use ssh keys with passphrase on a vagrant+chef setup


Problem description



I've got a vm running using vagrant, and I'm provisioning it with Chef. One of the steps involves cloning a git repo, but my ssh-key (on my host machine) has a passphrase on it.

When I run vagrant up, the process fails at the git clone step with the following error:

    Permission denied (publickey). fatal: The remote end hung up unexpectedly

(The key has been added on the host machine, with the passphrase.)

I tried to solve this with ssh agent forwarding by doing the following:

- Added config.ssh.forward_agent = true to the Vagrantfile
- Added Defaults env_keep = "SSH_AUTH_SOCK" to /etc/sudoers on the vm

Now, vagrant up still fails when it gets to the git clone part, but if I run vagrant provision after that, it passes. I'm guessing this is because the ssh configuration is set up when the vm is brought up and isn't reloaded.

I have tried to reload ssh after adjusting those two settings, but that hasn't helped.

Any idea how to solve this?

Thanks.

Solution

As you noted, updating sudoers during the initial run is too late to be beneficial to that run as chef is already running under sudo by that point.

Instead I wrote a hacky recipe that finds the appropriate ssh socket to use and updates the SSH_AUTH_SOCK environment to suit. It also disables strict host key checking so the initial outbound connection is automatically approved.

Save this as a recipe that's executed anytime prior to the first ssh connection (tested with Ubuntu but should work with other distributions):

directory "/root/.ssh" do
  action :create
  mode 0700
end

file "/root/.ssh/config" do
  action :create
  content "Host *\nStrictHostKeyChecking no"
  mode 0600
end

ruby_block "Give root access to the forwarded ssh agent" do
  block do
    # find a parent process' ssh agent socket: sshd creates the forwarded
    # agent socket as /tmp/ssh-XXXX/agent.<pid of the sshd session process>,
    # and that sshd process is an ancestor of the chef run started over vagrant ssh
    agents = {}
    Dir.glob('/tmp/ssh*/agent*').each do |fn|
      next unless (m = fn.match(/agent\.(\d+)$/))
      agents[m[1]] = fn
    end
    # walk up the process tree via /proc/<pid>/status until init (pid 1);
    # keep pids as strings so they match the hash keys taken from the socket names
    ppid = Process.ppid.to_s
    while ppid != '1'
      if (agent = agents[ppid])
        ENV['SSH_AUTH_SOCK'] = agent
        break
      end
      ppid = File.read("/proc/#{ppid}/status").match(/PPid:\s+(\d+)/)[1]
    end
    # Uncomment to require that an ssh-agent be available
    # fail "Could not find running ssh agent - Is config.ssh.forward_agent enabled in Vagrantfile?" unless ENV['SSH_AUTH_SOCK']
  end
  action :run
end

Alternatively create a box with the sudoers update already in it and base your future VMs off of that.
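The parent-process walk from the answer, restated as an added example (not the answer's own code) as a pure function over a constructed process tree, so the lookup can be checked without a live /proc and so that the pid-keyed hash uses Integers throughout (the answer's version starts with an Integer from Process.ppid but keys the hash by String, so the first ancestor can never match). SAMPLE_TREE, SAMPLE_SOCKETS and the live_* readers are names assumed here for illustration.

```ruby
# Added example: find the forwarded ssh-agent socket owned by an ancestor process.
#   parent_of: Hash (child pid => parent pid), standing in for /proc/<pid>/status
#   sockets:   Array of socket paths shaped like /tmp/ssh-XXXX/agent.<pid>
# Returns the socket path of the nearest ancestor that owns one, or nil.
def find_agent_socket(start_pid, parent_of, sockets)
  # index sockets by the pid embedded in their name, as Integer so lookups agree with pids
  by_pid = {}
  sockets.each do |path|
    m = path.match(/agent\.(\d+)\z/)
    by_pid[m[1].to_i] = path if m
  end
  pid = start_pid
  seen = {} # guard against a malformed or cyclic tree
  until pid.nil? || pid <= 1 || seen[pid]
    seen[pid] = true
    return by_pid[pid] if by_pid[pid]
    pid = parent_of[pid] # nil when the parent cannot be resolved, which ends the walk
  end
  nil
end

# Live readers for a Linux guest (assumed helper names); kept apart from the walk so the
# walk itself stays testable offline. A missing /proc entry yields nil and stops the walk.
def live_parent_of
  Hash.new { |_, pid| (File.read("/proc/#{pid}/status")[/^PPid:\s+(\d+)/, 1].to_i rescue nil) }
end

def live_sockets
  Dir.glob('/tmp/ssh-*/agent.*')
end

# Constructed sample tree: chef (400) <- sudo (300) <- bash (200) <- sshd session (100) <- sshd (50) <- init (1)
SAMPLE_TREE = { 400 => 300, 300 => 200, 200 => 100, 100 => 50, 50 => 1 }
# Constructed socket path, shaped like the one sshd creates when ForwardAgent is in effect
SAMPLE_SOCKETS = ['/tmp/ssh-abc123/agent.100']

if __FILE__ == $PROGRAM_NAME
  sock = find_agent_socket(Process.pid, live_parent_of, live_sockets)
  puts(sock ? "forwarded agent socket: #{sock}" : "no forwarded agent socket found among ancestors")
end
```

The config resource in the answer turns host key verification off for every host; pinning the git server's key in /root/.ssh/known_hosts gives the same unattended first clone without accepting whatever key that first connection presents.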
