SSH 免密钥登录, Mac 登录 VPS(Ubuntu)可以,登录另一个 Mac 始终失败

2022-11-24 01:38:04 +08:00
 youthfire
完全相同的公钥私钥操作流程
ssh-keygen -t rsa 后,公钥已经上传,且完成 chmod 目录 700 和密钥 600

连接一台远端 vps(ubuntu 22.04),一切正常,不再需要密钥
但连接本地局域网另一台 mbp ,始终要求输入密钥。server/client 都是 MacOs Monterey 12.6.1

求助!

tim@tim_s-mbp ~ % ssh -v hilary@hilarymac.local
OpenSSH_8.6p1, LibreSSL 3.3.6
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 21: include /etc/ssh/ssh_config.d/* matched no files
debug1: /etc/ssh/ssh_config line 54: Applying options for *
debug1: Authenticator provider $SSH_SK_PROVIDER did not resolve; disabling
debug1: Connecting to hilarymac.local port 22.
debug1: Connection established.
debug1: identity file /Users/tim/.ssh/id_rsa type 0
debug1: identity file /Users/tim/.ssh/id_rsa-cert type -1
debug1: identity file /Users/tim/.ssh/id_dsa type -1
debug1: identity file /Users/tim/.ssh/id_dsa-cert type -1
debug1: identity file /Users/tim/.ssh/id_ecdsa type -1
debug1: identity file /Users/tim/.ssh/id_ecdsa-cert type -1
debug1: identity file /Users/tim/.ssh/id_ecdsa_sk type -1
debug1: identity file /Users/tim/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file /Users/tim/.ssh/id_ed25519 type -1
debug1: identity file /Users/tim/.ssh/id_ed25519-cert type -1
debug1: identity file /Users/tim/.ssh/id_ed25519_sk type -1
debug1: identity file /Users/tim/.ssh/id_ed25519_sk-cert type -1
debug1: identity file /Users/tim/.ssh/id_xmss type -1
debug1: identity file /Users/tim/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.6
debug1: Remote protocol version 2.0, remote software version OpenSSH_8.6
debug1: compat_banner: match: OpenSSH_8.6 pat OpenSSH* compat 0x04000000
debug1: Authenticating to hilarymac.local:22 as 'hilary'
debug1: load_hostkeys: fopen /Users/tim/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ssh-ed25519
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: SSH2_MSG_KEX_ECDH_REPLY received
debug1: Server host key: ssh-ed25519 SHA256:xECOJFQQ3Rwk4Xg9QeD3yGZTE7ud71XhuBHGG/X0KPQ
debug1: load_hostkeys: fopen /Users/tim/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: Host 'hilarymac.local' is known and matches the ED25519 host key.
debug1: Found key in /Users/tim/.ssh/known_hosts:12
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 134217728 blocks
debug1: Will attempt key: /Users/tim/.ssh/id_rsa RSA SHA256:uQhIb4LRrWFgk1EXuSBggqhaUsaaJYgzXDODnB2k810 agent
debug1: Will attempt key: /Users/tim/.ssh/id_dsa
debug1: Will attempt key: /Users/tim/.ssh/id_ecdsa
debug1: Will attempt key: /Users/tim/.ssh/id_ecdsa_sk
debug1: Will attempt key: /Users/tim/.ssh/id_ed25519
debug1: Will attempt key: /Users/tim/.ssh/id_ed25519_sk
debug1: Will attempt key: /Users/tim/.ssh/id_xmss
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,sk-ssh-ed25519@openssh.com,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp256@openssh.com,webauthn-sk-ecdsa-sha2-nistp256@openssh.com>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Offering public key: /Users/tim/.ssh/id_rsa RSA SHA256:uQhIb4LRrWFgk1EXuSBggqhaUsaaJYgzXDODnB2k810 agent
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Trying private key: /Users/tim/.ssh/id_dsa
debug1: Trying private key: /Users/tim/.ssh/id_ecdsa
debug1: Trying private key: /Users/tim/.ssh/id_ecdsa_sk
debug1: Trying private key: /Users/tim/.ssh/id_ed25519
debug1: Trying private key: /Users/tim/.ssh/id_ed25519_sk
debug1: Trying private key: /Users/tim/.ssh/id_xmss
debug1: Next authentication method: keyboard-interactive
(hilary@hilarymac.local) Password:
2256 次点击
所在节点    VPS
31 条回复
adoal
2022-11-24 01:46:42 +08:00
看看 Mac 服务器端的日志
crab
2022-11-24 01:54:26 +08:00
试下是不是这个原因

