为什么 ssh-agent 需要 root 访问权限? [英] Why does ssh-agent need root access?

问题描述

我刚刚安装了 Archbang，正在尝试克隆我的一个 Git 项目，这需要 SSH 密钥.

I've just installed Archbang, and am trying to clone a Git project of mine, which necessitates SSH keys.

我过去曾在 Ubuntu 和 RedHat 机器上遵循 Github 指南获得成功，但由于某种原因，它在我的新 Arch 安装中不起作用.

I've followed the Github guide to success in the past, on Ubuntu and RedHat boxes, but for some reason it's not working out for me on my new Arch install.

我已使用此命令成功生成了我的 SSH 公钥/私钥对:

I've successfully generated my SSH public/private key pairs with this command:

ssh-keygen -t rsa -b 4096 -C "email@address"

但是当我继续启动 SSH 代理并添加我的公钥时，我遇到了问题.

But when I move on to starting up the SSH agent and adding my public key, I run into issues.

[user@arch ~]$ eval "$(ssh-agent -s)"
bind: Permission denied
unix_listener: cannot bind to path: /tmp/ssh-ZqYqSabxjZeA/agent.9328

但是，如果我以 root 身份运行它，这是成功的:

This is successful, however, if I run it as root:

[user@arch ~]$ eval "$(sudo ssh-agent -s)"
[sudo] password for user: 
Agent pid 9146

但我很确定我不想以 root 身份执行 SSH 操作.

But I'm pretty sure I don't want to be doing SSH things as root.

继续前进，当我尝试使用 ssh-add 时，我也收到权限错误，但这次是标准用户和 root 用户:

Continuing forward, when I then try to use ssh-add, I get permissions errors, as well, but this time as both the standard user and root:

[user@arch ~]$ ssh-add .ssh/id_rsa.pub
Could not open a connection to your authentication agent.
[user@arch ~]$ sudo ssh-add .ssh/id_rsa.pub
Could not open a connection to your authentication agent.

所以现在我真的很困惑.

So now I'm really confused.

我已经尝试以 root 用户身份打开一个 bash 进程来做这些事情，但是 1) 我不喜欢这个想法 2) 它仍然不起作用，但这次是出于不同的原因:

I've tried opening up a bash process as root to do this stuff, but 1) I don't like that idea and 2) it still doesn't work, but this time for a different reason:

[user@arch ~]$ sudo ssh-agent -s
[root@arch ~]# ssh-add .ssh/id_rsa.pub
Enter passphrase for .ssh/id_rsa.pub:
Bad passphrase, try again for .ssh/id_rsa.pub:

出于某种原因，在 root shell 中执行此操作会导致我的 SSH 密钥密码被拒绝；我已经用最简单的密码尝试了多次，所以我肯定我给了它正确的密码.

For some reason, doing this in a root shell causes my SSH key passphrase to be rejected; I've tried this multiple times, with the simplest of passphrases, so I'm positive I've given it the correct passphrase.

我不知所措.我真的不喜欢所有这些 sudo 的东西，我不知道为什么它似乎是必要的；我已经检查了 .ssh 目录及其文件的权限，甚至删除了整个目录并重新生成密钥，以确保它们没有使用错误的权限生成.

I'm at a loss. I really don't like all this sudo stuff, and I don't know why it seems to be necessary; I've checked the permissions on the .ssh directory and its files, even going as far as deleting the whole directory and regenerating the keys to be sure they aren't being generated with the wrong permissions.

有人可以帮我吗?我做错了什么?

Can someone please help me out here? What am I doing wrong?

为了回应建议的答案，我使用主目录中的套接字位置再次尝试了此操作.结果如下:

In response to suggested answers, I have tried this again using a socket location inside my home directory. These are the results:

[user@arch ~]$ mkdir -m 700 ~/.ssh
[user@arch ~]$ ssh-keygen -t rsa -b 4096 -C "email@address"
Generating public/private rsa key pair.
Enter file in which to save the key (/home/user/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/user/.ssh/id_rsa.
Your public key has been saved in /home/user/.ssh/id_rsa.pub.
...
[user@arch ~]$ chmod 644 .ssh/id_rsa.pub && chmod 600 .ssh/id_rsa
[user@arch ~]$ eval "$(ssh-agent -sa .ssh-agent.$$)"
Agent pid 1881
[user@arch ~]$ ssh-add .ssh/id_rsa.pub
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0644 for '.ssh/id_rsa.pub' are too open.
It is recommended that your private key files are NOT accessible by others.
This private key will be ignored.

此时，我很困惑为什么这些权限是不可接受的，以及为什么它认为我的公钥是私钥.但我很幽默，将权限更改为 600 并尝试再次添加.

At this point, I'm confused as to why those permissions are not acceptable, and as to why it thinks my public key is a private key. But I humor it, changing the permissions to 600 and trying to add it again.

[user@arch ~]$ chmod 600 .ssh/id_rsa.pub
[user@arch ~]$ ssh-add .ssh/id_rsa.pub
Enter passphrase for .ssh/id_rsa.pub:
Bad passphrase, try again for .ssh/id_rsa.pub:

现在我遇到了与以前类似的情况:它不喜欢我为 SSH 密钥创建的密码.这是怎么回事?！这真是令人费解.

And now I've gotten to a similar spot as I was before: it does not like the passphrase I've created for my SSH key. What's going on?! This is truly perplexing.

推荐答案

您运行的用户似乎没有写入默认 ssh-agent 套接字位置的权限.

It seems the user you're running as doesn't have permission to write to the default ssh-agent socket location.

这应该可以解决您的问题:

This should fix your problem:

ssh-agent -a ~/.ssh-agent.$$

这使用 -a 选项指定套接字位置，如 ~/.ssh-agent.$$，即在您的主目录中.

This specifies the socket location with the -a option, as ~/.ssh-agent.$$, ie, inside your home directory.

权限问题可能是由简单的 UNIX 权限(即，/tmp 不能由该用户写入)或 SELinux 或其他原因引起的.

The permissions issue could be caused by something like simple UNIX permissions (ie, /tmp not writeable by that user), or SELinux, or something else.

这篇关于为什么 ssh-agent 需要 root 访问权限?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！