如何使用密钥身份验证在两个服务器之间使用SCP复制？

16

我可以使用密钥身份验证通过SSH登录SERVER1和SERVER2。但是，我无法在两个服务器之间复制文件。为什么？如何在它们之间复制？（我必须复制的数据大于我的笔记本硬盘）

我的笔记本运行Ubuntu 10.04 LTS，两台服务器是AIX 5300-10-02-0943。我~/.ssh/known_hosts在笔记本上的文件包含这两个服务器的公共密钥。我tsocks之所以使用，是因为我必须使用SSH隧道才能访问这两个服务器。两台服务器可以互相ping通。

[USER@NOTEBOOK ~] tsocks scp -v -i /home/USER/.ssh/id_rsa -p -r root@SERVER1:/PATH/TO/DIR root@SERVER2:/PATH/TO/DIR
Executing: /usr/bin/ssh '-v' '-x' '-oClearAllForwardings yes' '-n' '-l' 'root' 'SERVER1' 'scp -v -r -p' '/PATH/TO/DIR' 'root@SERVER2:/PATH/TO/DIR'
OpenSSH_5.3p1 Debian-3ubuntu7, OpenSSL 0.9.8k 25 Mar 2009
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to SERVER1 [SERVER1] port 22.
debug1: Connection established.
debug1: identity file /home/USER/.ssh/identity type -1
debug1: identity file /home/USER/.ssh/id_rsa type 1
debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-1024
debug1: Checking blacklist file /etc/ssh/blacklist.RSA-1024
debug1: identity file /home/USER/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.2p1+sas
debug1: match: OpenSSH_5.2p1+sas pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu7
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'SERVER1' is known and matches the RSA host key.
debug1: Found key in /home/USER/.ssh/known_hosts:59
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering public key: /home/USER/.ssh/id_rsa
debug1: Server accepts key: pkalg ssh-rsa blen 151
debug1: Authentication succeeded (publickey).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: Sending environment.
debug1: Sending env LANG = en_US.utf8
debug1: Sending command: scp -v -r -p /PATH/TO/DIR root@SERVER2:/PATH/TO/DIR
Executing: program /applications/ssh/5.20.15.0/bin/ssh host SERVER2, user root, command scp -v -r -p -t /PATH/TO/DIR
OpenSSH_5.2p1+sas, OpenSSL 0.9.8k 25 Mar 2009
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Connecting to SERVER2 [SERVER2] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: identity file /root/.ssh/identity type -1
debug1: identity file /root/.ssh/id_rsa type -1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.2p1+sas
debug1: match: OpenSSH_5.2p1+sas pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.2
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: read_passphrase: can't open /dev/tty: No such device or address
Host key verification failed.
lost connection
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug1: channel 0: free: client-session, nchannels 1
Transferred: sent 1984, received 3848 bytes, in 0.3 seconds
Bytes per second: sent 6903.4, received 13389.2
debug1: Exit status 1


[USER@NOTEBOOK ~] tsocks scp -i /home/USER/.ssh/id_rsa -p -r root@SERVER1:/PATH/TO/DIR root@SERVER2:/PATH/TO/DIR
Host key verification failed.
lost connection
[USER@NOTEBOOK ~]

ssh scp

— 兰斯·贝恩斯
source

/ dev / tty是否存在？试试这个：ben.goodacre.name/tech/Can't_open_/dev/…– vj- 2012

— 6

10

这很容易解决。瞧，源服务器不知道目标服务器，它不能要求您确认身份，因为您没有在此处打开终端：

debug1: read_passphrase: can't open /dev/tty: No such device or address
Host key verification failed.
lost connection

因此，只需登录到源帐户/服务器并尝试ssh（或scp）到dest帐户，接受主机密钥并取消登录/ scp。您应该能够复制。

local $ ssh source@src-server
src-server $ ssh dest@dst-server
The authenticity of host 'destination (10.0.0.x)' can't be established.
RSA key fingerprint is 71:ec:c0:86:7f:b6:51:eb:76:c8:1f:2f:ba:0a:f4:20.
Are you sure you want to continue connecting (yes/no)? yes
dest@dst-server's password: ^C
src-server $ exit

local $ scp -r source@src-server:/path/to/files dest@dst-server:/path/to/files

如果没有，请尝试：

local $ scp -r -o "ForwardAgent=yes" source@src-server:/path/to/files dest@dst-server:/path/to/files

