Why is git ignoring my SSH Key in /etc/ssh/ssh_known_hosts?
I have added the github.com SSH key to /etc/ssh/ssh_known_hosts. But when I run
git clone git@github.com:me/repo
I still get
Cloning into 'repo'...
The authenticity of host 'github.com (XXX.XXX.XXX.XXX)' can't be established.
RSA key fingerprint is SHA256:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX.
Are you sure you want to continue connecting (yes/no)?
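- If I add the key to ~/.ssh/known_hosts it works as expected, with no prompt.
- I am running this on a Debian machine.
- I would like it to work directly with the file /etc/ssh/ssh_known_hosts, because there are multiple users.
- I also cannot type 'yes', because this is running in puppet.
- For security reasons, we cannot use StrictHostKeyChecking = no.
- I do not have a ~/.ssh/config file.
- (edit) I have also restarted sshd since modifying /etc/ssh/ssh_known_hosts.
How can I force git to use /etc/ssh/ssh_known_hosts?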
Edit 1:
Here is the file /etc/ssh/ssh_config (~/.ssh/config does not exist):
# This is the ssh client system-wide configuration file. See
# ssh_config(5) for more information. This file provides defaults for
# users, and the values can be changed in per-user configuration files
# or on the command line.
# Configuration data is parsed as follows:
# 1. command line options
# 2. user-specific file
# 3. system-wide file
# Any configuration value is only changed the first time it is set.
# Thus, host-specific definitions should be at the beginning of the
# configuration file, and defaults at the end.
# Site-wide defaults for some commonly used options. For a comprehensive
# list of available options, their meanings and defaults, please see the
# ssh_config(5) man page.
Host *
# ForwardAgent no
# ForwardX11 no
# ForwardX11Trusted yes
# RhostsRSAAuthentication no
# RSAAuthentication yes
# PasswordAuthentication yes
# HostbasedAuthentication no
# GSSAPIAuthentication no
# GSSAPIDelegateCredentials no
# GSSAPIKeyExchange no
# GSSAPITrustDNS no
# BatchMode no
# CheckHostIP yes
# AddressFamily any
# ConnectTimeout 0
# StrictHostKeyChecking ask
# IdentityFile ~/.ssh/identity
# IdentityFile ~/.ssh/id_rsa
# IdentityFile ~/.ssh/id_dsa
# IdentityFile ~/.ssh/id_ecdsa
# IdentityFile ~/.ssh/id_ed25519
# Port 22
# Protocol 2
# Cipher 3des
# Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc
# MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160
# EscapeChar ~
# Tunnel no
# TunnelDevice any:any
# PermitLocalCommand no
# VisualHostKey no
# ProxyCommand ssh -q -W %h:%p gateway.example.com
# RekeyLimit 1G 1h
SendEnv LANG LC_*
HashKnownHosts yes
GSSAPIAuthentication yes
Here is my /etc/ssh/ssh_known_hosts:
# HEADER: This file was autogenerated at 2020-12-31 10:33:06 +0000
# HEADER: by puppet. While it can still be managed manually, it
# HEADER: is definitely not recommended.
gerrit.wikimedia.org ssh-rsa AAAAB3Nz[...]
github ssh-rsa AAAAB3NzAAAAB3Nz[...]
Edit 2:
Everyone has read permission on /etc/ssh/ssh_known_hosts:
vagrant@vagrant:~$ ls -la /etc/ssh/ssh_known_hosts
-rw-r--r-- 1 root root 795 Dec 31 10:33 /etc/ssh/ssh_known_hosts
This is definitely an SSH issue. The SSH(1) man page states:
ssh automatically maintains and checks a database containing identification for all hosts it has ever been used with. Host keys are stored in ~/.ssh/known_hosts in the user's home directory. Additionally, the file /etc/ssh/ssh_known_hosts is automatically checked for known hosts.
Your problem is probably that unprivileged users cannot read the /etc/ssh/ssh_known_hosts file.
ssh has a caveat: if you run something like sudo ssh-keygen -R domain.com, it can modify your existing /etc/ssh/ssh_known_hosts/ file so that it is readable only by root (-rw------- root root). You may want to use chown or chmod to change the permissions of this file, to make sure it is readable without root privileges.
sudo chmod +r /etc/ssh/ssh_known_hosts
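Your known hosts file is not formatted correctly. The first entry on each line is the name of the system you are connecting to. In this case, it needs to be github.com, not plain github. This is the technique OpenSSH uses to look up the appropriate key.
You can use ssh-keyscan github.com to find the correct format.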
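An added example, not part of either answer and not OpenSSH's own code: a simplified Python model of how the first field of a known_hosts line is compared with the host name being connected to, covering plain, wildcard, negated and hashed (HashKnownHosts) entries. The function names, the placeholder key blobs and the salt are constructed for illustration.

```python
import base64
import hashlib
import hmac
import re

def _glob_match(pattern, host):
    # OpenSSH patterns know only '*' and '?'; everything else is literal.
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                 for c in pattern)
    return re.fullmatch(rx, host) is not None

def host_field_matches(field, host):
    """True if the first field of a known_hosts line covers `host`."""
    if field.startswith("|1|"):
        # HashKnownHosts form: |1|base64(salt)|base64(HMAC-SHA1(salt, host))
        parts = field.split("|")
        if len(parts) != 4:
            return False
        mac = hmac.new(base64.b64decode(parts[2]), host.encode(), hashlib.sha1)
        return hmac.compare_digest(mac.digest(), base64.b64decode(parts[3]))
    matched = False
    for pattern in field.split(","):
        if pattern.startswith("!"):
            if _glob_match(pattern[1:], host):
                return False  # a negated match vetoes the whole line
        elif _glob_match(pattern, host):
            matched = True
    return matched

def matching_lines(known_hosts_text, host):
    """Return [(line_number, key_type)] for entries that apply to `host`."""
    hits = []
    for number, line in enumerate(known_hosts_text.splitlines(), 1):
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if fields[0].startswith("@"):  # @cert-authority / @revoked marker
            fields = fields[1:]
        if len(fields) >= 2 and host_field_matches(fields[0], host.lower()):
            hits.append((number, fields[1]))
    return hits

def hashed_field(host, salt):
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return f"|1|{base64.b64encode(salt).decode()}|{base64.b64encode(mac).decode()}"

# Constructed sample input; the key blobs are placeholders, not real keys.
AS_POSTED = "# HEADER: by puppet\ngerrit.wikimedia.org ssh-rsa KEY1\ngithub ssh-rsa KEY2\n"
CORRECTED = "gerrit.wikimedia.org ssh-rsa KEY1\ngithub.com ssh-rsa KEY2\n"
HASHED = hashed_field("github.com", b"constructed-salt-20b") + " ssh-rsa KEY2\n"
```

matching_lines(AS_POSTED, "github.com") returns an empty list, which is why ssh falls back to the interactive prompt; the same lookup against CORRECTED or HASHED finds the entry.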