pubkey를 사용하여 Windows에서 CentOS8로의 SSH가 실패했지만 Ubuntu 상자를 통한 AgentForwarding을 통해 성공했습니다.

pubkey를 사용하여 Windows에서 CentOS8로의 SSH가 실패했지만 Ubuntu 상자를 통한 AgentForwarding을 통해 성공했습니다.

Windows 10 2004에서는 SSH 키 쌍이 SSH 에이전트 서비스에 설정 및 로드되었습니다.

PS C:\Users\ferdi> ls .ssh
    Directory: C:\Users\ferdi\.ssh
Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----         8/14/2020  10:14 AM            179 config
-a----         7/23/2020  10:11 AM           1679 id_rsa
-a----         7/23/2020  10:11 AM            404 id_rsa.pub
-a----         8/13/2020   9:23 PM           3896 known_hosts
PS C:\Users\ferdi> cat .\.ssh\id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDndAlQRJcPYSHKkyW2njnWvwLpTe62MHneGRQLvqRtF7A5Yy4LlQKsZLDIivtzrA2GXaMme2lkJvCKlKFe4RQCEeUcdDr2bC1GbdTSAMQ0aaOyO1afIgOKp9zVg3NDIwZ28APpZd+f8sPtAlkfLaeJQ8moEiZz3FhcCRwbnnnVpcLT+S3rJU2mV2GTBktE3mLZoSWHkxsGT3jNdRIORqQxdCvBR2dtiNbPF83W9A7fhCL0tQQtoLu8c3Tp0AGUeYkcfUZ6VLFr+3TjCVskucg2pnnvxAG5DV/DiqGThKqDPWcMd5r2NwqsvaGplgvIdTIwveQOacSMGWQ4UCCIpwyJ ferdi@DESKTOP-4V6O744
PS C:\Users\ferdi> ssh-add
Identity added: C:\Users\ferdi/.ssh/id_rsa (C:\Users\ferdi/.ssh/id_rsa)
PS C:\Users\ferdi> ssh-add -l
2048 SHA256:O5V+dxb9IB8ft2SaxbDtFkK8lBoGVd20K+ugnBp7hSQ C:\Users\ferdi/.ssh/id_rsa (RSA)

내 .ssh/config 파일은 각 원격 호스트에 대해 "ForwardAgent"를 활성화합니다.

PS C:\Users\ferdi> cat .ssh/config
Host *
    StrictHostKeyChecking no
    ForwardAgent yes

Host mgr
    HostName 192.168.101.110
    User ubuntu

Host sad
    HostName 192.168.101.225
    User admbvtech

CentOS8 상자(SSH 구성 파일에 "sad"라는 이름)를 만들고 공개 키를 .ssh/authorized_keys에 넣었습니다.

[admbvtech@localhost ~]$ ls -la .ssh
total 4
drwx------ 2 admbvtech sudo  29 Aug 13 18:54 .
drwx------ 6 admbvtech sudo 139 Aug 13 20:53 ..
-rw------- 1 admbvtech sudo 403 Aug 13 18:54 authorized_keys
[admbvtech@localhost ~]$ cat .ssh/authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDndAlQRJcPYSHKkyW2njnWvwLpTe62MHneGRQLvqRtF7A5Yy4LlQKsZLDIivtzrA2GXaMme2lkJvCKlKFe4RQCEeUcdDr2bC1GbdTSAMQ0aaOyO1afIgOKp9zVg3NDIwZ28APpZd+f8sPtAlkfLaeJQ8moEiZz3FhcCRwbnnnVpcLT+S3rJU2mV2GTBktE3mLZoSWHkxsGT3jNdRIORqQxdCvBR2dtiNbPF83W9A7fhCL0tQQtoLu8c3Tp0AGUeYkcfUZ6VLFr+3TjCVskucg2pnnvxAG5DV/DiqGThKqDPWcMd5r2NwqsvaGplgvIdTIwveQOacSMGWQ4UCCIpwyJ ferdi@DESKTOP-4V6O744

.ssh/authorized_keys에 동일한 공개 키가 있는 Ubuntu 18.04 상자("mgr"이라는 이름)를 만들었습니다.

ubuntu@mgr:~$ ls -la .ssh
total 20
drwx------  2 ubuntu ubuntu 4096 Aug 13 21:24 .
drwxr-xr-x 13 ubuntu ubuntu 4096 Aug 13 15:01 ..
-rw-------  1 ubuntu ubuntu  403 Aug  3 20:57 authorized_keys
-rw-r--r--  1 ubuntu ubuntu 6636 Aug 13 21:24 known_hosts
ubuntu@mgr:~$ cat .ssh/authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDndAlQRJcPYSHKkyW2njnWvwLpTe62MHneGRQLvqRtF7A5Yy4LlQKsZLDIivtzrA2GXaMme2lkJvCKlKFe4RQCEeUcdDr2bC1GbdTSAMQ0aaOyO1afIgOKp9zVg3NDIwZ28APpZd+f8sPtAlkfLaeJQ8moEiZz3FhcCRwbnnnVpcLT+S3rJU2mV2GTBktE3mLZoSWHkxsGT3jNdRIORqQxdCvBR2dtiNbPF83W9A7fhCL0tQQtoLu8c3Tp0AGUeYkcfUZ6VLFr+3TjCVskucg2pnnvxAG5DV/DiqGThKqDPWcMd5r2NwqsvaGplgvIdTIwveQOacSMGWQ4UCCIpwyJ ferdi@DESKTOP-4V6O744

비밀번호 없는 SSH는 Windows에서 Ubuntu까지 잘 작동합니다.

