pielot 2025-05-18 09:28

ubuntu ssh connection error: REMOTE HOST IDENTIFICATION HAS CHANGED!

Error:

(base) haohao@zhangjunhaodebijixingdiannao .ssh % sudo ssh ubuntu@127.0.0.1 -v
OpenSSH_9.9p1, LibreSSL 3.3.6
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
/etc/ssh/ssh_config line 23: Unsupported option "rhostsrsaauthentication"
/etc/ssh/ssh_config line 24: Unsupported option "rsaauthentication"
debug1: Authenticator provider $SSH_SK_PROVIDER did not resolve; disabling
debug1: Connecting to 127.0.0.1 [127.0.0.1] port 22.
debug1: Connection established.
debug1: identity file /var/root/.ssh/id_rsa type -1
debug1: identity file /var/root/.ssh/id_rsa-cert type -1
debug1: identity file /var/root/.ssh/id_ecdsa type -1
debug1: identity file /var/root/.ssh/id_ecdsa-cert type -1
debug1: identity file /var/root/.ssh/id_ecdsa_sk type -1
debug1: identity file /var/root/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file /var/root/.ssh/id_ed25519 type -1
debug1: identity file /var/root/.ssh/id_ed25519-cert type -1
debug1: identity file /var/root/.ssh/id_ed25519_sk type -1
debug1: identity file /var/root/.ssh/id_ed25519_sk-cert type -1
debug1: identity file /var/root/.ssh/id_xmss type -1
debug1: identity file /var/root/.ssh/id_xmss-cert type -1
debug1: identity file /var/root/.ssh/id_dsa type -1
debug1: identity file /var/root/.ssh/id_dsa-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_9.9
debug1: Remote protocol version 2.0, remote software version OpenSSH_9.9
debug1: compat_banner: match: OpenSSH_9.9 pat OpenSSH* compat 0x04000000
debug1: Authenticating to 127.0.0.1:22 as 'ubuntu'
debug1: load_hostkeys: fopen /var/root/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: sntrup761x25519-sha512
debug1: kex: host key algorithm: ssh-ed25519
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: SSH2_MSG_KEX_ECDH_REPLY received
debug1: Server host key: ssh-ed25519 SHA256:Q/r7sa2RqQnbKohDIJxJECVYFSTfR06K6zlBUkc3TEE
debug1: load_hostkeys: fopen /var/root/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ED25519 key sent by the remote host is
SHA256:Q/r7sa2RqQnbKohDIJxJECVYFSTfR06K6zlBUkc3TEE.
Please contact your system administrator.
Add correct host key in /var/root/.ssh/known_hosts to get rid of this message.
Offending ED25519 key in /var/root/.ssh/known_hosts:1
Password authentication is disabled to avoid man-in-the-middle attacks.
Keyboard-interactive authentication is disabled to avoid man-in-the-middle attacks.
UpdateHostkeys is disabled because the host key is not trusted.
debug1: ssh_packet_send2_wrapped: resetting send seqnr 3
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: Sending SSH2_MSG_EXT_INFO
debug1: expecting SSH2_MSG_NEWKEYS
debug1: ssh_packet_read_poll2: resetting read seqnr 3
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 134217728 blocks
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_ext_info_client_parse: server-sig-algs=<ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,rsa-sha2-512,rsa-sha2-256>
debug1: kex_ext_info_check_ver: publickey-hostbound@openssh.com=<0>
debug1: kex_ext_info_check_ver: ping@openssh.com=<0>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_ext_info_client_parse: server-sig-algs=<ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,rsa-sha2-512,rsa-sha2-256>
debug1: Authentications that can continue: publickey,password,hostbased
debug1: Next authentication method: publickey
debug1: get_agent_identities: bound agent to hostkey
debug1: get_agent_identities: agent returned 5 keys
debug1: Skipping ssh-dss key /Users/haohao/.ssh/ssh_host_dsa_key - corresponding algorithm not in PubkeyAcceptedAlgorithms
debug1: Will attempt key: /Users/haohao/.ssh/ssh_host_ecdsa_key ECDSA SHA256:bhavc7PpqnoXsV7cISR3kbE95lPsmx1A1V5wf4R8Ctg agent
debug1: Will attempt key: root@ubuntu-utm ED25519 SHA256:Q/r7sa2RqQnbKohDIJxJECVYFSTfR06K6zlBUkc3TEE agent
debug1: Will attempt key: /Users/haohao/.ssh/ssh_host_rsa_key RSA SHA256:6fgX1jdZHyvGZEuKLxpBbbGnMMHxePBI/jmhNi7nvKk agent
debug1: Will attempt key: /Users/haohao/.ssh/ssh_host_ecdsa_key ECDSA SHA256:SiZWfTyfhsNcodt7t+31mTJD1LE38y0/ffEQcK7ApXE agent
debug1: Will attempt key: /var/root/.ssh/id_rsa 
debug1: Will attempt key: /var/root/.ssh/id_ecdsa 
debug1: Will attempt key: /var/root/.ssh/id_ecdsa_sk 
debug1: Will attempt key: /var/root/.ssh/id_ed25519 
debug1: Will attempt key: /var/root/.ssh/id_ed25519_sk 
debug1: Will attempt key: /var/root/.ssh/id_xmss 
debug1: Will attempt key: /var/root/.ssh/id_dsa 
debug1: Offering public key: /Users/haohao/.ssh/ssh_host_ecdsa_key ECDSA SHA256:bhavc7PpqnoXsV7cISR3kbE95lPsmx1A1V5wf4R8Ctg agent
debug1: Authentications that can continue: publickey,password,hostbased
debug1: Offering public key: root@ubuntu-utm ED25519 SHA256:Q/r7sa2RqQnbKohDIJxJECVYFSTfR06K6zlBUkc3TEE agent
debug1: Authentications that can continue: publickey,password,hostbased
debug1: Offering public key: /Users/haohao/.ssh/ssh_host_rsa_key RSA SHA256:6fgX1jdZHyvGZEuKLxpBbbGnMMHxePBI/jmhNi7nvKk agent
debug1: Authentications that can continue: publickey,password,hostbased
debug1: Offering public key: /Users/haohao/.ssh/ssh_host_ecdsa_key ECDSA SHA256:SiZWfTyfhsNcodt7t+31mTJD1LE38y0/ffEQcK7ApXE agent
debug1: Authentications that can continue: publickey,password,hostbased
debug1: Trying private key: /var/root/.ssh/id_rsa
debug1: Trying private key: /var/root/.ssh/id_ecdsa
debug1: Trying private key: /var/root/.ssh/id_ecdsa_sk
debug1: Trying private key: /var/root/.ssh/id_ed25519
debug1: Trying private key: /var/root/.ssh/id_ed25519_sk
debug1: Trying private key: /var/root/.ssh/id_xmss
debug1: Trying private key: /var/root/.ssh/id_dsa
debug1: No more authentication methods to try.
ubuntu@127.0.0.1: Permission denied (publickey,password,hostbased).
(base) haohao@zhangjunhaodebijixingdiannao .ssh % 


Below is my ssh_config file

# This is the ssh client system-wide configuration file.  See
# ssh_config(5) for more information.  This file provides defaults for
# users, and the values can be changed in per-user configuration files
# or on the command line.

# Configuration data is parsed as follows:
#  1. command line options
#  2. user-specific file
#  3. system-wide file
# Any configuration value is only changed the first time it is set.
# Thus, host-specific definitions should be at the beginning of the
# configuration file, and defaults at the end.

# Site-wide defaults for some commonly used options.  For a comprehensive
# list of available options, their meanings and defaults, please see the
# ssh_config(5) man page.

Host *
#   ForwardAgent no
#   ForwardX11 no
#   ForwardX11Trusted yes
   RhostsRSAAuthentication yes
   RSAAuthentication yes
#   PasswordAuthentication yes
#   HostbasedAuthentication no
#   GSSAPIAuthentication no
#   GSSAPIDelegateCredentials no
#   GSSAPIKeyExchange no
#   GSSAPITrustDNS no
#   BatchMode no
#   CheckHostIP yes
#   AddressFamily any
#   ConnectTimeout 0
   StrictHostKeyChecking no
#   IdentityFile ~/.ssh/identity
#   IdentityFile ~/.ssh/id_rsa
#   IdentityFile ~/.ssh/id_dsa
#   Port 22
#   Protocol 2,1
#   Cipher 3des
#   Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc
#   MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160
#   EscapeChar ~
#   Tunnel no
#   TunnelDevice any:any
#   PermitLocalCommand no
#   VisualHostKey no
#   ProxyCommand ssh -q -W %h:%p gateway.example.com
#   RekeyLimit 1G 1h
    SendEnv LANG LC_*
    HashKnownHosts yes
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials no



  • 檀越@新空间 2025-05-18 09:29

    Good morning ☀️☀️☀️
    This answer draws on Tongyi Qianwen (通义千问)

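    The error message indicates that the SSH host key of the remote host you are trying to connect to has changed. This may mean the remote host was reinstalled or reset, or that a man-in-the-middle attack is taking place. The SSH client automatically stores the remote host's key in the known_hosts file; when the remote host's key does not match the stored key, SSH refuses the connection and shows a warning.

    The steps to resolve this problem are as follows:


    Solution

    1. Confirm whether the key needs to be updated

    In some cases a change of the remote host's key is legitimate, for example:

    • The remote host was reinstalled or upgraded.
    • A new SSH configuration is in use.

    If you are sure the change is legitimate, you can manually remove the old key from the known_hosts file.

    2. Remove the old key

    You can remove the old key from the known_hosts file with the following command: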

    ssh-keygen -R 127.0.0.1
    

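    This command automatically removes the key for 127.0.0.1 from the ~/.ssh/known_hosts or /etc/ssh/ssh_known_hosts file.

    If your known_hosts file is in a different location, you can edit it by hand and delete the relevant line.

    3. Force-update the key

    If you have confirmed that the remote host's key is safe, you can force-update it in the known_hosts file: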

    sudo ssh-keyscan -t ed25519 127.0.0.1 >> ~/.ssh/known_hosts
    

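    This command fetches the latest key from the remote host and appends it to the known_hosts file.

    4. Check the remote host's key

    Before carrying out the steps above, it is advisable to check by hand that the remote host's key is correct. You can obtain the remote host's key as follows: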

    ssh-keyscan 127.0.0.1
    

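    Then compare the output with the key provided by the remote host's administrator to make sure it is correct.

    5. Try connecting again

    After completing the steps above, try connecting to the remote host again: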

    ssh ubuntu@127.0.0.1
    

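    Notes

    1. Do not ignore the warning: SSH's warning exists to protect your system from man-in-the-middle attacks. Unless you are sure the key change is legitimate, do not skip the warning lightly.
    2. Permissions: make sure you have permission to access and modify the ~/.ssh/known_hosts or /etc/ssh/ssh_known_hosts file.
    3. Backup: before modifying the known_hosts file, it is advisable to back it up in case of accidents.

    Modified code

    If you need to handle this automatically in a script, you can use the following Bash script: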

    #!/bin/bash

    # Remote host address
    HOST="127.0.0.1"

    # Make sure the known_hosts file exists
    if [ ! -f ~/.ssh/known_hosts ]; then
        echo "known_hosts 文件不存在,正在創建..."
        mkdir -p ~/.ssh
        touch ~/.ssh/known_hosts
    fi

    # Remove the old key
    echo "正在移除舊的金鑰..."
    ssh-keygen -R "$HOST"

    # Append the host's current key (the scanned key is not verified here)
    echo "正在更新新的金鑰..."
    ssh-keyscan -t ed25519 "$HOST" >> ~/.ssh/known_hosts

    # Try connecting again
    echo "正在嘗試連接到 $HOST..."
    ssh "ubuntu@$HOST"
    

    Save this script as update_ssh_key.sh, then run it:

    chmod +x update_ssh_key.sh
    ./update_ssh_key.sh
    

    This handles the SSH key update automatically.
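
An added example (not part of the answer above, and not OpenSSH code): the check from step 4 done on fingerprints before any entry is removed, including the hashed host names that `HashKnownHosts yes` in the posted ssh_config produces. The function names, sample keys and the `example.test` entry are constructed; `pinned_fp` is assumed to be the fingerprint read on the server itself, for instance with `ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub` on its console.

```python
import base64, hashlib, hmac, struct

def fingerprint(key_b64):
    """Fingerprint as ssh prints it: unpadded base64 of SHA-256 over the key blob."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def hash_host(host, salt):
    """HashKnownHosts form of a host name: |1|b64(salt)|b64(HMAC-SHA1(salt, host))."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())

def host_matches(field, host):
    """Match a known_hosts host field; exact names only, no wildcards or [host]:port."""
    if field.startswith("|1|"):
        salt = base64.b64decode(field.split("|")[2])
        return hmac.compare_digest(hash_host(host, salt), field)
    return host in field.split(",")

def audit(known_hosts_text, host, offered_fp, pinned_fp, key_type="ssh-ed25519"):
    """Return (verdict, stale_line_numbers) for the key the server offered."""
    if not hmac.compare_digest(offered_fp, pinned_fp):
        return ("reject", [])  # offered key is not the one read on the server: keep the entry
    stale, trusted = [], False
    for lineno, line in enumerate(known_hosts_text.splitlines(), 1):
        fields = line.split()
        if len(fields) < 3 or fields[0][0] in "#@" or fields[1] != key_type:
            continue
        if host_matches(fields[0], host):
            if fingerprint(fields[2]) == offered_fp:
                trusted = True
            else:
                stale.append(lineno)  # same numbering as "Offending ... key in known_hosts:N"
    return ("trusted" if trusted else "update", stale)

def _blob(fill):
    """Constructed 51-byte ed25519-shaped blob; not a real host key."""
    raw = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes([fill]) * 32
    return base64.b64encode(raw).decode()

OLD, NEW = _blob(1), _blob(2)  # constructed sample keys
SAMPLE = "\n".join([           # constructed known_hosts content
    hash_host("127.0.0.1", bytes(range(20))) + " ssh-ed25519 " + OLD,
    "example.test ssh-ed25519 " + NEW,
])

if __name__ == "__main__":
    print(audit(SAMPLE, "127.0.0.1", fingerprint(NEW), fingerprint(NEW)))  # pinned matches
    print(audit(SAMPLE, "127.0.0.1", fingerprint(NEW), fingerprint(OLD)))  # pinned differs
```

Only an `update` verdict justifies `ssh-keygen -R` for the listed line. With `sudo ssh`, as in the question, the file to audit is the one named in the warning, /var/root/.ssh/known_hosts.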
