Linux

EC2 SSH / SFTP issue

  • February 2, 2013

I have done a lot of searching on this issue but can't find anything particularly relevant.

I have a number of instances spread across regions and grouped into various load balancers. One of these groups is an "API" used by various different applications for common and security-related tasks.

Within the API group we have one instance on an Elastic IP, so that we can reliably use it for crons such as rsync tasks. Someone before me also thought it would be a good idea to hard-code this IP into various applications, in the typical spaghetti-code if/else-forest fashion... long story short, a very important instance.

Two days ago I was suddenly unable to SSH into this guy (it was created over a year ago). The pem key works for all the other instances, which have existed for roughly the same amount of time.

This is the output of a failed connection attempt from the home machine (yesterday) using ssh -v -i path/file.pem user@ip

ssh -v -i <path>/<file>.pem <user>@<ip>
OpenSSH_5.8p1 Debian-7ubuntu1, OpenSSL 1.0.0e 6 Sep 2011
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to <ip> [<ip>] port 22.
debug1: Connection established.
debug1: identity file /home/<user>/.ssh/id_rsa type -1
debug1: identity file /home/<user>/.ssh/id_rsa-cert type -1
debug1: identity file /home/<user>/.ssh/id_dsa type -1
debug1: identity file /home/<user>/.ssh/id_dsa-cert type -1
debug1: identity file /home/<user>/.ssh/id_ecdsa type -1
debug1: identity file /home/<user>/.ssh/id_ecdsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.9p1 Debian-5ubuntu1
debug1: match: OpenSSH_5.9p1 Debian-5ubuntu1 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.8p1 Debian-7ubuntu1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ECDSA 75:43:6d:03:43:f5:89:fa:8d:fe:64:e1:39:9a:73:26
debug1: Host '<ip>' is known and matches the ECDSA host key.
debug1: Found key in /home/<user>/.ssh/known_hosts:78
debug1: ssh_ecdsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: .ssh/<file>.pem
debug1: Authentications that can continue: publickey
debug1: Trying private key: /home/<user>/.ssh/id_rsa
debug1: Trying private key: /home/<user>/.ssh/id_dsa
debug1: Trying private key: /home/<user>/.ssh/id_ecdsa
debug1: No more authentication methods to try.
Permission denied (publickey).

Finally, after hours of searching, I ran ssh -Tvvv -i path/file.pem user@ip and magically got a debug connection to the instance.

This was done on a machine at home. I killed that connection and connected normally. No problem. Connecting from the server at the office was no problem either.

Today I cannot SSH into the instance from the machine at the office, and none of the converted keys work on this instance either (e.g. the ppk key used for FileZilla, etc.)

This is the -v debug output from the work machine (home machine)

ssh -v -i <path>/<file>.pem <user>@<ip>
OpenSSH_5.8p1 Debian-7ubuntu1, OpenSSL 1.0.0e 6 Sep 2011
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to <ip> [<ip>] port 22.
debug1: Connection established.
debug1: identity file /home/<user>/.ssh/<file>.pem type -1
debug1: identity file /home/<user>/.ssh/<file>.pem-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.9p1 Debian-5ubuntu1
debug1: match: OpenSSH_5.9p1 Debian-5ubuntu1 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.8p1 Debian-7ubuntu1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ECDSA 75:43:6d:03:43:f5:89:fa:8d:fe:64:e1:39:9a:73:26
debug1: Host '<ip>' is known and matches the ECDSA host key.
debug1: Found key in /home/<user>/.ssh/known_hosts:78
debug1: ssh_ecdsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: .ssh/<file>.pem
debug1: Authentications that can continue: publickey
debug1: Trying private key: /home/<user>/.ssh/<file>.pem
debug1: read PEM private key done: type RSA
debug1: Authentication succeeded (publickey).
Authenticated to <ip> ([<ip>]:22).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: Remote: Ignored authorized keys: bad ownership or modes for directory /home/<user>
debug1: Sending environment.
debug1: Sending env LANG = en_US.UTF-8
Welcome to blah...

Permissions on the keys are all the same on the instance and on the machines connecting to it.

Does anyone know what can be done to correct this?

Thanks, -David

  • Edit -

This is the -v debug output from the work machine that still cannot establish an SSH connection.

I also recently cleared known hosts on this machine.

ssh -v -i <path>/<file>.pem <user>@<ip>
OpenSSH_6.0p1 Debian-3ubuntu1, OpenSSL 1.0.1c 10 May 2012
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to <ip> [<ip>] port 22.
debug1: Connection established.
debug1: identity file /home/<user>/.ssh/<file>.pem type -1
debug1: identity file /home/<user>/.ssh/<file>.pem-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.9p1 Debian-5ubuntu1
debug1: match: OpenSSH_5.9p1 Debian-5ubuntu1 pat OpenSSH_5*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.0p1 Debian-3ubuntu1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ECDSA 75:43:6d:03:43:f5:89:fa:8d:fe:64:e1:39:9a:73:26
debug1: Host '<ip>' is known and matches the ECDSA host key.
debug1: Found key in /home/<user>/.ssh/known_hosts:1
debug1: ssh_ecdsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /home/<user>/.ssh/<file>.pem
debug1: read PEM private key done: type RSA
debug1: Authentications that can continue: publickey
debug1: No more authentication methods to try.
Permission denied (publickey).

I want to reiterate that, regardless of whether an ssh connection can be established, none of the converted keys work for sftp. Specifically the .ppk key converted for use in FileZilla. Again, the .ppk works for every other instance except the problem child... and it used to work here too.

–Edit 2–

The machine I was able to connect from has been rebooted, and I can no longer connect.

Here is your problem:

debug1: Remote: Ignored authorized keys: bad ownership or modes for directory /home/<user>

Your user's home directory must not be group- or world-writable, and the .ssh directory and .ssh/authorized_keys should be readable only by the user. Once you fix the permissions you should find your login works again.

In my experience I have learned to kill misbehaving ec2 instances with extreme prejudice. Since your key works on your other instances but not on this particular one, I would chalk it up to a messed-up instance. If you really need the data on that server, you can always shut it down, attach the EBS volume to another instance, and perform the recovery from there.
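As an added example (my own script, not code from the thread), here is a small POSIX shell script that reproduces the checks behind the "bad ownership or modes" diagnostic: with StrictModes (sshd's default), the home directory, ~/.ssh and ~/.ssh/authorized_keys must each be owned by the user or root and must not be writable by group or others, or sshd silently ignores the key file and the client only ever sees "Permission denied (publickey)". The script builds a throwaway home directory with the group-writable home reported above, shows the check failing, applies the conventional fix and shows it passing. It assumes a find(1) that accepts -maxdepth and symbolic -perm modes (GNU and BSD both do).

```shell
#!/bin/sh
# Added example, not from the original thread: reproduce the ownership and
# mode checks that sshd performs (StrictModes yes, the default) before it will
# trust ~/.ssh/authorized_keys, then apply the conventional fix.
# Every component of the chain HOME, HOME/.ssh, HOME/.ssh/authorized_keys must
# be owned by the user or root and must not be writable by group or others;
# otherwise the client sees "Ignored authorized keys: bad ownership or modes".
# Assumes find(1) accepts -maxdepth and symbolic -perm modes (GNU and BSD do).

# Report and return 1 if PATH ($1) fails the rule for USER ($2), else return 0.
check_path() {
    p=$1; u=$2
    if [ ! -e "$p" ]; then
        echo "missing: $p"; return 1
    fi
    if [ -z "$(find "$p" -maxdepth 0 \( -user "$u" -o -user root \) -print)" ]; then
        echo "bad owner: $p (must belong to $u or root)"; return 1
    fi
    if [ -n "$(find "$p" -maxdepth 0 \( -perm -g+w -o -perm -o+w \) -print)" ]; then
        echo "bad modes: $p is group- or world-writable"; return 1
    fi
    return 0
}

# Walk the chain sshd walks; return 0 only if every component passes.
check_strict_modes() {
    home=$1; u=$2; rc=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        check_path "$p" "$u" || rc=1
    done
    return $rc
}

# Conventional fix. Ownership is reported, not changed: chown needs root and
# the correct uid, which differs when the volume is mounted on another instance.
fix_strict_modes() {
    home=$1
    chmod go-w "$home"
    chmod 700 "$home/.ssh"
    chmod 600 "$home/.ssh/authorized_keys"
}

# Constructed demo: a throwaway home directory with a group-writable home,
# the condition reported in the thread.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/home/.ssh"
    : > "$tmp/home/.ssh/authorized_keys"
    chmod 775 "$tmp/home"                     # group-writable: sshd refuses
    chmod 700 "$tmp/home/.ssh"
    chmod 600 "$tmp/home/.ssh/authorized_keys"
    me=$(id -un)

    echo "--- before fix ---"
    check_strict_modes "$tmp/home" "$me" && echo "ok" || echo "sshd would ignore authorized_keys"
    fix_strict_modes "$tmp/home"
    echo "--- after fix ---"
    check_strict_modes "$tmp/home" "$me" && echo "ok" || echo "still broken"
    rm -rf "$tmp"
}

demo
```

On a live box, run check_strict_modes /home/<user> <user> as root to see exactly which component sshd objects to (sshd logs the same verdict in its auth log, which is worth reading before rebooting anything). The same function can be pointed at a volume attached to a rescue instance, e.g. check_strict_modes /mnt/recover/home/<user> <user>, with the caveat that the -user test resolves names through the rescue instance's passwd file, so ownership there is better compared by uid.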

Source: https://serverfault.com/questions/474821