为什么ssh-agent需要root访问权限? [英] Why does ssh-agent need root access?

问题描述

我刚刚安装了Archbang，并试图克隆我的Git项目，该项目需要SSH密钥.

I've just installed Archbang, and am trying to clone a Git project of mine, which necessitates SSH keys.

过去，我一直在Github上的Ubuntu和RedHat盒上遵循成功指南，但是由于某些原因，在我的新Arch安装中，它对我来说不起作用.

I've followed the Github guide to success in the past, on Ubuntu and RedHat boxes, but for some reason it's not working out for me on my new Arch install.

我已经使用以下命令成功生成了我的SSH公钥/私钥对:

I've successfully generated my SSH public/private key pairs with this command:

ssh-keygen -t rsa -b 4096 -C "email@address"

但是当我继续启动SSH代理并添加我的公钥时，我遇到了问题.

But when I move on to starting up the SSH agent and adding my public key, I run into issues.

[user@arch ~]$ eval "$(ssh-agent -s)"
bind: Permission denied
unix_listener: cannot bind to path: /tmp/ssh-ZqYqSabxjZeA/agent.9328

但是，如果我以root身份运行它，则会成功:

This is successful, however, if I run it as root:

[user@arch ~]$ eval "$(sudo ssh-agent -s)"
[sudo] password for user: 
Agent pid 9146

但是我很确定我不想以root身份进行SSH.

But I'm pretty sure I don't want to be doing SSH things as root.

继续前进，然后当我尝试使用 ssh-add 时，我也会遇到权限错误，但是这次是标准用户和root用户:

Continuing forward, when I then try to use ssh-add, I get permissions errors, as well, but this time as both the standard user and root:

[user@arch ~]$ ssh-add .ssh/id_rsa.pub
Could not open a connection to your authentication agent.
[user@arch ~]$ sudo ssh-add .ssh/id_rsa.pub
Could not open a connection to your authentication agent.

所以现在我真的很困惑.

So now I'm really confused.

我曾尝试以root身份打开bash进程来执行此操作，但1)我不喜欢该想法，2)仍然不起作用，但这一次是出于不同的原因:

I've tried opening up a bash process as root to do this stuff, but 1) I don't like that idea and 2) it still doesn't work, but this time for a different reason:

[user@arch ~]$ sudo ssh-agent -s
[root@arch ~]# ssh-add .ssh/id_rsa.pub
Enter passphrase for .ssh/id_rsa.pub:
Bad passphrase, try again for .ssh/id_rsa.pub:

由于某种原因，在root shell中执行此操作会导致我的SSH密钥密码短语被拒绝；我已经用最简单的密码尝试了多次，所以我很肯定我给了它正确的密码.

For some reason, doing this in a root shell causes my SSH key passphrase to be rejected; I've tried this multiple times, with the simplest of passphrases, so I'm positive I've given it the correct passphrase.

我很茫然.我真的不喜欢所有这些 sudo 东西，而且我也不知道为什么它似乎是必需的.我已经检查了.ssh目录及其文件的权限，甚至删除了整个目录并重新生成了密钥，以确保它们不是由错误的权限生成的.

I'm at a loss. I really don't like all this sudo stuff, and I don't know why it seems to be necessary; I've checked the permissions on the .ssh directory and its files, even going as far as deleting the whole directory and regenerating the keys to be sure they aren't being generated with the wrong permissions.

有人可以在这里帮助我吗?我在做什么错了?

Can someone please help me out here? What am I doing wrong?

编辑:为响应建议的答案，我已经使用主目录中的套接字位置再次尝试了此操作.这些是结果:

In response to suggested answers, I have tried this again using a socket location inside my home directory. These are the results:

[user@arch ~]$ mkdir -m 700 ~/.ssh
[user@arch ~]$ ssh-keygen -t rsa -b 4096 -C "email@address"
Generating public/private rsa key pair.
Enter file in which to save the key (/home/user/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/user/.ssh/id_rsa.
Your public key has been saved in /home/user/.ssh/id_rsa.pub.
...
[user@arch ~]$ chmod 644 .ssh/id_rsa.pub && chmod 600 .ssh/id_rsa
[user@arch ~]$ eval "$(ssh-agent -sa .ssh-agent.$$)"
Agent pid 1881
[user@arch ~]$ ssh-add .ssh/id_rsa.pub
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0644 for '.ssh/id_rsa.pub' are too open.
It is recommended that your private key files are NOT accessible by others.
This private key will be ignored.

在这一点上，我对于为什么这些权限不被接受以及为什么它认为我的公共密钥是私有密钥感到困惑.但是我很幽默，将权限更改为600，然后尝试再次添加.

At this point, I'm confused as to why those permissions are not acceptable, and as to why it thinks my public key is a private key. But I humor it, changing the permissions to 600 and trying to add it again.

[user@arch ~]$ chmod 600 .ssh/id_rsa.pub
[user@arch ~]$ ssh-add .ssh/id_rsa.pub
Enter passphrase for .ssh/id_rsa.pub:
Bad passphrase, try again for .ssh/id_rsa.pub:

现在我到达了和以前相似的地方:它不喜欢我为我的SSH密钥创建的密码短语.这是怎么回事?！这真是令人困惑.

And now I've gotten to a similar spot as I was before: it does not like the passphrase I've created for my SSH key. What's going on?! This is truly perplexing.

推荐答案

您正在运行的用户似乎无权写入默认的ssh-agent套接字位置.

It seems the user you're running as doesn't have permission to write to the default ssh-agent socket location.

这应该可以解决您的问题:

This should fix your problem:

ssh-agent -a ~/.ssh-agent.$$

这用 -a 选项指定套接字位置，作为〜/.ssh-agent.$$ ，即在您的主目录中.

This specifies the socket location with the -a option, as ~/.ssh-agent.$$, ie, inside your home directory.

权限问题可能是由诸如简单的UNIX权限(即该用户不可写的/tmp )，SELinux或其他原因引起的.

The permissions issue could be caused by something like simple UNIX permissions (ie, /tmp not writeable by that user), or SELinux, or something else.

这篇关于为什么ssh-agent需要root访问权限?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！