问题[ssh-keys](computer)

我需要配置一个脚本来将一些文件从一个 Ubuntu 服务器复制到另一个。远程服务器上的authorized_keys中允许使用密钥。

我正在尝试配置此脚本：

#!/bin/sh

#Monitoring
for i in 192.168.0.10 192.168.0.11;
do
  su user1 -l -c "scp -oStrictHostKeyChecking=accept-new -oPasswordAuthentication=no -oBindAddress=0.0.0.0 -q -r /tmp/log/*log user1@${i}:/data/logs/"
done

我收到此日志：

Executing: program /usr/bin/ssh host 192.168.0.10, user user1, command scp -v -r -d -t /data/logs/
lost connection

我可以使用我在远程服务器上的帐户进行连接。但是当我尝试运行脚本时，日志是：

OpenSSH_8.2p1 Ubuntu-4ubuntu0.1, OpenSSL 1.1.1f  31 Mar 2020
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 4: Applying options for *
debug2: resolve_canonicalize: hostname 192.168.0.10 is address
debug2: ssh_connect_direct
debug1: Connecting to 192.168.0.10 [192.168.0.10] port 22.
debug1: Connection established.
debug1: identity file /data/user1/.ssh/id_rsa type -1
debug1: identity file /data/user1/.ssh/id_rsa-cert type -1
debug1: identity file /data/user1/.ssh/id_dsa type -1
debug1: identity file /data/user1/.ssh/id_dsa-cert type -1
debug1: identity file /data/user1/.ssh/id_ecdsa type -1
debug1: identity file /data/user1/.ssh/id_ecdsa-cert type -1
debug1: identity file /data/user1/.ssh/id_ecdsa_sk type -1
debug1: identity file /data/user1/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file /data/user1/.ssh/id_ed25519 type -1
debug1: identity file /data/user1/.ssh/id_ed25519-cert type -1
debug1: identity file /data/user1/.ssh/id_ed25519_sk type -1
debug1: identity file /data/user1/.ssh/id_ed25519_sk-cert type -1
debug1: identity file /data/user1/.ssh/id_xmss type -1
debug1: identity file /data/user1/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.1
debug1: Remote protocol version 2.0, remote software version OpenSSH_8.2p1 Ubuntu-4ubuntu0.3
debug1: match: OpenSSH_8.2p1 Ubuntu-4ubuntu0.3 pat OpenSSH* compat 0x04000000
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to 192.168.0.10:22 as 'user1'
debug3: hostkeys_foreach: reading file "/data/user1/.ssh/known_hosts"
debug3: record_hostkey: found key type RSA in file /data/user1/.ssh/known_hosts:7
debug3: load_hostkeys: loaded 1 keys from 192.168.0.10
debug3: order_hostkeyalgs: prefer hostkeyalgs: [email protected],[email protected],[email protected],rsa-sha2-512,rsa-sha2-256,ssh-rsa
debug3: send packet: type 20
debug1: SSH2_MSG_KEXINIT sent
debug3: receive packet: type 20
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,ext-info-c
debug2: host key algorithms: [email protected],[email protected],[email protected],rsa-sha2-512,rsa-sha2-256,ssh-rsa,[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,[email protected],ssh-ed25519,[email protected]
debug2: ciphers ctos: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]
debug2: ciphers stoc: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]
debug2: MACs ctos: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,[email protected],zlib
debug2: compression stoc: none,[email protected],zlib
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: [email protected],diffie-hellman-group-exchange-sha256
debug2: host key algorithms: rsa-sha2-512,rsa-sha2-256,ssh-rsa
debug2: ciphers ctos: [email protected],[email protected],[email protected],aes256-ctr,aes192-ctr,aes128-ctr
debug2: ciphers stoc: [email protected],[email protected],[email protected],aes256-ctr,aes192-ctr,aes128-ctr
debug2: MACs ctos: [email protected],[email protected],[email protected],hmac-sha2-512,hmac-sha2-256,[email protected]
debug2: MACs stoc: [email protected],[email protected],[email protected],hmac-sha2-512,hmac-sha2-256,[email protected]
debug2: compression ctos: none,[email protected]
debug2: compression stoc: none,[email protected]
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug1: kex: algorithm: [email protected]
debug1: kex: host key algorithm: rsa-sha2-512
debug1: kex: server->client cipher: [email protected] MAC: <implicit> compression: none
debug1: kex: client->server cipher: [email protected] MAC: <implicit> compression: none
debug3: send packet: type 30
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug3: receive packet: type 31
debug1: Server host key: ssh-rsa SHA256:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
debug3: hostkeys_foreach: reading file "/data/user1/.ssh/known_hosts"
debug3: record_hostkey: found key type RSA in file /data/user1/.ssh/known_hosts:7
debug3: load_hostkeys: loaded 1 keys from 192.168.0.10
debug1: Host '192.168.0.10' is known and matches the RSA host key.
debug1: Found key in /data/user1/.ssh/known_hosts:7
debug3: send packet: type 21
debug2: set_newkeys: mode 1
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug3: receive packet: type 21
debug1: SSH2_MSG_NEWKEYS received
debug2: set_newkeys: mode 0
debug1: rekey in after 134217728 blocks
debug1: Will attempt key: /data/user1/.ssh/id_rsa
debug1: Will attempt key: /data/user1/.ssh/id_dsa
debug1: Will attempt key: /data/user1/.ssh/id_ecdsa
debug1: Will attempt key: /data/user1/.ssh/id_ecdsa_sk
debug1: Will attempt key: /data/user1/.ssh/id_ed25519
debug1: Will attempt key: /data/user1/.ssh/id_ed25519_sk
debug1: Will attempt key: /data/user1/.ssh/id_xmss
debug2: pubkey_prepare: done
debug3: send packet: type 5
debug3: receive packet: type 7
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,[email protected],ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,[email protected]>
debug3: receive packet: type 6
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug3: send packet: type 50
debug3: receive packet: type 53
debug3: input_userauth_banner
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,password
debug3: start over, passed a different list publickey,password
debug3: preferred gssapi-with-mic,publickey,keyboard-interactive
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /data/user1/.ssh/id_rsa
debug3: sign_and_send_pubkey: RSA SHA256:yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy
debug3: sign_and_send_pubkey: signing using rsa-sha2-512 SHA256:yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
Connection closed by 192.168.0.10 port 22

