I have a fresh gitlab-omnibus installation on a CentOS 6 box, I have configured it correctly and can access the web interface, I've added my SSH key however when I try to Git Clone a newly setup repo, I am asked for a password for the Git user via SSH. I have tried this with three different machines and three different accounts, and still the issue persists.
Here is the output from a verbose SSH
╭─jacobclark#Jacobs-MacBook-Pro ~
╰─$ ssh -vT git#gitlab 130 ↵
OpenSSH_6.2p2, OSSLShim 0.9.8r 8 Dec 2011
debug1: Reading configuration data /etc/ssh_config
debug1: /etc/ssh_config line 20: Applying options for *
debug1: Connecting to gitlab [37.26.93.221] port 22.
debug1: Connection established.
debug1: identity file /Users/jacobclark/.ssh/id_rsa type 1
debug1: identity file /Users/jacobclark/.ssh/id_rsa-cert type -1
debug1: identity file /Users/jacobclark/.ssh/id_dsa type -1
debug1: identity file /Users/jacobclark/.ssh/id_dsa-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.2
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
debug1: match: OpenSSH_5.3 pat OpenSSH_5*
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Server host key: RSA a1:62:aa:51:0c:20:f3:3e:10:17:c7:20:a4:0b:7b:16
debug1: Host 'gitlab.' is known and matches the RSA host key.
debug1: Found key in /Users/jacobclark/.ssh/known_hosts:1
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /Users/jacobclark/.ssh/id_rsa
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Trying private key: /Users/jacobclark/.ssh/id_dsa
debug1: Next authentication method: password
git#gitlab's password:
You need to turn off selinux: setenforce 0
I had the exact same issue on CentOs, turned out to be due to Centrify being used to manage ssh keys, which is non standard, but part of our corporate server management processes.
I'm not overly familiar with Centrify as its managed by another team, but I resolved this issue by creating a sym link from the gitlab authorised-keys file into /etc/sshd/auth-keys/git.
The authorizedkeys file value gave me the location the sym link needed to go to, determined with sshd -T
Resulting in this resolving my issue:
ln -s /var/opt/gitlab/.ssh/authorized_keys /etc/ssh/auth-keys/git
Related
I am setting up ssh with public key access, I think I have correctly configured sshd_config and generate id_rsa.pub and authorized_keys.
ssh-kengen -t rsa
cd .ssh
cat id_rsa.pub >> authorized_keys
I also set the permission for these files
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys
When I try sudo ssh localhost, it works and no password is asked, but logged in as root.
But when I try ssh localhost, It is still asking for password.
logs generated during this are :-
OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to localhost [127.0.0.1] port 22.
debug1: Connection established.
debug1: identity file /home/cwei/.ssh/identity type -1
debug1: identity file /home/cwei/.ssh/identity-cert type -1
debug1: identity file /home/cwei/.ssh/id_rsa type 1
debug1: identity file /home/cwei/.ssh/id_rsa-cert type -1
debug1: identity file /home/cwei/.ssh/id_dsa type -1
debug1: identity file /home/cwei/.ssh/id_dsa-cert type -1
debug1: identity file /home/cwei/.ssh/id_ecdsa type -1
debug1: identity file /home/cwei/.ssh/id_ecdsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
debug1: match: OpenSSH_5.3 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.3
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'localhost' is known and matches the RSA host key.
debug1: Found key in /home/cwei/.ssh/known_hosts:1
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-
with-mic,password
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure. Minor code may provide more information
Credentials cache file '/tmp/krb5cc_604' not found
debug1: Unspecified GSS failure. Minor code may provide more information
Credentials cache file '/tmp/krb5cc_604' not found
debug1: Unspecified GSS failure. Minor code may provide more information
debug1: Unspecified GSS failure. Minor code may provide more information
Credentials cache file '/tmp/krb5cc_604' not found
debug1: Next authentication method: publickey
debug1: Trying private key: /home/cwei/.ssh/identity
debug1: Offering public key: /home/cwei/.ssh/id_rsa
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Trying private key: /home/cwei/.ssh/id_dsa
debug1: Trying private key: /home/cwei/.ssh/id_ecdsa
debug1: Next authentication method: password
cwei#localhost's password:
Ssh public key access is user based. The configuration may be done for the root user. It needs to be done for the local user by configuring local users local .ssh directory.
I have two servers identified as server-1 - 192.168.3.128 and server-2 - 192.168.3.130. I am setting up capifony for automatic deployment from server-1 to server-2 and this is what I have done so far:
In both servers I have created a user deploy without password since that's the user I will use for deployment.
In server-1 I setup a SSH keys by running the command: ssh-keygen and I leave without pass-phrase and default directories.
I have copied the content of /home/deploy/.ssh/id_rsa.pub at server-1 into server-2 at /home/deploy/.ssh/authorized_keys.
From server-1 I try to reach server-2 by running ssh deploy#192.168.3.130 and it's asking for a password (below is the output)
$ ssh deploy#192.168.3.130
The authenticity of host '192.168.3.130 (192.168.3.130)' can't be established.
