I have 2 identical servers running CentOS Linux release 7.4.1708 (Core) x64. Both are installed with the same packages.
On both servers I have my private keys installed (the ones I use on my laptop), but on the servers I don't have any id_rsa keys.
I am used to logging in to one server and then, from that server, sshing to the other to pull files, or do some random stuff. I have always been able to do that, and SSH uses key forwarding without any problem.
Well, now between these servers it doesn't work; I get the "sign_and_send_pubkey: signing failed: agent refused operation" message. But what is really strange is that it is only between these two servers. If I ssh into one of these servers and then SSH to another server, it works perfectly. I don't know if it has to do with the OpenSSH version (sshd version OpenSSH_7.4, OpenSSL 1.0.2k-fips 26 Jan 2017); it's the only difference I have found.
I tried the methods that describe ssh-add, etc.; none of that works. ssh-add -l shows my keys. As I already mentioned, if I ssh to another server it works. I don't know what is causing this problem. Here is a log of a login attempt, from both the client and the server:
Client attempt:
OpenSSH_7.4p1, OpenSSL 1.0.2k-fips 26 Jan 2017
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 58: Applying options for *
debug1: Connecting to 192.168.0.22 [192.168.0.22] port 7922.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_rsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.4
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.4
debug1: match: OpenSSH_7.4 pat OpenSSH* compat 0x04000000
debug1: Authenticating to 192.168.0.22:7922 as 'root'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: [email protected] MAC: <implicit> compression: none
debug1: kex: client->server cipher: [email protected] MAC: <implicit> compression: none
debug1: kex: curve25519-sha256 need=64 dh_need=64
debug1: kex: curve25519-sha256 need=64 dh_need=64
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:oWEB74igSY8hrsToszYlI71rlQHFUkxqZp3V9ZLDyeU
debug1: Host '[192.168.0.22]:7922' is known and matches the ECDSA host key.
debug1: Found key in /root/.ssh/known_hosts:1
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<rsa-sha2-256,rsa-sha2-512>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure. Minor code may provide more information
No Kerberos credentials available (default cache: KEYRING:persistent:0)
debug1: Unspecified GSS failure. Minor code may provide more information
No Kerberos credentials available (default cache: KEYRING:persistent:0)
debug1: Next authentication method: publickey
debug1: Offering DSA public key: [1024-bit dsa, JGGV@the-best, Mon Oct 07 2002 21:53:53]
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug1: Offering RSA public key: Laundry Dispens-inators root key
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug1: Offering RSA public key: pvera@VCLP06
debug1: Server accepts key: pkalg rsa-sha2-512 blen 279
sign_and_send_pubkey: signing failed: agent refused operation
debug1: Offering RSA public key: jggv@JGGV
debug1: Server accepts key: pkalg rsa-sha2-512 blen 277
sign_and_send_pubkey: signing failed: agent refused operation
debug1: Offering RSA public key: pvera@VCLP06
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug1: Trying private key: /root/.ssh/id_rsa
debug1: Trying private key: /root/.ssh/id_dsa
debug1: Trying private key: /root/.ssh/id_ecdsa
debug1: Trying private key: /root/.ssh/id_ed25519
debug1: No more authentication methods to try.
Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
Server log:
Connection from 192.168.0.27 port 33958 on 192.168.0.22 port 7922
debug1: Client protocol version 2.0; client software version OpenSSH_7.4
debug1: match: OpenSSH_7.4 pat OpenSSH* compat 0x04000000
debug1: Local version string SSH-2.0-OpenSSH_7.4
debug1: Enabling compatibility mode for protocol 2.0
debug1: SELinux support disabled [preauth]
debug1: permanently_set_uid: 74/74 [preauth]
debug1: list_hostkey_types: ssh-rsa,rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
debug1: SSH2_MSG_KEXINIT sent [preauth]
debug1: SSH2_MSG_KEXINIT received [preauth]
debug1: kex: algorithm: curve25519-sha256 [preauth]
debug1: kex: host key algorithm: ecdsa-sha2-nistp256 [preauth]
debug1: kex: client->server cipher: [email protected] MAC: <implicit> compression: none [preauth]
debug1: kex: server->client cipher: [email protected] MAC: <implicit> compression: none [preauth]
debug1: kex: curve25519-sha256 need=64 dh_need=64 [preauth]
debug1: kex: curve25519-sha256 need=64 dh_need=64 [preauth]
debug1: expecting SSH2_MSG_KEX_ECDH_INIT [preauth]
debug1: rekey after 134217728 blocks [preauth]
debug1: SSH2_MSG_NEWKEYS sent [preauth]
debug1: expecting SSH2_MSG_NEWKEYS [preauth]
debug1: SSH2_MSG_NEWKEYS received [preauth]
debug1: rekey after 134217728 blocks [preauth]
debug1: KEX done [preauth]
debug1: userauth-request for user root service ssh-connection method none [preauth]
debug1: attempt 0 failures 0 [preauth]
debug1: PAM: initializing for "root"
debug1: PAM: setting PAM_RHOST to "192.168.0.27"
debug1: PAM: setting PAM_TTY to "ssh"
debug1: userauth-request for user root service ssh-connection method publickey [preauth]
debug1: attempt 1 failures 0 [preauth]
debug1: userauth_pubkey: test whether pkalg/pkblob are acceptable for DSA SHA256:Klpud/mybsWXCWRyLvrNeEe05arBwTwU6uz5kcAkEEA [preauth]
debug1: temporarily_use_uid: 0/0 (e=0/0)
debug1: trying public key file /root/.ssh/authorized_keys
debug1: fd 4 clearing O_NONBLOCK
debug1: restore_uid: 0/0
Failed publickey for root from 192.168.0.27 port 33958 ssh2: DSA SHA256:Klpud/mybsWXCWRyLvrNeEe05arBwTwU6uz5kcAkEEA
debug1: userauth-request for user root service ssh-connection method publickey [preauth]
debug1: attempt 2 failures 1 [preauth]
debug1: userauth_pubkey: test whether pkalg/pkblob are acceptable for RSA SHA256:rpYwsIO0JjUvi4GOM3X7GinFIZ/AKNvdujvmesW+xOA [preauth]
debug1: temporarily_use_uid: 0/0 (e=0/0)
debug1: trying public key file /root/.ssh/authorized_keys
debug1: fd 4 clearing O_NONBLOCK
debug1: restore_uid: 0/0
Failed publickey for root from 192.168.0.27 port 33958 ssh2: RSA SHA256:rpYwsIO0JjUvi4GOM3X7GinFIZ/AKNvdujvmesW+xOA
debug1: userauth-request for user root service ssh-connection method publickey [preauth]
debug1: attempt 3 failures 2 [preauth]
debug1: userauth_pubkey: test whether pkalg/pkblob are acceptable for RSA SHA256:mpZgL1m3o8uJEVxBHWJwb2txIJPgPGpQWz2zvYkoaSk [preauth]
debug1: temporarily_use_uid: 0/0 (e=0/0)
debug1: trying public key file /root/.ssh/authorized_keys
debug1: fd 4 clearing O_NONBLOCK
debug1: matching key found: file /root/.ssh/authorized_keys, line 2 RSA SHA256:mpZgL1m3o8uJEVxBHWJwb2txIJPgPGpQWz2zvYkoaSk
debug1: restore_uid: 0/0
Postponed publickey for root from 192.168.0.27 port 33958 ssh2 [preauth]
debug1: userauth-request for user root service ssh-connection method publickey [preauth]
debug1: attempt 4 failures 2 [preauth]
debug1: userauth_pubkey: test whether pkalg/pkblob are acceptable for RSA SHA256:nhJgL2r5V1K6Z6DRw6jjKL6O4Pqv3/vYRtq35oqERwc [preauth]
debug1: temporarily_use_uid: 0/0 (e=0/0)
debug1: trying public key file /root/.ssh/authorized_keys
debug1: fd 4 clearing O_NONBLOCK
debug1: matching key found: file /root/.ssh/authorized_keys, line 1 RSA SHA256:nhJgL2r5V1K6Z6DRw6jjKL6O4Pqv3/vYRtq35oqERwc
debug1: restore_uid: 0/0
Postponed publickey for root from 192.168.0.27 port 33958 ssh2 [preauth]
debug1: userauth-request for user root service ssh-connection method publickey [preauth]
debug1: attempt 5 failures 2 [preauth]
debug1: userauth_pubkey: test whether pkalg/pkblob are acceptable for RSA SHA256:cmo8wJpMpQbjZHEtMDjroxvyzjbe/rQtRNfaJ15hi1A [preauth]
debug1: temporarily_use_uid: 0/0 (e=0/0)
debug1: trying public key file /root/.ssh/authorized_keys
debug1: fd 4 clearing O_NONBLOCK
debug1: restore_uid: 0/0
Failed publickey for root from 192.168.0.27 port 33958 ssh2: RSA SHA256:cmo8wJpMpQbjZHEtMDjroxvyzjbe/rQtRNfaJ15hi1A
Connection closed by 192.168.0.27 port 33958 [preauth]
debug1: do_cleanup [preauth]
debug1: monitor_read_log: child log fd closed
debug1: do_cleanup
debug1: PAM: cleanup
debug1: Killing privsep child 5251
I really don't know what else to do; I have spent more than a day on this.
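An added example, not part of the original post: a small Python parser for client-side `ssh -v` output that pairs each offered key with the server's reply and the signature algorithm it asked for, so the keys the agent refused to sign with stand out. The sample is a trimmed copy of lines from the client log above; the function and field names are illustrative.

```python
import re

# Constructed sample: trimmed from the client-side debug output quoted in the post.
SAMPLE_CLIENT_LOG = """\
debug1: kex_input_ext_info: server-sig-algs=<rsa-sha2-256,rsa-sha2-512>
debug1: Next authentication method: publickey
debug1: Offering DSA public key: [1024-bit dsa, JGGV@the-best, Mon Oct 07 2002 21:53:53]
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug1: Offering RSA public key: pvera@VCLP06
debug1: Server accepts key: pkalg rsa-sha2-512 blen 279
sign_and_send_pubkey: signing failed: agent refused operation
debug1: Offering RSA public key: jggv@JGGV
debug1: Server accepts key: pkalg rsa-sha2-512 blen 277
sign_and_send_pubkey: signing failed: agent refused operation
debug1: Offering RSA public key: pvera@VCLP06
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug1: Trying private key: /root/.ssh/id_rsa
"""

SIGALGS = re.compile(r"server-sig-algs=<([^>]*)>")
OFFER = re.compile(r"^debug1: Offering (\S+) public key: (.+)$")
ACCEPT = re.compile(r"^debug1: Server accepts key: pkalg (\S+) blen (\d+)$")
SIGFAIL = re.compile(r"^sign_and_send_pubkey: signing failed: (.+)$")


def summarize(log):
    """Return (server_sig_algs, attempts); one attempt dict per offered key."""
    sig_algs, attempts, cur = [], [], None
    for line in (raw.strip() for raw in log.splitlines()):
        if m := SIGALGS.search(line):
            sig_algs = m.group(1).split(",")
        elif m := OFFER.match(line):
            cur = {"type": m.group(1), "comment": m.group(2),
                   "pkalg": None, "outcome": "not accepted by server"}
            attempts.append(cur)
        elif (m := ACCEPT.match(line)) and cur:
            cur["pkalg"] = m.group(1)          # algorithm the signature must use
            cur["outcome"] = "accepted, signature pending"
        elif (m := SIGFAIL.match(line)) and cur:
            cur["outcome"] = "signing failed: " + m.group(1)
    return sig_algs, attempts


def agent_signing_failures(attempts):
    """Keys the server accepted but the agent did not sign for."""
    return [(a["comment"], a["pkalg"]) for a in attempts
            if a["outcome"].startswith("signing failed")]


if __name__ == "__main__":
    algs, tries = summarize(SAMPLE_CLIENT_LOG)
    print("server-sig-algs:", algs)
    for t in tries:
        print(f'{t["type"]:4} {t["comment"][:30]:30} {t["pkalg"]} -> {t["outcome"]}')
```

On the sample, both keys that match `authorized_keys` fail at the signing step with `pkalg rsa-sha2-512`, which narrows the problem to the agent side of the forwarded connection rather than to the server's key lookup.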