简短版本:如何禁用/覆盖默认的 SSH 身份文件位置~/.ssh/id_{rsa,dsa}并强制SSH 使用另一个(第一个)?
长版:
我正在尝试使用 ssh 密钥访问设置gitolite。从我的客户端,我想使用我的默认~/.ssh/id_rsa身份访问 gitolite-admin 存储库,而我已经创建了一个单独的身份~/.ssh/id_rsa_git来访问普通存储库。
此外,我在以下位置创建了一个 SSH 别名~/.ssh/config:
Host git
Hostname <servername>
User gitolite
ForwardX11 no
ForwardAgent no
GSSAPIAuthentication no
IdentityFile ~/.ssh/id_rsa_git
现在,当我尝试以非管理员用户身份访问 gitolite 存储库时,我得到
$ ssh -v git true
OpenSSH_6.0p1 Debian-4, OpenSSL 1.0.1e 11 Feb 2013
debug1: Reading configuration data /home/jaap/.ssh/config
debug1: /home/jaap/.ssh/config line 105: Applying options for git
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to <servername> port 22.
debug1: Connection established.
debug1: identity file /home/jaap/.ssh/id_rsa_git type 1
debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-2048
debug1: Checking blacklist file /etc/ssh/blacklist.RSA-2048
debug1: identity file /home/jaap/.ssh/id_rsa_git-cert type -1
debug1: identity file /home/jaap/.ssh/id_rsa type 1
debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-1024
debug1: Checking blacklist file /etc/ssh/blacklist.RSA-1024
debug1: identity file /home/jaap/.ssh/id_rsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.5p1 Debian-6+squeeze3
debug1: match: OpenSSH_5.5p1 Debian-6+squeeze3 pat OpenSSH_5*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.0p1 Debian-4
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Server host key: RSA <...>
debug1: Host '<servername>' is known and matches the RSA host key.
debug1: Found key in /home/jaap/.ssh/known_hosts:19
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/jaap/.ssh/id_rsa
debug1: Server accepts key: pkalg ssh-rsa blen 149
debug1: Authentication succeeded (publickey).
这表明我的默认密钥./ssh/id_rsa首先被提供并被接受。但是此密钥不提供对非管理员存储库的访问权限,因此我希望 SSH 仅提供 /first ./ssh/id_rsa_git。我怎样才能做到这一点?
我试过添加IdentitiesOnly=yes,但这只会禁用 ssh-agent 密钥。ssh 配置(站点范围或每个用户)中似乎没有选项可以禁用默认身份,但我也找不到指定顺序的方法。
小智 8
有一个名为 IdentitiesOnly 的 SSH 配置设置,默认为“no”。在您的配置文件(全局或特定主机)中将其设置为 yes,您的问题应该得到解决。
例如,把它放在 ~/.ssh/config 中:
Host your.server.com
IdentityFile ~/example/your_new.key
User your_user
IdentitiesOnly yes
从 ssh_config 的手册页:
IdentitiesOnly
Specifies that ssh(1) should only use the authentication identity
files configured in the ssh_config files, even if ssh-agent(1) or a
PKCS11Provider offers more identities. The argument to this keyword
must be ``yes'' or ``no''. This option is intended for situations
where ssh-agent offers many different identities. The default is
``no''.
我遇到了完全相同的问题(并且被fail2ban锁定了)。这修复了它。
| 归档时间: |
|
| 查看次数: |
10196 次 |
| 最近记录: |