
Resolving a case where GitLab could not be accessed over SSH


Symptom:
[root@web-m data]# git clone ssh://[email protected]:22022/lxk/core.git
Cloning into 'core'...
[email protected]'s password: 
Permission denied, please try again.
[email protected]'s password: 
Permission denied, please try again.
[email protected]'s password: 
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.

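A key pair had already been created locally and the private key uploaded to the user's SSH Keys. Nothing went wrong during that process, yet login only worked over HTTP by entering the username and password.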

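The "Permission denied" in the output already points to a permissions problem: because password login is not allowed for this SSH login, "Permission denied" is returned whether or not the password entered is correct. Look at the login process in debug mode: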

[root@web-m .ssh]# ssh -vT [email protected] -p 22022
OpenSSH_7.4p1, OpenSSL 1.0.2k-fips  26 Jan 2017
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 58: Applying options for *
debug1: Connecting to gitlab.lixinkuan.com [X.X.X.X] port 22022.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_rsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_rsa-cert type -1
debug1: identity file /root/.ssh/id_dsa type 2
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.4
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
debug1: match: OpenSSH_5.3 pat OpenSSH_5* compat 0x0c000000
debug1: Authenticating to gitlab.lixinkuan.com:22022 as 'git'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: diffie-hellman-group-exchange-sha256
debug1: kex: host key algorithm: ssh-rsa
debug1: kex: server->client cipher: aes128-ctr MAC: [email protected] compression: none
debug1: kex: client->server cipher: aes128-ctr MAC: [email protected] compression: none
debug1: kex: diffie-hellman-group-exchange-sha256 need=16 dh_need=16
debug1: kex: diffie-hellman-group-exchange-sha256 need=16 dh_need=16
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<3072<8192) sent
debug1: got SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: got SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Server host key: ssh-rsa SHA256:YwKrqd2VsjmqoEdWNtCase8ONV5h0uSbGQEWR18lHd8
debug1: checking without port identifier
The authenticity of host '[gitlab.lixinkuan.com]:22022 ([X.X.X.X]:22022)' can't be established.
RSA key fingerprint is SHA256:YwKrqd2VsjmqoEdWNtCase8ONV5h0uSbGQEWR18lHd8.
RSA key fingerprint is MD5:14:8c:87:8f:b5:15:75:e1:8a:31:a5:61:ce:9d:68:6c.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[gitlab.lixinkuan.com]:22022,[X.X.X.X]:22022' (RSA) to the list of known hosts.        # rejected once here
debug1: rekey after 4294967296 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey after 4294967296 blocks
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Next authentication method: gssapi-keyex        # next authentication method: gssapi-keyex
debug1: No valid Key exchange context           # no valid key context
debug1: Next authentication method: gssapi-with-mic     # next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure.  Minor code may provide more information
No Kerberos credentials available (default cache: KEYRING:persistent:0)

debug1: Unspecified GSS failure.  Minor code may provide more information
No Kerberos credentials available (default cache: KEYRING:persistent:0)
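# Below, every attempt to read an authentication file reads a file under /root/.ssh. But we are logging in to gitlab, so the script is wrong: the authentication files should not be read from here!!!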
debug1: Next authentication method: publickey
debug1: Trying private key: /root/.ssh/id_rsa
debug1: Offering DSA public key: /root/.ssh/id_dsa
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Trying private key: /root/.ssh/id_ecdsa
debug1: Trying private key: /root/.ssh/id_ed25519
debug1: Next authentication method: password
[email protected]'s password: 
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
Permission denied, please try again.
[email protected]'s password: 
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
Permission denied, please try again.
[email protected]'s password: 
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: No more authentication methods to try.
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).

Since only SSH login is affected, the problem should lie in the file permissions of GitLab's SSH module.

Check the permissions of the key files: only the owner has access, the group and other have none, and the .ssh directory is fine.

[root@gitlab gitlab]# ll -d .ssh/
drwx------ 2 git git 4096 Jul 18 09:29 .ssh/
[root@gitlab gitlab]# ll .ssh/
total 32
-rw------- 1 git git 28332 Oct 16 20:50 authorized_keys
-rw------- 1 git git     0 Oct 16 20:50 authorized_keys.lock

Check the gitlab-shell permissions:

[root@gitlab gitlab]# ll -d gitlab-shell/
drwx------ 2 git root 4096 Oct 16 20:46 gitlab-shell/
[root@gitlab gitlab]# ll  gitlab-shell/
total 4
-rw-r--r-- 1 root root 1105 Jul 17 12:52 config.yml
[root@gitlab gitlab-shell]# stat config.yml
  File: `config.yml'
  Size: 1105        Blocks: 8          IO Block: 4096   regular file
Device: fc01h/64513d    Inode: 132041      Links: 1
Access: (0644/-rw-r--r--)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2018-10-16 18:38:47.356925223 +0800
Modify: 2018-07-17 12:52:10.845000022 +0800
Change: 2018-07-17 12:52:10.847000022 +0800

The owner and group of config.yml are both root. After changing them to root git and restarting the git service, the fault persisted.

[root@web-m data]# git clone ssh://[email protected]:22022/lxk/core.git
Cloning into 'core'...
[email protected]'s password: 
Permission denied, please try again.
[email protected]'s password: 
Permission denied, please try again.
[email protected]'s password: 
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.

The permissions of config.yml were then changed to the following:

[root@gitlab gitlab-shell]# ll
total 4
-rw-r----- 1 root git 1105 Jul 17 12:52 config.yml

After restarting the service, everything returned to normal:

[root@web-m data]# git clone ssh://[email protected]:22022/lxk/core.git
Cloning into 'core'...
remote: Counting objects: 5943, done.
remote: Compressing objects: 100% (3822/3822), done.
remote: Total 5943 (delta 2054), reused 5916 (delta 2042)
Receiving objects: 100% (5943/5943), 430.32 MiB | 1.28 MiB/s, done.
Resolving deltas: 100% (2054/2054), done.
Checking out files: 100% (8849/8849), done.

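The cause was a file permission problem: either some expert changed the permissions of the gitlab-shell configuration file, or someone copied a configuration file onto the GitLab server as the root user.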

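In theory, git reading config.yml through the "other" permission bits should work here. But ssh is extremely strict about file permissions, so the file could not be read at all.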
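
An added example, not part of the original post: a shell audit that compares the three paths inspected above with the owner, group and mode they have in the article's working state. The base directory and account names are arguments (assumptions about your install), `check_perm` and `audit_gitlab_ssh` are hypothetical helper names, and GNU `stat -c` is assumed.

```shell
#!/bin/sh
# Added example: detect permission drift on the files this article inspects.
# Assumes GNU coreutils stat (-c). Helper names are hypothetical.

# check_perm PATH OWNER GROUP MODE
# Prints one finding line; returns 1 if the path is missing or differs.
check_perm() {
    path=$1 want_owner=$2 want_group=$3 want_mode=$4
    if [ ! -e "$path" ]; then
        echo "MISSING  $path"
        return 1
    fi
    # %U owner name, %G group name, %a octal mode
    got=$(stat -c '%U %G %a' "$path")
    want="$want_owner $want_group $want_mode"
    if [ "$got" != "$want" ]; then
        echo "DRIFT    $path: have [$got], want [$want]"
        return 1
    fi
    echo "OK       $path"
}

# audit_gitlab_ssh BASE USER GROUP CFG_OWNER
# Baseline taken from the listings in this article:
#   .ssh                      USER:GROUP       700
#   .ssh/authorized_keys      USER:GROUP       600
#   gitlab-shell/config.yml   CFG_OWNER:GROUP  640
audit_gitlab_ssh() {
    base=$1 user=$2 group=$3 cfg_owner=$4 rc=0
    check_perm "$base/.ssh" "$user" "$group" 700 || rc=1
    check_perm "$base/.ssh/authorized_keys" "$user" "$group" 600 || rc=1
    check_perm "$base/gitlab-shell/config.yml" "$cfg_owner" "$group" 640 || rc=1
    return $rc
}

# Stand-alone use: sh audit.sh <base-dir> git git root
if [ "$#" -ge 4 ]; then
    audit_gitlab_ssh "$1" "$2" "$3" "$4"
fi
```

Run on a schedule or after any configuration copy, a non-zero exit flags the kind of ownership or mode change described here before users hit it.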

Appended: the output of a normal SSH debug-mode login to the GitLab server:

[root@web-m core]# ssh -vT [email protected] -p 22022
OpenSSH_7.4p1, OpenSSL 1.0.2k-fips  26 Jan 2017
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 58: Applying options for *
debug1: Connecting to gitlab.lixinkuan.com [X.X.X.X] port 22022.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_rsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_rsa-cert type -1
debug1: identity file /root/.ssh/id_dsa type 2
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.4
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
debug1: match: OpenSSH_5.3 pat OpenSSH_5* compat 0x0c000000
debug1: Authenticating to gitlab.lixinkuan.com:22022 as 'git'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: diffie-hellman-group-exchange-sha256
debug1: kex: host key algorithm: ssh-rsa
debug1: kex: server->client cipher: aes128-ctr MAC: [email protected] compression: none
debug1: kex: client->server cipher: aes128-ctr MAC: [email protected] compression: none
debug1: kex: diffie-hellman-group-exchange-sha256 need=16 dh_need=16
debug1: kex: diffie-hellman-group-exchange-sha256 need=16 dh_need=16
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<3072<8192) sent
debug1: got SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: got SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Server host key: ssh-rsa SHA256:YwKrqd2VsjmqoEdWNtCase8ONV5h0uSbGQEWR18lHd8
debug1: Host '[gitlab.lixinkuan.com]:22022' is known and matches the RSA host key.
debug1: Found key in /root/.ssh/known_hosts:1
debug1: rekey after 4294967296 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey after 4294967296 blocks
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure.  Minor code may provide more information
No Kerberos credentials available (default cache: KEYRING:persistent:0)

debug1: Unspecified GSS failure.  Minor code may provide more information
No Kerberos credentials available (default cache: KEYRING:persistent:0)

debug1: Next authentication method: publickey
debug1: Trying private key: /root/.ssh/id_rsa
debug1: Offering DSA public key: /root/.ssh/id_dsa
debug1: Remote: Forced command: /opt/gitlab/embedded/service/gitlab-shell/bin/gitlab-shell key-77
debug1: Remote: Port forwarding disabled.
debug1: Remote: X11 forwarding disabled.
debug1: Remote: Agent forwarding disabled.
debug1: Remote: Pty allocation disabled.
debug1: Server accepts key: pkalg ssh-dss blen 433
debug1: Remote: Forced command: /opt/gitlab/embedded/service/gitlab-shell/bin/gitlab-shell key-77
debug1: Remote: Port forwarding disabled.
debug1: Remote: X11 forwarding disabled.
debug1: Remote: Agent forwarding disabled.
debug1: Remote: Pty allocation disabled.
debug1: Authentication succeeded (publickey).
Authenticated to gitlab.lixinkuan.com ([X.X.X.X]:22022).
debug1: channel 0: new [client-session]
debug1: Requesting [email protected]
debug1: Entering interactive session.
debug1: pledge: network
debug1: Sending environment.
debug1: Sending env LANG = en_US.UTF-8
Welcome to GitLab, 李心寬!
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug1: client_input_channel_req: channel 0 rtype [email protected] reply 0
debug1: channel 0: free: client-session, nchannels 1
Transferred: sent 3328, received 3664 bytes, in 0.1 seconds
Bytes per second: sent 27166.7, received 29909.5
debug1: Exit status 0
