Git auth failing when running npm install as sudo - node.js

I am trying to install an npm package that pulls from our private repo. When I run npm install as myself, I get Please try running this command again as root/Administrator. When I run it as sudo, I get
npm ERR! Error: Command failed: Permission denied (publickey).
npm ERR! fatal: Could not read from remote repository.
npm ERR!
npm ERR! Please make sure you have the correct access rights
npm ERR! and the repository exists.
I normally don't use sudo to do npm install. I think the issue is that when I run as sudo, it is looking in /var/root/.ssh for the key. I don't have the root user credentials, otherwise I would create a new key as root. Is there another work around?
EDIT: tried the suggestions below, they didn't work. However, the repo in question is referenced by a dependency below the package root: ./node_modules//package.json. If I change the git url to use http, it works, but it's not a good idea to do it this way because I'll have to change it when I check the package back into the repo.

Try this:
sudo /bin/bash then, run your npm command

I think the issue is that when I run as sudo, it is looking in /var/root/.ssh for the key. I don't have the root user credentials
A workaround would be to change the url of that repo to an http one: it would then query for your login/password instead of relying on ssh keys which you cannot provide as root.
cd /path/to/private/repo
git remote set-url origin https://server/user/repo
If I change the git url to use http, it works, but it's not a good idea to do it this way because I'll have to change it when I check the package back into the repo.
Actually, you can change an url by another without modifying the config of the remote url.
For instance (as in How to use SSH instead of HTTP for Git submodules?)
git config url.https://github.com/.insteadOf ssh://git@github.com/
# or
git config url.https://github.com/.insteadOf git@github.com:

Related

Authentication error on publishing to private NPM repository on Nexus

I am having authentication problem when publishing to my private npm registry hosted on my private Nexus.
My Nexus setup is I have npm-proxy, npm-registry (hosted npm with allowRepublish=false), npm-snapshots (hosted npm with allowRepublish=true) and npm-public (group with all other three repositories).
Since I am developing a library, I am using my snapshot repository, so I can redeploy same version constantly (something like snapshot in maven world).
In my library project I have set this option in package.json
"publishConfig": {
"registry": "https://my.nexus.com/repository/npm-snapshots/"
}
Next, I created .npmrc file with following content:
registry=https://my.nexus.com/repository/npm-public/
_auth=RVhBTVBMRQ==
And with this setup I can publish project with no problem. However, what bothers me, is that I have my password (which is just base64 encoded) stored in file, that should be committed, but I can't commit it, due to credentials in it.
I have tried to instead login to npm registry and removed the auth line from .npmrc
npm adduser --registry=https://my.nexus.com/repository/npm-snapshots --always-auth
I got response Logged in as myusername on https://my.nexus.com/repository/npm-snapshots.
However, when I try to run npm publish I get:
npm ERR! code E401
npm ERR! Unable to authenticate, need: BASIC realm="Sonatype Nexus Repository Manager"
npm verb exit [ 1, true ]
npm timing npm Completed in 6867ms
npm ERR! A complete log of this run can be found in:
npm ERR! C:\Users\XXXX\AppData\Roaming\npm-cache\_logs\2019-07-30T19_31_01_598Z-debug.log
Now in my other project (which is using this library), I simply created .npmrc file with content registry=https://nexus.mjamsek.com/repository/npm-public/ and run command npm adduser --registry=https://my.nexus.com/repository/npm-public --always-auth and I was able to download the published package.
However, the publish still won't work and I don't know why.
EDIT 31.7.2019: On my list of active realms I also have npm Bearer Token Realm
When you do npm login or npm adduser the NPM client creates an authentication token that will be used in future request to the registry. Default NXRM configuration allows only Local Authenticating Realm which doesn't recognise NPM's token. Please make sure you have npm Bearer Token Realm active.
You need a trailing slash on the end of the registry URL passed into npm adduser, otherwise npm will chop off the last segment of the URL, and it won't work.
_auth= replaced with output of btoa('username:userpassword') and it worked for me.
I did use this btoa from chrome as below.
I encountered this problem today, my solution was to delete all registry entry from my npmrc file:
registry=https://my.nexus.com/repository/npm-snapshots/
Ideally delete anything superfluous, back it up beforehand, in my case my file contained only:
strict-ssl=false
Then you can
npm login --registry=https://my.nexus.com/repository/npm-public/ again.
If that's not working, you can also bypass npm login with curl, look at this life saving post.
Make sure the _auth token is correct. In my case I changed my system credentials and forgot to generate new _auth token. I was getting the exact same error i.e.
"npm ERR! code E401
npm ERR! Unable to authenticate, need: BASIC realm="Sonatype Nexus Repository Manager"
Once I fixed it, the issue was resolved.
For those who are looking for the command to generate _auth. It is:
btoa('username:userpassword')
I had same problem, my solution was to delete my global .npmrc file, and after login npm login.
I had ended up with three versions of node on my machine. It turned out that the ones I installed later had their own local .npmrc files in the node_modules folders. They didn't use the global .npmrc even after I removed the local one so I had to copy it.
I was struggling about this problem last two days, finally the solution was to delete .npmrc file from root (user) directory.
When npm tried to log in, it used the creds inside this file and ignored your pass login.
I've had a similar issue. I also have our credentials stored in an npmrc file in my user directory. When set up with node16/npm7, I would receive the error
npm ERR! code ENEEDAUTH
npm ERR! need auth This command requires you to be logged in.
npm ERR! need auth You need to authorize this machine using `npm adduser`
If I use nvm to downgrade to node12/npm6, it works. I'd prefer a working solution without downgrading, but for now it lets me move on.
UPDATE:
We finally figured it out (a while ago, but I forgot about this answer). In our .npmrc files in our user directories, we needed to add/change our authorization config entry.
Before:
_auth={base64 encoded username:password}
After:
//{path to private repository}:_auth={base64 encoded username:password}
Just enable anonymous access in the nexus dashboard, it will pull from your private registry.
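The question's worry about committing `_auth`, and the scoped `//{path}:_auth` form from the update above, can be checked mechanically before a commit. The following is an added example, not code from any poster: the function name `audit_npmrc`, the rule names, the sample files and the `NPM_AUTH` variable are all made up here, and it relies on npm expanding `${VAR}` references in .npmrc.

```shell
#!/bin/sh
# Added example: lint an .npmrc before it is committed. Values are never printed.

# audit_npmrc FILE: one finding per line as "LINE: rule [key]"; exit 1 if any.
audit_npmrc() {
    awk '
    /^[ \t]*[#;]/ { next }                      # skip comments
    /^[ \t]*$/    { next }                      # skip blank lines
    {
        eq = index($0, "=")
        if (eq == 0) next
        key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
        gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
        name = key; sub(/^.*:/, "", name)       # drop a //host/path/: scope
        cred = (name == "_auth" || name == "_authToken" || name == "_password")
        from_env = (substr(val, 1, 2) == "${" && substr(val, length(val)) == "}")
        if (cred && !from_env) { print NR ": literal-secret " key; n++ }
        if (cred && substr(key, 1, 2) != "//") { print NR ": unscoped-credential " key; n++ }
        if (key == "strict-ssl" && val == "false") { print NR ": tls-verification-disabled"; n++ }
    }
    END { exit (n > 0) }' "$1"
}

dir=$(mktemp -d)

# Constructed file combining settings quoted in the posts above.
cat > "$dir/npmrc.before" <<'EOF'
registry=https://my.nexus.com/repository/npm-public/
_auth=RVhBTVBMRQ==
strict-ssl=false
EOF

# Scoped to one registry, secret injected at run time; NPM_AUTH is a made-up name.
cat > "$dir/npmrc.after" <<'EOF'
registry=https://my.nexus.com/repository/npm-public/
//my.nexus.com/repository/npm-public/:_auth=${NPM_AUTH}
EOF

for f in "$dir/npmrc.before" "$dir/npmrc.after"; do
    echo "== $f"
    audit_npmrc "$f" && echo "clean"
done
```
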

NPM Authentication Error To Private Repo on jenkins build

I'm working on a Front End Application that relies on a dependency developed by our organization but is hosted in a separate repository. It's a bitbucket repo hosted by us and is private.
We're using NPM to manage this dependency, and install it via git+https://<the-dependency-repo>.com
This works in our local environment because our credentials are cached. Please note: WE CANNOT SWITCH TO SSH. I'm aware of the ssh solution, I have no control over account management, bitbucket access etc...
When the Jenkins CI runs, it pulls our application from its repository using credentials stored in the Credentials Plugin, and runs npm install.
The Problem:
The install fails because of authentication failure during the npm install.
What I've tried so far:
Since the git credentials are stored in the Jenkins Credential Plugin, I have access to a git username/password combination.
The precise failure happens when npm attempts to run git ls-remote ...
To circumvent this authentication failure, I am able to run a shell command before the npm install:
git config credential.helper 'cache'
git fetch https://${USERPASSCOMBO}@<repo>
The good news is that this works! NPM is able to run git fetch ls-remote without error
The bad news is that the next command git clone -q <repo> fails.
I've attempted the same solution: adding the following prior to npm install:
git config credential.helper 'cache'
git ls-remote https://${USERPASSCOMBO}@<repo>
git clone https://${USERPASSCOMBO}@<repo>
note: these commands work as expected, prior to npm install
NPM install still fails however, producing the following error output:
[ERROR] npm ERR! Command failed: /bin/git clone -q https://<repo> /var/lib/jenkins/.npm/_cacache/tmp/git-clone-ed5ac1a9
[ERROR] npm ERR! warning: templates not found /tmp/pacote-git-template-tmp/git-clone-49feabe4
[ERROR] npm ERR! fatal: Authentication failed for '<repo>'
[ERROR] npm ERR!
Any help is greatly appreciated, even a pointer towards the right direction. I've exhausted trying everything I can think of.
Try installing from the repository with the URL git+https://user:password@<repo-url>.
Note that this leaves your password out in the open, so I suggest generating an app token or similar if your repository provider supports this.
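An alternative that keeps the secret out of URLs and package.json is a git credential helper that reads it from the environment. This is an added example, not code from the thread: the host name, the helper names `g`, `install_env_helper` and `ask`, and the variables `GIT_USER` / `GIT_TOKEN` (which a CI credential binding would export) are assumptions. The helper is set with `--global` because `git config` without it writes only to the current repository, and the failing clone in the log runs in npm's cache directory.

```shell
#!/bin/sh
# Added example: answer git's HTTPS credential prompt from the environment.

# g HOME ARGS...: git with a throwaway global config and all prompting disabled.
g() {
    h=$1; shift
    env HOME="$h" XDG_CONFIG_HOME="$h/.config" GIT_CONFIG_GLOBAL="$h/.gitconfig" \
        GIT_CONFIG_NOSYSTEM=1 GIT_TERMINAL_PROMPT=0 GIT_ASKPASS= SSH_ASKPASS= git "$@"
}

# install_env_helper HOME HOST: register a helper for https://HOST only, so the
# token is never offered to any other server.
# GIT_USER / GIT_TOKEN are hypothetical names exported by the CI job.
install_env_helper() {
    g "$1" config --global "credential.https://$2.helper" \
        '!f() { [ "$1" = get ] && printf "username=%s\npassword=%s\n" "$GIT_USER" "$GIT_TOKEN"; }; f'
}

# ask HOME HOST: print the credential git would use for https://HOST.
# Nothing is sent over the network.
ask() {
    printf 'protocol=https\nhost=%s\n\n' "$2" | g "$1" credential fill 2>/dev/null
}

sandbox=$(mktemp -d)
install_env_helper "$sandbox" bitbucket.example.com      # constructed host name
export GIT_USER=ci-bot GIT_TOKEN=constructed-app-token   # constructed values

ask "$sandbox" bitbucket.example.com   # helper supplies username and password
ask "$sandbox" other.example.org || echo "other.example.org: no credential offered"
```
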

NPM update error - Fails to execute GIT

When I try to create a project I get the error below.
It seems to be network related because it occurs only in company network.
Any idea how to troubleshoot that?
D:\Projects\aurelia>au new test3
. . .
Installing project dependencies. npm ERR! git clone
--template=C:\Users\user\AppData\Roaming\npm-cache_git-remotes_templates --mirror git://github.com/gulpjs/gulp.git
C:\Users\AppData\Roaming\npm-cache_git-remotes\git-github-com-gulpjs-gulp-git-4-0ecf98f08
: npm ERR! git clone
--template=C:\Users\user\AppData\Roaming\npm-cache_git-remotes_templates --mirror https://github.com/gulpjs/gulp.git
C:\Users\user\AppData\Roaming\npm-cache_git-remotes\git-https-github-com-gulpjs-gulp-git-40-4b46db44: npm ERR! git clone
--template=C:\Users\user\AppData\Roaming\npm-cache_git-remotes_templates --mirror git@github.com:gulpjs/gulp.git
C:\Users\user\AppData\Roaming\npm-cache_git-remotes\git-github-com-gulpjs-gulp-git-4-0-7c06e801:
UPDATE
This what I get when I run npm install
If I copy paste the git command that fails I get this:
error: SSL certificate problem, verify that the CA cert is OK.
Details:error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed while
accessing https://github.com/gulpjs/gulp.git/info/refs fatal: HTTP
request failed
UPDATE
I added the missing certificate to git, and now I can run the git command by itself successfully. If I run npm install I still get an error.
I also followed the advice of @Andrew and modified the git config file.
Try configuring your git to use https instead of git. That seems to work more frequently inside work networks.
Type this command into your console:
git config --global url."https://".insteadOf git://
Then you can try to create the project again, or just run npm install if it's already been created and it just failed on the dependency retrieval step.
Additionally, if that doesn't work, you might need to further specify when npm is using git with ssh. In this case, run this command as well:
git config --global url."https://github.com/".insteadOf git@github.com:

npm doesn't honor git's "insteadOf" config when cloning from mirrors

I have set up the following command to prevent npm from downloading NPM packages with the GIT protocol, as it is somehow blocked by my server :
git config --global url."https://github.com/".insteadOf git@github.com
However, when running npm install, an error still occurs because a package tries to use the Git protocol, in the context of repo cloning from a mirror :
npm ERR! git clone --template=/home/jenkins/.npm/_git-remotes/_templates --mirror git://github.com/isaacs/js-yaml.git /home/jenkins/.npm/_git-remotes/git-github-com-isaacs-js-yaml-git-dd3d7a8b: Cloning into bare repository '/home/jenkins/.npm/_git-remotes/git-github-com-isaacs-js-yaml-git-dd3d7a8b'...
npm ERR! git clone --template=/home/jenkins/.npm/_git-remotes/_templates --mirror git://github.com/isaacs/js-yaml.git /home/jenkins/.npm/_git-remotes/git-github-com-isaacs-js-yaml-git-dd3d7a8b:
npm ERR! git clone --template=/home/jenkins/.npm/_git-remotes/_templates --mirror git://github.com/isaacs/js-yaml.git /home/jenkins/.npm/_git-remotes/git-github-com-isaacs-js-yaml-git-dd3d7a8b: fatal: unable to connect to github.com:
npm ERR! git clone --template=/home/jenkins/.npm/_git-remotes/_templates --mirror git://github.com/isaacs/js-yaml.git /home/jenkins/.npm/_git-remotes/git-github-com-isaacs-js-yaml-git-dd3d7a8b: github.com[0: 192.30.252.129]: errno=Connection refused
I compared the modules that were installed into node_modules and the one that are declared in package.json, and the only missing one is grunt-contrib-nodeunit, which strangely doesn't depend on js-yaml... So why does it want to clone its repo then ? In any case, is there a way to force using HTTPS when specifying mirrors ?
I was able to get around this using (git:// instead of git@)
git config --global url."http://github.com".insteadOf git://github.com
I could not get around this problem with Gitlab CI. For some reason npm won't use my insteadOf rule, even though nothing is printed on the logs.
My solution is to edit the original file directly using sed :
sed -i -e "s/ssh\:\/\/git\@myrepo\.com\:/https\:\/\/myrepo\.com\//g" package.json
This will replace all ssh://git@myrepo.com: with https://myrepo.com/ (note the trailing : is replaced by /).
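Both this thread and the `insteadOf` suggestions in the first thread depend on how git matches a rule: it is a plain prefix comparison against the URL as written, so `git://`, `git@host:` and `ssh://git@host/` each need their own rule. This added example (not from any poster; the helper names `g`, `add_rule` and `resolve` are made up here) asks git itself which URL it would contact, using a throwaway global config and no network access.

```shell
#!/bin/sh
# Added example: check insteadOf rewrites offline with git's own resolver.

# g HOME ARGS...: run git against a throwaway global config only.
g() {
    h=$1; shift
    env HOME="$h" XDG_CONFIG_HOME="$h/.config" GIT_CONFIG_GLOBAL="$h/.gitconfig" \
        GIT_CONFIG_NOSYSTEM=1 git "$@"
}

# add_rule HOME BASE PREFIX: URLs starting with PREFIX are rewritten to BASE.
add_rule() { g "$1" config --global --add "url.$2.insteadOf" "$3"; }

# resolve HOME URL: print the URL git would contact (no connection is made).
resolve() { g "$1" ls-remote --get-url "$2"; }

# The rule from the question: SSH-style prefix without the trailing colon.
asked=$(mktemp -d)
add_rule "$asked" "https://github.com/" "git@github.com"

# One rule per URL form that appears in the npm error output on this page.
fixed=$(mktemp -d)
add_rule "$fixed" "https://github.com/" "git://github.com/"
add_rule "$fixed" "https://github.com/" "git@github.com:"
add_rule "$fixed" "https://github.com/" "ssh://git@github.com/"

for url in git://github.com/isaacs/js-yaml.git \
           git@github.com:isaacs/js-yaml.git \
           ssh://git@github.com/isaacs/js-yaml.git; do
    printf '%-42s asked: %-40s fixed: %s\n' "$url" \
        "$(resolve "$asked" "$url")" "$(resolve "$fixed" "$url")"
done
```

With the question's rule, the `git://` URL comes back unchanged and the `git@github.com:` URL keeps its colon after the rewrite; with one rule per form, all three resolve to the same HTTPS URL.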

How/why does npm recommend not running as root?

In short...
First of all, why does npm suggest that it should only run as non-root? I highly disbelieve that every other package manager (apt, yum, gem, pacman) is wrong for requiring sudo.
Second, when I follow their suggestion (and run npm install as non-root), it won't work (because non-root doesn't have permission to /usr/local/lib). How do I follow their suggestion? I am not going to chown -R $USER /usr/local/lib, because that seems like a very bad idea to me.
Full description...
I installed npm via curl http://npmjs.org/install.sh | sudo sh (the instruction in their README).
When I run sudo npm install mongoose, npm tells me not to run it as root:
npm ERR! sudon't!
npm ERR! sudon't! Running npm as root is not recommended!
npm ERR! sudon't! Seriously, don't do this!
npm ERR! sudon't!
But when I run npm install mongoose without sudo I get the following:
npm info it worked if it ends with ok
npm info using npm@0.2.17
npm info using node@v0.4.0-pre
npm info fetch http://registry.npmjs.org/mongoose/-/mongoose-1.0.7.tgz
npm info calculating sha1 /tmp/npm-1297199132405/1297199132406-0.7044695958029479/tmp.tgz
npm info shasum b3573930a22066fbf3ab745a79329d5eae75b8ae
npm ERR! Could not create /usr/local/lib/node/.npm/.cache/mongoose/1.0.7/package.tgz
npm ERR! Failed creating the tarball.
npm ERR! This is very rare. Perhaps the 'gzip' or 'tar' configs
npm ERR! are set improperly?
npm ERR!
npm ERR! couldn't pack /tmp/npm-1297199132405/1297199132406-0.7044695958029479/contents/package to /usr/local/lib/node/.npm/.cache/mongoose/1.0.7/package.tgz
npm ERR! Error installing mongoose@1.0.7
npm ERR! Error: EACCES, Permission denied '/usr/local/lib/node/.npm/.cache/mongoose'
npm ERR! There appear to be some permission problems
npm ERR! See the section on 'Permission Errors' at
npm ERR! http://github.com/isaacs/npm#readme
npm ERR! This will get better in the future, I promise.
npm not ok
So it tells me I shouldn't use sudo, and then doesn't work if I follow their suggestion.
Which leads to my initial questions above.
Actually, npm does not recommend not running as root. Well, not any more.
It changed around the same time that you asked your question. This is what the README looked like on February 7, 2011: "Using sudo with npm is Very Not Recommended. Anyone can publish anything, and package installations can run arbitrary scripts." It was explained later in more detail as "Option 4: HOLY COW NOT RECOMMENDED!! You can just use sudo all the time for everything, and ignore the incredibly obnoxious warnings telling you that you're insane for doing this."
See: https://github.com/isaacs/npm/tree/7288a137f3ea7fafc9d4e7d0001a8cd044d3a22e#readme
Now it is actually considered a recommended technique of installing npm:
Simple Install - To install npm with one command, do this:
curl http://npmjs.org/install.sh | sudo sh
See: https://github.com/isaacs/npm/tree/99f804f43327c49ce045ae2c105995636c847145#readme
My advice would be to never do it because it means basically this:
find out what the local DNS (or anyone else spoofing the DNS response or poisoning the DNS cache) says is the IP address of npmjs.org
connect with insecure TCP with that IP (or with whoever says it's his IP) on port 80
trust the router that you think you should talk to (or anyone who gave you the DHCP response said you should talk to) to deliver packets to the right host
possibly go through another layer of transparent caching proxy
trust all other networks between you and the other end of the TCP connection
don't know for sure who you are connected with
cross your fingers
request install.sh script over insecure HTTP with no verification whatsoever
and then run whatever was returned by whoever you're talking to with maximum privileges on your machine without even checking what it is.
As you can see this is really, literally, with no exaggeration giving root shell to whatever you get after asking for a script from the Internet over an insecure connection with no verification whatsoever. There are at least 5 different things that can go wrong here, any of which can lead to an attacker taking total control over your machine:
DHCP spoofing
ARP spoofing
DNS cache poisoning
DNS response spoofing
TCP session hijacking
Also note that using 'sh' instead of 'sudo sh' is usually not any less risky unless you run it as a different user who doesn't have access to your private data, which is usually not the case.
You should use HTTPS connections if available to download such scripts so you could at least verify who you are talking to, and even then I wouldn't run it without reading first. Unfortunately npmjs.org has a self-signed certificate so it doesn't really help in this case.
Fortunately npm is available on GitHub that has a valid SSL certificate and from where you can download it using secure connection. See: github.com/isaacs/npm for details. But make sure that the npm itself doesn't use insecure connections to download the files that it downloads - there should be an option in npm config.
Hope it helps. Good luck!
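The alternative to piping a download into a shell is to fetch over HTTPS into a file, compare it with a digest recorded when the script was reviewed, and only then run it without sudo. This is an added example, not part of the answer above: the function names are made up, the pinned digest is assumed to come from a channel other than the download itself, and the demonstration at the end runs offline on a constructed script.

```shell
#!/bin/sh
# Added example: never pipe a download into a shell; pin, verify, then run.

# sha256_of FILE: hex digest, using whichever tool the platform ships.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"
    else shasum -a 256 "$1"; fi | cut -d' ' -f1
}

# verify_pinned FILE SHA256: succeed only if FILE hashes to the pinned value.
verify_pinned() { [ -n "$2" ] && [ "$(sha256_of "$1")" = "$2" ]; }

# fetch_verify_run URL SHA256: HTTPS only (redirects included), digest checked,
# executed as the invoking user rather than through sudo.
fetch_verify_run() {
    tmp=$(mktemp) || return 1
    if ! curl --proto '=https' --proto-redir '=https' --tlsv1.2 -fsSL \
              -o "$tmp" "$1"; then
        rm -f "$tmp"; echo "download failed or not HTTPS: $1" >&2; return 1
    fi
    if verify_pinned "$tmp" "$2"; then
        sh "$tmp"; rc=$?
    else
        echo "digest mismatch, refusing to run: $1" >&2; rc=1
    fi
    rm -f "$tmp"; return "$rc"
}

# Offline demonstration on a constructed script.
demo=$(mktemp)
printf 'echo "installing as $(id -un)"\n' > "$demo"
pin=$(sha256_of "$demo")                 # recorded after reading the script
verify_pinned "$demo" "$pin" && echo "reviewed copy: digest matches"
printf 'echo "extra line added in transit"\n' >> "$demo"
verify_pinned "$demo" "$pin" || echo "modified copy: digest mismatch, not executed"
```
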
The simple answer is web servers should never be run as root for well known security reasons, so this goes for npm commands as well.
To start fresh, remove prior Node.js and npm installs as well as these files/directories:
mv ~/.npmrc ~/.npmrc~prior
mv ~/.npm ~/.npm~prior
mv ~/tmp ~/tmp.~prior
mv ~/.npm-init.js ~/.npm-init.js~prior
Solution: Install Node.js (which comes with npm) as NON root (no sudo)
Download Source Code directly from https://nodejs.org/en/download/
Execute the below as yourself (Linux/OS X)
cd node-v8.1.2 # into expanded source dir
export NODE_PARENT=${HOME}/node-v8.1.2 # put this into your ~/.bashrc
Feel free to change above export to whatever location is appropriate
./configure --prefix=${NODE_PARENT}
make -j4 # for dual core ... use -j8 for quad core CPU
make install
which puts the binaries for Node.js and npm as well as its modules repository into $NODE_PARENT, a $USER owned dir which then allows you to issue subsequent npm install xxx commands as yourself.
To reach the binaries for node and npm alter your PATH environment variables in your ~/.bashrc:
export PATH=${NODE_PARENT}/bin:${PATH}
export NODE_PATH=${NODE_PARENT}/lib/node_modules
Then to install packages into that directory (global), as opposed to the current directory (local) always pass in the -g flag (global):
npm install -g someModule
NOTE - at no time are you executing anything npm or node related as root / sudo.
Another reason for not installing NPM packages under root is that it will cause you to face file access problem with packages that are using node-gyp (ex: node-sass) because it builds C++ libs and those are not in the local node_modules folder.