这是我可以毫无问题地访问的另一台服务器的日志：

OpenSSH_8.2p1 Ubuntu-4ubuntu0.1, OpenSSL 1.1.1f  31 Mar 2020
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 4: Applying options for *
debug2: resolve_canonicalize: hostname 192.168.0.11 is address
debug2: ssh_connect_direct
debug1: Connecting to 192.168.0.11 [192.168.0.11] port 22.
debug1: Connection established.
debug1: identity file /data/user1/.ssh/id_rsa type -1
debug1: identity file /data/user1/.ssh/id_rsa-cert type -1
debug1: identity file /data/user1/.ssh/id_dsa type -1
debug1: identity file /data/user1/.ssh/id_dsa-cert type -1
debug1: identity file /data/user1/.ssh/id_ecdsa type -1
debug1: identity file /data/user1/.ssh/id_ecdsa-cert type -1
debug1: identity file /data/user1/.ssh/id_ecdsa_sk type -1
debug1: identity file /data/user1/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file /data/user1/.ssh/id_ed25519 type -1
debug1: identity file /data/user1/.ssh/id_ed25519-cert type -1
debug1: identity file /data/user1/.ssh/id_ed25519_sk type -1
debug1: identity file /data/user1/.ssh/id_ed25519_sk-cert type -1
debug1: identity file /data/user1/.ssh/id_xmss type -1
debug1: identity file /data/user1/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.1
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.7p1 Debian-5+deb8u4
debug1: match: OpenSSH_6.7p1 Debian-5+deb8u4 pat OpenSSH* compat 0x04000000
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to 192.168.0.11:22 as 'user1'
debug3: hostkeys_foreach: reading file "/data/user1/.ssh/known_hosts"
debug3: record_hostkey: found key type RSA in file /data/user1/.ssh/known_hosts:2
debug3: load_hostkeys: loaded 1 keys from 192.168.0.11
debug3: order_hostkeyalgs: prefer hostkeyalgs: [email protected],[email protected],[email protected],rsa-sha2-512,rsa-sha2-256,ssh-rsa
debug3: send packet: type 20
debug1: SSH2_MSG_KEXINIT sent
debug3: receive packet: type 20
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,ext-info-c
debug2: host key algorithms: [email protected],[email protected],[email protected],rsa-sha2-512,rsa-sha2-256,ssh-rsa,[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,[email protected],ssh-ed25519,[email protected]
debug2: ciphers ctos: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]
debug2: ciphers stoc: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]
debug2: MACs ctos: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,[email protected],zlib
debug2: compression stoc: none,[email protected],zlib
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: [email protected],diffie-hellman-group-exchange-sha256
debug2: host key algorithms: ssh-rsa,ssh-dss
debug2: ciphers ctos: [email protected],[email protected],[email protected],aes256-ctr,aes192-ctr,aes128-ctr
debug2: ciphers stoc: [email protected],[email protected],[email protected],aes256-ctr,aes192-ctr,aes128-ctr
debug2: MACs ctos: [email protected],[email protected],[email protected],[email protected],hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,[email protected]
debug2: MACs stoc: [email protected],[email protected],[email protected],[email protected],hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,[email protected]
debug2: compression ctos: none,[email protected]
debug2: compression stoc: none,[email protected]
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug1: kex: algorithm: [email protected]
debug1: kex: host key algorithm: ssh-rsa
