[Server & Network General] Investigating SSH connection errors by adding options
After upgrading to macOS Mojave 10.14, I got an SSH connection error, so I investigated.
In the end it turned out to be just a misunderstanding on my part, though...
## Environment
```
% sw_vers
ProductName: Mac OS X
ProductVersion: 10.14
BuildVersion: 18A391
% ssh -V
OpenSSH_7.7p1, LibreSSL 2.7.3
```
The examples below assume that `~/.ssh/config` is already set up like this.
```
Host deadwood
  UseKeychain yes
  AddKeysToAgent yes
  ForwardAgent yes
  PreferredAuthentications publickey
  Hostname 203.0.113.1
  User ****
  Port 22
  IdentityFile ~/.ssh/id_rsa
```
They also assume that the key registration can be confirmed with `ssh-add -l`.
```
% ssh-add -l
The agent has no identities.
% ssh-add -K ~/.ssh/id_rsa
Identity added: /Users/****/.ssh/id_rsa (/Users/****/.ssh/id_rsa)
% ssh-add -l deadwood
2048 SHA256:Ba5/**** /Users/****/.ssh/id_rsa (RSA)
```
> * [[macOS] How to fix being asked for the passphrase on every SSH connection after upgrading to macOS Sierra | deadwood](https://www.d-wood.com/blog/2016/12/21_8704.html)
> * [[macOS] SSH: Creating keys and managing multiple hosts with config | deadwood](https://www.d-wood.com/blog/2013/05/17_3620.html)
## Symptom
In this example, the error `Permission denied (publickey,password).` was displayed.
```
% ssh deadwood
****@203.0.113.1: Permission denied (publickey,password).
```
## Solution
`ssh --help` does not show them, but `man ssh` lists all of the options.
```
SSH(1)                    BSD General Commands Manual                   SSH(1)

NAME
     ssh — OpenSSH SSH client (remote login program)
  :
DESCRIPTION
  :
     The options are as follows:

     -T      Disable pseudo-terminal allocation.

     -v      Verbose mode.  Causes ssh to print debugging messages about its progress.  This is helpful in debugging
             connection, authentication, and configuration problems.  Multiple -v options increase the verbosity.  The
             maximum is 3.
```
Run `ssh -vT` with these options.
Debug information is printed.
```
% ssh -vT deadwood
OpenSSH_7.7p1, LibreSSL 2.7.3
debug1: Reading configuration data /Users/****/.ssh/config
debug1: /Users/****/.ssh/config line 1: Applying options for deadwood
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 48: Applying options for *
debug1: Connecting to 203.0.113.1 [203.0.113.1] port 22.
debug1: Connection established.
debug1: identity file /Users/****/.ssh/id_rsa type 0
debug1: key_load_public: No such file or directory
debug1: identity file /Users/****/.ssh/id_rsa-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_7.7
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.8p2_hpn13v11 FreeBSD-20110503
debug1: match: OpenSSH_5.8p2_hpn13v11 FreeBSD-20110503 pat OpenSSH_5* compat 0x0c000000
debug1: Authenticating to 203.0.113.1:22 as 'deadwood'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: ecdh-sha2-nistp256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: aes128-ctr MAC: hmac-sha1 compression: none
debug1: kex: client->server cipher: aes128-ctr MAC: hmac-sha1 compression: none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: **** SHA256:****
debug1: Host '203.0.113.1' is known and matches the ECDSA host key.
debug1: Found key in /Users/****/.ssh/known_hosts:5
debug1: rekey after **** blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey after **** blocks
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering public key: RSA SHA256:**** /Users/****/.ssh/id_rsa
debug1: Authentications that can continue: publickey,password
debug1: No more authentication methods to try.
****@203.0.113.1: Permission denied (publickey,password).
```
The output says `key_load_public: No such file or directory`.
It seems the server does not have the corresponding public key.
I was trying to connect to a server whose contract I had already cancelled... 😭
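
To triage a long `ssh -v` log like the one above, the following added example (not part of the original post) condenses the authentication phase into a few lines: how many keys were offered, whether the server accepted any, and which methods were left. The function name `ssh_debug_summary`, the verdict wording and the embedded sample are assumptions of this example; the sample is constructed from the log shown above.

```shell
# Added example: summarize the authentication phase of `ssh -v` output.
# Real use (debug lines go to stderr): ssh -vT deadwood 2>&1 | ssh_debug_summary
ssh_debug_summary() {
  awk '
    /^debug1: Authenticating to /  { target = $4; user = $6
                                     gsub(/[^A-Za-z0-9._*-]/, "", user) }  # strip quotes
    /^debug1: Offering public key:/ { offered++ }     # client proposed a key
    /^debug1: Server accepts key:/  { accepted++ }    # server knows that key
    /^debug1: Authentications that can continue:/ { methods = $NF }
    /^debug1: Authentication succeeded/ { ok = 1 }
    /Permission denied \(/          { denied = 1 }
    END {
      printf "target=%s user=%s\n", target, user
      printf "keys_offered=%d keys_accepted=%d\n", offered, accepted
      printf "methods_left=%s\n", methods
      if (ok)                             verdict = "authenticated"
      else if (denied && offered == 0)    verdict = "no key was offered: check IdentityFile and ssh-add -l"
      else if (denied && accepted == 0)   verdict = "server rejected every offered key: check authorized_keys and that this is the intended host"
      else if (denied)                    verdict = "a key was accepted but authentication still failed"
      else                                verdict = "no authentication result in log"
      print "verdict=" verdict
    }'
}

# Constructed sample, modelled on the debug output in this post.
sample_log() {
cat <<'EOF'
debug1: Connecting to 203.0.113.1 [203.0.113.1] port 22.
debug1: Authenticating to 203.0.113.1:22 as 'deadwood'
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering public key: RSA SHA256:**** /Users/****/.ssh/id_rsa
debug1: Authentications that can continue: publickey,password
debug1: No more authentication methods to try.
****@203.0.113.1: Permission denied (publickey,password).
EOF
}

sample_log | ssh_debug_summary
```

For the sample, one key is offered and none is accepted, so the summary points at the server side (the account's `authorized_keys`, or the host itself) rather than at the local agent.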
## Addendum
> * [RFC 6890 – Special-Purpose IP Address Registries](https://tools.ietf.org/html/rfc6890)