Como o usuário VDR comentou, preciso adicionar
-o StrictHostKeyChecking=no
como uma opção adicional ao chamar o ssh através do cron.
Eu desisto:
Eu tenho um script de cronjob que tenho executado há anos (fora de uma máquina RHEL 6.7) para remoto em outras máquinas RHEL via ssh. Funciona sem falhas contra o RHEL5 e 6, mas falha com o RHEL7. Na sua forma mais simples, o script se divide assim:
ssh -tttvi /home/robot/.ssh/passwdlesskey robot@${ThatIP} sudo -l
Em todas as máquinas remotas (RHEL6 e 7), o respectivo arquivo sudoers contém
Defaults requiretty
Como esperado, o script executa bem da linha de comando contra o RHEL7. Novamente, do cron funciona contra o RHEL 5 & 6 mas falha contra 7:
debug1: read_passphrase: can't open /dev/tty: No such device or address
Host key verification failed.
Uma coisa peculiar a notar é a diferença nas saídas SSH ao executar a linha de comando vs cron em um servidor RHEL7
C R O N C O M M A N D L I N E
------------------------------------------------------------------------+------------------------------------------------------------------------
debug1: skipped DNS lookup for numerical hostname | debug1: skipped DNS lookup for numerical hostname
WARNING: ECDSA key found for host 10.96.16.108 | debug1: Host '10.96.16.108' is known and matches the ECDSA host key.
in /home/robot/.ssh/known_hosts:416 | debug1: Found key in /home/robot/.ssh/known_hosts:416
ECDSA key fingerprint ee:67:90:d3:c3:b8:db:c7:d3:6a:68:6a:78:fd:25:da. | debug1: SSH2_MSG_NEWKEYS sent
+--[ECDSA 256]---+ | debug1: expecting SSH2_MSG_NEWKEYS
| | | debug1: SSH2_MSG_NEWKEYS received
| | | debug1: Roaming not allowed by server
| | | debug1: SSH2_MSG_SERVICE_REQUEST sent
| | | debug1: SSH2_MSG_SERVICE_ACCEPT received
| S= | | debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
| .= + | | debug1: Next authentication method: publickey
| ..= +... | | debug1: Offering DSA public key: /home/robot/.ssh/passwdlesskey
| ..+.*o=o. | | debug1: Server accepts key: pkalg ssh-dss blen 433
| o+*o+Eo | | debug1: Authentication succeeded (publickey).
+-----------------+ | Authenticated to 10.96.16.108 ([10.96.16.108]:22).
| debug1: channel 0: new [client-session]
debug1: read_passphrase: can't open /dev/tty: No such device or address | debug1: Entering interactive session.
Host key verification failed. | debug1: Sending command: sudo -l
------------------------------------------------------------------------+------------------------------------------------------------------------
Uma teoria que eu tinha: semelhante à maneira como o scp / sftp não gosta de interação saída do shell , percebi que o randomart exibido pelo servidor RHEL7 está interferindo no meu script. Mas mesmo a substituição de ssh -v por -q não ajuda.
O LogLevel do sshd é DEBUG2
Mar 9 10:51:01 rhel7test sshd[26198]: debug1: Forked child 26209.
Mar 9 10:51:01 rhel7test sshd[26209]: Set /proc/self/oom_score_adj to 0
Mar 9 10:51:01 rhel7test sshd[26209]: debug1: rexec start in 5 out 5 newsock 5 pipe 7 sock 8
Mar 9 10:51:01 rhel7test sshd[26209]: debug1: inetd sockets after dupping: 3, 3
Mar 9 10:51:01 rhel7test sshd[26209]: Connection from 10.96.16.148 port 55171 on 10.96.16.108 port 22
Mar 9 10:51:01 rhel7test sshd[26209]: debug1: Client protocol version 2.0; client software version OpenSSH_5.3
Mar 9 10:51:01 rhel7test sshd[26209]: debug1: match: OpenSSH_5.3 pat OpenSSH_5* compat 0x0c000000
Mar 9 10:51:01 rhel7test sshd[26209]: debug1: Enabling compatibility mode for protocol 2.0
Mar 9 10:51:01 rhel7test sshd[26209]: debug1: Local version string SSH-2.0-OpenSSH_6.6.1
Mar 9 10:51:01 rhel7test sshd[26209]: debug2: fd 3 setting O_NONBLOCK
Mar 9 10:51:01 rhel7test sshd[26209]: debug2: Network child is on pid 26210
Mar 9 10:51:01 rhel7test sshd[26209]: debug1: SELinux support enabled [preauth]
Mar 9 10:51:01 rhel7test sshd[26209]: debug1: permanently_set_uid: 74/74 [preauth]
Mar 9 10:51:01 rhel7test sshd[26209]: debug1: list_hostkey_types: ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
Mar 9 10:51:01 rhel7test sshd[26209]: debug1: SSH2_MSG_KEXINIT sent [preauth]
Mar 9 10:51:01 rhel7test sshd[26209]: debug1: SSH2_MSG_KEXINIT received [preauth]
