web-dev-qa-db-ja.com

「rsa-sha2-512」の代わりに「ssh-rsa」キーを生成する方法

鍵を適切に生成し、権限を設定し、パスワードなしでssh/scpを実行できるサーバーがたくさんあります。ただ、少し違うマシンが1台あり、違いを見つけたと思います。

違いは、パスワードなしでは接続できないマシンでは、sshがキーを受け入れるということです。

debug1: Server accepts key: pkalg ssh-rsa blen 279

他のすべての私のマシンは受け入れています:

debug1: Server accepts key: pkalg rsa-sha2-512 blen 279

Sshキーを作成している間、私は常に引数「-t rsa」を設定しますが、どの種類のキーが生成されるかわかりません。 rsa-sha2-512のssh-rsaキーを作成するのを手伝ってもらえますか?最後に、/ etc/ssh/sshd_configを変更して何かを変更することはできません。

Sshログの完全なダンプは以下のとおりです。接続できるもの:

OpenSSH_7.4p1, OpenSSL 1.0.2k-fips  26 Jan 2017
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 58: Applying options for *
debug1: Connecting to HOSTNAME [IP] port 22.
debug1: Connection established.
debug1: identity file /SOMEPATH/SOMEDIR/SOMEFOLDER/.ssh/id_rsa type 1
debug1: key_load_public: No such file or directory
debug1: identity file /SOMEPATH/SOMEDIR/SOMEFOLDER/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /SOMEPATH/SOMEDIR/SOMEFOLDER/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /SOMEPATH/SOMEDIR/SOMEFOLDER/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /SOMEPATH/SOMEDIR/SOMEFOLDER/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /SOMEPATH/SOMEDIR/SOMEFOLDER/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /SOMEPATH/SOMEDIR/SOMEFOLDER/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /SOMEPATH/SOMEDIR/SOMEFOLDER/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.4
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.4
debug1: match: OpenSSH_7.4 pat OpenSSH* compat 0x04000000
debug1: Authenticating to HOSTNAME:22 as 'SOMEUSER'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: Host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: [email protected] MAC: <implicit> compression: none
debug1: kex: client->server cipher: [email protected] MAC: <implicit> compression: none
debug1: kex: curve25519-sha256 need=64 dh_need=64
debug1: kex: curve25519-sha256 need=64 dh_need=64
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server Host key: ecdsa-sha2-nistp256 SHA256:###HASH###
debug1: Host 'HOSTNAME' is known and matches the ECDSA Host key.
debug1: Found key in /SOMEPATH/SOMEDIR/SOMEFOLDER/.ssh/known_hosts:2
debug1: rekey after ###HASH### blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey after ###HASH### blocks
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<rsa-sha2-256,rsa-sha2-512>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure.  Minor code may provide more information
No Kerberos credentials available (default cache: FILE:/tmp/krb5cc_38000069)

debug1: Unspecified GSS failure.  Minor code may provide more information
No Kerberos credentials available (default cache: FILE:/tmp/krb5cc_38000069)

debug1: Next authentication method: publickey
debug1: Offering RSA public key: /SOMEPATH/SOMEDIR/SOMEFOLDER/.ssh/id_rsa
debug1: Server accepts key: pkalg rsa-sha2-512 blen 279
debug1: Authentication succeeded (publickey).
Authenticated to HOSTNAME ([IP]:22).
debug1: channel 0: new [client-session]
debug1: Requesting [email protected]
debug1: Entering interactive session.
debug1: pledge: network
debug1: client_input_global_request: rtype [email protected] want_reply 0
debug1: Sending environment.
debug1: Sending env LANG = en_US.UTF-8

接続できない2つ目:

OpenSSH_7.4p1, OpenSSL 1.0.2k-fips  26 Jan 2017
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 58: Applying options for *
debug1: Connecting to HOSTNAME [IP] port 22.
debug1: Connection established.
debug1: identity file /SOMEPATH/SOMEDIR/SOMEFOLDER/.ssh/id_rsa type 1
debug1: key_load_public: No such file or directory
debug1: identity file /SOMEPATH/SOMEDIR/SOMEFOLDER/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /SOMEPATH/SOMEDIR/SOMEFOLDER/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /SOMEPATH/SOMEDIR/SOMEFOLDER/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /SOMEPATH/SOMEDIR/SOMEFOLDER/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /SOMEPATH/SOMEDIR/SOMEFOLDER/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /SOMEPATH/SOMEDIR/SOMEFOLDER/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /SOMEPATH/SOMEDIR/SOMEFOLDER/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.4
debug1: Remote protocol version 2.0, remote software version Sun_SSH_1.1.8
debug1: no match: Sun_SSH_1.1.8
debug1: Authenticating to HOSTNAME:22 as 'USERNAME'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: diffie-hellman-group-exchange-sha256
debug1: kex: Host key algorithm: ssh-rsa
debug1: kex: server->client cipher: aes128-ctr MAC: hmac-sha2-256 compression: none
debug1: kex: client->server cipher: aes128-ctr MAC: hmac-sha2-256 compression: none
debug1: kex: diffie-hellman-group-exchange-sha256 need=32 dh_need=32
debug1: kex: diffie-hellman-group-exchange-sha256 need=32 dh_need=32
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<8192<8192) sent
debug1: got SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: got SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Server Host key: ssh-rsa SHA256:###HASH###
debug1: Host 'HOSTNAME' is known and matches the RSA Host key.
debug1: Found key in /SOMEPATH/SOMEDIR/SOMEFOLDER/.ssh/known_hosts:13
debug1: rekey after ###HASH### blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey after ###HASH### blocks
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: gssapi-keyex,gssapi-with-mic,publickey,password,keyboard-interactive
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure.  Minor code may provide more information
No Kerberos credentials available (default cache: FILE:/tmp/krb5cc_38000069)

