我正在尝试在我们公司设置一台服务器,其中一件事就是希望能够在上面托管公共 Git 存储库,以便我可以通过 ssh 进行访问。我用来访问它的服务器和工作站都运行 64 位 Windows 7。我一直在关注本指南要做到这一点,我目前正处于尝试使用已知主机访问我的服务器的git@atp-dev1
阶段atp-dev1
。
然而,我现在已经能够通过 ssh 进入服务器而无需提供密码,但它仍然每次都要求我输入密码。以下是我采取的步骤:
- 使用 配置服务器
ssh-host-config
。StrictModes 设置为“是”。 - 在我的工作站上生成了一个名为“gitolite-admin”的 ssh 密钥对。
- 将公钥复制到服务器的
authorized_keys
文件中ssh-copy-id
并确认它在那里。 .ssh
将我的服务器文件夹的权限配置为700
和(我已尝试在我的工作站上设置权限以匹配此,但 Cygwin 的一些其他问题阻止我更改权限)。.ssh/authorized_keys
600
-rw-r--r--
我打开 Cygwin64 终端并输入以下内容:ssh -i ~/.ssh/gitolite-admin git@atp-dev1
。然后它会提示输入密码。使用-vvv
included 执行此操作后,我得到以下输出:
$ ssh git@atp-dev1 -vvv
OpenSSH_6.7p1, OpenSSL 1.0.1k 8 Jan 2015
debug1: Reading configuration data /etc/ssh_config
debug2: ssh_connect: needpriv 0
debug1: Connecting to atp-dev1 [172.16.1.92] port 22.
debug1: Connection established.
debug1: identity file /cygdrive/c/Users/davidfallah/.ssh/id_rsa type 1
debug1: key_load_public: No such file or directory
debug1: identity file /cygdrive/c/Users/davidfallah/.ssh/id_rsa-cert type -1
debug1: identity file /cygdrive/c/Users/davidfallah/.ssh/id_dsa type 2
debug1: key_load_public: No such file or directory
debug1: identity file /cygdrive/c/Users/davidfallah/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /cygdrive/c/Users/davidfallah/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /cygdrive/c/Users/davidfallah/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /cygdrive/c/Users/davidfallah/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /cygdrive/c/Users/davidfallah/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.7
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.7
debug1: match: OpenSSH_6.7 pat OpenSSH* compat 0x04000000
debug2: fd 3 setting O_NONBLOCK
debug3: load_hostkeys: loading entries for host "atp-dev1" from file "/cygdrive/c/Users/davidfallah/.ssh/known_hosts"
debug3: load_hostkeys: found key type ECDSA in file /cygdrive/c/Users/davidfallah/.ssh/known_hosts:3
debug3: load_hostkeys: loaded 1 keys
debug3: order_hostkeyalgs: prefer hostkeyalgs: [email protected],[email protected],[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: [email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: [email protected],[email protected],[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,[email protected],[email protected],[email protected],[email protected],[email protected],ssh-ed25519,ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected],[email protected],arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected]
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected],[email protected],arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected]
debug2: kex_parse_kexinit: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1,[email protected],[email protected],[email protected],[email protected],hmac-md5,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1,[email protected],[email protected],[email protected],[email protected],hmac-md5,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,[email protected],zlib
debug2: kex_parse_kexinit: none,[email protected],zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: [email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ssh-ed25519
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected],[email protected]
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected],[email protected]
debug2: kex_parse_kexinit: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: kex_parse_kexinit: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: kex_parse_kexinit: none,[email protected]
debug2: kex_parse_kexinit: none,[email protected]
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: setup [email protected]
debug1: kex: server->client aes128-ctr [email protected] none
debug2: mac_setup: setup [email protected]
debug1: kex: client->server aes128-ctr [email protected] none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ECDSA aa:84:ea:95:b6:b9:ba:52:fa:14:73:62:97:12:30:95
debug3: load_hostkeys: loading entries for host "atp-dev1" from file "/cygdrive/c/Users/davidfallah/.ssh/known_hosts"
debug3: load_hostkeys: found key type ECDSA in file /cygdrive/c/Users/davidfallah/.ssh/known_hosts:3
debug3: load_hostkeys: loaded 1 keys
debug3: load_hostkeys: loading entries for host "172.16.1.92" from file "/cygdrive/c/Users/davidfallah/.ssh/known_hosts"
debug3: load_hostkeys: found key type ECDSA in file /cygdrive/c/Users/davidfallah/.ssh/known_hosts:1
debug3: load_hostkeys: loaded 1 keys
debug1: Host 'atp-dev1' is known and matches the ECDSA host key.
debug1: Found key in /cygdrive/c/Users/davidfallah/.ssh/known_hosts:3
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /cygdrive/c/Users/davidfallah/.ssh/id_rsa (0x6000684b0),
debug2: key: /cygdrive/c/Users/davidfallah/.ssh/id_dsa (0x600078a40),
debug2: key: /cygdrive/c/Users/davidfallah/.ssh/id_ecdsa (0x0),
debug2: key: /cygdrive/c/Users/davidfallah/.ssh/id_ed25519 (0x0),
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug3: start over, passed a different list publickey,password,keyboard-interactive
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /cygdrive/c/Users/davidfallah/.ssh/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Offering DSA public key: /cygdrive/c/Users/davidfallah/.ssh/id_dsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Trying private key: /cygdrive/c/Users/davidfallah/.ssh/id_ecdsa
debug3: no such identity: /cygdrive/c/Users/davidfallah/.ssh/id_ecdsa: No such file or directory
debug1: Trying private key: /cygdrive/c/Users/davidfallah/.ssh/id_ed25519
debug3: no such identity: /cygdrive/c/Users/davidfallah/.ssh/id_ed25519: No such file or directory
debug2: we did not send a packet, disable method
debug3: authmethod_lookup keyboard-interactive
debug3: remaining preferred: password
debug3: authmethod_is_enabled keyboard-interactive
debug1: Next authentication method: keyboard-interactive
debug2: userauth_kbdint
debug2: we sent a keyboard-interactive packet, wait for reply
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug3: userauth_kbdint: disable: no info_req_seen
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred:
debug3: authmethod_is_enabled password
debug1: Next authentication method: password
git@atp-dev1's password:
debug2: we sent a password packet, wait for reply
debug1: Authentication succeeded (password).
