How to specify a different location for loading ssh keys during rhc setup?

I'm using the rhc cli tool for an OpenShift project. I'm having a problem with the default rhc ssh key.

During any ssh-related operation (setup, app creation, etc.), rhc creates the ~/.ssh/id_rsa key if it doesn't exist. I don't like this behavior; I'd like it to use something like ~/.ssh/OpenShift-SSH-Keys/my_id_rsa instead.

That's because when installing rhc, it didn't ask me which location to load the key from. So I also looked into ~/.openshift/express.conf and only saw configuration for ssl, not ssh.

So I found the following configuration line on the internet to add to ~/.openshift/express.conf:

ssh_key_file='~/.ssh/OpenShift-SSH-Keys/my_id_rsa'

I added it and also modified my ~/.ssh/config file:

# Openshift *.rhcloud.com ssh-key config
Host *.rhcloud.com
         IdentityFile ~/.ssh/OpenShift-SSH-Keys/my_id_rsa
         IdentitiesOnly yes
         VerifyHostKeyDNS yes
         StrictHostKeyChecking no
         PasswordAuthentication no
         UserKnownHostsFile ~/.ssh/known_hosts

Finally, I set up my account like this:

rhc setup --config ~/.openshift/express.conf -l myusername@gmail.com

The output of this command line:

OpenShift Client Tools (RHC) Setup Wizard

This wizard will help you upload your SSH keys, set your application namespace, and check that other programs like Git are
properly installed.

If you have your own OpenShift server, you can specify it now. Just hit enter to use the server for OpenShift Online:
openshift.redhat.com.
Enter the server hostname: |openshift.redhat.com| 

You can add more servers later using 'rhc server'.

Using myusername@gmail.com to login to openshift.redhat.com
RSA 1024 bit CA certificates are loaded due to old openssl compatibility
Password: ************************

OpenShift can create and store a token on disk which allows to you to access the server without using your password. The
key is stored in your home directory and should be kept secret.  You can delete the key at any time by running 'rhc
logout'.
Generate a token now? (yes|no) yes
Generating an authorization token for this client ... RSA 1024 bit CA certificates are loaded due to old openssl compatibility
lasts 29 days

Saving configuration to /Users/theuser/.openshift/express.conf ... done

No SSH keys were found. We will generate a pair of keys for you.

    Created: /Users/theuser/.ssh/id_rsa.pub

Your public SSH key must be uploaded to the OpenShift server to access code.  Upload now? (yes|no) no

You can upload your public SSH key at a later time using the 'rhc sshkey' command

Checking for git ... found git version 2.5.0

Checking common problems .. done

Checking for a domain ... mydomainz1955

Checking for applications ... found 1

  myapp http://myapp-mydomainz1955.rhcloud.com/

  You are using 2 of 3 total gears
  The following gear sizes are available to you: small

Your client tools are now configured.

As you can see in the command-line output: "No SSH keys were found. We will generate a pair of keys for you." Although I specified in ~/.openshift/express.conf that I had already generated ssh keys, rhc setup didn't take them into consideration, or didn't find them.

So in your opinion, is it possible to somehow specify a different location for loading ssh keys during rhc setup?

Note: I know how to add additional ssh keys, but I want to stop rhc creating/using ~/.ssh/id_rsa.

As far as I understand, you just want rhc not to use your default ssh key. So here is how you create a separate key and configure rhc to use it instead of the default one.

The main points are:

  • you select no to generating and uploading ssh keys during rhc setup
  • you add the key separately using rhc sshkey add
  • you configure ssh to use a different key for the same domain, as you listed in your original example

Does this address your concern?

[crackit@koTapaH ~]$ mkdir /home/crackit/my_key_location
[crackit@koTapaH ~]$ ssh-keygen 
Generating public/private rsa key pair.
Enter file in which to save the key (/home/crackit/.ssh/id_rsa): /home/crackit/my_key_location/key.rsa
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/crackit/my_key_location/key.rsa.
Your public key has been saved in /home/crackit/my_key_location/key.rsa.pub.
The key fingerprint is:
c5:20:15:fb:17:96:86:8f:88:28:18:17:2a:b8:eb:51 crackit@koTapaH
The key's randomart image is:
+--[ RSA 2048]----+
|  .   ..+.       |
|.. .   . + . .   |
|= .     . + =    |
|.=   . . + = .   |
|o .E. . S o o    |
| ...       .     |
|..               |
|. .              |
| .               |
+-----------------+
[crackit@koTapaH ~]$ rhc setup
OpenShift Client Tools (RHC) Setup Wizard

This wizard will help you upload your SSH keys, set your application namespace,
and check that other programs like Git are properly installed.

If you have your own OpenShift server, you can specify it now. Just hit enter to
use the server for OpenShift Online: openshift.redhat.com.
Enter the server hostname: |openshift.redhat.com| 

You can add more servers later using 'rhc server'.

Login to openshift.redhat.com: 
Login to openshift.redhat.com: asdfgg@example.com
Password: *************

OpenShift can create and store a token on disk which allows to you to access the
server without using your password. The key is stored in your home directory and
should be kept secret.  You can delete the key at any time by running 'rhc
logout'.
Generate a token now? (yes|no) yes
Generating an authorization token for this client ... lasts about 1 month

Saving configuration to /home/crackit/.openshift/express.conf ... done

No SSH keys were found. We will generate a pair of keys for you.

    Created: /home/crackit/.ssh/id_rsa.pub

Your public SSH key must be uploaded to the OpenShift server to access code.
Upload now? (yes|no)
no

You can upload your public SSH key at a later time using the 'rhc sshkey'
command

Checking for git ... found git version 2.1.0

Checking common problems .. done

Checking for a domain ... foobar

Checking for applications ... found 2

  jenkins http://jenkins-foobar.rhcloud.com/
  tmp     http://tmp-foobar.rhcloud.com/

  You are using 2 of 3 total gears
  The following gear sizes are available to you: small, medium

Your client tools are now configured.

[crackit@koTapaH ~]$ rhc sshkey add mykey my_key_location/key.rsa.pub 
RESULT:
SSH key my_key_location/key.rsa.pub has been added as 'mykey'

[crackit@koTapaH ~]$ vi .ssh/config
<.. do your modifications here ..>

[crackit@koTapaH ~]$ rhc ssh tmp
Connecting to 550000a0e0b8cdca4c000040@tmp-foobar.rhcloud.com ...

    *********************************************************************

    You are accessing a service that is for use only by authorized users.
    If you do not have authorization, discontinue use at once.
    Any use of the services is subject to the applicable terms of the
    agreement which can be found at:
    https://www.openshift.com/legal

    *********************************************************************

    Welcome to OpenShift shell

    This shell will assist you in managing OpenShift applications.

    !!! IMPORTANT !!! IMPORTANT !!! IMPORTANT !!!
    Shell access is quite powerful and it is possible for you to
    accidentally damage your application.  Proceed with care!
    If worse comes to worst, destroy your application with "rhc app delete"
    and recreate it
    !!! IMPORTANT !!! IMPORTANT !!! IMPORTANT !!!

    Type "help" for more info.


[tmp-foobar.rhcloud.com 550000a0e0b8cdca4c000040]\> exit
exit
Connection to tmp-foobar.rhcloud.com closed.
[crackit@koTapaH ~]$ 

Update: I hadn't noticed that a key was generated. But I'm sure the key generated during rhc setup is not actually used. Firstly because the key in the default location is never added to openshift. You can see a quick proof below. Another way to check is rhc sshkeys list.

Another thing is that if you already have a key in the default location, no key is generated (in that case you still select no to not upload it). But it is actually a small bug in rhc IMO that it generates ssh keys without asking the user. It may be a very rare use case - you don't have a default key and you want to use a key from a non-standard location (it's not the use case where you have a key in the standard location and just don't want to use it) - but IMO it still shouldn't generate something the user didn't ask for. So here is how I show you that only the custom key I want is used:

[crackit@koTapaH ~]$ rm -rf .ssh/id_rsa*
[crackit@koTapaH ~]$ rhc ssh tmp
Connecting to 550000a0e0b8cdca4c000040@tmp-foobar.rhcloud.com ...
<...>
    Type "help" for more info.


[tmp-foobar.rhcloud.com 550000a0e0b8cdca4c000040]\> exit
exit
Connection to tmp-foobar.rhcloud.com closed.
[crackit@koTapaH ~]$ ls .ssh/
config  known_hosts
[crackit@koTapaH ~]$

Update 2: Of course, the token can't help you with ssh:

[crackit@koTapaH ~]$ rm -rf my_key_location
[crackit@koTapaH ~]$ rhc ssh tmp
Connecting to 550000a0e0b8cdca4c000040@tmp-foobar.rhcloud.com ...
no such identity: /home/crackit/my_key_location/key.rsa: No such file or directory
Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
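The ~/.ssh/config edit the answer leaves as "<.. do your modifications here ..>", as an added example that is not from the original answers: a POSIX shell helper that writes an idempotent Host block pinning a custom key for *.rhcloud.com, plus a check that reads back which IdentityFile the block selects. The config file path and key path are assumptions passed as arguments; the block sets IdentitiesOnly yes so the default ~/.ssh/id_rsa is never offered for that host, and leaves StrictHostKeyChecking at its default instead of disabling it.

```shell
#!/bin/sh
# Added example (not from the original post). write_host_block writes a Host
# block for PATTERN that uses KEY_PATH; identity_for reads the block back.
# Both paths are assumed: pass your own config file and key location.
set -eu

# Append (or replace) a Host block for PATTERN in CONFIG_FILE.
# IdentitiesOnly yes stops ssh from also offering ~/.ssh/id_rsa and agent
# keys for this host, which is what makes the default key irrelevant here.
# Host key verification is deliberately left at its default (ask on first
# connect) rather than turned off with StrictHostKeyChecking no.
write_host_block() {
    config_file=$1; pattern=$2; key_path=$3
    tmp="${config_file}.tmp"
    if [ -f "$config_file" ]; then
        # Drop any existing block for the same pattern so reruns are idempotent.
        awk -v pat="$pattern" '
            $1 == "Host" { skip = ($2 == pat) }
            !skip { print }
        ' "$config_file" > "$tmp"
    else
        : > "$tmp"
    fi
    cat >> "$tmp" <<EOF
Host $pattern
    IdentityFile $key_path
    IdentitiesOnly yes
    PasswordAuthentication no
EOF
    mv "$tmp" "$config_file"
    chmod 600 "$config_file"   # ssh ignores group/world-writable config files
}

# Print the IdentityFile chosen by the Host block for PATTERN (empty if none).
identity_for() {
    awk -v pat="$2" '
        $1 == "Host" { inblk = ($2 == pat); next }
        inblk && $1 == "IdentityFile" { print $2; exit }
    ' "$1"
}

# Example run against a scratch directory (constructed, no real keys needed):
# d=$(mktemp -d); write_host_block "$d/config" '*.rhcloud.com' "$HOME/my_key_location/key.rsa"
# identity_for "$d/config" '*.rhcloud.com'
```

To confirm what the real client resolves after editing ~/.ssh/config, `ssh -G myapp-mydomain.rhcloud.com | grep -i identityfile` (OpenSSH 6.8 or later) shows the identity ssh would actually offer, which is the same check the answer's `rm -rf .ssh/id_rsa*` experiment performs the hard way.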

SSH keys are used for ssh. The token is used for API requests. Those are different use cases. rhc uses the ssh executable underneath, so using a custom key means editing ~/.ssh/config to point the default key to another location, or to set different keys for different hosts. rhc setup doesn't handle that well. But once you've set up the key, you don't have to run rhc setup again.