git: SSH key asks for password

Notice: this page is a Chinese-English side-by-side translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. You are free to use and share it, but you must follow the same CC BY-SA license, cite the original URL and author information, and attribute it to the original authors (not me). StackOverflow original URL: http://stackoverflow.com/questions/15664561/

Date: 2020-09-19 08:22:26  Source: igfitidea

SSH Key asks for password

Tags: git, ssh, gitolite, ssh-keys, gitlab

Asked by Mario

I'm stuck here now for like 2 Days a week.

I've got a CentOs machine with Gitlab4 and gitolite. Everything worked fine for weeks, but suddenly last weekend something strange happened: quite all binaries disappeared from the machine (like yum, python, ruby, mysql etc.). I've really no clue how that can happen... After hours of reinstalling and compiling, gitlab was working again.

But I can't get the ssh keys between the gitlab and git user working. I already deleted and recreated the git user, set all permissions again, recreated the ssh keys, reinstalled gitolite etc. But nothing worked; I keep getting the same error.

git user .ssh folder

-rwx------ 1 git git  557 Mar 27 16:46 authorized_keys

gitlab user .ssh folder

-rw------- 1 gitlab gitlab 1671 Mar 27 16:45 id_rsa
-rw-r--r-- 1 gitlab gitlab  406 Mar 27 16:45 id_rsa.pub
-rw-r--r-- 1 gitlab gitlab  391 Mar 27 16:50 known_hosts

SSH error:

ssh -vvvT git@localhost
OpenSSH_4.3p2, OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to localhost [127.0.0.1] port 22.
debug1: Connection established.
debug1: identity file /home/gitlab/.ssh/identity type -1
debug3: Not a RSA1 key file /home/gitlab/.ssh/id_rsa.
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug3: key_read: missing keytype
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug2: key_type_from_name: unknown key type '-----END'
debug3: key_read: missing keytype
debug1: identity file /home/gitlab/.ssh/id_rsa type 1
debug1: identity file /home/gitlab/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_4.3p2
debug1: match: OpenSSH_4.3p2 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.3p2
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: first_kex_follows 0 
debug2: kex_parse_kexinit: reserved 0 
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: first_kex_follows 0 
debug2: kex_parse_kexinit: reserved 0 
debug2: mac_init: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 none
debug2: mac_init: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 132/256
debug2: bits set: 502/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug3: check_host_in_hostfile: filename /home/gitlab/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 1
debug1: Host 'localhost' is known and matches the RSA host key.
debug1: Found key in /home/gitlab/.ssh/known_hosts:1
debug2: bits set: 505/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /home/gitlab/.ssh/identity ((nil))
debug2: key: /home/gitlab/.ssh/id_rsa (0x848ba50)
debug2: key: /home/gitlab/.ssh/id_dsa ((nil))
debug1: Authentications that can continue: publickey,password
debug3: start over, passed a different list publickey,password
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /home/gitlab/.ssh/identity
debug3: no such identity: /home/gitlab/.ssh/identity
debug1: Offering public key: /home/gitlab/.ssh/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,password
debug1: Trying private key: /home/gitlab/.ssh/id_dsa
debug3: no such identity: /home/gitlab/.ssh/id_dsa
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred: ,password
debug3: authmethod_is_enabled password
debug1: Next authentication method: password

The auth log gives me:

Apr  2 10:19:13 venus sshd[15693]: User git not allowed because account is locked
Apr  2 10:19:13 venus sshd[15693]: Failed none for illegal user git from ::ffff:127.0.0.1 port 56906 ssh2

Thanks for any Help.

Answered by VonC

You mention:

Apr 2 10:19:13 venus sshd[15693]: User git not allowed because account is locked
Apr 2 10:19:13 venus sshd[15693]: Failed none for illegal user git from ::ffff:127.0.0.1 port 56906 ssh2

This article mentions:

OpenSSH now checks for locked accounts by default.
On Linux systems, locked accounts are defined as those that have !! in the password field of /etc/shadow.
This is the default entry for accounts created with the useradd command.
Even if you are using GSI authentication and do not need local passwords, sshd won't let the user login with this message:

Too many authentication failures for username

In the sshd debugging info it will indicate that the account is locked:

User username not allowed because account is locked

Here is some additional information from the sshd Manual:

Regardless of the authentication type, the account is checked to ensure that it is accessible.
An account is not accessible if it is locked, listed in DenyUsers or its group is listed in DenyGroups.
The definition of a locked account is system dependant.
Some platforms have their own account database (eg AIX) and some modify the passwd field ( "*LK*" on Solaris and UnixWare, "*" on HP-UX, containing "Nologin" on Tru64, a leading "*LOCKED*" on FreeBSD and a leading "!!" on Linux).
If there is a requirement to disable password authentication for the account while allowing still public-key, then the passwd field should be set to something other than these values (eg "NP" or "*NP*" ).

Fix: Replace !! with (for example) NP in /etc/shadow.

As mentioned by jszakmeister (comments) and Yongcan-Frank-Lv (comments):

sudo passwd -u git

would be enough to unlock the account.

Answered by kfmfe04

This exact same issue was killing me in gitlab 5.2 (bitnami).

I finally tracked it down in /var/log/auth.log which showed:

May 28 11:32:10 ml115 sshd[27779]: User git not allowed because account is locked
May 28 11:32:10 ml115 sshd[27779]: input_userauth_request: invalid user git [preauth]

After that, it didn't take me long to find that the git entry in /etc/shadow had a ! that needed to be replaced with a *.

With * and all my keys set up, I was able to ssh in from another machine (note that ssh -vvT git@gitserver also helps with diagnosis).

git push -u origin master

now works.

My system is Ubuntu 13.04.

Answered by kkurian

Although the accepted answer may work, it may not be the preferred way to go about this.

At least on Ubuntu 12.04, passwd -u git will result in this warning:

passwd: unlocking the password would result in a passwordless account.
You should set a password with usermod -p to unlock the password of this account.

Sounds good... except that the man page for usermod warns against using the -p option.

Note: This option is not recommended because the password (or encrypted password)
will be visible by users listing the processes.

Instead of all of that, calling passwd -d gitlab will do the trick by deleting the password for the user (it sets that passwd field to an empty string).

Answered by Yongcan-Frank-Lu

You should put ~gitlab/.ssh/id_rsa.pub into ~git/.ssh/authorized_keys

-rwx------ 1 git git 557 Mar 27 16:46 authorized_keys

-rw-r--r-- 1 gitlab gitlab 406 Mar 27 16:45 id_rsa.pub

I can see the sizes do not match; did you add some ssh key option there in authorized_keys? Also, you should check the error log of sshd (e.g. /var/log/auth or /var/log/secure etc.)

Answered by Dmitry Polushkin

Easiest solution to unlock user: usermod -p '*' username
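
The password-field values discussed in the answers above, as an added shell example that is not part of the original posts: it pulls the rejected user name out of the sshd log lines from the question and classifies that user's /etc/shadow entry. The shadow entries are constructed samples, and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example. SAMPLE_LOG is the auth log from the question;
# SAMPLE_SHADOW is constructed for illustration.
SAMPLE_LOG='Apr  2 10:19:13 venus sshd[15693]: User git not allowed because account is locked
Apr  2 10:19:13 venus sshd[15693]: Failed none for illegal user git from ::ffff:127.0.0.1 port 56906 ssh2'
SAMPLE_SHADOW='git:!!:15797:0:99999:7:::
gitlab:*:15797:0:99999:7:::
deploy:NP:15797:0:99999:7:::'

# shadow_state LINE -> locked | empty | no-password | hash
shadow_state() {
    field=$(printf '%s\n' "$1" | cut -d: -f2)
    case "$field" in
        '!'*)          echo locked ;;       # "!!" (useradd default) or "!": sshd reports the account as locked
        '')            echo empty ;;        # what passwd -d leaves behind: no password at all
        '*'|NP|'*NP*') echo no-password ;;  # no usable hash, but not a locked marker
        *)             echo hash ;;         # a password hash is set
    esac
}

# Read auth log text on stdin, print each user sshd rejected as locked (once).
locked_users_from_log() {
    sed -n 's/.*sshd\[[0-9]*\]: User \([^ ]*\) not allowed because account is locked.*/\1/p' | sort -u
}

# report LOG_TEXT SHADOW_TEXT -> one "user state" line per rejected user
report() {
    printf '%s\n' "$1" | locked_users_from_log | while read -r user; do
        line=$(printf '%s\n' "$2" |
               awk -F: -v u="$user" '$1 == u { print; f = 1 } END { exit !f }') ||
            { echo "$user not-in-shadow"; continue; }
        echo "$user $(shadow_state "$line")"
    done
}

report "$SAMPLE_LOG" "$SAMPLE_SHADOW"
```

An `empty` result is worth reviewing separately from `no-password`, because an empty field means the account has no password rather than an unusable one.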
