为什么将公钥添加到授权主机后`ssh`不起作用？答案

【问题标题】：Why is `ssh` not working after adding public key to authorized hosts?为什么将公钥添加到授权主机后`ssh`不起作用？
【发布时间】：2017-08-19 07:38:11
【问题描述】：

我有一个集群，有一个主节点和一个从节点。我想在主节点和从节点之间进行 ssh。

现在，我可以使用我的私钥：ssh -i ~/.ssh/id_rsa ec2-user@<IP> 从本地机器和从我的主节点直接进入从节点的ssh。我被要求输入密码，然后我输入密码，就可以从我的本地机器和我的开发主机访问从节点。

理想情况下，我想从 dev master 上的 ~/.ssh 目录中删除我的私有 id_rsa 密钥，并且只在主节点和从节点之间来回使用我的公钥 id_rsa.pub 到 ssh。（这是出于安全原因，而且应该没那么难，对吧？）。

所以，我将我的公钥id_rsa.pub 添加到从节点上的authorized_keys。现在，当我尝试从主节点 ssh 到从节点时，它要求我输入 id_rsa.pub 的密码：

ssh -i ~/.ssh/id_rsa.pub ec2-user@<IP>
Enter passphrase for key '~/.ssh/id_rsa.pub'

而且，我输入了与id_rsa 相同的密码，但该密码失败。 :/ （我也试过按回车键（无密码））也不起作用。

对此我有两个问题：

1) 为什么id_rsa.pub的密码和id_rsa的密码不一样？
2) 为什么我的公钥id_rsa.pub添加到authorized_keys文件后，不能ssh到从节点？

当我尝试从我的主服务器 ssh 到我的从服务器时，将公钥添加到 ~/.ssh/authorized_keys 这是详细输出：

debug2: ssh_connect: needpriv0
debug1: Connecting to <ip> [<ip>] port 22.
debug1: Connection established.
debug1: identity file /home/ec2-user/.ssh/identity type -1
debug3: Not a RSA1 key file /home/ec2-user/.ssh/id_rsa.
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug3: key_read: missing keytype
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug2: key_type_from_name: unknown key type '-----END'
debug3: key_read: missing keytype
debug1: identity file /home/ec2-user/.ssh/id_rsa type 1
debug1: identity file /home/ec2-user/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
debug1: match: OpenSSH_5.3 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.3
debug2: fd 3 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
debug3: Wrote 792 bytes for a total of 813
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: first_kex_follows 0 
debug2: kex_parse_kexinit: reserved 0 
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: first_kex_follows 0 
debug2: kex_parse_kexinit: reserved 0 
debug2: mac_setup: found hmac-md5
debug1: kex: server->client aes128-ctr hmac-md5 none
debug2: mac_setup: found hmac-md5
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug3: Wrote 24 bytes for a total of 837
debug2: dh_gen_key: priv key bits set: 138/256
debug2: bits set: 508/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug3: Wrote 144 bytes for a total of 981
debug3: check_host_in_hostfile: filename /home/ec2-user/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 1
debug1: Host '<ip>' is known and matches the RSA host key.
debug1: Found key in /home/ec2-user/.ssh/known_hosts:1
debug2: bits set: 521/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug3: Wrote 16 bytes for a total of 997
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug3: Wrote 48 bytes for a total of 1045
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /home/ec2-user/.ssh/identity ((nil))
debug2: key: /home/ec2-user/.ssh/id_rsa (0x7f2d4970bf40)
debug2: key: /home/ec2-user/.ssh/id_dsa ((nil))
debug3: Wrote 64 bytes for a total of 1109
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug3: start over, passed a different list publickey,gssapi-keyex,gssapi-with-mic
debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup gssapi-keyex
debug3: remaining preferred: gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-keyex
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug2: we did not send a packet, disable method
debug3: authmethod_lookup gssapi-with-mic
debug3: remaining preferred: publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-with-mic
debug1: Next authentication method: gssapi-with-mic
debug3: Trying to reverse map address <ip>.
debug1: Unspecified GSS failure.  Minor code may provide more information
Server krbtgt/US-WEST-2.COMPUTE.INTERNAL@host.COM not found in Kerberos database
debug2: we sent a gssapi-with-mic packet, wait for reply
debug3: Wrote 96 bytes for a total of 1205
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug2: we did not send a packet, disable method
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /home/ec2-user/.ssh/identity
debug3: no such identity: /home/ec2-user/.ssh/identity
debug1: Offering public key: /home/ec2-user/.ssh/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug3: Wrote 368 bytes for a total of 1573
debug1: Server accepts key: pkalg ssh-rsa blen 277
debug2: input_userauth_pk_ok: SHA1 fp df:e5:5b:18:67:05:8b:4d:06:6c:f9:99:c3:b5:2b:9f:4e:f2:52:8a
debug3: sign_and_send_pubkey
debug1: read PEM private key done: type RSA
debug3: Wrote 640 bytes for a total of 2213
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug1: Trying private key: /home/ec2-user/.ssh/id_dsa
debug3: no such identity: /home/ec2-user/.ssh/id_dsa
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
Permission denied (publickey,gssapi-keyex,gssapi-with-mic).