Authenticated to atp-dev1 ([172.16.1.92]:22).
debug1: channel 0: new [client-session]
debug3: ssh_session2_open: channel_new: 0
debug2: channel 0: send open
debug1: Requesting [email protected]
debug1: Entering interactive session.
debug1: Remote: Ignored authorized keys: bad ownership or modes for directory /home/git
debug1: Remote: Ignored authorized keys: bad ownership or modes for directory /home/git
debug2: callback start
debug2: fd 3 setting TCP_NODELAY
debug3: packet_set_tos: set IP_TOS 0x10
debug2: client_session2_setup: id 0
debug2: channel 0: request pty-req confirm 1
debug2: channel 0: request shell confirm 1
debug2: callback done
debug2: channel 0: open confirm rwindow 0 rmax 32768
debug2: channel_input_status_confirm: type 99 id 0
debug2: PTY allocation request accepted on channel 0
debug2: channel 0: rcvd adjust 2097152
debug2: channel_input_status_confirm: type 99 id 0
debug2: shell request accepted on channel 0
我在该输出中注意到一个有趣的事情,即在强制输入密码授权后,它说authorized_keys
由于服务器上 Cygwin 主目录中的“目录所有权或模式错误”,因此无法读取 ( /home/git
)。我不知道这是为什么,因为我很确定我已经为主目录、目录.ssh
和.ssh
文件设置了适当的权限。
如果相关的话,我已经在我的工作站上进行了修改/etc/passwd
,使 Cygwin 使用与 Windows 相同的主目录(在 下C:\Users\
),而不是在 下C:\cygwin64\home
。在服务器上,它用作C:\cygwin64\home\git\
Cygwin 主目录。
最后,如果它完全相关的话,我的工作站的/etc/fstab
文件是:
# For a description of the file format, see the Users Guide
# http://cygwin.com/cygwin-ug-net/using.html#mount-table
# This is default anyway:
none /cygdrive cygdrive binary,noacl,posix=0,user 0 0
编辑
etc/sshd_config
服务器上的文件是:
# $OpenBSD: sshd_config,v 1.93 2014/01/10 05:59:19 djm Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/bin:/usr/sbin:/sbin:/usr/bin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
# The default requires explicit activation of protocol 1
#Protocol 2
# HostKey for protocol version 1
#HostKey /etc/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh_host_rsa_key
#HostKey /etc/ssh_host_dsa_key
#HostKey /etc/ssh_host_ecdsa_key
#HostKey /etc/ssh_host_ed25519_key
# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024
# Ciphers and keying
#RekeyLimit default none
# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO
# Authentication:
#LoginGraceTime 2m
#PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
#RSAAuthentication yes
#PubkeyAuthentication yes
# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile .ssh/authorized_keys
#AuthorizedPrincipalsFile none
#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody
# For this to work you will also need host keys in /etc/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
#UsePAM no
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none
# no default banner path
#Banner none
# override default of no subsystems
Subsystem sftp /usr/sbin/sftp-server
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# PermitTTY no
# ForceCommand cvs server
奇怪的行为:我刚刚尝试仔细检查权限/home/git
,发现我完全无法访问该文件夹 - 我甚至无法以管理员身份访问它。我可能需要与我们的 IT 部门联系以解决这个问题。
编辑2
设法重新获得 的所有权/home/git
。不确定我为什么一开始就丢失了它。这些是主目录和 ssh 文件夹的权限:
从home/git
:
drwxrwx---+ 1 git ATP-DEV1+None 0 Mar 18 17:05 .
drwxrwxrwt+ 1 davidfallah Domain Users 0 Mar 18 15:09 ..
-rw------- 1 ATP-DEV1+git ATP-DEV1+None 1099 Mar 19 09:31 .bash_history
-rwxr-xr-x 1 ATP-DEV1+git ATP-DEV1+None 1494 Mar 18 14:09 .bash_profile
-rwxr-xr-x 1 ATP-DEV1+git ATP-DEV1+None 6054 Mar 18 14:09 .bashrc
-rwxr-xr-x 1 ATP-DEV1+git ATP-DEV1+None 1919 Mar 18 14:09 .inputrc
-rwxr-xr-x 1 ATP-DEV1+git ATP-DEV1+None 1236 Mar 18 14:09 .profile
drws------+ 1 git Domain Users 0 Mar 18 17:59 .ssh
从home/git/.ssh
:
drws------+ 1 git Domain Users 0 Mar 18 17:59 .
drwxrwx---+ 1 git ATP-DEV1+None 0 Mar 18 17:05 ..
-rw------- 1 git Domain Users 405 Mar 18 18:00 authorized_keys
编辑3
StrictModes
在服务器上设置并重新启动 ssh 服务后no
,我可以使用以下命令无需密码访问我的服务器:
ssh git@atp-dev1 -i ~/.ssh/gitolite-admin
这种情况不太理想,因为它会稍微损害安全性,但它让我相当有信心,这都是权限问题。我相当确定服务器上的权限是正确的,但正如我上面提到的,在这篇文章中,我无法更改工作站上的权限,这可能是阻塞问题。