20

我现在每周呆在这里两天。

我有一台带有 Gitlab4 和 gitolite 的 CentOs 机器。几个星期以来一切正常,但上周末突然发生了一些奇怪的事情,所有的二进制文件都从 mashine 中消失了(比如 yum、python、ruby、mysql 等。)我真的不知道这是怎么发生的......经过数小时的重新安装和编译 gitlab 又开始工作了。

但我无法让gitlabgit用户之间的 ssh 密钥正常工作。我已经删除并重新创建了 git 用户,再次设置了所有权限,重新创建了 ssh 密钥,重新安装了 gitolite 等。但没有任何效果,我不断收到同样的错误。

git 用户 .ssh 文件夹

-rwx------ 1 git git  557 Mar 27 16:46 authorized_keys

gitlab 用户 .ssh 文件夹

-rw------- 1 gitlab gitlab 1671 Mar 27 16:45 id_rsa
-rw-r--r-- 1 gitlab gitlab  406 Mar 27 16:45 id_rsa.pub
-rw-r--r-- 1 gitlab gitlab  391 Mar 27 16:50 known_hosts

SSH 错误:

ssh -vvvT git@localhost
OpenSSH_4.3p2, OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to localhost [127.0.0.1] port 22.
debug1: Connection established.
debug1: identity file /home/gitlab/.ssh/identity type -1
debug3: Not a RSA1 key file /home/gitlab/.ssh/id_rsa.
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug3: key_read: missing keytype
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug2: key_type_from_name: unknown key type '-----END'
debug3: key_read: missing keytype
debug1: identity file /home/gitlab/.ssh/id_rsa type 1
debug1: identity file /home/gitlab/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_4.3p2
debug1: match: OpenSSH_4.3p2 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.3p2
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: first_kex_follows 0 
debug2: kex_parse_kexinit: reserved 0 
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: first_kex_follows 0 
debug2: kex_parse_kexinit: reserved 0 
debug2: mac_init: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 none
debug2: mac_init: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 132/256
debug2: bits set: 502/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug3: check_host_in_hostfile: filename /home/gitlab/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 1
debug1: Host 'localhost' is known and matches the RSA host key.
debug1: Found key in /home/gitlab/.ssh/known_hosts:1
debug2: bits set: 505/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /home/gitlab/.ssh/identity ((nil))
debug2: key: /home/gitlab/.ssh/id_rsa (0x848ba50)
debug2: key: /home/gitlab/.ssh/id_dsa ((nil))
debug1: Authentications that can continue: publickey,password
debug3: start over, passed a different list publickey,password
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /home/gitlab/.ssh/identity
debug3: no such identity: /home/gitlab/.ssh/identity
debug1: Offering public key: /home/gitlab/.ssh/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,password
debug1: Trying private key: /home/gitlab/.ssh/id_dsa
debug3: no such identity: /home/gitlab/.ssh/id_dsa
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred: ,password
debug3: authmethod_is_enabled password
debug1: Next authentication method: password

身份验证日志给了我:

Apr  2 10:19:13 venus sshd[15693]: User git not allowed because account is locked
Apr  2 10:19:13 venus sshd[15693]: Failed none for illegal user git from ::ffff:127.0.0.1 port 56906 ssh2

谢谢你的帮助。

4

5 回答 5

27

你提到:

Apr 2 10:19:13 venus shd[15693]: User git not allowed because account is locked 
Apr 2 10:19:13 venus sshd[15693]: Failed none for illegal user git from ::ffff:127.0.0.1 port 56906 ssh2

这篇文章提到:

OpenSSH 现在默认检查锁定的帐户。
在 Linux 系统上,锁定的帐户被定义为!!在密码字段中具有/etc/shadow.
这是使用 useradd 命令创建的帐户的默认条目
即使您使用 GSI 身份验证并且不需要本地密码,sshd也不会让用户使用此消息登录:

Too many authentication failures for username

sshd调试信息中,它将表明该帐户已被锁定:

User username not allowed because account is locked

以下是 sshd 手册中的一些附加信息:

无论身份验证类型如何,都会检查帐户以确保其可访问。
如果帐户被锁定、在 DenyUsers 中列出或其组在 DenyGroups 中列出,则无法访问该帐户。
锁定帐户的定义取决于系统。
有些平台有自己的帐户数据库(例如 AIX),有些平台修改 passwd 字段(*LK*在 Solaris 和 UnixWare 上为“ *”,在 HP-UX 上包含“ Nologin”,在 Tru64 上包含“”,在 FreeBSD 上包含前导“ *LOCKED*”,在 FreeBSD 上包含前导“ !!”,在Linux)。
如果需要在仍然允许公钥的同时禁用帐户的密码验证,则该passwd字段应设置为这些值以外的其他值(例如“ NP*NP*

修复:替换!!在 /etc/shadow 中使用(例如)NP。

正如jszakmeister评论)和Yongcan -Frank-Lv评论)所提到的:

sudo passwd -u git

将足以解锁帐户

于 2013-04-02T10:37:51.033 回答
6

这个完全相同的问题gitlab 5.2 (bitnami) 中杀死了我。

我终于找到了它,/var/log/auth.log其中显示:

May 28 11:32:10 ml115 sshd[27779]: User git not allowed because account is locked
May 28 11:32:10 ml115 sshd[27779]: input_userauth_request: invalid user git [preauth]

之后,没过多久我就发现里面的git条目/etc/shadow有 a!需要替换为*.

*设置好所有密钥后,我就可以从另一台机器上 ssh 进入(注意这也ssh -vvT git@gitserver有助于诊断)。

git push -u origin master

现在工作。

我的系统是 Ubuntu 13.04。

于 2013-05-28T03:48:55.570 回答
1

你应该把 ~gitlab/.ssh/id_rsa.pub 放到 ~git/.ssh/authorized_keys

-rwx------ 1 git git 557 Mar 27 16:46 authorized_keys

-rw-r--r-- 1 gitlab gitlab 406 Mar 27 16:45 id_rsa.pub

我可以看到大小不匹配,您是否在authorized_keys 中添加了一些 ssh 密钥选项?您还应该检查 sshd 的错误日志(例如:/var/log/auth 或 /var/log/secure 等)

于 2013-03-28T10:04:33.980 回答
1

尽管接受的答案可能有效,但它可能不是解决此问题的首选方法。

至少在 Ubuntu 12.04 上,passwd -u git将导致此警告:

passwd: unlocking the password would result in a passwordless account.
You should set a password with usermod -p to unlock the password of this account.

听起来不错...除了手册页usermod警告不要使用该-p选项。

Note: This option is not recommended because the password (or encrypted password)
will be visible by users listing the processes.

而不是所有这些,调用passwd -d gitlab将通过删除用户的密码来解决问题(它将 passwd 字段设置为空字符串)。

于 2014-01-02T21:15:36.127 回答
0

解锁用户的最简单解决方案:usermod -p '*' username

于 2019-08-19T22:10:27.050 回答