当我的公钥被添加为authorized_keys 时，我不知道为什么它不允许我 ssh 进入从节点。

或者，如果在主节点和从节点之间有更简单的ssh 方法，我也会对此持开放态度。谢谢。

【问题讨论】：

你chmod 600 ~/.ssh/authorized_keys了吗？
是的，我按照这个问题做了：askubuntu.com/questions/110814/…谢谢！！
太棒了！你能支持我的答案，那么它就是你问题的正确答案！ :) 谢谢
请将您的问题移至Super User（在此处删除，在此处重新发布）。这里是off-topic。

标签： ssh amazon-ec2 ssh-keys pem

【解决方案1】：

公钥和私钥是锁定密钥对。你的公钥不是钥匙，而是一把锁。您可以将该锁交给任何人，但不能将您的私钥交给任何人。你的服务器有那个锁。如下面评论中所述，您无法用锁打开锁。使用ssh -i privatekey ip@aws 将起作用。不是ssh -i publickey ip@aws。

【讨论】：

即使按照您向我展示的那样设置了这些权限，我仍然遇到同样的问题。
好的我明白了，我现在明白你的问题了。您的节点在 authorized_keys 中有一个公钥。将公钥视为锁，将私钥视为钥匙。只有你应该有那把私钥，你不能用锁打开锁。您通过输入ssh -i id_rsa.pub ip@aws 进行尝试，您必须使用私钥来匹配已授权的公钥。
您能否编辑或删除您的答案，因为它不相关？
更新答案。
按照这个逻辑，我需要在我的开发主机上拥有我的私钥id_rsa，以便ssh 进入从机。我认为这不起作用，因为如果我允许其他人（同事等）访问我的开发大师进行协作，那么他/她将拥有我的私人 id_rsa 密钥。我需要能够在不使用我的私钥id_rsa 的情况下在我的主从之间进行 ssh，因为我不想与我的同事分享它。

【解决方案2】：

ssh -i ~/.ssh/id_rsa.pub ec2-user@<IP>

你应该在这里使用私钥。不是公开的。 SSH 在最近的几个版本中是错误的asking passphrase for quite everything，但现在应该修复了。

2) 为什么我的公钥 id_rsa.pub 添加到 authorized_keys 文件后，不能 ssh 到从节点？

密钥可能设置错误。在调试模式下运行客户端和服务器（ssh_confing 和sshd_config 中的LogLevel DEBUG3）并查看日志。如果您无法从中找到答案，请使用日志更新问题。

debug1: Server accepts key: pkalg ssh-rsa blen 277
debug2: input_userauth_pk_ok: SHA1 fp df:e5:5b:18:67:05:8b:4d:06:6c:f9:99:c3:b5:2b:9f:4e:f2:52:8a
debug3: sign_and_send_pubkey
debug1: read PEM private key done: type RSA
debug3: Wrote 640 bytes for a total of 2213
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic

上面的日志表明密钥已被接受，但不足以授予您对该服务器的访问权限。更多信息将显示在服务器日志中。

【讨论】：

由于某种原因，我在/etc/ssh 没有sshd_config 文件。而且，我不确定如何以不同的方式设置密钥。但无论如何，让我在我的问题中发布日志。
（对了，loglevel不用改，ssh -vvv <user>@<ip>就行了）
我为客户端日志添加了 cmets。服务器日志仍然会回答缺失的问题。