Git Permission denied (publickey,gssapi-keyex,gssapi-with-mic)?


Problem description


Client: OS Ubuntu, git-version 2.7.4.

Server: OS CentOS, git-version 2.7.4.

I have a private ssh key in my client and public key in server.

I can use shell to enter my server (no password).

But can't push origin master!

```
sudo ssh -i /path/to/key/ -vT git@xxx.xx.xxx.xxx
OpenSSH_7.2p2 Ubuntu-4ubuntu2.2, OpenSSL 1.0.2g  1 Mar 2016
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to xxx.xx.xxx.xxx [xxx.xx.xxx.xxx] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: identity file /home/whj/.ssh/whjwebsite type 1
debug1: key_load_public: No such file or directory
debug1: identity file /home/whj/.ssh/whjwebsite-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.2
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.6.1
debug1: match: OpenSSH_6.6.1 pat OpenSSH_6.6.1* compat 0x04000000
debug1: Authenticating to xxx.xx.xxx.xxx:22 as 'git'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256@libssh.org
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:aC1Ydp+6x8IP+TV5jEl7WwqW6sEycbznbfL09qON/OA
debug1: Host 'xxx.xx.xxx.xxx' is known and matches the ECDSA host key.
debug1: Found key in /root/.ssh/known_hosts:1
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure.  Minor code may provide more information
No Kerberos credentials available
debug1: Unspecified GSS failure.  Minor code may provide more information
No Kerberos credentials available
debug1: Unspecified GSS failure.  Minor code may provide more information
debug1: Unspecified GSS failure.  Minor code may provide more information
No Kerberos credentials available
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/whj/.ssh/whjwebsite
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug1: No more authentication methods to try.
Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
```

'whjwebsite' is my private key.

```
drwx------ .ssh/
-rw------- whjwebsite
```

server: sshd_config:

```
RSAAuthentication yes
PubkeyAuthentication yes
GSSAPIAuthentication yes
GSSAPICleanupCredentials no
UseDNS no
AddressFamily inet
PermitRootLogin yes
SyslogFacility AUTHPRIV
PasswordAuthentication no
ChallengeResponseAuthentication no
```

client: ssh_config (screenshot in the original post; not preserved here)

Solution

My 2 cents: on server side, disable GSSAPIAuthentication (i.e. SSO backed by Kerberos) unless you are using Active Directory authentication on Linux (with either Centrify or SSSD) inside a corporate firewall.

If you are indeed in an SSO scenario, but Single Sign-On does not work out of the box for some reason, then use client-side options to bypass Kerberos, e.g.

```
ssh -o GSSAPIAuthentication=no -o GSSAPIKeyExchange=no
```
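An added example, not part of the original question or answer: a small parser for the authentication phase of `ssh -v` output like the log in the question, reporting the GSSAPI and publickey outcomes separately. The sample log is constructed from the question's output, and the function names are hypothetical.

```python
import re

# Constructed sample: the authentication phase of the `ssh -v` output in the question.
SAMPLE_LOG = """\
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure.  Minor code may provide more information
No Kerberos credentials available
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/whj/.ssh/whjwebsite
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug1: No more authentication methods to try.
Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
"""

def summarize_auth(log):
    """Return what the server allowed, what the client tried, and how it ended."""
    out = {"server_methods": [], "tried": [], "offered": [],
           "accepted": 0, "no_kerberos": 0, "denied": False}
    for line in log.splitlines():
        if m := re.search(r"Authentications that can continue: (\S+)", line):
            out["server_methods"] = m.group(1).split(",")
        elif m := re.search(r"Next authentication method: (\S+)", line):
            out["tried"].append(m.group(1))
        # Older clients print "Offering RSA public key:", newer "Offering public key:".
        elif m := re.search(r"Offering (?:\S+ )?public key: (\S+)", line):
            out["offered"].append(m.group(1))
        elif "Server accepts key" in line:
            out["accepted"] += 1
        elif "No Kerberos credentials available" in line:
            out["no_kerberos"] += 1
        elif line.startswith("Permission denied"):
            out["denied"] = True
    return out

def findings(s):
    """Report GSSAPI and publickey outcomes separately so one does not mask the other."""
    notes = []
    gss = [m for m in s["tried"] if m.startswith("gssapi")]
    if gss and s["no_kerberos"]:
        notes.append("gssapi tried without Kerberos credentials: " + ",".join(gss))
    if s["offered"] and not s["accepted"]:
        notes.append("publickey offered but not accepted: " + ",".join(s["offered"]))
    if s["denied"]:
        notes.append("ended with Permission denied")
    return notes
```

Feed it the saved stderr of an `ssh -v` run and print `findings(summarize_auth(text))`.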
