Windows 10 2004,已设置 SSH 密钥对并加载到 SSH 代理服务上。
PS C:\Users\ferdi> ls .ssh
Directory: C:\Users\ferdi\.ssh
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 8/14/2020 10:14 AM 179 config
-a---- 7/23/2020 10:11 AM 1679 id_rsa
-a---- 7/23/2020 10:11 AM 404 id_rsa.pub
-a---- 8/13/2020 9:23 PM 3896 known_hosts
PS C:\Users\ferdi> cat .\.ssh\id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDndAlQRJcPYSHKkyW2njnWvwLpTe62MHneGRQLvqRtF7A5Yy4LlQKsZLDIivtzrA2GXaMme2lkJvCKlKFe4RQCEeUcdDr2bC1GbdTSAMQ0aaOyO1afIgOKp9zVg3NDIwZ28APpZd+f8sPtAlkfLaeJQ8moEiZz3FhcCRwbnnnVpcLT+S3rJU2mV2GTBktE3mLZoSWHkxsGT3jNdRIORqQxdCvBR2dtiNbPF83W9A7fhCL0tQQtoLu8c3Tp0AGUeYkcfUZ6VLFr+3TjCVskucg2pnnvxAG5DV/DiqGThKqDPWcMd5r2NwqsvaGplgvIdTIwveQOacSMGWQ4UCCIpwyJ ferdi@DESKTOP-4V6O744
PS C:\Users\ferdi> ssh-add
Identity added: C:\Users\ferdi/.ssh/id_rsa (C:\Users\ferdi/.ssh/id_rsa)
PS C:\Users\ferdi> ssh-add -l
2048 SHA256:O5V+dxb9IB8ft2SaxbDtFkK8lBoGVd20K+ugnBp7hSQ C:\Users\ferdi/.ssh/id_rsa (RSA)
我的 .ssh/config 文件为每个远程主机启用“ForwardAgent”。
PS C:\Users\ferdi> cat .ssh/config
Host *
StrictHostKeyChecking no
ForwardAgent yes
Host mgr
HostName 192.168.101.110
User ubuntu
Host sad
HostName 192.168.101.225
User admbvtech
我已经构建了一个 CentOS8 盒子(在我的 SSH 配置文件中名为“sad”)并将我的公钥放入 .ssh/authorized_keys
[admbvtech@localhost ~]$ ls -la .ssh
total 4
drwx------ 2 admbvtech sudo 29 Aug 13 18:54 .
drwx------ 6 admbvtech sudo 139 Aug 13 20:53 ..
-rw------- 1 admbvtech sudo 403 Aug 13 18:54 authorized_keys
[admbvtech@localhost ~]$ cat .ssh/authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDndAlQRJcPYSHKkyW2njnWvwLpTe62MHneGRQLvqRtF7A5Yy4LlQKsZLDIivtzrA2GXaMme2lkJvCKlKFe4RQCEeUcdDr2bC1GbdTSAMQ0aaOyO1afIgOKp9zVg3NDIwZ28APpZd+f8sPtAlkfLaeJQ8moEiZz3FhcCRwbnnnVpcLT+S3rJU2mV2GTBktE3mLZoSWHkxsGT3jNdRIORqQxdCvBR2dtiNbPF83W9A7fhCL0tQQtoLu8c3Tp0AGUeYkcfUZ6VLFr+3TjCVskucg2pnnvxAG5DV/DiqGThKqDPWcMd5r2NwqsvaGplgvIdTIwveQOacSMGWQ4UCCIpwyJ ferdi@DESKTOP-4V6O744
我已经构建了一个 Ubuntu 18.04 盒子(名为“mgr”),在 .ssh/authorized_keys 中有相同的公钥
ubuntu@mgr:~$ ls -la .ssh
total 20
drwx------ 2 ubuntu ubuntu 4096 Aug 13 21:24 .
drwxr-xr-x 13 ubuntu ubuntu 4096 Aug 13 15:01 ..
-rw------- 1 ubuntu ubuntu 403 Aug 3 20:57 authorized_keys
-rw-r--r-- 1 ubuntu ubuntu 6636 Aug 13 21:24 known_hosts
ubuntu@mgr:~$ cat .ssh/authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDndAlQRJcPYSHKkyW2njnWvwLpTe62MHneGRQLvqRtF7A5Yy4LlQKsZLDIivtzrA2GXaMme2lkJvCKlKFe4RQCEeUcdDr2bC1GbdTSAMQ0aaOyO1afIgOKp9zVg3NDIwZ28APpZd+f8sPtAlkfLaeJQ8moEiZz3FhcCRwbnnnVpcLT+S3rJU2mV2GTBktE3mLZoSWHkxsGT3jNdRIORqQxdCvBR2dtiNbPF83W9A7fhCL0tQQtoLu8c3Tp0AGUeYkcfUZ6VLFr+3TjCVskucg2pnnvxAG5DV/DiqGThKqDPWcMd5r2NwqsvaGplgvIdTIwveQOacSMGWQ4UCCIpwyJ ferdi@DESKTOP-4V6O744
无密码 SSH 从 Windows 到 Ubuntu 都可以正常工作。
PS C:\Users\ferdi> ssh mgr
warning: agent returned different signature type ssh-rsa (expected rsa-sha2-512)
Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 4.15.0-112-generic x86_64)
....
