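Note: all of the demonstrations below were run on a work Mac.

Ruan Yifeng's article on SSH login explains fairly clearly how SSH login works on Linux-like systems. Below are some experiments.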

GitHub does not provide shell access over SSH.

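1. How the server's public key gets written to known_hosts

Connecting to git@github.com over SSH

    $ ssh git@github.com
    PTY allocation request failed on channel 0
    Hi tangyefei! You've successfully authenticated, but GitHub does not provide shell access.
    Connection to github.com closed.

"authenticated" means "confirmed to be genuine": GitHub recognized the user as tangyefei.

But because GitHub does not provide shell access, it closed the connection.

Connecting to git@github.com over SSH after deleting the server's public key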

    $ ping github.com
    PING github.com (13.250.177.223): 56 data bytes
    $ ssh-keygen -R 13.250.177.223
    # Host 13.250.177.223 found: line 2
    /Users/eleme/.ssh/known_hosts updated.
    Original contents retained as /Users/eleme/.ssh/known_hosts.old
    $ ssh git@github.com
    The authenticity of host 'github.com (13.250.177.223)' can't be established.
    RSA key fingerprint is SHA256:nThbg6kXUpJWGl7E1IGOCspRomTxdCARLviKw6E5SY8.
    Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
    Warning: Permanently added 'github.com,13.250.177.223' (RSA) to the list of known hosts.
    PTY allocation request failed on channel 0
    Hi tangyefei! You've successfully authenticated, but GitHub does not provide shell access.
    Connection to github.com closed.

Are you sure you want to continue connecting (yes/no/[fingerprint])? yes

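Answering yes means that the fingerprint of the server's public key has been generated and stored in known_hosts. Later connections to this server no longer ask.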
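The check behind that prompt, as an added example (not code from the original post): each known_hosts line holds the host names, the key type and the base64 public key, and the fingerprint shown in the prompt is the unpadded base64 SHA-256 of that key blob. The key blobs and the known_hosts entry below are constructed sample data, and the function names are this example's own.

```python
import base64
import hashlib
import struct

def fingerprint(blob_b64: str) -> str:
    """Fingerprint as ssh prints it: unpadded base64 of SHA-256 over the raw key blob."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def check_host(known_hosts: str, host: str, key_type: str, offered_blob: str) -> str:
    """Classify the key a server offers: 'match', 'changed' or 'unknown'."""
    status = "unknown"  # no entry yet: ssh shows the authenticity prompt
    for line in known_hosts.splitlines():
        fields = line.split()
        # Skip blanks, comments, @markers and hashed host names (not handled here).
        if len(fields) < 3 or fields[0][0] in "#@|":
            continue
        names, ktype, blob = fields[:3]
        if host in names.split(",") and ktype == key_type:
            if blob == offered_blob:
                return "match"  # silent connect, as in the second login
            status = "changed"  # ssh refuses and warns about a changed host key
    return status

def first_contact_ok(offered_blob: str, published_fp: str) -> bool:
    """Accept a new host only if its fingerprint equals one obtained out of band."""
    return fingerprint(offered_blob) == published_fp

def constructed_blob(key_type: str, filler: bytes) -> str:
    """CONSTRUCTED sample data: SSH string header plus filler bytes, not a real key."""
    name = key_type.encode()
    return base64.b64encode(struct.pack(">I", len(name)) + name + filler).decode()

SERVER_KEY = constructed_blob("ssh-rsa", b"\x01" * 32)
OTHER_KEY = constructed_blob("ssh-rsa", b"\x02" * 32)  # a different key for the same host
KNOWN_HOSTS = f"github.com,13.250.177.223 ssh-rsa {SERVER_KEY}\n"  # constructed entry

if __name__ == "__main__":
    print(fingerprint(SERVER_KEY))
    print(check_host(KNOWN_HOSTS, "github.com", "ssh-rsa", SERVER_KEY))   # match
    print(check_host(KNOWN_HOSTS, "github.com", "ssh-rsa", OTHER_KEY))    # changed
    print(check_host(KNOWN_HOSTS, "47.111.64.6", "ssh-rsa", SERVER_KEY))  # unknown
    print(first_contact_ok(OTHER_KEY, fingerprint(SERVER_KEY)))           # False
```

The `[fingerprint]` choice in the prompt performs the first-contact comparison for you: paste a fingerprint obtained out of band instead of typing yes, and ssh only records the key if it matches.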

2. Demonstrating passwordless login

Note: 47.111.64.6 is a personal server of mine on Alibaba Cloud.

First SSH connection

    $ ssh root@47.111.64.6
    The authenticity of host '47.111.64.6 (47.111.64.6)' can't be established.
    ECDSA key fingerprint is SHA256:P4ZhsDHqBGjUW709RZgzEYWnaYXY5pzEmr8oKs2+Sb0.
    Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
    Warning: Permanently added '47.111.64.6' (ECDSA) to the list of known hosts.
    root@47.111.64.6's password:
    Welcome to Alibaba Cloud Elastic Compute Service !
    Activate the web console with: systemctl enable --now cockpit.socket
    Last login: Mon Feb 22 14:56:03 2021 from 106.11.255.72

Login completes after (1) answering yes to trust this server and (2) entering the password.

Second SSH connection

    $ ssh root@47.111.64.6
    root@47.111.64.6's password:
    Welcome to Alibaba Cloud Elastic Compute Service !
    Activate the web console with: systemctl enable --now cockpit.socket
    Last login: Mon Feb 22 18:06:22 2021 from 106.11.255.72

Because the fingerprint of the server's public key is already stored in known_hosts, entering the password is all that is needed.

SSH connection after copying the public key to the server

To make testing easier, delete both _rsa and _rsa.pub under the ~/.ssh folder. The test steps are:

  1. Copy the public key to the server; none has been generated yet, so this reports an error
  2. Generate the public key with ssh-keygen
  3. Copy the public key to the server; this succeeds after entering the password
  4. Passwordless login succeeds

    $ ssh-copy-id root@47.111.64.6
    /usr/bin/ssh-copy-id: ERROR: No identities found

    $ ssh-keygen
    Generating public/private rsa key pair.
    Enter file in which to save the key (/Users/eleme/.ssh/id_rsa):
    Enter passphrase (empty for no passphrase):
    Enter same passphrase again:
    Your identification has been saved in /Users/eleme/.ssh/id_rsa.
    Your public key has been saved in /Users/eleme/.ssh/id_rsa.pub.
    The key fingerprint is:
    SHA256:Rrhpx0gvMZ6l2kyeJiO/XurTAiSdv2NSWVhc9Lpj0XI eleme@E110147.local
    The key's randomart image is:
    +---[RSA 3072]----+
    | . oo |
    | o. . |
    | . . o= o . |
    |. + .o.& o |
    | o . o@ S E |
    | . +B = = |
    | .o+oB + |
    | .o**.. . |
    | =*= |
    +----[SHA256]-----+

    $ ssh-copy-id root@47.111.64.6
    /usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/Users/eleme/.ssh/id_rsa.pub"
    /usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
    /usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
    root@47.111.64.6's password:
    Number of key(s) added: 1
    Now try logging into the machine, with: "ssh 'root@47.111.64.6'"
    and check to make sure that only the key(s) you wanted were added.

    $ ssh root@47.111.64.6
    Welcome to Alibaba Cloud Elastic Compute Service !
    Activate the web console with: systemctl enable --now cockpit.socket
    Last login: Mon Feb 22 18:16:42 2021 from 106.11.255.72

3. GitHub and SSH

Public repo

Create a Public repo on GitHub, then clone it on the local machine:

    $ git clone https://github.com/wit-kaizen/note-web.git
    Cloning into 'note-web'...
    remote: Enumerating objects: 67, done.
    remote: Counting objects: 100% (67/67), done.
    remote: Compressing objects: 100% (56/56), done.
    remote: Total 67 (delta 11), reused 63 (delta 7), pack-reused 0
    Unpacking objects: 100% (67/67), done.

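As shown, cloning a Public repo (over HTTPS, as in the command above) does not require adding a public key to known_hosts or entering a password.

Running the clone on the server 47.111.64.6 gives the same result.

However, when you try to push code, the push will inevitably fail for lack of permission, so the public key has to be copied into your GitHub configuration.

4. Problem

With a proxy enabled on the local machine (the company's Alilang), the following error is reported: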

    $ git pull
    fatal: unable to access 'https://github.com/wit-kaizen/note-web.git/': LibreSSL SSL_connect: SSL_ERROR_SYSCALL in connection to github.com:443