
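Up until last week I was happily running Ubuntu 20.04, then over the weekend I decided to back everything up and install 22.04. I ran into a few teething problems, which I have resolved, but I am having a real problem with SSH. I have two first-generation WD MyCloud drives which handle all my backups and files both at home and away. I can still connect to the shares without any problem, but I need to SSH into both drives to run maintenance, back up between the cloud drives, and so on.

Initially after the upgrade I could not get SSH access at all, but the fix on this site worked. I can now connect via SSH and enter my password.

However, in Ubuntu 20.04 I had set up a key so that my various automated scripts using rsync could copy between the cloud drives and between Ubuntu and the cloud drive shares. This worked until I upgraded; now the scripts keep asking for my password, and I don't know how to stop it.

What I originally did was run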

ssh-keygen -b 4096

to generate the key, and then

ssh-copy-id root@server

to copy the key.

If I then entered

ssh root@server

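it simply connected without asking for my password.

I know this is because my cloud drives only support a now-insecure SSH, but I can't upgrade them to a more secure SSH (unless someone knows how to upgrade them; to be honest I would prefer to do that). My maintenance scripts can make up to 20 connections over a few hours, and sitting there constantly typing in the password is becoming a chore.

Can anyone help me get my remote rsync commands working again so that they don't keep asking me for a password?

The terminal output when I run these is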

colin@colin-desktop:~/.ssh$ ssh-keygen -b 4096

Generating public/private rsa key pair.
Enter file in which to save the key (/home/colin/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/colin/.ssh/id_rsa
Your public key has been saved in /home/colin/.ssh/id_rsa.pub
The key fingerprint is:
SHA256:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx colin@colin-desktop
The key's randomart image is:
+---[RSA 4096]----+
...
+----[SHA256]-----+

colin@colin-desktop:~/.ssh$ ssh-copy-id [email protected]

/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
[email protected]'s password: 

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh '[email protected]'"
and check to make sure that only the key(s) you wanted were added.

colin@colin-desktop:~/.ssh$ ssh [email protected]

[email protected]'s password: 

Linux NASServer 3.2.26 #1 SMP Thu Jul 9 11:14:15 PDT 2015 wd-2.4-rel armv7l

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.

NASServer:~# cd ~/.ssh

NASSERVER:~/.ssh# ls -al

total 12
drwx------ 2 root root 4096 May 17 23:32 .
drwx------ 7 root root 4096 Apr 28 19:02 ..
-rw------- 1 root root  742 May 17 23:32 authorized_keys

NASServer:~/.ssh# exit

logout
Connection to xxx.xxx.xxx.xxx closed.

colin@colin-desktop:~$ rsync --verbose --archive -e 'ssh -p 22' ~/Files/ [email protected]:/shares/Files/

[email protected]'s password: 

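The reason this came up in the first place is that I need to be able to rsync with remote locations securely without human intervention. The instructions I was given were to use ssh-keygen to generate a public/private key pair, then use ssh-copy-id to copy the public key to the remote host. I have just reinstalled 20.04 on another machine and used this successfully; rsync runs without a password. However, if I clear the keys on the server, reinstall 22.04 and do the same, it still prompts me for a password. I have updated my question to show the output of the commands as run on Ubuntu 22.04, with the server name hidden for obvious reasons.

The terminal output of rsync -vvv is as follows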

colin@colin-desktop:~$ ssh -vvv [email protected]
OpenSSH_8.9p1 Ubuntu-3, OpenSSL 3.0.2 15 Mar 2022
debug1: Reading configuration data /home/colin/.ssh/config
debug3: kex names ok: [diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group-exchange-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,curve25519-sha256,[email protected],[email protected]]
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: include /etc/ssh/ssh_config.d/*.conf matched no files
debug1: /etc/ssh/ssh_config line 21: Applying options for *
debug2: resolve_canonicalize: hostname xxx.xxx.xxx.xxx is address
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts' -> '/home/colin/.ssh/known_hosts'
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts2' -> '/home/colin/.ssh/known_hosts2'
debug3: ssh_connect_direct: entering
debug1: Connecting to xxx.xxx.xxx.xxx [xxx.xxx.xxx.xxx] port 22.
debug3: set_sock_tos: set socket 3 IP_TOS 0x10
debug1: Connection established.
debug1: identity file /home/colin/.ssh/id_rsa type 0
debug1: identity file /home/colin/.ssh/id_rsa-cert type -1
debug1: identity file /home/colin/.ssh/id_ecdsa type -1
debug1: identity file /home/colin/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/colin/.ssh/id_ecdsa_sk type -1
debug1: identity file /home/colin/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file /home/colin/.ssh/id_ed25519 type -1
debug1: identity file /home/colin/.ssh/id_ed25519-cert type -1
debug1: identity file /home/colin/.ssh/id_ed25519_sk type -1
debug1: identity file /home/colin/.ssh/id_ed25519_sk-cert type -1
debug1: identity file /home/colin/.ssh/id_xmss type -1
debug1: identity file /home/colin/.ssh/id_xmss-cert type -1
debug1: identity file /home/colin/.ssh/id_dsa type -1
debug1: identity file /home/colin/.ssh/id_dsa-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.9p1 Ubuntu-3
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.0p1 Debian-4
debug1: compat_banner: match: OpenSSH_6.0p1 Debian-4 pat OpenSSH* compat 0x04000000
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to xxx.xxx.xxx.xxx:22 as 'root'
debug3: send packet: type 20
debug1: SSH2_MSG_KEXINIT sent
debug3: receive packet: type 20
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group-exchange-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,curve25519-sha256,[email protected],[email protected],ext-info-c
debug2: host key algorithms: ssh-ed25519,[email protected],[email protected],[email protected],ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected]
debug2: ciphers ctos: 3des-cbc,aes128-cbc,aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected],[email protected]
debug2: ciphers stoc: 3des-cbc,aes128-cbc,aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected],[email protected]
debug2: MACs ctos: hmac-sha1,hmac-sha1-96,hmac-sha2-256,hmac-sha2-512,hmac-md5,hmac-md5-96,[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected]
debug2: MACs stoc: hmac-sha1,hmac-sha1-96,hmac-sha2-256,hmac-sha2-512,hmac-md5,hmac-md5-96,[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected]
debug2: compression ctos: none,[email protected],zlib
debug2: compression stoc: none,[email protected],zlib
debug2: languages ctos: 
debug2: languages stoc: 
debug2: first_kex_follows 0 
debug2: reserved 0 
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: host key algorithms: ssh-rsa,ssh-dss
debug2: ciphers ctos: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected]
debug2: ciphers stoc: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected]
debug2: MACs ctos: hmac-md5,hmac-sha1,[email protected],hmac-sha2-256,hmac-sha2-256-96,hmac-sha2-512,hmac-sha2-512-96,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
debug2: MACs stoc: hmac-md5,hmac-sha1,[email protected],hmac-sha2-256,hmac-sha2-256-96,hmac-sha2-512,hmac-sha2-512-96,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
debug2: compression ctos: none,[email protected]
debug2: compression stoc: none,[email protected]
debug2: languages ctos: 
debug2: languages stoc: 
debug2: first_kex_follows 0 
debug2: reserved 0 
debug1: kex: algorithm: diffie-hellman-group1-sha1
debug1: kex: host key algorithm: ssh-rsa
debug1: kex: server->client cipher: 3des-cbc MAC: hmac-sha1 compression: none
debug1: kex: client->server cipher: 3des-cbc MAC: hmac-sha1 compression: none
debug2: bits set: 515/1024
debug3: send packet: type 30
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug3: receive packet: type 31
debug1: SSH2_MSG_KEX_ECDH_REPLY received
debug1: Server host key: ssh-rsa SHA256:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
debug3: record_hostkey: found key type RSA in file /home/colin/.ssh/known_hosts:1
debug3: load_hostkeys_file: loaded 1 keys from xxx.xxx.xxx.xxx
debug1: load_hostkeys: fopen /home/colin/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: Host 'xxx.xxx.xxx.xxx' is known and matches the RSA host key.
debug1: Found key in /home/colin/.ssh/known_hosts:1
debug2: bits set: 495/1024
debug3: send packet: type 21
debug2: ssh_set_newkeys: mode 1
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug3: receive packet: type 21
debug1: SSH2_MSG_NEWKEYS received
debug2: ssh_set_newkeys: mode 0
debug1: rekey in after 134217728 blocks
debug1: get_agent_identities: bound agent to hostkey
debug1: get_agent_identities: agent returned 1 keys
debug1: Will attempt key: /home/colin/.ssh/id_rsa RSA SHA256:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX agent
debug1: Will attempt key: /home/colin/.ssh/id_ecdsa 
debug1: Will attempt key: /home/colin/.ssh/id_ecdsa_sk 
debug1: Will attempt key: /home/colin/.ssh/id_ed25519 
debug1: Will attempt key: /home/colin/.ssh/id_ed25519_sk 
debug1: Will attempt key: /home/colin/.ssh/id_xmss 
debug1: Will attempt key: /home/colin/.ssh/id_dsa 
debug2: pubkey_prepare: done
debug3: send packet: type 5
debug3: receive packet: type 6
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug3: send packet: type 50
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,password
debug3: start over, passed a different list publickey,password
debug3: preferred gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering public key: /home/colin/.ssh/id_rsa RSA SHA256:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX agent
debug1: send_pubkey_test: no mutual signature algorithm
debug1: Trying private key: /home/colin/.ssh/id_ecdsa
debug3: no such identity: /home/colin/.ssh/id_ecdsa: No such file or directory
debug1: Trying private key: /home/colin/.ssh/id_ecdsa_sk
debug3: no such identity: /home/colin/.ssh/id_ecdsa_sk: No such file or directory
debug1: Trying private key: /home/colin/.ssh/id_ed25519
debug3: no such identity: /home/colin/.ssh/id_ed25519: No such file or directory
debug1: Trying private key: /home/colin/.ssh/id_ed25519_sk
debug3: no such identity: /home/colin/.ssh/id_ed25519_sk: No such file or directory
debug1: Trying private key: /home/colin/.ssh/id_xmss
debug3: no such identity: /home/colin/.ssh/id_xmss: No such file or directory
debug1: Trying private key: /home/colin/.ssh/id_dsa
debug3: no such identity: /home/colin/.ssh/id_dsa: No such file or directory
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred: ,password
debug3: authmethod_is_enabled password
debug1: Next authentication method: password
[email protected]'s password: 

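Answer 1

Cause

Due to various security vulnerabilities, the RSA SHA-1 hash algorithm is rapidly being deprecated across operating systems and SSH clients, and many of them now refuse to use it entirely.

This seems to have happened with the ssh client in Ubuntu 22.04 as well. RSA public/private key pairs are considered no longer secure.

Solution

Use a more modern and secure key type, such as ed25519. Generate a new key pair on your Ubuntu 22.04 computer with the following command: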

ssh-keygen -t ed25519 -C "colin@colin-desktop"

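Note: the string after -C is a comment, and people usually enter their e-mail address here. Since you will probably only use this key at home, entering an e-mail address may not make sense. I would enter something like "colin@colin-desktop" so that you know which user and computer in your home the key belongs to.

Alternatively, you can create a new RSA key using the SHA2 hash algorithm, like so: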

ssh-keygen -t rsa-sha2-512 -b 4096

Either way, you will need to use the ssh-copy-id command again:

ssh-copy-id [email protected]

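This command will recognize that there is a new public key and copy the new key to the /root/.ssh/authorized_keys file.

Now it should work.

Remote server workaround

If you can't change anything on your local computer, or don't want to use a new key, and want to re-enable RSA on your local computer, edit the /etc/ssh/sshd_config file on the remote computer and add the following lines: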

HostKeyAlgorithms +ssh-rsa
PubkeyAcceptedKeyTypes +ssh-rsa

This will allow the use of the insecure RSA key you already have.

Remember to restart the sshd service with:

sudo systemctl restart sshd

Otherwise you will have to restart your computer for the changes to take effect.


Hope this helps
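The `ssh -vvv` output in the question already contains the diagnosis; the following added example (not part of the original post or answers) pulls the relevant lines out of such a log. The function name, report keys and the shortened sample log are constructed for illustration.

```python
import re

# Algorithms current OpenSSH treats as legacy; negotiating them is worth flagging.
LEGACY = {"diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1", "ssh-rsa",
          "ssh-dss", "3des-cbc", "hmac-sha1", "hmac-md5"}

def diagnose(log):
    """Summarise an `ssh -v` log: server, legacy crypto, refused keys, fallback."""
    report = {"server": None, "server_hostkey_algs": [], "legacy_negotiated": [],
              "rejected_keys": [], "fell_back_to_password": False}
    offered, in_peer = None, False
    for line in log.splitlines():
        if m := re.search(r"remote software version (\S+)", line):
            report["server"] = m.group(1)
        elif "peer server KEXINIT proposal" in line:
            in_peer = True      # the next "host key algorithms" line is the server's
        elif in_peer and (m := re.search(r"host key algorithms: (\S+)", line)):
            report["server_hostkey_algs"] = m.group(1).split(",")
            in_peer = False
        elif m := re.match(r"debug1: kex: (.+)", line):
            for token in re.findall(r"[\w@.-]+", m.group(1)):
                if token in LEGACY and token not in report["legacy_negotiated"]:
                    report["legacy_negotiated"].append(token)
        elif m := re.match(r"debug1: Offering public key: (\S+) (\S+)", line):
            offered = (m.group(1), m.group(2))
        elif "no mutual signature algorithm" in line and offered:
            # Client has the key but no signature algorithm both sides accept.
            report["rejected_keys"].append(offered)
        elif "Next authentication method: password" in line:
            report["fell_back_to_password"] = True
    return report

# Constructed sample, shortened from the shape of the log in the question.
SAMPLE = """\
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.0p1 Debian-4
debug2: local client KEXINIT proposal
debug2: host key algorithms: ssh-ed25519,ssh-rsa,ssh-dss
debug2: peer server KEXINIT proposal
debug2: host key algorithms: ssh-rsa,ssh-dss
debug1: kex: algorithm: diffie-hellman-group1-sha1
debug1: kex: host key algorithm: ssh-rsa
debug1: kex: server->client cipher: 3des-cbc MAC: hmac-sha1 compression: none
debug1: Offering public key: /home/colin/.ssh/id_rsa RSA SHA256:CONSTRUCTED agent
debug1: send_pubkey_test: no mutual signature algorithm
debug1: Next authentication method: password
"""

if __name__ == "__main__":
    print(diagnose(SAMPLE))
```

OpenSSH_6.0p1, as in the question's log, predates both rsa-sha2-* signatures (added in OpenSSH 7.2) and Ed25519 keys (added in 6.5), which is why `server_hostkey_algs` lists only ssh-rsa and ssh-dss.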

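Answer 2

When I need to re-enable deprecated methods to connect to a server that cannot be upgraded (for example embedded legacy devices such as old routers), I prefer to do it on a per-device basis rather than as a general setting. Instead of using /etc/ssh/ssh_config or /etc/ssh/ssh_config.d/somefile.conf, I put it in a dedicated "Host ..." section of the ~/.ssh/config file (see man ssh_config), like this: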

...
Host my.remote.server
PubkeyAcceptedKeyTypes +ssh-rsa
KexAlgorithms +diffie-hellman-group14-sha1
HostKeyAlgorithms +ssh-rsa
Port 32579
OtherKeyword ...

Host otherserver
... 

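Note that I had to add the KexAlgorithms and HostKeyAlgorithms keywords with the relevant parameters, along with the keyword suggested by user68186, PubkeyAcceptedKeyTypes, which was not enough. This is with Ubuntu 22.04, OpenSSH v8.9...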
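To check that legacy algorithms are re-enabled only for the device that needs them, as this answer recommends, the following added example (not from the original answer) scans ssh_config text and reports whether each legacy opt-in sits under a specific Host entry or applies to every host. The host name `nas.example.internal` and the sample file are constructed; `PubkeyAcceptedAlgorithms` is the newer name OpenSSH uses for `PubkeyAcceptedKeyTypes`.

```python
import re

# Client options that can re-enable legacy algorithms, and what counts as legacy.
WEAKENING = {"pubkeyacceptedkeytypes", "pubkeyacceptedalgorithms",
             "hostkeyalgorithms", "kexalgorithms", "ciphers", "macs"}
LEGACY = re.compile(r"ssh-rsa|ssh-dss|-sha1|3des-cbc|hmac-md5")

def audit(config):
    """Return (line, scope, keyword, value, verdict) per legacy opt-in found."""
    findings, scope = [], "*"   # options before any Host line apply to all hosts
    for no, raw in enumerate(config.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) < 2:
            continue
        keyword, value = parts[0].lower(), parts[1].strip()
        if keyword in ("host", "match"):
            scope = value if keyword == "host" else "match " + value
            continue
        if keyword in WEAKENING and LEGACY.search(value):
            # A wildcard pattern (or "Match all") exposes every host to the downgrade.
            broad = scope.lower() == "match all" or any(
                ch in pat for pat in scope.split() for ch in "*?"
                if not pat.startswith("!"))
            findings.append((no, scope, keyword, value,
                             "too broad" if broad else "scoped"))
    return findings

# Constructed sample ~/.ssh/config.
SAMPLE = """\
# constructed sample
Ciphers +3des-cbc

Host nas.example.internal
    PubkeyAcceptedKeyTypes +ssh-rsa
    HostKeyAlgorithms +ssh-rsa
    KexAlgorithms +diffie-hellman-group14-sha1

Host *
    PubkeyAcceptedAlgorithms +ssh-rsa
    ServerAliveInterval 60
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```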

Answer 3

Similar problem, from a Symfony PHP script on Debian 11 to SSH on an Ubuntu 22 server... I had to add the following lines

PubkeyAcceptedKeyTypes +ssh-rsa
HostKeyAlgorithms +ssh-rsa

Without HostKeyAlgorithms it did not work.

Answer 4

Adding the following line:

PubkeyAcceptedKeyTypes +ssh-rsa

to the end of /etc/ssh/sshd_config and restarting ssh.service solved the problem for me.
