Git Permission denied (publickey,gssapi-keyex,gssapi-with-mic)?
Problem description
Client: OS Ubuntu, git-version 2.7.4.
Server: OS CentOS, git-version 2.7.4.
I have a private SSH key on my client and the public key on the server.
I can use the shell to enter my server (no password).
But I can't push origin master!
```
sudo ssh -i /path/to/key/ -vT git@xxx.xx.xxx.xxx
OpenSSH_7.2p2 Ubuntu-4ubuntu2.2, OpenSSL 1.0.2g 1 Mar 2016
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to xxx.xx.xxx.xxx [xxx.xx.xxx.xxx] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: identity file /home/whj/.ssh/whjwebsite type 1
debug1: key_load_public: No such file or directory
debug1: identity file /home/whj/.ssh/whjwebsite-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.2
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.6.1
debug1: match: OpenSSH_6.6.1 pat OpenSSH_6.6.1* compat 0x04000000
debug1: Authenticating to xxx.xx.xxx.xxx:22 as 'git'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256@libssh.org
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:aC1Ydp+6x8IP+TV5jEl7WwqW6sEycbznbfL09qON/OA
debug1: Host 'xxx.xx.xxx.xxx' is known and matches the ECDSA host key.
debug1: Found key in /root/.ssh/known_hosts:1
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure. Minor code may provide more information No Kerberos credentials available
debug1: Unspecified GSS failure. Minor code may provide more information No Kerberos credentials available
debug1: Unspecified GSS failure. Minor code may provide more information
debug1: Unspecified GSS failure. Minor code may provide more information No Kerberos credentials available
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/whj/.ssh/whjwebsite
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug1: No more authentication methods to try.
Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
```
'whjwebsite' is my private key.
```
drwx------ .ssh/
-rw------- whjwebsite
```
server:sshd_config:
```
RSAAuthentication yes
PubkeyAuthentication yes
GSSAPIAuthentication yes
GSSAPICleanupCredentials no
UseDNS no
AddressFamily inet
PermitRootLogin yes
SyslogFacility AUTHPRIV
PasswordAuthentication no
ChallengeResponseAuthentication no
```
client:ssh_config
My 2 cents: on server side, disable GSSAPIAuthentication (i.e. SSO backed by Kerberos) unless you are using Active Directory authentication on Linux (with either Centrify or SSSD) inside a corporate firewall.
If you are indeed in a SSO scenario, but Single Sign-On does not work out of the box for some reason, then use client-side options to bypass Kerberos e.g.
```
ssh -o GSSAPIAuthentication=no -o GSSAPIKeyExchange=no
```
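The authentication phase of the `ssh -v` log above can be reduced to a few findings, which separates the GSSAPI failures (no Kerberos credentials) from the public key that the server then refuses. This is an added example, not part of the original question or answer; the names `ssh_auth_summary` and `sample_log`, the `key=value` output format and the abridged sample log are assumptions made here.

```shell
#!/bin/sh
# Added example: summarise the authentication phase of `ssh -v` debug output.
# Reads the log on stdin and prints one key=value finding per line.
ssh_auth_summary() {
    awk '
    /^debug1: Authentications that can continue:/ {
        allowed = $NF                       # methods the server still accepts
        # A key offered just before this line was not accepted by the server.
        if (pending != "") { rejected[++r] = pending; pending = "" }
        next
    }
    /^debug1: Next authentication method:/ { tried = tried sep $NF; sep = ","; next }
    /No Kerberos credentials available/    { nokrb = 1; next }
    /^debug1: Offering .*public key:/ {
        sub(/^.*public key: */, ""); pending = $1   # path of the offered key
        next
    }
    /^debug1: Authentication succeeded/    { ok = 1; pending = ""; next }
    END {
        print "server_allows=" allowed
        print "tried=" tried
        if (nokrb) print "gssapi=no_kerberos_credentials"
        for (i = 1; i <= r; i++) print "key_rejected=" rejected[i]
        print "result=" (ok ? "authenticated" : "denied")
    }'
}

# Constructed sample: the authentication lines of the log above, abridged.
sample_log() {
    cat <<'EOF'
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure. Minor code may provide more information No Kerberos credentials available
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/whj/.ssh/whjwebsite
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug1: No more authentication methods to try.
Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
EOF
}

sample_log | ssh_auth_summary
# Live use (HOST is a placeholder); ssh writes its debug output to stderr:
#   ssh -vT -o GSSAPIAuthentication=no git@HOST 2>&1 | ssh_auth_summary
```

With `-o GSSAPIAuthentication=no` on the client, the `tried=` line shrinks to `publickey` and the `gssapi=` line disappears, leaving only the key decision to investigate.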