Ssh

Why do I get ssh Permission denied (publickey)?

  • January 31, 2014

I have two machines on Google Compute Engine and I want to ssh from one to the other. So on the first machine (namenode) I created a passwordless ssh key for the user hadoop and ran cat id_rsa.pub >> authorized_keys. On the second machine (datanode1) there is also a user named hadoop. The hadoop user on the second machine has an empty ~/.ssh directory.

When I now try to ssh from the first machine to the second, I get:

hadoop@namenode:~/.ssh$ ssh -v hadoop@datanode1
OpenSSH_6.0p1 Debian-4, OpenSSL 1.0.1e 11 Feb 2013
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to datanode1 [10.240.223.55] port 22.
debug1: Connection established.
debug1: identity file /home/hadoop/.ssh/id_rsa type 1
debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-2048
debug1: Checking blacklist file /etc/ssh/blacklist.RSA-2048
debug1: identity file /home/hadoop/.ssh/id_rsa-cert type -1
debug1: identity file /home/hadoop/.ssh/id_dsa type -1
debug1: identity file /home/hadoop/.ssh/id_dsa-cert type -1
debug1: identity file /home/hadoop/.ssh/id_ecdsa type -1
debug1: identity file /home/hadoop/.ssh/id_ecdsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.0p1 Debian-4
debug1: match: OpenSSH_6.0p1 Debian-4 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.0p1 Debian-4
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ECDSA 10:54:3e:ec:07:58:48:85:28:40:90:43:e1:8f:3d:f0
debug1: Host 'datanode1' is known and matches the ECDSA host key.
debug1: Found key in /home/hadoop/.ssh/known_hosts:1
debug1: ssh_ecdsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/hadoop/.ssh/id_rsa
debug1: Authentications that can continue: publickey
debug1: Trying private key: /home/hadoop/.ssh/id_dsa
debug1: Trying private key: /home/hadoop/.ssh/id_ecdsa
debug1: No more authentication methods to try.
Permission denied (publickey).

I don't understand what is going on here.

Update: I did copy id_rsa.pub into the authorized_keys file on the target server. But now I get the following error:

hadoop@namenode:~/.ssh$ ssh datanode1
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@       WARNING: POSSIBLE DNS SPOOFING DETECTED!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
The ECDSA host key for datanode1 has changed,
and the key for the corresponding IP address 10.240.226.88
is unknown. This could either mean that
DNS SPOOFING is happening or the IP address for the host
and its host key have changed at the same time.
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ECDSA key sent by the remote host is
9f:8d:07:09:a9:67:63:b4:b9:2b:f5:39:ed:ef:55:d6.
Please contact your system administrator.
Add correct host key in /home/hadoop/.ssh/known_hosts to get rid of this message.
Offending ECDSA key in /home/hadoop/.ssh/known_hosts:1
ECDSA host key for datanode1 has changed and you have requested strict checking.
Host key verification failed.

Adding "StrictHostKeyChecking=no" to /etc/ssh/ssh_config fixed this.
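The warning in the update names the stale entry ("Offending ECDSA key in /home/hadoop/.ssh/known_hosts:1") and the fingerprint of the new key. As an added example, not code from the post or from OpenSSH, the POSIX sh below removes only that host's known_hosts entry so that the next connection records the new key while StrictHostKeyChecking stays on (set to no, that option disables host key verification for every host), and compares the fingerprint the client printed with one obtained from the server's administrator. The known_hosts content, its placeholder key material and the function names are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the original post: handle the host-key change
# from the update by dropping the stale known_hosts entry for one host instead
# of turning StrictHostKeyChecking off. The sample known_hosts content below is
# constructed and its key material is not real.

# Awk helper shared by both functions: entry_for(host, line) is 1 when LINE is
# a plain known_hosts entry whose hostname list contains HOST. Hostname lists
# are comma separated ("datanode1,10.240.223.55"); a leading @marker
# (@cert-authority, @revoked) shifts the list to the second field; hashed
# entries ("|1|...") are skipped because the name cannot be read back.
KH_AWK='
function entry_for(host, line,   n, f, names, i, hosts) {
    if (line ~ /^[ \t]*#/ || line ~ /^[ \t]*$/) return 0
    n = split(line, f, " ")
    hosts = (f[1] ~ /^@/) ? f[2] : f[1]
    if (substr(hosts, 1, 3) == "|1|") return 0
    n = split(hosts, names, ",")
    for (i = 1; i <= n; i++) if (names[i] == host) return 1
    return 0
}'

# known_hosts_lines HOST FILE: prints the line numbers of entries for HOST.
known_hosts_lines() {
    awk -v host="$1" "$KH_AWK"' entry_for(host, $0) { print NR }' "$2"
}

# remove_known_host HOST FILE: drops every entry for HOST, keeping the old
# file as FILE.old (what ssh-keygen -R does for unhashed files). Returns 1 and
# leaves FILE untouched when there is nothing to remove.
remove_known_host() {
    host=$1
    file=$2
    [ -n "$(known_hosts_lines "$host" "$file")" ] ||
        { echo "no entry for $host in $file" >&2; return 1; }
    cp -p "$file" "$file.old"
    awk -v host="$host" "$KH_AWK"' !entry_for(host, $0) { print }' "$file.old" > "$file"
}

# fingerprint_matches SHOWN EXPECTED: case-insensitive comparison of the
# fingerprint the client printed with the one read on the server itself
# (e.g. ssh-keygen -lf /etc/ssh/ssh_host_ecdsa_key.pub run on datanode1).
fingerprint_matches() {
    [ "$(printf '%s' "$1" | tr 'A-F' 'a-f')" = "$(printf '%s' "$2" | tr 'A-F' 'a-f')" ]
}

# Constructed known_hosts standing in for /home/hadoop/.ssh/known_hosts.
make_sample_known_hosts() {
    cat > "$1" <<'EOF'
# constructed sample; keys are placeholders
datanode1,10.240.223.55 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYEXAMPLE1
|1|saltsaltsaltsalt=|hashhashhashhash= ecdsa-sha2-nistp256 AAAAE2VjZHNhEXAMPLE2
@cert-authority namenode ssh-rsa AAAAB3NzaC1yc2EEXAMPLE3
othernode ssh-rsa AAAAB3NzaC1yc2EEXAMPLE4
EOF
}

# Stand-alone demo in a temp dir; nothing under ~/.ssh is touched.
demo=$(mktemp -d)
make_sample_known_hosts "$demo/known_hosts"
echo "datanode1 is on line(s): $(known_hosts_lines datanode1 "$demo/known_hosts")"
remove_known_host datanode1 "$demo/known_hosts" && cat "$demo/known_hosts"
rm -rf "$demo"
```

After the entry is gone, the next ssh to datanode1 prompts for the new key once, and the fingerprint it shows can be compared with fingerprint_matches against the value read on the server's own console.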

Your SSH public key needs to be copied to the target server, not the source server.

  • Create an SSH key on the server you are connecting from
  • Cat the ~/.ssh/id_rsa.pub file you just created
  • Copy this key into the ~/.ssh/authorized_keys file on the server you will connect to
  • Check that the permissions on ~/.ssh/authorized_keys are set to 0600
  • Depending on your operating system you can also use the ssh-copy-id helper application (I have no direct experience with Google Compute, so this may not apply to you).

A good way (for me at least) to remember how SSH key authentication works is this:

  • The computer you are connecting from reads the private key (e.g. ~/.ssh/id_rsa) and generates the public key to forward to the receiving machine.
  • The key file generated when you create the key (e.g. ~/.ssh/id_rsa.pub) is for reference only and can be recreated/computed if you have the private key.
  • Therefore your private key should never be shared.
  • The ~/.ssh/authorized_keys file is a kind of "whitelist". It lists all public key signatures that are allowed to connect to that user account.
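The steps in this answer as an added example in POSIX sh (not code from the answer's author or from OpenSSH): it appends a client's public key line to a target account's ~/.ssh/authorized_keys without duplicating it, sets the modes the permission step asks for, and checks them, since with sshd's default StrictModes a group- or world-writable file or directory makes sshd ignore authorized_keys and the client only sees "Permission denied (publickey)". The key line, the account directory and the function names are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the original post or its answerer: the answer's
# steps (append the client's id_rsa.pub to the target account's
# ~/.ssh/authorized_keys, then make sure the modes are right) as a checked,
# idempotent procedure. Every path and the key line are constructed.

# Constructed sample public key line; this is NOT a real key. On a real system
# it is the single line in ~/.ssh/id_rsa.pub on the machine you connect FROM.
SAMPLE_PUBKEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDEXAMPLEKEYDATA hadoop@namenode'

# mode_is PATH OCTAL -> 0 when PATH's permission bits are exactly OCTAL.
# POSIX find's -perm with a plain octal mode matches the bits exactly.
mode_is() {
    [ -n "$(find "$1" -prune -perm "$2" 2>/dev/null)" ]
}

# install_authorized_key PUBKEY_LINE TARGET_HOME
# Creates TARGET_HOME/.ssh (0700) if missing, appends PUBKEY_LINE to
# authorized_keys unless the identical line is already there, and sets the
# file to 0600. Running it twice leaves exactly one copy of the key.
install_authorized_key() {
    pubkey=$1
    sshdir="$2/.ssh"
    authfile="$sshdir/authorized_keys"

    mkdir -p "$sshdir" && chmod 700 "$sshdir"
    [ -f "$authfile" ] || : > "$authfile"
    # -F literal, -x whole line, -q quiet: skip the append on a duplicate
    grep -Fxq "$pubkey" "$authfile" || printf '%s\n' "$pubkey" >> "$authfile"
    chmod 600 "$authfile"
}

# check_authorized_keys TARGET_HOME
# Returns 0 when ~/.ssh is 0700 and authorized_keys is 0600, the layout the
# answer's permission step asks for. With sshd's default StrictModes, a
# group/world-writable file or directory makes sshd ignore authorized_keys,
# which the client only sees as "Permission denied (publickey)".
check_authorized_keys() {
    sshdir="$1/.ssh"
    authfile="$sshdir/authorized_keys"
    ok=0
    [ -d "$sshdir" ] || { echo "missing $sshdir" >&2; return 1; }
    [ -f "$authfile" ] || { echo "missing $authfile" >&2; return 1; }
    mode_is "$sshdir" 700 || { echo "$sshdir should be 0700" >&2; ok=1; }
    mode_is "$authfile" 600 || { echo "$authfile should be 0600" >&2; ok=1; }
    return $ok
}

# Stand-alone demo against a throwaway directory standing in for /home/hadoop
# on datanode1; nothing outside the temp dir is touched.
demo_home=$(mktemp -d)/hadoop
install_authorized_key "$SAMPLE_PUBKEY" "$demo_home"
install_authorized_key "$SAMPLE_PUBKEY" "$demo_home"   # second run: no duplicate
if check_authorized_keys "$demo_home"; then
    echo "authorized_keys installed with correct modes:"
    cat "$demo_home/.ssh/authorized_keys"
fi
rm -rf "$(dirname "$demo_home")"
```

On the real target, run install_authorized_key with the hadoop account's home directory and the line from the client's id_rsa.pub; check_authorized_keys is also a quick first thing to run when a key that was copied correctly is still refused.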

Source: https://serverfault.com/questions/571158