ssh访问主机，git连接github失败；git多账户配置问题；使用ssh-agent存储秘钥

1. 问题：win10通过ssh连接虚拟机上的Ubuntu，进行git操作会提示permission denied；而在Ubuntu的终端直接操作，可以正常访问github；同时也是git多账户配置会发生的问题；使用ssh-agent存储秘钥

截图如下

左图为Ubuntu终端操作，右图为win下ssh连接Ubuntu操作，两者为同一账号登录

通过ssh -T -v git@github.com查看详细报错如下

OpenSSH_8.0p1, OpenSSL 1.1.1c  28 May 2019
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Connecting to github.com [192.30.253.112] port 22.
debug1: Connection established.
debug1: identity file /c/Users/claud/.ssh/id_rsa type -1
debug1: identity file /c/Users/claud/.ssh/id_rsa-cert type -1
debug1: identity file /c/Users/claud/.ssh/id_dsa type -1
debug1: identity file /c/Users/claud/.ssh/id_dsa-cert type -1
debug1: identity file /c/Users/claud/.ssh/id_ecdsa type -1
debug1: identity file /c/Users/claud/.ssh/id_ecdsa-cert type -1
debug1: identity file /c/Users/claud/.ssh/id_ed25519 type -1
debug1: identity file /c/Users/claud/.ssh/id_ed25519-cert type -1
debug1: identity file /c/Users/claud/.ssh/id_xmss type -1
debug1: identity file /c/Users/claud/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.0
debug1: Remote protocol version 2.0, remote software version babeld-6c2374e6
debug1: no match: babeld-6c2374e6
debug1: Authenticating to github.com:22 as 'git'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: rsa-sha2-512
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC:
<implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC:
<implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ssh-rsa
SHA256:nThbg6kXUpJWGl7E1IGOCspRomTxdCARLviKw6E5SY8
debug1: Host 'github.com' is known and matches the RSA host key.
debug1: Found key in /c/Users/claud/.ssh/known_hosts:1
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 134217728 blocks
debug1: Will attempt key: /c/Users/claud/.ssh/id_rsa
debug1: Will attempt key: /c/Users/claud/.ssh/id_dsa
debug1: Will attempt key: /c/Users/claud/.ssh/id_ecdsa
debug1: Will attempt key: /c/Users/claud/.ssh/id_ed25519
debug1: Will attempt key: /c/Users/claud/.ssh/id_xmss
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info:
server-sig-algs=<ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-rsa,rsa-sha2-512,rsa-sha2-256,ssh-dss>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /c/Users/claud/.ssh/id_rsa
debug1: Trying private key: /c/Users/claud/.ssh/id_dsa
debug1: Trying private key: /c/Users/claud/.ssh/id_ecdsa
debug1: Trying private key: /c/Users/claud/.ssh/id_ed25519
debug1: Trying private key: /c/Users/claud/.ssh/id_xmss
debug1: No more authentication methods to try.
git@github.com: Permission denied (publickey).

 

2. 问题成因

2.1. ssh扫描问题

为了区分秘钥，本人在生成秘钥输入秘钥名称时，将github对应秘钥设置为~/.ssh/id_rsa_github，在上面最后的几个debug1执行Trying private key，并没有扫描到id_rsa_github，只扫描了id_rsa，导致无法找到秘钥

2.2. ssh-agent

ssh-agent ，意为 ssh 代理，是一个密钥管理器，用来管理一个多个密钥。各操作系统下的ssh都会自带ssh-agent

ssh使用一个ssh-agent工具来作为秘钥管理器，其用处如下[1]

① 当其他程序 需要身份验证的时候，可以将验证申请交给 ssh-agent 来完成整个认证过程 。使用不同的密钥连接到不同的主机时，需要要手动指定对应的密钥，而 ssh 代理可以 自动帮助我们选择对应的密钥进行认证。

