I have two machines on Google Compute Engine and I want to ssh from one to the other. So on the first machine (namenode) I created a passwordless ssh key for the user hadoop and ran cat id_rsa.pub >> authorized_keys. On the second machine (datanode1) there is also a user named hadoop. The hadoop user on the second machine has an empty ~/.ssh directory.
When I try to ssh from the first machine to the second, I get:
hadoop@namenode:~/.ssh$ ssh -v hadoop@datanode1
OpenSSH_6.0p1 Debian-4, OpenSSL 1.0.1e 11 Feb 2013
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to datanode1 [10.240.223.55] port 22.
debug1: Connection established.
debug1: identity file /home/hadoop/.ssh/id_rsa type 1
debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-2048
debug1: Checking blacklist file /etc/ssh/blacklist.RSA-2048
debug1: identity file /home/hadoop/.ssh/id_rsa-cert type -1
debug1: identity file /home/hadoop/.ssh/id_dsa type -1
debug1: identity file /home/hadoop/.ssh/id_dsa-cert type -1
debug1: identity file /home/hadoop/.ssh/id_ecdsa type -1
debug1: identity file /home/hadoop/.ssh/id_ecdsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.0p1 Debian-4
debug1: match: OpenSSH_6.0p1 Debian-4 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.0p1 Debian-4
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ECDSA 10:54:3e:ec:07:58:48:85:28:40:90:43:e1:8f:3d:f0
debug1: Host 'datanode1' is known and matches the ECDSA host key.
debug1: Found key in /home/hadoop/.ssh/known_hosts:1
debug1: ssh_ecdsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/hadoop/.ssh/id_rsa
debug1: Authentications that can continue: publickey
debug1: Trying private key: /home/hadoop/.ssh/id_dsa
debug1: Trying private key: /home/hadoop/.ssh/id_ecdsa
debug1: No more authentication methods to try.
Permission denied (publickey).
I don't understand what is happening here.
Update: I did copy id_rsa.pub into the authorized_keys file on the destination server. But now I get the following error:
hadoop@namenode:~/.ssh$ ssh datanode1
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: POSSIBLE DNS SPOOFING DETECTED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
The ECDSA host key for datanode1 has changed,
and the key for the corresponding IP address 10.240.226.88
is unknown. This could either mean that
DNS SPOOFING is happening or the IP address for the host
and its host key have changed at the same time.
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ECDSA key sent by the remote host is
9f:8d:07:09:a9:67:63:b4:b9:2b:f5:39:ed:ef:55:d6.
Please contact your system administrator.
Add correct host key in /home/hadoop/.ssh/known_hosts to get rid of this message.
Offending ECDSA key in /home/hadoop/.ssh/known_hosts:1
ECDSA host key for datanode1 has changed and you have requested strict checking.
Host key verification failed.
Adding "StrictHostKeyChecking=no" to /etc/ssh/ssh_config fixes this.
Answer 1
Your SSH public key needs to be copied to the destination server, not the source.
- Create the SSH key on the server you will be connecting from; the file just created is ~/.ssh/id_rsa.pub.
- Copy this key into the ~/.ssh/authorized_keys file on the server you will be connecting to.
- Check that the permissions on ~/.ssh/authorized_keys are set to 0600.
- You can also use the ssh-copy-id helper application, depending on your operating system (I have no direct experience with Google Compute, so this may not apply to you).
A good way (at least for me) to remember how SSH key authentication works is this:
- The machine you are connecting from reads the private key (e.g. ~/.ssh/id_rsa) and generates the public key that is forwarded to the receiving machine.
- The key file generated when the key was created (e.g. ~/.ssh/id_rsa.pub) is just for reference if you have the private key.
- Therefore your private key should never be shared.
- The ~/.ssh/authorized_keys file is a kind of "whitelist". It lists all the public key signatures that are allowed to connect to that user account.
Answer 2
I would suggest updating the host fingerprint in /home/hadoop/.ssh/known_hosts (or deleting that line and re-confirming the host when you log in again) rather than disabling StrictHostKeyChecking.
(Assuming your server does not change IP and DNS stays the same.)
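Both answers come down to files under ~/.ssh, so here is an added example (my own, not code from either answer) with shell helpers for the checks they describe: the authorized_keys permissions from answer 1, and, as answer 2 recommends, removing only the stale known_hosts entry for one host and re-trusting it after comparing the new fingerprint with one obtained out of band. Host names, fingerprints and file contents are constructed; it assumes GNU stat and OpenSSH's ssh-keyscan and ssh-keygen.

```shell
# Added example, not code from the original thread. Helpers for the two
# problems above: the permissions sshd expects on the destination account,
# and dropping the stale known_hosts entry for ONE host instead of turning
# StrictHostKeyChecking off for every host.
# Assumes GNU stat (Linux) and unhashed host names in known_hosts.

# check_ssh_perms DIR -> 0 if DIR is mode 700 and DIR/authorized_keys is
# mode 600, else 1. With StrictModes (the default) sshd ignores a key file
# others can write, and the client just sees "Permission denied (publickey)".
check_ssh_perms() {
    dmode=$(stat -c '%a' "$1") || return 1
    fmode=$(stat -c '%a' "$1/authorized_keys") || return 1
    [ "$dmode" = "700" ] && [ "$fmode" = "600" ]
}

# has_host_key FILE HOST -> 0 if some entry's host list names HOST.
has_host_key() {
    awk -v h="$2" '
        /^#/ || NF < 3 { next }
        { n = split($1, names, ",")
          for (i = 1; i <= n; i++) if (names[i] == h) { found = 1; exit } }
        END { exit !found }' "$1"
}

# forget_host_key FILE HOST -> rewrite FILE without the entries naming HOST
# (the "Offending ECDSA key" line). Hashed entries need ssh-keygen -R.
forget_host_key() {
    tmp=$1.tmp.$$
    awk -v h="$2" '
        /^#/ || NF < 3 { print; next }
        { n = split($1, names, ","); keep = 1
          for (i = 1; i <= n; i++) if (names[i] == h) keep = 0
          if (keep) print }' "$1" > "$tmp" && mv "$tmp" "$1"
}

# retrust_host HOST EXPECTED_FP FILE -> fetch the host's current ECDSA key and
# add it only if its fingerprint (in the format your ssh-keygen -l prints)
# equals EXPECTED_FP, obtained out of band (e.g. the instance console log).
# Needs the network, so the offline test does not exercise it.
retrust_host() {
    scan=$(mktemp) || return 1
    ssh-keyscan -t ecdsa "$1" > "$scan" 2>/dev/null || { rm -f "$scan"; return 1; }
    fp=$(ssh-keygen -lf "$scan" | awk '{ print $2 }')
    if [ "$fp" = "$2" ]; then
        forget_host_key "$3" "$1" && cat "$scan" >> "$3"
    else
        echo "fingerprint mismatch for $1: got $fp" >&2; false
    fi
    rc=$?; rm -f "$scan"; return $rc
}
```

Run check_ssh_perms ~/.ssh as the hadoop user on datanode1, and forget_host_key ~/.ssh/known_hosts datanode1 on namenode before the next login prompts you to confirm the fingerprint.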