debug1: Unspecified GSS failure.  Minor code may provide more information
No Kerberos credentials available (default cache: FILE:/tmp/krb5cc_38000069)

debug1: Next authentication method: publickey
debug1: Offering RSA public key: /SOMEPATH/SOMEDIR/SOMEFOLDER/.ssh/id_rsa
debug1: Server accepts key: pkalg ssh-rsa blen 279
debug1: Authentications that can continue: gssapi-keyex,gssapi-with-mic,publickey,password,keyboard-interactive
debug1: Trying private key: /SOMEPATH/SOMEDIR/SOMEFOLDER/.ssh/id_dsa
debug1: Trying private key: /SOMEPATH/SOMEDIR/SOMEFOLDER/.ssh/id_ecdsa
debug1: Trying private key: /SOMEPATH/SOMEDIR/SOMEFOLDER/.ssh/id_ed25519
debug1: Next authentication method: keyboard-interactive
Password:

キーを生成するために使用しているコマンド:

ssh-keygen -b 2048 -t rsa -E sha256 -f filename

私も試してみました:

  • さまざまなパラメータでキーを作成します。

    -t rsa1; -t ecdsa; -b 1024; -b 2048;

2
J. Doe

RSAキー自体は「SHA1」でも「SHA2」でもありません。キー形式にはハッシュアルゴリズムはまったく含まれていません。秘密鍵は2つの大きな数字で構成されています。

ただし、SSHは、各pubkeyアルゴリズムで使用するハッシュアルゴリズムにあまり柔軟性を残していませんでした。たとえば、署名に「ssh-rsa」キーを使用する場合は常に、SHA1と一緒に使用するように指定されていました。したがって、人々が既存のRSA鍵を使用できるようにするには、接続のために新しい署名アルゴリズム名を作成する必要がありますpkalg rsa-sha2-512は、同じssh-rsaキーを使用して、代わりにSHA2でのみ署名を実行します。

通常、この機能は、クライアントとサーバーの両方がサポートすることを要求した場合、合意によって有効になります。 rsa-sha2のサポートを誤って主張しているサーバーで無効にする場合は、OpenSSHクライアントでPubkeyAcceptedKeyTypesをカスタマイズできます。

ssh -o "PubkeyAcceptedKeyTypes=ssh-rsa" [...]

ただし、サーバーがSHA2でRSAをサポートしていないことをクライアントがすでに正しく検出しているため、この場合は役に立ちません。あなたの問題はおそらく完全にどこか別の場所にあります。

1
user1686

私も同じような状況でした。

これはキーの生成方法ではなく、sshdがpubkey認証を拒否し、パスワードのみを受け入れる原因となるためです。これはあなたにとって有用かもしれないと思いました。

一部のファイアウォール(Palo Alto、Fortigate、CheckPointなど)は、透過的なSSHプロキシとして機能し、トラフィックを傍受できますが、秘密鍵を使用して認証することはできません。

