Windows 10 OpenSSH ssh-add "agent refused operation" (GitLab Windows Shared Runner)

Posted: 2021-02-10 08:51:36

Question:

I am having a lot of trouble adding an SSH key to ssh-agent on GitLab's Windows Shared Runner so that I can then access private packages on GitLab.

The actual SSH private key is set using a "File" environment variable, but adding it directly via ssh-add reports that the permissions are too open, so I looked into ways of trying to correct that - none of them worked.

Instead I echo the key into a manually created file. Now I get "agent refused operation" when adding the key.

To add fuel to the fire, the ssh agent even refuses keys generated inside the VM for testing purposes.

The SSH keys are all of type ed25519.

Here is my gitlab-ci.yml script - what am I missing?

stages:
  - test


test_windows:
    stage: test
    tags:
      - shared-windows
      - windows
      - windows-1809
    variables:
      CI_ARTIFACTS_PATH_TMP: '"$CI_PROJECT_DIR"'
    script:
      # ------------------------------------------------------------------------
      # Print the contents of some key directories
      # ------------------------------------------------------------------------
      - ls -l "C:\"
      - ls -l "C:\Users\"
      - ls -l "C:\Git\"
      - ls -l "C:\Git\usr\bin\"
      - ls -l "C:\Program Files\"
      - ls -l "C:\Windows\System32\OpenSSH\"


      # ------------------------------------------------------------------------
      # Install dependencies/helpers
      # ------------------------------------------------------------------------
      # No steps required

      # ------------------------------------------------------------------------
      # Configure SSH (OpenSSH variant)
      # ------------------------------------------------------------------------
      - Get-Command ssh-keygen
      - Get-Command ssh-add
      - Get-Command ssh
      - Set-Service -Name ssh-agent -StartupType Manual
      - Start-Service ssh-agent
      - Get-Service ssh-agent | select * # Check if it has started


      # ------------------------------------------------------------------------
      # Copy the DK_FILE ssh private key env variable into the id_ed25519 file (create if nonexistent)
      # ------------------------------------------------------------------------
      - $dk_file_txt = Get-Content $DK_FILE -Raw
      - echo $dk_file_txt
      - New-Item -ItemType "file" -Force -Path C:\Users\$env:UserName\.ssh\id_ed25519
      - echo "$dk_file_txt" > C:\Users\$env:UserName\.ssh\id_ed25519
      - (Get-Content C:\Users\$env:UserName\.ssh\id_ed25519 -Raw).Replace("`r`n","`n") | Set-Content C:\Users\$env:UserName\.ssh\id_ed25519 -Force


      # ------------------------------------------------------------------------
      # Set Key Permissions
      # ------------------------------------------------------------------------
      # :: Remove Inheritance ::
      # - cmd /c icacls "C:\Users\gitlab_runner\.ssh" /c /t /inheritance:d
      - cmd /c icacls C:\Users\$env:UserName\.ssh\id_ed25519 /c /t /inheritance:d
      # :: Set Ownership to Owner ::
      # - cmd /c icacls "C:\Users\gitlab_runner\.ssh" /c /t /grant %username%:F
      - cmd /c icacls C:\Users\$env:UserName\.ssh\id_ed25519 /c /t /grant %username%:F
      # :: Remove All Users, except for Owner ::
      # - cmd /c icacls "C:\Users\gitlab_runner\.ssh"  /c /t /remove Administrator BUILTIN\Administrators BUILTIN Everyone System Users
      - cmd /c icacls C:\Users\$env:UserName\.ssh\id_ed25519  /c /t /remove Administrator BUILTIN\Administrators BUILTIN Everyone System Users
      # :: Verify ::
      # - cmd /c icacls "C:\Users\gitlab_runner\.ssh"
      - cmd /c icacls C:\Users\$env:UserName\.ssh\id_ed25519

      # ------------------------------------------------------------------------
      # Add the SSH key via ssh-add
      # ------------------------------------------------------------------------
      - ssh-add C:\Users\$env:UserName\.ssh\id_ed25519

      # ------------------------------------------------------------------------
      # Test if it worked
      # ------------------------------------------------------------------------
      # - ssh -Tvvv git@gitlab.com
      # - git config --global core.sshCommand "'C:\Windows\System32\OpenSSH\ssh.exe'"
      # - npm install
      # - npm run package-win

      # ------------------------------------------------------------------------
      # Upload artifacts (if any)
      # ------------------------------------------------------------------------
      # - gitlab-runner artifacts-uploader --verbose --id "$CI_JOB_ID" --token "$CI_JOB_TOKEN" --url "$CI_SERVER_URL" --artifact-format zip --artifact-type archive --path $CI_ARTIFACTS_PATH_TMP || exit 1

      # ------------------------------------------------------------------------
      # Finish...
      # ------------------------------------------------------------------------
      - exit 0
    artifacts:
      paths:
        - .ssh
      exclude:
        - node_modules


Note that I also tried a variant that uses poshgit and sets different aliases for the ssh commands, pointing at that installation.

With the poshgit variant the ssh private key is added successfully. However, when actually trying to run an ssh session I get a "Host key verification failed" error. That then kills my npm install (which uses private repositories as dependencies).

stages:
  - test


test_windows:
    stage: test
    tags:
      - shared-windows
      - windows
      - windows-1809
    variables:
      CI_ARTIFACTS_PATH_TMP: '"$CI_PROJECT_DIR"'
    script:
      # ------------------------------------------------------------------------
      # Print the contents of some key directories
      # ------------------------------------------------------------------------
      - ls -l "C:\"
      - ls -l "C:\Users\"
      - ls -l "C:\Git\"
      - ls -l "C:\Git\usr\bin\"
      - ls -l "C:\Program Files\"
      - ls -l "C:\Windows\System32\OpenSSH\"


      # ------------------------------------------------------------------------
      # Install dependencies/helpers
      # ------------------------------------------------------------------------


      # ------------------------------------------------------------------------
      # Configure SSH (Poshgit variant)
      # ------------------------------------------------------------------------
      - choco install poshgit -y --limit-output --no-progress
      - refreshenv
      - Import-Module 'C:\tools\poshgit\dahlbyk-posh-git-9bda399\src\posh-git.psd1'
      - refreshenv
      - $env:PATH+=";C:\Git\usr\bin"
      - Set-Alias ssh-keygen "$env:ProgramFiles\git\usr\bin\ssh-keygen.exe" # Provided by poshgit
      - Set-Alias ssh-agent "C:\Git\usr\bin\ssh-agent.exe"
      - Set-Alias ssh-add "C:\Git\usr\bin\ssh-add.exe"
      - Set-Alias ssh "C:\Git\usr\bin\ssh.exe"
      - Start-SshAgent -Quiet
      - echo "$env"
      - gci env:SSH_AUTH_SOCK
      - mkdir .ssh
      - Get-WindowsCapability -Online | ? Name -like 'OpenSSH*'
      # - ssh-keygen -f "$CI_PROJECT_DIR\.ssh\test_rsa" -t rsa -N '""'
      # - ssh-keygen -f "$CI_PROJECT_DIR\.ssh\test_ed25519" -t ed25519 -N '""'
      - New-Item -ItemType "directory" -Force -Path C:\Users\$env:UserName\.ssh\
      - ssh-keygen -a 100 -t ed25519 -f "C:\Users\$env:UserName\.ssh\id_ed25519" -C "MY_SSH_KEY" -N '""'
      - Remove-Item -Path "C:\Users\$env:UserName\.ssh\id_ed25519.pub"
      # - Set-Content -Path "C:\Users\$env:UserName\.ssh\id_ed25519" -Value $dk_file_txt -Force

      - ssh-add "C:\Users\$env:UserName\.ssh\id_ed25519"


      # ------------------------------------------------------------------------
      # Test if it worked
      # ------------------------------------------------------------------------
      # - ssh -o StrictHostKeyChecking=no git@gitlab.com uptime
      - ls -l "$env:ProgramFiles\"
      - ls -l "$env:ProgramFiles\git\"
      - ls -l "$env:ProgramFiles\git\bin"
      # - Set-Alias -Name git -Value "$env:ProgramFiles\git\bin\git.exe"
      # - npm config set git "$env:ProgramFiles\git\bin\git.exe"
      # - git config --global core.sshCommand "$env:ProgramFiles\git\usr\bin\ssh.exe"
      - ssh -Tvvv git@gitlab.com
      # - npm install # Fails with error code 128 (ssh failure)
      # - npm run package-win

      # ------------------------------------------------------------------------
      # Upload artifacts (if any)
      # ------------------------------------------------------------------------
      - gitlab-runner artifacts-uploader --verbose --id "$CI_JOB_ID" --token "$CI_JOB_TOKEN" --url "$CI_SERVER_URL" --artifact-format zip --artifact-type archive --path $CI_ARTIFACTS_PATH_TMP || exit 1

      # ------------------------------------------------------------------------
      # Finish...
      # ------------------------------------------------------------------------
      - exit 0
    artifacts:
      paths:
        - .ssh
      exclude:
        - node_modules

Ideally I would prefer to use openssh without having to add external dependencies. I would appreciate any help, as I have wasted a lot of time on this.
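The Windows-native route the question prefers, as an added example that is not part of the original post. It assumes the file-type CI variable `DK_FILE` from the post (its value is the path of a temp file holding the ed25519 private key) and one assumed CI variable, `GITLAB_KNOWN_HOSTS`, holding the known_hosts lines for gitlab.com copied from GitLab's published host keys; `Invoke-Native` is a helper name chosen here. Compared with the posted job it writes the key as UTF-8 without a BOM (Windows PowerShell's `>` redirection writes UTF-16 with a BOM), calls the Windows `ssh-add.exe` by full path so the job cannot silently pick up Git for Windows' build (which talks to Git's own agent over SSH_AUTH_SOCK, not to the Windows service's named pipe), confirms with `ssh-add -l` that the agent actually holds the key, and pins the server's host keys instead of passing `StrictHostKeyChecking=no`. It also never echoes the key material into the job log; for the same reason the `artifacts: paths: - .ssh` entry in the posted job should be dropped, since it uploads the private key together with the build output.

```powershell
# Added example, not from the original post: native Windows OpenSSH on a GitLab
# Windows shared runner. Assumes the file-type CI variable DK_FILE from the post
# (path to the ed25519 private key) and an assumed CI variable GITLAB_KNOWN_HOSTS
# holding known_hosts lines for gitlab.com copied from GitLab's published host keys.

# Native commands (ssh-add, git, icacls) write progress to stderr. Under a runner,
# Windows PowerShell 5.1 turns that into NativeCommandError records, which an
# $ErrorActionPreference of Stop escalates into job failure. So: Continue here,
# and check $LASTEXITCODE after every native call instead.
$ErrorActionPreference = 'Continue'

$OpenSSH    = Join-Path $env:SystemRoot 'System32\OpenSSH'   # the Windows build
$SshDir     = Join-Path $env:USERPROFILE '.ssh'              # what ssh.exe treats as ~/.ssh
$KeyPath    = Join-Path $SshDir 'id_ed25519'
$KnownHosts = Join-Path $SshDir 'known_hosts'
$Utf8NoBom  = New-Object System.Text.UTF8Encoding($false)

function Invoke-Native {
    # Run a native executable and fail the job if it exits non-zero.
    param([string]$Exe, [string[]]$Arguments)
    & $Exe @Arguments
    if ($LASTEXITCODE -ne 0) { throw "$Exe $Arguments failed with exit code $LASTEXITCODE" }
}

# 1. Refuse to mix toolchains: Git for Windows ships its own ssh-add that talks to
#    Git's agent over SSH_AUTH_SOCK, not to the Windows ssh-agent service's named pipe.
$resolved = (Get-Command ssh-add -ErrorAction SilentlyContinue).Source
if ($resolved -and $resolved -ne (Join-Path $OpenSSH 'ssh-add.exe')) {
    Write-Warning "PATH resolves ssh-add to $resolved; using the Windows build by full path"
}

# 2. Make sure the Windows ssh-agent service runs (needs an elevated job, as in the post).
$agent = Get-Service ssh-agent -ErrorAction Stop
if ($agent.StartType -eq 'Disabled') { Set-Service ssh-agent -StartupType Manual }
if ($agent.Status -ne 'Running')     { Start-Service ssh-agent }

# 3. Write the key as UTF-8 without BOM, LF line endings, exactly one trailing newline.
#    Windows PowerShell's '>' writes UTF-16 with a BOM, which ssh-add cannot parse.
#    The key material is never echoed to the job log.
New-Item -ItemType Directory -Force -Path $SshDir | Out-Null
$key = (Get-Content -LiteralPath $env:DK_FILE -Raw -ErrorAction Stop) -replace "`r`n", "`n"
$key = $key.TrimEnd("`n") + "`n"
[System.IO.File]::WriteAllText($KeyPath, $key, $Utf8NoBom)

# 4. Lock the DACL to the current user only (the Windows equivalent of chmod 600):
#    drop inherited ACEs, replace explicit ACEs with one full-control entry for our SID.
$sid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
Invoke-Native icacls @($KeyPath, '/inheritance:r', '/grant:r', "*${sid}:F")
Invoke-Native icacls @($KeyPath)          # log the resulting ACL, not the key

# 5. Load the key and verify that the agent really holds it (ssh-add -l exits 1 if empty).
Invoke-Native "$OpenSSH\ssh-add.exe" @($KeyPath)
Invoke-Native "$OpenSSH\ssh-add.exe" @('-l')

# 6. Pin gitlab.com's host keys instead of disabling StrictHostKeyChecking.
#    ssh-keygen -F exits non-zero when the file has no entry for the host.
$hosts = ($env:GITLAB_KNOWN_HOSTS -replace "`r`n", "`n").TrimEnd("`n") + "`n"
[System.IO.File]::WriteAllText($KnownHosts, $hosts, $Utf8NoBom)
Invoke-Native "$OpenSSH\ssh-keygen.exe" @('-F', 'gitlab.com', '-f', $KnownHosts)

# 7. Prove the whole chain works before git/npm depend on it. BatchMode=yes makes ssh
#    fail instead of prompting; GitLab answers "Welcome to GitLab, @user!" on success.
$banner = & "$OpenSSH\ssh.exe" -o BatchMode=yes -T git@gitlab.com 2>&1 | Out-String
if ($banner -notmatch 'Welcome to GitLab') { throw "SSH to gitlab.com failed: $banner" }

# 8. Make git (and therefore npm's git dependencies) use the same ssh.exe and agent.
Invoke-Native git @('config', '--global', 'core.sshCommand',
                    ((Join-Path $OpenSSH 'ssh.exe') -replace '\\', '/'))
```

Each of these steps maps onto one `- ` line (or a `.ps1` checked into the repository and invoked from `script:`) in the job; the order matters, because step 4 must run before step 5 or `ssh-add` reports the "too open" error from the question, and step 6 must run before step 7 or `BatchMode=yes` turns the unknown host key into an immediate failure.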

Comments:

(added the poshgit yml script to the original post)

Answer 1:

Are the private key permissions 600 and the public key 644?

chmod 600 ~/.ssh/id_ed25519 && chmod 644 ~/.ssh/id_ed25519.pub

Comments:

As it's currently written, your answer is unclear. Please edit to add additional details that will help others understand how this addresses the question asked. You can find more information on how to write good answers in the help center.
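The answer's `chmod` is the POSIX fix. The Windows-native OpenSSH tools never consult a POSIX mode, and Git for Windows' `chmod` only maps onto NTFS ACLs when the MSYS mount options allow it; what `ssh-add.exe` checks on a private key is the NTFS DACL. The rule it applies is: the file owner must be the current user, SYSTEM or Administrators, and no other principal may hold an allow ACE on the file; anything else produces the "permissions are too open" error quoted in the question. The following is an added example, not part of the answer: it audits a key file against that rule and applies the Windows equivalent of `chmod 600` through the .NET ACL API rather than `icacls`. `Get-SshKeyAclProblems`, `Set-SshKeyAcl` and the key path are names chosen here.

```powershell
# Added example, not from the answer: audit and repair a private key's NTFS DACL the
# way Windows OpenSSH expects it (owner = current user / SYSTEM / Administrators,
# allow ACEs only for those principals). Function and variable names are ours.
$Me     = [System.Security.Principal.WindowsIdentity]::GetCurrent().User
$System = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-18'      # NT AUTHORITY\SYSTEM
$Admins = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'  # BUILTIN\Administrators

function Get-SshKeyAclProblems {
    # Returns one line per owner/ACE that Windows OpenSSH would reject; empty means OK.
    param([Parameter(Mandatory)][string]$Path)
    $allowed  = @($Me, $System, $Admins)
    $acl      = Get-Acl -LiteralPath $Path
    $problems = @()

    $owner = $acl.GetOwner([System.Security.Principal.SecurityIdentifier])
    if ($allowed -notcontains $owner) {
        $problems += "owner is $($acl.Owner); must be the current user, SYSTEM or Administrators"
    }
    # Inherited ACEs count too: that is how a key under a default-ACL folder ends up
    # readable by BUILTIN\Users even though nobody granted that explicitly.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($ace in $rules) {
        if ($ace.AccessControlType -ne 'Allow')        { continue }
        if ($allowed -contains $ace.IdentityReference) { continue }
        $who = $ace.IdentityReference.Value
        try { $who = $ace.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value } catch {}
        $how = if ($ace.IsInherited) { 'inherited' } else { 'explicit' }
        $problems += "$who has $($ace.FileSystemRights) ($how)"
    }
    return $problems
}

function Set-SshKeyAcl {
    # chmod 600 equivalent: no inheritance, one explicit full-control ACE for the current user.
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    $acl.SetAccessRuleProtection($true, $false)   # stop inheriting; do not copy inherited ACEs
    foreach ($ace in $acl.Access) {
        if (-not $ace.IsInherited) { [void]$acl.RemoveAccessRule($ace) }
    }
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Me, 'FullControl', 'Allow')
    $acl.SetAccessRule($rule)
    $acl.SetOwner($Me)                            # no-op if we created the file; needs WRITE_OWNER otherwise
    Set-Acl -LiteralPath $Path -AclObject $acl
}

# Usage: audit, repair only if needed, then fail loudly if it is still wrong.
$keyPath = Join-Path $env:USERPROFILE '.ssh\id_ed25519'
$before  = Get-SshKeyAclProblems $keyPath
if ($before) {
    Write-Host "Fixing ACL: $($before -join '; ')"
    Set-SshKeyAcl $keyPath
}
$after = Get-SshKeyAclProblems $keyPath
if ($after) { throw "key is still too open: $($after -join '; ')" }
```

Nothing equivalent is needed for the `.pub` file: the OpenSSH client does not check the public key's permissions, so the `644` half of the answer has no Windows counterpart.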
