问题:堡垒主机 IP 不匹配~/.ssh/known_hosts

问题:堡垒主机 IP 不匹配~/.ssh/known_hosts

我从我的 Mac 创建了到远程服务器的无密码 ssh 连接。它起作用了(!)然后我关闭了我的终端,重新打开它,再次尝试,并得到以下结果(用户名,my_ip 不是真实的):

ssh -vvv username@my_ip
OpenSSH_7.2p2, LibreSSL 2.4.1
debug1: Reading configuration data /Users/Me/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 20: Applying options for *
debug1: /etc/ssh/ssh_config line 53: Applying options for *
debug2: resolving "my_ip" port 22
debug2: ssh_connect_direct: needpriv 0
debug1: Connecting to my_ip [my_ip] port 22.
debug1: Connection established.
debug1: identity file /Users/Me/.ssh/id_rsa type 1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/Me/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/Me/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/Mes/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/Me/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/Me/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/Me/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/Me/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.2
ssh_exchange_identification: read: Connection reset by peer

当我检查我的.ssh文件夹时,id_rsa它在那里,但其他的都没有。从错误来看,我似乎需要以某种方式创建这些文件,但不确定如何执行此操作。

任何帮助,将不胜感激。

答案1

debug1: key_load_public: No such file or directory

上面这一行不是错误,只是简单的调试日志,表示ssh客户端无法找到单独的公钥(名为~/.ssh/id_rsa.pub)。此文件不需要连接到远程服务器,但它很有用。

实际错误

ssh_exchange_identification: read: Connection reset by peer

指向服务器配置错误。服务器正在运行,但无法接受 SSH 连接。检查服务器日志以获取更多信息。类似问题

答案2

问题:堡垒主机 IP 不匹配~/.ssh/known_hosts

我的known_hosts文件很旧,因为堡垒的 IP 地址发生了变化......

$ ssh 10.82.49.24
ssh_exchange_identification: Connection closed by remote host

没有给我任何信息。查看详细的输出会导致同样的结果:

$ ssh -v 10.82.49.24
OpenSSH_7.4p1, LibreSSL 2.5.0
debug1: Reading configuration data /Users/mdesales/.ssh/config
debug1: /Users/mdesales/.ssh/config line 1: Applying options for 10.82.*.*
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Executing proxy command: exec ssh -q -W 10.82.49.24:22 [email protected] -i ~/.ssh/xxxconfig-xxxx.pem
debug1: key_load_public: No such file or directory
debug1: identity file ~/.ssh/xxxconfig-xxxx.pem
debug1: key_load_public: No such file or directory
debug1: identity file ~/.ssh/xxxconfig-xxxx.pem-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.4
debug1: permanently_drop_suid: 1647059022
ssh_exchange_identification: Connection closed by remote host

此时,由于它是通过堡垒到另一台主机的代理,因此我可以看到堡垒存在问题:

$ ssh [email protected] -i ~/.ssh/xxxconfig-xxxx.pem
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ECDSA key sent by the remote host is
SHA256:Z8X1UlIgQ94BKJ7NA/oQi7v0NL4IlFeO7Ou4j76Zphk.
Please contact your system administrator.
Add correct host key in /Users/mdesales/.ssh/known_hosts to get rid of this message.
Offending ECDSA key in /Users/mdesales/.ssh/known_hosts:238
ECDSA host key for [email protected] has changed and you have requested strict checking.
Host key verification failed.

解决方案

删除第 238 行上的条目解决了问题...我可以 ssh 到堡垒,也可以 ssh 到主机。

$ vim /Users/mdesales/.ssh/known_hosts

$ ssh [email protected] -i ~/.ssh/xxxconfig-xxxx.pem
The authenticity of host '[email protected] (34.x.x.y)' can't be established.
ECDSA key fingerprint is SHA256:Z8X1UlIgQ94BKJ7NA/oQi7v0NL4IlFeO7Ou4j76Zphk.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[email protected] -i ~/.ssh/xxxconfig-xxxx.pem,34.213.y.x' (ECDSA) to the list of known hosts.
********************************************************************************
This is a private computer system containing information that is proprietary
and confidential to the owner of the system.  Only individuals or entities
authorized by the owner of the system are allowed to access or use the system.
Any unauthorized access or use of the system or information is strictly
prohibited.

All violators will be prosecuted to the fullest extent permitted by law.
********************************************************************************
Last login: Wed Aug  2 20:35:55 2017 from 10.81.31.115
[ec2-user@ip-10-82-50-142 ~]$ 

答案3

也有同样的问题。她这样决定:

chmod 0600 /home/<user>/.ssh/*

答案4

今天发生在我身上。

通过断开 WLAN 并重新连接来修复。是的,这听起来很愚蠢,而且确实很愚蠢,但至少在一个 WLAN 上,这种情况毫无理由地发生了。

相关内容