I have to connect to my work PC, and I am using this config:
Host work
User name
HostName 192.168.31.***
ProxyCommand ssh.exe p***@middle_host nc %h %p
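middle_host is the organization network that I have to connect to before connecting to the actual desktop. I have successfully done ssh-copy-id. But when I try to connect using ssh work, it asks for a password for middle_host, but not for the work PC. I checked authorized_keys on middle_host, and my public key is there. But it still doesn't connect without a password prompt.
Permissions of the different files on middle_host: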
stat -c "%a" ~
>>700
stat -c "%a" ~/.ssh/
700
stat -c "%a" ~/.ssh/authorized_keys
600
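I have checked these answers and followed them, but could not resolve it:
Why am I still getting an ssh password prompt when using public key authentication?
ssh-copy-id succeeded, but still prompts for password
Answering the comments:
- I don't have root access on middle_host (CentOS), so I don't know how to check the sshd logs.
- I tried to connect to the middle host using
ssh -v middle_host
It throws:
Unable to negotiate with ***** port 22: no matching key exchange method found. Their offer: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
So I tried -oKexAlgorithms=+diffie-hellman-group1-sha1, and now the output is: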
OpenSSH_8.2p1 Ubuntu-4ubuntu0.1, OpenSSL 1.1.1f 31 Mar 2020
debug1: Reading configuration data /home/koushik/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: include /etc/ssh/ssh_config.d/*.conf matched no files
debug1: /etc/ssh/ssh_config line 21: Applying options for *
debug1: Connecting to ***.**.**.*** [***.**.**.***] port 22.
debug1: Connection established.
debug1: identity file /home/koushik/.ssh/id_rsa type 0
debug1: identity file /home/koushik/.ssh/id_rsa-cert type -1
debug1: identity file /home/koushik/.ssh/id_dsa type -1
debug1: identity file /home/koushik/.ssh/id_dsa-cert type -1
debug1: identity file /home/koushik/.ssh/id_ecdsa type -1
debug1: identity file /home/koushik/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/koushik/.ssh/id_ecdsa_sk type -1
debug1: identity file /home/koushik/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file /home/koushik/.ssh/id_ed25519 type -1
debug1: identity file /home/koushik/.ssh/id_ed25519-cert type -1
debug1: identity file /home/koushik/.ssh/id_ed25519_sk type -1
debug1: identity file /home/koushik/.ssh/id_ed25519_sk-cert type -1
debug1: identity file /home/koushik/.ssh/id_xmss type -1
debug1: identity file /home/koushik/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.1
debug1: Remote protocol version 2.0, remote software version OpenSSH_4.3
debug1: match: OpenSSH_4.3 pat OpenSSH_2*,OpenSSH_3*,OpenSSH_4* compat 0x00000002
debug1: Authenticating to ***.**.**.***:22 as '****'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: diffie-hellman-group1-sha1
debug1: kex: host key algorithm: ssh-rsa
debug1: kex: server->client cipher: aes128-ctr MAC: hmac-sha1 compression: none
debug1: kex: client->server cipher: aes128-ctr MAC: hmac-sha1 compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ssh-rsa SHA256:mDzOdf7c6GdlUbdzYqOPpD23W1gyyixbjxeUxHU0YlE
debug1: Host '***.**.**.***' is known and matches the RSA host key.
debug1: Found key in /home/koushik/.ssh/known_hosts:1
debug1: rekey out after 4294967296 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 4294967296 blocks
debug1: Will attempt key: /home/koushik/.ssh/id_rsa RSA SHA256:PqSSI5hAPS2zK9l+rOA7TZ01onuarhil6Fhee27+zG8
debug1: Will attempt key: /home/koushik/.ssh/id_dsa
debug1: Will attempt key: /home/koushik/.ssh/id_ecdsa
debug1: Will attempt key: /home/koushik/.ssh/id_ecdsa_sk
debug1: Will attempt key: /home/koushik/.ssh/id_ed25519
debug1: Will attempt key: /home/koushik/.ssh/id_ed25519_sk
debug1: Will attempt key: /home/koushik/.ssh/id_xmss
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure. Minor code may provide more information
No Kerberos credentials available (default cache: FILE:/tmp/krb5cc_1000)
debug1: Unspecified GSS failure. Minor code may provide more information
No Kerberos credentials available (default cache: FILE:/tmp/krb5cc_1000)
debug1: Next authentication method: publickey
debug1: Offering public key: /home/koushik/.ssh/id_rsa RSA SHA256:PqSSI5hAPS2zK9l+rOA7TZ01onuarhil6Fhee27+zG8
debug1: Server accepts key: /home/koushik/.ssh/id_rsa RSA SHA256:PqSSI5hAPS2zK9l+rOA7TZ01onuarhil6Fhee27+zG8
debug1: Authentication succeeded (publickey).
Authenticated to ***.**.**.*** ([***.**.**.***]:22).
debug1: channel 0: new [client-session]
debug1: Entering interactive session.
debug1: pledge: network
debug1: Sending environment.
debug1: Sending env LANG = C.UTF-8
Last login: Sun Feb 14 14:18:00 2021 from -----
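Answer 1
First, you declared a user in the SSH config, but used a different username in the ProxyCommand.
Second, middle_host uses an old version of OpenSSH, v4.3, while the client uses OpenSSH v8.2p1. Older versions of OpenSSH use old versions of Diffie-Hellman (DH) key exchange, which later versions no longer support. Of the three DH parameters supported by the middle system, Group-14 is the better one, while Group-1 is the worst. So run the following command, specifying Group-14: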
ssh -v -o HostKeyAlgorithms=ssh-dss -o KexAlgorithms=diffie-hellman-group14-sha1 middle_host
Side note:
Exposing an OpenSSH v4.3 server to the Internet is a bad idea. Consider using a VPN.
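An added example, not part of the question or the answer: a small Python helper that reads `ssh -v` output like the log above, reports what was negotiated, and picks a key-exchange algorithm from a "Their offer:" error. The sample lines and the address 192.0.2.10 are constructed, and placing group-exchange-sha1 between group14 and group1 is this example's assumption.

```python
import re

# Constructed sample in the format of the `ssh -v` output quoted in the question.
SAMPLE_LOG = """\
debug1: Remote protocol version 2.0, remote software version OpenSSH_4.3
debug1: kex: algorithm: diffie-hellman-group1-sha1
debug1: kex: host key algorithm: ssh-rsa
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Authentication succeeded (publickey).
"""
# Constructed error line; 192.0.2.10 is a documentation address.
SAMPLE_ERROR = ("Unable to negotiate with 192.0.2.10 port 22: no matching key "
                "exchange method found. Their offer: diffie-hellman-group-exchange-sha1,"
                "diffie-hellman-group14-sha1,diffie-hellman-group1-sha1")

# group14 first and group1 last follow the answer; the middle slot for
# group-exchange-sha1 is an assumption of this example.
KEX_PREFERENCE = ["diffie-hellman-group14-sha1",
                  "diffie-hellman-group-exchange-sha1",
                  "diffie-hellman-group1-sha1"]
PATTERNS = {
    "server": r"remote software version (\S+)",
    "kex": r"kex: algorithm: (\S+)",
    "hostkey": r"kex: host key algorithm: (\S+)",
    "methods": r"Authentications that can continue: (\S+)",
    "succeeded": r"Authentication succeeded \((\S+)\)",
}

def summarize(log):
    """Pull server version, negotiated algorithms and auth result from ssh -v output."""
    out = {}
    for name, pat in PATTERNS.items():
        m = re.search(pat, log)
        out[name] = m.group(1) if m else None
    out["methods"] = out["methods"].split(",") if out["methods"] else []
    out["weak_kex"] = out["kex"] == "diffie-hellman-group1-sha1"
    return out

def pick_kex(error_line):
    """Return the most preferred algorithm listed after 'Their offer:', or None."""
    m = re.search(r"Their offer: (\S+)", error_line)
    offered = m.group(1).split(",") if m else []
    return next((a for a in KEX_PREFERENCE if a in offered), None)

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
    print("ssh -o KexAlgorithms=+%s middle_host" % pick_kex(SAMPLE_ERROR))
```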