我继承了一个安装了 OpenSSH 5.3 的旧 CentOS-6 系统。OpenSSH 的行为很奇怪:目前守护进程需要使用公钥和密码才能登录。(我记得一直都是这样。)现在我只需要密码就可以登录或者一把钥匙 - 但是不是两个都!
我已经验证守护进程上配置了这些设置:
[root@cp ~]# grep -v '#' /etc/ssh/sshd_config | grep -v ^$
Protocol 2
SyslogFacility AUTHPRIV
PermitRootLogin yes
RSAAuthentication yes
PubkeyAuthentication yes
PermitEmptyPasswords no
PasswordAuthentication yes
ChallengeResponseAuthentication yes
GSSAPIAuthentication no
GSSAPICleanupCredentials yes
UsePAM yes
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
X11Forwarding yes
UseDNS no
Subsystem sftp /usr/libexec/openssh/sftp-server
AllowUsers eric@*
AllowUsers techsup@*
我检查了 /var/log/secure。登录成功后发现以下两行:
Feb 6 22:33:21 cp sshd[28717]: Accepted keyboard-interactive/pam for root from X.X.X.X port 25075 ssh2
Feb 6 22:33:21 cp sshd[28717]: pam_unix(sshd:session): session opened for user root by (uid=0)
我尝试调试登录过程。但没有什么发现:
eric@cp2:~$ ssh -v [email protected]
OpenSSH_8.9p1 Ubuntu-3ubuntu0.6, OpenSSL 3.0.2 15 Mar 2022
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: include /etc/ssh/ssh_config.d/*.conf matched no files
debug1: /etc/ssh/ssh_config line 21: Applying options for *
debug1: Connecting to cp.EXAMPLE.com [X.X.X.X] port 22.
debug1: Connection established.
debug1: identity file /home/eric/.ssh/id_rsa type -1
debug1: identity file /home/eric/.ssh/id_rsa-cert type -1
debug1: identity file /home/eric/.ssh/id_ecdsa type -1
debug1: identity file /home/eric/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/eric/.ssh/id_ecdsa_sk type -1
debug1: identity file /home/eric/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file /home/eric/.ssh/id_ed25519 type -1
debug1: identity file /home/eric/.ssh/id_ed25519-cert type -1
debug1: identity file /home/eric/.ssh/id_ed25519_sk type -1
debug1: identity file /home/eric/.ssh/id_ed25519_sk-cert type -1
debug1: identity file /home/eric/.ssh/id_xmss type -1
debug1: identity file /home/eric/.ssh/id_xmss-cert type -1
debug1: identity file /home/eric/.ssh/id_dsa type -1
debug1: identity file /home/eric/.ssh/id_dsa-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.6
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
debug1: compat_banner: match: OpenSSH_5.3 pat OpenSSH_5* compat 0x0c000002
debug1: Authenticating to cp.EXAMPLE.com:22 as 'root'
debug1: load_hostkeys: fopen /home/eric/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: diffie-hellman-group-exchange-sha256
debug1: kex: host key algorithm: (no match)
Unable to negotiate with X.X.X.X port 22: no matching host key type found. Their offer: ssh-rsa,ssh-dss
我如何禁用此行为,以便我可以使用密码登录或者关键?
短暂性脑缺血发作,
艾瑞克·普雷托里厄斯
内华达州里诺
答案1
调试显示所有身份文件都返回了错误(类型 -1),并且没有执行公钥认证。您是否对 中的任何文件具有读取权限/home/eric/.ssh/
?
也有一个错误no matching host key type found. Their offer: ssh-rsa,ssh-dss
。使用ssh -o HostKeyAlgorithms=+ssh-rsa
答案2
更明确地说:你还未尝试“登录”
这个错误并不意味着你的 ssh 客户端正在尝试使用公钥进行身份验证(通常称为登录)。它说no matching host key type
因为你的客户不接受来自服务器/主机的密钥。这种情况至少会在 6 条消息后尝试任何客户端/用户身份验证类型,可以是公钥或者密码。请参阅其中的内容Their offer: ssh-rsa,ssh-dss
- ssh-rsa 和 ssh-dss 现已过时且不安全,并且在最新版本的 OpenSSH(分别自 7.0 和 8.8 起)中默认被禁用。
看SSH 未找到匹配的主机密钥类型
https://unix.stackexchange.com/questions/699192/unable-to-negotiate-with-ip-address-port-22-no-matching-host-key-type-found
https://unix.stackexchange.com/questions/707663/old-linux-rejects-my-ssh-id-rsa-key-from-newly-installed-windows
https://unix.stackexchange.com/questions/693370/can-no-longer-ssh-after-local-os-update-reinstall-no-matching-host-key-type-found
https://unix.stackexchange.com/questions/704177/scp-command-getting-failed-unable-to-negotiate-with-10-100-10-10-port-55-no-matching-host-key-type-found
并指定或配置[-o]HostKeyAlgorithms={ssh-rsa|ssh-dss|ssh-rsa,ssh-dss}
。一旦服务器密钥被接受,如果您想要使用 RSA 密钥进行身份验证/登录,您还需要[-o]PubkeyAcceptedKeyTypes=ssh-rsa
或在 8.5 中设置较新且首选的名称PubkeyAcceptedAlgorithms
,如其中几个重复项中所述。
答案3
正如@AlexD 指出的那样:远程 ssh 是旧的 OpenSSH_5.3,并且在 OpenSSH_8.9p1 中默认没有更安全的密码。
放弃密码是有原因的,所以除非您的 Centos 6 机器位于防火墙后面,否则优先考虑升级 openssh。您需要对机器进行物理访问,这样如果出现问题,您就不会被锁定。
您正在连接到:这意味着远程盒应该在中寻找您的发言。ssh -v [email protected]
id_rsa.pub
eric@???
/root/.ssh/
答案4
我不确定 CentOS 6 是否支持它,但我会尝试设置
RequiredAuthentications2 publickey
在 sshd_config 中。