EC2 SSH / SFTP 問題
我在這個問題上做了很多搜尋,但找不到任何特別相關的東西。
我有許多跨區域分佈的實例並分組到各種負載均衡器中。其中一組是由各種不同應用程序用於常見和安全任務的“API”。
在 API 組中,我們有一個使用彈性 IP 的實例,因此我們可以可靠地將 crons 用於 rsync 等任務。在我之前的某個人也認為將這個 IP 硬編碼到典型意大利麵條中的各種應用程序中是個好主意程式碼 if else 森林時尚……長話短說,非常重要的例子。
兩天前,我突然無法通過 SSH 連接到這個人(它是一年多前創建的)。pem 密鑰適用於所有其他實例,這些實例已經存在了相對相同的時間。
這是家用機器(昨天)嘗試使用ssh -v -i path/file.pem user@ip連接失敗的輸出
ssh -v -i <path>/<file>.pem <user>@<ip> OpenSSH_5.8p1 Debian-7ubuntu1, OpenSSL 1.0.0e 6 Sep 2011 debug1: Reading configuration data /etc/ssh/ssh_config debug1: Applying options for * debug1: Connecting to <ip> [<ip>] port 22. debug1: Connection established. debug1: identity file /home/<user>/.ssh/id_rsa type -1 debug1: identity file /home/<user>/.ssh/id_rsa-cert type -1 debug1: identity file /home/<user>/.ssh/id_dsa type -1 debug1: identity file /home/<user>/.ssh/id_dsa-cert type -1 debug1: identity file /home/<user>/.ssh/id_ecdsa type -1 debug1: identity file /home/<user>/.ssh/id_ecdsa-cert type -1 debug1: Remote protocol version 2.0, remote software version OpenSSH_5.9p1 Debian-5ubuntu1 debug1: match: OpenSSH_5.9p1 Debian-5ubuntu1 pat OpenSSH* debug1: Enabling compatibility mode for protocol 2.0 debug1: Local version string SSH-2.0-OpenSSH_5.8p1 Debian-7ubuntu1 debug1: SSH2_MSG_KEXINIT sent debug1: SSH2_MSG_KEXINIT received debug1: kex: server->client aes128-ctr hmac-md5 none debug1: kex: client->server aes128-ctr hmac-md5 none debug1: sending SSH2_MSG_KEX_ECDH_INIT debug1: expecting SSH2_MSG_KEX_ECDH_REPLY debug1: Server host key: ECDSA 75:43:6d:03:43:f5:89:fa:8d:fe:64:e1:39:9a:73:26 debug1: Host '<ip>' is known and matches the ECDSA host key. debug1: Found key in /home/<user>/.ssh/known_hosts:78 debug1: ssh_ecdsa_verify: signature correct debug1: SSH2_MSG_NEWKEYS sent debug1: expecting SSH2_MSG_NEWKEYS debug1: SSH2_MSG_NEWKEYS received debug1: Roaming not allowed by server debug1: SSH2_MSG_SERVICE_REQUEST sent debug1: SSH2_MSG_SERVICE_ACCEPT received debug1: Authentications that can continue: publickey debug1: Next authentication method: publickey debug1: Offering RSA public key: .ssh/<file>.pem debug1: Authentications that can continue: publickey debug1: Trying private key: /home/<user>/.ssh/id_rsa debug1: Trying private key: /home/<user>/.ssh/id_dsa debug1: Trying private key: /home/<user>/.ssh/id_ecdsa debug1: No more authentication methods to try. Permission denied (publickey).
最後,在搜尋了幾個小時後,我執行了ssh -Tvvv -i path/file.pem user@ip並神奇地與實例建立了調試連接。
這是在家裡的一台機器上完成的。我終止了連接,並正常連接。沒問題。從辦公室的伺服器連接沒有問題。
今天我無法從辦公室的機器上通過 SSH 連接到實例,所有轉換後的密鑰也不能在這個實例上工作(例如,用於 filezilla 的 ppk 密鑰等)
這是來自工作機器(家用機器)的 -v 調試輸出
ssh -v -i <path>/<file>.pem <user>@<ip> OpenSSH_5.8p1 Debian-7ubuntu1, OpenSSL 1.0.0e 6 Sep 2011 debug1: Reading configuration data /etc/ssh/ssh_config debug1: Applying options for * debug1: Connecting to <ip> [<ip>] port 22. debug1: Connection established. debug1: identity file /home/<user>/.ssh/<file>.pem type -1 debug1: identity file /home/<user>/.ssh/<file>.pem-cert type -1 debug1: Remote protocol version 2.0, remote software version OpenSSH_5.9p1 Debian-5ubuntu1 debug1: match: OpenSSH_5.9p1 Debian-5ubuntu1 pat OpenSSH* debug1: Enabling compatibility mode for protocol 2.0 debug1: Local version string SSH-2.0-OpenSSH_5.8p1 Debian-7ubuntu1 debug1: SSH2_MSG_KEXINIT sent debug1: SSH2_MSG_KEXINIT received debug1: kex: server->client aes128-ctr hmac-md5 none debug1: kex: client->server aes128-ctr hmac-md5 none debug1: sending SSH2_MSG_KEX_ECDH_INIT debug1: