[Server & Network General] Investigating SSH connection errors with command-line options

After upgrading to macOS Mojave 10.14, I ran into an SSH connection error, so I investigated.
In the end, it was just a misunderstanding on my part...

Environment

% sw_vers
ProductName:    Mac OS X
ProductVersion: 10.14
BuildVersion:   18A391
% ssh -V
OpenSSH_7.7p1, LibreSSL 2.7.3

The examples below assume that the following ~/.ssh/config is already in place.

~/.ssh/config
Host deadwood
  UseKeychain     yes
  AddKeysToAgent  yes
  ForwardAgent    yes
  PreferredAuthentications publickey
  Hostname        203.0.113.1
  User            ****
  Port            22
  IdentityFile    ~/.ssh/id_rsa

They also assume that the key registration can be confirmed with ssh-add -l.

% ssh-add -l
The agent has no identities.
% ssh-add -K ~/.ssh/id_rsa
Identity added: /Users/****/.ssh/id_rsa (/Users/****/.ssh/id_rsa)
% ssh-add -l deadwood
2048 SHA256:Ba5/**** /Users/****/.ssh/id_rsa (RSA)

Symptom

In this example, the error Permission denied (publickey,password). was displayed.

% ssh deadwood
****@203.0.113.1: Permission denied (publickey,password).

Troubleshooting

ssh --help does not show them, but man ssh lists the full set of options.


SSH(1)                    BSD General Commands Manual                   SSH(1)

NAME
     ssh -- OpenSSH SSH client (remote login program)
     :
DESCRIPTION
     :
     The options are as follows:

     -T      Disable pseudo-terminal allocation.

     -v      Verbose mode.  Causes ssh to print debugging messages about its
             progress.  This is helpful in debugging connection,
             authentication, and configuration problems.  Multiple -v options
             increase the verbosity.  The maximum is 3.

Run ssh with these options, as ssh -vT.
Debug information is then displayed.

% ssh -vT deadwood
OpenSSH_7.7p1, LibreSSL 2.7.3
debug1: Reading configuration data /Users/****/.ssh/config
debug1: /Users/****/.ssh/config line 1: Applying options for deadwood
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 48: Applying options for *
debug1: Connecting to 203.0.113.1 [203.0.113.1] port 22.
debug1: Connection established.
debug1: identity file /Users/****/.ssh/id_rsa type 0
debug1: key_load_public: No such file or directory
debug1: identity file /Users/****/.ssh/id_rsa-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_7.7
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.8p2_hpn13v11 FreeBSD-20110503
debug1: match: OpenSSH_5.8p2_hpn13v11 FreeBSD-20110503 pat OpenSSH_5* compat 0x0c000000
debug1: Authenticating to 203.0.113.1:22 as 'deadwood'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: ecdh-sha2-nistp256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: aes128-ctr MAC: hmac-sha1 compression: none
debug1: kex: client->server cipher: aes128-ctr MAC: hmac-sha1 compression: none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: **** SHA256:****
debug1: Host '203.0.113.1' is known and matches the ECDSA host key.
debug1: Found key in /Users/****/.ssh/known_hosts:5
debug1: rekey after **** blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey after **** blocks
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering public key: RSA SHA256:**** /Users/****/.ssh/id_rsa
debug1: Authentications that can continue: publickey,password
debug1: No more authentication methods to try.
****@203.0.113.1: Permission denied (publickey,password).

It reports key_load_public: No such file or directory.
It seems that the server does not have the corresponding public key.

I was trying to connect to a server that I had already cancelled... 😭
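
As an added example (not part of the original post), the following Python script triages `ssh -v` output like the session above: it separates client-side messages such as key_load_public, which the client prints while reading local key and certificate files, from the server's replies during public-key authentication. The function name `triage` and the result keys are assumptions made here, and the sample is abridged from the debug output on this page.

```python
import re

# Abridged from the ssh -vT output shown above (masked values kept as on the page).
SAMPLE = """\
debug1: Connecting to 203.0.113.1 [203.0.113.1] port 22.
debug1: identity file /Users/****/.ssh/id_rsa type 0
debug1: key_load_public: No such file or directory
debug1: identity file /Users/****/.ssh/id_rsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.8p2_hpn13v11 FreeBSD-20110503
debug1: Host '203.0.113.1' is known and matches the ECDSA host key.
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering public key: RSA SHA256:**** /Users/****/.ssh/id_rsa
debug1: Authentications that can continue: publickey,password
debug1: No more authentication methods to try.
****@203.0.113.1: Permission denied (publickey,password).
"""

def triage(log):
    """Summarise the authentication phase of `ssh -v` output (OpenSSH 7.x wording)."""
    r = {"target": None, "server": None, "host_key_ok": False, "local_notes": [],
         "server_methods": [], "offered": [], "accepted": [], "verdict": "unknown"}
    for line in log.splitlines():
        line = re.sub(r"^debug\d: ", "", line)
        if m := re.match(r"Connecting to (\S+) \[.*\] port (\d+)", line):
            r["target"] = f"{m[1]}:{m[2]}"
        elif m := re.match(r"Remote protocol version \S+, remote software version (.+)", line):
            r["server"] = m[1]
        elif "is known and matches" in line:
            r["host_key_ok"] = True           # host key agrees with known_hosts
        elif line.startswith("key_load_public:"):
            r["local_notes"].append(line)     # client reading local files, not a server reply
        elif m := re.match(r"Authentications that can continue: (.+)", line):
            r["server_methods"] = m[1].split(",")
        elif m := re.match(r"Offering public key: (.+)", line):
            r["offered"].append(m[1])
        elif m := re.match(r"Server accepts key: (.+)", line):
            r["accepted"].append(m[1])
        elif line.startswith("Authentication succeeded"):
            r["verdict"] = "authenticated"
        elif "Permission denied" in line:
            if not r["offered"]:
                r["verdict"] = "no key was offered"
            elif not r["accepted"]:
                r["verdict"] = "server rejected every offered key"
            else:
                r["verdict"] = "denied after a key was accepted"
    return r

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

With this sample the verdict is "server rejected every offered key", which is the point to check the destination host and its authorized_keys rather than the local key files.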

Addendum