我使用的是 OS X Yosemite 10.10.5,并且我的 SSH 客户端的行为方式我无法解释或解决。
我的目标只是通过以下方式连接到服务器:
ssh -A [email protected]
当我添加-v
此内容时,我可以看到我的 SSH 客户端无法尝试除我的~/.ssh/id_rsa
密钥之外的任何密钥。我已经确认 ssh-agent 正在运行,并用于ssh-add -l
确认我想要的密钥已添加。
这是我在本地 bash 提示符中运行的内容:
# Run ssh-agent
bash-3.2$ eval $(ssh-agent)
Agent pid 7786
# Confirm it's running
bash-3.2$ sudo ps aux | grep ssh-agent
josh 7794 0.0 0.0 2432772 676 s000 S+ 1:32PM 0:00.00 grep ssh-agent
josh 7786 0.0 0.0 2480640 2180 ?? Us 1:31PM 0:00.04 ssh-agent
# Login successfully by explicitly specifying a key
bash-3.2$ ssh -i sandbox [email protected]
Last login: Tue Aug 18 20:13:31 2015 from X.Y.189.46
CoreOS stable (723.3.0)
core@ip-10-200-4-138 ~ $ exit
logout
Connection to 12.34.56.78 closed.
# Now attempt to connect using ssh-agent
bash-3.2$ ssh-add sandbox
Identity added: sandbox (sandbox)
bash-3.2$ ssh -A [email protected]
# My just-added key isn't tried, so I'm prompted for a password
[email protected]'s password:
任何帮助将非常感激!
更新: 根据要求,这是详细输出:
bash-3.2$ ssh -v -A [email protected]
OpenSSH_6.2p2, OSSLShim 0.9.8r 8 Dec 2011
debug1: Reading configuration data /Users/josh/.ssh/config
debug1: /Users/josh/.ssh/config line 1: Applying options for *
debug1: Reading configuration data /etc/ssh_config
debug1: /etc/ssh_config line 20: Applying options for *
debug1: /etc/ssh_config line 102: Applying options for *
debug1: Connecting to 12.34.56.78 [12.34.56.78] port 22.
debug1: Connection established.
debug1: identity file /Users/josh/.ssh/id_rsa type 1
debug1: identity file /Users/josh/.ssh/id_rsa-cert type -1
debug1: identity file /Users/josh/.ssh/id_dsa type -1
debug1: identity file /Users/josh/.ssh/id_dsa-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.2
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.7
debug1: match: OpenSSH_6.7 pat OpenSSH*
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr [email protected] none
debug1: kex: client->server aes128-ctr [email protected] none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<2048<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Server host key: RSA a8:d9:fb:07:a6:71:de:99:76:9e:55:9c:bd:68:87:55
debug1: Host '12.34.56.78' is known and matches the RSA host key.
debug1: Found key in /Users/josh/.ssh/known_hosts:164
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /Users/josh/.ssh/id_rsa
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Trying private key: /Users/josh/.ssh/id_dsa
debug1: Next authentication method: keyboard-interactive
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: password
答案1
正如您所提到的,该ssh
命令需要一个名为 的密钥id_rsa
。
当你这样做时:
$ ssh-add sandbox
您添加一个名为sandbox
您的代理的密钥。
所以存在差异。
SSH 命令行上的解决方案是使用识别文件选项:
ssh -i ~/.ssh/other_keys/sandbox ...
笔记: 我对其他密钥使用子文件夹,因为有严格的限制,这是有道理的,但如果您访问许多服务器,每个服务器都有自己的密钥,那么它会咬住您;看https://askubuntu.com/questions/419546/ssh-never-ask-for-a-password了解更多详情。
为了避免一直使用该-i
选项,您可以将该信息添加到您的~/.ssh/config
文件中:
Host example.com
Hostname example.com
User YourUserName
PasswordAuthentication no
HostbasedAuthentication no
IdentitiesOnly yes
IdentityFile /home/<your-user-name>/.ssh/other_keys/sandbox
现在将自行ssh
找到该选项。IdentifyFile
搜索基于Host
.您实际上可以在该行上使用任何名称,例如:
Host remote-sandbox
...
让您能够使用
$ ssh remote-sandbox
在您的命令行上,无需remote-sandbox
在您的/etc/hosts
.
您根本不必使用该ssh-add
命令。第一次运行该ssh
命令时,它会询问您的密码,如果您有可用的代理,它会自动将其保存在那里。如果命令要在您不在计算机上运行(或者,如果您使用 Docker 等系统,则预加载密钥,因为会杀死输入 shell),则使用ssh-add
可能会很有用。ssh
docker build ...
答案2
详细输出表明您的密钥是被提供。只是不被接受。这里最常见的问题是权限。
在远程服务器上,运行:
ls -ld $HOME $HOME/.ssh $HOME/.ssh/authorized_keys
您将看到如下输出:
wwalker@serenity:~$ ls -ld $HOME $HOME/.ssh $HOME/.ssh/authorized_keys
drwx------. 66 wwalker wwalker 36864 2016-08-28 12:31:03.241 /home/wwalker
drwx------. 2 wwalker wwalker 32768 2016-08-28 11:57:52.282 /home/wwalker/.ssh
-rw-------. 1 wwalker wwalker 3182 2015-09-27 12:07:58.000 /home/wwalker/.ssh/authorized_keys
修复具有组或其他写入权限的任何事物。
答案3
sandbox
密钥是版本 1 还是版本 2?如果它是旧密钥,则它可能仅适用于 ssh 协议的版本 1。您可以通过运行来解决这个问题。ssh -A -1 [email protected]