Gitlab CI - SSH 权限被拒绝(公钥、密码)
Gitlab CI - SSH Permission denied (publickey,password)
我一直在尝试为我的项目设置 CD。我的 Gitlab CI runner 和我的项目将在同一台服务器上。我已关注 https://docs.gitlab.com/ee/ci/examples/deployment/composer-npm-deploy.html,但我一直收到 SSH Permission denied (publickey,password). 错误。我所有的变量、私钥和其他变量都在项目设置中正确设置。
我使用 ssh-keygen -t rsa -C "my.email@example.com" -b 4096 命令创建了我的 ssh 密钥,没有密码,并使用 ~/.ssh/id_rsa 文件的内容设置了我的 PRODUCTION_PRIVATE_KEY 变量。
这是我的 gitlab-ci.yml:
stages:
- deploy
deploy_production:
stage: deploy
image: tetraweb/php
before_script:
- 'which ssh-agent || ( apt-get update -y && apt-get install openssh-client -y )'
- eval $(ssh-agent -s)
- ssh-add <(echo "$PRODUCTION_PRIVATE_KEY")
- mkdir -p ~/.ssh
- echo -e "Host *\n\tStrictHostKeyChecking no\n\n" > ~/.ssh/config
- apt-get install rsync
script:
- ssh $PRODUCTION_SERVER_USER@$PRODUCTION_SERVER
- hostname
only:
- master
这是 Gitlab CI runner 的输出:
Running with gitlab-ci-multi-runner 9.2.0 (adfc387)
on ci-test (1eada8d0)
Using Docker executor with image tetraweb/php ...
Using docker image sha256:17692e06e6d33d8a421441bbe9adfda5b65c94831c6e64d7e69197e0b51833f8 for predefined container...
Pulling docker image tetraweb/php ...
Using docker image tetraweb/php ID=sha256:474f639dc349f36716fb98b193e6bae771f048cecc9320a270123ac2966b98c6 for build container...
Running on runner-1eada8d0-project-3287351-concurrent-0 via lamp-512mb-ams2-01...
Fetching changes...
HEAD is now at dfdb499 Update .gitlab-ci.yml
Checking out dfdb4992 as master...
Skipping Git submodules setup
$ which ssh-agent || ( apt-get update -y && apt-get install openssh-client -y )
/usr/bin/ssh-agent
$ eval $(ssh-agent -s)
Agent pid 12
$ ssh-add <(echo "$PRODUCTION_PRIVATE_KEY")
Identity added: /dev/fd/63 (rsa w/o comment)
$ mkdir -p ~/.ssh
$ echo -e "Host *\n\tStrictHostKeyChecking no\n\n" > ~/.ssh/config
$ apt-get install rsync
Reading package lists...
Building dependency tree...
Reading state information...
rsync is already the newest version.
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
$ ssh $PRODUCTION_SERVER_USER@$PRODUCTION_SERVER
Pseudo-terminal will not be allocated because stdin is not a terminal.
Warning: Permanently added '{MY_SERVER_IP}' (ECDSA) to the list of known hosts.
Permission denied, please try again.
Permission denied, please try again.
Permission denied (publickey,password).
ERROR: Job failed: exit code 1
提前致谢。
您需要将 public 密钥添加到服务器,以便将其识别为身份验证密钥。就是把你使用的私钥对应的public密钥的内容粘贴到$PRODUCTION_SERVER上的~/.ssh/authorized_keys。
这是对我有用的脚本:
before_script:
- 'which ssh-agent || ( apt-get update -y && apt-get install openssh-client -y )'
- mkdir -p ~/.ssh
- echo "$SSH_PRIVATE_KEY" | tr -d '\r' > ~/.ssh/id_rsa
- chmod 700 ~/.ssh/id_rsa
- eval "$(ssh-agent -s)"
- ssh-add ~/.ssh/id_rsa
- ssh-keyscan -t rsa 64.227.1.160 > ~/.ssh/known_hosts
- echo -e "Host *\n\tStrictHostKeyChecking no\n\n" > ~/.ssh/config
- chmod 644 ~/.ssh/known_hosts
而且我还必须取消对变量的保护。
还有一件很重要的事...
