fail to ssh passwordlessly¶
Info
The post can date back to Dec 17, 2020
像往常一样 ssh,但是报错了
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ECDSA key sent by the remote host is
SHA256:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX.
Please contact your system administrator.
Add correct host key in /home/weiya/.ssh/known_hosts to get rid of this message.
Offending ECDSA key in /home/weiya/.ssh/known_hosts:42
remove with:
ssh-keygen -f "/home/weiya/.ssh/known_hosts" -R "chpc-login01.itsc.cuhk.edu.hk"
ECDSA host key for chpc-login01.itsc.cuhk.edu.hk has changed and you have requested strict checking.
Host key verification failed.
于是根据提示运行了
ssh-keygen -f "/home/weiya/.ssh/known_hosts" -R "chpc-login01.itsc.cuhk.edu.hk"
然后重新 ssh,但还是要求输入密码。类似的问题另见 ssh remote host identification has changed
这其实对应了服务器上 /etc/ssh 文件夹下几个 pub 文件,咨询 Michael 也得到回复说最近 public fingerprint 有修改,这应该是 known hosts 的内容。
可以以 MD5 的形式展示,
$ ssh-keygen -l -E md5 -f ssh_host_ed25519_key.pub
ssh-keyscan -t rsa server_ip
也能返回完全一致的结果,然后手动添加至 known_hosts 文件,仍然不能成功,尝试过新增其他格式的 key,
ssh-keygen -t [ed25519 | ecdsa | dsa]
然而统统没用。
后来跟服务器管理员反复沟通,提交 ssh -vvv xxx &> ssh.log 日志文件供其检查,才确认是最近服务器配置更改的原因,虽然没有明说,但是注意到 /etc/ssh/sshd_config 更新后不久管理员就回复说好了,问及原因,他的回答是,
It is related to security context which will make SELinux to block the file access. I think this required root permission to config.
Last update:
November 20, 2022
Created: November 20, 2022
Created: November 20, 2022