在本地机器上

tag-icon tag-icon networking ssh security
在本地机器上

SSH 密钥已损坏,我已阅读许多帖子试图修复此问题。有什么建议吗?

我使用 [REMOTE_IP_ADDRESS]、[LOCAL_IP_ADDRESS] 和 XXXXXXXXXXXXXX 屏蔽了可能的敏感信息,例如 IP 地址和 SSH 密钥。

在本地机器上

SELinux 已关闭

getenforce Disabled
sestatus 
SELinux status:                 disabled

标准密钥传输

cat .ssh/id_rsa.pub | ssh jnowacki@[REMOTE_IP_ADDRESS] 'cat >> .ssh/authorized_keys' 
ssh jnowacki@[REMOTE_IP_ADDRESS] "chmod 700 .ssh; > chmod 640 .ssh/authorized_keys" 
ssh jnowacki@[REMOTE_IP_ADDRESS] "chmod > 700 .ssh; chmod 640 .ssh/authorized_keys" 
ssh jnowacki@[REMOTE_IP_ADDRESS]

失败。它仍然要求输入密码。尝试了多次。

我这样做了,但没有帮助:

ssh-agent bash 
ssh-add ~/.ssh/id_rsa

替代密钥传输

ssh-copy-id -i jnowacki@[REMOTE_IP_ADDRESS] 
ssh jnowacki@[REMOTE_IP_ADDRESS] ssh '[email protected]'

失败:要求输入密码

本地服务器 SSH 密钥权限

ls -ltrh ~/.ssh/  | awk '{print $1 "\t" $9}' 
-rw-r--r--      id_rsa.pub
-rw-------      id_rsa
-rw-------      known_hosts.old
-rw-------      known_hosts
-rw-r-----      authorized_keys

远程机器

我运行了这个 ssh-agent bash ssh-add ~/.ssh/id_rsa

本地服务器 SSH 密钥权限

ls -ltrh ~/.ssh/  | awk '{print $1 "\t" $9}'
-rw-r--r--      id_rsa.pub
-rw-------      id_rsa
-rw-------      known_hosts.old
-rw-------      known_hosts
-rw-r-----      authorized_keys

每次检查以确保文件中只有 1 个密钥。

cat authorized_keys  | grep ssh-rsa | wc -l 
1

cat id_rsa.pub  | grep ssh-rsa | wc -l 
1

在远程服务器上调试

root@Ubuntu-Z800F:/etc/ssh# /usr/sbin/sshd -d -p 2222
debug1: sshd version OpenSSH_7.2, OpenSSL 1.0.2g  1 Mar 2016
debug1: private host key #0: ssh-rsa SHA256:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
debug1: private host key #1: ssh-dss SHA256:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
debug1: private host key #2: ecdsa-sha2-nistp256 SHA256:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
debug1: private host key #3: ssh-ed25519 SHA256:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
debug1: rexec_argv[0]='/usr/sbin/sshd'
debug1: rexec_argv[1]='-d'
debug1: rexec_argv[2]='-p'
debug1: rexec_argv[3]='2222'
debug1: Set /proc/self/oom_score_adj from 0 to -1000
debug1: Bind to port 2222 on 0.0.0.0.Server listening on 0.0.0.0 port 2222.
debug1: Bind to port 2222 on ::.Server listening on :: port 2222.
debug1: Server will not fork when running in debugging mode.
debug1: rexec start in 5 out 5 newsock 5 pipe -1 sock 8
debug1: inetd sockets after dupping: 3, 3Connection from [LOCAL_IP_ADDRESS] port 41850 on [REMOTE_IP_ADDRESS] port 2222
debug1: Client protocol version 2.0; client software version OpenSSH_5.3
debug1: match: OpenSSH_5.3 pat OpenSSH_5* compat 0x0c000000
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.4
debug1: permanently_set_uid: 105/65534 [preauth]
debug1: list_hostkey_types: ssh-rsa,rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
debug1: SSH2_MSG_KEXINIT sent [preauth]
debug1: SSH2_MSG_KEXINIT received [preauth]
debug1: kex: algorithm: diffie-hellman-group-exchange-sha256 [preauth]
debug1: kex: host key algorithm: ssh-rsa [preauth]
debug1: kex: client->server cipher: aes128-ctr MAC: hmac-sha1 compression: none [preauth]
debug1: kex: server->client cipher: aes128-ctr MAC: hmac-sha1 compression: none [preauth]
debug1: expecting SSH2_MSG_KEX_DH_GEX_REQUEST [preauth]
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received [preauth]
debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent [preauth]
debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT [preauth]
debug1: rekey after 4294967296 blocks [preauth]
debug1: SSH2_MSG_NEWKEYS sent [preauth]
debug1: expecting SSH2_MSG_NEWKEYS [preauth]
debug1: rekey after 4294967296 blocks [preauth]
debug1: SSH2_MSG_NEWKEYS received [preauth]
debug1: KEX done [preauth]
debug1: userauth-request for user jnowacki service ssh-connection method none [preauth]
debug1: attempt 0 failures 0 [preauth]
debug1: PAM: initializing for "jnowacki"
debug1: PAM: setting PAM_RHOST to "[LOCAL_IP_ADDRESS]"
debug1: PAM: setting PAM_TTY to "ssh"