debug1: kex: server->client cipher: [email protected] MAC: <implicit> compression: none
debug1: kex: client->server cipher: [email protected] MAC: <implicit> compression: none
debug3: send packet: type 30
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug3: receive packet: type 31
debug1: Server host key: ssh-rsa SHA256:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
debug3: hostkeys_foreach: reading file "/data/user1/.ssh/known_hosts"
debug3: record_hostkey: found key type RSA in file /data/user1/.ssh/known_hosts:2
debug3: load_hostkeys: loaded 1 keys from 192.168.0.11
debug1: Host '192.168.0.11' is known and matches the RSA host key.
debug1: Found key in /data/user1/.ssh/known_hosts:2
debug3: send packet: type 21
debug2: set_newkeys: mode 1
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug3: receive packet: type 21
debug1: SSH2_MSG_NEWKEYS received
debug2: set_newkeys: mode 0
debug1: rekey in after 134217728 blocks
debug1: Will attempt key: /data/user1/.ssh/id_rsa
debug1: Will attempt key: /data/user1/.ssh/id_dsa
debug1: Will attempt key: /data/user1/.ssh/id_ecdsa
debug1: Will attempt key: /data/user1/.ssh/id_ecdsa_sk
debug1: Will attempt key: /data/user1/.ssh/id_ed25519
debug1: Will attempt key: /data/user1/.ssh/id_ed25519_sk
debug1: Will attempt key: /data/user1/.ssh/id_xmss
debug2: pubkey_prepare: done
debug3: send packet: type 5
debug3: receive packet: type 6
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug3: send packet: type 50
debug3: receive packet: type 53
debug3: input_userauth_banner
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,password
debug3: start over, passed a different list publickey,password
debug3: preferred gssapi-with-mic,publickey,keyboard-interactive
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /data/user1/.ssh/id_rsa
debug3: sign_and_send_pubkey: RSA SHA256:yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy
debug3: sign_and_send_pubkey: signing using ssh-rsa SHA256:yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 52
debug1: Authentication succeeded (publickey).
Authenticated to 192.168.0.11 ([192.168.0.11]:22).
debug1: channel 0: new [client-session]
debug3: ssh_session2_open: channel_new: 0
debug2: channel 0: send open
debug3: send packet: type 90
debug1: Requesting [email protected]
debug3: send packet: type 80
debug1: Entering interactive session.
debug1: pledge: network
debug3: receive packet: type 91
debug2: channel_input_open_confirmation: channel 0: callback start
debug2: fd 3 setting TCP_NODELAY
debug3: ssh_packet_set_tos: set IP_TOS 0x10
debug2: client_session2_setup: id 0
debug2: channel 0: request pty-req confirm 1
debug3: send packet: type 98
debug1: Sending environment.
debug3: Ignored env SHELL
debug3: Ignored env PWD
debug3: Ignored env LOGNAME
debug3: Ignored env HOME
debug3: Ignored env TERM
debug3: Ignored env USER
debug3: Ignored env SHLVL
debug3: Ignored env PATH
debug3: Ignored env MAIL
debug3: Ignored env _
debug2: channel 0: request shell confirm 1
debug3: send packet: type 98
debug2: channel_input_open_confirmation: channel 0: callback done
debug2: channel 0: open confirm rwindow 0 rmax 32768
debug3: receive packet: type 99
debug2: channel_input_status_confirm: type 99 id 0
debug2: PTY allocation request accepted on channel 0
debug2: channel 0: rcvd adjust 2097152
debug3: receive packet: type 99
debug2: channel_input_status_confirm: type 99 id 0
debug2: shell request accepted on channel 0

