我确实使用openssl pkcs8 -topk8 -in id_rsa -out id_rsa_new -v2 des3
(http://martin.kleppmann.com/2013/05/24/improving-security-of-ssh-private-keys.html)
但现在,ssh-agent 将不再起作用。当我尝试使用 ssh 连接到计算机时:
OpenSSH_6.1p1 Debian-4, OpenSSL 1.0.1c 10 May 2012
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to 192.168.178.38 [192.168.178.38] port 22.
debug1: Connection established.
debug3: Incorrect RSA1 identifier
debug3: Could not load "/home/damon/.ssh/id_rsa" as a RSA1 public key
debug1: identity file /home/damon/.ssh/id_rsa type 1
debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-2048
debug1: Checking blacklist file /etc/ssh/blacklist.RSA-2048
debug1: identity file /home/damon/.ssh/id_rsa-cert type -1
debug1: identity file /home/damon/.ssh/id_dsa type -1
debug1: identity file /home/damon/.ssh/id_dsa-cert type -1
debug1: identity file /home/damon/.ssh/id_ecdsa type -1
debug1: identity file /home/damon/.ssh/id_ecdsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.0p1 Debian-3ubuntu1
debug1: match: OpenSSH_6.0p1 Debian-3ubuntu1 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.1p1 Debian-4
debug2: fd 3 setting O_NONBLOCK
debug3: load_hostkeys: loading entries for host "192.168.178.38" from file "/home/damon/.ssh/known_hosts"
debug3: load_hostkeys: found key type ECDSA in file /home/damon/.ssh/known_hosts:1
debug3: load_hostkeys: loaded 1 keys
debug3: order_hostkeyalgs: prefer hostkeyalgs: [email protected],[email protected],[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: [email protected],[email protected],[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,[email protected],[email protected],[email protected],[email protected],ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected]
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected]
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,[email protected],hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,[email protected],hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,[email protected],zlib
debug2: kex_parse_kexinit: none,[email protected],zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected]
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected]
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,[email protected],hmac-sha2-256,hmac-sha2-256-96,hmac-sha2-512,hmac-sha2-512-96,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,[email protected],hmac-sha2-256,hmac-sha2-256-96,hmac-sha2-512,hmac-sha2-512-96,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,[email protected]
debug2: kex_parse_kexinit: none,[email protected]
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: found hmac-md5
debug1: kex: server->client aes128-ctr hmac-md5 none
debug2: mac_setup: found hmac-md5
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ECDSA d0:42:c3:a4:bb:2e:f0:cd:38:c1:32:d5:a5:ac:4c:d5
debug3: load_hostkeys: loading entries for host "192.168.178.38" from file "/home/damon/.ssh/known_hosts"
debug3: load_hostkeys: found key type ECDSA in file /home/damon/.ssh/known_hosts:1
debug3: load_hostkeys: loaded 1 keys
debug1: Host '192.168.178.38' is known and matches the ECDSA host key.
debug1: Found key in /home/damon/.ssh/known_hosts:1
debug1: ssh_ecdsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /home/damon/.ssh/id_rsa (0x7f15643f1e30)
debug2: key: /home/damon/.ssh/id_dsa ((nil))
debug2: key: /home/damon/.ssh/id_ecdsa ((nil))
debug1: Authentications that can continue: publickey
debug3: start over, passed a different list publickey
debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/damon/.ssh/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Server accepts key: pkalg ssh-rsa blen 279
debug2: input_userauth_pk_ok: fp ee:e0:8c:60:ee:9f:05:4c:cd:0e:45:85:e2:91:64:95
debug3: sign_and_send_pubkey: RSA ee:e0:8c:60:ee:9f:05:4c:cd:0e:45:85:e2:91:64:95
Agent admitted failure to sign using the key.
debug1: Trying private key: /home/damon/.ssh/id_dsa
debug3: no such identity: /home/damon/.ssh/id_dsa
debug1: Trying private key: /home/damon/.ssh/id_ecdsa
debug3: no such identity: /home/damon/.ssh/id_ecdsa
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
Permission denied (publickey).
我在新安装的 Linux Mint 15 x64 VM 和其他几个 Linux Mint 安装上运行此程序,均无法连接。
这是一个 pkcs8 加密私钥的示例(我生成只是为了分享,不用担心):
damon@DamonVirtual ~/.ssh $ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/damon/.ssh/id_rsa): id_rsa_test
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in id_rsa_test.
Your public key has been saved in id_rsa_test.pub.
