代理承认未能使用密钥签名

代理承认未能使用密钥签名

代理承认未能使用密钥签名

我正在 centos6.5(32bit) 上工作,我尝试使用 ssh-keygen 和 ssh-copy-id 无需密码即可 ssh 登录?我已经完成的步骤:

首先我创建了密钥:

[root@dd ~]# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): 
/root/.ssh/id_rsa already exists.
Overwrite (y/n)? y
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
8f:48:0b:04:3a:e1:90:f4:9f:de:2a:33:63:ea:a8:82 [email protected]
The key's randomart image is:
+--[ RSA 2048]----+
|+o.              |
|+o..             |
|o. ..            |
| . .. .          |
|    .o. S        |
|    .o.o o       |
|.    .o.. .      |
|E  *  .          |
|*oo =.           |
+-----------------+

然后我将密钥复制到远程主机:

[root@dd ~]# ssh-copy-id -i /root/.ssh/id_rsa.pub 192.168.1.3
[email protected]'s password: My_Password
Now try logging into the machine, with "ssh '[email protected]'", and check in:

.ssh/authorized_keys

to make sure we haven't added extra keys that you weren't expecting.

然后我尝试登录但失败(使用密钥):

[root@dd ~]# ssh 192.168.1.3
Agent admitted failure to sign using the key.
[email protected]'s password: 

并作为详细日志记录:

[root@dd ~]# ssh -v [email protected]
OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to 192.168.1.3 [192.168.1.3] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: identity file /root/.ssh/identity type -1
debug1: identity file /root/.ssh/identity-cert type -1
debug1: identity file /root/.ssh/id_rsa type 1
debug1: identity file /root/.ssh/id_rsa-cert type -1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: identity file /root/.ssh/id_dsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
debug1: match: OpenSSH_5.3 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.3
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host '192.168.1.3' is known and matches the RSA host key.
debug1: Found key in /root/.ssh/known_hosts:1
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure.  Minor code may provide more information 
Cannot determine realm for numeric host address

debug1: Unspecified GSS failure.  Minor code may provide more information
Cannot determine realm for numeric host address

debug1: Unspecified GSS failure.  Minor code may provide more information


debug1: Unspecified GSS failure.  Minor code may provide more information
Cannot determine realm for numeric host address

debug1: Next authentication method: publickey
debug1: Offering public key: /root/.ssh/id_rsa
debug1: Server accepts key: pkalg ssh-rsa blen 277
Agent admitted failure to sign using the key.
debug1: Trying private key: /root/.ssh/identity
debug1: Trying private key: /root/.ssh/id_dsa
debug1: Next authentication method: password
[email protected]'s password: 

答案1

您正遭受以下失败:

特工承认未能使用密钥进行签名。

不幸的是,这是一条非诊断消息。它(至少)可以解决两类问题:

 

密钥未加载

对于大多数问题,这意味着您ssh-agent没有加载目标服务器上您的帐户接受的任何 ssh 密钥。在这种情况下,正如所指出的@网络达人的回答对于这个问题,解决方案相当简单:添加密钥:

ssh-add

如果密钥位于非默认位置,您需要告诉它ssh-add

ssh-add /path/to/key

 

代理无法理解密钥

这是GNOME 错误 754028,在 Seahorse 3.29.90 中解决(稳定 3.30发布2018-09-03, 包括在乌班图18.10,软呢帽29,可能还有 Red Hat/CentOS 9)。 3.29.90 之前的 Seahorse(以及 GNOME 密钥环)既不能创建也不能添加新的密钥类型,例如ed25519和生成的密钥ssh-keygen -o -a 100(如建议的安全 安全外壳教程)。

此问题的诊断:

  • ssh myserver失败并显示“ssh 代理承认失败”
  • SSH_AUTH_SOCK= ssh myserver工作得很好
  • 结论:gnome-keyring无法处理复杂的按键

因为我刚刚找到了这个错误的可行解决方法,而且它似乎没有在任何地方发布(除了评论我刚刚添加了一个 Ubuntu bug),我会把它放在这里。

解决方法:ssh-agent使用与以下位置相同的套接字启动一个新的套接字gnome-keyring

ssh-agent -a $SSH_AUTH_SOCK

这将启动一个新实例ssh-agent(覆盖 GNOME 功能较弱的实例),因此它不会有任何密钥(不管怎么说seahorse,因为它与旧代理相关)。您必须按照ssh-add以下方式添加它们密钥未加载上面的部分。

您每次登录时都必须运行它(或手动将其添加到启动脚本中)。如果你想保留旧的套接字,请先运行mv $SSH_AUTH_SOCK $SSH_AUTH_SOCK.broken

答案2

我只需在本地计算机上运行此命令(生成密钥后)即可解决问题:

$ ssh-add

答案3

我补充道:

Host github.com
  HostName github.com
  User YOURUSERNAME
  IdentityFile ~/.ssh/id_rsa.pub

到我的 ~/.ssh/config 文件来规避这个问题并且看起来正在工作。

相关内容