Mar 9 10:51:01 rhel7test sshd[26209]: debug2: kex_parse_kexinit: [email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 [preauth]
Mar 9 10:51:01 rhel7test sshd[26209]: debug2: kex_parse_kexinit: ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
Mar 9 10:51:01 rhel7test sshd[26209]: debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,[email protected],[email protected],[email protected],aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected] [preauth]
Mar 9 10:51:01 rhel7test sshd[26209]: debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,[email protected],[email protected],[email protected],aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected] [preauth]
Mar 9 10:51:01 rhel7test sshd[26209]: debug2: kex_parse_kexinit: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-md5,hmac-sha1,[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96 [preauth]
Mar 9 10:51:01 rhel7test sshd[26209]: debug2: kex_parse_kexinit: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-md5,hmac-sha1,[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96 [preauth]
Mar 9 10:51:01 rhel7test sshd[26209]: debug2: kex_parse_kexinit: none,[email protected] [preauth]
Mar 9 10:51:01 rhel7test sshd[26209]: debug2: kex_parse_kexinit: none,[email protected] [preauth]
Mar 9 10:51:01 rhel7test sshd[26209]: debug2: kex_parse_kexinit: [preauth]
Mar 9 10:51:01 rhel7test sshd[26209]: debug2: kex_parse_kexinit: [preauth]
Mar 9 10:51:01 rhel7test sshd[26209]: debug2: kex_parse_kexinit: first_kex_follows 0 [preauth]
Mar 9 10:51:01 rhel7test sshd[26209]: debug2: kex_parse_kexinit: reserved 0 [preauth]
Mar 9 10:51:01 rhel7test sshd[26209]: debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 [preauth]
Mar 9 10:51:01 rhel7test sshd[26209]: debug2: kex_parse_kexinit: [email protected],[email protected],[email protected],[email protected],ssh-rsa,ssh-dss [preauth]
Mar 9 10:51:01 rhel7test sshd[26209]: debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected] [preauth]
Mar 9 10:51:01 rhel7test sshd[26209]: debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected] [preauth]
Mar 9 10:51:01 rhel7test sshd[26209]: debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,[email protected],hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96 [preauth]
Mar 9 10:51:01 rhel7test sshd[26209]: debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,[email protected],hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96 [preauth]
Mar 9 10:51:01 rhel7test sshd[26209]: debug2: kex_parse_kexinit: none,[email protected],zlib [preauth]
Mar 9 10:51:01 rhel7test sshd[26209]: debug2: kex_parse_kexinit: none,[email protected],zlib [preauth]
Mar 9 10:51:01 rhel7test sshd[26209]: debug2: kex_parse_kexinit: [preauth]
Mar 9 10:51:01 rhel7test sshd[26209]: debug2: kex_parse_kexinit: [preauth]
Mar 9 10:51:01 rhel7test sshd[26209]: debug2: kex_parse_kexinit: first_kex_follows 0 [preauth]
Mar 9 10:51:01 rhel7test sshd[26209]: debug2: kex_parse_kexinit: reserved 0 [preauth]
Mar 9 10:51:01 rhel7test sshd[26209]: debug2: mac_setup: setup hmac-md5 [preauth]
Mar 9 10:51:01 rhel7test sshd[26209]: debug1: kex: client->server aes128-ctr hmac-md5 none [preauth]
Mar 9 10:51:01 rhel7test sshd[26209]: debug2: mac_setup: setup hmac-md5 [preauth]
Mar 9 10:51:01 rhel7test sshd[26209]: debug1: kex: server->client aes128-ctr hmac-md5 none [preauth]
Mar 9 10:51:01 rhel7test sshd[26209]: debug1: kex: diffie-hellman-group-exchange-sha256 need=16 dh_need=16 [preauth]
Mar 9 10:51:01 rhel7test sshd[26209]: debug1: kex: diffie-hellman-group-exchange-sha256 need=16 dh_need=16 [preauth]
Mar 9 10:51:01 rhel7test sshd[26209]: debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received [preauth]
Mar 9 10:51:01 rhel7test sshd[26209]: debug2: monitor_read: 0 used once, disabling now
Mar 9 10:51:01 rhel7test sshd[26209]: debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent [preauth]
Mar 9 10:51:01 rhel7test sshd[26209]: debug2: bits set: 504/1024 [preauth]
Mar 9 10:51:01 rhel7test sshd[26209]: debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT [preauth]
Mar 9 10:51:01 rhel7test sshd[26209]: debug2: bits set: 532/1024 [preauth]
Mar 9 10:51:01 rhel7test sshd[26209]: debug2: monitor_read: 6 used once, disabling now
