问题描述
我已将 github.com SSH 密钥添加到 /etc/ssh/ssh_kNown_hosts。但是当我跑步时
git clone git@github.com:me/repo
我还是明白了
cloning into 'repo'...
The authenticity of host 'github.com (XXX.XXX.XXX.XXX)' can't be established.
RSA key fingerprint is SHA256:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX.
Are you sure you want to continue connecting (yes/no)?
- 如果我将密钥添加到
~/.ssh/kNown_hosts,它会按预期工作,没有提示。 - 我在 debian 机器上运行它。
- 我希望直接使用文件
/etc/ssh/ssh_kNown_hosts进行此操作,因为有多个用户。 - 我也无法输入
'yes',因为它在puppet中运行。 - 出于安全原因,我们不能使用
StrictHostKeyChecking = no。 - 我没有
~/.ssh/config文件。 - (编辑)自从修改
sshd后,我也重新启动了/etc/ssh/ssh_kNown_hosts。
如何强制 git 使用 /etc/ssh/ssh_kNown_hosts?
编辑 1:
这是文件 /etc/ssh/ssh_config(并且 ~/.ssh/config 不存在):
# This is the ssh client system-wide configuration file. See
# ssh_config(5) for more information. This file provides defaults for
# users,and the values can be changed in per-user configuration files
# or on the command line.
# Configuration data is parsed as follows:
# 1. command line options
# 2. user-specific file
# 3. system-wide file
# Any configuration value is only changed the first time it is set.
# Thus,host-specific deFinitions should be at the beginning of the
# configuration file,and defaults at the end.
# Site-wide defaults for some commonly used options. For a comprehensive
# list of available options,their meanings and defaults,please see the
# ssh_config(5) man page.
Host *
# ForwardAgent no
# ForwardX11 no
# ForwardX11Trusted yes
# RhostsRSAAuthentication no
# RSAAuthentication yes
# PasswordAuthentication yes
# HostbasedAuthentication no
# GSSAPIAuthentication no
# GSSAPIDelegateCredentials no
# GSSAPIKeyExchange no
# GSSAPITrustDNS no
# BatchMode no
# CheckHostIP yes
# AddressFamily any
# ConnectTimeout 0
# StrictHostKeyChecking ask
# IdentityFile ~/.ssh/identity
# IdentityFile ~/.ssh/id_rsa
# IdentityFile ~/.ssh/id_dsa
# IdentityFile ~/.ssh/id_ecdsa
# IdentityFile ~/.ssh/id_ed25519
# Port 22
# Protocol 2
# Cipher 3des
# Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc
# MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160
# EscapeChar ~
# Tunnel no
# TunnelDevice any:any
# PermitLocalCommand no
# VisualHostKey no
# ProxyCommand ssh -q -W %h:%p gateway.example.com
# RekeyLimit 1G 1h
SendEnv LANG LC_*
HashKNownHosts yes
GSSAPIAuthentication yes
这是我的/etc/ssh/ssh_kNown_hosts:
# HEADER: This file was autogenerated at 2020-12-31 10:33:06 +0000
# HEADER: by puppet. While it can still be managed manually,it
# HEADER: is definitely not recommended.
gerrit.wikimedia.org ssh-rsa AAAAB3Nz[...]
github ssh-rsa AAAAB3NzAAAAB3Nz[...]
编辑 2:
所有人都对 /etc/ssh/ssh_kNown_hosts 拥有读取权限:
vagrant@vagrant:~$ ls -la /etc/ssh/ssh_kNown_hosts
-rw-r--r-- 1 root root 795 Dec 31 10:33 /etc/ssh/ssh_kNown_hosts
解决方法
这绝对是 SSH 问题。 SSH(1) 手册页指出:
ssh 会自动维护和检查一个数据库,其中包含曾经使用过的所有主机的标识。主机密钥存储在用户主目录的 @ViewChild('parallex')
el: ElementRef;
@HostListener("window:scroll")
onScroll() {
let pos = window.pageYOffset;
this.renderer.setStyle(this.el.nativeElement,'margin-bottom',pos + "px");
this.renderer.setStyle(this.el.nativeElement,'margin-left',pos + "px");
}
constructor(
private renderer: Renderer2
) {}
中。此外,文件 ~/.ssh/known_hosts 会自动检查已知主机。
您的问题可能是未提升权限的用户无法读取 /etc/ssh/ssh_known_hosts 文件。
ssh 有一个警告,如果您运行 /etc/ssh/ssh_known_hosts 之类的程序,它可以修改您现有的 sudo ssh-keygen -R domain.com 文件,使其只能由 root 用户读取。 (/etc/ssh/ssh_known_hosts/)。您可能希望使用 -rw------- root root 或 chown 更改此文件的权限,以确保它无需 root 权限即可读取。
chmod您已知的主机文件格式不正确。每行的第一个条目是您要连接的系统的名称。在这种情况下,它需要是 github.com,而不是普通的 github。这是 OpenSSH 用来查找适当密钥的技术。
您可以使用 ssh-keyscan github.com 找到正确的格式。