
I just generated an ECDSA key with ssh-keygen using the following command:
ssh-keygen -t ecdsa -b 521
Then I copied this key to my server:
cat .ssh/id_ecdsa.pub | ssh myserver "tee -a .ssh/authorized_keys"
I have verified that my key is in the file.
But when I try to connect, my connection is rejected:
ssh -v -i .ssh/id_ecdsa myserver
Log:
OpenSSH_5.9p1 Debian-5ubuntu1.1, OpenSSL 1.0.1 14 Mar 2012
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to myserver [192.168.1.1] port 22.
debug1: Connection established.
debug1: identity file .ssh/id_ecdsa type 3
debug1: Checking blacklist file /usr/share/ssh/blacklist.ECDSA-521
debug1: Checking blacklist file /etc/ssh/blacklist.ECDSA-521
debug1: identity file .ssh/id_ecdsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.1
debug1: match: OpenSSH_6.1 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.9p1 Debian-5ubuntu1.1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Server host key: RSA 10:27:b8:78:2c:e1:e3:42:8e:e3:66:c4:cc:4e:f1:c0
debug1: Host 'myserver' is known and matches the RSA host key.
debug1: Found key in /home/naftuli/.ssh/known_hosts:73
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering ECDSA public key: .ssh/id_ecdsa
debug1: Authentications that can continue: publickey
debug1: No more authentication methods to try.
Permission denied (publickey).
I found this in the server log:
auth.info sshd[13874]: userauth_pubkey: unsupported public key algorithm: ecdsa-sha2-nistp521 [preauth]
Both my client and my server use OpenSSH. The server's OpenSSH version is OpenSSH 6.1, and my client's OpenSSH version is OpenSSH 5.9.
How can I find out which key algorithms my server supports?
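One way to answer the question above without shell access to the server, added here as an example that is not part of the original post or of OpenSSH itself: open a TCP connection, exchange version strings, and decode the server's SSH_MSG_KEXINIT. That message is sent in the clear before key exchange (RFC 4253, sections 6 and 7.1) and lists the key-exchange and host-key algorithms the server offers. The host name myserver is the one from the question; the probe's own version string "SSH-2.0-kexinit_probe" is made up for this example, and the KEXINIT used by the test is a constructed sample, not a capture from the asker's server.

```python
import socket
import struct

SSH_MSG_KEXINIT = 20

# The ten name-lists of SSH_MSG_KEXINIT, in wire order (RFC 4253 section 7.1).
KEXINIT_FIELDS = (
    "kex_algorithms",
    "server_host_key_algorithms",
    "encryption_algorithms_client_to_server",
    "encryption_algorithms_server_to_client",
    "mac_algorithms_client_to_server",
    "mac_algorithms_server_to_client",
    "compression_algorithms_client_to_server",
    "compression_algorithms_server_to_client",
    "languages_client_to_server",
    "languages_server_to_client",
)


def _namelist(names):
    """Encode an SSH name-list: uint32 length + comma-separated ASCII names."""
    data = ",".join(names).encode("ascii")
    return struct.pack(">I", len(data)) + data


def build_kexinit(lists, cookie=b"\x00" * 16):
    """Build a KEXINIT payload from {field: [names]}. Only used here to construct
    an offline sample; a real server sends its own, with a random cookie."""
    payload = bytes([SSH_MSG_KEXINIT]) + cookie
    for field in KEXINIT_FIELDS:
        payload += _namelist(lists.get(field, []))
    payload += b"\x00"               # first_kex_packet_follows = FALSE
    payload += struct.pack(">I", 0)  # reserved
    return payload


def parse_kexinit(payload):
    """Decode a KEXINIT payload into {field: [names]}."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    pos = 1 + 16  # skip the message id and the 16-byte cookie
    lists = {}
    for field in KEXINIT_FIELDS:
        (length,) = struct.unpack(">I", payload[pos:pos + 4])
        pos += 4
        raw = payload[pos:pos + length].decode("ascii")
        pos += length
        lists[field] = raw.split(",") if raw else []
    return lists


def frame_packet(payload, block=8):
    """Wrap a payload in the unencrypted binary packet format (RFC 4253 section 6):
    uint32 packet_length, byte padding_length, payload, at least 4 bytes padding."""
    padding = block - ((5 + len(payload)) % block)
    if padding < 4:
        padding += block
    return struct.pack(">IB", 1 + len(payload) + padding, padding) + payload + b"\x00" * padding


def read_packet(read):
    """Read one unencrypted packet with read(n) -> exactly n bytes; return its payload."""
    packet_length, padding_length = struct.unpack(">IB", read(5))
    body = read(packet_length - 1)
    return body[:packet_length - 1 - padding_length]


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed during SSH handshake")
        buf += chunk
    return buf


def _read_line(sock):
    line = b""
    while not line.endswith(b"\n"):
        line += _recv_exact(sock, 1)
    return line


def probe_server(host, port=22, timeout=5.0):
    """Connect, exchange version strings, return (server banner, KEXINIT lists).
    Nothing is authenticated; the connection is dropped right after KEXINIT."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        banner = _read_line(sock)
        while not banner.startswith(b"SSH-"):  # servers may send text lines first
            banner = _read_line(sock)
        sock.sendall(b"SSH-2.0-kexinit_probe\r\n")  # made-up client version string

        def read(n):
            return _recv_exact(sock, n)

        payload = read_packet(read)
        while payload[0] != SSH_MSG_KEXINIT:  # skip SSH_MSG_IGNORE and the like
            payload = read_packet(read)
        return banner.decode("ascii", "replace").strip(), parse_kexinit(payload)


if __name__ == "__main__":
    import sys
    banner, lists = probe_server(sys.argv[1] if len(sys.argv) > 1 else "myserver")
    print(banner)
    for field in ("kex_algorithms", "server_host_key_algorithms"):
        print(field + ":", ", ".join(lists[field]))
```

Read the result with one caveat: server_host_key_algorithms lists the key types the server can present as its own host key, not the key types it accepts for user authentication, and in this OpenSSH generation the latter are not advertised during key exchange at all. A server whose build has no ECDSA code cannot offer ecdsa-sha2-* host keys, so their absence is a strong hint, but a server that merely has no ECDSA host key configured would look the same. The server-side log line quoted in the question ("unsupported public key algorithm") remains the authoritative answer for user authentication.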
Answer 1
Answer 2
ecdsa support has been in the openssh server since version 5.7. What version of openssh-server are you running? Run dpkg -l | grep openssh-server | awk '{print $3}' | cut -d: -f2 to find out the version.
Answer 3
If your system is Red Hat Enterprise Linux 6.4 (or older) or Fedora 19 (or older), be aware that ECDSA has been removed from them. I don't know why that is (maybe legal reasons): https://www.mail-archive.com/[email protected]/msg00755.html
Answer 4
Leaving this here because it happened to me:
Day 1: setting up a new machine, I copied the keys - mine first - and was able to log in fine.
Day 2: I could not log in with my ed25519 key. Huh? I added an RSA key; it worked. I generated a new ed25519 key and it worked... but my old one didn't. What the heck?
It turned out, after testing, that I had installed the key into root's .ssh/authorized_keys as a backup... and forgot to fix the permissions on that file. So openssh blacklisted my key, preventing me from logging in. As my user.
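The failure in the answer above is the one sshd's StrictModes check produces: an authorized_keys file, or any directory between it and the home directory, that is group- or world-writable or owned by someone other than the user or root makes sshd ignore the file, and the client just sees "Permission denied (publickey)". The checker below is an added example (not part of the original answer or of OpenSSH) that applies that rule to a path; the check_entry function is pure so it can be run on constructed stat values, and build_demo_home builds a throwaway home directory with a deliberately misconfigured file to show the report.

```python
import os
import stat
import tempfile

# sshd (StrictModes) rejects files/dirs that are group- or world-writable
# or not owned by the user or root. This example mirrors that rule.
UNSAFE_WRITE_BITS = stat.S_IWGRP | stat.S_IWOTH


def check_entry(mode, uid, owner_uid, label="path"):
    """Pure check on stat fields; returns a list of problems (empty means OK)."""
    problems = []
    if uid not in (owner_uid, 0):
        problems.append(f"{label}: owned by uid {uid}, expected {owner_uid} or root")
    if mode & UNSAFE_WRITE_BITS:
        problems.append(f"{label}: mode {stat.S_IMODE(mode):04o} is group/world writable")
    return problems


def check_authorized_keys(home, owner_uid):
    """Check ~/.ssh/authorized_keys and every directory up to and including home."""
    home = os.path.abspath(home)
    current = os.path.join(home, ".ssh", "authorized_keys")
    problems = []
    while True:
        st = os.stat(current)
        problems += check_entry(st.st_mode, st.st_uid, owner_uid, current)
        if current == home:
            return problems
        parent = os.path.dirname(current)
        if parent == current:  # reached filesystem root without meeting home
            return problems
        current = parent


def build_demo_home():
    """Constructed sample: a temp home whose authorized_keys is group-writable,
    the mistake described in the answer. Returns (home, owner uid)."""
    home = tempfile.mkdtemp(prefix="sshdemo-")  # created with mode 0700
    ssh_dir = os.path.join(home, ".ssh")
    os.mkdir(ssh_dir, 0o700)
    keyfile = os.path.join(ssh_dir, "authorized_keys")
    with open(keyfile, "w") as f:
        f.write("ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYDATA demo@example\n")
    os.chmod(ssh_dir, 0o700)
    os.chmod(keyfile, 0o664)  # the bad permission
    return home, os.getuid()


if __name__ == "__main__":
    demo_home, uid = build_demo_home()
    for line in check_authorized_keys(demo_home, uid) or ["no problems found"]:
        print(line)
```

Run it against a real account with check_authorized_keys(os.path.expanduser("~"), os.getuid()); a clean result means the permission rule is not what is blocking the key, and the next place to look is the server's auth log, as in the question.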