Ssh

How can I stop ssh from offering the wrong key?

  • July 23, 2018

(This is an ssh problem, not a gitolite one)

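I have configured gitolite on my home server (Ubuntu 12.04 server, OpenSSH). I want a special identity file to administer the repositories, so I need to access my own host over ssh using two different identity keys.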

This is the content of my .ssh/config file:

Host gitadmin.gammu.com
User            git
IdentityFile    /home/alvaro/.ssh/id_gitolite_mantra

Host git.gammu.com
User            git
IdentityFile    /home/alvaro/.ssh/id_alvaro_mantra

This is the content of my hosts file:

# Git
127.0.0.1      gitadmin.gammu.com
127.0.0.1      git.gammu.com

So I should be able to communicate with gitolite this way to access it with the "normal" account:

$ ssh git.gammu.com

And this way to access it with the admin account:

$ ssh gitadmin.gammu.com

When I try to access with the normal account, everything works fine:

alvaro@mantra:~/.ssh$ ssh git.gammu.com
PTY allocation request failed on channel 0
hello alvaro, this is gitolite 2.2-1 (Debian) running on git 1.7.9.5
the gitolite config gives you the following access:
   @R_ @W_    testing
Connection to git.gammu.com closed.

When I do the same with the admin account:

alvaro@mantra:~$ ssh gitadmin.gammu.com
PTY allocation request failed on channel 0
hello alvaro, this is gitolite 2.2-1 (Debian) running on git 1.7.9.5
the gitolite config gives you the following access:
   @R_ @W_    testing
Connection to gitadmin.gammu.com closed.

It should show the admin repository. If I launch ssh with the verbose option:

ssh -vvv gitadmin.gammu.com 
...
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /home/alvaro/.ssh/id_alvaro_mantra (0x7f7cb6c0fbc0)
debug2: key: /home/alvaro/.ssh/id_gitolite_mantra (0x7f7cb6c044d0)
debug1: Authentications that can continue: publickey,password
debug3: start over, passed a different list publickey,password
debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/alvaro/.ssh/id_alvaro_mantra
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Server accepts key: pkalg ssh-rsa blen 279
...

It's offering the key id_alvaro_mantra, and it shouldn't!

The same happens when I specify the key with the -i option:

ssh -i /home/alvaro/.ssh/id_gitolite_mantra -vvv gitadmin.gammu.com
...
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /home/alvaro/.ssh/id_alvaro_mantra (0x7fa365237f90)
debug2: key: /home/alvaro/.ssh/id_gitolite_mantra (0x7fa365230550)
debug2: key: /home/alvaro/.ssh/id_gitolite_mantra (0x7fa365231050)
debug1: Authentications that can continue: publickey,password
debug3: start over, passed a different list publickey,password
debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/alvaro/.ssh/id_alvaro_mantra
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Server accepts key: pkalg ssh-rsa blen 279
debug2: input_userauth_pk_ok: fp 36:b1:43:36:af:4f:00:e5:e1:39:50:7e:07:80:14:26
debug3: sign_and_send_pubkey: RSA 36:b1:43:36:af:4f:00:e5:e1:39:50:7e:07:80:14:26
debug1: Authentication succeeded (publickey).
...

What is happening? I'm missing something, but I can't find what.

These are the contents of my home directory:

-rw-rw-r--  1 alvaro alvaro  395 nov 14 18:00 authorized_keys
-rw-rw-r--  1 alvaro alvaro  326 nov 21 10:21 config
-rw-------  1 alvaro alvaro  137 nov 20 20:26 environment
-rw-------  1 alvaro alvaro 1766 nov 20 21:41 id_alvaromaceda.es
-rw-r--r--  1 alvaro alvaro  404 nov 20 21:41 id_alvaromaceda.es.pub
-rw-------  1 alvaro alvaro 1766 nov 14 17:59 id_alvaro_mantra
-rw-r--r--  1 alvaro alvaro  395 nov 14 17:59 id_alvaro_mantra.pub
-rw-------  1 alvaro alvaro  771 nov 14 18:03 id_developer_mantra
-rw-------  1 alvaro alvaro 1679 nov 20 12:37 id_dos_pruebasgit
-rw-r--r--  1 alvaro alvaro  395 nov 20 12:37 id_dos_pruebasgit.pub
-rw-------  1 alvaro alvaro 1679 nov 20 12:46 id_gitolite_mantra
-rw-r--r--  1 alvaro alvaro  397 nov 20 12:46 id_gitolite_mantra.pub
-rw-------  1 alvaro alvaro 1675 nov 20 21:44 id_gitpruebas.es
-rw-r--r--  1 alvaro alvaro  408 nov 20 21:44 id_gitpruebas.es.pub
-rw-------  1 alvaro alvaro 1679 nov 20 12:34 id_uno_pruebasgit
-rw-r--r--  1 alvaro alvaro  395 nov 20 12:34 id_uno_pruebasgit.pub
-rw-r--r--  1 alvaro alvaro 2434 nov 21 10:11 known_hosts

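There are a bunch of other keys that aren't offered… why is id_alvaro_mantra offered and not the others? I can't understand it.

I need some help and don't know where to look…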

This is expected behaviour according to the ssh_config man page:

IdentityFile
        Specifies a file from which the user's DSA, ECDSA or DSA authentica‐
        tion identity is read.  The default is ~/.ssh/identity for protocol
        version 1, and ~/.ssh/id_dsa, ~/.ssh/id_ecdsa and ~/.ssh/id_rsa for
        protocol version 2.  Additionally, any identities represented by the
        authentication agent will be used for authentication.  

        [...]

        It is possible to have multiple identity files specified in configu‐
        ration files; all these identities will be tried in sequence.  Mul‐
        tiple IdentityFile directives will add to the list of identities
        tried (this behaviour differs from that of other configuration
        directives).

Basically, specifying IdentityFiles just adds keys to the current list the SSH agent has already presented to the client.

Try overriding this behaviour by putting this at the bottom of your .ssh/config file:

Host *
IdentitiesOnly yes
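
An added example (not part of the original answer): a small shell check that reads `ssh -v` debug output and reports which key the server actually accepted, so you can confirm the change took effect for the admin host. The function names and the "after" log are constructed for illustration; the "before" log lines are taken from the question.

```shell
#!/bin/sh
# Added example: confirm which identity the server actually accepted.
# Live use: ssh -v gitadmin.gammu.com 2>&1 | check_identity "$ADMIN_KEY"

ADMIN_KEY=/home/alvaro/.ssh/id_gitolite_mantra

# Print the key path offered immediately before "Server accepts key".
# Handles "Offering RSA public key: PATH" (as on this page) and the
# "Offering public key: PATH TYPE FINGERPRINT" form of later releases.
accepted_key() {
    awk '
        /^debug1: Offering .*public key: / {
            sub(/^debug1: Offering .*public key: /, "")
            split($0, f, " "); last = f[1]
        }
        /^debug1: Server accepts key/ { print last; exit }
    '
}

# check_identity EXPECTED_PATH  (ssh -v output on stdin)
check_identity() {
    expected=$1
    got=$(accepted_key)
    if [ "$got" = "$expected" ]; then
        echo "OK: authenticated with $got"
    else
        echo "MISMATCH: expected $expected, server accepted ${got:-none}"
        return 1
    fi
}

# Debug lines taken from the question's output (before the fix).
BEFORE_LOG='debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/alvaro/.ssh/id_alvaro_mantra
debug2: we sent a publickey packet, wait for reply
debug1: Server accepts key: pkalg ssh-rsa blen 279'

# Constructed sample: what the same exchange looks like once only the
# configured IdentityFile is offered (IdentitiesOnly yes).
AFTER_LOG='debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/alvaro/.ssh/id_gitolite_mantra
debug2: we sent a publickey packet, wait for reply
debug1: Server accepts key: pkalg ssh-rsa blen 279'

printf '%s\n' "$BEFORE_LOG" | check_identity "$ADMIN_KEY" || true
printf '%s\n' "$AFTER_LOG" | check_identity "$ADMIN_KEY"
```
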

Source: https://serverfault.com/questions/450796