然后它会要求在本地服务器上输入密码。这是我看到的最后一行。提供屏幕截图作为证明。

最后一行

本地服务器上的 SSH -VV

ssh -vv -p 2222 jnowacki@[REMOTE_SERVER]
OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to [LOCAL_SERVER} [[LOCAL_SERVER}] port 2222.
debug1: Connection established.
debug1: identity file /home/bckadm/nowackj1/.ssh/id_dsa type -1
debug1: identity file /home/bckadm/nowackj1/.ssh/id_dsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.2p2 Ubuntu-4ubuntu2.4
debug1: match: OpenSSH_7.2p2 Ubuntu-4ubuntu2.4 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.3
debug2: fd 3 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: [email protected],[email protected],[email protected],[email protected],ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected]
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected]
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,[email protected],hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,[email protected],hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,[email protected],zlib
debug2: kex_parse_kexinit: none,[email protected],zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: [email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1
debug2: kex_parse_kexinit: ssh-rsa,rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519
debug2: kex_parse_kexinit: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]
debug2: kex_parse_kexinit: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]
debug2: kex_parse_kexinit: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: kex_parse_kexinit: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: kex_parse_kexinit: none,[email protected]
debug2: kex_parse_kexinit: none,[email protected]
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: found hmac-sha1
debug1: kex: server->client aes128-ctr hmac-sha1 none
debug2: mac_setup: found hmac-sha1
debug1: kex: client->server aes128-ctr hmac-sha1 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<2048<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 159/320
debug2: bits set: 1030/2048
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: checking without port identifier
debug1: Host '[LOCAL_SERVER}' is known and matches the RSA host key.
debug1: Found key in /home/bckadm/nowackj1/.ssh/known_hosts:2
debug1: found matching key w/out port
debug2: bits set: 1008/2048
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /home/bckadm/nowackj1/.ssh/id_dsa ((nil))
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Trying private key: /home/bckadm/nowackj1/.ssh/id_dsa
debug2: we did not send a packet, disable method
debug1: Next authentication method: password
jnowacki@[LOCAL_SERVER}'s password:

答案1

线路

debug1:身份文件/home/bckadm/nowackj1/.ssh/id_d

表示你的 ssh 客户端只查找并使用dsa 键,其中所有其他命令都引用rsa 键。

自 OpenSSH 7.0 起,dss (dsa) 算法默认处于禁用状态1 (我认为后续的调试行暗示了这一点):

debug1:尝试私钥:/home/bckadm/nowackj1/.ssh/id_dsa
debug2:我们没有发送数据包,禁用方法

所以恕我直言,这解释了为什么您无法登录,但至于为什么会发生这种情况......我无法告诉您。

答案2

我必须输入这个命令:

vim /etc/ssh/ssh_config

然后通过取消注释来激活 id_rsa。非常感谢你们!你们太棒了!

破碎的:

 # IdentityFile ~/.ssh/identity
 # IdentityFile ~/.ssh/id_rsa 
 IdentityFile ~/.ssh/id_dsa

在职的:

#   StrictHostKeyChecking ask
#   IdentityFile ~/.ssh/identity
IdentityFile ~/.ssh/id_rsa
IdentityFile ~/.ssh/id_dsa

日志文件中的关键错误:

debug1: Trying private key: /home/bckadm/nowackj1/.ssh/id_dsa debug2: we did not send a packet, disable method

相关内容