KOPS Kubernetes: cannot log in to the bastion host, ssh public key permission error

I am learning Kubernetes and want to set up such a cluster in AWS with the KOPS tool. I followed the official tutorial and then also this one: https://medium.com/andcloudio/kubernetes-kops-cluster-on-aws-f55d197d8304

I also made sure to add the ssh key before trying to connect to the bastion, as described here: https://kops.sigs.k8s.io/bastion/#using-the-bastion

Everything went fine: the nodes, workers, load balancers etc. were created, and the bastion host was created as well.

The only problem is that I cannot ssh into the bastion host with the key. I ran ssh with -vvv to see the verbose output; the log is below. I don't understand what the problem is.

ssh -A admin@${bastion_elb_url} -vvv

Warning: Permanently added 'bastion-single-k8s-local-noarfe-151938406.eu-central-1.elb.amazonaws.com,3.121.65.83' (ECDSA) to the list of known hosts.
debug3: send packet: type 21
debug2: set_newkeys: mode 1
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug3: receive packet: type 21
debug1: SSH2_MSG_NEWKEYS received
debug2: set_newkeys: mode 0
debug1: rekey after 134217728 blocks
debug2: key: /root/.ssh/id_rsa (0x55d6af4ea570), agent
debug2: key: /root/.ssh/id_dsa ((nil))
debug2: key: /root/.ssh/id_ecdsa ((nil))
debug2: key: /root/.ssh/id_ed25519 ((nil))
debug3: send packet: type 5
debug3: receive packet: type 7
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,[email protected],ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,[email protected]>
debug3: receive packet: type 6
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug3: send packet: type 50
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey
debug3: start over, passed a different list publickey
debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /root/.ssh/id_rsa
debug3: send_pubkey_test
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey
debug1: Trying private key: /root/.ssh/id_dsa
debug3: no such identity: /root/.ssh/id_dsa: No such file or directory
debug1: Trying private key: /root/.ssh/id_ecdsa
debug3: no such identity: /root/.ssh/id_ecdsa: No such file or directory
debug1: Trying private key: /root/.ssh/id_ed25519
debug3: no such identity: /root/.ssh/id_ed25519: No such file or directory
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
Permission denied (publickey).

I am also posting the output for my key to help with troubleshooting:

root@vagrant:/srv# ssh-add -L
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCq9cN3EAEy0WiASY/IBkF9SPIpLv/bZt1tpLc95cb5fG++ac5VX36rA4XukJFtCAk6I4P82ysuqfZGUQNsB57yibz9rbKZ1bFfxRPyGZS22/1Omqb/8B2NlNpJx42sK4odyUj3G+KLCGCmID/AEDhbjeY7d99ZuE6g8aqrtSo0fwsmNHnpvDS8Dt0IjbLxg41Sms9tmYDLlc/tncAs9BmRvuhPbg+BDw+z7ecLneI7+TexDfhXbnZkYfjFLsfI8vWivOu8ptuGVvPkQz/MJo+MokZEzoGbVCAZP5mYSIz+LIFnnCoh5WOMsB3OZuwvelR5bBgWjQhvOaWOX8BuSU5v /root/.ssh/id_rsa

Answer 1

As you can see in the verbose output, access was denied when trying to authenticate with the publickey method:

debug1: Authentications that can continue: publickey
debug1: Trying private key: /root/.ssh/id_dsa
debug3: no such identity: /root/.ssh/id_dsa: No such file or directory
debug1: Trying private key: /root/.ssh/id_ecdsa
debug3: no such identity: /root/.ssh/id_ecdsa: No such file or directory
debug1: Trying private key: /root/.ssh/id_ed25519
debug3: no such identity: /root/.ssh/id_ed25519: No such file or directory
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
Permission denied (publickey).

As you can see above, none of the files that are checked by default (when no specific file is given with the -i flag) were found in your /root/.ssh/ directory.

As already discussed in the comments, it turned out that you were using the admin user, which is not defined on the remote host. You confirmed that you logged in successfully with the ubuntu user: "trying now with the ubuntu user and successfully logged in to the bastion". Since that is clear enough, I will focus only on the other question you asked in the comments:

Then I had to repeat the process of copying the key from host -> bastion, and then ssh from the bastion to the kubernetes master. Now this works, but I expected the officially documented -A flag to somehow forward to the master, which did not happen. I had to ssh twice by hand and copy the key to the bastion. – Kristi Jorgji, Dec 31 '20 at 19:35

The login process you describe is called ssh-ing through a so-called jump host. Keep in mind that it does not work out of the box and needs additional configuration. Please look at this article, because it clearly explains everything you need to know about setting up SSH agent forwarding if you want to use your local keys to ssh not only to the bastion host (which happens to be the jump host in this scenario) but also to ssh automatically from there to another remote host.

In short, you need to create a ~/.ssh/config file on your local machine (if it does not exist yet), set the host to which you want to allow your local ssh key to be forwarded, and set ForwardAgent yes:

Host example.com # it can be either domain name or IP address
  ForwardAgent yes

Also make sure that your jump host allows SSH agent forwarding on inbound connections.

Agent forwarding may also be blocked on your server. You can check whether agent forwarding is allowed by ssh-ing into the server and checking sshd_config. The output of that check should show that AllowAgentForwarding is set.

Now you should be able to ssh directly from your local machine through the jump host to the target remote host with a single ssh command. It is described well here:

Dynamic jump host list

You can use the -J option to jump hosts:

user $ ssh -J host1 host2

If the usernames or ports differ on the machines, specify them:

user $ ssh -J user1@host1:port1 user2@host2:port2

Multiple jumps

The same syntax can be used to jump across multiple machines:

user $ ssh -J user1@host1:port1,user2@host2:port2 user3@host3
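As an added example (not from the answer, the linked articles or the kops project), the constructed ~/.ssh/config below combines the two approaches discussed in the answer for the kops layout above: ForwardAgent scoped to the bastion only, and ProxyJump (the -J option) for the master, which authenticates end to end from the local client so the bastion never needs a copy of the key or access to the agent. The small resolver shows the ssh_config rule that makes this work, namely that the first value obtained for a keyword wins, so the trailing `Host *` only fills in what a per-host block left unset. Hostnames, the 10.0.1.10 address and the `bastion`/`master` aliases are placeholders.

```python
import fnmatch

# Constructed ~/.ssh/config for the kops layout above (hostnames/IPs are placeholders).
SSH_CONFIG = """
Host bastion
    HostName bastion-PLACEHOLDER.eu-central-1.elb.amazonaws.com
    User ubuntu
    IdentityFile ~/.ssh/id_rsa
    ForwardAgent yes

# ProxyJump authenticates to the master end-to-end from the local client,
# so the bastion needs neither a copy of the key nor access to the agent.
Host master
    HostName 10.0.1.10
    User ubuntu
    ProxyJump bastion

Host *
    ForwardAgent no
"""


def resolve(config: str, host: str) -> dict:
    """Effective options for `host` with ssh_config semantics: blocks are read
    top to bottom and the FIRST value obtained for a keyword wins, so the
    trailing `Host *` only fills in what a per-host block left unset.
    Simplified: whitespace-separated keywords, leading-# comments, no ! patterns."""
    options, active = {}, True  # lines before any Host block apply to all hosts
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, *rest = line.split(None, 1)
        key, value = key.lower(), (rest[0].strip() if rest else "")
        if key == "host":
            active = any(fnmatch.fnmatchcase(host, p) for p in value.split())
        elif active:
            options.setdefault(key, value)  # first obtained value wins
    return options


def jump_chain(config: str, host: str) -> list:
    """Follow ProxyJump aliases outward from `host`; the result is the hop order."""
    chain = [host]
    while True:
        nxt = resolve(config, chain[0]).get("proxyjump")
        if not nxt or nxt.lower() == "none" or nxt in chain:
            return chain
        chain.insert(0, nxt)
```

With this config, `ssh master` goes through the bastion with ForwardAgent resolved to `no`, while `ssh bastion` still gets the scoped `ForwardAgent yes`; `ssh -G master` on a real client prints the same resolved values.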
