KOPS Kubernetes: cannot log in to the bastion host, SSH public key permission error

I am learning Kubernetes and want to set up such a cluster in AWS with the KOPS tool. I followed the official tutorial, and then, in short, this one: https://medium.com/andcloudio/kubernetes-kops-cluster-on-aws-f55d197d8304

I also made sure to add the SSH key before trying to connect to the bastion host, as described here: https://kops.sigs.k8s.io/bastion/#using-the-bastion

Everything went smoothly: the nodes, workers, load balancers etc. were created, and the bastion host was created as well.

The only problem is that I cannot ssh into the bastion host using the key. I ran ssh with -vvv to see the verbose output; the log is below. I don't understand what is going wrong.

ssh -A admin@${bastion_elb_url} -vvv

Warning: Permanently added 'bastion-single-k8s-local-noarfe-151938406.eu-central-1.elb.amazonaws.com,3.121.65.83' (ECDSA) to the list of known hosts.
debug3: send packet: type 21
debug2: set_newkeys: mode 1
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug3: receive packet: type 21
debug1: SSH2_MSG_NEWKEYS received
debug2: set_newkeys: mode 0
debug1: rekey after 134217728 blocks
debug2: key: /root/.ssh/id_rsa (0x55d6af4ea570), agent
debug2: key: /root/.ssh/id_dsa ((nil))
debug2: key: /root/.ssh/id_ecdsa ((nil))
debug2: key: /root/.ssh/id_ed25519 ((nil))
debug3: send packet: type 5
debug3: receive packet: type 7
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,[email protected],ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,[email protected]>
debug3: receive packet: type 6
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug3: send packet: type 50
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey
debug3: start over, passed a different list publickey
debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /root/.ssh/id_rsa
debug3: send_pubkey_test
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey
debug1: Trying private key: /root/.ssh/id_dsa
debug3: no such identity: /root/.ssh/id_dsa: No such file or directory
debug1: Trying private key: /root/.ssh/id_ecdsa
debug3: no such identity: /root/.ssh/id_ecdsa: No such file or directory
debug1: Trying private key: /root/.ssh/id_ed25519
debug3: no such identity: /root/.ssh/id_ed25519: No such file or directory
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
Permission denied (publickey).

I am also posting the output of ssh-add to help with troubleshooting:

root@vagrant:/srv# ssh-add -L
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCq9cN3EAEy0WiASY/IBkF9SPIpLv/bZt1tpLc95cb5fG++ac5VX36rA4XukJFtCAk6I4P82ysuqfZGUQNsB57yibz9rbKZ1bFfxRPyGZS22/1Omqb/8B2NlNpJx42sK4odyUj3G+KLCGCmID/AEDhbjeY7d99ZuE6g8aqrtSo0fwsmNHnpvDS8Dt0IjbLxg41Sms9tmYDLlc/tncAs9BmRvuhPbg+BDw+z7ecLneI7+TexDfhXbnZkYfjFLsfI8vWivOu8ptuGVvPkQz/MJo+MokZEzoGbVCAZP5mYSIz+LIFnnCoh5WOMsB3OZuwvelR5bBgWjQhvOaWOX8BuSU5v /root/.ssh/id_rsa

Answer 1

As you can see in the verbose output, access was denied when trying to authenticate with publickey:

debug1: Authentications that can continue: publickey
debug1: Trying private key: /root/.ssh/id_dsa
debug3: no such identity: /root/.ssh/id_dsa: No such file or directory
debug1: Trying private key: /root/.ssh/id_ecdsa
debug3: no such identity: /root/.ssh/id_ecdsa: No such file or directory
debug1: Trying private key: /root/.ssh/id_ed25519
debug3: no such identity: /root/.ssh/id_ed25519: No such file or directory
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
Permission denied (publickey).

You can see above that none of the files checked by default (if no specific file is given with the -i flag) were found in your /root/.ssh/ directory.

As already discussed in the comments, it turned out that you used the user admin, which is not defined on the remote host. You confirmed that you logged in successfully as the ubuntu user: "Tried now with the ubuntu user and logged in to the bastion successfully". Since that has been sufficiently clarified, I will focus only on answering the additional question you posted in the comments:

Then I had to repeat the process of copying the key from host -> bastion, then from the bastion ssh to the kubernetes master. This works now, but I expected the -A flag to officially forward it somehow to the master, but it did not happen. Had to manually double ssh and copy the key to the bastion – Kristi Jorgji 2020-12-31 19:35

The ssh login procedure you describe is called ssh-ing through a so-called jump host. Keep in mind that it does not work this way out of the box and requires additional configuration. Take a look at this article, as it clearly explains everything you need to know about setting up SSH agent forwarding, if you want to use your local key not only to ssh into the bastion host (which happens to be a jump host in this case) but also to automatically ssh from there to another remote host.

In short, you need to create the ~/.ssh/config file on your local machine (if it doesn't exist), set the host to which you want to allow forwarding of your local ssh key, and set ForwardAgent yes:

Host example.com # it can be either domain name or IP address
  ForwardAgent yes

Also make sure your jump host allows SSH agent forwarding on inbound connections.

Agent forwarding may also be blocked on your server. You can check whether agent forwarding is allowed by SSHing into the server and running sshd_config. The output of this command should indicate that AllowAgentForwarding is set.

Now you should be able to ssh directly from your local machine, through the jump host, to the target remote host using the ssh command. It is well described here:

Dynamic jump host list

You can use the -J option for jump hosts:

user $ ssh -J host1 host2

If the username or port on the machines differ, specify them:

user $ ssh -J user1@host1:port1 user2@host2:port2

Multiple jumps

The same syntax can be used to jump across multiple machines:

user $ ssh -J user1@host1:port1,user2@host2:port2 user3@host3
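The answer above describes two checks that are easy to get wrong by hand: reading the effective AllowAgentForwarding value out of sshd_config on the bastion (sshd keeps the first occurrence of a keyword, ignores commented-out lines, and defaults to yes when the keyword is absent), and writing the client-side ~/.ssh/config that reaches the private node through the bastion. The script below is an added example, not code from the question or the answer. It uses ProxyJump, the config equivalent of the -J flag quoted above, rather than ForwardAgent: with ProxyJump the local key authenticates both hops while the agent socket is never exposed on the bastion, so ForwardAgent is only needed if you plan to run ssh from the bastion yourself. The sample sshd_config, the host names and the IP address are constructed placeholders; Match blocks in sshd_config are not evaluated by this check.

```shell
#!/bin/sh
# Added example: inspect the effective value of an sshd_config keyword and
# emit a client config that jumps through the bastion with ProxyJump.

# sshd uses the FIRST occurrence of a keyword; later repeats are ignored.
# Comments (# ...) are stripped and "Key=value" is accepted like "Key value".
# Conditional Match blocks are NOT handled (assumption: no Match blocks).
# Usage: effective_sshd_option <file> <keyword> <default-when-absent>
effective_sshd_option() {
    _file=$1
    _key=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    _default=$3
    _val=$(sed -e 's/#.*//' -e 's/=/ /' "$_file" \
        | awk -v key="$_key" 'tolower($1) == key { print tolower($2); exit }')
    if [ -z "$_val" ]; then
        printf '%s\n' "$_default"
    else
        printf '%s\n' "$_val"
    fi
}

# Constructed sample sshd_config for a bastion (placeholder content).
# The commented-out line and the trailing duplicate must both be ignored,
# so the effective value is "no".
SAMPLE_SSHD_CONFIG=$(mktemp)
cat > "$SAMPLE_SSHD_CONFIG" <<'EOF'
# sshd_config on the bastion (constructed sample)
Port 22
PermitRootLogin no
#AllowAgentForwarding yes
AllowAgentForwarding no
AllowAgentForwarding yes
PasswordAuthentication no
EOF

# Second constructed sample with the keyword absent: sshd's default is "yes".
SAMPLE_SSHD_CONFIG_DEFAULT=$(mktemp)
cat > "$SAMPLE_SSHD_CONFIG_DEFAULT" <<'EOF'
Port 22
PasswordAuthentication no
EOF

# Write a client ~/.ssh/config fragment. ProxyJump makes
# "ssh k8s-master" behave like "ssh -J ubuntu@bastion ubuntu@10.0.1.10":
# the local key is offered on both hops, no agent socket lands on the bastion.
# Usage: write_jump_config <output-file>
write_jump_config() {
    _out=$1
    cat > "$_out" <<'EOF'
# Placeholder host names, user and IP; replace with your own.
Host bastion
    HostName bastion.example.com
    User ubuntu
    IdentityFile ~/.ssh/id_rsa

Host k8s-master
    HostName 10.0.1.10
    User ubuntu
    IdentityFile ~/.ssh/id_rsa
    ProxyJump bastion
EOF
}

# Stand-alone run: report the bastion setting and show the generated config.
JUMP_CONFIG=$(mktemp)
write_jump_config "$JUMP_CONFIG"
printf 'AllowAgentForwarding (sample): %s\n' \
    "$(effective_sshd_option "$SAMPLE_SSHD_CONFIG" AllowAgentForwarding yes)"
printf 'AllowAgentForwarding (absent): %s\n' \
    "$(effective_sshd_option "$SAMPLE_SSHD_CONFIG_DEFAULT" AllowAgentForwarding yes)"
cat "$JUMP_CONFIG"
```

On a real bastion, run the check against /etc/ssh/sshd_config (and any files pulled in by Include); `sshd -T | grep -i allowagentforwarding` prints the value sshd actually resolved, including Match blocks, and is the authoritative answer when the two disagree.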
