git - 为什么 authorized_keys 被忽略了？

Question

我全新安装了 CentOS 6.5，我将其用作小型团队的开发服务器。我们有一个中央裸 Git 存储库，我们将通过 ssh 连接到它。

我设置了一个名为 git 的用户和一个名为 test 的用户。 test 的公钥已附加到 git 的 authorized_keys 文件中。据我所知，权限都是正确的:

[test@hackdashit ~]$ ls -aZ ~/.ssh/
drwx------. test developers unconfined_u:object_r:ssh_home_t:s0 .
drwx-----x. test developers unconfined_u:object_r:user_home_dir_t:s0 ..
-rw-------. test developers unconfined_u:object_r:ssh_home_t:s0 authorized_keys
-rw-------. test developers unconfined_u:object_r:ssh_home_t:s0 config
-rw-------. test developers unconfined_u:object_r:ssh_home_t:s0 id_rsa
-rw-------. test developers unconfined_u:object_r:ssh_home_t:s0 id_rsa.pub

以及 ssh 目录本身:

[test@hackdashit ~]$ ls -aZ ~
drwx------. test developers unconfined_u:object_r:ssh_home_t:s0 .ssh

从远程机器连接时，使用私钥，无需密码即可连接。但是，当我尝试在本地连接时，我看到了:

[test@hackdashit ~]$ ssh -v hackdashit
OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013
debug1: Reading configuration data /home/test/.ssh/config
debug1: Applying options for hackdashit
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to localhost [::1] port 22.
debug1: Connection established.
debug1: identity file /home/test/.ssh/id_rsa type 1
debug1: identity file /home/test/.ssh/id_rsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
debug1: match: OpenSSH_5.3 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.3
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
The authenticity of host 'localhost (::1)' can't be established.
RSA key fingerprint is 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00.
Are you sure you want to continue connecting (yes/no)?

注意:我更改了上面的RSA key 指纹

这些是我的 ~/.ssh/config 文件的内容:

Host hackdashit
  Hostname localhost
  User git
  IdentityFile ~/.ssh/id_rsa

当我尝试运行 Git 时，同样的事情发生了:

[test@hackdashit ~]$ git clone ssh://hackdashit/repos/test.git
Initialized empty Git repository in /home/test/test/.git/
The authenticity of host 'localhost (::1)' can't be established.
RSA key fingerprint is c3:9f:65:f0:04:39:93:82:7e:1d:57:9b:16:2f:76:59.
Are you sure you want to continue connecting (yes/no)?

谁能告诉我哪里出了问题，让 test 帐户无需密码的 ssh 连接到 git 帐户，这样我就可以在本地使用 Git还是通过 ssh 远程？

注意:我也读过this和 this关于此事的问题，但我认为它们与我无关，因为权限(包括 SELinux)看起来是正确的。

更新

我停止了 sshd 然后运行 ​​sudo/usr/sbin/sshd -d 并尝试连接 ssh test@localhost 和 ~/.ssh/config 文件被删除，得到如下输出:

debug1: Server will not fork when running in debugging mode.
debug1: rexec start in 5 out 5 newsock 5 pipe -1 sock 8
debug1: inetd sockets after dupping: 3, 3
Connection from ::1 port 39980
debug1: Client protocol version 2.0; client software version OpenSSH_5.3
debug1: match: OpenSSH_5.3 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.3
debug1: permanently_set_uid: 74/74
debug1: list_hostkey_types: ssh-rsa,ssh-dss
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS

Answer 1

想了解更多，可以试试:

ssh -Tvvv hackdashit

还有:

sudo sshd stop
sudo ssh -Dd

这样，您将从 ssh 守护进程 (sshd) 的角度看到它接收到什么以及完成查询时遗漏了什么(如 this answer 中所示)。

你还可以检查你是否更进一步:

 ssh -o StrictHostKeyChecking=no hackdashit

请注意，用于 git 的 url 将是:

git clone hackdashit:/repos/test.git

---

OP LeonardChallis确认 in the comments :

The StrictHostKeyChecking=no sent my down the right route.
I ran

ssh-keyscan -t rsa localhost > /etc/ssh/ssh_known_hosts 

and it magically works :)