Apache sshd-sftp 0.11.0:新主机密钥文件导致 ssh_dispatch_run_fatal:签名不正确
Posted
技术标签:
【中文标题】Apache sshd-sftp 0.11.0:新主机密钥文件导致 ssh_dispatch_run_fatal:签名不正确【英文标题】:Apache sshd-sftp 0.11.0: new host key file causing ssh_dispatch_run_fatal: incorrect signature 【发布时间】:2018-12-29 04:45:09 【问题描述】:在新机器/服务器上,启动 ssh 服务器会报错:
ssh_dispatch_run_fatal: Connection to UNKNOWN port: incorrect signature
原来是主机密钥文件hostkey.ser 导致了这种情况,如果在它所做的新盒子设置中不存在,它应该创建一个新的,但是当sftp'in 时它会抛出上述错误。我将 hostkey.ser 从本地盒子复制到新盒子,它可以工作。
为了重现,我在本地机器上重命名了 hostkey.ser 文件,因此在服务器重新启动时它创建了新的 hostkey.ser 文件并引发了同样的错误。
问题:为什么只有一种主机密钥文件hostkey.ser 有效?为什么它不能使用新创建的主机密钥文件hostkey.ser? java/openssh 版本是否对从sshserver 创建新的有效hostkey.ser 很重要
更新:此页面指出了在类路径上具有充气城堡罐的一些要求,这是必需的吗? https://github.com/apache/mina-sshd/blob/master/README.md
sshd.setKeyPairProvider(new SimpleGeneratorHostKeyProvider("hostkey.ser"));
调试日志:
$ sftp -vvv -oPort=2233 test@localhost
OpenSSH_7.4p1, OpenSSL 1.0.2k-fips 26 Jan 2017
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 62: Applying options for *
debug1: Executing proxy command: exec /usr/bin/sss_ssh_knownhostsproxy -p 2233 localhost
debug1: permanently_drop_suid: 10531
debug1: key_load_public: No such file or directory
debug1: identity file /home/user/.ssh/id_rsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/user/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/user/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/user/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/user/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/user/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/user/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/user/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.4
debug1: Remote protocol version 2.0, remote software version SSHD-CORE-0.11.0
debug1: no match: SSHD-CORE-0.11.0
debug2: fd 6 setting O_NONBLOCK
debug2: fd 5 setting O_NONBLOCK
debug1: Authenticating to localhost:2233 as 'test'
debug3: put_host_port: [localhost]:2233
debug3: hostkeys_foreach: reading file "/home/user/.ssh/known_hosts"
debug3: record_hostkey: found key type DSA in file /home/user/.ssh/known_hosts:1
debug3: load_hostkeys: loaded 1 keys from [localhost]:2233
debug3: hostkeys_foreach: reading file "/var/lib/sss/pubconf/known_hosts"
debug3: order_hostkeyalgs: prefer hostkeyalgs: ssh-dss-cert-v01@openssh.com,ssh-dss
debug3: send packet: type 20
debug1: SSH2_MSG_KEXINIT sent
debug3: receive packet: type 20
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1,ext-info-c
debug2: host key algorithms: ssh-dss-cert-v01@openssh.com,ssh-dss,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib@openssh.com,zlib
debug2: compression stoc: none,zlib@openssh.com,zlib
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: host key algorithms: ssh-dss
debug2: ciphers ctos: aes128-ctr,aes256-ctr,aes128-cbc,3des-cbc,blowfish-cbc,aes192-cbc,aes256-cbc
debug2: ciphers stoc: aes128-ctr,aes256-ctr,aes128-cbc,3des-cbc,blowfish-cbc,aes192-cbc,aes256-cbc
debug2: MACs ctos: hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-md5,hmac-sha1-96,hmac-md5-96
debug2: MACs stoc: hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-md5,hmac-sha1-96,hmac-md5-96
debug2: compression ctos: none
debug2: compression stoc: none
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug1: kex: algorithm: ecdh-sha2-nistp256
debug1: kex: host key algorithm: ssh-dss
debug1: kex: server->client cipher: aes128-ctr MAC: hmac-sha2-256 compression: none
debug1: kex: client->server cipher: aes128-ctr MAC: hmac-sha2-256 compression: none
debug1: kex: ecdh-sha2-nistp256 need=32 dh_need=32
debug1: kex: ecdh-sha2-nistp256 need=32 dh_need=32
debug3: send packet: type 30
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug3: receive packet: type 31
debug1: Server host key: ssh-dss SHA256:8co/VQwoyWfRIjfegwAgGovnRiprHMP2pLZqznzMvbo
debug3: put_host_port: [localhost]:2233
debug3: hostkeys_foreach: reading file "/home/user/.ssh/known_hosts"
debug3: record_hostkey: found key type DSA in file /home/user/.ssh/known_hosts:1
debug3: load_hostkeys: loaded 1 keys from [localhost]:2233
debug3: hostkeys_foreach: reading file "/var/lib/sss/pubconf/known_hosts"
debug1: Host '[localhost]:2233' is known and matches the DSA host key.
debug1: Found key in /home/user/.ssh/known_hosts:1
ssh_dispatch_run_fatal: Connection to UNKNOWN port 65535: incorrect signature
Couldn't read packet: Connection reset by peer
【问题讨论】:
【参考方案1】:使用 RSA 算法似乎可以解决问题,默认使用 DSA。
sshd.setKeyPairProvider(new SimpleGeneratorHostKeyProvider("hostkey.ser","RSA"));
【讨论】:
RSA是today's implementation中的默认算法以上是关于Apache sshd-sftp 0.11.0:新主机密钥文件导致 ssh_dispatch_run_fatal:签名不正确的主要内容,如果未能解决你的问题,请参考以下文章