ssh-add --apple-use-keychain ~/.ssh/[your-private-key]
youthfire
2022-11-24 02:12:17 +08:00
@adoal 抱歉我不是很熟悉,如果是指 /var/log/system.log 里 sshd 相关信息的话,检查了似乎没有
@crab 谢谢帮助,我成功添加了,但还是始终提示需要密钥
dingwen07
2022-11-24 03:22:56 +08:00
确认远程 Mac 的 SSH 设置是否允许该用户登录(在共享里面),默认是只允许管理员通过 SSH 登录的
yaoyao1128
2022-11-24 06:31:00 +08:00
看 sshd 的啰嗦模式信息
hawhaw
2022-11-24 07:31:43 +08:00
在 server 端用 -p 参数另外指定一个新端口再开一个 sshd ,注意加上调试参数(具体是啥要查下,我忘了),然后客户端再连这个新的 sshd 。
再在服务端应该能看到详细的日志,里面肯定有报错信息,见招拆招吧
churchmice
2022-11-24 08:14:24 +08:00
确认 ubuntu 和远端 mac 的.ssh 文件夹内容都是一样的?
churchmice
2022-11-24 08:21:04 +08:00
另外 debug 信息要多点,多加点-v
ssh -vvvvvvv 这种
ETiV
2022-11-24 08:29:42 +08:00
再仔细检查一下对端 authorized_keys 有没有漏输入什么的,我时常 vim 粘贴前忘了按下 i ,就会丢掉第一个 s ,贴进去的就是 sh-rsa xxxxx…
xinge666
2022-11-24 08:56:05 +08:00
22.04 的 sshd 是 8.9 版本,而 8.8 以后不再禁用 RSA 算法了,换 ed25519 试试
PbCopy111
2022-11-24 08:58:47 +08:00
第一步,生成密钥的时候使用 ssh-keygen -t ed25519 这个命令试试看,如果成功了,自己查吧。
youthfire
2022-11-24 10:24:19 +08:00
目前已经尝试:
@xinge666 @PbCopy111 已经用 ed25519 重新生成,放到 vps(ubuntu 22.04)上,依旧成功免密登录,但放到 MacOs 上依然失败。同时结合了 @crab @dingwen07 的建议,已经添加到 keychain ,且 remote login 临时设置允许对象为 full ,仍然要求密钥。 @ETiV 用的 cp id_ed25519.pub .ssh/authorized_keys ,所以应该没有手工输入的错误,也谢谢建议。

服务器端和啰嗦模式,我都不熟悉怎么弄,再研究一下,谢谢大家!
ETiV
2022-11-24 10:49:59 +08:00
看来是真的不懂😂
你直接 cp 会把原来的 keys 覆盖掉的,不知道你备份了没有…

应该 cat key.pub >> ~/.ssh/authorized_keys
npe
2022-11-24 10:51:42 +08:00
ssh-copy-id 试试
youthfire
2022-11-24 10:55:56 +08:00
@ETiV 你是指 authorized_keys 可以存放多 keys 是么?学习了,好在里面就这一个,以前没配置过。
youthfire
2022-11-24 11:00:56 +08:00
@npe 这个试过了,也是一样结果,谢谢帮助。不过 ssh-copy-id 确实比手工方便。
ETiV
2022-11-24 12:38:41 +08:00
是的,可以放多个。

你看下 ssh-add -L 会输出你现有的公钥不,这里边的公钥应该出现在远程电脑的 .ssh/authorized_keys 里

然后确认下使用 IP 访问行不行,而不要用 .local 的 hostname
再者,确认下用户名的大小写,Mac 的 GUI 上显示的名字是可以和 HOME 账号名不一样的,你应该用 `basename $HOME` 显示的名字去登
youthfire
2022-11-24 14:09:59 +08:00
@ETiV 感谢帮助
ssh-add -L 显示 The agent has no identities.
在远程电脑里,用 vi 查看,可以看到公钥信息已经出现在 authorized_keys 中
ip 访问也是相同的结果,始终会要密码
用 basename $HOME 看了,用户名没问题

额外的调试:(不知道有没有用)
服务器端关闭 remote login(sharing),然后 terminal 运行 /usr/ssh/sshd -d 看了 verbose output
显示:
hilary@hilary_s-mbp ~ % /usr/sbin/sshd -d
debug1: sshd version OpenSSH_8.6, LibreSSL 3.3.6
debug1: Unable to load host key: /etc/ssh/ssh_host_rsa_key
debug1: Unable to load host key: /etc/ssh/ssh_host_ecdsa_key
debug1: Unable to load host key: /etc/ssh/ssh_host_ed25519_key
sshd: no hostkeys available -- exiting.
ETiV
2022-11-24 15:49:59 +08:00
情况比较复杂 😂

你自己客户端侧的 Mac 上执行一下:ssh-add -K $HOME/.ssh/id_XXX ,把私钥先都加进 keychain 里,再尝试 ssh 连上去。

如果还不行,你 ssh 的时候 用 -i ~/.ssh/id_XXX 指定一个私钥去连。。。
tudou1514
2022-11-24 16:57:29 +08:00
Mac 终端打开 vim .ssh/config
加上
HostkeyAlgorithms +ssh-rsa
PubkeyAcceptedKeyTypes +ssh-rsa
或者 ssh-keygen -t ecdsa -b 521 生成新的密钥对,ed25519 也可

这是一个专为移动设备优化的页面(即为了让你能够在 Google 搜索结果里秒开这个页面),如果你希望参与 V2EX 社区的讨论,你可以继续到 V2EX 上打开本讨论主题的完整版本。

https://www.v2ex.com/t/897479

V2EX 是创意工作者们的社区,是一个分享自己正在做的有趣事物、交流想法,可以遇见新朋友甚至新机会的地方。

V2EX is a community of developers, designers and creative people.

© 2021 V2EX