Mar 9 10:51:01 rhel7test sshd[26209]: debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent [preauth]
Mar 9 10:51:01 rhel7test sshd[26209]: debug2: kex_derive_keys [preauth]
Mar 9 10:51:01 rhel7test sshd[26209]: debug2: set_newkeys: mode 1 [preauth]
Mar 9 10:51:01 rhel7test sshd[26209]: debug1: SSH2_MSG_NEWKEYS sent [preauth]
Mar 9 10:51:01 rhel7test sshd[26209]: debug1: expecting SSH2_MSG_NEWKEYS [preauth]
Mar 9 10:51:01 rhel7test sshd[26209]: Connection closed by 10.96.16.148 [preauth]
Mar 9 10:51:01 rhel7test sshd[26209]: debug1: do_cleanup [preauth]
Mar 9 10:51:01 rhel7test sshd[26209]: debug1: monitor_read_log: child log fd closed
Mar 9 10:51:01 rhel7test sshd[26209]: debug1: do_cleanup
Mar 9 10:51:01 rhel7test sshd[26209]: debug1: Killing privsep child 26210
Lendo postagens semelhantes, eu já
Finalmente, porque tenho certeza que será perguntado, o sshd_config do RHEL6 & 7
R H E L 7 R H E L 6
--------------------------------------------------------------------------------+---------------------------------------------------------------------
HostKey /etc/ssh/ssh_host_rsa_key |
HostKey /etc/ssh/ssh_host_ecdsa_key |
HostKey /etc/ssh/ssh_host_ed25519_key |
SyslogFacility AUTHPRIV | AUTHPRIV
LogLevel DEBUG2 |
PermitRootLogin no | no
StrictModes yes |
MaxAuthTries 3 |
MaxSessions 10 |
PubkeyAuthentication yes |
AuthorizedKeysFile .ssh/authorized_keys |
IgnoreRhosts yes |
PermitEmptyPasswords no |
PasswordAuthentication yes | yes
ChallengeResponseAuthentication no | no
GSSAPIAuthentication yes | yes
GSSAPICleanupCredentials no | yes
UsePAM yes | yes
X11Forwarding yes | yes
PrintMotd no |
PrintLastLog no |
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES | LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT | LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE | LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS | XMODIFIERS
Subsystem sftp /usr/libexec/openssh/sftp-server | sftp /usr/libexec/openssh/sftp-server
Então, eu não sei qual é a causa do problema.
Não é sudo
pedindo TTY, mas o cliente ssh
, que precisa de você para fazer a única coisa de segurança sobre o ssh, que você precisa fazer antes de estabelecer uma conexão segura. É a verificação do hostkey, que requer entrada manual do usuário, se não for configurado antecipadamente. Não está relacionado com a versão do sistema, mas com a configuração.
Você precisa armazenar a chave do host de servidores (parte pública) no known_hosts
do cliente. Existem várias possibilidades de como fazer isso:
Como o usuário ( robot
) que está executando o cron ( sudo -i -u robot
), tente se conectar ao servidor remoto:
ssh -i /home/robot/.ssh/passwdlesskey robot@${ThatIP}
e gravação manual "sim" no prompt
Use a ferramenta ssh-keyscan
, que faz exatamente a mesma coisa, mas não precisa ser interativa (certifique-se de executá-la como usuário diferente, que o usuário de destino terá acesso correto a esse arquivo):
ssh-keyscan {ThatIP} >> /home/robot/.ssh/known_hosts
O mesmo cenário - atualizei o sistema de destino do CentOS 6 para o CentOS 7 e, de repente, meu trabalho cron receberia Host key validation failed
erros, mas se eu o executasse da linha de comando, tudo bem. Eu estava totalmente inconsciente da ferramenta ssh-keyscan
, então agradeço a @Jakuje por escrever sobre isso. No meu caso, rodar a ferramenta ssh-keyscan não gera absolutamente nada, então eu adicionei -v
, e obtive:
>ssh-keyscan -v hostname.example.com
debug1: match: OpenSSH_6.6.1 pat OpenSSH*
debug1: hostname.example.com doesn't support ssh1
Eish. Parece que o SSH na máquina de origem não suporta o SSH2. Então, olhei para a versão do ssh no sistema de origem:
>sudo yum list installed | grep ssh
openssh.x86_64 4.3p2-82.el5 installed
openssh-askpass.x86_64 4.3p2-82.el5 installed
openssh-clients.x86_64 4.3p2-82.el5 installed
openssh-server.x86_64 4.3p2-82.el5 installed
Legal. Apenas alguns anos atrás. Este post link ajudou-me a aprofundar a ideia de que o CentOS 7 desativa as chaves DSA. Solução? Gere e ative a chave DSA no CentOS 7. Mas, as chaves DSA são mais fracas do que o RSA, o que tornaria desnecessário meu novo servidor.
Solução ideal no meu caso: atualize o openssh na máquina de origem.