Git 使用私钥使用 shell_exec 从 PHP 文件中获取

发布于 2024-10-31 03:19:24 字数 2964 浏览 3 评论 0原文

我已经构建了一个在特定文件夹上执行 git fetch 的 php 脚本:

确切的命令是:

usr/bin/git --git-dir=/home/bathan/www/sync_test/repo3//.git --work-tree=/home/bathan/www/sync_test/repo3/ fetch

当然,如果我在命令行上运行它,它会完美运行。

现在,当我使用 shell_exec 运行此命令时,出现以下错误:

权限被拒绝,请重试。
权限被拒绝,请重试。
权限被拒绝(公钥、gssapi-with-mic、密码)。
fatal:远端意外挂断

查看其尝试连接的服务器,确切的错误是:

4 月 8 日 10:52:17 myserver sshd[26230]: git 密码失败 192.15.136.253端口32878 ssh2

那么,好的。我猜想这个 shell_exec 无法读取我设置的 ~/.ssh/id_rsa 密钥。因此,我向该文件授予 777 权限,然后收到此错误。

@@@@@ @警告:不受保护的私人 关键文件! @ @@@ 权限 0777 '/home/bathan/.ssh/id_rsa' 也是 打开。建议您 私钥文件不可访问 由其他人。该私钥将是 被忽略。错误的权限:忽略密钥: /home/bathan/.ssh/id_rsa 权限 被拒绝,请重试。允许 被拒绝,请重试。允许 被拒绝 (公钥、gssapi-with-mic、密码)。 fatal:远端挂断 没想到

所以我猜 git 能够读取密钥文件。如果我将其恢复到正确的权限,我会再次返回到第一个错误。

注意:我的 apache 服务器设置为使用同一用户(bathan)运行,这是一个 ubuntu 盒子。

这是 ssh -v 响应

OpenSSH_5.5p1 Debian-4ubuntu5, OpenSSL 0.9.8o 01 Jun 2010
Pseudo-terminal will not be allocated because stdin is not a terminal.
debug1: Reading configuration data /home/bathan/.ssh/config
debug1: Applying options for gitserver
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to git.myserver.com [77.171.171.229] port 22.
debug1: Connection established.
debug1: identity file /home/bathan/.ssh/id_rsa type 1
debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-1023
debug1: Checking blacklist file /etc/ssh/blacklist.RSA-1023
debug1: identity file /home/bathan/.ssh/id_rsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_4.3
debug1: match: OpenSSH_4.3 pat OpenSSH_4*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.5p1 Debian-4ubuntu5
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'git.myserver.com' is known and matches the RSA host key.
debug1: Found key in /home/bathan/.ssh/known_hosts:4
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure.  Minor code may provide more information
Credentials cache file '/tmp/krb5cc_1000' not found
..
..

有什么想法吗?

I have built a php script that performs a git fetch on a specific folder:

the exact command is :

usr/bin/git --git-dir=/home/bathan/www/sync_test/repo3//.git --work-tree=/home/bathan/www/sync_test/repo3/ fetch

Of course, if I run this on the command line it works perfectly.

Now, when I run this using shell_exec I get the following error:

Permission denied, please try again.
Permission denied, please try again.
Permission denied (publickey,gssapi-with-mic,password).
fatal: The remote end hung up unexpectedly

Looking into the server its trying to connect, the exact error is :

Apr 8 10:52:17 myserver sshd[26230]:
Failed password for git from
192.15.136.253 port 32878 ssh2

So, Ok. I guess that this shell_exec is not able to read the ~/.ssh/id_rsa key I have set up. So I give 777 permission to that file and i get this error.

@@@@@
@ WARNING: UNPROTECTED PRIVATE
KEY FILE! @
@@@
Permissions 0777 for
'/home/bathan/.ssh/id_rsa' are too
open. It is recommended that your
private key files are NOT accessible
by others. This private key will be
ignored. bad permissions: ignore key:
/home/bathan/.ssh/id_rsa Permission
denied, please try again. Permission
denied, please try again. Permission
denied
(publickey,gssapi-with-mic,password).
fatal: The remote end hung up
unexpectedly

So I guess that git IS able to read the key file. If I put it back to the correct permissions I go back again to the first error.

Note : my apache server is set to run with my same user (bathan) and this is an ubuntu box.

This is the ssh -v Response

OpenSSH_5.5p1 Debian-4ubuntu5, OpenSSL 0.9.8o 01 Jun 2010
Pseudo-terminal will not be allocated because stdin is not a terminal.
debug1: Reading configuration data /home/bathan/.ssh/config
debug1: Applying options for gitserver
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to git.myserver.com [77.171.171.229] port 22.
debug1: Connection established.
debug1: identity file /home/bathan/.ssh/id_rsa type 1
debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-1023
debug1: Checking blacklist file /etc/ssh/blacklist.RSA-1023
debug1: identity file /home/bathan/.ssh/id_rsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_4.3
debug1: match: OpenSSH_4.3 pat OpenSSH_4*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.5p1 Debian-4ubuntu5
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'git.myserver.com' is known and matches the RSA host key.
debug1: Found key in /home/bathan/.ssh/known_hosts:4
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure.  Minor code may provide more information
Credentials cache file '/tmp/krb5cc_1000' not found
..
..

Any Ideas?

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(2

岁月苍老的讽刺 2024-11-07 03:19:24

您确定 PHP 脚本是使用您设置 ~/.ssh/id_rsa 的同一用户执行的吗?

例如,在许多环境中,网络服务器(例如 Apache)由 www-data 运行。我只是猜测 www-data 不是 $HOME/.ssh/ id_rsa 所在的用户。

尝试在 .ssh/config 中对 ssh 密钥的位置进行硬编码:

Host gitserver
Hostname fqdn.example.org
IdentityFile /home/THE-USER/.ssh/id_rsa

如果这没有帮助,请像这样进行调试:

来自 PHP:

<?php
shell_exec("ssh -v gitserver");

查看在这种情况下使用了哪些密钥来了解一下为什么它可能不起作用。

Are you sure the PHP script is executed with the same user you setup ~/.ssh/id_rsa with?

E.g. in lots of environments the webserver (e.g. Apache) is run by www-data. And I'm only guessing that www-data is not the user in whose $HOME/.ssh/ the id_rsa is located.

Try to hardcode the location of the ssh-key in your .ssh/config:

Host gitserver
Hostname fqdn.example.org
IdentityFile /home/THE-USER/.ssh/id_rsa

If this doesn't help, debug like so:

From PHP:

<?php
shell_exec("ssh -v gitserver");

See which keys are used in this case to get an idea why it may not work.

南烟 2024-11-07 03:19:24

我发现了问题。

rsa_id 使用的是释义,显然它不是由脚本输入的。

我用 ssh-keygen -p 删除了释义,它的效果就像一个魅力。

感谢大家的帮助!

I found the problem.

The rsa_id was using a paraphrase and OBVIOUSLY it was not typed in by the script.

I removed the paraphrase with : ssh-keygen -p and it worked like a charm.

Thanks to everyone for their help!!

~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文