如何使用密钥身份验证在两个服务器之间使用SCP复制?


16

我可以使用密钥身份验证通过SSH登录SERVER1和SERVER2。但是,我无法在两个服务器之间复制文件。为什么?如何在它们之间复制?(我必须复制的数据大于我的笔记本硬盘)

我的笔记本运行Ubuntu 10.04 LTS,两台服务器是AIX 5300-10-02-0943。我~/.ssh/known_hosts在笔记本上的文件包含这两个服务器的公共密钥。我tsocks之所以使用,是因为我必须使用SSH隧道才能访问这两个服务器。两台服务器可以互相ping通。

[USER@NOTEBOOK ~] tsocks scp -v -i /home/USER/.ssh/id_rsa -p -r root@SERVER1:/PATH/TO/DIR root@SERVER2:/PATH/TO/DIR
Executing: /usr/bin/ssh '-v' '-x' '-oClearAllForwardings yes' '-n' '-l' 'root' 'SERVER1' 'scp -v -r -p' '/PATH/TO/DIR' 'root@SERVER2:/PATH/TO/DIR'
OpenSSH_5.3p1 Debian-3ubuntu7, OpenSSL 0.9.8k 25 Mar 2009
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to SERVER1 [SERVER1] port 22.
debug1: Connection established.
debug1: identity file /home/USER/.ssh/identity type -1
debug1: identity file /home/USER/.ssh/id_rsa type 1
debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-1024
debug1: Checking blacklist file /etc/ssh/blacklist.RSA-1024
debug1: identity file /home/USER/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.2p1+sas
debug1: match: OpenSSH_5.2p1+sas pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu7
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'SERVER1' is known and matches the RSA host key.
debug1: Found key in /home/USER/.ssh/known_hosts:59
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering public key: /home/USER/.ssh/id_rsa
debug1: Server accepts key: pkalg ssh-rsa blen 151
debug1: Authentication succeeded (publickey).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: Sending environment.
debug1: Sending env LANG = en_US.utf8
debug1: Sending command: scp -v -r -p /PATH/TO/DIR root@SERVER2:/PATH/TO/DIR
Executing: program /applications/ssh/5.20.15.0/bin/ssh host SERVER2, user root, command scp -v -r -p -t /PATH/TO/DIR
OpenSSH_5.2p1+sas, OpenSSL 0.9.8k 25 Mar 2009
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Connecting to SERVER2 [SERVER2] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: identity file /root/.ssh/identity type -1
debug1: identity file /root/.ssh/id_rsa type -1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.2p1+sas
debug1: match: OpenSSH_5.2p1+sas pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.2
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: read_passphrase: can't open /dev/tty: No such device or address
Host key verification failed.
lost connection
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug1: channel 0: free: client-session, nchannels 1
Transferred: sent 1984, received 3848 bytes, in 0.3 seconds
Bytes per second: sent 6903.4, received 13389.2
debug1: Exit status 1


[USER@NOTEBOOK ~] tsocks scp -i /home/USER/.ssh/id_rsa -p -r root@SERVER1:/PATH/TO/DIR root@SERVER2:/PATH/TO/DIR
Host key verification failed.
lost connection
[USER@NOTEBOOK ~] 

/ dev / tty是否存在?试试这个:ben.goodacre.name/tech/Can't_open_/dev/…– vj- 2012
6

Answers:


10

这很容易解决。瞧,源服务器不知道目标服务器,它不能要求您确认身份,因为您没有在此处打开终端:

debug1: read_passphrase: can't open /dev/tty: No such device or address
Host key verification failed.
lost connection

因此,只需登录到源帐户/服务器并尝试ssh(或scp)到dest帐户,接受主机密钥并取消登录/ scp。您应该能够复制。

local $ ssh source@src-server
src-server $ ssh dest@dst-server
The authenticity of host 'destination (10.0.0.x)' can't be established.
RSA key fingerprint is 71:ec:c0:86:7f:b6:51:eb:76:c8:1f:2f:ba:0a:f4:20.
Are you sure you want to continue connecting (yes/no)? yes
dest@dst-server's password: ^C
src-server $ exit

local $ scp -r source@src-server:/path/to/files dest@dst-server:/path/to/files

如果没有,请尝试:

local $ scp -r -o "ForwardAgent=yes" source@src-server:/path/to/files dest@dst-server:/path/to/files