expecting SSH2_MSG_KEX_ECDH_REPLY debug1: Server host key: ECDSA 75:43:6d:03:43:f5:89:fa:8d:fe:64:e1:39:9a:73:26 debug1: Host '<ip>' is known and matches the ECDSA host key. debug1: Found key in /home/<user>/.ssh/known_hosts:78 debug1: ssh_ecdsa_verify: signature correct debug1: SSH2_MSG_NEWKEYS sent debug1: expecting SSH2_MSG_NEWKEYS debug1: SSH2_MSG_NEWKEYS received debug1: Roaming not allowed by server debug1: SSH2_MSG_SERVICE_REQUEST sent debug1: SSH2_MSG_SERVICE_ACCEPT received debug1: Authentications that can continue: publickey debug1: Next authentication method: publickey debug1: Offering RSA public key: .ssh/<file>.pem debug1: Authentications that can continue: publickey debug1: Trying private key: /home/<user>/.ssh/<file>.pem debug1: read PEM private key done: type RSA debug1: Authentication succeeded (publickey). Authenticated to <ip> ([<ip>]:22). debug1: channel 0: new [client-session] debug1: Requesting no-more-sessions@openssh.com debug1: Entering interactive session. debug1: Remote: Ignored authorized keys: bad ownership or modes for directory /home/<user> debug1: Sending environment. debug1: Sending env LANG = en_US.UTF-8 Welcome to blah...
在實例和連接到實例的機器上,密鑰的所有權限都是相同的。
有誰知道可以做些什麼來糾正這個問題?
謝謝,-大衛
- 編輯 -
這是仍然無法建立 SSH 連接的工作機器的 -v 調試輸出。
我最近還清除了這台機器上的已知主機。
ssh -v -i <path>/<file>.pem <user>@<ip> OpenSSH_6.0p1 Debian-3ubuntu1, OpenSSL 1.0.1c 10 May 2012 debug1: Reading configuration data /etc/ssh/ssh_config debug1: /etc/ssh/ssh_config line 19: Applying options for * debug1: Connecting to <ip> [<ip>] port 22. debug1: Connection established. debug1: identity file /home/<user>/.ssh/<file>.pem type -1 debug1: identity file /home/<user>/.ssh/<file>.pem-cert type -1 debug1: Remote protocol version 2.0, remote software version OpenSSH_5.9p1 Debian-5ubuntu1 debug1: match: OpenSSH_5.9p1 Debian-5ubuntu1 pat OpenSSH_5* debug1: Enabling compatibility mode for protocol 2.0 debug1: Local version string SSH-2.0-OpenSSH_6.0p1 Debian-3ubuntu1 debug1: SSH2_MSG_KEXINIT sent debug1: SSH2_MSG_KEXINIT received debug1: kex: server->client aes128-ctr hmac-md5 none debug1: kex: client->server aes128-ctr hmac-md5 none debug1: sending SSH2_MSG_KEX_ECDH_INIT debug1: expecting SSH2_MSG_KEX_ECDH_REPLY debug1: Server host key: ECDSA 75:43:6d:03:43:f5:89:fa:8d:fe:64:e1:39:9a:73:26 debug1: Host '<ip>' is known and matches the ECDSA host key. debug1: Found key in /home/<user>/.ssh/known_hosts:1 debug1: ssh_ecdsa_verify: signature correct debug1: SSH2_MSG_NEWKEYS sent debug1: expecting SSH2_MSG_NEWKEYS debug1: SSH2_MSG_NEWKEYS received debug1: Roaming not allowed by server debug1: SSH2_MSG_SERVICE_REQUEST sent debug1: SSH2_MSG_SERVICE_ACCEPT received debug1: Authentications that can continue: publickey debug1: Next authentication method: publickey debug1: Trying private key: /home/<user>/.ssh/<file>.pem debug1: read PEM private key done: type RSA debug1: Authentications that can continue: publickey debug1: No more authentication methods to try. Permission denied (publickey).
我想重申,儘管是否可以建立 ssh 連接,但所有轉換後的密鑰都不適用於 sftp。特別是 .ppk 密鑰轉換為在 filezilla 中使用。同樣,.ppk 適用於除問題子項之外的所有其他實例……並且以前也適用。
–編輯2–
我能夠連接的機器已重新啟動,但我無法再連接。
這是你的問題:
debug1: Remote: Ignored authorized keys: bad ownership or modes for directory /home/<user>
您的使用者的主目錄可能不是組或全域可寫的,並且該
.ssh
目錄.ssh/authorized_keys
可能只能由使用者讀取。修復權限後,您應該會發現您的登錄名再次正常工作。
根據我的經驗,我學會了以極端的偏見殺死行為不端的 ec2 實例。由於您的密鑰適用於您的其他實例而不是此特定實例,因此我會將其歸為一個混亂的實例。如果您確實需要該伺服器上的數據,您可以隨時將其關閉並將 ebs 卷安裝到另一個實例上,然後從那裡執行恢復。