尝试通过 SSH 连接到 Google Cloud Shell 时出现权限被拒绝（公钥）错误

Question

我正在关注 Google Cloud Shell REST API 文档 here，该文档显示使用 users.environments.publicKeys.create 方法将 SSH 公钥添加到我的 Cloud Shell。

我已使用 ssh-keygen 生成公钥/私钥对，并已使用此 API 成功地将公钥添加到我的 Cloud Shell。这样做之后，我可以通过使用 users.environments.get 方法来确认可以访问公钥，以获取显示此公钥的 shell 的详细信息。

每当我尝试使用相应的私钥通过 SSH 连接到我的 Cloud Shell 时，我都会收到错误 Permission denied (publickey).

• 我已尝试使用相同的公钥/私钥对连接到其他服务器，并且工作正常，因此可以排除密钥问题。
• 我已尝试从多个 Windows 和 Linux 客户端进行连接以排除本地文件权限的任何问题，但没有成功。
• 我尝试了多个键，但得到了相同的结果。

这是我尝试从 Ubuntu 机器通过 SSH 连接的输出：

ssh -i .ssh/id_rsa -p 6000 user@devshell-vm-xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx.cloudshell.dev -vvv

OpenSSH_7.2p2 Ubuntu-4ubuntu2.8, OpenSSL 1.0.2g  1 Mar 2016
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug2: resolving "devshell-vm-xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx.cloudshell.dev" port 6000
debug2: ssh_connect_direct: needpriv 0
debug1: Connecting to devshell-vm-xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx.cloudshell.dev [xx.xx.xx.xx] port 6000.
debug1: Connection established.
debug1: identity file .ssh/id_rsa type 1
debug1: key_load_public: No such file or directory
debug1: identity file .ssh/id_rsa-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.8
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.4p1 Debian-10+deb9u6
debug1: match: OpenSSH_7.4p1 Debian-10+deb9u6 pat OpenSSH* compat 0x04000000
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to devshell-vm-xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx.cloudshell.dev:6000 as 'user'
debug3: put_host_port: [devshell-vm-xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx.cloudshell.dev]:6000
debug3: hostkeys_foreach: reading file "/home/local_user/.ssh/known_hosts"
debug3: record_hostkey: found key type RSA in file /home/local_user/.ssh/known_hosts:1
debug3: load_hostkeys: loaded 1 keys from [devshell-vm-xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx.cloudshell.dev]:6000
debug3: order_hostkeyalgs: prefer hostkeyalgs: ssh-rsa-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256,ssh-rsa
debug3: send packet: type 20
debug1: SSH2_MSG_KEXINIT sent
debug3: receive packet: type 20
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,ext-info-c
debug2: host key algorithms: ssh-rsa-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib@openssh.com,zlib
debug2: compression stoc: none,zlib@openssh.com,zlib
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1
debug2: host key algorithms: ssh-rsa,rsa-sha2-512,rsa-sha2-256
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: MACs ctos: hmac-md5,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: hmac-md5,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib@openssh.com
debug2: compression stoc: none,zlib@openssh.com
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug1: kex: algorithm: curve25519-sha256@libssh.org
debug1: kex: host key algorithm: rsa-sha2-512
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug3: send packet: type 30
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug3: receive packet: type 31
debug1: Server host key: ssh-rsa SHA256:oaU6VCSAN/xtJF6bMyDpuffYo6Cqsqsv44JsJ5Z/5/4
debug3: put_host_port: [xx.xx.xx.xx]:6000
debug3: put_host_port: [devshell-vm-xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx.cloudshell.dev]:6000
debug3: hostkeys_foreach: reading file "/home/local_user/.ssh/known_hosts"
debug3: record_hostkey: found key type RSA in file /home/local_user/.ssh/known_hosts:1
debug3: load_hostkeys: loaded 1 keys from [devshell-vm-xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx.cloudshell.dev]:6000
debug3: hostkeys_foreach: reading file "/home/local_user/.ssh/known_hosts"
debug3: record_hostkey: found key type RSA in file /home/local_user/.ssh/known_hosts:2
debug3: load_hostkeys: loaded 1 keys from [xx.xx.xx.xx]:6000
debug1: Host '[devshell-vm-xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx.cloudshell.dev]:6000' is known and matches the RSA host key.
debug1: Found key in /home/local_user/.ssh/known_hosts:1
debug3: send packet: type 21
debug2: set_newkeys: mode 1
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug3: receive packet: type 21
debug1: SSH2_MSG_NEWKEYS received
debug2: set_newkeys: mode 0
debug1: rekey after 134217728 blocks
debug2: key: .ssh/id_rsa (0x56066a887910), explicit
debug3: send packet: type 5
debug3: receive packet: type 7
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>
debug3: receive packet: type 6
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug3: send packet: type 50
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey
debug3: start over, passed a different list publickey
debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: .ssh/id_rsa
debug3: send_pubkey_test
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
Permission denied (publickey).

编辑： sudo grep -i ssh /var/log/auth.log 在我的云外壳中运行的结果：

sshd[569]: rexec line 33: Deprecated option KeyRegenerationInterval
sshd[569]: rexec line 34: Deprecated option ServerKeyBits
sshd[569]: rexec line 45: Deprecated option RSAAuthentication
sshd[569]: rexec line 52: Deprecated option RhostsRSAAuthentication
sshd[569]: reprocess config line 45: Deprecated option RSAAuthentication sshd[569]: reprocess config line 52: Deprecated option RhostsRSAAuthentication sshd[569]: error: Received disconnect from xx.xx.xx.xx port 54590:14: No supported authentication methods available [preauth]
sshd[569]: Disconnected from xx.xx.xx.xx port 54590 [preauth

• 我已验证私钥没有损坏
• 我已验证我连接的用户名与 Cloud Shell 所期望的用户名匹配
• 我已验证 Cloud Shell 系统上的 authorized_keys 文件有权限“rw-r-r”（结果为-rw-r--r-- 1 root root 2584 Aug 26 12:08 /etc/ssh/keys/authorized_keys）

Answer 1

[更新]

运行这些使用alpha SDK 生成/安装 SSH 密钥的命令：

gcloud components install alpha
gcloud alpha cloud-shell ssh --dry-run

然后就可以使用SSH密钥文件~/.ssh/google_compute_engine了。

如果可行，那么您的 SSH 密钥就是问题所在。

[结束更新]

在您的调试输出中，第 87 行和第 88 行：

debug3: send packet: type 50
debug3: receive packet: type 51

第 87 行表示“用户身份验证请求”。 第 88 行表示“用户身份验证失败”。

SSH 服务器拒绝了您的 SSH 密钥。

在 Cloud Shell 中运行此命令以查看 SSHD 的日志。您应该会看到您的 SSH 密钥被拒绝的确切错误：

sudo grep -i ssh /var/log/auth.log

可能的问题/解决方案：

• 本地系统上的私钥损坏。
• 私钥与authorized_keys 中的远程系统公钥不匹配。
• 用户名“user”与远程系统不匹配。
• 远程系统 authorized_keys 上的文件权限不正确（应为 0644 - "rw-r-r"）
• OpenSSH 服务器无法读取 authorized_keys（缺少读取文件权限）。

注意：确保您的私钥 (.ssh/id_rsa) 只能由您读取（任何人都没有写入权限，除您以外的任何人都没有读取权限）- 0400。