Fwd: Strange behaviour with SSH public-key authentication?!


Zoom.Quiet

Feb 22, 2011, 3:42:19 AM2/22/11
to ZSP}vhost}stdyun-vhost
Well, I have to admit I've been stuck on this problem for a long time. It is reproducible, but I have no idea how to fix it...
> On 22 Feb 2011 at 12:25, Zoom.Quiet <zoom....@gmail.com> wrote:
>> Symptoms:
>> 1. Deploy the RSA and DSA public keys on Debian/FreeBSD/CentOS hosts.
>> 2. Plugged into the office wired network:
>>    - Debian host: normal passwordless login
>>    - FreeBSD host: normal passwordless login
>>    - CentOS host: normal passwordless login
>> 3. Unplug the cable and use the office wifi:
>>    - Debian host: normal passwordless login
>>    - FreeBSD host: normal passwordless login
>>    - CentOS host: broken! prompts for a password
>> 4. At home on ADSL wifi:
>>    - Debian host: normal passwordless login
>>    - FreeBSD host: normal passwordless login
>>    - CentOS host: broken! prompts for a password
>>
>> This puzzles me: they are all running sshd, with the same key pair, so why do hosts with different OSes react so strangely under different network routes?
>> Is CentOS holding on to some state that, when it doesn't match, stops it from going through SSH?


---------- Forwarded message ----------
From: Zoom.Quiet <zoom....@gmail.com>
Date: 22 Feb 2011, 14:15
Subject: Re: [shlug] Strange behaviour with SSH public-key authentication?!
To: sh...@googlegroups.com
Cc: Shell Xu <shell...@gmail.com>


On 22 Feb 2011 at 14:00, Shell Xu <shell...@gmail.com> wrote:
> Could you run an ssh -v?
>
Yes indeed, it can be tracked down...
eth0      Link encap:以太网  硬件地址 00:1f:16:34:92:42
         inet6 地址: fe80::21f:16ff:fe34:9242/64 Scope:Link
         UP BROADCAST MULTICAST  MTU:1500  跃点数:1
         接收数据包:23389 错误:0 丢弃:0 过载:0 帧数:0
         发送数据包:23666 错误:0 丢弃:0 过载:0 载波:0
         碰撞:0 发送队列长度:1000
         接收字节:15719778 (15.7 MB)  发送字节:3006774 (3.0 MB)
         Memory:f2600000-f2620000
...
wlan0     Link encap:以太网  硬件地址 00:26:c6:60:e1:ac
         inet 地址:10.20.210.62  广播:10.20.210.255  掩码:255.255.255.0
         inet6 地址: fe80::226:c6ff:fe60:e1ac/64 Scope:Link
         UP BROADCAST RUNNING MULTICAST  MTU:1500  跃点数:1
         接收数据包:748630 错误:0 丢弃:0 过载:0 帧数:0
         发送数据包:746633 错误:0 丢弃:0 过载:0 载波:0
         碰撞:0 发送队列长度:1000
         接收字节:256909608 (256.9 MB)  发送字节:406502925 (406.5 MB)
With the interfaces in that state, SSH doesn't work normally, regardless of rsa/dsa:
...
OpenSSH_5.3p1 Debian-3ubuntu5, OpenSSL 0.9.8k 25 Mar 2009
debug1: Reading configuration data /home/zoomq/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to ijinshan30 [219.232.254.30] port 22.
debug1: Connection established.
debug1: identity file /home/zoomq/.ssh/identity type -1
debug1: identity file /home/zoomq/.ssh/id_rsa type 1
debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-2048
debug1: Checking blacklist file /etc/ssh/blacklist.RSA-2048
debug1: identity file /home/zoomq/.ssh/id_dsa type 2
debug1: Checking blacklist file /usr/share/ssh/blacklist.DSA-1024
debug1: Checking blacklist file /etc/ssh/blacklist.DSA-1024
debug1: Remote protocol version 1.99, remote software version OpenSSH_4.0
debug1: match: OpenSSH_4.0 pat OpenSSH_4*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu5
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
The authenticity of host 'ijinshan30 (219.232.254.30)' can't be established.
RSA key fingerprint is 0e:6f:ee:2b:3a:68:d7:88:31:62:ed:70:a0:59:14:0d.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'ijinshan30,219.232.254.30' (RSA) to the
list of known hosts.
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering public key: /home/zoomq/.ssh/id_dsa
debug1: Server accepts key: pkalg ssh-dss blen 434
debug1: Authentications that can continue: publickey,password
debug1: Offering public key: /home/zoomq/.ssh/id_rsa
debug1: Server accepts key: pkalg ssh-rsa blen 277
debug1: Authentications that can continue: publickey,password
debug1: Trying private key: /home/zoomq/.ssh/identity
debug1: Next authentication method: password
zhouqi@ijinshan30's password:
...

With the cable plugged in:
eth0      Link encap:以太网  硬件地址 00:1f:16:34:92:42
         inet 地址:10.20.208.152  广播:10.20.208.255  掩码:255.255.255.128
         inet6 地址: fe80::21f:16ff:fe34:9242/64 Scope:Link
         UP BROADCAST RUNNING MULTICAST  MTU:1500  跃点数:1
         接收数据包:23418 错误:0 丢弃:0 过载:0 帧数:0
         发送数据包:23717 错误:0 丢弃:0 过载:0 载波:0
         碰撞:0 发送队列长度:1000
         接收字节:15723112 (15.7 MB)  发送字节:3014250 (3.0 MB)
         Memory:f2600000-f2620000
...
OpenSSH_5.3p1 Debian-3ubuntu5, OpenSSL 0.9.8k 25 Mar 2009
debug1: Reading configuration data /home/zoomq/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to ijinshan30 [219.232.254.30] port 22.
debug1: Connection established.
debug1: identity file /home/zoomq/.ssh/identity type -1
debug1: identity file /home/zoomq/.ssh/id_rsa type 1
debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-2048
debug1: Checking blacklist file /etc/ssh/blacklist.RSA-2048
debug1: identity file /home/zoomq/.ssh/id_dsa type 2
debug1: Checking blacklist file /usr/share/ssh/blacklist.DSA-1024
debug1: Checking blacklist file /etc/ssh/blacklist.DSA-1024
debug1: Remote protocol version 2.0, remote software version OpenSSH_4.3
debug1: match: OpenSSH_4.3 pat OpenSSH_4*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu5
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
aa:74:1c:0c:d0:af:74:6e:22:48:27:40:dd:37:07:4e.
Please contact your system administrator.
Add correct host key in /home/zoomq/.ssh/known_hosts to get rid of this message.
Offending key in /home/zoomq/.ssh/known_hosts:3
RSA host key for ijinshan30 has changed and you have requested strict checking.
Host key verification failed.


Then echo > /home/zoomq/.ssh/known_hosts to clear the corresponding list,
and SSH again:

OpenSSH_5.3p1 Debian-3ubuntu5, OpenSSL 0.9.8k 25 Mar 2009
debug1: Reading configuration data /home/zoomq/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to ijinshan30 [219.232.254.30] port 22.
debug1: Connection established.
debug1: identity file /home/zoomq/.ssh/identity type -1
debug1: identity file /home/zoomq/.ssh/id_rsa type 1
debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-2048
debug1: Checking blacklist file /etc/ssh/blacklist.RSA-2048
debug1: identity file /home/zoomq/.ssh/id_dsa type 2
debug1: Checking blacklist file /usr/share/ssh/blacklist.DSA-1024
debug1: Checking blacklist file /etc/ssh/blacklist.DSA-1024
debug1: Remote protocol version 2.0, remote software version OpenSSH_4.3
debug1: match: OpenSSH_4.3 pat OpenSSH_4*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu5
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
The authenticity of host 'ijinshan30 (219.232.254.30)' can't be established.
RSA key fingerprint is aa:74:1c:0c:d0:af:74:6e:22:48:27:40:dd:37:07:4e.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'ijinshan30,219.232.254.30' (RSA) to the
list of known hosts.
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering public key: /home/zoomq/.ssh/id_dsa
debug1: Server accepts key: pkalg ssh-dss blen 434
debug1: Authentication succeeded (publickey).
debug1: channel 0: new [client-session]
debug1: Entering interactive session.
debug1: Sending environment.
debug1: Sending env LANG = zh_CN.utf8
debug1: Sending command: screen -x ZoomQuiet
...
and it gets in.


--
Life is short, be Pythonic! Skip redundancy and you can't get on with life! Skip backups and it's unforgivable!
Me: http://about.me/zoom.quiet
Dev: http://code.ijinshan.com/
Douban: http://www.douban.com/group/zoomquiet
Books: http://code.google.com/p/openbookproject
Python: http://code.google.com/p/kcpycamp/wiki/PythoniCamp
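The two ssh -v transcripts above carry the facts that explain the behaviour: on wifi the name ijinshan30 answers with OpenSSH_4.0 and host key 0e:6f:..., on the wire it answers with OpenSSH_4.3 and host key aa:74:..., and the "REMOTE HOST IDENTIFICATION HAS CHANGED" warning is ssh noticing exactly that. The script below is an added example, not code from the thread or from OpenSSH. It parses two such transcripts, pulls out the remote sshd version, the host key fingerprint, which offered identities the server acknowledged and the method the client ended on, and reports why the sessions diverged, so the host key question is settled before anyone empties known_hosts. The transcripts it reads are constructed excerpts modelled on the thread's logs, trimmed to the lines the parser uses; the names parse_session, compare_sessions and verdict are this example's own.

```python
"""Compare two `ssh -v` transcripts taken against the same host name.

Added example, not code from the thread or from OpenSSH. It extracts the
identity- and authentication-related facts from each transcript and reports
whether the two sessions reached the same sshd at all.
"""
import re
from dataclasses import dataclass, field

# Constructed excerpt modelled on the thread's wifi session
# (remote OpenSSH_4.0, key offers acknowledged, client fell back to password).
WIFI_SESSION = """\
debug1: Connecting to ijinshan30 [219.232.254.30] port 22.
debug1: Remote protocol version 1.99, remote software version OpenSSH_4.0
RSA key fingerprint is 0e:6f:ee:2b:3a:68:d7:88:31:62:ed:70:a0:59:14:0d.
debug1: Next authentication method: publickey
debug1: Offering public key: /home/zoomq/.ssh/id_dsa
debug1: Server accepts key: pkalg ssh-dss blen 434
debug1: Offering public key: /home/zoomq/.ssh/id_rsa
debug1: Server accepts key: pkalg ssh-rsa blen 277
debug1: Next authentication method: password
zhouqi@ijinshan30's password:
"""

# Constructed excerpt modelled on the thread's wired session
# (remote OpenSSH_4.3, publickey authentication succeeded).
WIRED_SESSION = """\
debug1: Connecting to ijinshan30 [219.232.254.30] port 22.
debug1: Remote protocol version 2.0, remote software version OpenSSH_4.3
RSA key fingerprint is aa:74:1c:0c:d0:af:74:6e:22:48:27:40:dd:37:07:4e.
debug1: Next authentication method: publickey
debug1: Offering public key: /home/zoomq/.ssh/id_dsa
debug1: Server accepts key: pkalg ssh-dss blen 434
debug1: Authentication succeeded (publickey).
"""

RE_HOST = re.compile(r"^debug1: Connecting to (\S+) \[([^\]]+)\] port \d+\.")
RE_VERSION = re.compile(r"remote software version (\S+)")
RE_FINGERPRINT = re.compile(r"key fingerprint is ([0-9a-f:]+)\.")
RE_ACCEPT = re.compile(r"Server accepts key: pkalg (\S+)")
RE_NEXT = re.compile(r"Next authentication method: (\w+)")
RE_SUCCESS = re.compile(r"Authentication succeeded \((\w+)\)")


@dataclass
class Session:
    host: str = ""
    addr: str = ""
    remote_version: str = ""
    fingerprint: str = ""
    accepted_keys: list = field(default_factory=list)  # pkalg values the server acknowledged
    auth_method: str = ""  # method the client was on when the transcript ended
    succeeded: bool = False


def parse_session(text):
    """Extract host identity and authentication facts from one ssh -v transcript."""
    s = Session()
    for line in text.splitlines():
        if m := RE_HOST.match(line):
            s.host, s.addr = m.group(1), m.group(2)
        elif m := RE_VERSION.search(line):
            s.remote_version = m.group(1)
        elif m := RE_FINGERPRINT.search(line):
            s.fingerprint = m.group(1)
        elif m := RE_ACCEPT.search(line):
            s.accepted_keys.append(m.group(1))
        elif m := RE_NEXT.search(line):
            s.auth_method = m.group(1)
        elif m := RE_SUCCESS.search(line):
            s.auth_method, s.succeeded = m.group(1), True
    return s


def compare_sessions(a, b):
    """List the reasons two sessions to the same name diverged, in a fixed order."""
    findings = []
    if a.fingerprint and b.fingerprint and a.fingerprint != b.fingerprint:
        findings.append("host-key-mismatch")
    if a.remote_version and b.remote_version and a.remote_version != b.remote_version:
        findings.append("different-sshd-version")
    for s in (a, b):
        # The server acknowledged an offered key yet the client ended on another method.
        if s.accepted_keys and not s.succeeded:
            findings.append(f"key-acknowledged-but-not-authenticated:{s.remote_version}")
    return findings


def verdict(findings):
    """Turn the findings into the action a defender should take."""
    if "host-key-mismatch" in findings:
        return ("same name, different host key: this route most likely reaches a different "
                "machine; verify each fingerprint out of band and pin each with its own "
                "known_hosts entry (HostKeyAlias) instead of emptying known_hosts")
    if any(f.startswith("key-acknowledged") for f in findings):
        return "key offer acknowledged but sign-in fell back to password: check the target sshd"
    return "sessions agree"


if __name__ == "__main__":
    wifi, wired = parse_session(WIFI_SESSION), parse_session(WIRED_SESSION)
    for name, s in (("wifi", wifi), ("wired", wired)):
        print(f"{name}: {s.remote_version} fp={s.fingerprint} auth={s.auth_method} ok={s.succeeded}")
    found = compare_sessions(wifi, wired)
    print(found)
    print(verdict(found))
```

Run it as-is to see the two sessions side by side; to use it on real transcripts, capture `ssh -v host 2>&1` from each network into files and feed their contents to parse_session. The point it makes is that a changed host key is a fact about which machine answered, not noise to be wiped: once the two fingerprints are confirmed out of band, each can be pinned under its own alias so that ssh keeps strict checking on both routes.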
