Git push fails because of ssh key: Host key verification failed. from inside a docker

Posted: 2021-05-02 23:16:48

Question:

A “git push” command run from inside a docker container inside a pod fails with the following:

debug1: read_passphrase: can't open /dev/tty: No such device or address
Host key verification failed.

The groovy code that launches the git push:

sshagent(['my_deploy_key']) {
    sh "ls -la /dev/tty"
    sh "ssh -Tv git@github.xx.xxx.com"
    sh "git push origin $branch"
}

The log shows that /dev/tty exists with the correct permissions:

[ssh-agent]   Exec ssh-agent (binary ssh-agent on a remote machine)
Executing sh script inside container my-project of pod my-project-1611882622034-s6sj2-xnx40
Executing command: "ssh-agent" 
exit
SSH_AUTH_SOCK=/tmp/ssh-Dm0jcALohFq6/agent.68; export SSH_AUTH_SOCK;
SSH_AGENT_PID=69; export SSH_AGENT_PID;
echo Agent pid 69;
SSH_AUTH_SOCK=/tmp/ssh-Dm0jcALohFq6/agent.68
SSH_AGENT_PID=69
Running ssh-add (command line suppressed)
Identity added: /home/jenkins/agent/workspace/Test_Dev/mydir@tmp/private_key_6404034659918914698.key (deploy-key)
[ssh-agent] Started.
[Pipeline] 
[Pipeline] sh
+ ls -la /dev/tty
crw-rw-rw- 1 root root 5, 0 Jan 29 01:10 /dev/tty
[Pipeline] sh
+ ssh -Tv git@github.xx.xxx.com
OpenSSH_7.4p1, OpenSSL 1.0.2k-fips  26 Jan 2017
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 58: Applying options for *
debug1: Connecting to github.xx.xxx.com [153.64.42.159] port 22.
debug1: Connection established.
debug1: SELinux support disabled
debug1: key_load_public: No such file or directory
debug1: identity file /home/jenkins/.ssh/id_rsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/jenkins/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/jenkins/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/jenkins/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/jenkins/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/jenkins/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/jenkins/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/jenkins/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.4
debug1: Remote protocol version 2.0, remote software version babeld-7fdd29b
debug1: no match: babeld-7fdd29b
debug1: Authenticating to github.xx.xxx.com:22 as 'git'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: curve25519-sha256 need=64 dh_need=64
debug1: kex: curve25519-sha256 need=64 dh_need=64
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:+VP3LqRsSmtwgQhOdiuCaRKG8wTCeNRdwTlOvrILZq8
debug1: read_passphrase: can't open /dev/tty: No such device or address
Host key verification failed.

Edit:

Please advise.

Answer 1:

The SSH protocol doesn't usually use traditional certificate authorities the way TLS does. Instead, the first time you connect to a machine you are prompted to verify its host key, which is typically done out of band. That way you can verify that the remote system is who it claims to be.

This message appears because you would normally be prompted at the terminal to verify the host key, but in this case there is no terminal, so you can't be prompted. The only safe thing to do is to fail the connection.

In this case, you'll need to store the host keys of your GitHub Enterprise instance as part of your configuration. You can find them by running ssh-keyscan github.xx.xxx.com. You should take that output (minus the lines starting with #) and store it in the container in either /etc/ssh/ssh_known_hosts or the ~/.ssh/known_hosts file of the user in question.

You can also verify that the fingerprint is correct by going to https://github.xx.xxx.com/api/v3/meta and checking that SHA256:+VP3LqRsSmtwgQhOdiuCaRKG8wTCeNRdwTlOvrILZq8 is the correct fingerprint for the key.

Note that some people will suggest disabling host key verification, but that is not secure and is equivalent to operating over an unencrypted connection, so you shouldn't do it. Nor should you run ssh-keyscan in the container every time, because that means you'd accept whatever host key is offered, even one belonging to an attacker, which is equally insecure.

Comments:

Thank you very much! That did it! Your explanation helped me understand what's going on under the hood.
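The pinning procedure from the answer, as an added example that is not code from the question, the answer, or GitHub: take ssh-keyscan output, drop the lines starting with #, compute each key's SHA256 fingerprint the way ssh-keygen -lf prints it, keep only keys whose fingerprint matches one obtained out of band (for example from the /api/v3/meta endpoint), and render the survivors as known_hosts lines. It goes one step beyond the answer's wording by refusing the host outright when no offered key matches, which is the "fail the connection" outcome the answer argues for. The host name github.example.test, the key blobs (base64 of "abc" and "def", not real key material), the expected-fingerprint set, and all function names are assumptions made up for this example.

```python
# Added example (not from the question or the answer): pin a GitHub Enterprise
# host key only after its fingerprint matches one obtained out of band.
import base64
import hashlib
import subprocess
from typing import Iterable, List, Set, Tuple

# Constructed sample of ssh-keyscan output. "YWJj" and "ZGVm" are base64 of
# "abc" and "def", NOT real key material; the host name is made up.
SAMPLE_KEYSCAN_OUTPUT = """\
# github.example.test:22 SSH-2.0-babeld-7fdd29b
github.example.test ssh-ed25519 YWJj
# github.example.test:22 SSH-2.0-babeld-7fdd29b
github.example.test ecdsa-sha2-nistp256 ZGVm
"""

# Fingerprint of the "abc" blob: SHA256 of the raw key bytes, base64 without
# padding, prefixed "SHA256:", exactly as OpenSSH prints it. In practice this
# set comes from the /api/v3/meta endpoint or another out-of-band source.
SAMPLE_EXPECTED_FINGERPRINTS = {"SHA256:ungWv48Bz+pBQUDeXa4iI7ADYaOWF3qctBD/YfIAFa0"}


def fingerprint_sha256(blob_b64: str) -> str:
    """OpenSSH-style SHA256 fingerprint of a base64-encoded public key blob."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def parse_keyscan(output: str) -> List[Tuple[str, str, str]]:
    """Return (host, key type, base64 blob) triples, skipping comment lines."""
    entries = []
    for line in output.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # the "# host:port banner" comment lines ssh-keyscan emits
        fields = line.split()
        if len(fields) < 3:
            raise ValueError("malformed keyscan line: %r" % line)
        entries.append((fields[0], fields[1], fields[2]))
    return entries


def select_pinned_entries(output: str, expected: Set[str]) -> List[str]:
    """known_hosts lines for keys whose fingerprint is in `expected`.

    Raises ValueError if no key matches: the only safe outcome when the
    offered host key cannot be tied to an out-of-band fingerprint.
    """
    pinned = []
    for host, keytype, blob in parse_keyscan(output):
        if fingerprint_sha256(blob) in expected:
            pinned.append("%s %s %s" % (host, keytype, blob))
    if not pinned:
        raise ValueError("no offered host key matched an expected fingerprint")
    return pinned


def render_known_hosts(lines: Iterable[str]) -> str:
    """Text to append to /etc/ssh/ssh_known_hosts or ~/.ssh/known_hosts."""
    return "".join(line + "\n" for line in lines)


def scan_host(host: str) -> str:
    """Run ssh-keyscan against a real host (needs network; not used below)."""
    result = subprocess.run(["ssh-keyscan", host], capture_output=True, text=True, check=True)
    return result.stdout


if __name__ == "__main__":
    # Offline demonstration on the constructed sample: only the ed25519 line
    # survives, because the ecdsa blob's fingerprint is not in the expected set.
    pinned = select_pinned_entries(SAMPLE_KEYSCAN_OUTPUT, SAMPLE_EXPECTED_FINGERPRINTS)
    print(render_known_hosts(pinned), end="")
```

Run once at image build time (or on the CI controller), with the expected fingerprints baked into configuration, and bake the rendered lines into the container's known_hosts file; that keeps ssh-keyscan out of the per-job path, which is the trust-on-first-use pattern the answer warns against.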
