使用ssh从github部署到linux服务器，但是权限被拒绝（公钥）。 PHP脚本

Question

I am trying to use a deployment php script on my shared linux server to pull in a private repo from github.com using their web-hooks feature, using ssh for the first time .

essentially: everytime i commit to github the web-hook sends a post request to my php file, i want to use this to issue a simple git pull command, thus keeping my server and github in sync and meaning I have a decent workflow that will help me stop editing stuff on a production server.

I am using terminal for my ssh connections.

I used ssh to go to my server and create a clone of my private repo and this worked.

I can, therefore, ssh in to my server and issue a git pull and it works perfectly. But of course i would like to automate this process. If I can get this to work I would like to do the same for a couple of other repos.

I have followed github's guide on creating keys and adding them to ssh keys section of my account on github.com, i can see the keys exist in /.ssh/ folder on my host. the private keys have chmod 600, public keys are 644. I have deleted these, recreated new ones and deleted/re-added the public keys on github several times.

I have currently have these keys:

  1024 03:c4:16:45:40:77:a4:94:a4:... /home/username/.ssh/id_dsa (DSA)
  2048 b3:62:87:e0:4b:39:aa:06:97... /home/username/.ssh/id_github (RSA)

I have a /.ssh/config file with the following (in the hope github uses the id_github key based on this SO answer :

 # Default GitHub
Host github_server
HostName github.com
user git
ForwardAgent yes
PreferredAuthentications publickey
IdentityFile ~/.ssh/id_github

and i have updated my .git/config to change the command to git@github_server:username/repo

I have copied the keys to authorized_keys using

 cat id_github.pub >> authorized_keys

But when i make a commit I get an email saying permissions denied (publickey) (my php script issues emails for success/failure and is based on this repo :

this uses a simple git pull in a shell_exec function I have added 2>&1 to the end for debugging.

I changed my command to (trying to add the key for the user)

  `ssh-add -l git pull 2>&1` 

and got the message

   `Could not open a connection to your authentication agent.`

So I then attempted to start the ssh-agent using

  `eval $(ssh-agent) ssh-add ssh-add -l git pull` 

it returns an agent pid.

  Agent pid 944568
  ssh-add: No such file or directory
  -l: No such file or directory
  git: No such file or directory
  pull: No such file or directory

no good, so i tried just:

  `eval $(ssh-agent) ssh-add git pull` 

and that returned:

  Agent pid 949815
  git: No such file or directory
  pull: No such file or directory

and for completion just this:

  `eval $(ssh-agent) ssh-add -l git pull` 

and that returned:

 Agent pid 952014
 The agent has no identities.

additionally at some point, trying anything,

**edit: later worked out it was this: [^] **

 eval $(ssh-agent) ssh-add ~/.ssh/id_github git pull 2>&1

i added something else to my command that gave me this:

 Agent pid 940365
 Enter passphrase for /home/username/.ssh/id_github: 
 ssh-add: No such file or directory
 -l: No such file or directory
 git: No such file or directory
 pull: No such file or directory

which suggests i need to add the passphrase for the user and then it would work using the keys, but how can i do this from a php shell_exec command without it being a security issue?

to me this also implies my keys are not set for this user correctly but the output below suggest it is.

more info:

running ps aux | grep ssh ps aux | grep ssh shows quite a few ssh-agents listed. I don't know if this is a problem

 940006  0.0  0.0  57708   784 ?        Ss   23:22   0:00 ssh-agent  
 940365  0.0  0.0  57708   768 ?        Ss   23:24   0:00 ssh-agent  
 944222  0.0  0.0  57708   784 ?        Ss   23:42   0:00 ssh-agent  
 944568  0.0  0.0  57708   772 ?        Ss   23:44   0:00 ssh-agent  
 944854  0.0  0.0  57708   772 ?        Ss   23:45   0:00 ssh-agent  
 945103  0.0  0.0  57708   772 ?        Ss   23:47   0:00 ssh-agent  
 945188  0.0  0.0  57708   784 ?        Ss   23:47   0:00 ssh-agent

running the following command based on this SO answer on ssh

# ssh -i ~/.ssh/id_github -vT git@github.com

i get this...

 OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013
 debug1: Reading configuration data /home/username/.ssh/config
 debug1: Reading configuration data /etc/ssh/ssh_config
 debug1: Applying options for *
 debug1: Connecting to github.com [192.30.252.129] port 22.
 debug1: Connection established.
 debug1: identity file /home/username/.ssh/id_github type 1
 debug1: identity file /home/username/.ssh/id_github-cert type -1
 debug1: Remote protocol version 2.0, remote software version OpenSSH_5.9p1 Debian-    5ubuntu1+github5
 debug1: match: OpenSSH_5.9p1 Debian-5ubuntu1+github5 pat OpenSSH*
 debug1: Enabling compatibility mode for protocol 2.0
 debug1: Local version string SSH-2.0-OpenSSH_5.3
 debug1: SSH2_MSG_KEXINIT sent
 debug1: SSH2_MSG_KEXINIT received
 debug1: kex: server->client aes128-ctr hmac-md5 none
 debug1: kex: client->server aes128-ctr hmac-md5 none
 debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
 debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
 debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
 debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
 debug1: Host 'github.com' is known and matches the RSA host key.
 debug1: Found key in /home/username/.ssh/known_hosts:2
 debug1: ssh_rsa_verify: signature correct
 ...
 debug1: Authentications that can continue: publickey
 debug1: Next authentication method: publickey
 debug1: Offering public key: /home/username/.ssh/id_github
 debug1: Server accepts key: pkalg ssh-rsa blen 277
 debug1: Authentication succeeded (publickey).
 debug1: channel 0: new [client-session]
 debug1: Requesting no-more-sessions@openssh.com
 ...
 debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
 debug1: client_input_channel_req: channel 0 rtype eow@openssh.com reply 0
 Hi username! You've successfully authenticated, but GitHub does not provide shell access.
 debug1: channel 0: free: client-session, nchannels 1
 Transferred: sent 2440, received 2920 bytes, in 0.2 seconds
 Bytes per second: sent 12993.2, received 15549.2
 debug1: Exit status 1

I've trimmed out some of the stuff i didn't think was relevant, it looks like the keys exist and are accepted - which is the important bit right?

So what am i missing?

ps i definitely have the keys added to github.

thanks

^ edit

running this: eval $(ssh-agent) ssh-add ~/.ssh/id_github in terminal returned:

 Agent pid 958924
 Enter passphrase for /home/username/.ssh/id_github: (i added passphrase)
 Identity added: /home/username/.ssh/id_github (/home/username/.ssh/id_github) 

UPDATE:

I deleted all my keys, started again with a keygen using the default id_rsa filename, I left the passphrase blank and it works!! Email received and a git pull command and a test file deployed. Super.

Looking at github guidance for passphrases I went in and edited my key adding a passphrase and i'm back to square one. Permission denied (publickey).

Answer 1

Github also allows deploy keys, these are the same as the normal ssh keys, but generally don't come with a passphrase. I am able to deploy without a passphrase as stated in my question earlier.

This seems to be working ok, so will accept it as an answer.

Answer 2

Try in your config file the following:

User git

Instead of

user git