したがって、わからない場合でも、管理者に厄介なことをしていないかどうかを尋ねても問題はありません。

ファイアウォールを有効にした出力は次のとおりです。

52:~ laimis$ ssh -v mem
OpenSSH_7.8p1, LibreSSL 2.6.2
debug1: Reading configuration data /Users/laimis/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 48: Applying options for *
debug1: Connecting to mem port 22.
debug1: Connection established.
debug1: identity file /Users/laimis/.ssh/id_rsa type 0
debug1: identity file /Users/laimis/.ssh/id_rsa-cert type -1
debug1: identity file /Users/laimis/.ssh/id_dsa type 1
debug1: identity file /Users/laimis/.ssh/id_dsa-cert type -1
debug1: identity file /Users/laimis/.ssh/id_ecdsa type -1
debug1: identity file /Users/laimis/.ssh/id_ecdsa-cert type -1
debug1: identity file /Users/laimis/.ssh/id_ed25519 type -1
debug1: identity file /Users/laimis/.ssh/id_ed25519-cert type -1
debug1: identity file /Users/laimis/.ssh/id_xmss type -1
debug1: identity file /Users/laimis/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_7.8
debug1: Remote protocol version 2.0, remote software version PaloAltoNetworks_0.2
debug1: no match: PaloAltoNetworks_0.2
debug1: Authenticating to mem:22 as 'laimis'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: diffie-hellman-group-exchange-sha256
debug1: kex: Host key algorithm: ssh-rsa
debug1: kex: server->client cipher: aes128-ctr MAC: hmac-sha1 compression: none
debug1: kex: client->server cipher: aes128-ctr MAC: hmac-sha1 compression: none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(2048<7680<8192) sent
debug1: got SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: got SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Server Host key: ssh-rsa SHA256:S0MWqGuhCYBUQq4T9evKCHomiPHxLw/Sdda41XmAg3g
debug1: Host 'mem' is known and matches the RSA Host key.
debug1: Found key in /Users/laimis/.ssh/known_hosts:521
debug1: rekey after 4294967296 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey after 4294967296 blocks
debug1: Skipping ssh-dss key /Users/laimis/.ssh/id_dsa - not in PubkeyAcceptedKeyTypes
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering public key: RSA SHA256:B26Tg4YaV+VsS1Ou0wcKY/jD5sBh7IWIFw19DCdZhw0 /Users/laimis/.ssh/id_rsa
debug1: Server accepts key: pkalg ssh-rsa blen 149
debug1: Authentications that can continue: publickey,password
debug1: Trying private key: /Users/laimis/.ssh/id_ecdsa
debug1: Trying private key: /Users/laimis/.ssh/id_ed25519
debug1: Trying private key: /Users/laimis/.ssh/id_xmss
debug1: Next authentication method: password
laimis@mem's password: 
debug1: Authentication succeeded (password).
Authenticated to mem ([10.130.10.65]:22).
debug1: channel 0: new [client-session]
debug1: Entering interactive session.
debug1: pledge: network
debug1: client_input_global_request: rtype [email protected] want_reply 0
debug1: Sending environment.
debug1: Sending env LANG = lt_LT.UTF-8
Welcome to Ubuntu 18.04.2 LTS (GNU/Linux 4.15.0-45-generic x86_64)

ファイアウォールを無効にした出力は次のとおりです。

52:~ laimis$ ssh -v mem
OpenSSH_7.8p1, LibreSSL 2.6.2
debug1: Reading configuration data /Users/laimis/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 48: Applying options for *
debug1: Connecting to mem port 22.
debug1: Connection established.
debug1: identity file /Users/laimis/.ssh/id_rsa type 0
debug1: identity file /Users/laimis/.ssh/id_rsa-cert type -1
debug1: identity file /Users/laimis/.ssh/id_dsa type 1
debug1: identity file /Users/laimis/.ssh/id_dsa-cert type -1
debug1: identity file /Users/laimis/.ssh/id_ecdsa type -1
debug1: identity file /Users/laimis/.ssh/id_ecdsa-cert type -1
debug1: identity file /Users/laimis/.ssh/id_ed25519 type -1
debug1: identity file /Users/laimis/.ssh/id_ed25519-cert type -1
debug1: identity file /Users/laimis/.ssh/id_xmss type -1
debug1: identity file /Users/laimis/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_7.8
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.6p1 Ubuntu-4ubuntu0.3
debug1: match: OpenSSH_7.6p1 Ubuntu-4ubuntu0.3 pat OpenSSH_7.0*,OpenSSH_7.1*,OpenSSH_7.2*,OpenSSH_7.3*,OpenSSH_7.4*,OpenSSH_7.5*,OpenSSH_7.6*,OpenSSH_7.7* compat 0x04000002
debug1: Authenticating to mem:22 as 'laimis'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: Host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: aes128-ctr MAC: [email protected] compression: none
debug1: kex: client->server cipher: aes128-ctr MAC: [email protected] compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server Host key: ecdsa-sha2-nistp256 SHA256:QG8mC4gGXfD8CmWA71LTOs8yqeKhFP3Jz2pf1AYLw7s
debug1: Host 'mem' is known and matches the ECDSA Host key.
debug1: Found key in /Users/laimis/.ssh/known_hosts:521
debug1: rekey after 4294967296 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey after 4294967296 blocks
debug1: Skipping ssh-dss key /Users/laimis/.ssh/id_dsa - not in PubkeyAcceptedKeyTypes
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering public key: RSA SHA256:B26Tg4YaV+VsS1Ou0wcKY/jD5sBh7IWIFw19DCdZhw0 /Users/laimis/.ssh/id_rsa
debug1: Server accepts key: pkalg rsa-sha2-512 blen 149
debug1: Authentication succeeded (publickey).
Authenticated to mem ([10.130.10.65]:22).
debug1: channel 0: new [client-session]
debug1: Requesting [email protected]
debug1: Entering interactive session.
debug1: pledge: network
debug1: client_input_global_request: rtype [email protected] want_reply 0
debug1: Sending environment.
debug1: Sending env LANG = lt_LT.UTF-8
Welcome to Ubuntu 18.04.2 LTS (GNU/Linux 4.15.0-45-generic x86_64)
0
Laimis