bash 为什么 ssh-agent 需要 root 访问权限?
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/27183255/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Why does ssh-agent need root access?
提问by Daniel Brady
I've just installed Archbang, and am trying to clone a Git project of mine, which necessitates SSH keys.
我刚刚安装了 Archbang,正在尝试克隆我的一个 Git 项目,这需要 SSH 密钥。
I've followed the Github guide to success in the past, on Ubuntu and RedHat boxes, but for some reason it's not working out for me on my new Arch install.
过去,我在 Ubuntu 和 RedHat 机器上遵循 Github 指南获得成功,但由于某种原因,它在我的新 Arch 安装中不起作用。
I've successfully generated my SSH public/private key pairs with this command:
我已经使用以下命令成功生成了我的 SSH 公钥/私钥对:
ssh-keygen -t rsa -b 4096 -C "email@address"
But when I move on to starting up the SSH agent and adding my public key, I run into issues.
但是当我继续启动 SSH 代理并添加我的公钥时,我遇到了问题。
[user@arch ~]$ eval "$(ssh-agent -s)"
bind: Permission denied
unix_listener: cannot bind to path: /tmp/ssh-ZqYqSabxjZeA/agent.9328
This is successful, however, if I run it as root:
但是,如果我以 root 身份运行它,这是成功的:
[user@arch ~]$ eval "$(sudo ssh-agent -s)"
[sudo] password for user:
Agent pid 9146
But I'm pretty sure I don't want to be doing SSH things as root.
但是我很确定我不想以 root 身份执行 SSH 操作。
Continuing forward, when I then try to use ssh-add, I get permissions errors, as well, but this time as both the standard user and root:
继续前进,当我尝试使用 时ssh-add,我也会收到权限错误,但这次是标准用户和 root 用户:
[user@arch ~]$ ssh-add .ssh/id_rsa.pub
Could not open a connection to your authentication agent.
[user@arch ~]$ sudo ssh-add .ssh/id_rsa.pub
Could not open a connection to your authentication agent.
So now I'm really confused.
所以现在我真的很困惑。
I've tried opening up a bash process as root to do this stuff, but 1) I don't like that idea and 2) it still doesn't work, but this time for a different reason:
我试过以 root 身份打开一个 bash 进程来做这些事情,但是 1) 我不喜欢这个想法 2) 它仍然不起作用,但这一次是出于不同的原因:
[user@arch ~]$ sudo ssh-agent -s
[root@arch ~]# ssh-add .ssh/id_rsa.pub
Enter passphrase for .ssh/id_rsa.pub:
Bad passphrase, try again for .ssh/id_rsa.pub:
For some reason, doing this in a root shell causes my SSH key passphrase to be rejected; I've tried this multiple times, with the simplest of passphrases, so I'm positive I've given it the correct passphrase.
出于某种原因,在 root shell 中执行此操作会导致我的 SSH 密钥密码被拒绝;我已经用最简单的密码尝试了多次,所以我肯定我已经给了它正确的密码。
I'm at a loss. I really don't like all this sudostuff, and I don't know why it seems to be necessary; I've checked the permissions on the .ssh directory and its files, even going as far as deleting the whole directory and regenerating the keys to be sure they aren't being generated with the wrong permissions.
我不知所措。我真的不喜欢所有这些sudo东西,我不知道为什么它似乎是必要的;我已经检查了 .ssh 目录及其文件的权限,甚至删除整个目录并重新生成密钥以确保它们没有以错误的权限生成。
Can someone please help me out here? What am I doing wrong?
有人可以帮我吗?我究竟做错了什么?
EDIT:In response to suggested answers, I have tried this again using a socket location inside my home directory. These are the results:
编辑:为了回应建议的答案,我再次尝试使用我的主目录中的套接字位置。这些是结果:
[user@arch ~]$ mkdir -m 700 ~/.ssh
[user@arch ~]$ ssh-keygen -t rsa -b 4096 -C "email@address"
Generating public/private rsa key pair.
Enter file in which to save the key (/home/user/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/user/.ssh/id_rsa.
