SSH key-based authentication works intermittently

We have a dev server running jenkins with various jobs that run shell scripts which connect to our live server over SSH (using key-based authentication).

This seems to be unreliable.

If I test the SSH connection myself by logging in to the dev server as the "jenkins" user and then SSHing to the live server, authentication works and I can log in without entering a password.

If I run one of the Jenkins jobs manually, it works most of the time (although one job failed this morning, which prompted me to write this ticket), but if I schedule the job to run overnight it fails most of the time (I think it has succeeded once).

The point of failure is always the SSH connection:

> ssh -T nepton@xxx
> Permission denied, please try again.
> Permission denied, please try again.
> Permission denied (publickey,password).

Any help would be greatly appreciated, as I'm completely stuck and Linux is definitely not my area of expertise.

Additional information:

  • I generated the key pair on Dev (logged in as the "jenkins" user) with: ssh-keygen -t rsa
  • I copied the key to the live server with: ssh-copy-id -i ~/.ssh/id_rsa.pub nepton@xxx

Permissions of /var/lib/jenkins/.ssh/ on Dev:

drwx------  2 jenkins jenkins 4096 Apr  4 13:31 .
drwxr-xr-x 13 jenkins jenkins 4096 Apr  4 13:38 ..
-rw-------  1 jenkins jenkins 1679 Apr  4 13:31 id_rsa
-rw-r--r--  1 jenkins jenkins  400 Apr  4 13:31 id_rsa.pub
-rw-r--r--  1 jenkins jenkins 1338 Apr  4 13:33 known_hosts

Permissions of /home/nepton/.ssh/ on Live:

drwx------ 2 nepton nepton 4096 Mar 20 17:37 .
drwx------ 4 nepton nepton 4096 Apr  2 10:52 ..
-rw------- 1 nepton nepton 2005 Apr  8 10:23 authorized_keys
-rw-r--r-- 1 nepton nepton 1106 Apr  1 10:39 known_hosts

  • I am running the latest LTS release of Ubuntu and the standard SSH packages on both servers.

Debug information

ssh -v -T -i /var/lib/jenkins/.ssh/id_rsa nepton@xxx
OpenSSH_5.9p1 Debian-5ubuntu1, OpenSSL 1.0.1 14 Mar 2012
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to xxx [xx.xxx.xx.xxx] port 22.
debug1: Connection established.
debug1: identity file /var/lib/jenkins/.ssh/id_rsa type 1
debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-2048
debug1: Checking blacklist file /etc/ssh/blacklist.RSA-2048
debug1: identity file /var/lib/jenkins/.ssh/id_rsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.9p1 Debian-5ubuntu1
debug1: match: OpenSSH_5.9p1 Debian-5ubuntu1 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.9p1 Debian-5ubuntu1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ECDSA xxx
debug1: Host 'xxx' is known and matches the ECDSA host key.
debug1: Found key in /var/lib/jenkins/.ssh/known_hosts:7
debug1: ssh_ecdsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /var/lib/jenkins/.ssh/id_rsa
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: password
debug1: read_passphrase: can't open /dev/tty: No such device or address
debug1: Authentications that can continue: publickey,password
Permission denied, please try again.
debug1: read_passphrase: can't open /dev/tty: No such device or address
debug1: Authentications that can continue: publickey,password
Permission denied, please try again.
debug1: read_passphrase: can't open /dev/tty: No such device or address
debug1: Authentications that can continue: publickey,password
debug1: No more authentication methods to try.
Permission denied (publickey,password).
Build step 'Execute shell' marked build as failure

Answer 1

As you said in the comments, it isn't using the key you want. You can point it at the right key like this:

ssh -T -i /path/to/real/id_rsa nepton@xxx
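Beyond passing -i, a job that relies on key authentication should verify its own preconditions and fail fast when they do not hold. The script below is an added example (not code from the original post or either answer) showing three checks a Jenkins job can run: that the public key it will offer has a matching entry in the target user's authorized_keys (sshd compares the base64 key blob, not the comment), that the .ssh directory and key files have permissions sshd's StrictModes accepts, and that ssh is invoked with BatchMode=yes so it fails immediately rather than trying to read a password from /dev/tty (the "can't open /dev/tty" lines in the debug output above). All paths, and the key material in the self-test helper, are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original post or its answers.
# Checks a Jenkins job can run before calling ssh; all paths and the key
# material built by make_sample_sshdir are constructed placeholders.

# key_blob FILE -> prints the base64 key blob of the first key line in FILE.
# Accepts an optional leading options field ("from=...,no-pty ssh-rsa AAAA...").
# Limitation: options containing quoted spaces are not parsed.
key_blob() {
    awk '
        $1 ~ /^#/ || NF < 2 { next }
        { print ($1 ~ /^(ssh-|ecdsa-|sk-)/) ? $2 : $3; exit }
    ' "$1"
}

# key_in_authorized_keys PUBKEY_FILE AUTHORIZED_KEYS_FILE
# Returns 0 if the public key's blob appears on any key line of authorized_keys,
# 1 if not, 2 if no key could be read from PUBKEY_FILE.
key_in_authorized_keys() {
    want=$(key_blob "$1")
    [ -n "$want" ] || return 2
    awk -v want="$want" '
        $1 ~ /^#/ || NF < 2 { next }
        { blob = ($1 ~ /^(ssh-|ecdsa-|sk-)/) ? $2 : $3 }
        blob == want { found = 1; exit }
        END { exit found ? 0 : 1 }
    ' "$2"
}

# octal_mode PATH -> prints the permission bits, e.g. 700 (GNU stat, BSD fallback).
octal_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# ssh_dir_perms_ok DIR
# Returns 0 when DIR is mode 700 and every private key (id_*, not *.pub) and
# authorized_keys present in it is mode 600 or 400. sshd's StrictModes
# (default yes) silently ignores authorized_keys when the home directory,
# .ssh or the file itself is writable by others; this check is stricter than that.
ssh_dir_perms_ok() {
    dir="$1"
    [ "$(octal_mode "$dir")" = "700" ] || return 1
    for f in "$dir"/id_* "$dir"/authorized_keys; do
        [ -e "$f" ] || continue
        case "$f" in *.pub) continue ;; esac
        m=$(octal_mode "$f")
        [ "$m" = "600" ] || [ "$m" = "400" ] || return 1
    done
    return 0
}

# jenkins_ssh KEY USER@HOST [COMMAND...]
# Non-interactive invocation: BatchMode=yes makes ssh fail at once instead of
# prompting for a password it can never read under Jenkins, and
# IdentitiesOnly=yes stops it offering agent or default keys other than KEY.
jenkins_ssh() {
    key="$1"; target="$2"; shift 2
    ssh -o BatchMode=yes -o IdentitiesOnly=yes -i "$key" "$target" "$@"
}

# make_sample_sshdir -> prints a throwaway directory containing a CONSTRUCTED
# key pair (not real key material) and an authorized_keys that lists it with
# an options prefix, so the checks above can be exercised offline.
make_sample_sshdir() {
    d=$(mktemp -d)
    mkdir -m 700 "$d/.ssh"
    blob="AAAAB3NzaC1yc2EAAAADAQABAAABAQCconstructedSampleBlobNotARealKey=="
    printf 'ssh-rsa %s jenkins@dev\n' "$blob" > "$d/.ssh/id_rsa.pub"
    printf 'placeholder private key, not real\n' > "$d/.ssh/id_rsa"
    chmod 600 "$d/.ssh/id_rsa"
    printf '# live server keys\nssh-ed25519 AAAAC3NzotherConstructedBlob someone@else\nfrom="10.0.0.5",no-pty ssh-rsa %s jenkins@dev\n' "$blob" > "$d/.ssh/authorized_keys"
    chmod 600 "$d/.ssh/authorized_keys"
    echo "$d"
}

# Usage in a job step (assumed paths):
#   key_in_authorized_keys /var/lib/jenkins/.ssh/id_rsa.pub /tmp/copy_of_live_authorized_keys || exit 1
#   ssh_dir_perms_ok /var/lib/jenkins/.ssh || exit 1
#   jenkins_ssh /var/lib/jenkins/.ssh/id_rsa nepton@xxx ./deploy.sh
```

The authorized_keys check needs a copy of the live server's file on the dev side, or can be run on the live server against the .pub file fetched from Dev; either way it tells you immediately whether the key the job offers is one the server could accept, which the debug output alone ("Offering RSA public key ... Authentications that can continue") does not.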

Answer 2

I ran into the same problem and found a solution that may be related. If the system you are SSHing to is behind a load balancer (or something similar), your SSH may sometimes succeed, but if the machines being load-balanced do not share a home directory (or at least do not share your .ssh information, such as your public key), it will sometimes fail.

From your point of view it looks like you are logging in to a single host, but it is in fact intermittently a different physical host, which would explain the odd behaviour.
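One way to test this hypothesis from the client side, as an added example that is not part of the answer above: keep the `ssh -v` output of several runs (the failing Jenkins builds already contain it) and compare the "Server host key:" line each connection reports. If the backends behind the balancer have distinct host keys, that line changes between runs; if they share one host key, this cannot tell them apart and you would compare the output of a remote `hostname` instead. The log lines in the helper below are constructed, with placeholder fingerprints.

```shell
#!/bin/sh
# Added example, not part of the original answer. Parses saved `ssh -v`
# output; the sample log built by make_sample_log is constructed, not real.

# distinct_host_keys FILE... -> prints each distinct host key string seen,
# prefixed by the number of connections that presented it, most common first.
distinct_host_keys() {
    grep -h '^debug1: Server host key: ' "$@" \
        | sed 's/^debug1: Server host key: //' \
        | sort | uniq -c | sort -rn
}

# host_key_count FILE... -> prints the number of distinct host keys seen.
# A value above 1 means the connections were answered by more than one host
# (or by a host whose key changed), which supports the load-balancer theory.
host_key_count() {
    grep -h '^debug1: Server host key: ' "$@" \
        | sed 's/^debug1: Server host key: //' \
        | sort -u | wc -l | tr -d ' '
}

# make_sample_log -> prints the path of a constructed log of three runs, two
# of which reached a backend with a different ECDSA key. Placeholder fingerprints.
make_sample_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
debug1: Connecting to live.example [10.0.0.10] port 22.
debug1: Server host key: ECDSA 11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00
debug1: Host 'live.example' is known and matches the ECDSA host key.
debug1: Connecting to live.example [10.0.0.10] port 22.
debug1: Server host key: ECDSA ab:cd:ef:01:23:45:67:89:ab:cd:ef:01:23:45:67:89
debug1: Authentications that can continue: publickey,password
Permission denied (publickey,password).
debug1: Connecting to live.example [10.0.0.10] port 22.
debug1: Server host key: ECDSA 11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00
EOF
    echo "$f"
}

# Usage against real captures (assumed paths):
#   distinct_host_keys /var/lib/jenkins/jobs/deploy/builds/*/log
```

Note that with StrictHostKeyChecking enabled a changed host key would be refused outright rather than produce the clean "Permission denied" seen in the question, so a count above 1 here would also mean the job's known_hosts accepts more than one key for that name.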
