SSH public key problem

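I have several clients that connect to an SSH server using public key authentication.

I am trying to connect to the same server from an Ubuntu 14.04 VM. Public key authentication does not work. Here is the connection log. Possible problems are marked in bold. There seems to be a problem with the protocol and software versions of the client and server. It also does not seem to attempt public key authentication at all. Only password.

I have checked all permissions on the relevant files. Also, the private key has no password.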

OpenSSH_6.6.1, OpenSSL 1.0.1f 6 Jan 2014
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to ........ [........] port 22.
debug1: Connection established.
debug1: identity file ....../.ssh/id_rsa_perf type 1
debug1: identity file ....../.ssh/id_rsa_perf-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.3
****debug1: Remote protocol version 2.0, remote software version xxxxxxx
debug1: no match: xxxxxxx****
debug2: fd 3 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: [email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: [email protected],[email protected],ssh-rsa,[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,[email protected],[email protected],[email protected],aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected]
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,[email protected],[email protected],[email protected],aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected]
debug2: kex_parse_kexinit: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-md5,hmac-sha1,[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-md5,hmac-sha1,[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,[email protected],zlib
debug2: kex_parse_kexinit: none,[email protected],zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected]
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected]
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,[email protected],hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,[email protected],hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none
debug2: kex_parse_kexinit: none
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: setup hmac-md5
debug1: kex: server->client aes128-ctr hmac-md5 none
debug2: mac_setup: setup hmac-md5
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<3072<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: bits set: 1022/2048
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Server host key: RSA fb:e2:06:14:e6:5f:94:91:a4:2f:8d:50:aa:ca:d1:0d
debug1: Host '........' is known and matches the RSA host key.
debug1: Found key in ......../.ssh/known_hosts:1
debug2: bits set: 1036/2048
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: ........../.ssh/id_rsa_perf (0xb7878c10), explicit
****debug1: Authentications that can continue: password****
debug1: Next authentication method: password
debug1: read_passphrase: can't open /dev/tty: No such device or address
debug2: we sent a password packet, wait for reply
debug1: Authentications that can continue: password
Permission denied, please try again.
debug1: read_passphrase: can't open /dev/tty: No such device or address
debug2: we sent a password packet, wait for reply
debug1: Authentications that can continue: password
Permission denied, please try again.
debug1: read_passphrase: can't open /dev/tty: No such device or address
debug2: we sent a password packet, wait for reply
debug1: Authentications that can continue: password
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
Permission denied (password).

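Here is the connection log from a client that does connect to the same server, with the same settings and the same openssh version on both clients. The only difference I can see is that there is no error related to protocol/software version detection. The client that connects is a physical box and the client that does not connect is a VMware virtual instance. Both are Ubuntu 14.04.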

OpenSSH_6.6.1, OpenSSL 1.0.1f 6 Jan 2014
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to ..............[.....] port 22.
debug1: Connection established.
debug1: identity file /home/...../.ssh/id_rsa_perf type 1
debug1: identity file /home/..../.ssh/id_rsa_perf-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
**debug1: Local version string SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.3
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.7p1-hpn14v5**
**debug1: match: OpenSSH_6.7p1-hpn14v5 pat OpenSSH* compat 0x04000000**
debug2: fd 3 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: [email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: [email protected],[email protected],[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,[email protected],[email protected],[email protected],[email protected],[email protected],ssh-ed25519,ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,[email protected],[email protected],[email protected],aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected]
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,[email protected],[email protected],[email protected],aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected]
debug2: kex_parse_kexinit: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-md5,hmac-sha1,[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-md5,hmac-sha1,[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,[email protected],zlib
debug2: kex_parse_kexinit: none,[email protected],zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: [email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ssh-ed25519
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected],[email protected]
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected],[email protected]
debug2: kex_parse_kexinit: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: kex_parse_kexinit: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: kex_parse_kexinit: none,[email protected]
debug2: kex_parse_kexinit: none,[email protected]
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: setup [email protected]
debug1: kex: server->client aes128-ctr [email protected] none
debug2: mac_setup: setup [email protected]
debug1: kex: client->server aes128-ctr [email protected] none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ECDSA 8c:84:b3:25:e5:6c:35:53:24:d0:d2:db:66:8f:ce:3d
debug1: Host '......' is known and matches the ECDSA host key.
debug1: Found key in /home/...../.ssh/known_hosts:3
debug1: ssh_ecdsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /home/...../.ssh/id_rsa_perf (0xb7afa098), explicit
**debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Next authentication method: publickey**
debug1: Offering RSA public key: /home/...../.ssh/id_rsa_perf
debug2: we sent a publickey packet, wait for reply
debug1: Server accepts key: pkalg ssh-rsa blen 279
debug2: input_userauth_pk_ok: fp 4e:af:a4:b5:23:da:0d:98:ee:c5:b2:f9:80:94:77:40
debug1: key_parse_private2: missing begin marker
debug1: read PEM private key done: type RSA
debug1: Authentication succeeded (publickey).
Authenticated to main.scan-dent.com ([....]:22).

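Answer 1

Comparing the two outputs gives the following.

They look more or less similar, but one of them performs a different authentication, so you should check the configuration of the SSH server.

One is doing md5 and the other is doing sha1, so check that.

And I don't know if you are already aware of it, but the clients are different. So to form a hypothesis about why one works and the other does not, you need to at least do something like trace what the error is.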

40,53c40,49
< debug2: mac_setup: setup hmac-md5
< debug1: kex: server->client aes128-ctr hmac-md5 none
< debug2: mac_setup: setup hmac-md5
< debug1: kex: client->server aes128-ctr hmac-md5 none
< debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<3072<8192) sent
< debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
< debug2: bits set: 1022/2048
< debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
< debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
< **debug1: Server host key: RSA fb:e2:06:14:e6:5f:94:91:a4:2f:8d:50:aa:ca:d1:0d**
< debug1: Host '........' is known and matches the RSA host key.
< debug1: Found key in ......../.ssh/known_hosts:1
< debug2: bits set: 1036/2048
< debug1: ssh_rsa_verify: signature correct
---
> debug2: mac_setup: setup [email protected]
> debug1: kex: server->client aes128-ctr [email protected] none
> debug2: mac_setup: setup [email protected]
> debug1: kex: client->server aes128-ctr [email protected] none
> debug1: sending SSH2_MSG_KEX_ECDH_INIT
> debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
**> debug1: Server host key: ECDSA 8c:84:b3:25:e5:6c:35:53:24:d0:d2:db:66:8f:ce:3d**
> debug1: Host '......' is known and matches the ECDSA host key.
> debug1: Found key in /home/...../.ssh/known_hosts:3
> debug1: ssh_ecdsa_verify: signature correct
64,80c60,70

Answer 2

The problem is solved. It turned out there was some problem with the firewall where the non-connecting client is. After removing it, the client can connect correctly using public key authentication.
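An added example, not part of the original question or answers: a small Python script that pulls the lines identifying the remote endpoint (software banner, host key, allowed authentication methods) out of two `ssh -vv` client logs and reports which of them differ. The excerpts are copied from the two logs on this page; the function names are hypothetical, and the comparison assumes both logs were captured against the same server name.

```python
import re

# Lines in `ssh -vv` client output that identify the endpoint actually reached.
PATTERNS = {
    "remote_software": re.compile(r"remote software version (\S+)"),
    "host_key": re.compile(r"Server host key: (\S+ [0-9a-f:]+)"),
    "auth_methods": re.compile(r"Authentications that can continue: (\S+)"),
}

def endpoint_profile(log_text):
    """Return the first value seen for each identifying field in one log."""
    profile = {}
    for line in log_text.splitlines():
        line = line.strip().strip("*")  # drop bold markers pasted around a line
        for field, rx in PATTERNS.items():
            m = rx.search(line)
            if m and field not in profile:
                profile[field] = m.group(1)
    return profile

def compare_endpoints(log_a, log_b):
    """Return {field: (value_a, value_b)} for each field that differs."""
    a, b = endpoint_profile(log_a), endpoint_profile(log_b)
    return {f: (a.get(f), b.get(f)) for f in PATTERNS if a.get(f) != b.get(f)}

def offers_publickey(profile):
    """True if the server listed publickey among the allowed methods."""
    return "publickey" in profile.get("auth_methods", "").split(",")

# Excerpts copied from the two logs on this page (failing VM, working client).
FAILING = """\
debug1: Remote protocol version 2.0, remote software version xxxxxxx
debug1: Server host key: RSA fb:e2:06:14:e6:5f:94:91:a4:2f:8d:50:aa:ca:d1:0d
****debug1: Authentications that can continue: password****
"""
WORKING = """\
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.7p1-hpn14v5**
debug1: Server host key: ECDSA 8c:84:b3:25:e5:6c:35:53:24:d0:d2:db:66:8f:ce:3d
**debug1: Authentications that can continue: publickey,keyboard-interactive
"""

if __name__ == "__main__":
    for field, (bad, good) in compare_endpoints(FAILING, WORKING).items():
        print(f"{field}: failing={bad!r} working={good!r}")
```

All three fields differ between the two excerpts, and the failing session was never offered `publickey`, so the client had nothing to try its key against.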
