Ssh

SSH public key login fails, with no pattern

  • July 7, 2016

(Previously posted on stackoverflow by mistake)

I am running a bunch of servers with Ubuntu 14.04.1 (sun, hyperion, …), all of which rsync using public keys (OpenSSH_6.6.1, OpenSSL 1.0.1f 6 Jan 2014 on all machines) without problems. Almost all the time…

One connection fails, without any change to the configuration or the keys. Then I try re-adding the key, checking ECDSA, restarting/rebooting ssh, and it works again. Or it doesn't. In that case I just wait a random amount of time (1 hour to 3 months) and do the same thing. This time it solves the problem - for a while.

The relevant part of the ssh -vvv diff:

Successful connection

debug1: Host 'hyperion.internal' is known and matches the ECDSA host key.
debug1: Found key in /home/bar/.ssh/known_hosts:20
debug1: ssh_ecdsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /home/bar/.ssh/id_rsa (0x7f..),
debug2: key: /home/bar/.ssh/id_dsa ((nil)),
debug2: key: /home/bar/.ssh/id_ecdsa ((nil)),
debug2: key: /home/bar/.ssh/id_ed25519 ((nil)),
debug1: Authentications that can continue: publickey,password
debug3: start over, passed a different list publickey,password
debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/bar/.ssh/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Server accepts key: pkalg ssh-rsa blen 279
debug2: input_userauth_pk_ok: fp 95:...
debug3: sign_and_send_pubkey: RSA 95:...
debug1: key_parse_private2: missing begin marker
debug1: read PEM private key done: type RSA
debug1: Authentication succeeded (publickey).
Authenticated to hyperion.internal ([172.16.0.10]:22).

Failed connection

debug1: Host 'hyperion.internal' is known and matches the ECDSA host key.
debug1: Found key in /home/bar/.ssh/known_hosts:20
debug1: ssh_ecdsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /home/bar/.ssh/id_rsa (0x7f..),
debug2: key: /home/bar/.ssh/id_dsa ((nil)),
debug2: key: /home/bar/.ssh/id_ecdsa ((nil)),
debug2: key: /home/bar/.ssh/id_ed25519 ((nil)),
debug1: Authentications that can continue: publickey,password
debug3: start over, passed a different list publickey,password
debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/bar/.ssh/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,password
debug1: Trying private key: /home/bar/.ssh/id_dsa
debug3: no such identity: /home/bar/.ssh/id_dsa: No such file or directory
debug1: Trying private key: /home/bar/.ssh/id_ecdsa
debug3: no such identity: /home/bar/.ssh/id_ecdsa: No such file or directory
debug1: Trying private key: /home/bar/.ssh/id_ed25519
debug3: no such identity: /home/bar/.ssh/id_ed25519: No such file or directory
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred: ,password
debug3: authmethod_is_enabled password
debug1: Next authentication method: password

Things I have checked several times:

  • permissions on .ssh/ and id_rsa on all machines
  • I am using the right keys
  • ssh-copy-id -i /home/bar/.ssh/id_rsa europa@hyperion.internal copied the right key into the right authorized_hosts file

What did not really help, but added to the voodoo/heisenbug effect:

  • rebooting the machines
  • restarting the ssh service
  • fiddling with global ssh options

I have pasted the full log, with some information redacted, on pastebin: wall of logs

Problem solved, and it had nothing to do with ssh at all:

hyperion.internal has an encrypted home, so when it is not mounted to /home/europe.

Fairly obvious in hindsight, but it explains the heisenbug effect of it not failing while watching the logs on the machine (being logged in, of course…)

Hope this helps at least some others.

debug1: Offering RSA public key: /home/bar/.ssh/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,password

This indicates that the server is not accepting your private key. Unfortunately, the server does not give the client any further details about why it is not accepting the key, so you really need to troubleshoot this on the server.

I would start by checking the system logs in /var/log on the server for any messages from sshd indicating why it rejected the authentication attempt.

If you have root access on the remote server, you can run a debugging instance of sshd and then connect to it with the client. On the remote server, become root and run /path/to/sshd -d -p 2222. This starts an sshd instance listening on port 2222. It will accept one connection and print debugging information to your terminal.

Then, on the client, run ssh as normal, but include -p 2222 to connect to the right port. If the login fails, look at the debugging output printed by the server.
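The two lessons of this thread are that the client transcript only tells you the server said no (a "Server accepts key" line is present on success and absent on failure), and that the real cause lives on the server, here an encrypted home that was not mounted, so sshd could not read authorized_keys at all. The script below is an added example, not code from the question or the answer: it classifies a saved ssh -vvv transcript by that marker and runs the server-side readability and permission checks that sshd's StrictModes applies. The fixture transcripts are abridged from the ones quoted above, the home directories are constructed in a temp dir, and the "unmounted ecryptfs home" test (looking for the Access-Your-Private-Data.desktop placeholder with no .ssh directory) is a heuristic assumption for Ubuntu encrypted homes.

```shell
#!/bin/sh
# Added example (not from the original post).
# 1) classify_pubkey_auth: did the server actually accept the offered key?
# 2) check_authorized_keys: can sshd read the user's authorized_keys, and
#    are home/.ssh/authorized_keys strict enough for StrictModes?

# Usage: classify_pubkey_auth /path/to/ssh-vvv.log
# Prints one of: accepted | rejected-by-server | not-offered
classify_pubkey_auth() {
    log="$1"
    if grep -q 'Server accepts key' "$log"; then
        echo accepted
    elif grep -q 'Offering .*public key' "$log"; then
        # Key was offered, but the next reply was another
        # "Authentications that can continue": the server refused it.
        echo rejected-by-server
    else
        echo not-offered
    fi
}

# Usage: check_authorized_keys /home/europa   (run on the server)
# Returns 0 and prints OK, or returns 1 with the first problem found.
check_authorized_keys() {
    home="$1"
    ak="$home/.ssh/authorized_keys"
    status=0
    if [ ! -d "$home" ]; then
        echo "FAIL: home directory $home does not exist"; return 1
    fi
    # Heuristic (assumption): an Ubuntu ecryptfs home that is not mounted
    # shows only placeholder files and has no .ssh directory.
    if [ ! -d "$home/.ssh" ] && [ -e "$home/Access-Your-Private-Data.desktop" ]; then
        echo "FAIL: $home looks like an unmounted encrypted home"; return 1
    fi
    if [ ! -r "$ak" ]; then
        echo "FAIL: $ak is missing or unreadable"; return 1
    fi
    # sshd with StrictModes rejects the key when the home, .ssh or the file
    # itself is group- or world-writable (mode chars 6 and 9 of ls -ld).
    for p in "$home" "$home/.ssh" "$ak"; do
        mode=$(ls -ld "$p" | cut -c1-10)
        case "$mode" in
            ?????w*|????????w*)
                echo "FAIL: $p is group- or world-writable ($mode)"; status=1 ;;
        esac
    done
    [ "$status" -eq 0 ] && echo "OK: $ak is readable and permissions are strict"
    return "$status"
}

# Constructed fixtures in a temp dir; prints the dir path.
#   ok.log / fail.log  : abridged from the transcripts quoted on this page
#   goodhome / badhome : a strict .ssh and a world-writable one
make_fixtures() {
    dir=$(mktemp -d)
    cat > "$dir/ok.log" <<'EOF'
debug1: Offering RSA public key: /home/bar/.ssh/id_rsa
debug2: we sent a publickey packet, wait for reply
debug1: Server accepts key: pkalg ssh-rsa blen 279
debug1: Authentication succeeded (publickey).
EOF
    cat > "$dir/fail.log" <<'EOF'
debug1: Offering RSA public key: /home/bar/.ssh/id_rsa
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,password
debug2: we did not send a packet, disable method
debug1: Next authentication method: password
EOF
    mkdir -p "$dir/goodhome/.ssh" "$dir/badhome/.ssh"
    echo "ssh-rsa AAAA...constructed-key... europa@sun" > "$dir/goodhome/.ssh/authorized_keys"
    cp "$dir/goodhome/.ssh/authorized_keys" "$dir/badhome/.ssh/"
    chmod 755 "$dir/goodhome" && chmod 700 "$dir/goodhome/.ssh"
    chmod 600 "$dir/goodhome/.ssh/authorized_keys"
    chmod 777 "$dir/badhome/.ssh"   # world-writable: StrictModes rejects this
    echo "$dir"
}

dir=$(make_fixtures)
classify_pubkey_auth "$dir/ok.log"             # accepted
classify_pubkey_auth "$dir/fail.log"           # rejected-by-server
check_authorized_keys "$dir/goodhome"          # OK
check_authorized_keys "$dir/badhome" || true   # FAIL (group/world-writable)
rm -rf "$dir"
```

Run the second function on the server as root (or as the affected user) against the real home; a missing or unreadable authorized_keys, or a home that contains only the ecryptfs placeholder files, is the condition the question's author eventually found, and it is also what the sshd -d -p 2222 session from the answer would report on its side.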

Quoted from: https://serverfault.com/questions/641127