SSH from Windows to CentOS 8 with pubkey fails, but succeeds via agent forwarding through an Ubuntu box

Windows 10 2004 with an SSH key pair set up and loaded into the ssh-agent service.

PS C:\Users\ferdi> ls .ssh
    Directory: C:\Users\ferdi\.ssh
Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----         8/14/2020  10:14 AM            179 config
-a----         7/23/2020  10:11 AM           1679 id_rsa
-a----         7/23/2020  10:11 AM            404 id_rsa.pub
-a----         8/13/2020   9:23 PM           3896 known_hosts
PS C:\Users\ferdi> cat .\.ssh\id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDndAlQRJcPYSHKkyW2njnWvwLpTe62MHneGRQLvqRtF7A5Yy4LlQKsZLDIivtzrA2GXaMme2lkJvCKlKFe4RQCEeUcdDr2bC1GbdTSAMQ0aaOyO1afIgOKp9zVg3NDIwZ28APpZd+f8sPtAlkfLaeJQ8moEiZz3FhcCRwbnnnVpcLT+S3rJU2mV2GTBktE3mLZoSWHkxsGT3jNdRIORqQxdCvBR2dtiNbPF83W9A7fhCL0tQQtoLu8c3Tp0AGUeYkcfUZ6VLFr+3TjCVskucg2pnnvxAG5DV/DiqGThKqDPWcMd5r2NwqsvaGplgvIdTIwveQOacSMGWQ4UCCIpwyJ ferdi@DESKTOP-4V6O744
PS C:\Users\ferdi> ssh-add
Identity added: C:\Users\ferdi/.ssh/id_rsa (C:\Users\ferdi/.ssh/id_rsa)
PS C:\Users\ferdi> ssh-add -l
2048 SHA256:O5V+dxb9IB8ft2SaxbDtFkK8lBoGVd20K+ugnBp7hSQ C:\Users\ferdi/.ssh/id_rsa (RSA)

My .ssh/config file enables "ForwardAgent" for every remote host.

PS C:\Users\ferdi> cat .ssh/config
Host *
    StrictHostKeyChecking no
    ForwardAgent yes

Host mgr
    HostName 192.168.101.110
    User ubuntu

Host sad
    HostName 192.168.101.225
    User admbvtech

I built a CentOS 8 box (named "sad" in my SSH config file) and put my public key into .ssh/authorized_keys.

[admbvtech@localhost ~]$ ls -la .ssh
total 4
drwx------ 2 admbvtech sudo  29 Aug 13 18:54 .
drwx------ 6 admbvtech sudo 139 Aug 13 20:53 ..
-rw------- 1 admbvtech sudo 403 Aug 13 18:54 authorized_keys
[admbvtech@localhost ~]$ cat .ssh/authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDndAlQRJcPYSHKkyW2njnWvwLpTe62MHneGRQLvqRtF7A5Yy4LlQKsZLDIivtzrA2GXaMme2lkJvCKlKFe4RQCEeUcdDr2bC1GbdTSAMQ0aaOyO1afIgOKp9zVg3NDIwZ28APpZd+f8sPtAlkfLaeJQ8moEiZz3FhcCRwbnnnVpcLT+S3rJU2mV2GTBktE3mLZoSWHkxsGT3jNdRIORqQxdCvBR2dtiNbPF83W9A7fhCL0tQQtoLu8c3Tp0AGUeYkcfUZ6VLFr+3TjCVskucg2pnnvxAG5DV/DiqGThKqDPWcMd5r2NwqsvaGplgvIdTIwveQOacSMGWQ4UCCIpwyJ ferdi@DESKTOP-4V6O744

I built an Ubuntu 18.04 box (named "mgr") with the same public key in .ssh/authorized_keys.

ubuntu@mgr:~$ ls -la .ssh
total 20
drwx------  2 ubuntu ubuntu 4096 Aug 13 21:24 .
drwxr-xr-x 13 ubuntu ubuntu 4096 Aug 13 15:01 ..
-rw-------  1 ubuntu ubuntu  403 Aug  3 20:57 authorized_keys
-rw-r--r--  1 ubuntu ubuntu 6636 Aug 13 21:24 known_hosts
ubuntu@mgr:~$ cat .ssh/authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDndAlQRJcPYSHKkyW2njnWvwLpTe62MHneGRQLvqRtF7A5Yy4LlQKsZLDIivtzrA2GXaMme2lkJvCKlKFe4RQCEeUcdDr2bC1GbdTSAMQ0aaOyO1afIgOKp9zVg3NDIwZ28APpZd+f8sPtAlkfLaeJQ8moEiZz3FhcCRwbnnnVpcLT+S3rJU2mV2GTBktE3mLZoSWHkxsGT3jNdRIORqQxdCvBR2dtiNbPF83W9A7fhCL0tQQtoLu8c3Tp0AGUeYkcfUZ6VLFr+3TjCVskucg2pnnvxAG5DV/DiqGThKqDPWcMd5r2NwqsvaGplgvIdTIwveQOacSMGWQ4UCCIpwyJ ferdi@DESKTOP-4V6O744

Passwordless SSH works fine from Windows to Ubuntu.

PS C:\Users\ferdi> ssh mgr
warning: agent returned different signature type ssh-rsa (expected rsa-sha2-512)
Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 4.15.0-112-generic x86_64)
....
Last login: Fri Aug 14 09:43:40 2020 from 192.168.101.1

Fails from Windows to CentOS:

PS C:\Users\ferdi> ssh -v sad
OpenSSH_for_Windows_7.7p1, LibreSSL 2.6.5
debug1: Reading configuration data C:\\Users\\ferdi/.ssh/config
debug1: C:\\Users\\ferdi/.ssh/config line 1: Applying options for *
debug1: C:\\Users\\ferdi/.ssh/config line 9: Applying options for sad
debug1: Connecting to 192.168.101.225 [192.168.101.225] port 22.
debug1: Connection established.
debug1: identity file C:\\Users\\ferdi/.ssh/id_rsa type 0
debug1: key_load_public: No such file or directory
debug1: identity file C:\\Users\\ferdi/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file C:\\Users\\ferdi/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file C:\\Users\\ferdi/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file C:\\Users\\ferdi/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file C:\\Users\\ferdi/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file C:\\Users\\ferdi/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file C:\\Users\\ferdi/.ssh/id_ed25519-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file C:\\Users\\ferdi/.ssh/id_xmss type -1
debug1: key_load_public: No such file or directory
debug1: identity file C:\\Users\\ferdi/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_for_Windows_7.7
debug1: Remote protocol version 2.0, remote software version OpenSSH_8.0
debug1: match: OpenSSH_8.0 pat OpenSSH* compat 0x04000000
debug1: Authenticating to 192.168.101.225:22 as 'admbvtech'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: [email protected] MAC: <implicit> compression: none
debug1: kex: client->server cipher: [email protected] MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:qsdGbspZWINmoYKa62+Y6qFpQhH5ruIyo6IKCrapi3c
debug1: Host '192.168.101.225' is known and matches the ECDSA host key.
debug1: Found key in C:\\Users\\ferdi/.ssh/known_hosts:15
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug1: Next authentication method: publickey
debug1: Offering public key: RSA SHA256:O5V+dxb9IB8ft2SaxbDtFkK8lBoGVd20K+ugnBp7hSQ C:\\Users\\ferdi/.ssh/id_rsa
debug1: Server accepts key: pkalg rsa-sha2-512 blen 279
warning: agent returned different signature type ssh-rsa (expected rsa-sha2-512)
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug1: Trying private key: C:\\Users\\ferdi/.ssh/id_dsa
debug1: Trying private key: C:\\Users\\ferdi/.ssh/id_ecdsa
debug1: Trying private key: C:\\Users\\ferdi/.ssh/id_ed25519
debug1: Trying private key: C:\\Users\\ferdi/.ssh/id_xmss
debug1: No more authentication methods to try.
admbvtech@192.168.101.225: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).

Succeeds from Ubuntu to CentOS using the forwarded identity:

PS C:\Users\ferdi> ssh mgr
...
Last login: Fri Aug 14 10:19:53 2020 from 192.168.101.1
ubuntu@mgr:~$ ssh -v admbvtech@192.168.101.225
...
debug1: Next authentication method: publickey
debug1: Offering public key: RSA SHA256:O5V+dxb9IB8ft2SaxbDtFkK8lBoGVd20K+ugnBp7hSQ C:\\Users\\ferdi/.ssh/id_rsa
debug1: Server accepts key: pkalg rsa-sha2-512 blen 279
debug1: Authentication succeeded (publickey).
Authenticated to 192.168.101.225 ([192.168.101.225]:22).
...
Last login: Fri Aug 14 07:43:44 2020 from 192.168.101.110
[admbvtech@localhost ~]$

Any ideas? I recall having identical problems with an Ubuntu 20.04 box on Hetzner Cloud (I had to destroy it and go back to 18.04).

Thanks in advance.
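To read the two `ssh -v` transcripts in the question mechanically, here is an added Python example (not code from the question or from any project) that pulls out the server's advertised `server-sig-algs`, the key that was offered, the signature algorithm the server selected for it, and the agent's warning, and then reports where public-key authentication broke. The sample log lines are constructed from the transcripts above; the `SIG_HASH` table maps the SSH algorithm names to the hash function each one denotes. On the failing session it shows that the server accepted the key itself (so `authorized_keys` is not the problem) and that the failure happens in the signature step: the agent signed with `ssh-rsa` (SHA-1) although the server had selected `rsa-sha2-512`.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed samples: the decisive lines of the two `ssh -v` sessions in the question
# (Windows OpenSSH 7.7 client -> CentOS 8 OpenSSH 8.0 server), trimmed to what matters.
FAILING_SESSION = r"""
debug1: Remote protocol version 2.0, remote software version OpenSSH_8.0
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>
debug1: Offering public key: RSA SHA256:O5V+dxb9IB8ft2SaxbDtFkK8lBoGVd20K+ugnBp7hSQ C:\\Users\\ferdi/.ssh/id_rsa
debug1: Server accepts key: pkalg rsa-sha2-512 blen 279
warning: agent returned different signature type ssh-rsa (expected rsa-sha2-512)
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug1: No more authentication methods to try.
"""

SUCCEEDING_SESSION = r"""
debug1: Offering public key: RSA SHA256:O5V+dxb9IB8ft2SaxbDtFkK8lBoGVd20K+ugnBp7hSQ C:\\Users\\ferdi/.ssh/id_rsa
debug1: Server accepts key: pkalg rsa-sha2-512 blen 279
debug1: Authentication succeeded (publickey).
"""

# RSA signature algorithm names as used on the wire and the hash each one implies.
SIG_HASH = {
    "ssh-rsa": "SHA-1",
    "rsa-sha2-256": "SHA-256",
    "rsa-sha2-512": "SHA-512",
}

RE_SERVER_SIG_ALGS = re.compile(r"server-sig-algs=<([^>]*)>")
RE_OFFER = re.compile(r"Offering public key: (\S+) (SHA256:\S+)")
RE_ACCEPT = re.compile(r"Server accepts key: pkalg (\S+)")
RE_AGENT_WARN = re.compile(r"agent returned different signature type (\S+) \(expected (\S+)\)")
RE_SUCCESS = re.compile(r"Authentication succeeded \((\w+)\)")


def analyse(log: str) -> Dict[str, object]:
    """Extract the public-key authentication facts from `ssh -v` output and explain the outcome."""
    server_sig_algs: List[str] = []
    offered_key: Optional[Tuple[str, str]] = None   # (key type, fingerprint)
    accepted_pkalg: Optional[str] = None            # signature algorithm the server selected
    agent_sig_type: Optional[str] = None            # what the agent actually signed with, if different
    succeeded = False

    for line in log.strip().splitlines():
        if m := RE_SERVER_SIG_ALGS.search(line):
            server_sig_algs = m.group(1).split(",")
        elif m := RE_OFFER.search(line):
            offered_key = (m.group(1), m.group(2))
        elif m := RE_ACCEPT.search(line):
            accepted_pkalg = m.group(1)
        elif m := RE_AGENT_WARN.search(line):
            agent_sig_type = m.group(1)
        elif RE_SUCCESS.search(line):
            succeeded = True

    findings: List[str] = []
    if accepted_pkalg and not succeeded:
        # The server answered "accepts key", so the authorized_keys entry matched;
        # the failure must be in the signature that followed.
        findings.append("server accepted the offered key (authorized_keys is fine) "
                        "but the signature step failed")
    if agent_sig_type and accepted_pkalg and agent_sig_type != accepted_pkalg:
        findings.append(
            f"agent signed with {agent_sig_type} ({SIG_HASH.get(agent_sig_type, '?')}) although "
            f"the server selected {accepted_pkalg} ({SIG_HASH.get(accepted_pkalg, '?')}); a server "
            f"that refuses {SIG_HASH.get(agent_sig_type, agent_sig_type)} RSA signatures will "
            f"reject this signature even though the key is authorized"
        )
    if server_sig_algs and accepted_pkalg and accepted_pkalg not in server_sig_algs:
        findings.append(f"{accepted_pkalg} is not in the server's advertised server-sig-algs")

    return {
        "server_sig_algs": server_sig_algs,
        "offered_key": offered_key,
        "accepted_pkalg": accepted_pkalg,
        "agent_sig_type": agent_sig_type,
        "succeeded": succeeded,
        "findings": findings,
    }


if __name__ == "__main__":
    for name, log in (("direct Windows -> CentOS", FAILING_SESSION),
                      ("via Ubuntu, forwarded agent", SUCCEEDING_SESSION)):
        r = analyse(log)
        print(f"{name}: {'OK' if r['succeeded'] else 'FAILED'}")
        for f in r["findings"]:
            print("  -", f)
```

Run it against a real `ssh -v` capture by passing the whole output to `analyse()`; the regexes only look at the lines OpenSSH prints for the public-key method, so the kex and identity-file noise is ignored.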

Answer 1

I managed to connect to the CentOS 8 box (and also to the Hetzner Ubuntu 20.04 box) using ECDSA, ED25519 and even RSA keys (with key size 4096).

Maybe my previous key size was too small. The only remaining question is:

why is my previous, weak RSA key considered invalid on a direct connection, but not when it is passed along via ForwardAgent from another host in the middle?