scp requisitos para o modo em lote

0

Estou lançando um script de um servidor Jenkins (no RHEL6) que, entre outras coisas, usa SCP com "BatchMode yes" para copiar um arquivo de uma máquina remota. O script é executado corretamente fora do Jenkins, mas falha dentro dele. O log detalhado do SCP mostra:

debug1: Next authentication method: publickey
debug1: Offering public key: /var/lib/jenkins/.ssh/id_rsa
debug1: Server accepts key: pkalg ssh-rsa blen 277
debug1: Trying private key: /var/lib/jenkins/.ssh/id_dsa

Portanto, há algo faltando no usuário do Jenkins que é necessário para efetuar login. Não é uma entrada known_hosts, ou pelo menos o host correto está listado em /var/lib/jenkins/.ssh/known_hosts. O que mais poderia ser?

Editar : por solicitação, o comando era

scp -vvv -o "BatchMode yes" [email protected]:myfile.txt .

Aqui está um snippet de log mais extenso:

Executing: program /usr/bin/ssh host myserver.com, user myuser, command scp -v -f myfile.txt
OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to myserver.com [xxx.xxx.xxx.xxx] port 22.
debug1: Connection established.
debug1: identity file /var/lib/jenkins/.ssh/identity type -1
debug1: identity file /var/lib/jenkins/.ssh/identity-cert type -1
debug1: identity file /var/lib/jenkins/.ssh/id_rsa type 1
debug1: identity file /var/lib/jenkins/.ssh/id_rsa-cert type -1
debug1: identity file /var/lib/jenkins/.ssh/id_dsa type -1
debug1: identity file /var/lib/jenkins/.ssh/id_dsa-cert type -1
debug1: identity file /var/lib/jenkins/.ssh/id_ecdsa type -1
debug1: identity file /var/lib/jenkins/.ssh/id_ecdsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.2
debug1: match: OpenSSH_6.2 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.3
debug2: fd 3 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
debug3: Wrote 960 bytes for a total of 981
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: [email protected],[email protected],[email protected],[email protected],ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected]
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected]
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,[email protected],hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,[email protected],hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,[email protected],zlib
debug2: kex_parse_kexinit: none,[email protected],zlib
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: first_kex_follows 0 
debug2: kex_parse_kexinit: reserved 0 
debug2: kex_parse_kexinit: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected]
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected]
debug2: kex_parse_kexinit: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-md5,hmac-sha1,[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-md5,hmac-sha1,[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,[email protected]
debug2: kex_parse_kexinit: none,[email protected]
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: first_kex_follows 0 
debug2: kex_parse_kexinit: reserved 0 
debug2: mac_setup: found hmac-md5
debug1: kex: server->client aes128-ctr hmac-md5 none
debug2: mac_setup: found hmac-md5
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug3: Wrote 24 bytes for a total of 1005
debug2: dh_gen_key: priv key bits set: 131/256
debug2: bits set: 773/1536
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug3: Wrote 208 bytes for a total of 1213
debug3: check_host_in_hostfile: host myserver.com filename /var/lib/jenkins/.ssh/known_hosts
debug3: check_host_in_hostfile: host myserver.com filename /var/lib/jenkins/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 2
debug3: check_host_in_hostfile: host xxx.xxx.xxx.xxx filename /var/lib/jenkins/.ssh/known_hosts
debug3: check_host_in_hostfile: host xxx.xxx.xxx.xxx filename /var/lib/jenkins/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 3
debug1: Host 'myserver.com' is known and matches the RSA host key.
debug1: Found key in /var/lib/jenkins/.ssh/known_hosts:2
debug2: bits set: 759/1536
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug3: Wrote 16 bytes for a total of 1229
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug3: Wrote 48 bytes for a total of 1277
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /var/lib/jenkins/.ssh/identity ((nil))
debug2: key: /var/lib/jenkins/.ssh/id_rsa (0x7f38a83ee310)
debug2: key: /var/lib/jenkins/.ssh/id_dsa ((nil))
debug2: key: /var/lib/jenkins/.ssh/id_ecdsa ((nil))
debug3: Wrote 64 bytes for a total of 1341
debug1: Authentications that can continue: publickey,keyboard-interactive
debug3: start over, passed a different list publickey,keyboard-interactive
debug3: preferred gssapi-keyex,gssapi-with-mic,publickey
debug3: authmethod_lookup publickey
debug3: remaining preferred: ,gssapi-with-mic,publickey
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /var/lib/jenkins/.ssh/identity
debug3: no such identity: /var/lib/jenkins/.ssh/identity
debug1: Offering public key: /var/lib/jenkins/.ssh/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug3: Wrote 368 bytes for a total of 1709
debug1: Server accepts key: pkalg ssh-rsa blen 277
debug2: input_userauth_pk_ok: SHA1 fp 72:a5:45:d3:f2:6d:15:c4:2e:f9:37:34:44:10:2b:b9:59:ee:18:c0
debug3: sign_and_send_pubkey: RSA 72:a5:45:d3:f2:6d:15:c4:2e:f9:37:34:44:10:2b:b9:59:ee:18:c0
debug1: Trying private key: /var/lib/jenkins/.ssh/id_dsa
debug3: no such identity: /var/lib/jenkins/.ssh/id_dsa
debug1: Trying private key: /var/lib/jenkins/.ssh/id_ecdsa
debug3: no such identity: /var/lib/jenkins/.ssh/id_ecdsa
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
Permission denied (publickey,keyboard-interactive).
    