如何解决？

我开始使用 YubiKey 5 连接到远程盒子，而不是使用软件密钥。我正在使用以下命令生成密钥：

ssh-keygen -t ed25519-sk

这在我 ssh 进入 Ubuntu 时有效，但当我 ssh 进入我的 Mac（macOS 11.4）时它不起作用。我不断收到“权限被拒绝（公钥）”错误。ed25519 公钥位于“authorized_keys”文件中。我能够使用我使用 RSA 算法生成的密钥通过 ssh 进入 Mac。下面是我 Mac 上的 sshd_config 文件。

关于可能导致我的错误的任何想法？

#   $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key

# Ciphers and keying
#RekeyLimit default none

# Logging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin prohibit-password
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

PubkeyAuthentication yes

# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile  .ssh/authorized_keys

#AuthorizedPrincipalsFile none

#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
#PermitEmptyPasswords no

# Change to no to disable s/key passwords
ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM no

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

# pass locale information
AcceptEnv LANG LC_*

# no default banner path
#Banner none

# override default of no subsystems
Subsystem   sftp    /usr/libexec/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#   X11Forwarding no
#   AllowTcpForwarding no
#   PermitTTY no
#   ForceCommand cvs server

有时我必须经历 30 多个项目才能对每个项目进行小改动并将更改推送到 github 存储库。现在我已经设置了我的 ssh 命令.bash_profile，输入命令后我只需要输入我的 SSH 密码。我没有将密码添加到文件中，因为我不想将其保存在磁盘上。（我应该吗？）

现在的问题是，每次我更改文件夹时，vscode 都会杀死并创建新的终端实例，我被迫重新输入我的 ssh 密码。是否可以在 vs 代码中保留旧的终端实例？或者有什么建议可以改善我的工作流程？

GitLab 13.10的公告有一个弃用通知，将 authorized_keys 用于 ssh 密钥：

第一种机制（通过授权密钥集成）容易受到竞争条件和乱序执行问题的影响，因此难以扩展。因此，它将在 GitLab 14.0 中删除。有关详细信息，请参阅问题 #212227。

用于快速 ssh 密钥查找的文档（快速查找数据库中授权的 SSH 密钥 | GitLab）说

对于 Omnibus Docker，AuthorizedKeysCommand 在 GitLab 11.11 及更高版本中默认设置。

当我在 gitlab 容器的 ssh 配置文件中插入时，我看不到AuthorizedKeysCommand. 但是，我在我的实际 SSH 密钥中也找不到任何参考/var/opt/gitlab/.ssh/authorized_keys，这表明它实际上是在使用快速查找而不是系统authorized_keys文件。

我在管理区域 > 网络 > 性能优化中的配置已启用Write to "authorized_keys" file。我对此的理解是它是部署密钥的备份，而不是该文件将用于所有身份验证。

由于该authorized_keys文件将在 GitLab-14 中被弃用（两个月后？），我期待着。我怎么知道删除对该文件的支持是否会破坏我？我总是可以取消选中“写入authorized_keys”，但我不认为这会立即产生影响。

