SSH 客户端未在 ssh-agent 中尝试我的密钥

SSH 客户端未在 ssh-agent 中尝试我的密钥

我使用的是 OS X Yosemite 10.10.5,并且我的 SSH 客户端的行为方式我无法解释或解决。

我的目标只是通过以下方式连接到服务器:

ssh -A [email protected]

当我添加-v此内容时,我可以看到我的 SSH 客户端无法尝试除我的~/.ssh/id_rsa密钥之外的任何密钥。我已经确认 ssh-agent 正在运行,并用于ssh-add -l确认我想要的密钥已添加。

这是我在本地 bash 提示符中运行的内容:

# Run ssh-agent
bash-3.2$ eval $(ssh-agent)
Agent pid 7786

# Confirm it's running
bash-3.2$ sudo ps aux | grep ssh-agent
josh             7794   0.0  0.0  2432772    676 s000  S+    1:32PM   0:00.00 grep ssh-agent
josh             7786   0.0  0.0  2480640   2180   ??  Us    1:31PM   0:00.04 ssh-agent

# Login successfully by explicitly specifying a key
bash-3.2$ ssh -i sandbox [email protected]
Last login: Tue Aug 18 20:13:31 2015 from X.Y.189.46
CoreOS stable (723.3.0)
core@ip-10-200-4-138 ~ $ exit
logout
Connection to 12.34.56.78 closed.

# Now attempt to connect using ssh-agent
bash-3.2$ ssh-add sandbox
Identity added: sandbox (sandbox)
bash-3.2$ ssh -A [email protected]

# My just-added key isn't tried, so I'm prompted for a password
[email protected]'s password:

任何帮助将非常感激!

更新: 根据要求,这是详细输出:

bash-3.2$ ssh -v -A [email protected]
OpenSSH_6.2p2, OSSLShim 0.9.8r 8 Dec 2011
debug1: Reading configuration data /Users/josh/.ssh/config
debug1: /Users/josh/.ssh/config line 1: Applying options for *
debug1: Reading configuration data /etc/ssh_config
debug1: /etc/ssh_config line 20: Applying options for *
debug1: /etc/ssh_config line 102: Applying options for *
debug1: Connecting to 12.34.56.78 [12.34.56.78] port 22.
debug1: Connection established.
debug1: identity file /Users/josh/.ssh/id_rsa type 1
debug1: identity file /Users/josh/.ssh/id_rsa-cert type -1
debug1: identity file /Users/josh/.ssh/id_dsa type -1
debug1: identity file /Users/josh/.ssh/id_dsa-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.2
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.7
debug1: match: OpenSSH_6.7 pat OpenSSH*
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr [email protected] none
debug1: kex: client->server aes128-ctr [email protected] none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<2048<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Server host key: RSA a8:d9:fb:07:a6:71:de:99:76:9e:55:9c:bd:68:87:55
debug1: Host '12.34.56.78' is known and matches the RSA host key.
debug1: Found key in /Users/josh/.ssh/known_hosts:164
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /Users/josh/.ssh/id_rsa
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Trying private key: /Users/josh/.ssh/id_dsa
debug1: Next authentication method: keyboard-interactive
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: password

答案1

正如您所提到的,该ssh命令需要一个名为 的密钥id_rsa

当你这样做时:

$ ssh-add sandbox

您添加一个名为sandbox您的代理的密钥。

所以存在差异。

SSH 命令行上的解决方案是使用识别文件选项:

ssh -i ~/.ssh/other_keys/sandbox ...

笔记: 我对其他密钥使用子文件夹,因为有严格的限制,这是有道理的,但如果您访问许多服务器,每个服务器都有自己的密钥,那么它会咬住您;看https://askubuntu.com/questions/419546/ssh-never-ask-for-a-password了解更多详情。

为了避免一直使用该-i选项,您可以将该信息添加到您的~/.ssh/config文件中:

Host example.com
  Hostname example.com
  User YourUserName
  PasswordAuthentication no
  HostbasedAuthentication no
  IdentitiesOnly yes
  IdentityFile /home/<your-user-name>/.ssh/other_keys/sandbox

现在将自行ssh找到该选项。IdentifyFile搜索基于Host.您实际上可以在该行上使用任何名称,例如:

Host remote-sandbox
  ...

让您能够使用

$ ssh remote-sandbox

在您的命令行上,无需remote-sandbox在您的/etc/hosts.

您根本不必使用该ssh-add命令。第一次运行该ssh命令时,它会询问您的密码,如果您有可用的代理,它会自动将其保存在那里。如果命令要在您不在计算机上运行(或者,如果您使用 Docker 等系统,则预加载密钥,因为会杀死输入 shell),则使用ssh-add可能会很有用。sshdocker build ...

答案2

详细输出表明您的密钥被提供。只是不被接受。这里最常见的问题是权限。

在远程服务器上,运行:

ls -ld $HOME $HOME/.ssh $HOME/.ssh/authorized_keys

您将看到如下输出:

wwalker@serenity:~$ ls -ld $HOME $HOME/.ssh $HOME/.ssh/authorized_keys
drwx------. 66 wwalker wwalker 36864 2016-08-28 12:31:03.241 /home/wwalker
drwx------.  2 wwalker wwalker 32768 2016-08-28 11:57:52.282 /home/wwalker/.ssh
-rw-------.  1 wwalker wwalker  3182 2015-09-27 12:07:58.000 /home/wwalker/.ssh/authorized_keys

修复具有组或其他写入权限的任何事物。

答案3

sandbox密钥是版本 1 还是版本 2?如果它是旧密钥,则它可能仅适用于 ssh 协议的版本 1。您可以通过运行来解决这个问题。ssh -A -1 [email protected]

相关内容