por Ben Fulton 07.01.2016 / 19:28

2 respostas

0

Depois de um tempo, percebi que tinha criado as chaves sozinho, com apenas "sudo ssh-keygen". Isso significava que a chave realmente pertencia ao usuário root e o usuário não tinha permissão para lê-lo. Se ssh tivesse me dito isso, não há problema. Aparentemente, porém, a primeira coisa que o ssh faz se não puder ler a chave é pedir uma frase-senha. Mas, como estava em execução no modo em lote, não foi possível solicitar uma frase secreta, por isso desistiu e falhou a chave. Depois que eu coloquei os arquivos-chave para o usuário Jenkins, tudo funcionou.

    
por 11.01.2016 / 15:07
0

Aqui está o bit no log que informa o que está acontecendo:

debug1: Trying private key: /var/lib/jenkins/.ssh/identity
debug3: no such identity: /var/lib/jenkins/.ssh/identity
debug1: Offering public key: /var/lib/jenkins/.ssh/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug3: Wrote 368 bytes for a total of 1709
debug1: Server accepts key: pkalg ssh-rsa blen 277
debug2: input_userauth_pk_ok: SHA1 fp 72:a5:45:d3:f2:6d:15:c4:2e:f9:37:34:44:10:2b:b9:59:ee:18:c0
debug3: sign_and_send_pubkey: RSA 72:a5:45:d3:f2:6d:15:c4:2e:f9:37:34:44:10:2b:b9:59:ee:18:c0
debug1: Trying private key: /var/lib/jenkins/.ssh/id_dsa
debug3: no such identity: /var/lib/jenkins/.ssh/id_dsa
debug1: Trying private key: /var/lib/jenkins/.ssh/id_ecdsa
debug3: no such identity: /var/lib/jenkins/.ssh/id_ecdsa
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
Permission denied (publickey,keyboard-interactive).

Eu vejo algumas coisas ruins acontecendo aqui.

Primeiro, ele oferece até /var/lib/jenkins/.ssh/id_rsa como chave pública, quando deveria ser uma chave privada. Pode ser esclarecedor dar uma olhada no arquivo de configuração do sshd.

Em seguida, ele procura por chaves particulares e não consegue encontrá-las em nenhum desses lugares:

/var/lib/jenkins/.ssh/id_dsa
/var/lib/jenkins/.ssh/id_ecdsa

O que é estranho porque anteriormente no arquivo de log, ele alegava que esses arquivos existiam:

debug1: identity file /var/lib/jenkins/.ssh/identity type -1
debug1: identity file /var/lib/jenkins/.ssh/identity-cert type -1
debug1: identity file /var/lib/jenkins/.ssh/id_rsa type 1
debug1: identity file /var/lib/jenkins/.ssh/id_rsa-cert type -1
debug1: identity file /var/lib/jenkins/.ssh/id_dsa type -1
debug1: identity file /var/lib/jenkins/.ssh/id_dsa-cert type -1
debug1: identity file /var/lib/jenkins/.ssh/id_ecdsa type -1
debug1: identity file /var/lib/jenkins/.ssh/id_ecdsa-cert type -1

Aqui estão as coisas que eu tentaria:

  • chmod go-rwx /var/lib/jenkins/.ssh/*
    Isso garantirá que somente o usuário tenha permissões de leitura para os arquivos de chave. Isso é importante, pois o OpenSSH, se configurado para ser seguro, se recusará a trabalhar com arquivos-chave publicamente legíveis.
  • O arquivo de chaves foi criado com uma senha? Os arquivos de chave protegidos por senha não funcionarão para automação, portanto, certifique-se de que os arquivos de chave não sejam protegidos por senha.
  • O arquivo-chave está instalado no myserver.com em /home/myuser/.ssh/authorized_keys e você executou chmod go-rwx /home/myuser/.ssh/* no myserver.com?
por 08.01.2016 / 18:51

Tags