SSH into a host and git fails to connect to GitHub; git multi-account configuration; storing keys with ssh-agent

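1. Problem: when Windows 10 connects over SSH to Ubuntu running in a virtual machine, git operations report permission denied, while the same operations run directly in Ubuntu's terminal reach GitHub normally. The same problem also occurs with git multi-account configuration. Keys are stored with ssh-agent.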

Screenshots as follows

Left: operating in the Ubuntu terminal; right: operating over SSH from Windows into Ubuntu. Both are logged in with the same account.

The detailed error shown by ssh -T -v git@github.com is as follows

OpenSSH_8.0p1, OpenSSL 1.1.1c  28 May 2019
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Connecting to github.com [192.30.253.112] port 22.
debug1: Connection established.
debug1: identity file /c/Users/claud/.ssh/id_rsa type -1
debug1: identity file /c/Users/claud/.ssh/id_rsa-cert type -1
debug1: identity file /c/Users/claud/.ssh/id_dsa type -1
debug1: identity file /c/Users/claud/.ssh/id_dsa-cert type -1
debug1: identity file /c/Users/claud/.ssh/id_ecdsa type -1
debug1: identity file /c/Users/claud/.ssh/id_ecdsa-cert type -1
debug1: identity file /c/Users/claud/.ssh/id_ed25519 type -1
debug1: identity file /c/Users/claud/.ssh/id_ed25519-cert type -1
debug1: identity file /c/Users/claud/.ssh/id_xmss type -1
debug1: identity file /c/Users/claud/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.0
debug1: Remote protocol version 2.0, remote software version babeld-6c2374e6
debug1: no match: babeld-6c2374e6
debug1: Authenticating to github.com:22 as 'git'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: rsa-sha2-512
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ssh-rsa SHA256:nThbg6kXUpJWGl7E1IGOCspRomTxdCARLviKw6E5SY8
debug1: Host 'github.com' is known and matches the RSA host key.
debug1: Found key in /c/Users/claud/.ssh/known_hosts:1
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 134217728 blocks
debug1: Will attempt key: /c/Users/claud/.ssh/id_rsa
debug1: Will attempt key: /c/Users/claud/.ssh/id_dsa
debug1: Will attempt key: /c/Users/claud/.ssh/id_ecdsa
debug1: Will attempt key: /c/Users/claud/.ssh/id_ed25519
debug1: Will attempt key: /c/Users/claud/.ssh/id_xmss
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-rsa,rsa-sha2-512,rsa-sha2-256,ssh-dss>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /c/Users/claud/.ssh/id_rsa
debug1: Trying private key: /c/Users/claud/.ssh/id_dsa
debug1: Trying private key: /c/Users/claud/.ssh/id_ecdsa
debug1: Trying private key: /c/Users/claud/.ssh/id_ed25519
debug1: Trying private key: /c/Users/claud/.ssh/id_xmss
debug1: No more authentication methods to try.
git@github.com: Permission denied (publickey).

 

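2. Cause of the problem

2.1. SSH key scanning

To tell my keys apart, I entered a custom file name when generating the key and saved the GitHub key as ~/.ssh/id_rsa_github. In the last few debug1 lines above, the "Trying private key" steps never try id_rsa_github; only the default names such as id_rsa are tried, so the key is never found.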
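The check described above can be scripted. The following is an added example, not part of the original post: it reads `ssh -v` output and reports whether an expected key file was ever a candidate. The function names are hypothetical and the sample lines are a constructed excerpt of the log above.

```shell
#!/bin/sh
# Constructed sample: key-related lines taken from the verbose output above.
sample_log() {
cat <<'EOF'
debug1: identity file /c/Users/claud/.ssh/id_rsa type -1
debug1: identity file /c/Users/claud/.ssh/id_ed25519 type -1
debug1: Will attempt key: /c/Users/claud/.ssh/id_rsa
debug1: Will attempt key: /c/Users/claud/.ssh/id_ed25519
debug1: Trying private key: /c/Users/claud/.ssh/id_rsa
debug1: Trying private key: /c/Users/claud/.ssh/id_ed25519
debug1: No more authentication methods to try.
git@github.com: Permission denied (publickey).
EOF
}

# Print every candidate key path from the log on stdin, one per line.
# Any fields after the path (key type, fingerprint) are dropped.
attempted_keys() {
    sed -n 's/^debug1: Will attempt key: \([^ ]*\).*/\1/p'
}

# Succeed if a key file named $1 is among the candidates (log on stdin).
key_was_attempted() {
    attempted_keys | sed 's|.*/||' | grep -qxF -- "$1"
}

# Classify the log on stdin with respect to the expected key file name $1.
diagnose() {
    log=$(cat)
    if printf '%s\n' "$log" | key_was_attempted "$1"; then
        echo "attempted"        # key was a candidate; the failure lies elsewhere
    elif printf '%s\n' "$log" | grep -q 'Permission denied (publickey)'; then
        echo "not-attempted"    # ssh never considered this key file
    else
        echo "inconclusive"
    fi
}

sample_log | diagnose id_rsa_github   # the custom key name used in this post
```

On a live system, pipe `ssh -T -v git@github.com 2>&1` into `diagnose` instead of the sample.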

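2.2. ssh-agent

ssh-agent, meaning SSH agent, is a key manager used to manage one or more keys. The ssh shipped with each operating system comes with ssh-agent.

ssh uses the ssh-agent tool as its key manager; its uses are as follows [1]

① When another program needs authentication, the request can be handed to ssh-agent, which completes the whole authentication process. When connecting to different hosts with different keys, you would otherwise have to specify the matching key by hand, whereas the SSH agent can automatically select the matching key for authentication.

② Avoid retyping the passphrase: if your private key is encrypted with a passphrase, you must enter the correct passphrase every time you log in with the SSH key pair. The SSH agent can cache your decrypted private key and provide it to your SSH client when needed. You then only need to enter the passphrase once, when adding the private key to the SSH agent cache with ssh-add. This is a considerable convenience for users who connect over SSH frequently.

However, running ssh-add -l in the terminal opened from Windows to Ubuntu gives the error “could not open a connection to your authentication agent”, which means ssh-agent is not running. Running “eval `ssh-agent -s`” starts ssh-agent; running ssh-add -l again then lists nothing, which shows that this ssh-agent holds no keys.

In Ubuntu itself, however, ssh-add -l runs normally and lists keys.

This shows that a terminal opened over SSH does not bring up ssh-agent, and an agent started by hand holds no keys either.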

 

3. Solution

3.1. Write a config file

Create a file named config under ~/.ssh/ with the following content

Host github
    HostName  github.com
    User Username
    IdentityFile /home/xxx/.ssh/id_rsa_github

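Host is an alias for the host and can be anything; HostName is the address; User is the username used to log in to the host; IdentityFile is the path to the key.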
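Which Host block applies depends on the name ssh is asked to connect to, which matters for the multi-account case. The following is an added example, not part of the original post: a simplified resolver that prints the IdentityFile entries that apply to a given target. The second alias, the IdentitiesOnly lines and the function names are assumptions, and Match, Include and negated patterns are not handled.

```shell
#!/bin/sh
# Constructed multi-account config; aliases and key file names are illustrative.
sample_config() {
cat <<'EOF'
# GitHub's SSH endpoint logs in as "git" (see "Authenticating ... as 'git'" above)
Host github
    HostName github.com
    User git
    IdentityFile ~/.ssh/id_rsa_github
    IdentitiesOnly yes

Host gitlab
    HostName gitlab.com
    User git
    IdentityFile ~/.ssh/id_rsa_gitlab
    IdentitiesOnly yes
EOF
}

# Print the IdentityFile values of every Host block whose pattern list
# matches the target $1 (config on stdin).
identity_files_for() {
    target=$1
    active=1                      # options before the first Host apply to all
    while read -r key rest; do
        case $(printf '%s' "$key" | tr 'A-Z' 'a-z') in
            host)
                active=0
                set -f            # keep * and ? in patterns from globbing files
                for pat in $rest; do
                    case $target in $pat) active=1 ;; esac
                done
                set +f
                ;;
            identityfile)
                if [ "$active" -eq 1 ]; then printf '%s\n' "$rest"; fi
                ;;
        esac
    done
}

sample_config | identity_files_for github       # prints ~/.ssh/id_rsa_github
sample_config | identity_files_for github.com   # prints nothing: alias not used
```

A remote must therefore use the alias (for example `github:owner/repo.git`) for its block to take effect; `ssh -G github` prints the configuration OpenSSH itself resolves for a target.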

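3.2. Start ssh-agent automatically and reuse it

Start ssh-agent automatically whenever a terminal opens, while making sure only one ssh-agent process is used; this keeps the keys stored in ssh-agent from being lost.

Add the auto-start and reuse code to ~/.zshrc (I use zsh; if you use another shell, pick its own configuration file) [2][3]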

SSH_ENV="$HOME/.ssh/agent-environment"

function start_agent {
    echo "Initialising new SSH agent..."
    /usr/bin/ssh-agent | sed 's/^echo/#echo/' > "${SSH_ENV}"
    echo succeeded
    chmod 600 "${SSH_ENV}"
    . "${SSH_ENV}" > /dev/null
    /usr/bin/ssh-add;
}

# Source SSH settings, if applicable

if [ -f "${SSH_ENV}" ]; then
    . "${SSH_ENV}" > /dev/null
    # ps ${SSH_AGENT_PID} doesn't work under Cygwin
    ps -ef | grep ${SSH_AGENT_PID} | grep ssh-agent$ > /dev/null || {
        start_agent;
    }
else
    start_agent;
fi

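Save, then run "source ~/.zshrc" (source the configuration file); a success message is shown.

3.3. Automatically add keys to ssh-agent the first time a terminal is opened after each boot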

# ssh-agent start automatic
SSH_ENV="$HOME/.ssh/agent-environment"

function start_agent {
    echo "Initialising new SSH agent..."
    /usr/bin/ssh-agent | sed 's/^echo/#echo/' > "${SSH_ENV}"
    echo succeeded
    chmod 600 "${SSH_ENV}"
    . "${SSH_ENV}" > /dev/null
    /usr/bin/ssh-add;
}

# Load all ssh keys that start with "id_rsa"
function loadsshkeys {
    for key in `find ~/.ssh/ -not -name "*.pub" -a -iname "id_rsa*"`
    do
      ssh-add ${key} > /dev/null 2>&1
    done
}

# Source SSH settings, if applicable
if [ -f "${SSH_ENV}" ]; then
    . "${SSH_ENV}" > /dev/null
    # ps ${SSH_AGENT_PID} doesn't work under Cygwin
    ps -ef | grep ${SSH_AGENT_PID} | grep ssh-agent$ > /dev/null || {
        start_agent;
        loadsshkeys;
    }
else
    start_agent; 
    loadsshkeys;
fi

 

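4. Result

At this point git operations work in the terminal connected to Ubuntu over SSH. The same method also works for multi-account setups, for example id_rsa_github, id_rsa_gitlab...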

 

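5. Questions

What is the difference between Ubuntu's local terminal and a terminal started over SSH from Windows? Why does a program run on the Ubuntu machine locally but not in the remote SSH session?

Ubuntu automatically starts an ssh-agent when the graphical session starts, which is why access fails over SSH from Windows but works locally.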

 

References

[1] ssh agent explained -- 就是这个范儿

[2] Using ssh-agent with ssh

[3] https://stackoverflow.com/a/18915067
