SSH Key asks for password

Published 2019-07-28 14:04

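I have been stuck on this for about 2 days now.

I have a CentOS machine with Gitlab 4 and gitolite. Everything worked fine for a few weeks, but suddenly last weekend something strange happened: pretty much all the binaries disappeared from the machine (such as yum, python, ruby, mysql, etc.). I really don't know how that happened... After hours of reinstalling and compiling, gitlab works again.

But I can't get the SSH keys between the gitlab and git users to work. I have deleted and recreated the git user, reset all permissions, regenerated the SSH keys, reinstalled gitolite, etc. But nothing works; I keep getting the same error.

.ssh folder of the git user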

-rwx------ 1 git git  557 Mar 27 16:46 authorized_keys

.ssh folder of the gitlab user

-rw------- 1 gitlab gitlab 1671 Mar 27 16:45 id_rsa
-rw-r--r-- 1 gitlab gitlab  406 Mar 27 16:45 id_rsa.pub
-rw-r--r-- 1 gitlab gitlab  391 Mar 27 16:50 known_hosts

SSH error:

ssh -vvvT git@localhost
OpenSSH_4.3p2, OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to localhost [127.0.0.1] port 22.
debug1: Connection established.
debug1: identity file /home/gitlab/.ssh/identity type -1
debug3: Not a RSA1 key file /home/gitlab/.ssh/id_rsa.
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug3: key_read: missing keytype
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug2: key_type_from_name: unknown key type '-----END'
debug3: key_read: missing keytype
debug1: identity file /home/gitlab/.ssh/id_rsa type 1
debug1: identity file /home/gitlab/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_4.3p2
debug1: match: OpenSSH_4.3p2 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.3p2
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: first_kex_follows 0 
debug2: kex_parse_kexinit: reserved 0 
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: first_kex_follows 0 
debug2: kex_parse_kexinit: reserved 0 
debug2: mac_init: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 none
debug2: mac_init: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 132/256
debug2: bits set: 502/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug3: check_host_in_hostfile: filename /home/gitlab/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 1
debug1: Host 'localhost' is known and matches the RSA host key.
debug1: Found key in /home/gitlab/.ssh/known_hosts:1
debug2: bits set: 505/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /home/gitlab/.ssh/identity ((nil))
debug2: key: /home/gitlab/.ssh/id_rsa (0x848ba50)
debug2: key: /home/gitlab/.ssh/id_dsa ((nil))
debug1: Authentications that can continue: publickey,password
debug3: start over, passed a different list publickey,password
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /home/gitlab/.ssh/identity
debug3: no such identity: /home/gitlab/.ssh/identity
debug1: Offering public key: /home/gitlab/.ssh/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,password
debug1: Trying private key: /home/gitlab/.ssh/id_dsa
debug3: no such identity: /home/gitlab/.ssh/id_dsa
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred: ,password
debug3: authmethod_is_enabled password
debug1: Next authentication method: password

The auth log gives me:

Apr  2 10:19:13 venus sshd[15693]: User git not allowed because account is locked
Apr  2 10:19:13 venus sshd[15693]: Failed none for illegal user git from ::ffff:127.0.0.1 port 56906 ssh2

Thanks for your help.

Answer 1:

You mention:

Apr  2 10:19:13 venus sshd[15693]: User git not allowed because account is locked
Apr 2 10:19:13 venus sshd[15693]: Failed none for illegal user git from ::ffff:127.0.0.1 port 56906 ssh2

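This article mentions:

OpenSSH now checks for locked accounts by default.
On Linux systems, locked accounts are defined as those that have !! in the password field of /etc/shadow.
This is the default entry for accounts created with the useradd command.
Even if you are using GSI authentication and do not need local passwords, sshd will not let the user log in, with this message: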

Too many authentication failures for username

The sshd debug messages will show that the account is locked:

User username not allowed because account is locked

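Here is some additional information from the sshd man page:

Regardless of the authentication type, the account is checked to ensure that it is accessible.
An account is not accessible if it is locked, listed in DenyUsers or its group is listed in DenyGroups.
The definition of a locked account is system dependent.
Some platforms have their own account database (e.g. AIX) and some modify the passwd field ("*LK*" on Solaris and UnixWare, "*" on HP-UX, containing "Nologin" on Tru64, a leading "*LOCKED*" on FreeBSD and a leading "!!" on Linux).
If there is a requirement to disable password authentication for the account while still allowing public key, then the passwd field should be set to something other than these values (e.g. "NP" or "*NP*").

Workaround: replace ! with (for example) NP in /etc/shadow.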


As mentioned by jszakmeister (comment) and 永灿-弗兰克-LV (comment):

sudo passwd -u git

is enough to unlock the account.



Answer 2:

Exactly the same problem bit me on gitlab 5.2 (bitnami).

I finally tracked it down in /var/log/auth.log, which showed:

May 28 11:32:10 ml115 sshd[27779]: User git not allowed because account is locked
May 28 11:32:10 ml115 sshd[27779]: input_userauth_request: invalid user git [preauth]

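After this, it didn't take long for me to find that the git entry in /etc/shadow had a !. This needed to be replaced with *.

With the * and all my keys set up, I was able to ssh from another machine (note: ssh -vvT git@gitserver also helps with diagnosis).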

git push -u origin master

now works.

My system is Ubuntu 13.04.



Answer 3:

You should put ~gitlab/.ssh/id_rsa.pub into ~git/.ssh/authorized_keys

-rwx------ 1 git git  557 Mar 27 16:46 authorized_keys

-rw-r--r-- 1 gitlab gitlab  406 Mar 27 16:45 id_rsa.pub

I can see the sizes don't match; did you add some SSH key options in authorized_keys? You should also check sshd's error log (e.g. in /var/log/auth or /var/log/secure, etc.)



Answer 4:

Although the accepted answer may work, it isn't necessarily the preferred way to go about this.

At least on Ubuntu 12.04, passwd -u git results in this warning:

passwd: unlocking the password would result in a passwordless account.
You should set a password with usermod -p to unlock the password of this account.

Sounds good... except that the man page for usermod warns against using the -p option:

Note: This option is not recommended because the password (or encrypted password)
will be visible by users listing the processes.

Instead of all this, calling passwd -d gitlab will do the trick of deleting the user's password (it will set the passwd field to an empty string).
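
An added example, not part of any answer above: a shell filter that reads shadow(5)-format lines and reports, per account, which of the password-field states discussed on this page applies (a leading ! lock marker, a placeholder such as * or NP, an empty field, or a hash). The function names, status labels and sample entries are constructed for illustration; on a real host, run it as root with audit_shadow < /etc/shadow.

```shell
#!/bin/sh
# Classify the password field of shadow(5)-format lines.
# Function names, status labels and sample data are constructed for this example.

# classify_field FIELD -> prints locked | no-password | empty | hash
classify_field() {
    case "$1" in
        '')             echo empty ;;        # no password at all (state left by passwd -d)
        '!'*)           echo locked ;;       # leading ! or !!: the lock marker sshd reports
        '*'|NP|'*NP*')  echo no-password ;;  # password login impossible, account not locked
        *)              echo hash ;;         # an actual password hash
    esac
}

# audit_shadow: read shadow-format lines on stdin, print "user status" per line
audit_shadow() {
    while IFS=: read -r user field _rest; do
        case "$user" in
            ''|'#'*) continue ;;             # skip blank lines and comments
        esac
        printf '%s %s\n' "$user" "$(classify_field "$field")"
    done
}

# Constructed sample entries (not taken from a real system)
sample_shadow() {
    cat <<'EOF'
git:!!:15791:0:99999:7:::
gitlab:$6$CONSTRUCTEDSALT$constructedhashvalue:15791:0:99999:7:::
deploy:*:15791:0:99999:7:::
backup::15791:0:99999:7:::
svc:NP:15791:0:99999:7:::
EOF
}

sample_shadow | audit_shadow
```

An empty result is the state passwd -d leaves behind; whether such an account can then log in without a password depends on settings such as sshd's PermitEmptyPasswords.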



Source: SSH Key asks for password