The key fingerprint is:
f6:58:aa:43:c4:08:51:54:34:e5:5a:76:ae:ed:bd:30 damon@DamonVirtual
The key's randomart image is:
+--[ RSA 2048]----+
| .+oo+.. |
| . o |
| . o + . |
| . o+ o |
| .. S o |
| .. B |
| . + E |
| .. . + |
damon@DamonVirtual ~/.ssh $ openssl pkcs8 -topk8 -in id_rsa_test -out id_rsa_test_enc -v2 des3
Enter Encryption Password:
Verifying - Enter Encryption Password:
damon@DamonVirtual ~/.ssh $ chmod id_rsa_test_enc 600
chmod: Ungültiger Modus: »id_rsa_test_enc“
„chmod --help“ liefert weitere Informationen.
damon@DamonVirtual ~/.ssh $ chmod 600 id_rsa_test_enc
damon@DamonVirtual ~/.ssh $ cat id_rsa_test_enc
-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIFDjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIsRD8OicdxA0CAggA
MBQGCCqGSIb3DQMHBAhpBxvnSmEyaQSCBMj1vvjrx3KiEa++l1xtDDimOPXDqrh6
AAQBZGBBgDNX7OqmqDK6gvbliZUsYEBdbxA8g53tQe168tmXw6RbpDUqwRT0N8MU
an5pBJkOd1nT9TGFivhvBVRLeoCko9jmrcia38/Cc4D088rirYbTOdi47qB88zin
WVxNVCXTAB2IXAvgSVuYlbzRku++OCZAY4YI+4Q8diY1pnY5rMVNc1eTknMp2Gyc
s+37nVpc2Xz3kI1T/2yiJEkOucyyNxbvKfDdmkhxYnflghjQAIFZXhALgGwTAeD+
SkuCpHCyQ6Rw+X/lSvsyj9RNpioF51iTMazy1NbDSyv8FaB+cF8QLC9wz9hHZ3yV
xiNVy38yVwMDr4OudXB+qjc8nDSjQdK5Ade8OWQZS7KXiT0K0wdGYn6NSGuoJTU3
UI9m+Glwv5JI5WE9nUm2GyZzUTujhH7lzJKw/20/IhosrS78/TVWUJ5MW5jNrDz+
raKG9jTLjEirhQFvCowh2oYJUxq0Fmh5d2Iskq19rVdL8iDMyZMJxfsiKTxd6TcK
uGtFkX+IS80Is6r2ZnDsQwlMiKw1pZ223JAQvLHX6baBvoDGr7vSeb4m91G4DYOK
gzdAICHuX0bIXbPhNxfkpstakdvrR2Fz1QNpInTO8K4fQ9dqnCyeiferbzpEkhVD
BVVNRcBVynGPWs6SwBTkRW7D5tWNdFA/ngVkqDDnYaw+/xiaKPF3T/gtOzjEvkgA
CYxBrO+Y1Y6eVA4wD+U9f/6mfA55xf95P+BQ31GT8NoGv0F+3fuY/NGdTkWP0bg7
yhihlRshdt7it+AycDj+cKATjqOcFJpP5nDu0wSciSWAaHAakZl1aK6+qaCUnzGy
9nYZUrTyYk2dLSBP7XI5aVvmk4tzT5Rq9XxV/6Gi48lfe+uqGi2Q46IMxLqxaC1Q
pwNEMlDAiK3zMrxvhQ6YXbTROFEgjeZArzoYwDkbwv9ra8nOslmkXcAz2pYQQQJc
Jv49rtL4kS+L44/koekIk22GMajbSpTdskkieKewQVYhrPbgaBXZfyYvobshCGI9
3qwNEg3ZWhkvAtypMcXX3oflVm54NYXnQ8INk8MPqABrTZtM4VGrKunNa0rCOo8e
ULxgAcsBcZMbe6iI1lB3v+fP7hq8ceQW7oi0/8LS3inz2f3iz7SDKF0c1B1obr0l
u9dJcv6ijXU9Vvv0kejo/C1jx7vsl9q7lp0GLDer003htYNOqrc9GHc7laCh7JlB
R9Lf9IlZjEFTGD6UOJw+2L14j3QTKyLoXwQS+hTXVI7GBBaJq1SuPcCxieSjK5d4
HlkrkO7/iMKEDCwPv8Wp6ZPUowywrP5j4IH51Nk9vuN+DhmCONMjHlJLZLgCJWtm
cfpSlwRI9E86zQlZR2vrlKeHChXtm1kOGp3mkpvRwmu4gZLAQZhNo8TRCNWfQZuj
YhoYdewQJnoemHGk0bKoDA6IqQZMhlfKP2KcnmDWwLQn/rb1VudbbnHSNMF1vCt0
X/lXverUxO8PlNnmhY/D6omah53laGloGHZo/7NHnaa468rNEZyIPYw14XbZaI5A
RlNo9uT2IhJOtSKWqiBioD4YZtjciSkvmUYfC8x4cVqVWd69VuzfxaKpEjp3OzlG
bQw=
-----END ENCRYPTED PRIVATE KEY-----
damon@DamonVirtual ~/.ssh $ cat id_rsa_test.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDNms5/HhVr903+uIFM1BTQwOz8lYWyKQsnttkyvxtrfdnJe3EEwBjKjXlipTMYgLl2gi5Lt63f3esHYT0IBwN4DPz9BdYkb3vqsPSdouV2N45/S7w6dwwx2BJ/yP35r2G91ckOiHQSioDWFDbWQMYNrHrbAAtk6QbZthwMyKFK59iGCRltAxyq2/EPU6dkoyq8AWDZao+i65AQjIfDQ5vqHhPPZo80j5q8XNWP6E8oVx+hwUiYZ/hEHLR5KWMZyG0MVzDZICs9qMruIDA9YASl9DTNc72+5L5b1Ct5rTYGeq+5bMue9w7GVCFu/6ahPUwyNI17SW8Fsu6hF/HxbgnR damon@DamonVirtual
这个加密通行证是 123456789。有人能发现我在生成和加密密钥时犯的错误吗?