如果您拥有可以访问目标服务器的SSH密钥,而源服务器没有访问权,则添加-o "ForwardAgent=yes"将允许您将SSH代理转发到源服务器,以便它可以使用SSH密钥连接到目标服务器。


7

一点诊断:从这里

debug1: Sending command: scp -v -r -p /PATH/TO/DIR root@SERVER2:/PATH/TO/DIR
[...]
debug1: read_passphrase: can't open /dev/tty: No such device or address

我怀疑(猜测)它是这样工作的,服务器到服务器的副本已scp登录SERVER1并执行scp命令将文件发送到SERVER2;因此,调用方(来自SERVER1)必须进行身份验证。现在这失败了,因为它是非交互式的(没有/dev/tty),并且没有办法要求输入密码。

这意味着将密钥复制到SERVER1(我无法确定这是否适合您的情况)可能可以解决问题(我认为...)(如果没有密码短语,那就糟糕了

编辑一个解决方案可能是以下,使用sshfs访问你要发送的文件,通过把他们scpsshfs-mounted目录。这应该为您提供所需的交互性(如果上面的猜测是正确的),并将所有键都保持在本地。


sshfs不是一个选择。
LanceBaynes'5

因此,问题在于SERVER1无法使用密钥auth SSH到SERVER2吗?是否有任何ssh客户端参数可用于在笔记本上使用密钥?
LanceBaynes'5

2
不知道,恐怕。但是,您可以使用ssh SERVER1 scp *args-YOU-specifiy*一点灵活性。也许有些stdin骗术可能会有所帮助...我不确定。
sr_

2
@utopiabound的答案(使用ssh-agent)听起来比stdin骗术要好得多。
sr_

3

我已经尝试过了,它在两个系统之间对我有用,但有一些区别:

  • 我有一个运行SSH代理并添加了SSH密钥的(ssh-add
  • 我默认启用了ssh-agent转发

请尝试以下操作:

ssh-add
scp -v -o "ForwardAgent=yes" -p -r root@SERVER1:/PATH/TO/DIR root@SERVER2:/PATH/TO/DIR  

仍然“主机密钥验证失败。”
LanceBaynes'5

@LanceBaynes确保您已以根用户身份从SERVER1登录到SERVER2。也许您在SERVER1上root的已知主机文件中没有该文件?
utopiabound,2012年

1

您可能要使用-3scp选项,它会通过笔记本电脑引导流量。

[USER@NOTEBOOK ~] scp -3 root@SERVER1:/PATH/TO/DIR root@SERVER2:/PATH/TO/DIR


0

尝试使用ssh的以下选项:

-o StrictHostKeyChecking=no
-o UserKnownHostsFile=.ssh/known_hosts [OPTIONAL]

就我而言,我尝试从PostgreSQL中的SP内部与ssh连接。第一次尝试失败:

pc_ubuntu_db=# SELECT command('ssh -q -v admin@10.30.134.26 hostname');
debug1: Server host key: RSA 0a:28:83:72:d7:7d:89:93:96:a1:1b:e2:f9:22:85:62 
debug1: read_passphrase: can't open /dev/tty: No such device or address
        Host key verification failed.

问题根源:无法用Know_host编写

pc_ubuntu_db=# SELECT command('ssh -v -o StrictHostKeyChecking=no -i admin@10.30.134.26 hostname');
debug1: Server host key: RSA 0a:28:83:72:d7:7d:89:93:96:a1:1b:e2:f9:22:85:62
Warning: Permanently added '10.30.134.26' (RSA) to the list of known hosts.
debug1: ssh_rsa_verify: signature correct
...
Transferred: sent 2672, received 2040 bytes, in 0.0 seconds
Bytes per second: sent 214358.6, received 163657.0
debug1: Exit status 0

下一个连接输出:

debug1: Server host key: RSA 0a:28:83:72:d7:7d:89:93:96:a1:1b:e2:f9:22:85:62
debug1: Host '10.30.134.26' is known and matches the RSA host key.
debug1: Found key in /var/lib/postgresql/.ssh/known_hosts:3
debug1: ssh_rsa_verify: signature correct

成功!

By using our site, you acknowledge that you have read and understand our Cookie Policy and Privacy Policy.
Licensed under cc by-sa 3.0 with attribution required.