I have done a lot of searching on this and can't find anything particularly relevant.

I have many instances grouped across regions, and grouped into various load balancers. One of those groups is an "API" used by various different applications for common and secure tasks.

In the API group we have an instance using an Elastic IP so that we can reliably use cron for tasks like rsync. Someone before me also decided it was a good idea to hard-code this IP into various applications, in typical spaghetti fashion, like the rest of the code... long story short, a very important instance.

The day before yesterday I suddenly could not SSH into it (it was created a year ago). The pem keys for all the other instances work, and those instances have existed for quite some time.

This is the output of the failed connection from trying `ssh -v -i path/file.pem user@ip` from my home computer (yesterday):
    ssh -v -i <path>/<file>.pem <user>@<ip>
    OpenSSH_5.8p1 Debian-7ubuntu1, OpenSSL 1.0.0e 6 Sep 2011
    debug1: Reading configuration data /etc/ssh/ssh_config
    debug1: Applying options for *
    debug1: Connecting to <ip> [<ip>] port 22.
    debug1: Connection established.
    debug1: identity file /home/<user>/.ssh/id_rsa type -1
    debug1: identity file /home/<user>/.ssh/id_rsa-cert type -1
    debug1: identity file /home/<user>/.ssh/id_dsa type -1
    debug1: identity file /home/<user>/.ssh/id_dsa-cert type -1
    debug1: identity file /home/<user>/.ssh/id_ecdsa type -1
    debug1: identity file /home/<user>/.ssh/id_ecdsa-cert type -1
    debug1: Remote protocol version 2.0, remote software version OpenSSH_5.9p1 Debian-5ubuntu1
    debug1: match: OpenSSH_5.9p1 Debian-5ubuntu1 pat OpenSSH*
    debug1: Enabling compatibility mode for protocol 2.0
    debug1: Local version string SSH-2.0-OpenSSH_5.8p1 Debian-7ubuntu1
    debug1: SSH2_MSG_KEXINIT sent
    debug1: SSH2_MSG_KEXINIT received
    debug1: kex: server->client aes128-ctr hmac-md5 none
    debug1: kex: client->server aes128-ctr hmac-md5 none
    debug1: sending SSH2_MSG_KEX_ECDH_INIT
    debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
    debug1: Server host key: ECDSA 75:43:6d:03:43:f5:89:fa:8d:fe:64:e1:39:9a:73:26
    debug1: Host '<ip>' is known and matches the ECDSA host key.
    debug1: Found key in /home/<user>/.ssh/known_hosts:78
    debug1: ssh_ecdsa_verify: signature correct
    debug1: SSH2_MSG_NEWKEYS sent
    debug1: expecting SSH2_MSG_NEWKEYS
    debug1: SSH2_MSG_NEWKEYS received
    debug1: Roaming not allowed by server
    debug1: SSH2_MSG_SERVICE_REQUEST sent
    debug1: SSH2_MSG_SERVICE_ACCEPT received
    debug1: Authentications that can continue: publickey
    debug1: Next authentication method: publickey
    debug1: Offering RSA public key: .ssh/<file>.pem
    debug1: Authentications that can continue: publickey
    debug1: Trying private key: /home/<user>/.ssh/id_rsa
    debug1: Trying private key: /home/<user>/.ssh/id_dsa
    debug1: Trying private key: /home/<user>/.ssh/id_ecdsa
    debug1: No more authentication methods to try.
    Permission denied (publickey).
Finally, after a few hours of searching, I ran `ssh -Tvvv -i path/file.pem user@ip` and, magically, I had a debug connection to the instance.

This was done from a machine at home. I killed the connection and connected normally. No problem. Connected from the office server, no problem.

Today I cannot SSH into the instance from my machine at the office, and none of the converted keys work on this instance either (e.g. the ppk keys used for FileZilla etc.).

This is the -v debug output from the work machine (home machine):
    ssh -v -i <path>/<file>.pem <user>@<ip>
    OpenSSH_5.8p1 Debian-7ubuntu1, OpenSSL 1.0.0e 6 Sep 2011
    debug1: Reading configuration data /etc/ssh/ssh_config
    debug1: Applying options for *
    debug1: Connecting to <ip> [<ip>] port 22.
    debug1: Connection established.
    debug1: identity file /home/<user>/.ssh/<file>.pem type -1
    debug1: identity file /home/<user>/.ssh/<file>.pem-cert type -1
    debug1: Remote protocol version 2.0, remote software version OpenSSH_5.9p1 Debian-5ubuntu1
    debug1: match: OpenSSH_5.9p1 Debian-5ubuntu1 pat OpenSSH*
    debug1: Enabling compatibility mode for protocol 2.0
    debug1: Local version string SSH-2.0-OpenSSH_5.8p1 Debian-7ubuntu1
    debug1: SSH2_MSG_KEXINIT sent
    debug1: SSH2_MSG_KEXINIT received
    debug1: kex: server->client aes128-ctr hmac-md5 none
    debug1: kex: client->server aes128-ctr hmac-md5 none
    debug1: sending SSH2_MSG_KEX_ECDH_INIT
    debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
    debug1: Server host key: ECDSA 75:43:6d:03:43:f5:89:fa:8d:fe:64:e1:39:9a:73:26
    debug1: Host '<ip>' is known and matches the ECDSA host key.
    debug1: Found key in /home/<user>/.ssh/known_hosts:78
    debug1: ssh_ecdsa_verify: signature correct
    debug1: SSH2_MSG_NEWKEYS sent
    debug1: expecting SSH2_MSG_NEWKEYS
    debug1: SSH2_MSG_NEWKEYS received
    debug1: Roaming not allowed by server
    debug1: SSH2_MSG_SERVICE_REQUEST sent
    debug1: SSH2_MSG_SERVICE_ACCEPT received
    debug1: Authentications that can continue: publickey
    debug1: Next authentication method: publickey
    debug1: Offering RSA public key: .ssh/<file>.pem
    debug1: Authentications that can continue: publickey
    debug1: Trying private key: /home/<user>/.ssh/<file>.pem
    debug1: read PEM private key done: type RSA
    debug1: Authentication succeeded (publickey).
    Authenticated to <ip> ([<ip>]:22).
    debug1: channel 0: new [client-session]
    debug1: Requesting no-more-sessions@openssh.com
    debug1: Entering interactive session.
    debug1: Remote: Ignored authorized keys: bad ownership or modes for directory /home/<user>
    debug1: Sending environment.
    debug1: Sending env LANG = en_US.UTF-8
    Welcome to blah...
All permissions on the keys are the same for the instances and for the machines connecting to them.

Does anyone have any idea what can be done to correct this?

Thanks, David

– EDIT –

This is the -v debug output from the work machine, which still will not establish an SSH connection.

I also recently cleared the known hosts on this machine.
    ssh -v -i <path>/<file>.pem <user>@<ip>
    OpenSSH_6.0p1 Debian-3ubuntu1, OpenSSL 1.0.1c 10 May 2012
    debug1: Reading configuration data /etc/ssh/ssh_config
    debug1: /etc/ssh/ssh_config line 19: Applying options for *
    debug1: Connecting to <ip> [<ip>] port 22.
    debug1: Connection established.
    debug1: identity file /home/<user>/.ssh/<file>.pem type -1
    debug1: identity file /home/<user>/.ssh/<file>.pem-cert type -1
    debug1: Remote protocol version 2.0, remote software version OpenSSH_5.9p1 Debian-5ubuntu1
    debug1: match: OpenSSH_5.9p1 Debian-5ubuntu1 pat OpenSSH_5*
    debug1: Enabling compatibility mode for protocol 2.0
    debug1: Local version string SSH-2.0-OpenSSH_6.0p1 Debian-3ubuntu1
    debug1: SSH2_MSG_KEXINIT sent
    debug1: SSH2_MSG_KEXINIT received
    debug1: kex: server->client aes128-ctr hmac-md5 none
    debug1: kex: client->server aes128-ctr hmac-md5 none
    debug1: sending SSH2_MSG_KEX_ECDH_INIT
    debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
    debug1: Server host key: ECDSA 75:43:6d:03:43:f5:89:fa:8d:fe:64:e1:39:9a:73:26
    debug1: Host '<ip>' is known and matches the ECDSA host key.
    debug1: Found key in /home/<user>/.ssh/known_hosts:1
    debug1: ssh_ecdsa_verify: signature correct
    debug1: SSH2_MSG_NEWKEYS sent
    debug1: expecting SSH2_MSG_NEWKEYS
    debug1: SSH2_MSG_NEWKEYS received
    debug1: Roaming not allowed by server
    debug1: SSH2_MSG_SERVICE_REQUEST sent
    debug1: SSH2_MSG_SERVICE_ACCEPT received
    debug1: Authentications that can continue: publickey
    debug1: Next authentication method: publickey
    debug1: Trying private key: /home/<user>/.ssh/<file>.pem
    debug1: read PEM private key done: type RSA
    debug1: Authentications that can continue: publickey
    debug1: No more authentication methods to try.
    Permission denied (publickey).
I want to reiterate that, regardless of whether an ssh connection can be established, none of the converted keys work for sftp. Specifically, the .ppk keys converted for use in FileZilla. Likewise, the .ppk works on all the other instances, apart from the problem child... it works too.

– EDIT 2 –

The machine I was able to connect from rebooted, and I can no longer connect with it.

Here is your problem:
    debug1: Remote: Ignored authorized keys: bad ownership or modes for directory /home/<user>
The user's home directory must not be group- or world-writable, and the .ssh directory and .ssh/authorized_keys must be readable only by the user. Once you have fixed the permissions you should find your login works again.
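The check sshd performs before it will read authorized_keys, reproduced as a small shell script so it can be run against a home directory before (or instead of) reading sshd's debug output. This is an added example, not code from the original post or from OpenSSH. It assumes the rules stated in the answer above: the home directory must not be group- or world-writable, and .ssh and .ssh/authorized_keys must carry no group/other permission bits (the conventional 700 and 600), all owned by the same user as the home directory. The script name ssh_perms.sh and the helper names are assumptions.

```bash
#!/bin/bash
# Added example (not from the original post): reproduce the check behind
# sshd's "bad ownership or modes" message for one home directory, and
# repair it. Assumed rules: home, .ssh and .ssh/authorized_keys share an
# owner; home has no group/world write bit; .ssh and authorized_keys have
# no group/other bits at all (conventional 700 / 600).

# Octal mode of a path; GNU stat first, BSD/macOS stat as fallback.
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1"
}

# Numeric owner uid of a path, same two stat flavours.
uid_of() {
    stat -c '%u' "$1" 2>/dev/null || stat -f '%u' "$1"
}

# check_ssh_perms HOME_DIR
# Prints one line per problem found; returns 0 when sshd would accept
# the layout, 1 otherwise (including when .ssh or authorized_keys is absent).
check_ssh_perms() {
    local home="$1" rc=0 owner mode path
    [ -d "$home" ] || { echo "no such home directory: $home"; return 1; }
    owner=$(uid_of "$home")

    # Home directory: any group or world write bit (octal 022) is fatal.
    mode=$(mode_of "$home")
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "$home: group- or world-writable (mode $mode)"
        rc=1
    fi

    # .ssh and authorized_keys: must exist, same owner, no group/other bits (077).
    for path in "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$path" ]; then
            echo "$path: missing"
            rc=1
            continue
        fi
        if [ "$(uid_of "$path")" != "$owner" ]; then
            echo "$path: not owned by uid $owner"
            rc=1
        fi
        mode=$(mode_of "$path")
        if [ $(( 0$mode & 077 )) -ne 0 ]; then
            echo "$path: accessible to group/others (mode $mode)"
            rc=1
        fi
    done
    return $rc
}

# fix_ssh_perms HOME_DIR
# Apply the conventional repair. Ownership is deliberately left alone:
# chown needs root and the correct uid is site-specific.
fix_ssh_perms() {
    local home="$1"
    chmod g-w,o-w "$home" &&
    chmod 700 "$home/.ssh" &&
    chmod 600 "$home/.ssh/authorized_keys"
}

# Stand-alone use: ./ssh_perms.sh /home/<user>
if [ "$#" -gt 0 ]; then
    if check_ssh_perms "$1"; then
        echo "$1: ok"
    else
        echo "$1: problems found; run fix_ssh_perms to repair"
    fi
fi
```

Run it as the affected user against their own home directory; every line it prints corresponds to one condition that makes sshd silently ignore authorized_keys, which is why the client only ever sees "Permission denied (publickey)" and the real reason appears nowhere but in sshd's own debug line.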
In my experience I have learned to kill misbehaving ec2 instances with extreme prejudice. Since your key works on your other instances but not on this particular one, I would treat it as a messed-up instance. If you really need the data on that server, you can shut it down, mount the EBS volume on another instance, and do the recovery from there.