我有一个关于 SSH 连接的一般性问题。已经查看了一些有关此事的相关帖子和文件，但找不到直接的答案。

使用密钥的 SSH 连接假定客户端有一个密钥对（公共和私有），而请求连接的服务器只有 pub 密钥。

我的问题是：由于一切都取决于只有通过私钥才能进行的解密，如果我们尝试采用“反向方式”（即“服务器”要求连接到“客户端”），我们是否应该期待拒绝？

泰

xiaojie@ubuntu:~/.ssh$ cat ~/.ssh/id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDiRDV1OlNoxzLaJI0Z2kWtrfD4FINaU3uwuH5e0VmkbkkG/tbD61R5pFHw2z3ZlPPYNP0NbWIzWUIA4gpCkMUgSg/lFsO6Ti3ppKBOEHy/uoEWvDgIbHu/Z8M+gNwii8mCnDdDvg+fcmLv90J4xCq3au4fTDjRQMe0FJkZxgIFFziDNoFKnwi8ES3Joaxmz9+vOxAEL+sAqzLRdJ7OuJ4qYHLoeXv7ok27yB5qCI+3ENrXBom6AkR2350CYZ4sDMBF1J2QorzCneJKqBJ9i8Ijh3dtZoXThinZlsh5SgAJtlpPMSAqbx5rvTSQdbpm2+hun9b54cHOYyfcrYFqusIwPj/TPNGxFQ0WKOpCDtKB1XLmkrOhvjCa+bvrzbB/eK1+lBUZdmO28W0G7USsHxmRJytz4NjF3H3DcRVbziMia6TftmFlfgbRMetqVfd0qMWioQbjzi/2m2IesNdgSc/al2hrZgpMd2uyRtYfXl11HFe8FS5pSt5p756U2+G6RpUCW11tu5hsbKI0NZ/FPTDARLsiz5V7fd20EtaYs77YucfG2yHJy4kWPxDoWM5cePf/T5mLMVUReU3T65r03xbjFGn+oSeDJhvGhAFD82cFmlBZssm2pQH2J+m/CeeaVkUXL9YDt7ysicAHSkRHpRijotzBV4ZKgdLQGe5o6QZGrQ== xiaojie@ubuntu
xiaojie@ubuntu:~/.ssh$ ssh-keygen -lf ~/.ssh/id_rsa
4096 SHA256:ovjUzYquVMajDQv8AXlbXU+X+zucgrulucC8aQqbD8g xiaojie@ubuntu (RSA)
xiaojie@ubuntu:~/.ssh$ ssh-keygen -lf ~/.ssh/id_rsa.pub
4096 SHA256:ovjUzYquVMajDQv8AXlbXU+X+zucgrulucC8aQqbD8g xiaojie@ubuntu (RSA)

xiaojie@ubuntu:~/.ssh$ ssh xiaojie@ubuntu 
The authenticity of host 'ubuntu (127.0.1.1)' can't be established.
ECDSA key fingerprint is SHA256:f2TduTCqvnPtV0X4NjJuGWTCTvv1zrZ6o02pR7l91PE.
Are you sure you want to continue connecting (yes/no)? 

为什么指纹从ssh localhost和结果ssh-keygen -lf ~/.ssh/id_rsa.pub不一样？

我使用 ssh 连接我的大学服务器

 ssh <myusername>@<server_Address>

输入密码后，我收到此错误：

-bash: fork: retry: No child processes

我第二次尝试登录时收到此消息：

C:\Users\djamj002> ssh [email protected]
[email protected]'s password: 
shell request failed on channel 0

任何想法？

我正在运行 debian 10、xfce、gnome-keyring、ssh-agent、LUKS 分区。

我使用 gnome-keyring 的原因是因为我不想在重新启动时输入 ssh 密钥密码。这是因为周围有很多闭路电视摄像机。恐怕是某种秘密的闭路电视摄像机记录了我输入的内容。我总是避免输入密码并尝试输入尽可能少的时间。

使用当前设置，我至少需要输入两个密码。一个用于 LUKS 分区，一个用于 lightdm 中的系统登录。

今天，我想减少一个密码要求，让系统自动登录，所以不再需要输入系统用户登录密码了。我认为这仍然是和以前一样的安全级别，因为 LUKS 分区加密仍然存在。（或者不太安全，但使用 LUKS 仍然安全）

