Git push fails due to ssh key: Host key verification failed. From inside Docker

Time: 2021-01-29 01:38:03

Tags: docker github ssh-keys

The "git push" command from inside a docker container inside a pod fails with the following:

debug1: read_passphrase: can't open /dev/tty: No such device or address
Host key verification failed.

The groovy code that launches the git push:

sshagent(['my_deploy_key']) {
    sh "ls -la /dev/tty"
    sh "ssh -Tv git@github.xx.xxx.com"
    sh "git push origin ${branch}"
}

The log shows that /dev/tty exists and has the correct permissions:

[ssh-agent]   Exec ssh-agent (binary ssh-agent on a remote machine)
Executing sh script inside container my-project of pod my-project-1611882622034-s6sj2-xnx40
Executing command: "ssh-agent" 
exit
SSH_AUTH_SOCK=/tmp/ssh-Dm0jcALohFq6/agent.68; export SSH_AUTH_SOCK;
SSH_AGENT_PID=69; export SSH_AGENT_PID;
echo Agent pid 69;
SSH_AUTH_SOCK=/tmp/ssh-Dm0jcALohFq6/agent.68
SSH_AGENT_PID=69
Running ssh-add (command line suppressed)
Identity added: /home/jenkins/agent/workspace/Test_Dev/mydir@tmp/private_key_6404034659918914698.key (deploy-key)
[ssh-agent] Started.
[Pipeline] {
[Pipeline] sh
+ ls -la /dev/tty
crw-rw-rw- 1 root root 5, 0 Jan 29 01:10 /dev/tty
[Pipeline] sh
+ ssh -Tv git@github.xx.xxx.com
OpenSSH_7.4p1, OpenSSL 1.0.2k-fips  26 Jan 2017
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 58: Applying options for *
debug1: Connecting to github.xx.xxx.com [153.64.42.159] port 22.
debug1: Connection established.
debug1: SELinux support disabled
debug1: key_load_public: No such file or directory
debug1: identity file /home/jenkins/.ssh/id_rsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/jenkins/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/jenkins/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/jenkins/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/jenkins/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/jenkins/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/jenkins/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/jenkins/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.4
debug1: Remote protocol version 2.0, remote software version babeld-7fdd29b
debug1: no match: babeld-7fdd29b
debug1: Authenticating to github.xx.xxx.com:22 as 'git'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: curve25519-sha256 need=64 dh_need=64
debug1: kex: curve25519-sha256 need=64 dh_need=64
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:+VP3LqRsSmtwgQhOdiuCaRKG8wTCeNRdwTlOvrILZq8
debug1: read_passphrase: can't open /dev/tty: No such device or address
Host key verification failed.

Edit.

Please advise.

1 answer:

Answer 0: (score: 1)

The SSH protocol generally does not use traditional certificate authorities the way TLS does. Instead, when you first connect to a machine, you are prompted to verify its host key, which is usually done out of band. That way, you can verify the identity of the remote system.

This message appears because normally the terminal would prompt you to verify the host key, but in this case there is no terminal, so you cannot be prompted. The only safe thing to do is to fail the connection.

In this case, you will need to store the host keys of your GitHub Enterprise instance as part of the configuration. You can find them by running ssh-keyscan github.xx.xxx.com. You should take that output (minus the lines beginning with #) and store it in /etc/ssh/ssh_known_hosts in the container, or in the given user's ~/.ssh/known_hosts file.

You can also verify that the fingerprint is correct by going to https://github.xx.xxx.com/api/v3/meta and checking that SHA256:+VP3LqRsSmtwgQhOdiuCaRKG8wTCeNRdwTlOvrILZq8 is the correct fingerprint for the key.

Note that some people will suggest disabling host key verification, but that is not secure and is equivalent to operating over an unencrypted connection, so you should not do that. You also should not run ssh-keyscan every time inside the container, since that means you would accept whatever host key is offered, even if it belongs to an attacker, which is equally insecure.
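The answer's procedure (scan once, drop the # comment lines, confirm the SHA256 fingerprint against the value published out of band, then write the entry into a known_hosts file) can be turned into a small pinning step that runs at image build time rather than on every job. The following is an added example and is not the answerer's code. It assumes the ssh-keyscan output is passed in as text, and the key blob it uses is a constructed all-zero Ed25519 key, not a real host key; the expected fingerprint in practice would come from the /api/v3/meta endpoint named above.

```python
"""Pin a GitHub Enterprise host key for a non-interactive container.

Added example, not the answer's own code. Steps mirror the answer:
  1. parse ssh-keyscan output, skipping '#' comment lines,
  2. compute the OpenSSH SHA256 fingerprint of each key blob,
  3. accept a key only if it matches the fingerprint obtained out of band,
  4. write the accepted entries to a known_hosts file.
"""
import base64
import hashlib
from pathlib import Path


def _ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return len(data).to_bytes(4, "big") + data


def fingerprint_sha256(key_b64: str) -> str:
    """OpenSSH-style fingerprint: base64(SHA256(raw key blob)) without '=' padding."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_keyscan(output: str) -> list[tuple[str, str, str]]:
    """Parse ssh-keyscan output into (host, key_type, key_b64), dropping '#' lines."""
    entries = []
    for line in output.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # keyscan prints the server banner as a '#' comment
        host, key_type, key_b64 = line.split()[:3]
        entries.append((host, key_type, key_b64))
    return entries


def select_pinned_entries(keyscan_output: str, expected: dict[str, str]) -> list[str]:
    """Return known_hosts lines for keys whose fingerprint matches the out-of-band value.

    `expected` maps key type (e.g. 'ssh-ed25519') to the published SHA256 fingerprint.
    A scanned key of a listed type with a different fingerprint raises ValueError, so a
    substituted host key is never written. Key types not listed are ignored.
    """
    lines = []
    for host, key_type, key_b64 in parse_keyscan(keyscan_output):
        if key_type not in expected:
            continue
        actual = fingerprint_sha256(key_b64)
        if actual != expected[key_type]:
            raise ValueError(
                f"host key mismatch for {host} ({key_type}): got {actual}, expected {expected[key_type]}"
            )
        lines.append(f"{host} {key_type} {key_b64}")
    if not lines:
        raise ValueError("no scanned host key matched the expected fingerprints")
    return lines


def write_known_hosts(lines: list[str], path: Path) -> None:
    """Append pinned entries to a known_hosts file (e.g. /etc/ssh/ssh_known_hosts)."""
    path.parent.mkdir(parents=True, exist_ok=True)
    with path.open("a", encoding="utf-8") as fh:
        fh.write("\n".join(lines) + "\n")


# Constructed sample input: one Ed25519 key (all-zero key bytes, NOT a real host key),
# laid out the way ssh-keyscan prints it, banner comment included.
SAMPLE_KEY_B64 = base64.b64encode(_ssh_string(b"ssh-ed25519") + _ssh_string(bytes(32))).decode()
SAMPLE_KEYSCAN = (
    "# github.xx.xxx.com:22 SSH-2.0-babeld-7fdd29b\n"
    f"github.xx.xxx.com ssh-ed25519 {SAMPLE_KEY_B64}\n"
)

if __name__ == "__main__":
    import tempfile
    # In a real build this value is copied from the /api/v3/meta page, not computed here.
    expected = {"ssh-ed25519": fingerprint_sha256(SAMPLE_KEY_B64)}
    pinned = select_pinned_entries(SAMPLE_KEYSCAN, expected)
    write_known_hosts(pinned, Path(tempfile.mkdtemp()) / "ssh_known_hosts")
    print("\n".join(pinned))
```

Run it once while building the image and bake the resulting file into /etc/ssh/ssh_known_hosts; the pipeline's ssh and git push then find the pinned key and never need /dev/tty. Because a mismatch raises instead of writing, a tampered or unexpected key fails the build loudly rather than being silently trusted.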