从远程会话中运行时 ssh-copy-id 失败
[英]ssh-copy-id fails when run from within a remote session
问题描述
I have a task to copy ssh keys from one node to all others in an array.
我有一项任务是将 ssh 密钥从一个节点复制到数组中的所有其他节点。 For this, I wrote a simple bash script which copies itself to other nodes and runs it there.为此,我编写了一个简单的 bash 脚本,它将自身复制到其他节点并在那里运行。 What confuses me is the fact that ssh-copy-id works fine on the node where the script is executed manually but it fails if run remotely in an ssh session.令我困惑的是,ssh-copy-id 在手动执行脚本的节点上运行良好,但如果在 ssh 会话中远程运行,则会失败。 Here's the script:这是脚本:
1 #!/bin/bash
2 # keys-exchange.sh
4 nodes=( main worker-01 worker-02 worker-03 )
6 for n in $( echo "${nodes[@]}" ); do
7 [ $n != $HOSTNAME ] && ssh-copy-id $n
8 done
10 if [ -z $REMOTE ]; then
11 for n in $( echo ${nodes[@]} ); do
12 if [ $n != $HOSTNAME ]; then
13 scp $0 $USER@$n:$0 > /dev/null
14 ssh $USER@$n "REMOTE=yes HOSTNAME=$n $0 ; rm -f $0"
15 fi
16 done
17 fi
The code in rows 6-8 works fine copying the ssh key to all nodes other than itself.第 6-8 行中的代码可以很好地将 ssh 密钥复制到除自身之外的所有节点。 Then, if the REMOTE variable is not set, code in rows 11-16 copies the script to remote nodes (except the node it's running on, row 12) and runs it there.然后,如果未设置 REMOTE 变量,第 11-16 行中的代码会将脚本复制到远程节点(除了运行它的节点,第 12 行)并在那里运行它。 In row 14, I set and pass the variable REMOTE to skip the code block in rows 10-17 (so the script copies itself only from the source node to others), and the variable HOSTNAME because I found it's not set in an ssh session.在第 14 行,我设置并传递变量 REMOTE 以跳过第 10-17 行中的代码块(因此脚本仅将自身从源节点复制到其他节点)和变量 HOSTNAME,因为我发现它没有在 ssh 会话中设置. The user's name and the script path are completely the same on the source node and all destination nodes.源节点和所有目标节点上的用户名和脚本路径完全相同。
When running on the source node, it works properly asking for a confirmation and the remote host's password.在源节点上运行时,它可以正常工作,要求确认和远程主机的密码。 But the script that has just run successfully on the source node fails running in the remote ssh session: ssh-copy-id fails with the following error:但是刚刚在源节点上运行成功的脚本在远程ssh会话中运行失败:ssh-copy-id失败,报错如下:
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/home/username/.ssh/id_rsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: ERROR: Host key verification failed.
At that moment, no .ssh/known_hosts file is present on a remote node so I can't do ssh-keygen -R.那时,远程节点上不存在 .ssh/known_hosts 文件,因此我无法执行 ssh-keygen -R。 What am I missing and how to make it work?我错过了什么以及如何让它发挥作用?
3 个解决方案
解决方案1
0 2020-08-27 12:16:11
ssh-copy-id is not copying your keys to remote hosts, it's adding them to ~/.ssh/authorized_keys and when you jump to that remote host there are no keys(or are they?) so there is nothig to copy further. ssh-copy-id不是将您的密钥复制到远程主机,而是将它们添加到~/.ssh/authorized_keys并且当您跳转到该远程主机时,没有密钥(或者它们是?)所以没有什么可以进一步复制的。 And if ssh-copy-id run without -i option it'll copy(add to authorized_keys) all .pub keys from your ~/.ssh dir wich could be not desired so i suggest to run it like this ssh-copy-id -i $key $host如果ssh-copy-id在没有-i选项的情况下运行,它会从你的~/.ssh目录复制(添加到 authorized_keys)所有 .pub 密钥,这可能是不需要的,所以我建议像这个ssh-copy-id -i $key $host一样运行它ssh-copy-id -i $key $host
解决方案2
0 2020-08-27 12:28:57
ssh $USER@$n "REMOTE=yes HOSTNAME=$n $0 ; rm -f $0"
Try running ssh with the "-tt" option to request a PTY (pseudo-TTY) for the remote session:尝试使用“-tt”选项运行ssh以请求远程会话的 PTY(伪 TTY):
ssh -tt $USER@$n "REMOTE=yes HOSTNAME=$n $0 ; rm -f $0"
^^^
In the case that you're describing, you're launching ssh on the remote system to connect to a third system.在您描述的情况下,您是在远程系统上启动ssh以连接到第三个系统。 The ssh instance doesn't have a saved copy of the third host's host key. ssh 实例没有保存的第三个主机的主机密钥副本。 So you'd normally expect ssh to prompt the user whether to continue connecting to the third host.因此,您通常希望ssh提示用户是否继续连接到第三台主机。 Except that it's not prompting the user--it's just refusing to connect to the third host.除了它没有提示用户——它只是拒绝连接到第三台主机。
When ssh is invoked with a command to run on the remote system, by default it runs that command without a TTY.当使用在远程系统上运行的命令调用 ssh 时,默认情况下它会在没有 TTY 的情况下运行该命令。 In this case, the remote ssh instance sees that it's running without a TTY and runs non-interactively.在这种情况下,远程ssh实例看到它在没有 TTY 的情况下运行,并且以非交互方式运行。 When it's non-interactive, it doesn't prompt the user for things like passwords and whether to accept a host key or not.当它是非交互式时,它不会提示用户输入密码以及是否接受主机密钥等信息。
Running the local ssh instance with "-tt" causes it to request a PTY for the remote session.使用“-tt”运行本地 ssh 实例会导致它为远程会话请求 PTY。 So the remote ssh instance will have a TTY and it will prompt the user--you--for things like host key confirmations.所以远程 ssh 实例将有一个 TTY,它会提示用户——你——进行主机密钥确认之类的事情。
解决方案3
0 2021-11-23 15:59:22
Be sure that on the destination side, the /etc/ssh/sshd_config is configured to accept the type of key that was generated.确保在目标端,/etc/ssh/sshd_config 配置为接受生成的密钥类型。
PubkeyAcceptedKeyTypes ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-rsa PubkeyAcceptedKeyTypes ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-rsa
I generated the key using "ssh-keygen -t rsa -b 4096 ..." however, up above the following line did not include the ",ssh-rsa" at the end, so even though the ssh-copy-id updated my destination, the sshd did not accept rsa type generated keys.我使用“ssh-keygen -t rsa -b 4096 ...”生成了密钥,但是,在下面一行的最后没有包含“,ssh-rsa”,所以即使更新了ssh-copy-id我的目的地,sshd 不接受 rsa 类型生成的密钥。 Once i added ",sha-rsa", the did "systemctl restart sshd" it worked!一旦我添加了“,sha-rsa”,“systemctl restart sshd”就起作用了!
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.