② 避免重复输入密码：如果您的私钥使用密码短语来加密了的话，每一次使用 SSH 密钥对 进行登录的时候，您都必须输入正确的密码短语。而 SSH agent 程序能够将您的已解密 的私钥缓存起来，在需要的时候提供给您的 SSH 客户端。这样子，您就只需要在使用 ssh-add 时将私钥加入 SSH agent 缓存的时候，输入一次密码短语就可以了。这为经 常使用 SSH 连接用户提供了不少便利。

然而，在win下连接Ubuntu的终端执行 ssh-add -l，会有“could not open a connection to your authentication agent”错误，说明ssh-agent未启动。执行“eval `ssh-agent -s`”启动ssh-agent，再执行ssh-add -l为空，表明此ssh-agent里未储存有秘钥

但是，在ubuntu下，ssh-add -l可正常执行，并且有秘钥显示

说明通过ssh打开的终端，并没有唤起ssh-agent，同时手动唤起也没有秘钥

 

3. 解决方案

3.1. 编写config

在~/.ssh/下新建config文件，编写如下

Host github
    HostName  github.com
    User Username
    IdentityFile /home/xxx/.ssh/id_rsa_github

Host为host别名，任意起；HostName为地址；User为登录Host的用户名；IdentityFile为秘钥地址

3.2. 设置ssh-agent自启动并复用

在每个终端启动时自启动ssh-agent，同时保证只使用一个ssh-agent进程，即可保证存入ssh-agent的秘钥不丢失

在~/.zshrc（本人使用zsh，如果使用其他shell请自行选择配置文件）中加入自启动&复用代码[2][3]

SSH_ENV="$HOME/.ssh/agent-environment"

function start_agent {
    echo "Initialising new SSH agent..."
    /usr/bin/ssh-agent | sed 's/^echo/#echo/' > "${SSH_ENV}"
    echo succeeded
    chmod 600 "${SSH_ENV}"
    . "${SSH_ENV}" > /dev/null
    /usr/bin/ssh-add;
}

# Source SSH settings, if applicable

if [ -f "${SSH_ENV}" ]; then
    . "${SSH_ENV}" > /dev/null
    #ps ${SSH_AGENT_PID} doesn't work under cywgin
    ps -ef | grep ${SSH_AGENT_PID} | grep ssh-agent$ > /dev/null || {
        start_agent;
    }
else
    start_agent;
fi

保存，并执行"source ~/.zshrc" (source 配置文件)，会有操作成功的提示

3.3. 每次启动设备后第一次打开终端时自动在ssh-agent中添加秘钥

# ssh-agent start automatic
SSH_ENV="$HOME/.ssh/agent-environment"

function start_agent {
    echo "Initialising new SSH agent..."
    /usr/bin/ssh-agent | sed 's/^echo/#echo/' > "${SSH_ENV}"
    echo succeeded
    chmod 600 "${SSH_ENV}"
    . "${SSH_ENV}" > /dev/null
    /usr/bin/ssh-add;
}

# Load all ssh keys that start with "id_rsa"
function loadsshkeys {
    for key in `find ~/.ssh/ -not -name "*.pub" -a -iname "id_rsa*"`
    do
      ssh-add ${key} > /dev/null 2>&1
    done
}

# Source SSH settings, if applicable
if [ -f "${SSH_ENV}" ]; then
    . "${SSH_ENV}" > /dev/null
    #ps ${SSH_AGENT_PID} doesn't work under cywgin
    ps -ef | grep ${SSH_AGENT_PID} | grep ssh-agent$ > /dev/null || {
        start_agent;
        loadsshkeys;
    }
else
    start_agent; 
    loadsshkeys;
fi

 

4. 结果

至此，可在通过ssh连接Ubuntu的终端下执行git操作。同时此方法也可用于多账户配置，比如id_rsa_github、id_rsa_gitlab...

 

5. 问题

Ubuntu本机终端和win下ssh起的终端有什么区别？为什么有程序在Ubuntu本机被执行，ssh远程没有被执行？

Ubuntu在开启图形化界面时会自动启动一个ssh-agent，导致win下ssh无法访问但本机可以访问

 

引用

[1] ssh agent详解 -- 就是这个范儿

[2] Using ssh-agent with ssh

[3] https://stackoverflow.com/a/18915067