named "sad" in my SSH config) and put my public key into .ssh/authorized_keys.

[admbvtech@localhost ~]$ ls -la .ssh
total 4
drwx------ 2 admbvtech sudo  29 Aug 13 18:54 .
drwx------ 6 admbvtech sudo 139 Aug 13 20:53 ..
-rw------- 1 admbvtech sudo 403 Aug 13 18:54 authorized_keys
[admbvtech@localhost ~]$ cat .ssh/authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDndAlQRJcPYSHKkyW2njnWvwLpTe62MHneGRQLvqRtF7A5Yy4LlQKsZLDIivtzrA2GXaMme2lkJvCKlKFe4RQCEeUcdDr2bC1GbdTSAMQ0aaOyO1afIgOKp9zVg3NDIwZ28APpZd+f8sPtAlkfLaeJQ8moEiZz3FhcCRwbnnnVpcLT+S3rJU2mV2GTBktE3mLZoSWHkxsGT3jNdRIORqQxdCvBR2dtiNbPF83W9A7fhCL0tQQtoLu8c3Tp0AGUeYkcfUZ6VLFr+3TjCVskucg2pnnvxAG5DV/DiqGThKqDPWcMd5r2NwqsvaGplgvIdTIwveQOacSMGWQ4UCCIpwyJ ferdi@DESKTOP-4V6O744

I built an Ubuntu 18.04 box (named "mgr") with the same public key in .ssh/authorized_keys.

ubuntu@mgr:~$ ls -la .ssh
total 20
drwx------  2 ubuntu ubuntu 4096 Aug 13 21:24 .
drwxr-xr-x 13 ubuntu ubuntu 4096 Aug 13 15:01 ..
-rw-------  1 ubuntu ubuntu  403 Aug  3 20:57 authorized_keys
-rw-r--r--  1 ubuntu ubuntu 6636 Aug 13 21:24 known_hosts
ubuntu@mgr:~$ cat .ssh/authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDndAlQRJcPYSHKkyW2njnWvwLpTe62MHneGRQLvqRtF7A5Yy4LlQKsZLDIivtzrA2GXaMme2lkJvCKlKFe4RQCEeUcdDr2bC1GbdTSAMQ0aaOyO1afIgOKp9zVg3NDIwZ28APpZd+f8sPtAlkfLaeJQ8moEiZz3FhcCRwbnnnVpcLT+S3rJU2mV2GTBktE3mLZoSWHkxsGT3jNdRIORqQxdCvBR2dtiNbPF83W9A7fhCL0tQQtoLu8c3Tp0AGUeYkcfUZ6VLFr+3TjCVskucg2pnnvxAG5DV/DiqGThKqDPWcMd5r2NwqsvaGplgvIdTIwveQOacSMGWQ4UCCIpwyJ ferdi@DESKTOP-4V6O744

Passwordless SSH from Windows to Ubuntu works fine.

PS C:\Users\ferdi> ssh mgr
warning: agent returned different signature type ssh-rsa (expected rsa-sha2-512)
Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 4.15.0-112-generic x86_64)
....
Last login: Fri Aug 14 09:43:40 2020 from 192.168.101.1

Failure from Windows to CentOS:

PS C:\Users\ferdi> ssh -v sad
OpenSSH_for_Windows_7.7p1, LibreSSL 2.6.5
debug1: Reading configuration data C:\\Users\\ferdi/.ssh/config
debug1: C:\\Users\\ferdi/.ssh/config line 1: Applying options for *
debug1: C:\\Users\\ferdi/.ssh/config line 9: Applying options for sad
debug1: Connecting to 192.168.101.225 [192.168.101.225] port 22.
debug1: Connection established.
debug1: identity file C:\\Users\\ferdi/.ssh/id_rsa type 0
debug1: key_load_public: No such file or directory
debug1: identity file C:\\Users\\ferdi/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file C:\\Users\\ferdi/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file C:\\Users\\ferdi/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file C:\\Users\\ferdi/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file C:\\Users\\ferdi/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file C:\\Users\\ferdi/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file C:\\Users\\ferdi/.ssh/id_ed25519-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file C:\\Users\\ferdi/.ssh/id_xmss type -1
debug1: key_load_public: No such file or directory
debug1: identity file C:\\Users\\ferdi/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_for_Windows_7.7
debug1: Remote protocol version 2.0, remote software version OpenSSH_8.0
debug1: match: OpenSSH_8.0 pat OpenSSH* compat 0x04000000
debug1: Authenticating to 192.168.101.225:22 as 'admbvtech'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: [email protected] MAC: <implicit> compression: none
debug1: kex: client->server cipher: [email protected] MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:qsdGbspZWINmoYKa62+Y6qFpQhH5ruIyo6IKCrapi3c
debug1: Host '192.168.101.225' is known and matches the ECDSA host key.
debug1: Found key in C:\\Users\\ferdi/.ssh/known_hosts:15
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug1: Next authentication method: publickey
debug1: Offering public key: RSA SHA256:O5V+dxb9IB8ft2SaxbDtFkK8lBoGVd20K+ugnBp7hSQ C:\\Users\\ferdi/.ssh/id_rsa
debug1: Server accepts key: pkalg rsa-sha2-512 blen 279
warning: agent returned different signature type ssh-rsa (expected rsa-sha2-512)
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug1: Trying private key: C:\\Users\\ferdi/.ssh/id_dsa
debug1: Trying private key: C:\\Users\\ferdi/.ssh/id_ecdsa
debug1: Trying private key: C:\\Users\\ferdi/.ssh/id_ed25519
debug1: Trying private key: C:\\Users\\ferdi/.ssh/id_xmss
debug1: No more authentication methods to try.
[email protected]: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).

Success from Ubuntu to CentOS using the forwarded identity:

PS C:\Users\ferdi> ssh mgr
...
Last login: Fri Aug 14 10:19:53 2020 from 192.168.101.1
ubuntu@mgr:~$ ssh -v [email protected]
...
debug1: Next authentication method: publickey
debug1: Offering public key: RSA SHA256:O5V+dxb9IB8ft2SaxbDtFkK8lBoGVd20K+ugnBp7hSQ C:\\Users\\ferdi/.ssh/id_rsa
debug1: Server accepts key: pkalg rsa-sha2-512 blen 279
debug1: Authentication succeeded (publickey).
Authenticated to 192.168.101.225 ([192.168.101.225]:22).
...
Last login: Fri Aug 14 07:43:44 2020 from 192.168.101.110
[admbvtech@localhost ~]$

Any ideas? I remember running into the same problem with an Ubuntu 20.04 box built on Hetzner Cloud (I had to destroy it and go back to 18.04).

Thanks in advance.
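The failing and succeeding `ssh -v` transcripts above differ at one point: the server accepts the key under `rsa-sha2-512`, the Windows agent answers with an `ssh-rsa` signature, and the server then re-offers the authentication methods instead of accepting the login. The following is an added example, not code from the original question, that extracts exactly those fields from `ssh -v` output; the `diagnose` function and the embedded log samples are constructed for illustration.

```python
import re

# Constructed sample: the key lines of a failing `ssh -v` session (an OpenSSH
# 7.7 Windows client, an agent-held RSA key, an OpenSSH 8.0 server).
FAILING_SESSION = """\
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512>
debug1: Next authentication method: publickey
debug1: Offering public key: RSA SHA256:EXAMPLEFINGERPRINT /home/user/.ssh/id_rsa
debug1: Server accepts key: pkalg rsa-sha2-512 blen 279
warning: agent returned different signature type ssh-rsa (expected rsa-sha2-512)
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug1: No more authentication methods to try.
"""

# Constructed sample: same key and server, but the requested signature was produced.
WORKING_SESSION = """\
debug1: Next authentication method: publickey
debug1: Offering public key: RSA SHA256:EXAMPLEFINGERPRINT /home/user/.ssh/id_rsa
debug1: Server accepts key: pkalg rsa-sha2-512 blen 279
debug1: Authentication succeeded (publickey).
"""

ACCEPT_RE = re.compile(r"Server accepts key: pkalg (\S+)")
WARN_RE = re.compile(r"agent returned different signature type (\S+) \(expected (\S+)\)")
SIGALGS_RE = re.compile(r"server-sig-algs=<([^>]*)>")

def diagnose(log_text):
    """Summarise the publickey step of an `ssh -v` transcript: the pkalg the
    server accepted the key under, what the agent signed with, and a verdict."""
    accepted = ACCEPT_RE.search(log_text)
    warn = WARN_RE.search(log_text)
    sigalgs = SIGALGS_RE.search(log_text)
    result = {
        "server_sig_algs": sigalgs.group(1).split(",") if sigalgs else [],
        "requested_pkalg": accepted.group(1) if accepted else None,
        "agent_sig_type": warn.group(1) if warn else None,
        "succeeded": "Authentication succeeded (publickey)" in log_text,
    }
    if result["succeeded"]:
        result["verdict"] = "ok"
    elif warn:
        # The server accepted the key under rsa-sha2-*, but the agent returned a
        # signature of another type (SHA-1 based ssh-rsa), which the server refused.
        result["verdict"] = "agent signed with %s, server required %s" % warn.groups()
    elif accepted:
        result["verdict"] = "key accepted but signature not verified"
    else:
        result["verdict"] = "key not accepted by server"
    return result
```

Note that the advertised server-sig-algs list still contains `ssh-rsa`, so the verdict has to come from the warning line and the missing "Authentication succeeded", not from the extension list alone.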

Answer 1

I have since connected successfully to the CentOS8 box (and to the Hetzner Ubuntu 20.04 box) using ECDSA and ED25519 keys, and even an RSA key (with a key size of 4096).

Maybe my previous key size was too small; the only lingering question is:

why was my previous weak RSA key considered unworthy on a direct connection, but not when going through ForwardAgent with another host in between?
