Suddenly, SSH stopped working on all Google Cloud compute instances - I can't fix it

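I am having a lot of trouble connecting to my VM instances on Google Cloud. Everything was fine, then suddenly the VMs refused connections, and I can't fix it.

I ran this command in Cloud Shell: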

gcloud beta compute ssh ceunix-ubuntu-server-instance -- -vvv 

and received the following message:

Welcome to Cloud Shell! Type "help" to get started.
Your Cloud Platform project in this session is set to ceunix-wordpress-316703.
Use “gcloud config set project [PROJECT_ID]” to change to a different project.
ceunixcorporation@cloudshell:~ (ceunix-wordpress-316703)$ gcloud beta compute ssh ceunix-ubuntu-server-instance -- -vvv
Did you mean zone [asia-southeast1-b] for instance:
[ceunix-ubuntu-server-instance] (Y/n)?  n

No zone specified. Using zone [us-central1-a] for instance: [ceunix-ubuntu-server-instance].
Writing 3 keys to /home/ceunixcorporation/.ssh/google_compute_known_hosts
Updating project ssh metadata...⠶Updated [https://www.googleapis.com/compute/beta/projects/ceunix-wordpress-316703].
Updating project ssh metadata...done.
Waiting for SSH key to propagate.
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ECDSA key sent by the remote host is
SHA256:PIrntDXiIhagDRyAki+F9hgNMxtXDhbAUy2A+VsffSE.
Please contact your system administrator.
Add correct host key in /home/ceunixcorporation/.ssh/google_compute_known_hosts to get rid of this message.
Offending RSA key in /home/ceunixcorporation/.ssh/google_compute_known_hosts:3
  remove with:
  ssh-keygen -f "/home/ceunixcorporation/.ssh/google_compute_known_hosts" -R "compute.906058796356615757"
ECDSA host key for compute.906058796356615757 has changed and you have requested strict checking.
Host key verification failed.
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ECDSA key sent by the remote host is
SHA256:PIrntDXiIhagDRyAki+F9hgNMxtXDhbAUy2A+VsffSE.
Please contact your system administrator.
Add correct host key in /home/ceunixcorporation/.ssh/google_compute_known_hosts to get rid of this message.
Offending RSA key in /home/ceunixcorporation/.ssh/google_compute_known_hosts:3
  remove with:
  ssh-keygen -f "/home/ceunixcorporation/.ssh/google_compute_known_hosts" -R "compute.906058796356615757"
ECDSA host key for compute.906058796356615757 has changed and you have requested strict checking.
Host key verification failed.
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ECDSA key sent by the remote host is
SHA256:PIrntDXiIhagDRyAki+F9hgNMxtXDhbAUy2A+VsffSE.
Please contact your system administrator.
Add correct host key in /home/ceunixcorporation/.ssh/google_compute_known_hosts to get rid of this message.
Offending RSA key in /home/ceunixcorporation/.ssh/google_compute_known_hosts:3
  remove with:
  ssh-keygen -f "/home/ceunixcorporation/.ssh/google_compute_known_hosts" -R "compute.906058796356615757"
ECDSA host key for compute.906058796356615757 has changed and you have requested strict checking.
Host key verification failed.
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ECDSA key sent by the remote host is
SHA256:PIrntDXiIhagDRyAki+F9hgNMxtXDhbAUy2A+VsffSE.
Please contact your system administrator.
Add correct host key in /home/ceunixcorporation/.ssh/google_compute_known_hosts to get rid of this message.
Offending RSA key in /home/ceunixcorporation/.ssh/google_compute_known_hosts:3
  remove with:
  ssh-keygen -f "/home/ceunixcorporation/.ssh/google_compute_known_hosts" -R "compute.906058796356615757"
ECDSA host key for compute.906058796356615757 has changed and you have requested strict checking.
Host key verification failed.
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ECDSA key sent by the remote host is
SHA256:PIrntDXiIhagDRyAki+F9hgNMxtXDhbAUy2A+VsffSE.
Please contact your system administrator.
Add correct host key in /home/ceunixcorporation/.ssh/google_compute_known_hosts to get rid of this message.
Offending RSA key in /home/ceunixcorporation/.ssh/google_compute_known_hosts:3
  remove with:
  ssh-keygen -f "/home/ceunixcorporation/.ssh/google_compute_known_hosts" -R "compute.906058796356615757"
ECDSA host key for compute.906058796356615757 has changed and you have requested strict checking.
Host key verification failed.
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ECDSA key sent by the remote host is
SHA256:PIrntDXiIhagDRyAki+F9hgNMxtXDhbAUy2A+VsffSE.
Please contact your system administrator.
Add correct host key in /home/ceunixcorporation/.ssh/google_compute_known_hosts to get rid of this message.
Offending RSA key in /home/ceunixcorporation/.ssh/google_compute_known_hosts:3
  remove with:
  ssh-keygen -f "/home/ceunixcorporation/.ssh/google_compute_known_hosts" -R "compute.906058796356615757"
ECDSA host key for compute.906058796356615757 has changed and you have requested strict checking.
Host key verification failed.
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ECDSA key sent by the remote host is
SHA256:PIrntDXiIhagDRyAki+F9hgNMxtXDhbAUy2A+VsffSE.
Please contact your system administrator.
Add correct host key in /home/ceunixcorporation/.ssh/google_compute_known_hosts to get rid of this message.
Offending RSA key in /home/ceunixcorporation/.ssh/google_compute_known_hosts:3
  remove with:
  ssh-keygen -f "/home/ceunixcorporation/.ssh/google_compute_known_hosts" -R "compute.906058796356615757"
ECDSA host key for compute.906058796356615757 has changed and you have requested strict checking.
Host key verification failed.
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ECDSA key sent by the remote host is
SHA256:PIrntDXiIhagDRyAki+F9hgNMxtXDhbAUy2A+VsffSE.
Please contact your system administrator.
Add correct host key in /home/ceunixcorporation/.ssh/google_compute_known_hosts to get rid of this message.
Offending RSA key in /home/ceunixcorporation/.ssh/google_compute_known_hosts:3
  remove with:
  ssh-keygen -f "/home/ceunixcorporation/.ssh/google_compute_known_hosts" -R "compute.906058796356615757"
ECDSA host key for compute.906058796356615757 has changed and you have requested strict checking.
Host key verification failed.
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ECDSA key sent by the remote host is
SHA256:PIrntDXiIhagDRyAki+F9hgNMxtXDhbAUy2A+VsffSE.
Please contact your system administrator.
Add correct host key in /home/ceunixcorporation/.ssh/google_compute_known_hosts to get rid of this message.
Offending RSA key in /home/ceunixcorporation/.ssh/google_compute_known_hosts:3
  remove with:
  ssh-keygen -f "/home/ceunixcorporation/.ssh/google_compute_known_hosts" -R "compute.906058796356615757"
ECDSA host key for compute.906058796356615757 has changed and you have requested strict checking.
Host key verification failed.
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ECDSA key sent by the remote host is
SHA256:PIrntDXiIhagDRyAki+F9hgNMxtXDhbAUy2A+VsffSE.
Please contact your system administrator.
Add correct host key in /home/ceunixcorporation/.ssh/google_compute_known_hosts to get rid of this message.
Offending RSA key in /home/ceunixcorporation/.ssh/google_compute_known_hosts:3
  remove with:
  ssh-keygen -f "/home/ceunixcorporation/.ssh/google_compute_known_hosts" -R "compute.906058796356615757"
ECDSA host key for compute.906058796356615757 has changed and you have requested strict checking.
Host key verification failed.
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ECDSA key sent by the remote host is
SHA256:PIrntDXiIhagDRyAki+F9hgNMxtXDhbAUy2A+VsffSE.
Please contact your system administrator.
Add correct host key in /home/ceunixcorporation/.ssh/google_compute_known_hosts to get rid of this message.
Offending RSA key in /home/ceunixcorporation/.ssh/google_compute_known_hosts:3
  remove with:
  ssh-keygen -f "/home/ceunixcorporation/.ssh/google_compute_known_hosts" -R "compute.906058796356615757"
ECDSA host key for compute.906058796356615757 has changed and you have requested strict checking.
Host key verification failed.
ERROR: (gcloud.beta.compute.ssh) Could not SSH into the instance.  It is possible that your SSH key has not propagated to the instance yet. Try running this command again.  If you still cannot connect, verify that the firewall and instance are set to accept ssh traffic.
ceunixcorporation@cloudshell:~ (ceunix-wordpress-316703)

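Note: I checked the firewall rules, and they allow port 22 on all instance networks. Then I cleared the Compute Instance > Metadata section and added a new key. But it didn't work.

Only SSH from the browser works normally. If I choose Compute Engine > VM instances > select the VM and the SSH menu > Open in browser window using provided private SSH key, and then select my own private ppk key, it never lets me in either!

Here is the error message: "You cannot connect to the VM instance because of an unexpected error. Wait a few moments and then try again."

So, what should I do? I have three Ubuntu instances. All of them refuse connections. Please help me.

Note: I ran nmap <my vm's external IP Address> and got the following result: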

Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-13 08:27 Azores Standard Time
Nmap scan report for 100.142.67.34.bc.googleusercontent.com (34.67.142.100)
The host is up (0.32s latency).
Not shown: 996 filtered ports
PORT     STATE  SERVICE
80/tcp   closed http
443/tcp  closed https
3389/tcp closed ms-wbt-server
8088/tcp open   radan-http

Nmap done: 1 IP address (1 host up) scanned in 17.70 seconds

I also ran this command in Cloud Shell, gcloud compute firewall-rules list, and got the following output:

NAME                              NETWORK  DIRECTION  PRIORITY  ALLOW                         DENY  DISABLED
default-allow-http                default  INGRESS    1000      tcp:80                              False
default-allow-https               default  INGRESS    1000      tcp:443                             False
default-allow-icmp                default  INGRESS    65534     icmp                                False
default-allow-internal            default  INGRESS    65534     tcp:0-65535,udp:0-65535,icmp        False
default-allow-rdp                 default  INGRESS    65534     tcp:3389                            False
default-allow-ssh                 default  INGRESS    65534     tcp:22                              False
machinecoderguy-allow-port-7080   default  INGRESS    1000      tcp:7080,udp                        False
machnicecoderguy-allow-port-8088  default  INGRESS    1000      tcp:8088,udp                        False

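Answer 1

The VM's fingerprint has changed.

Stop changing things on the VM, because that is not your problem, unless your VM has been hacked.

The problem is that your desktop has a known_hosts file that contains IP addresses and host fingerprints. Because the fingerprint has changed, you cannot connect, for security reasons.

If you are sure that your system has not been hacked, delete the known_hosts file located in ~/.ssh

Now, the important question is: why did the fingerprint change? This can be caused by some normal reasons and some worrying ones. Do these VMs have static (not ephemeral) IP addresses? Did you perform a major upgrade of the VMs' operating system? Are these systems part of a managed instance group, and is the same IP address being reused for new instances? The investigation is left to you.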

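Answer 2

"Host key verification failed" indicates that the remote host's host key has been changed.

SSH stores the host keys of remote hosts in ~/.ssh/known_hosts. You can manually edit that text file and remove the old key, or use

ssh-keygen -R hostname

From the man page: "-R hostname" removes all keys belonging to hostname from a known_hosts file. This option is useful to delete hashed hosts.

You can refer to this case for details.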
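
A sketch of the check both answers above point at, added here as an example and not part of the original answers: before dropping a stale entry, compare the fingerprint the server presents with one obtained out of band (for instance from the VM's serial console; that source is an assumption), and remove only that host's lines rather than the whole file. The function names and the sample known_hosts content are constructed for illustration.

```python
import base64, hashlib, hmac

def fingerprint(b64_blob):
    """Fingerprint as ssh prints it: unpadded base64 of SHA-256 over the key blob."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def host_matches(field, host):
    """Match a known_hosts host field: hashed (|1|salt|mac) or plain comma list.
    Wildcard and negated patterns are not handled here."""
    if field.startswith("|1|"):
        _, _, salt, mac = field.split("|")
        calc = hmac.new(base64.b64decode(salt), host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(calc, base64.b64decode(mac))
    return host in field.split(",")

def triage(known_hosts, host, presented_fp, trusted_fp):
    """Return (verdict, new_known_hosts_text). Lines for `host` are dropped only
    when the presented fingerprint equals one obtained out of band (trusted_fp)."""
    kept, stored = [], []
    for line in known_hosts.splitlines():
        parts = line.split()
        is_entry = len(parts) >= 3 and not line.startswith(("#", "@"))
        if is_entry and host_matches(parts[0], host):
            stored.append(fingerprint(parts[2]))
        else:
            kept.append(line)
    if presented_fp in stored:
        return "unchanged", known_hosts
    if trusted_fp and presented_fp == trusted_fp:
        return "rotation-verified", "\n".join(kept) + "\n"
    return "unverified-change", known_hosts  # investigate; leave the file alone

# Constructed sample data: the blobs are placeholders, not real host keys.
def blob(text):
    return base64.b64encode(text.encode()).decode()

def hashed_field(host, salt=b"constructed-salt-20b"):
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())

HOST = "compute.906058796356615757"  # host alias from the log in the question
SAMPLE = "\n".join([
    "compute.1111111111111111111 ssh-ed25519 " + blob("other-vm-key"),
    HOST + " ssh-rsa " + blob("old-rsa-key"),
    hashed_field(HOST) + " ecdsa-sha2-nistp256 " + blob("old-ecdsa-key"),
]) + "\n"
NEW_FP = fingerprint(blob("new-ecdsa-key"))  # what the server presents now

if __name__ == "__main__": print(triage(SAMPLE, HOST, NEW_FP, NEW_FP)[0])
```

With no trusted fingerprint supplied, the verdict is "unverified-change" and the file is returned untouched, which is the case where the reason for the change still has to be investigated.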

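Answer 3

Finally, I solved my problem. I don't know how it worked, but it fixed itself automatically.

I ran a full security scan and added a new firewall rule in Windows Defender Firewall.

Replaced my router. Problem solved.

Also, I executed some commands to clear all host keys, but I was missing the known_hosts file in all the VMs; using this command I managed to create a new one: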

ssh <hostname or External Static IP Address> -o "VerifyHostKeyDNS=yes"

Then, run this command to verify the fingerprint:

ssh-keyscan <hostname or External Static IP Address> | ssh-keygen -lf -

Then:

systemctl restart ssh

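As far as I understand, if you try to troubleshoot by following the steps described here: Google Cloud SSH connection checks, but cannot solve your problem, you should run a virus scan and clear all the known hosts lists using the following command: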

ssh-keygen -R <hostname or External Static IP Address>

You can also run this command in Cloud Shell to check that the Google firewall is not blocking port 22:

gcloud compute firewall-rules list

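If you do not see port 22 in the allow list, you need to add a new firewall rule to allow port 22.

Go to VPC network > Firewall and create a new firewall rule to allow port 22. For help, you can check this link: https://cloud.google.com/filestore/docs/configuring-firewall

If you are still not allowed to connect over SSH, try checking whether your internet provider, your router, or your local firewall rules are blocking you!

You can also clear all SSH public keys under Compute Engine > Metadata > SSH Keys and add a new public key for authentication.

I hope you can solve your problem like I did.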
