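I have been stuck on this for about a week now.
I have a CentOS machine with GitLab 4 and gitolite. Everything ran fine for weeks, but last weekend something strange happened: all the binaries disappeared from the machine (yum, python, ruby, mysql and so on). I really have no idea how that happened... After several hours of reinstalling and compiling, GitLab is working again.
But I cannot get the SSH keys to work between the gitlab and git users. I have deleted and recreated the git user, set all the permissions again, recreated the SSH keys, reinstalled gitolite, and so on. Nothing helps; I keep getting the same error.
git user's .ssh folder: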
-rwx------ 1 git git 557 Mar 27 16:46 authorized_keys
gitlab user's .ssh folder:
-rw------- 1 gitlab gitlab 1671 Mar 27 16:45 id_rsa
-rw-r--r-- 1 gitlab gitlab 406 Mar 27 16:45 id_rsa.pub
-rw-r--r-- 1 gitlab gitlab 391 Mar 27 16:50 known_hosts
SSH error:
ssh -vvvT git@localhost
OpenSSH_4.3p2, OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to localhost [127.0.0.1] port 22.
debug1: Connection established.
debug1: identity file /home/gitlab/.ssh/identity type -1
debug3: Not a RSA1 key file /home/gitlab/.ssh/id_rsa.
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug3: key_read: missing keytype
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug2: key_type_from_name: unknown key type '-----END'
debug3: key_read: missing keytype
debug1: identity file /home/gitlab/.ssh/id_rsa type 1
debug1: identity file /home/gitlab/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_4.3p2
debug1: match: OpenSSH_4.3p2 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.3p2
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_init: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 none
debug2: mac_init: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 132/256
debug2: bits set: 502/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug3: check_host_in_hostfile: filename /home/gitlab/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 1
debug1: Host 'localhost' is known and matches the RSA host key.
debug1: Found key in /home/gitlab/.ssh/known_hosts:1
debug2: bits set: 505/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /home/gitlab/.ssh/identity ((nil))
debug2: key: /home/gitlab/.ssh/id_rsa (0x848ba50)
debug2: key: /home/gitlab/.ssh/id_dsa ((nil))
debug1: Authentications that can continue: publickey,password
debug3: start over, passed a different list publickey,password
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /home/gitlab/.ssh/identity
debug3: no such identity: /home/gitlab/.ssh/identity
debug1: Offering public key: /home/gitlab/.ssh/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,password
debug1: Trying private key: /home/gitlab/.ssh/id_dsa
debug3: no such identity: /home/gitlab/.ssh/id_dsa
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred: ,password
debug3: authmethod_is_enabled password
debug1: Next authentication method: password
The auth log tells me:
Apr 2 10:19:13 venus sshd[15693]: User git not allowed because account is locked
Apr 2 10:19:13 venus sshd[15693]: Failed none for illegal user git from ::ffff:127.0.0.1 port 56906 ssh2
Thanks for your help.
Answer 0 (score: 26)
You mention:
Apr 2 10:19:13 venus sshd[15693]: User git not allowed because account is locked
Apr 2 10:19:13 venus sshd[15693]: Failed none for illegal user git from ::ffff:127.0.0.1 port 56906 ssh2
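This article mentions:
OpenSSH now checks for locked accounts by default. On Linux systems, a locked account is defined as an account that has !! in the password field of /etc/shadow.
This is the default entry for accounts created with the useradd command. Even if you are using GSI authentication and do not need a local password, sshd will not let the user log in, with this message: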
Too many authentication failures for username
In the sshd debug information, it will indicate that the account is locked:
User username not allowed because account is locked
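Here is some additional information from the sshd manual:
Regardless of the authentication type, the account is checked to ensure that it is accessible. An account is not accessible if it is locked, listed in DenyUsers, or its group is listed in DenyGroups. The definition of a locked account is system dependent. Some platforms have their own account database (for example AIX) and some modify the passwd field ("*LK*" on Solaris and UnixWare, "*" on HP-UX, containing "Nologin" on Tru64, a leading "*LOCKED*" on FreeBSD and a leading "!!" on Linux).
If there is a requirement to disable password authentication for the account while still allowing public key, then the passwd field should be set to something other than these values (for example "NP" or "{{1"). The fix: replace !! with (for example) NP in /etc/shadow.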
As jszakmeister (comments) and Yongcan-Frank-Lv (comments) noted:
*NP* is enough to unlock the account.
Answer 1 (score: 6)
This exact same problem was killing me in GitLab 5.2 (bitnami).
I finally tracked it down in /var/log/auth.log, which showed:
May 28 11:32:10 ml115 sshd[27779]: User git not allowed because account is locked
May 28 11:32:10 ml115 sshd[27779]: input_userauth_request: invalid user git [preauth]
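After that, it took me a long time to discover that the git entry in /etc/shadow had a ! that needed to be replaced with *.
After setting the * and setting up all the keys, I was able to ssh in from another machine (note that ssh -vvT git@gitserver also helps with diagnosis).
git push -u origin master now works.
My system is Ubuntu 13.04.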
Answer 2 (score: 1)
You should put ~gitlab/.ssh/id_rsa.pub into ~git/.ssh/authorized_keys
-rwx------ 1 git git 557 Mar 27 16:46 authorized_keys
-rw-r--r-- 1 gitlab gitlab 406 Mar 27 16:45 id_rsa.pub
I can see that the sizes do not match; did you add some ssh key options in authorized_keys? You should also check sshd's error log (for example /var/log/auth or /var/log/secure, etc.)
Answer 3 (score: 1)
While the accepted answer may work, it may not be the preferred approach.
At least on Ubuntu 12.04, passwd -u git produces this warning:
passwd: unlocking the password would result in a passwordless account.
You should set a password with usermod -p to unlock the password of this account.
Sounds fine... except that the man page for usermod warns against using the -p option.
Note: This option is not recommended because the password (or encrypted password)
will be visible by users listing the processes.
Instead of all that, calling passwd -d gitlab will do the job by deleting the user's password (it sets the passwd field to an empty string).
Answer 4 (score: 0)
The simplest solution to unlock the user: usermod -p '*' username
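
The answers above all turn on what the second field of the git entry in /etc/shadow contains. As an added example (not part of the original posts), this shell sketch classifies that field for each account. The function names and the sample lines are constructed for illustration, and the rule that a leading "!" counts as locked follows the sshd manual excerpt and the Ubuntu report quoted above.

```sh
#!/bin/sh
# Added example: classify the password field (2nd column) of shadow-format
# lines, to separate "locked" from "no password login" and "no password at all".

# classify_field FIELD -> prints: empty | locked | no-password-login | hash | other
classify_field() {
    case "$1" in
        '')            echo empty ;;              # passwordless account (result of passwd -d)
        '!'*)          echo locked ;;             # leading "!" or "!!": "account is locked" in the sshd log
        '*'|NP|'*NP*') echo no-password-login ;;  # no usable hash, but not a lock marker
        '$'*)          echo hash ;;               # crypt(3)-style hash: password login possible
        *)             echo other ;;              # anything else: inspect by hand
    esac
}

# audit_shadow: reads shadow-format lines on stdin, prints "user state" per line.
audit_shadow() {
    while IFS=: read -r user field _rest; do
        [ -n "$user" ] || continue
        printf '%s %s\n' "$user" "$(classify_field "$field")"
    done
}

# Constructed sample entries (hypothetical users, not real hashes).
SAMPLE='git:!!:15796:0:99999:7:::
gitlab:$6$constructedsalt$constructedhash:15796:0:99999:7:::
deploy:*:15796:0:99999:7:::
build::15796:0:99999:7:::
old:!$6$constructedsalt$constructedhash:15796:0:99999:7:::'

audit_sample() { printf '%s\n' "$SAMPLE" | audit_shadow; }

audit_sample
```

On a real host, feed /etc/shadow to audit_shadow as root. An "empty" result means the account has no password at all, which is a different state from one that has password login disabled but still accepts public keys.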