如何将 ansible 中的 ssh 密钥转发到目标机器上的 git 存储库?

How to forward ssh key in ansible to checkout git repository on target machine from origin?

我正在尝试配置 ansible 以从 bitbucket 检出一个 git 存储库并将其放在目标机器上。控制机器(我的电脑)有 bitbucket 私有 ssh 密钥。 public 密钥已上传到 bitbucket,并且使用它进行 ssh 访问已经过测试并且可以正常工作。

这是 ansible yml 任务代码:

- name: Checkout application
  become: no
  git: repo=git@bitbucket.org:bitbucketusername/deployment.git
       dest=/tmp/myapp
       accept_hostkey=True
       key_file=/home/me/.ssh/bitbucket_ssh_key

这是错误:

Warning: Identity file /home/me/.ssh/bitbucket_ssh_key not accessible: 
No such file or directory.
Permission denied (publickey)

所以我认为密钥转发不起作用?这很奇怪,因为在我的 ~/.ssh/config 中我为目标机器 111.222.333.444 启用了转发:

Host 111.222.333.444
  ForwardAgent yes

那么出了什么问题,如何将我的存储库从 bitbucket 获取到我的目标机器上?我正在使用 ansible 2.1.1.0.

编辑:这是 -vvvv 标志打开时它抱怨的部分:

TASK [Checkout application] *********************************************
task path: /home/me/path/to/the/ansible/playbook.yml:49
<111.222.333.444> ESTABLISH SSH CONNECTION FOR USER: deploy
<111.222.333.444> SSH: EXEC ssh -C -vvv -o ForwardAgent=yes -o StrictHostKeyChecking=no -o 'IdentityFile="/home/me/.ssh/the_ssh_key"' -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o User=deploy -o ConnectTimeout=10 111.222.333.444 '/bin/sh -c '"'"'( umask 77 && mkdir -p "` echo $HOME/.ansible/tmp/ansible-tmp-1477655760.17-42684399995480 `" && echo ansible-tmp-1477655760.17-42684399995480="` echo $HOME/.ansible/tmp/ansible-tmp-1477655760.17-42684399995480 `" ) && sleep 0'"'"''
<111.222.333.444> PUT /tmp/tmp0NYGtg TO /home/deploy/.ansible/tmp/ansible-tmp-1477655760.17-42684399995480/git
<111.222.333.444> SSH: EXEC sftp -b - -C -vvv -o ForwardAgent=yes -o StrictHostKeyChecking=no -o 'IdentityFile="/home/me/.ssh/the_ssh_key"' -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o User=deploy -o ConnectTimeout=10 '[111.222.333.444]'
<111.222.333.444> ESTABLISH SSH CONNECTION FOR USER: deploy
<111.222.333.444> SSH: EXEC ssh -C -vvv -o ForwardAgent=yes -o StrictHostKeyChecking=no -o 'IdentityFile="/home/me/.ssh/the_ssh_key"' -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o User=deploy -o ConnectTimeout=10 -tt 111.222.333.444 '/bin/sh -c '"'"'LANG=en_US.UTF-8 LC_ALL=en_US.UTF-8 LC_MESSAGES=en_US.UTF-8 /usr/bin/python /home/deploy/.ansible/tmp/ansible-tmp-1477655760.17-42684399995480/git; rm -rf "/home/deploy/.ansible/tmp/ansible-tmp-1477655760.17-42684399995480/" > /dev/null 2>&1 && sleep 0'"'"''
fatal: [app1]: FAILED! => {"changed": false, "cmd": "/usr/bin/git ls-remote '' -h refs/heads/HEAD", "failed": true, "invocation": {"module_args": {"accept_hostkey": true, "bare": false, "clone": true, "depth": null, "dest": "/tmp/myapp", "executable": null, "force": false, "key_file": "/home/me/.ssh/bitbucket_ssh_key", "recursive": true, "reference": null, "refspec": null, "remote": "origin", "repo": "git@bitbucket.org:memeares/deployment.git", "ssh_opts": null, "track_submodules": false, "update": true, "verify_commit": false, "version": "HEAD"}, "module_name": "git"}, "msg": 
"Warning: Identity file /home/me/.ssh/bitbucket_ssh_key not accessible: No such file or directory.
Permission denied (publickey).
fatal: Could not read from remote repository.
Please make sure you have the correct access rights
and the repository exists.", "rc": 128, "stderr": "Warning: Identity file /home/me/.ssh/bitbucket_ssh_key not accessible: No such file or directory.
Permission denied (publickey).
fatal: Could not read from remote repository.
Please make sure you have the correct access rights
and the repository exists.
", "stdout": "", "stdout_lines": []}

而且我还在 ansible.cfg 文件中配置了转发(如上面的输出所示):

[ssh_connection]
# Enable SSH Agent Forwarding so that the private key used to be able to
# checkout from git does not have to be on the server
ssh_args=-o ForwardAgent=yes

修复它的最后一个错误是 ssh-add ~/.ssh/the_ssh_key 将密钥添加到 ssh-agent

我认为在我的情况下,这是错误的组合,尽管这让我走到了这一步,因为我之前使用 ssh-add 添加了密钥,但在尝试调试其他错误后销毁了实例。

供参考,the debugging checklist.

还有这里没有提到的东西:

  • 如果密钥不是 id_rsa,则使用 -i the_ssh_key
  • 手动指定它
  • 确保服务器在相关用户的 ~/.ssh 目录
  • 中确实有 public 密钥 the_ssh_key.pub 文件的副本
  • 确保 /etc/ssh/sshd_configAllowAgentForwarding yes
  • ssh-agent -L 告诉你 ssh-agent "knows about" 是否是你的 ssh key 有问题。 (我不知道为什么用 ssh -i the_ssh_key 指定密钥文件时需要这样做)
  • 从中控机sshing时包含-o AllowAgentForwarding=yes