Last login: Fri Aug 14 09:43:40 2020 from 192.168.101.1
失败从 Windows 到 CentOS
PS C:\Users\ferdi> ssh -v sad
OpenSSH_for_Windows_7.7p1, LibreSSL 2.6.5
debug1: Reading configuration data C:\\Users\\ferdi/.ssh/config
debug1: C:\\Users\\ferdi/.ssh/config line 1: Applying options for *
debug1: C:\\Users\\ferdi/.ssh/config line 9: Applying options for sad
debug1: Connecting to 192.168.101.225 [192.168.101.225] port 22.
debug1: Connection established.
debug1: identity file C:\\Users\\ferdi/.ssh/id_rsa type 0
debug1: key_load_public: No such file or directory
debug1: identity file C:\\Users\\ferdi/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file C:\\Users\\ferdi/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file C:\\Users\\ferdi/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file C:\\Users\\ferdi/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file C:\\Users\\ferdi/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file C:\\Users\\ferdi/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file C:\\Users\\ferdi/.ssh/id_ed25519-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file C:\\Users\\ferdi/.ssh/id_xmss type -1
debug1: key_load_public: No such file or directory
debug1: identity file C:\\Users\\ferdi/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_for_Windows_7.7
debug1: Remote protocol version 2.0, remote software version OpenSSH_8.0
debug1: match: OpenSSH_8.0 pat OpenSSH* compat 0x04000000
debug1: Authenticating to 192.168.101.225:22 as 'admbvtech'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: [email protected] MAC: <implicit> compression: none
debug1: kex: client->server cipher: [email protected] MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:qsdGbspZWINmoYKa62+Y6qFpQhH5ruIyo6IKCrapi3c
debug1: Host '192.168.101.225' is known and matches the ECDSA host key.
debug1: Found key in C:\\Users\\ferdi/.ssh/known_hosts:15
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug1: Next authentication method: publickey
debug1: Offering public key: RSA SHA256:O5V+dxb9IB8ft2SaxbDtFkK8lBoGVd20K+ugnBp7hSQ C:\\Users\\ferdi/.ssh/id_rsa
debug1: Server accepts key: pkalg rsa-sha2-512 blen 279
warning: agent returned different signature type ssh-rsa (expected rsa-sha2-512)
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug1: Trying private key: C:\\Users\\ferdi/.ssh/id_dsa
debug1: Trying private key: C:\\Users\\ferdi/.ssh/id_ecdsa
debug1: Trying private key: C:\\Users\\ferdi/.ssh/id_ed25519
debug1: Trying private key: C:\\Users\\ferdi/.ssh/id_xmss
debug1: No more authentication methods to try.
[email protected]: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
成功从 Ubuntu 到 CentOS使用转发的身份。
PS C:\Users\ferdi> ssh mgr
...
Last login: Fri Aug 14 10:19:53 2020 from 192.168.101.1
ubuntu@mgr:~$ ssh -v [email protected]
...
debug1: Next authentication method: publickey
debug1: Offering public key: RSA SHA256:O5V+dxb9IB8ft2SaxbDtFkK8lBoGVd20K+ugnBp7hSQ C:\\Users\\ferdi/.ssh/id_rsa
debug1: Server accepts key: pkalg rsa-sha2-512 blen 279
debug1: Authentication succeeded (publickey).
Authenticated to 192.168.101.225 ([192.168.101.225]:22).
...
Last login: Fri Aug 14 07:43:44 2020 from 192.168.101.110
[admbvtech@localhost ~]$
有什么想法吗?我记得在 Hetzner Cloud 上构建的 Ubuntu 20.04 盒子也遇到过同样的问题(我不得不销毁它并恢复到 18.04)。
提前致谢。
答案1
我已经成功使用 ECDSA、ED25519 连接到 CentOS8 盒子(以及 Hetzner Ubuntu 20.04 盒子),甚至 RSA键(密钥大小为 4096)。
也许我以前的密钥大小太小:唯一持久的问题是
为什么我以前的弱 RSA 密钥在直接连接时被认为是不值得的,但在中间的另一台主机通过 ForwardAgent 进行时则不然?