ECDSA host fingerprint changes if the host is known

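I am using a web hosting service that provides FTP and SSH access, but for SSH they only allow authentication via SSH keys. I generated my own SSH keys using ssh-keygen, imported them into my Ubuntu system using ssh-add, and uploaded the key to my hosting service's web control panel. My ~/.ssh/config file contains the following: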

Host myhostname
Hostname ssh.myhostname.com
User myhostname
PubKeyAuthentication yes
IdentityFile /home/aaronfranke/.ssh/id_rsa

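The hostname and username are the same, but I have replaced the name with "myhostname" in all config/terminal snippets. The first time I connect in the terminal, I get permission denied (publickey):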

$ ssh myhostname
The authenticity of host 'ssh.myhostname.com (23.217.138.110)' can't be established.
ECDSA key fingerprint is SHA256:6MJJtqKhTdHXF2yzH/0UqGN2o4RZ2PDEp2ttdA/IJR8.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'ssh.myhostname.com' (ECDSA) to the list of known hosts.
[email protected]: Permission denied (publickey).

After that, if I try to reconnect, I get an error message saying that the ECDSA host key has changed:

$ ssh myhostname
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@       WARNING: POSSIBLE DNS SPOOFING DETECTED!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
The ECDSA host key for ssh.myhostname.com has changed,
and the key for the corresponding IP address 23.202.231.169
is unchanged. This could either mean that
DNS SPOOFING is happening or the IP address for the host
and its host key have changed at the same time.
Offending key for IP in /home/aaronfranke/.ssh/known_hosts:1
  remove with:
  ssh-keygen -f "/home/aaronfranke/.ssh/known_hosts" -R "23.202.231.169"
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ECDSA key sent by the remote host is
SHA256:HnzBy7BAfkMCT4uIcdLrpoWiOrnhHhN8k7XMbbB2Epk.
Please contact your system administrator.
Add correct host key in /home/aaronfranke/.ssh/known_hosts to get rid of this message.
Offending ECDSA key in /home/aaronfranke/.ssh/known_hosts:3
  remove with:
  ssh-keygen -f "/home/aaronfranke/.ssh/known_hosts" -R "ssh.myhostname.com"
ECDSA host key for ssh.myhostname.com has changed and you have requested strict checking.
Host key verification failed.

I can do as suggested and remove the key from the list of known hosts...

$ ssh-keygen -f "/home/aaronfranke/.ssh/known_hosts" -R "ssh.myhostname.com"
# Host ssh.myhostname.com found: line 3
/home/aaronfranke/.ssh/known_hosts updated.
Original contents retained as /home/aaronfranke/.ssh/known_hosts.old

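...but if I reconnect, I get the same message as the first time I connected, and then the same message about the host key changing again. Exactly the same thing also happens if I run rm ~/.ssh/known_hosts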

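The strange thing is that the messages are exactly the same. Every time, if the host is not in my known_hosts file, the server fingerprint is SHA256:6MJJtqKhTdHXF2yzH/0UqGN2o4RZ2PDEp2ttdA/IJR8, and every time the host is known, the server fingerprint is SHA256:HnzBy7BAfkMCT4uIcdLrpoWiOrnhHhN8k7XMbbB2Epk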

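Why does the fingerprint change depending on whether the host is known? How can I stop the fingerprint from changing? Is something wrong with my client or the server?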

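Is there a way I can manually insert the host fingerprint offered on the second connection attempt into my known_hosts file? Is there a way I can authorize both fingerprints?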
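An added example, not part of the original question: known_hosts stores public keys rather than fingerprints, and the warnings above show ssh checking the key recorded for the host name and the key recorded for the IP address separately. The Python sketch below computes the SHA256 fingerprint of every entry and lists names or IPs with more than one key on file; the key blobs and the helper names (fingerprint, parse_known_hosts, keys_by_name, conflicts, fake_blob) are constructed for illustration, and the one-name, two-IP, two-key layout is an assumption modelled on the output above.

```python
import base64
import hashlib
from collections import defaultdict

def fingerprint(b64_blob):
    """SHA256 fingerprint as ssh prints it: unpadded base64 of SHA-256 over the key blob."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_known_hosts(text):
    """Yield (names, keytype, fingerprint) for every key line in known_hosts text."""
    for line in text.splitlines():
        fields = line.split()
        if fields and fields[0].startswith("@"):  # @cert-authority / @revoked marker
            fields = fields[1:]
        if len(fields) < 3 or fields[0].startswith("#"):
            continue  # blank line, comment, or malformed entry
        names, keytype, blob = fields[:3]
        # With HashKnownHosts the name is an opaque "|1|salt|hash" token, kept as-is here.
        yield names.split(","), keytype, fingerprint(blob)

def keys_by_name(text):
    """Map each host name or IP to the set of fingerprints recorded for it."""
    seen = defaultdict(set)
    for names, _keytype, fp in parse_known_hosts(text):
        for name in names:
            seen[name].add(fp)
    return dict(seen)

def conflicts(text):
    """Names or IPs that have more than one distinct key on file."""
    return {n: fps for n, fps in keys_by_name(text).items() if len(fps) > 1}

def fake_blob(seed):
    """Constructed stand-in for a key blob; the bytes are not a real host key."""
    return base64.b64encode(hashlib.sha512(seed).digest()).decode()

KEY_A, KEY_B = fake_blob(b"server-a"), fake_blob(b"server-b")
# Constructed sample modelled on the question: one name, two IPs, two different keys.
SAMPLE = f"""# constructed sample, not real keys
23.202.231.169 ecdsa-sha2-nistp256 {KEY_B}
ssh.myhostname.com,23.217.138.110 ecdsa-sha2-nistp256 {KEY_A}
ssh.myhostname.com ecdsa-sha2-nistp256 {KEY_B}
"""

if __name__ == "__main__":
    for name, fps in sorted(keys_by_name(SAMPLE).items()):
        print(name, *sorted(fps))
    print("more than one key on file:", sorted(conflicts(SAMPLE)))
```

On a real system, ssh-keygen -lf ~/.ssh/known_hosts prints the same fingerprints for the stored entries. A key belongs in that file only after its fingerprint has been confirmed with the hosting provider through a separate channel.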