Your public key has been saved in /home/user/.ssh/id_rsa.pub.
...
[user@arch ~]$ chmod 644 .ssh/id_rsa.pub && chmod 600 .ssh/id_rsa
[user@arch ~]$ eval "$(ssh-agent -sa .ssh-agent.$$)"
Agent pid 1881
[user@arch ~]$ ssh-add .ssh/id_rsa.pub
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: UNPROTECTED PRIVATE KEY FILE! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0644 for '.ssh/id_rsa.pub' are too open.
It is recommended that your private key files are NOT accessible by others.
This private key will be ignored.
At this point, I'm confused as to why those permissions are not acceptable, and as to why it thinks my public key is a private key. But I humor it, changing the permissions to 600 and trying to add it again.
在这一点上,我很困惑为什么这些权限是不可接受的,以及为什么它认为我的公钥是私钥。但我很幽默,将权限更改为 600 并尝试再次添加。
[user@arch ~]$ chmod 600 .ssh/id_rsa.pub
[user@arch ~]$ ssh-add .ssh/id_rsa.pub
Enter passphrase for .ssh/id_rsa.pub:
Bad passphrase, try again for .ssh/id_rsa.pub:
And now I've gotten to a similar spot as I was before: it does not like the passphrase I've created for my SSH key. What's going on?! This is truly perplexing.
现在我遇到了与以前类似的情况:它不喜欢我为 SSH 密钥创建的密码。这是怎么回事?!这确实令人费解。
回答by pgl
It seems the user you're running as doesn't have permission to write to the default ssh-agent socket location.
您正在运行的用户似乎无权写入默认的 ssh-agent 套接字位置。
This should fix your problem:
这应该可以解决您的问题:
ssh-agent -a ~/.ssh-agent.$$
This specifies the socket location with the -aoption, as ~/.ssh-agent.$$, ie, inside your home directory.
这使用-a选项指定套接字位置as ~/.ssh-agent.$$,即在您的主目录中。
The permissions issue could be caused by something like simple UNIX permissions (ie, /tmpnot writeable by that user), or SELinux, or something else.
权限问题可能是由简单的 UNIX 权限(即,/tmp该用户不可写)或 SELinux 或其他内容引起的。
回答by Daniel Brady
After many hours of struggling with this, I finally tracked down the source(s) of my problems.
经过数小时的努力,我终于找到了问题的根源。
- My umask was set completely incorrectly: when I was setting up my environment after the install, I accidentally put
umask 755in my.bashrc; what I intended was for my file permissions to be 755, in which case theumaskshould have been set to022or002(I went with the latter). This incorrectumaskturned out to be the root (hehe) of all my permission errors: files and directories being generated by all the different SSH commands were being created with incorrect permissions. - I was attempting to
ssh-addmy public key, instead of my private key; I couldn't figure out why it kept saying my passphrase was wrong, despite me being 100% sure it was correct. The reason was because the password was for the privatekey; the public key was not password protected, and so attempting tossh-addit and enter a password for it resulted in all those "Bad passphrase" errors.
- 我的umask设置完全正确:当我安装后,我的环境设置,我不小心把
umask 755我的.bashrc; 我打算将我的文件权限设置为 755,在这种情况下,umask应该将其设置为022或002(我选择后者)。这个错误umask结果是我所有权限错误的根源(呵呵):所有不同的 SSH 命令生成的文件和目录都是使用不正确的权限创建的。 - 我试图使用
ssh-add我的公钥,而不是我的私钥;我不明白为什么它一直说我的密码错误,尽管我 100% 确定它是正确的。原因是因为密码是给私钥的;公钥不受密码保护,因此尝试使用ssh-add它并为其输入密码会导致所有这些“错误密码”错误。
Thank you all for your help! You set me down the path to finding the solution that worked for me. After correcting these mistakes, I was successfully able to both start up ssh-agentwithout root access and add my privateSSH key.
谢谢大家的帮助!您让我走上了寻找适合我的解决方案的道路。纠正这些错误后,我成功地在ssh-agent没有 root 访问权限的情况下启动并添加了我的私人SSH 密钥。
