我们在 Google Cloud Platform 上运行少量 Debian 服务器。我们设置的新服务器,我们能够在创建时添加 SSH 密钥,并通过 SSH 毫无问题地访问机器。旧机器(在过去 1-3 个月内创建)我们在通过 SSH 访问它们时遇到问题。
作为测试用例,我使用本地 Mac 创建了一个全新的 id_rsa 密钥对,ssh-keygen
并将公钥添加到 GCP。我的 IP 被允许访问该盒子,并且我的用户位于AllowUsers
ssh_config 中。
$ ssh -i ~/.ssh/*KEY* *USER*@*IP* -p *PORT* -v
OpenSSH_6.9p1, LibreSSL 2.1.8
debug1: Reading configuration data /Users/me/.ssh/config
debug1: /Users/me/.ssh/config line ****: Applying options for ****IP****
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line ****: Applying options for *
debug1: /etc/ssh/ssh_config line ****: Applying options for *
debug1: Connecting to ****IP**** [****IP****] port ****PORT****.
debug1: Connection established.
debug1: identity file /Users/me/.ssh/gcp type 1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/me/.ssh/gcp-cert type -1
debug1: identity file /Users/me/.ssh/gcp type 1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/me/.ssh/gcp-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.9
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.7p1
debug1: match: OpenSSH_6.7p1 pat OpenSSH* compat 0x04000000
debug1: Authenticating to ****IP****:****PORT**** as '****USERNAME****'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client [email protected] <implicit> none
debug1: kex: client->server [email protected] <implicit> none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: xxx
debug1: Host '[****IP****]:****PORT****' is known and matches the ECDSA host key.
debug1: Found key in /Users/me/.ssh/known_hosts:1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
********************************************************************
* *
* This system is for the use of authorized users only. Usage of *
* this system may be monitored and recorded by system personnel. *
* *
* Anyone using this system expressly consents to such monitoring *
* and is advised that if such monitoring reveals possible *
* evidence of criminal activity, system personnel may provide the *
* evidence from such monitoring to law enforcement officials. *
* *
********************************************************************
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /Users/me/.ssh/gcp
debug1: Authentications that can continue: publickey
debug1: Offering RSA public key: /Users/me/.ssh/gcp
debug1: Authentications that can continue: publickey
debug1: No more authentication methods to try.
Permission denied (publickey).
尽管找到了我的密钥,但我的本地客户端似乎在连接后并未尝试进行身份验证。我不确定这是否是 GCP 未正确将我的公钥添加到服务器的问题,或者我的本地计算机是否做错了什么。
谷歌似乎在过去几个月改变了他们处理密钥的方式(管理元数据中的 SSH 密钥)但我似乎一切都正确,但无法连接。
答案1
经过一番挖掘,谷歌云平台在将 SSH 密钥应用到我们的 Debian 机器上时似乎存在问题。在项目级别全局添加密钥,或者手动将用户添加到 Debian 盒子,手动将密钥添加到每个用户的authorized_keys,它可以工作。在实例级别添加它们不起作用。我将向 Google 报告该错误。