PS C:\Users\ferdi> ssh mgr
warning: agent returned different signature type ssh-rsa (expected rsa-sha2-512)
Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 4.15.0-112-generic x86_64)
....
Last login: Fri Aug 14 09:43:40 2020 from 192.168.101.1

실패하다윈도우에서 CentOS로

PS C:\Users\ferdi> ssh -v sad
OpenSSH_for_Windows_7.7p1, LibreSSL 2.6.5
debug1: Reading configuration data C:\\Users\\ferdi/.ssh/config
debug1: C:\\Users\\ferdi/.ssh/config line 1: Applying options for *
debug1: C:\\Users\\ferdi/.ssh/config line 9: Applying options for sad
debug1: Connecting to 192.168.101.225 [192.168.101.225] port 22.
debug1: Connection established.
debug1: identity file C:\\Users\\ferdi/.ssh/id_rsa type 0
debug1: key_load_public: No such file or directory
debug1: identity file C:\\Users\\ferdi/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file C:\\Users\\ferdi/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file C:\\Users\\ferdi/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file C:\\Users\\ferdi/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file C:\\Users\\ferdi/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file C:\\Users\\ferdi/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file C:\\Users\\ferdi/.ssh/id_ed25519-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file C:\\Users\\ferdi/.ssh/id_xmss type -1
debug1: key_load_public: No such file or directory
debug1: identity file C:\\Users\\ferdi/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_for_Windows_7.7
debug1: Remote protocol version 2.0, remote software version OpenSSH_8.0
debug1: match: OpenSSH_8.0 pat OpenSSH* compat 0x04000000
debug1: Authenticating to 192.168.101.225:22 as 'admbvtech'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: [email protected] MAC: <implicit> compression: none
debug1: kex: client->server cipher: [email protected] MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:qsdGbspZWINmoYKa62+Y6qFpQhH5ruIyo6IKCrapi3c
debug1: Host '192.168.101.225' is known and matches the ECDSA host key.
debug1: Found key in C:\\Users\\ferdi/.ssh/known_hosts:15
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug1: Next authentication method: publickey
debug1: Offering public key: RSA SHA256:O5V+dxb9IB8ft2SaxbDtFkK8lBoGVd20K+ugnBp7hSQ C:\\Users\\ferdi/.ssh/id_rsa
debug1: Server accepts key: pkalg rsa-sha2-512 blen 279
warning: agent returned different signature type ssh-rsa (expected rsa-sha2-512)
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug1: Trying private key: C:\\Users\\ferdi/.ssh/id_dsa
debug1: Trying private key: C:\\Users\\ferdi/.ssh/id_ecdsa
debug1: Trying private key: C:\\Users\\ferdi/.ssh/id_ed25519
debug1: Trying private key: C:\\Users\\ferdi/.ssh/id_xmss
debug1: No more authentication methods to try.
[email protected]: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).

성공우분투에서 CentOS로전달된 ID 사용.

PS C:\Users\ferdi> ssh mgr
...
Last login: Fri Aug 14 10:19:53 2020 from 192.168.101.1
ubuntu@mgr:~$ ssh -v [email protected]
...
debug1: Next authentication method: publickey
debug1: Offering public key: RSA SHA256:O5V+dxb9IB8ft2SaxbDtFkK8lBoGVd20K+ugnBp7hSQ C:\\Users\\ferdi/.ssh/id_rsa
debug1: Server accepts key: pkalg rsa-sha2-512 blen 279
debug1: Authentication succeeded (publickey).
Authenticated to 192.168.101.225 ([192.168.101.225]:22).
...
Last login: Fri Aug 14 07:43:44 2020 from 192.168.101.110
[admbvtech@localhost ~]$

어떤 아이디어가 있나요? Hetzner Cloud에 구축된 Ubuntu 20.04 상자에서 동일한 문제가 발생한 것을 기억합니다(이를 파괴하고 18.04로 되돌려야 했습니다).

미리 감사드립니다.

답변1

ECDSA, ED25519를 사용하여 CentOS8 상자(및 Hetzner Ubuntu 20.04 상자)에 성공적으로 연결했습니다.심지어 RSA키(키 크기는 4096).

이전 키 크기가 너무 작았을 수도 있습니다. 유일하게 지속되는 문제는

이전의 취약한 RSA 키가 직접 연결되면 가치가 없는 것으로 간주되지만 ForwardAgent를 통해 중간에 있는 다른 호스트에 연결되면 가치가 없는 것으로 간주되는 이유는 무엇입니까?

관련 정보