简洁版本:如何禁用/覆盖默认的 SSH 身份文件位置~/.ssh/id_{rsa,dsa}
以及力量SSH 要使用另一个吗(首先)?
长版本:
我正在尝试设置吉托莱特使用 ssh 密钥访问。我希望从我的客户端使用我的默认~/.ssh/id_rsa
身份访问 gitolite-admin 存储库,同时我创建了一个单独的身份~/.ssh/id_rsa_git
来访问普通存储库。
此外,我在以下位置创建了一个 SSH 别名~/.ssh/config
:
Host git
Hostname <servername>
User gitolite
ForwardX11 no
ForwardAgent no
GSSAPIAuthentication no
IdentityFile ~/.ssh/id_rsa_git
现在,当我尝试以非管理员用户身份访问 gitolite 存储库时,我得到了
$ ssh -v git true
OpenSSH_6.0p1 Debian-4, OpenSSL 1.0.1e 11 Feb 2013
debug1: Reading configuration data /home/jaap/.ssh/config
debug1: /home/jaap/.ssh/config line 105: Applying options for git
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to <servername> port 22.
debug1: Connection established.
debug1: identity file /home/jaap/.ssh/id_rsa_git type 1
debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-2048
debug1: Checking blacklist file /etc/ssh/blacklist.RSA-2048
debug1: identity file /home/jaap/.ssh/id_rsa_git-cert type -1
debug1: identity file /home/jaap/.ssh/id_rsa type 1
debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-1024
debug1: Checking blacklist file /etc/ssh/blacklist.RSA-1024
debug1: identity file /home/jaap/.ssh/id_rsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.5p1 Debian-6+squeeze3
debug1: match: OpenSSH_5.5p1 Debian-6+squeeze3 pat OpenSSH_5*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.0p1 Debian-4
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Server host key: RSA <...>
debug1: Host '<servername>' is known and matches the RSA host key.
debug1: Found key in /home/jaap/.ssh/known_hosts:19
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/jaap/.ssh/id_rsa
debug1: Server accepts key: pkalg ssh-rsa blen 149
debug1: Authentication succeeded (publickey).
这表明我的默认密钥./ssh/id_rsa
首先被提供并被接受。但此密钥不提供对非管理员存储库的访问权限,因此我希望 SSH 仅提供/first ./ssh/id_rsa_git
。我该怎么做?
我尝试添加IdentitiesOnly=yes
,但这只会禁用 ssh-agent 密钥。似乎 ssh 配置(站点范围或每个用户)中没有选项可以禁用默认身份,但我也找不到指定其顺序的方法。
答案1
有一个名为 IdentitiesOnly 的 SSH 配置设置,默认为“否”。在您的配置文件中将其设置为是(全局或针对特定主机),您的问题应该可以解决。
例如,将其放入〜/ .ssh / config中:
Host your.server.com
IdentityFile ~/example/your_new.key
User your_user
IdentitiesOnly yes
来自 ssh_config 的手册页:
IdentitiesOnly
Specifies that ssh(1) should only use the authentication identity
files configured in the ssh_config files, even if ssh-agent(1) or a
PKCS11Provider offers more identities. The argument to this keyword
must be ``yes'' or ``no''. This option is intended for situations
where ssh-agent offers many different identities. The default is
``no''.
我遇到了完全相同的问题(并被 fail2ban 锁定)。这解决了它。
答案2
我发现最好不要将身份文件(密钥)存储在~/.ssh
目录中,因为 SSH 客户端知道这一点,并且(正如您所注意到的)它有一种令人讨厌的倾向,即尝试它在此目录中找到的所有身份,即使您明确指定了供它使用的唯一身份文件。
我将所有身份文件存储在另一个目录 ( ~/.ssh2
) 中,该目录不直接为 SSH 客户端所知。 中唯一的文件~/.ssh
是config
,其中包含一系列 {host -> key-to-use} 节。
使用此配置,SSH 客户端查找给定身份文件的唯一方法是您在命令行上使用 指定它-i
,或者您在 中添加命名身份文件的节~/.ssh/config
。
答案3
不确定为什么您的设置没有按预期工作,但您可以通过将特定身份传递给来解决这个问题ssh
:
ssh -i ./ssh/id_rsa_git git
从手册页中:
-i identity_file
Selects a file from which the identity (private key) for
public key authentication is read. The default is
~/.ssh/identity for protocol version 1, and
~/.ssh/id_dsa, ~/.ssh/id_ecdsa and ~/.ssh/id_rsa for
protocol version 2. Identity files may also be speci‐
fied on a per-host basis in the configuration file. It
is possible to have multiple -i options (and multiple
identities specified in configuration files). ssh will
also try to load certificate information from the file‐
name obtained by appending -cert.pub to identity file‐
names.
也可能是因为主机已知。尝试从文件中删除相关行(第 19 行).ssh/known_hosts
,然后重新连接。