Problems deploying code with Capistrano since upgrading to macOS 10.12 (Sierra), “Permission denied (publickey).”

Problem description

So I just upgraded my Mac mini (Late 2012) to macOS 10.12 (Sierra) and everything seems fine, but I’m running into one odd problem deploying code with Capistrano. I get the following error:

Permission denied (publickey).

Never had this problem before in Mac OS X 10.11 (El Capitan) or any version prior to it. Why is this suddenly happening now? Full output of the failed Capistrano deployment below:

jakes_mac:SomeCode jake$ cap staging deploy
INFO [hkdgad21] Running /usr/bin/env mkdir -p /tmp/somecode/ as jake@example.com
DEBUG [hkdgad21] Command: /usr/bin/env mkdir -p /tmp/somecode/
jake@example.com's password:
INFO [hkdgad21] Finished in 5.166 seconds with exit status 0 (successful).
DEBUG Uploading /tmp/somecode/git-ssh.sh 0.0%
INFO Uploading /tmp/somecode/git-ssh.sh 100.0%
INFO [xyz20312] Running /usr/bin/env chmod +x /tmp/somecode/git-ssh.sh as jake@example.com
DEBUG [xyz20312] Command: /usr/bin/env chmod +x /tmp/somecode/git-ssh.sh
INFO [xyz20312] Finished in 0.240 seconds with exit status 0 (successful).
INFO [abcdef01] Running /usr/bin/env git ls-remote --heads git@github.com:SomeUser/SomeCode.git as jake@example.com
DEBUG [abcdef01] Command: ( GIT_ASKPASS=/bin/echo GIT_SSH=/tmp/somecode/git-ssh.sh /usr/bin/env git ls-remote --heads git@github.com:SomeUser/SomeCode.git )
DEBUG [abcdef01]    Permission denied (publickey).
DEBUG [abcdef01]    fatal: Could not read from remote repository.
DEBUG [abcdef01]
DEBUG [abcdef01]    Please make sure you have the correct access rights
DEBUG [abcdef01]    and the repository exists.
(Backtrace restricted to imported tasks)
cap aborted!
SSHKit::Runner::ExecuteError: Exception while executing as jake@example.com: git exit status: 128
git stdout: Nothing written
git stderr: Permission denied (publickey).
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.

SSHKit::Command::Failed: git exit status: 128
git stdout: Nothing written
git stderr: Permission denied (publickey).
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.

Tasks: TOP => git:check
(See full trace by running task with --trace)
The deploy has failed with an error: Exception while executing as jake@example.com: git exit status: 128
git stdout: Nothing written
git stderr: Permission denied (publickey).
fatal: Could not read from remote repository.

Please make sure you have the correct access rights and the repository exists.

Recommended answer

Seems like it’s an issue with SSH keys not being automatically added as it used to be in Mac OS X 10.11 (El Capitan). Is this expected behavior from macOS Sierra or something connected to OpenSSH?

So one solution I found is to run ssh-add with the -A option—which adds all known identities to the SSH agent using any passphrases stored in your keychain—like this:

ssh-add -A

Now this works but it won’t persist across reboots. So if you want to never worry about this again, just open up your user’s ~/.bash_profile file like this:

nano ~/.bash_profile

And add this line to the bottom:

ssh-add -A 2>/dev/null;

Now when you open a new Terminal window, all should be good!

So while the ssh-add -A option should work for most basic cases, I ran into an issue recently where I had 6-7 Vagrant boxes (which use SSH keys/identities for access) set up on a machine on top of the more common id_rsa.pub in place.

Long story short, I ended up being locked out of a remote server due to too many failed tries based on SSH keys/identities since the server access was based on a password and SSH keys/identities are SSH keys/identities. So the SSH agent tried all of my SSH keys, failed and I couldn’t even get to the password prompt.

The problem is that ssh-add -A will just arbitrarily add every single SSH key/identity you have to the agent even if it’s not necessary to do so; such as in the case of Vagrant boxes.

My solution after much testing was as follows.

First, if you have more SSH keys/identities added to your agent than you need (as shown with ssh-add -l), then purge them all from the agent like so:

ssh-add -D

With that done, then start the SSH agent as a background process like so:

eval "$(ssh-agent -s)"

Now, it gets weird and I am not too sure why. In some cases you can specifically add the ~/.ssh/id_rsa.pub key/identity to the agent like so:

ssh-add ~/.ssh/id_rsa.pub

Type in your passphrase, hit Return and you should be good to go.

But in other cases simply running this is enough to get the key/identity added:

ssh-add -K

If that’s all worked, type in ssh-add -l and you should see one lone SSH key/identity listed.

All good? Now open up your .bash_profile:

nano ~/.bash_profile

And add this line to the bottom; comment or remove the -A version if you have that in place:

ssh-add -K

That will allow the SSH key/identity to be reloaded to the SSH agent on each startup/reboot.

UPDATE 1: Based on davidalger’s answer I discovered a nicer, global solution that can work for all users on a system. Just open up the global SSH config located here via sudo:

sudo nano /etc/ssh/ssh_config

And add this line to the bottom of the file:

AddKeysToAgent yes

Did that, after removing the .bash_profile fix, and all is good as well.

As of macOS Sierra 10.12.2, Apple (I assume) has added a UseKeychain config option for SSH configs. Checking the man page (via man ssh_config) shows the following info:

UseKeychain
        On macOS, specifies whether the system should search for
        passphrases in the user's keychain when attempting to use a par-
        ticular key. When the passphrase is provided by the user, this
        option also specifies whether the passphrase should be stored
        into the keychain once it has been verified to be correct.  The
        argument must be ``yes'' or ``no''.  The default is ``no''.

Which boils down to Apple seeing the solution as either adding ssh-add -A to your .bash_profile as explained in this Open Radar ticket or adding UseKeychain as one of the options in a per user ~/.ssh/config.
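
Added example, not part of the original answer: a shell sketch of why an agent loaded with the id_rsa key plus several Vagrant keys can be cut off before the password prompt, and a per-host ~/.ssh/config stanza that keeps the extra keys from being offered. The limit of 6 is sshd's MaxAuthTries default; the key listing, paths and function names are constructed, and IdentitiesOnly and IgnoreUnknown are standard ssh_config options that the answer itself does not mention.

```shell
#!/bin/sh
# Added example; listing, paths and function names are constructed.

# Constructed `ssh-add -l` output: id_rsa plus six Vagrant box keys.
sample_listing() {
    echo '2048 SHA256:CONSTRUCTED0 /Users/jake/.ssh/id_rsa (RSA)'
    for i in 1 2 3 4 5 6; do
        echo "2048 SHA256:CONSTRUCTED$i /Users/jake/box$i/private_key (RSA)"
    done
}

# Count identities in `ssh-add -l` output on stdin. Key lines start with the
# bit length; "The agent has no identities." does not, so it counts as 0.
agent_key_count() {
    grep -c -E '^[0-9]+ ' || true
}

# Every agent key the server rejects uses one authentication attempt, and
# sshd drops the connection after MaxAuthTries failures (default 6).
# $1 = identities in the agent, $2 = server limit. Prints "ok" or "risk".
auth_budget() {
    if [ "$1" -ge "${2:-6}" ]; then
        echo "risk"   # may be disconnected before the password prompt
    else
        echo "ok"
    fi
}

# Print a ~/.ssh/config stanza pinning one key to one host.
# IdentitiesOnly keeps the agent's other keys from being offered there;
# IgnoreUnknown lets non-Apple ssh builds skip the macOS-only UseKeychain.
host_stanza() {
    printf 'Host %s\n' "$1"
    printf '  IgnoreUnknown UseKeychain\n'
    printf '  IdentityFile %s\n' "$2"
    printf '  IdentitiesOnly yes\n'
    printf '  AddKeysToAgent yes\n'
    printf '  UseKeychain yes\n'
}

n=$(sample_listing | agent_key_count)
echo "identities in agent: $n -> $(auth_budget "$n")"
host_stanza example.com '~/.ssh/id_rsa'
```

On a real machine, pipe `ssh-add -l` into `agent_key_count` instead of the constructed listing.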
