SSH Tips

2019/04/26 共 573 字 2 分钟阅读
LINUX • OS ssh tips

AI 摘要: 解决了Mac系统升级到Ventura 13.1后SSH仍然需要密码的问题，方法是将服务器的密钥升级和加密为ed25519

1. ssh 更新到新的算法

mac 系统升级到 ventura 13.1 后，遇到 ssh 之前配置了免密登录，但仍然需要密码的问题

After the Mac system is upgraded to Ventura 13.1, I encounter the problem that SSH is configured with passwordless login, but the password is still required, my solution is to upgrade and encrypt the server’s key to ed25519:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
// 1. server: check HostKey in /etc/ssh/sshd_config
...
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key

// 2. client: ssh-keygen -t ed25519
ssh-keygen -t ed25519

// 3. client: vim ~/.ssh/ssh_config
Host *
    IdentityFile ~/.ssh/id_ed25519

// 4. client: ssh-copy-id
ssh-copy-id -i ~/.ssh/id_ed25519.pub

// 5. test ssh using identity file
ssh -v username@hostname

more about see man sshd_config, search keywords HostKey and HostKeyAlgorithms

1
2
3
4
5
6
7
8
 HostKey
    Specifies a file containing a private host key used by SSH.  The defaults are /etc/ssh/ssh_host_ecdsa_key,
    /etc/ssh/ssh_host_ed25519_key and /etc/ssh/ssh_host_rsa_key.

    Note that sshd(8) will refuse to use a file if it is group/world-accessible and that the HostKeyAlgorithms
    option restricts which of the keys are actually used by sshd(8).
HostKeyAlgorithms
             Specifies the host key signature algorithms that the server offers.

2. mac 系统升级到 ventura 13.1 后， ssh 遇到 key type 不匹配问题

ssh 遇到Unable to negotiate with UNKNOWN port 65535: no matching host key type found. Their offer: ssh-rsa,ssh-dss

因为高版本 openssl 默认不再支持 ssh-rsa算法，因为存在安全隐患: https://www.zdnet.com/article/openssh-to-deprecate-sha-1-logins-due-to-security-risk/

参考: https://stackoverflow.com/questions/73795935/sign-and-send-pubkey-no-mutual-signature-supported

2.1. ssh 设置（支持 ssh-rsa,ssh-dss 算法）

1
2
// 直接指定 HostKeyAlgorithms 指定服务器提供的主机密钥签名算法
ssh -oHostKeyAlgorithms=+ssh-rsa,ssh-dss root@hostname

2.2. 也可以在 ~/.ssh/ssh_config 配置

1
2
3
Host *
    PubkeyAcceptedKeyTypes=+ssh-rsa
    HostKeyAlgorithms=+ssh-rsa

3. 如何保持 SSH Seesion 会话

参考: https://patrickmn.com/aside/how-to-keep-alive-ssh-sessions/

通常大部分客户端会有相关 SSH 会话的保持功能，但如果是A->B->C这类，客户端工具通常无法支持B->C这段链路的会话保持(大多数跳板机就是类似 Case)

可以通过下述方式实现(5min 会发送一个空包给对端，限定的重试阈值(2 次)都没有收到回包，则默认为连接断开！

3.1. 作为客户端保持

for 所有用户: /etc/ssh/ssh_config
for 当前用户: ~/.ssh/ssh_config

1
2
3
Host *
    ServerAliveInterval 300
    ServerAliveCountMax 2

3.2. 作为 sshd 服务，让客户端保持会话

在/etc/ssh/sshd_config配置内开启下面两个属性

1
2
ClientAliveInterval 300
ClientAliveCountMax 2