Ubuntu

使用 DNS 名稱而不是 IP 地址時,無法使用 SSH 登錄,並且 SSH 主機密鑰不同

  • May 21, 2017

我剛剛重新啟動了我的 Ubuntu 16.04 伺服器並開始收到錯誤“警告:遠端主機標識已更改!” 嘗試使用 DNS 名稱 ssh 時ssh me@myserver.lan。我最初只是從 known_hosts 中刪除了條目並再次嘗試,但我意識到它實際上根本不接受我的密碼。

使用ssh me@192.168.1.2IP 地址仍然有效,甚至我的無密碼登錄仍然有效。

這是 的輸出nslookup myserver.lan,顯示 DNS 正在返回正確的地址:

Server:     192.168.1.2
Address:    192.168.1.2#53

Name:   myserver.lan
Address: 192.168.1.2

這是 `ssh me@192.168.1.2’ 的詳細輸出,它成功了:

OpenSSH_6.9p1, LibreSSL 2.1.8
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 21: Applying options for *
debug1: /etc/ssh/ssh_config line 56: Applying options for *
debug1: Connecting to 192.168.1.2 [192.168.1.2] port 22.
debug1: Connection established.
debug1: identity file /Users/jimbo/.ssh/id_rsa type 1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/jimbo/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/jimbo/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/jimbo/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/jimbo/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/jimbo/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/jimbo/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/jimbo/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.9
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.2p2 Ubuntu-4ubuntu2.1
debug1: match: OpenSSH_7.2p2 Ubuntu-4ubuntu2.1 pat OpenSSH* compat 0x04000000
debug1: Authenticating to 192.168.1.2:22 as 'me'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client chacha20-poly1305@openssh.com <implicit> none
debug1: kex: client->server chacha20-poly1305@openssh.com <implicit> none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:ZOO3YXwox2kHpLokBRXzPvuUFPOrposhAgnpQCaZ5+I
The authenticity of host '192.168.1.2 (192.168.1.2)' can't be established.
ECDSA key fingerprint is SHA256:ZOO3YXwox2kHpLokBRXzPvuUFPOrposhAgnpQCaZ5+I.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.1.2' (ECDSA) to the list of known hosts.
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /Users/jimbo/.ssh/id_rsa
debug1: Server accepts key: pkalg ssh-rsa blen 279
debug1: Authentication succeeded (publickey).
Authenticated to 192.168.1.2 ([192.168.1.2]:22).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: client_input_global_request: rtype hostkeys-00@openssh.com want_reply 0
debug1: Sending environment.
debug1: Sending env LANG = en_GB.UTF-8
Welcome to Ubuntu 16.04.2 LTS (GNU/Linux 4.4.0-78-generic x86_64)

這是 的詳細輸出ssh me@myserver.lan,它失敗了,並且無法辨識我的密碼:

OpenSSH_6.9p1, LibreSSL 2.1.8
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 21: Applying options for *
debug1: /etc/ssh/ssh_config line 56: Applying options for *
debug1: Connecting to myserver.lan [::1] port 22.
debug1: Connection established.
debug1: identity file /Users/jimbo/.ssh/id_rsa type 1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/jimbo/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/jimbo/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/jimbo/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/jimbo/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/jimbo/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/jimbo/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/jimbo/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.9
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.9
debug1: match: OpenSSH_6.9 pat OpenSSH* compat 0x04000000
debug1: Authenticating to myserver.lan:22 as 'me'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client chacha20-poly1305@openssh.com <implicit> none
debug1: kex: client->server chacha20-poly1305@openssh.com <implicit> none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:WDp/1JiHcWk6Lpcgfrl+/pDbSmdFxVTZFDfVhTEqBCg
debug1: Host 'myserver.lan' is known and matches the ECDSA host key.
debug1: Found key in /Users/jimbo/.ssh/known_hosts:5
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /Users/jimbo/.ssh/id_rsa
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Trying private key: /Users/jimbo/.ssh/id_dsa
debug1: Trying private key: /Users/jimbo/.ssh/id_ecdsa
debug1: Trying private key: /Users/jimbo/.ssh/id_ed25519
debug1: Next authentication method: keyboard-interactive
Password:

如您所見,返回的主機密鑰不同。在使用主機名與 IP 地址時期望不同的密鑰是否正確。我可以採取哪些下一步措施?

看起來 ssh 正在將主機名解析為 localhost,因為我在 ssh 到 localhost 時獲得了相同的主機密鑰。

我的主機文件基本上是空的:

127.0.0.1   localhost
255.255.255.255 broadcasthost
::1             localhost 

但是host myserver.lan返回這個。這與 IPv6 配置有關嗎?

host myserver.lan
myserver.lan has address 192.168.1.2
myserver.lan has IPv6 address ::1

這是的輸出dig @192.168.1.2 myserver.lan

; <<>> DiG 9.8.3-P1 <<>> @192.168.1.2 myserver.lan
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32577
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;myserver.lan.          IN  A

;; ANSWER SECTION:
myserver.lan.       604800  IN  A   192.168.1.2

;; AUTHORITY SECTION:
myserver.lan.       604800  IN  NS  ns.myserver.lan.

;; ADDITIONAL SECTION:
ns.myserver.lan.    604800  IN  A   192.168.1.2

;; Query time: 21 msec
;; SERVER: 192.168.1.2#53(192.168.1.2)
;; WHEN: Sun May 21 13:34:41 2017
;; MSG SIZE  rcvd: 79

以及伺服器上的綁定配置文件:

;
; BIND data file for myserver

$TTL    604800
@       IN      SOA     myserver.lan. root.myserver.lan. (
                             3         ; Serial
                        604800         ; Refresh
                         86400         ; Retry
                       2419200         ; Expire
                        604800 )       ; Negative Cache TTL
       IN      A       192.168.1.2
;
@       IN      NS      ns.myserver.lan.
@       IN      A       192.168.1.2
@       IN      AAAA    ::1
ns      IN      A       192.168.1.2

PS我有一台帶有cygwin的Windows筆記型電腦,它仍然能夠使用主機名登錄伺服器。只有我的 Mac 似乎受到了影響。

該問題是由不正確的 DNS 配置引起的。ssh 客戶端使用 IPv6 並且“myserver.lan”被解析為

$$ ::1 $$. 您需要從區域配置文件中刪除 AAAA ::1 記錄並重新啟動命名。

引用自:https://serverfault.com/questions/851383