How do I override the default SSH identity?

Short version: how do I disable/override the default SSH identity file locations ~/.ssh/id_{rsa,dsa} and force SSH to use another one (first)?

Long version

I am trying to set up gitolite with SSH key access. From my client I want to access the gitolite-admin repository with my default ~/.ssh/id_rsa identity, while I created a separate identity, ~/.ssh/id_rsa_git, for accessing the ordinary repositories.

In addition, I created an SSH alias in ~/.ssh/config:

Host git
    Hostname <servername>
    User gitolite
    ForwardX11 no
    ForwardAgent no
    GSSAPIAuthentication no
    IdentityFile ~/.ssh/id_rsa_git

Now, when I try to access a gitolite repository as a non-admin user, I get:

$ ssh -v git true
OpenSSH_6.0p1 Debian-4, OpenSSL 1.0.1e 11 Feb 2013
debug1: Reading configuration data /home/jaap/.ssh/config
debug1: /home/jaap/.ssh/config line 105: Applying options for git
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to <servername> port 22.
debug1: Connection established.
debug1: identity file /home/jaap/.ssh/id_rsa_git type 1
debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-2048
debug1: Checking blacklist file /etc/ssh/blacklist.RSA-2048
debug1: identity file /home/jaap/.ssh/id_rsa_git-cert type -1
debug1: identity file /home/jaap/.ssh/id_rsa type 1
debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-1024
debug1: Checking blacklist file /etc/ssh/blacklist.RSA-1024
debug1: identity file /home/jaap/.ssh/id_rsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.5p1 Debian-6+squeeze3
debug1: match: OpenSSH_5.5p1 Debian-6+squeeze3 pat OpenSSH_5*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.0p1 Debian-4
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Server host key: RSA <...>
debug1: Host '<servername>' is known and matches the RSA host key.
debug1: Found key in /home/jaap/.ssh/known_hosts:19
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/jaap/.ssh/id_rsa
debug1: Server accepts key: pkalg ssh-rsa blen 149
debug1: Authentication succeeded (publickey).

This shows that my default key ./ssh/id_rsa is offered first and accepted. But that key does not give access to the non-admin repositories, so I want SSH to offer only/first ./ssh/id_rsa_git. How do I do that?

I tried adding IdentitiesOnly=yes, but that only disables the ssh-agent keys. There seems to be no option in the ssh configuration (site-wide or per-user) to disable the default identities, and I also cannot find a way to specify their order.

Answer 1

There is an SSH config setting called IdentitiesOnly, which defaults to "no". Set it to yes in your config file (globally or for a specific host) and your problem should be solved.

For example, put this in ~/.ssh/config:

Host your.server.com
    IdentityFile ~/example/your_new.key
    User your_user
    IdentitiesOnly yes

From the ssh_config man page:

 IdentitiesOnly
         Specifies that ssh(1) should only use the authentication identity
         files configured in the ssh_config files, even if ssh-agent(1) or a
         PKCS11Provider offers more identities.  The argument to this keyword
         must be ``yes'' or ``no''.  This option is intended for situations
         where ssh-agent offers many different identities.  The default is
         ``no''.

I had exactly the same problem (and got locked out by fail2ban). This fixed it.

Answer 2

I find it best not to store identity files (keys) in the ~/.ssh directory, because the SSH client knows about it and (as you noticed) has an annoying tendency to try every identity it finds in that directory, even when you explicitly specify the one identity file it should use.

I keep all my identity files in another directory (~/.ssh2) that the SSH client does not know about directly. The only file in ~/.ssh is config, which contains a series of {host -> key-to-use} stanzas.

With this setup, the only ways the SSH client can find a given identity file are that you specify it on the command line with -i, or that you add a stanza naming that identity file in ~/.ssh/config.

Answer 3

Not sure why your setup isn't working as expected, but you can work around it by passing the specific identity to ssh:

ssh -i ./ssh/id_rsa_git git

From the man page:

 -i identity_file
         Selects a file from which the identity (private key) for
         public key authentication is read.  The default is
         ~/.ssh/identity for protocol version 1, and
         ~/.ssh/id_dsa, ~/.ssh/id_ecdsa and ~/.ssh/id_rsa for
         protocol version 2.  Identity files may also be specified
         on a per-host basis in the configuration file.  It
         is possible to have multiple -i options (and multiple
         identities specified in configuration files).  ssh will
         also try to load certificate information from the filename
         obtained by appending -cert.pub to identity filenames.

It could also be because the host is already known. Try removing the relevant line (line 19) from .ssh/known_hosts and reconnecting.
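To make the behaviour behind Answer 1 (IdentitiesOnly) and Answer 3 (-i) concrete, here is an added example, not code from OpenSSH or from any of the answers. It is a deliberately simplified model of how the ssh client assembles its identity list: a small ssh_config parser (Host blocks with glob patterns only; no Match, no negated patterns), the "first obtained value wins, except IdentityFile which accumulates" rule from ssh_config, and the ordering seen in the question's debug output, where a key held by ssh-agent is offered before the file identities unless IdentitiesOnly is yes. The config text, the hostname server.example, the agent key list and the ~/.ssh2/git.key path are constructed for the example.

```python
"""Simplified model of how an OpenSSH client chooses which identities to offer.
Added example, not OpenSSH code. Assumes a reduced ssh_config grammar
(Host blocks with glob patterns; no Match keyword, no negated patterns)."""
import fnmatch
import re

# Default identity files as listed in the ssh(1) man page excerpt quoted above;
# they are used only when no IdentityFile was given via -i or the config file.
DEFAULT_IDENTITIES = ["~/.ssh/id_dsa", "~/.ssh/id_ecdsa", "~/.ssh/id_rsa"]


def parse_ssh_config(text):
    """Split ssh_config text into (patterns, options) blocks in file order.
    Options appearing before the first Host line apply to every host."""
    blocks = []
    patterns, options = ["*"], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and indentation
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # 'Key value' or 'Key=value'
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "host":
            blocks.append((patterns, options))
            patterns, options = value.split(), []
        else:
            options.append((keyword, value))
    blocks.append((patterns, options))
    return blocks


def resolve(blocks, alias):
    """Effective options for alias. ssh_config keeps the first obtained value
    for each keyword, except IdentityFile, which accumulates across blocks."""
    effective, identities = {}, []
    for patterns, options in blocks:
        if not any(fnmatch.fnmatchcase(alias, p) for p in patterns):
            continue
        for keyword, value in options:
            if keyword == "identityfile":
                identities.append(value)
            else:
                effective.setdefault(keyword, value)
    effective["identityfile"] = identities
    return effective


def offered_identities(config_text, alias, cli_identities=(), agent_keys=()):
    """Order in which identities are offered to the server (simplified model).

    -i files come first, then config IdentityFile entries; the defaults apply
    only when neither gave anything. With IdentitiesOnly left at 'no', keys
    held by ssh-agent are offered ahead of the file identities, which is the
    ordering visible in the question's debug output (assumption of the model).
    """
    eff = resolve(parse_ssh_config(config_text), alias)
    files = []
    for path in list(cli_identities) + eff["identityfile"]:
        if path not in files:                    # keep order, drop duplicates
            files.append(path)
    if not files:
        files = list(DEFAULT_IDENTITIES)
    if eff.get("identitiesonly", "no").lower() == "yes":
        return files                             # agent may only serve these
    return [k for k in agent_keys if k not in files] + files


# Constructed sample mirroring the question's alias (hostname is a placeholder).
QUESTION_CONFIG = """\
Host git
    Hostname server.example
    User gitolite
    ForwardAgent no
    IdentityFile ~/.ssh/id_rsa_git
"""

# Same alias with the fix from Answer 1 appended to the Host git block.
FIXED_CONFIG = QUESTION_CONFIG + "    IdentitiesOnly yes\n"

# Constructed: the default key sitting in ssh-agent, as in the question.
AGENT_KEYS = ["~/.ssh/id_rsa"]


if __name__ == "__main__":
    print("question:", offered_identities(QUESTION_CONFIG, "git", agent_keys=AGENT_KEYS))
    print("fixed   :", offered_identities(FIXED_CONFIG, "git", agent_keys=AGENT_KEYS))
    print("-i only :", offered_identities("", "other.host", cli_identities=["~/.ssh2/git.key"]))
```

Running it shows the question's situation (the agent's ~/.ssh/id_rsa is offered before ~/.ssh/id_rsa_git), the effect of IdentitiesOnly yes (only the configured file remains), and that an explicit -i replaces the defaults entirely, which is what Answer 2's "keep keys outside ~/.ssh" layout relies on.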