启用自动登录后，我发现 gnome 密钥环不再自动解锁。如果我想用我当前的设置解锁它，我必须再次输入解锁密码，这是我想要避免的第二个密码。

通过 goolging，我发现我可以简单地从 seahorse 中的 gnome 钥匙圈中删除解锁密码，以便使用自动登录解锁。

以上是我目前情况的详细故事。所以这就是问题所在。如果我从 gnome 密钥环中删除解锁密码，我不知道在后台会发生什么。

我之所以使用 gnome keyring 是因为我不希望我的系统中任何正在运行的程序可以直接从文件系统访问 ssh 私钥~/.ssh/id_rsa。有些人可能会争辩说，程序可能仍然从记忆中获取密钥。只要这能提高某种安全性，我真的不在乎它是如何工作的。只要未加密的 ssh-key 没有存储在某个文件系统中，我就可以了。恐怕从 gnome-keyring 中删除密码会使未经加密的文件以纯文本格式存储在文件系统中。从 gnome 密钥环中删除密码会对存储（文件系统）的观点产生任何影响吗？

我真的不在乎没有密码来解锁密钥环，因为我有 LUKS 分区加密，除非他们知道我的 LUKS 密码，否则人们不能使用密钥环。但是如果我删除密钥环密码，我确实关心是否任何正在运行的程序可以直接从文件系统访问一些纯文本密钥。

我希望我已经在这个问题上说清楚了，非常感谢你的帮助。

我正在使用已openssl安装但未安装的系统ssh-keygen。我无法安装新软件。我可以使用以下命令生成 SSH 密钥对openssl：

sh-4.2$ openssl genrsa -out key.pem 2048
Generating RSA private key, 2048 bit long modulus
....................................................................................+++
...............................+++
unable to write 'random state'
e is 65537 (0x10001)
sh-4.2$ openssl rsa -in key.pem -outform PEM -pubout -out key.pub
writing RSA key
sh-4.2$ cat key.pub
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvGwJnfrGGvHyEigIdSg1
rZFhe+5412j4+bCdtmArUuBna6hXLs5CqJ+cmnUK8hHV7Z9t81vINAWqbNTEQfc6
PU9meCnk1RRQPqm8MeE+G5EDkyZUIanoWhT2yN46sMKEq3ChCW7Ubw+Q42BIrUIE
7pChkG0SH4TlgimkJHmV2ydE6gVlRw+EWbZzqK+IF8xjyDs7xCEmH04AoEV8mwcP
+JziGPiijArgf9M53DEYldVJFPXpti0CqDuW33ZQoiuwV1xnrEgu6kU0M/Ct6WTA
A2dgG8b17SSsL3AYxQy6YWQzD6bZ99U0sj9dW7BM3UPa/wlkgF0hHkFzPb1CBeoY
twIDAQAB
-----END PUBLIC KEY-----
sh-4.2$ 

通常我会使用ssh-keygen它为authorized_keys文件生成所需的 OpenSSH 格式：

sh-4.2$ ssh-keygen -f key.pub -i -mPKCS8
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC8bAmd+sYa8fISKAh1KDWtkWF77njXaPj5sJ22YCtS4GdrqFcuzkKon5yadQryEdXtn23zW8g0Baps1MRB9zo9T2Z4KeTVFFA+qbwx4T4bkQOTJlQhqehaFPbI3jqwwoSrcKEJbtRvD5DjYEitQgTukKGQbRIfhOWCKaQkeZXbJ0TqBWVHD4RZtnOor4gXzGPIOzvEISYfTgCgRXybBw/4nOIY+KKMCuB/0zncMRiV1UkU9em2LQKoO5bfdlCiK7BXXGesSC7qRTQz8K3pZMADZ2AbxvXtJKwvcBjFDLphZDMPptn31TSyP11bsEzdQ9r/CWSAXSEeQXM9vUIF6hi3
sh-4.2$ 

不过我ssh-keygen在这个系统上没有。如何仅使用openssl基本实用程序生成所需的输出？

我试图了解通过 SSH 进行无密码登录的概念。据我了解，您在要连接 FROM 的计算机上创建 SSH 密钥对。然后将公钥复制到您将连接到的服务器。到目前为止，一切都很好？如果我在基础上错了，请纠正我...

我猜这将导致只能从我的计算机进行无密码登录（创建密钥对的地方，因为那是存在私钥的地方）。

但是，如果我希望能够从多台计算机使用无密码登录到同一台服务器呢？您是否需要在将连接到服务器的每台计算机上创建一个密钥对并将每个公钥复制到服务器？我应该怎么做？