有关com.jcraft.jsch.JSchException的查询:UnknownHostKey:x.y.com. DSA密钥指纹为"ac:ew:....". [英] Query regarding com.jcraft.jsch.JSchException: UnknownHostKey: x.y.com. DSA key fingerprint is "ac:ew:...."
问题描述
尝试从AWS集群连接到其中一台Windows服务器时,出现以下错误.
I am getting below error while trying to connect to one of the windows server from AWS cluster.
原因:com.jcraft.jsch.JSchException:UnknownHostKey:x.y.com. DSA密钥指纹为"ac:ew:.....
注意: :我使用PuTTYgen生成了RSA密钥,但是每次尝试连接时都会产生DSA指纹问题.我提到了多个SO链接,但无法获得正确的解决方案.
Note: I generated the RSA keys using PuTTYgen, but every time it tries to connect it gives issue with DSA fingerprint. I referred multiple SO links but unable to get the right solution.
最后,我根据其中一篇文章尝试了以下方法.第一次使用StrictHostKeyChecking作为no获取会话.完成后,将结果保存到AWS服务器上的已知主机文件中,以便下次尝试连接Windows服务器时知道它正在连接到正确的服务器.
Finally I tried below approach based on one of the posts. Get the session first time with StrictHostKeyChecking as no. Once done, save the result to known hosts file on the AWS server so that next time it tries to connect to Windows server it knows it is connecting to the right server.
session.setConfig("StrictHostKeyChecking", "no")
session.setConfig("PreferredAuthentications", "publickey,password")
session.connect(5000)
LOG.info("session connected...." + session.isConnected())
val arrayHostKey = jsch.getHostKeyRepository().getHostKey
for (i <- 0 to arrayHostKey.size - 1) {
println(arrayHostKey(i).getHost)
println(arrayHostKey(i).getKey)
println(arrayHostKey(i).getType)
if (arrayHostKey(i).getHost.equalsIgnoreCase(host))
session.setConfig("server_host_type", arrayHostKey(i).getType)
LOG.info("sftp session connected without using proxy..." + session.isConnected())
这行得通,但是我认为我失去了不设置session.setConfig("StrictHostKeyChecking", "no")的全部原因,并且可能是行得通的.实现此目标的正确方法是什么?
This works, but I think I am losing the entire reason for not setting up session.setConfig("StrictHostKeyChecking", "no") and may be it is working. What is the right way to achieve this?
第二点,我不确定是如何强制服务器仅要求RSA密钥而不是DSA?
Second point that I am not sure is how to force the server to ask for RSA keys only instead of DSA?
最后,对于生产环境,StrictHostKeyChecking,accept-new是不是更安全和建议的操作,而不是no?
Lastly, is StrictHostKeyChecking, accept-new a more secure and recommended operation for production environments instead of no?
这些是我正在查看的JSch日志.
These are the JSch logs I am seeing.
SSH_MSG_KEXINIT sent
SSH_MSG_KEXINIT received
kex: server: diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
kex: server: ssh-dss
kex: client: diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group-exchange-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521
kex: client: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521
kex: server->client aes128-ctr hmac-md5 none
kex: client->server aes128-ctr hmac-md5 none
SSH_MSG_KEXDH_INIT sent
expecting SSH_MSG_KEXDH_REPLY
ssh_dss_verify: signature true
Disconnecting from x.y.com port 22
推荐答案
我使用PuTTYgen生成了RSA密钥,但是每次尝试连接时都会产生DSA指纹问题.
I generated the RSA keys using PuTTYgen, but every time it tries to connect it gives issue with DSA fingerprint.
您似乎认为主机密钥与用于身份验证的密钥对有关-事实并非如此.这些完全无关.主机密钥是服务器的密钥,它们是固定的,服务器的所有用户在安装服务器时会生成相同的密钥.
It seems that you believe that the host key has something to do with key pair that you use for authentication – It does not. Those are completely unrelated. Host keys are keys of the server, they are fixed, the same for all users of the server, generated when the server is installed.
有关详细信息,请参阅我的文章了解SSH密钥对.
For details, see my article Understanding SSH key pairs.
我相信,一旦您意识到这一点,并回到所有有关UnknownHostKey的问题,现在对您来说更有意义:
I believe that once you realize this and go back to all the existing questions about UnknownHostKey, they will now make more sense to you:
- How to resolve Java UnknownHostKey, while using JSch SFTP library?
- com.jcraft.jsch.JSchException: UnknownHostKey
最后,我根据其中一篇文章尝试了以下方法.第一次使用
StrictHostKeyChecking作为no获取会话.完成后,将结果保存到AWS服务器上的已知主机文件中,以便下次尝试连接Windows服务器时知道它正在连接到正确的服务器.
Finally I tried below approach based on one of the posts. Get the session first time with
StrictHostKeyCheckingasno. Once done, save the result to known hosts file on the AWS server so that next time it tries to connect to Windows server it knows it is connecting to the right server.
这行得通,但是我认为我失去了不设置session.setConfig("StrictHostKeyChecking", "no")的全部原因,并且可能正在运行.实现此目标的正确方法是什么?
This works, but I think I am losing the entire reason for not setting up session.setConfig("StrictHostKeyChecking", "no") and may be it is working. What is the right way to achieve this?
这不是一个完美的解决方案,但是可以接受的.
It's not a perfect solution, but it's acceptable.
要获得完美的解决方案,请在Windows SSH服务器上本地找出指纹,并配置AWS Java代码以使其预先生效.
For a perfect solution, find out the fingerprint locally on your Windows SSH server and configure your AWS Java code to expect it upfront.
最后,对于生产环境,
StrictHostKeyChecking,accept-new是不是更安全和建议的操作,而不是no?
Lastly, is
StrictHostKeyChecking,accept-newa more secure and recommended operation for production environments instead ofno?
no完全不安全. accept-new与上述解决方案一样好.但是JSch仍然不支持accept-new.
no is not secure at all. accept-new is as good as your above solution. But JSch does not support accept-new anyway.
(实现起来并不难)
这篇关于有关com.jcraft.jsch.JSchException的查询:UnknownHostKey:x.y.com. DSA密钥指纹为"ac:ew:....".的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