~/.ssh/authorized_keys文件的权限应该是600.
以下可以交替使用
some_stage:
- eval $(ssh-agent -s)
- cd ~
- touch id.rsa
- echo "$SSH_PRIVATE_KEY" > id.rsa
- chmod 700 id.rsa
- ssh -o StrictHostKeyChecking=no -i id.rsa $SSH_USER@$SERVER
也可能是因为您可以通过 ssh 进入的用户受到限制。
就我而言,在服务器上,我得到以下 tail -f /var/log/auth.log:
..
Sep 6 19:25:59 server-name sshd[7943]: User johndoe from WW.XX.YY.ZZ not allowed because none of user's groups are listed in AllowGroups
..
解决方案包括更新服务器文件 /etc/ssh/sshd_config 上的 AllowGroups 指令:
AllowGroups janesmith johndoe
在我们的案例中,我们一无所知,直到我们将标志 -v 添加到 SSH 命令(我们知道 public 密钥设置是正确的,因为我们能够使用私钥从我们的笔记本电脑连接到此实例)。
我们看到了这个:
debug1: Offering public key: ... RSA SHA256:... agent
95debug1: send_pubkey_test: no mutual signature algorithm
并通过以下两个链接了解了情况:我们的密钥是使用 RSA 格式生成的,该格式在 up-to-date openssh 版本上被认为是遗留的。
- https://confluence.atlassian.com/bitbucketserverkb/ssh-rsa-key-rejected-with-message-no-mutual-signature-algorithm-1026057701.html
- https://transang.me/ssh-handshake-is-rejected-with-no-mutual-signature-algorithm-error/
所以你有两个解决方案:
- 使用 ed25519 格式生成新密钥并在您的实例上设置 public 密钥
- 在你的 ssh 命令中使用下面这个额外的标志
这应该是一个临时解决方法:
ssh -o PubkeyAcceptedKeyTypes=+ssh-rsa -o StrictHostKeyChecking=no your_user@your_instance_url "your command"
希望阅读本文对您有所帮助。
此致!
我一直在尝试为我的项目设置 CD。我的 Gitlab CI runner 和我的项目将在同一台服务器上。我已关注 https://docs.gitlab.com/ee/ci/examples/deployment/composer-npm-deploy.html,但我一直收到 SSH Permission denied (publickey,password). 错误。我所有的变量、私钥和其他变量都在项目设置中正确设置。
我使用 ssh-keygen -t rsa -C "my.email@example.com" -b 4096 命令创建了我的 ssh 密钥,没有密码,并使用 ~/.ssh/id_rsa 文件的内容设置了我的 PRODUCTION_PRIVATE_KEY 变量。
这是我的 gitlab-ci.yml:
stages:
- deploy
deploy_production:
stage: deploy
image: tetraweb/php
before_script:
- 'which ssh-agent || ( apt-get update -y && apt-get install openssh-client -y )'
- eval $(ssh-agent -s)
- ssh-add <(echo "$PRODUCTION_PRIVATE_KEY")
- mkdir -p ~/.ssh
- echo -e "Host *\n\tStrictHostKeyChecking no\n\n" > ~/.ssh/config
- apt-get install rsync
script:
- ssh $PRODUCTION_SERVER_USER@$PRODUCTION_SERVER
- hostname
only:
- master
这是 Gitlab CI runner 的输出:
Running with gitlab-ci-multi-runner 9.2.0 (adfc387)
on ci-test (1eada8d0)
Using Docker executor with image tetraweb/php ...
Using docker image sha256:17692e06e6d33d8a421441bbe9adfda5b65c94831c6e64d7e69197e0b51833f8 for predefined container...
Pulling docker image tetraweb/php ...
Using docker image tetraweb/php ID=sha256:474f639dc349f36716fb98b193e6bae771f048cecc9320a270123ac2966b98c6 for build container...
Running on runner-1eada8d0-project-3287351-concurrent-0 via lamp-512mb-ams2-01...
Fetching changes...