(再一次,这不是我的个人私钥,我只是出于测试目的生成了这个私钥,这不在我的任何authorized_keys文件中,调试输出来自与以相同方式生成的另一个密钥的使用)
是我失败了,还是ssh-agent失败了?我没有收到密码提示,因此 ssh-agent 似乎无法识别密钥已加密...但我可以使用将其添加到代理中ssh-add id_rsa
,系统会提示我输入密码,它就可以工作了.. 。
编辑
我想我知道发生了什么:
ssh-agent 尝试自动向其添加 ssh-keys。当这样做时,它会严重失败。此故障由不可删除的身份指示。尝试ssh-add -D && ssh-add -l
。如果这返回任何剩余的身份,则 ssh-agent 做错了什么:我认为 ssh-agent 在自动添加密钥时会搞砸解密。
我的解决方案是防止这种情况发生:
- 将所有私钥移出 ot
~/.ssh
- 重启
- 生成 ssh 密钥对,不要存放在
~/.ssh
! - 使用 openssl 加密私钥,“像往常一样”
- 将加密的私钥移至
~/.ssh
ssh-add /path/to/file
你的私钥
现在应该提示您输入加密密码。
重要的:
- 不要使用 ssh-agent 中已有的密钥文件名。它似乎一次又一次地尝试自动添加已知的文件名,导致了这个可怕的失败。
- 不要使用具有已知指纹的私钥。 ssh-agent 不知何故也自动添加了那些......
~/.ssh
在执行这些步骤之前,请确保绝对没有私钥- 确保 ssh-agent 绝对没有缓存私钥
如果 ~/.ssh 或 ssh-agent 中留有任何密钥,则会失败。一旦使用 ssh-add 正确添加了密钥,系统会提示您输入加密密码,并且 ~/.ssh 或 ssh-agent 中没有其他密钥,那么添加其他密钥似乎就可以了。
有时我只是讨厌 Linux,因为一些特殊的(有时是遗留的)数据包做这种事情:(
答案1
好的,回顾一下我认为添加 pkcs#8 私钥时会发生的情况,这会导致失败:
ssh-keygen
使用(无密码)生成密钥对- 加密使用
openssl pkcs8 -topk8
~/.ssh
如果加密的身份文件与匹配的公钥一起存储,ssh-agent 会将其添加到其密钥环中- ssh-agent 不会提示您解密密钥,也许认为它未加密?
- 尝试连接时,ssh-agent 无法使用私钥签署任何内容,因为它仍然是加密的
ssh-agent 的自动密钥添加功能似乎搞砸了。当 ssh-agent 自动添加 pkcs#8 加密私钥时,它不会解密它。
解决方法
对于新钥匙:
- 使用 ssh-keygen 生成密钥对,不要把它们保存在
~/.ssh
! - 使用加密密钥
openssl pkcs8 -topk8 -in ~/id_rsa -out ~/id_rsa_enc -v2 des3
要修复现有密钥:
- 移动所有私有的和公钥出自
~/.ssh
- 检查
ssh-add -l
,如果需要,使用 -d 删除
无论哪种方式:
- 仅移动私钥:
mv ~/id_rsa_enc ~/.ssh/id_rsa
- 将其添加到 ssh-agent:
ssh-add
- 现在系统将提示您输入密码,请输入
- 使用以下命令检查私钥是否已成功添加
ssh-add -l
- 移动您的公钥:
mv ~/id_rsa.pub ~/.ssh/id_rsa.pub
- 检查公钥
ssh-add -L
额外的ssh-agent -k
或重新启动可能会有用。请告诉我这是否适合您。
答案2
在理论您如何加密密钥并不重要,因为代理存储未加密的密钥,这在两种情况下都应该相同。
用于ssh-add -L
在添加两个不同加密的密钥后检查正确的公钥。
两个输出是否相同并与服务器上存储的公钥匹配?