1. Problem: connecting from Windows 10 over ssh to Ubuntu running in a virtual machine, git operations fail with "permission denied", while the same operations run directly in a terminal on the Ubuntu desktop reach github without trouble. The same problem shows up with multi-account git configurations. The fix uses ssh-agent to hold the keys.
Screenshot as follows:
Running ssh -T -v git@github.com gives the following detailed error output:
OpenSSH_8.0p1, OpenSSL 1.1.1c 28 May 2019
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Connecting to github.com [192.30.253.112] port 22.
debug1: Connection established.
debug1: identity file /c/Users/claud/.ssh/id_rsa type -1
debug1: identity file /c/Users/claud/.ssh/id_rsa-cert type -1
debug1: identity file /c/Users/claud/.ssh/id_dsa type -1
debug1: identity file /c/Users/claud/.ssh/id_dsa-cert type -1
debug1: identity file /c/Users/claud/.ssh/id_ecdsa type -1
debug1: identity file /c/Users/claud/.ssh/id_ecdsa-cert type -1
debug1: identity file /c/Users/claud/.ssh/id_ed25519 type -1
debug1: identity file /c/Users/claud/.ssh/id_ed25519-cert type -1
debug1: identity file /c/Users/claud/.ssh/id_xmss type -1
debug1: identity file /c/Users/claud/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.0
debug1: Remote protocol version 2.0, remote software version babeld-6c2374e6
debug1: no match: babeld-6c2374e6
debug1: Authenticating to github.com:22 as 'git'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: rsa-sha2-512
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ssh-rsa SHA256:nThbg6kXUpJWGl7E1IGOCspRomTxdCARLviKw6E5SY8
debug1: Host 'github.com' is known and matches the RSA host key.
debug1: Found key in /c/Users/claud/.ssh/known_hosts:1
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 134217728 blocks
debug1: Will attempt key: /c/Users/claud/.ssh/id_rsa
debug1: Will attempt key: /c/Users/claud/.ssh/id_dsa
debug1: Will attempt key: /c/Users/claud/.ssh/id_ecdsa
debug1: Will attempt key: /c/Users/claud/.ssh/id_ed25519
debug1: Will attempt key: /c/Users/claud/.ssh/id_xmss
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-rsa,rsa-sha2-512,rsa-sha2-256,ssh-dss>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /c/Users/claud/.ssh/id_rsa
debug1: Trying private key: /c/Users/claud/.ssh/id_dsa
debug1: Trying private key: /c/Users/claud/.ssh/id_ecdsa
debug1: Trying private key: /c/Users/claud/.ssh/id_ed25519
debug1: Trying private key: /c/Users/claud/.ssh/id_xmss
debug1: No more authentication methods to try.
git@github.com: Permission denied (publickey).
2. Cause
2.1. Key lookup
To tell my keys apart, I named the GitHub key ~/.ssh/id_rsa_github when generating it. In the last few debug1 lines above ("Trying private key"), ssh never tried id_rsa_github; it only tried the default names such as id_rsa, so no usable key was found.
2.2. ssh-agent
ssh-agent, the SSH agent, is a key manager that holds one or more keys. The ssh implementation on every operating system ships with an ssh-agent.
ssh uses ssh-agent as its key manager; its uses are as follows [1]:
① When another program needs to authenticate, it can hand the request to ssh-agent, which completes the whole authentication. When connecting to different hosts with different keys you would otherwise have to specify the matching key by hand; the agent picks the right key for you automatically.
② Avoiding repeated passphrase entry: if your private key is encrypted with a passphrase, you must enter that passphrase every time you log in with the key pair. The SSH agent caches the decrypted private key and supplies it to the SSH client when needed, so you enter the passphrase only once, when adding the key to the agent cache with ssh-add. This is a real convenience for people who use SSH often.
However, in a terminal opened from Windows over ssh to Ubuntu, ssh-add -l fails with "could not open a connection to your authentication agent", meaning no ssh-agent is running. After starting one with eval `ssh-agent -s`, ssh-add -l prints nothing, meaning this agent holds no keys.
In a terminal on the Ubuntu desktop itself, ssh-add -l runs normally and lists keys.
So a terminal opened over ssh does not get an ssh-agent, and one started by hand holds no keys.
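The two failure modes described above ("could not open a connection to your authentication agent" versus an empty key list) correspond to different ssh-add exit codes. The script below is an added diagnostic helper, not part of the original post; it classifies the agent state seen by the current shell from SSH_AUTH_SOCK and the ssh-add -l exit status, and prints the remedy the post ends up using. The key path ~/.ssh/id_rsa_github in the hint is the post's own naming.

```shell
#!/bin/sh
# Added diagnostic helper (not from the original post): classify the state
# of the SSH agent visible to *this* shell, which is exactly what differs
# between a desktop terminal and an ssh login session.
#
# ssh-add -l exit codes, per ssh-add(1): 0 = keys listed,
# 1 = agent reachable but holds no identities, 2 = could not contact the agent.

agent_status() {
  # No socket in the environment, or the path is not a unix socket: ssh-add
  # would print "Could not open a connection to your authentication agent".
  if [ -z "${SSH_AUTH_SOCK:-}" ] || [ ! -S "$SSH_AUTH_SOCK" ]; then
    echo no-agent
    return 0
  fi
  # Run inside an if so a non-zero status does not trip `set -e`.
  if ssh-add -l >/dev/null 2>&1; then
    rc=0
  else
    rc=$?
  fi
  case $rc in
    0) echo keys ;;
    1) echo empty ;;
    *) echo no-agent ;;   # e.g. a stale socket left behind by a dead agent
  esac
}

# One-line explanation plus the fix used in the post for each state.
explain_agent() {
  case "$(agent_status)" in
    no-agent) echo 'no agent reachable: start one with  eval "$(ssh-agent -s)"' ;;
    empty)    echo 'agent running but holds no keys: run  ssh-add ~/.ssh/id_rsa_github' ;;
    keys)     echo 'agent running and has keys loaded' ;;
  esac
}

explain_agent
```

Run it once from a desktop terminal and once from the ssh session; on the setup described in the post the first prints "keys" and the second "no-agent", which is the whole problem in one line.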
3. Solution
3.1. Write an ssh config
Create a config file under ~/.ssh/ with the following contents:
Host github
    HostName github.com
    # GitHub (and GitLab) always authenticate the ssh user "git"
    User git
    IdentityFile /home/xxx/.ssh/id_rsa_github
Host is an alias for the host and can be anything; HostName is the real address; User is the login name on that host (for GitHub this is always git); IdentityFile is the path of the private key.
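To show how such an alias is resolved, and how the same file serves several accounts, here is an added example that is not part of the original post. It writes a constructed two-account config to a temporary file and resolves an alias with a small awk routine that mimics ssh_config's "first obtained value wins" rule for single-valued keywords (OpenSSH's own resolver is `ssh -G <alias>`, which prints the same answers for a real config). The alias is what goes into the remote URL, e.g. `git clone git@github:user/repo.git`; `IdentitiesOnly yes` is added so ssh offers only the configured key for that alias rather than every key the agent holds.

```shell
#!/bin/sh
# Added example (not from the original post): a multi-account ~/.ssh/config
# and a tiny resolver showing which HostName/User/IdentityFile an alias gets.
# Assumptions: key paths and aliases below are constructed; wildcard handling
# is simplified to a literal "*" (OpenSSH supports full glob patterns).

make_config() {   # make_config <path> : write the constructed config
  cat > "$1" <<'EOF'
# personal account
Host github
    HostName github.com
    User git
    IdentityFile ~/.ssh/id_rsa_github
    IdentitiesOnly yes

# work account on GitLab
Host gitlab
    HostName gitlab.com
    User git
    IdentityFile ~/.ssh/id_rsa_gitlab
    IdentitiesOnly yes

# fallback for every other host
Host *
    IdentityFile ~/.ssh/id_rsa
EOF
}

# resolve <config> <alias> <keyword>
# Prints the first value of <keyword> found in a Host block matching <alias>,
# which is how ssh_config(5) resolves single-valued keywords.
resolve() {
  awk -v want="$2" -v key="$3" '
    /^[ \t]*#/ || /^[ \t]*$/ { next }          # skip comments and blank lines
    $1 == "Host" {                              # new block: does it match?
      active = 0
      for (i = 2; i <= NF; i++) if ($i == want || $i == "*") active = 1
      next
    }
    active && $1 == key && !found { print $2; found = 1 }
  ' "$1"
}

# Usage: print the effective settings for the "github" alias.
cfg=$(mktemp)
make_config "$cfg"
for kw in HostName User IdentityFile; do
  printf '%-13s %s\n' "$kw" "$(resolve "$cfg" github "$kw")"
done
rm -f "$cfg"
```

Because IdentityFile directives are cumulative in real ssh_config, `ssh -G github` would list both id_rsa_github and the fallback id_rsa; `IdentitiesOnly yes` is what keeps the client from trying the others first.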
3.2. Start ssh-agent automatically and reuse it
If ssh-agent is started automatically whenever a terminal opens, and only one ssh-agent process is ever used, the keys added to the agent are never lost.
Add the following auto-start and reuse code to ~/.zshrc (I use zsh; pick the startup file of your own shell) [2][3]:
SSH_ENV="$HOME/.ssh/agent-environment"

# Start a fresh agent and record its environment in $SSH_ENV so that later
# shells can reuse the same process instead of starting another one.
function start_agent {
    echo "Initialising new SSH agent..."
    # ssh-agent prints shell commands; comment out its "echo Agent pid" line
    /usr/bin/ssh-agent | sed 's/^echo/#echo/' > "${SSH_ENV}"
    echo succeeded
    chmod 600 "${SSH_ENV}"        # the file names the agent socket; keep it private
    . "${SSH_ENV}" > /dev/null
    /usr/bin/ssh-add              # add the default keys (prompts for passphrases)
}

# Source SSH settings, if applicable
if [ -f "${SSH_ENV}" ]; then
    . "${SSH_ENV}" > /dev/null
    # ps ${SSH_AGENT_PID} doesn't work under cygwin, so grep the process list instead
    ps -ef | grep "${SSH_AGENT_PID}" | grep 'ssh-agent$' > /dev/null || {
        start_agent
    }
else
    start_agent
fi
Save, then run "source ~/.zshrc" (i.e. source the startup file); a success message is printed.
3.3. Add the keys to ssh-agent automatically the first time a terminal is opened after boot
# ssh-agent start automatic
SSH_ENV="$HOME/.ssh/agent-environment"

# Start a fresh agent and record its environment in $SSH_ENV for reuse
function start_agent {
    echo "Initialising new SSH agent..."
    /usr/bin/ssh-agent | sed 's/^echo/#echo/' > "${SSH_ENV}"
    echo succeeded
    chmod 600 "${SSH_ENV}"
    . "${SSH_ENV}" > /dev/null
    /usr/bin/ssh-add
}

# Load all ssh private keys whose name starts with "id_rsa"
# (id_rsa, id_rsa_github, id_rsa_gitlab, ...), skipping the .pub files
function loadsshkeys {
    for key in $(find ~/.ssh/ -type f -not -name "*.pub" -a -iname "id_rsa*"); do
        ssh-add "${key}" > /dev/null 2>&1
    done
}

# Source SSH settings, if applicable
if [ -f "${SSH_ENV}" ]; then
    . "${SSH_ENV}" > /dev/null
    # ps ${SSH_AGENT_PID} doesn't work under cygwin, so grep the process list instead
    ps -ef | grep "${SSH_AGENT_PID}" | grep 'ssh-agent$' > /dev/null || {
        start_agent
        loadsshkeys
    }
else
    start_agent
    loadsshkeys
fi
4. Result
From now on, git operations work in a terminal connected to Ubuntu over ssh. The same method also covers multi-account setups, e.g. id_rsa_github, id_rsa_gitlab, ...
5. Open question
What is the difference between a terminal on the Ubuntu desktop and one opened from Windows over ssh? Why does a program run in the Ubuntu desktop session but not in the remote ssh session?
Ubuntu starts an ssh-agent automatically when the graphical session is launched and exports that agent's SSH_AUTH_SOCK to every terminal the desktop spawns; an ssh login session is not a child of the desktop session and inherits no such variable, so the session from Windows cannot reach the agent while the local desktop terminal can.