HEAD is now at dfdb499 Update .gitlab-ci.yml
Checking out dfdb4992 as master...
Skipping Git submodules setup
$ which ssh-agent || ( apt-get update -y && apt-get install openssh-client -y )
/usr/bin/ssh-agent
$ eval $(ssh-agent -s)
Agent pid 12
$ ssh-add <(echo "$PRODUCTION_PRIVATE_KEY")
Identity added: /dev/fd/63 (rsa w/o comment)
$ mkdir -p ~/.ssh
$ echo -e "Host *\n\tStrictHostKeyChecking no\n\n" > ~/.ssh/config
$ apt-get install rsync
Reading package lists...
Building dependency tree...
Reading state information...
rsync is already the newest version.
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
$ ssh $PRODUCTION_SERVER_USER@$PRODUCTION_SERVER
Pseudo-terminal will not be allocated because stdin is not a terminal.
Warning: Permanently added '{MY_SERVER_IP}' (ECDSA) to the list of known hosts.
Permission denied, please try again.
Permission denied, please try again.
Permission denied (publickey,password).
ERROR: Job failed: exit code 1
提前致谢。
您需要将 public 密钥添加到服务器,以便将其识别为身份验证密钥。就是把你使用的私钥对应的public密钥的内容粘贴到$PRODUCTION_SERVER上的~/.ssh/authorized_keys。
这是对我有用的脚本:
before_script:
- 'which ssh-agent || ( apt-get update -y && apt-get install openssh-client -y )'
- mkdir -p ~/.ssh
- echo "$SSH_PRIVATE_KEY" | tr -d '\r' > ~/.ssh/id_rsa
- chmod 700 ~/.ssh/id_rsa
- eval "$(ssh-agent -s)"
- ssh-add ~/.ssh/id_rsa
- ssh-keyscan -t rsa 64.227.1.160 > ~/.ssh/known_hosts
- echo -e "Host *\n\tStrictHostKeyChecking no\n\n" > ~/.ssh/config
- chmod 644 ~/.ssh/known_hosts
而且我还必须取消对变量的保护。
还有一件很重要的事... ~/.ssh/authorized_keys文件的权限应该是600.
以下可以交替使用
some_stage:
- eval $(ssh-agent -s)
- cd ~
- touch id.rsa
- echo "$SSH_PRIVATE_KEY" > id.rsa
- chmod 700 id.rsa
- ssh -o StrictHostKeyChecking=no -i id.rsa $SSH_USER@$SERVER
也可能是因为您可以通过 ssh 进入的用户受到限制。
就我而言,在服务器上,我得到以下 tail -f /var/log/auth.log:
..
Sep 6 19:25:59 server-name sshd[7943]: User johndoe from WW.XX.YY.ZZ not allowed because none of user's groups are listed in AllowGroups
..
解决方案包括更新服务器文件 /etc/ssh/sshd_config 上的 AllowGroups 指令:
AllowGroups janesmith johndoe
在我们的案例中,我们一无所知,直到我们将标志 -v 添加到 SSH 命令(我们知道 public 密钥设置是正确的,因为我们能够使用私钥从我们的笔记本电脑连接到此实例)。
我们看到了这个:
debug1: Offering public key: ... RSA SHA256:... agent
95debug1: send_pubkey_test: no mutual signature algorithm
并通过以下两个链接了解了情况:我们的密钥是使用 RSA 格式生成的,该格式在 up-to-date openssh 版本上被认为是遗留的。
- https://confluence.atlassian.com/bitbucketserverkb/ssh-rsa-key-rejected-with-message-no-mutual-signature-algorithm-1026057701.html
- https://transang.me/ssh-handshake-is-rejected-with-no-mutual-signature-algorithm-error/
所以你有两个解决方案:
- 使用 ed25519 格式生成新密钥并在您的实例上设置 public 密钥
- 在你的 ssh 命令中使用下面这个额外的标志
这应该是一个临时解决方法:
ssh -o PubkeyAcceptedKeyTypes=+ssh-rsa -o StrictHostKeyChecking=no your_user@your_instance_url "your command"
希望阅读本文对您有所帮助。
此致!