如果您拥有可以访问目标服务器的SSH密钥，而源服务器没有访问权，则添加-o "ForwardAgent=yes"将允许您将SSH代理转发到源服务器，以便它可以使用SSH密钥连接到目标服务器。

— alecco
source

7

一点诊断：从这里

debug1: Sending command: scp -v -r -p /PATH/TO/DIR root@SERVER2:/PATH/TO/DIR
[...]
debug1: read_passphrase: can't open /dev/tty: No such device or address

我怀疑（猜测）它是这样工作的，服务器到服务器的副本已scp登录SERVER1并执行scp命令将文件发送到SERVER2；因此，调用方（来自SERVER1）必须进行身份验证。现在这失败了，因为它是非交互式的（没有/dev/tty），并且没有办法要求输入密码。

这意味着将密钥复制到SERVER1（我无法确定这是否适合您的情况）可能可以解决问题（我认为...）（如果没有密码短语，那就太糟糕了）

编辑一个解决方案可能是以下，使用sshfs访问你要发送的文件，通过把他们scp从sshfs-mounted目录。这应该为您提供所需的交互性（如果上面的猜测是正确的），并将所有键都保持在本地。

— sr_
source

sshfs不是一个选择。

— LanceBaynes'5

因此，问题在于SERVER1无法使用密钥auth SSH到SERVER2吗？是否有任何ssh客户端参数可用于在笔记本上使用密钥？

— LanceBaynes'5

2

不知道，恐怕。但是，您可以使用ssh SERVER1 scp *args-YOU-specifiy*一点灵活性。也许有些stdin骗术可能会有所帮助...我不确定。

— sr_

2

@utopiabound的答案（使用ssh-agent）听起来比stdin骗术要好得多。

— sr_

3

我已经尝试过了，它在两个系统之间对我有用，但有一些区别：

我有一个运行SSH代理并添加了SSH密钥的（ssh-add）
我默认启用了ssh-agent转发

请尝试以下操作：

ssh-add
scp -v -o "ForwardAgent=yes" -p -r root@SERVER1:/PATH/TO/DIR root@SERVER2:/PATH/TO/DIR

— 乌托邦
source

仍然“主机密钥验证失败。”

— LanceBaynes'5

@LanceBaynes确保您已以根用户身份从SERVER1登录到SERVER2。也许您在SERVER1上root的已知主机文件中没有该文件？

— utopiabound，2012年

1

您可能要使用-3scp选项，它会通过笔记本电脑引导流量。

即 [USER@NOTEBOOK ~] scp -3 root@SERVER1:/PATH/TO/DIR root@SERVER2:/PATH/TO/DIR

— Törzsmókus
source

0

尝试使用ssh的以下选项：

-o StrictHostKeyChecking=no
-o UserKnownHostsFile=.ssh/known_hosts [OPTIONAL]

就我而言，我尝试从PostgreSQL中的SP内部与ssh连接。第一次尝试失败：

pc_ubuntu_db=# SELECT command('ssh -q -v admin@10.30.134.26 hostname');
debug1: Server host key: RSA 0a:28:83:72:d7:7d:89:93:96:a1:1b:e2:f9:22:85:62 
debug1: read_passphrase: can't open /dev/tty: No such device or address
        Host key verification failed.

问题根源：无法用Know_host编写

pc_ubuntu_db=# SELECT command('ssh -v -o StrictHostKeyChecking=no -i admin@10.30.134.26 hostname');
debug1: Server host key: RSA 0a:28:83:72:d7:7d:89:93:96:a1:1b:e2:f9:22:85:62
Warning: Permanently added '10.30.134.26' (RSA) to the list of known hosts.
debug1: ssh_rsa_verify: signature correct
...
Transferred: sent 2672, received 2040 bytes, in 0.0 seconds
Bytes per second: sent 214358.6, received 163657.0
debug1: Exit status 0

下一个连接输出：

debug1: Server host key: RSA 0a:28:83:72:d7:7d:89:93:96:a1:1b:e2:f9:22:85:62
debug1: Host '10.30.134.26' is known and matches the RSA host key.
debug1: Found key in /var/lib/postgresql/.ssh/known_hosts:3
debug1: ssh_rsa_verify: signature correct

成功！

— GHR眼
source