RSA key fingerprint is 3c:81:da:7a:78:0f:b0:2f:44:3b:62:fb:c9:6f:33:86.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.3.130' (RSA) to the list of known hosts.
deploy#192.168.3.130's password:
This is the -v output of the command above:
OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to 192.168.3.130 [192.168.3.130] port 22.
debug1: Connection established.
debug1: identity file /home/deploy/.ssh/identity type -1
debug1: identity file /home/deploy/.ssh/identity-cert type -1
debug1: identity file /home/deploy/.ssh/id_rsa type 1
debug1: identity file /home/deploy/.ssh/id_rsa-cert type -1
debug1: identity file /home/deploy/.ssh/id_dsa type -1
debug1: identity file /home/deploy/.ssh/id_dsa-cert type -1
debug1: identity file /home/deploy/.ssh/id_ecdsa type -1
debug1: identity file /home/deploy/.ssh/id_ecdsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
debug1: match: OpenSSH_5.3 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.3
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host '192.168.3.130' is known and matches the RSA host key.
debug1: Found key in /home/deploy/.ssh/known_hosts:1
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure. Minor code may provide more information
Cannot determine realm for numeric host address
debug1: Unspecified GSS failure. Minor code may provide more information
Cannot determine realm for numeric host address
debug1: Unspecified GSS failure. Minor code may provide more information
debug1: Unspecified GSS failure. Minor code may provide more information
Cannot determine realm for numeric host address
debug1: Next authentication method: publickey
debug1: Trying private key: /home/deploy/.ssh/identity
debug1: Offering public key: /home/deploy/.ssh/id_rsa
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Trying private key: /home/deploy/.ssh/id_dsa
debug1: Trying private key: /home/deploy/.ssh/id_ecdsa
debug1: Next authentication method: password
deploy#192.168.3.130's password:
Why? What I am doing wrong?
In addition to running the client in verbose mode, start a new server instance in debug mode on another port:
server-2 as root:
# /usr/sbin/sshd -p 9999 -d
Then connect in verbose mode to that server on the same port:
server-1 as deploy
$ ssh -vvv -p 9999 server-2
9/10 it has to do with permissions.
(I am very new to git and version control. ) I have several bash scripts that perform nightly backups- I also have a cronjob already set up,. Executing a single script at a time also requires the password even though I have tried my best to enable the scripts to perform ssh authentication but I keep getting prompted for my stash password when they execute(I have looked at several online resources but I think I keep going around in circles- not reaching anywhere close to the solution), if I could get my scripts to execute via ssh authentication then I can go ahead and run the cron job successfully.
I have already created the public - private key pair and my public key has been added to the Stash Project.
A ssh -v 'username'#'server' gives the following output :
`OpenSSH_5.3p1, OpenSSL 1.0.0-fips 29 Mar 2010
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to dbstore1 [10.4.2.3] port 22.
debug1: Connection established.
debug1: identity file /home/<myusername>/.ssh/identity type -1
debug1: identity file /home/<myusername>/.ssh/id_rsa type 1
debug1: identity file /home/<myusername>/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
debug1: match: OpenSSH_5.3 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.3
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'dbstore1' is known and matches the RSA host key.
debug1: Found key in /home/<myusername>/.ssh/known_hosts:2
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Next authentication method: publickey
debug1: Trying private key: /home/<myusername>/.ssh/identity
debug1: Offering public key: /home/<myusername>/.ssh/id_rsa
debug1: Server accepts key: pkalg ssh-rsa blen 277
debug1: read PEM private key done: type RSA
debug1: Authentication succeeded (publickey).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions#openssh.com
debug1: Entering interactive session.
debug1: Sending environment.
debug1: Sending env LANG = en_US.UTF-8
`
So looking at the above result- the authentication using the SSH public key is successful for my user account, right?
Now, the problem comes in when i execute the schema backup script - sudo ./script.sh
It keeps asking me for my (stash) password when it is about to commit/push. Also, I noticed that when I supply the password and there is a successful commit on Stash - the author is displayed as 'root'.
So my SSH public key is set up for MY user account but the commits are made from root - Could this be a cause of why ssh login doesn't work for me ?
I'm trying to connect to an embedded board of mine through ssh. But upon trying to connect through ssh -v -l root user#xx.xx.xx.xx, I get a series of debug comments:
dico#lithya:~$ sudo ssh -v -l root dico#foxboard2
OpenSSH_5.9p1 Debian-5ubuntu1, OpenSSL 1.0.1 14 Mar 2012
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 22: Applying options for *
debug1: Connecting to foxboard2 [10.251.145.180] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: identity file /root/.ssh/id_rsa type -1
debug1: identity file /root/.ssh/id_rsa-cert type -1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: identity file /root/.ssh/id_dsa-cert type -1
debug1: identity file /root/.ssh/id_ecdsa type -1
debug1: identity file /root/.ssh/id_ecdsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.5p1 Debian-6
debug1: match: OpenSSH_5.5p1 Debian-6 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.9p1 Debian-5ubuntu1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Server host key: RSA 18:14:33:1e:88:5f:ad:13:78:9f:36:10:b9:d2:27:e4
debug1: Host 'foxboard2' is known and matches the RSA host key.
debug1: Found key in /root/.ssh/known_hosts:1
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Trying private key: /root/.ssh/id_rsa
debug1: Trying private key: /root/.ssh/id_dsa
debug1: Trying private key: /root/.ssh/id_ecdsa
debug1: No more authentication methods to try.
Permission denied (publickey,password).
The connection is being established through port 22 so that isn't the problem. So, clearly there is a problem with public/private key authentication. Therefore, how can I make sure that the private/public keys through both my machine and the board are in sync? Or better yet, how do I solve this issue or completely remove any keys?
UPDATE
I've tried to connect to the board by specifying no public key authentication by ssh -o PubkeyAuthentication=no dico#foxboard2, but now it's asking me for a password. I've checked the site but the password I type is incorrect. How can I remove a password request?
You can copy your public key to the server using:
ssh-copy-id user#xx.xx.xx.xx
It is always better to use keys than passwords.
Make sure your ~/.ssh directory is set to mode 700 (chmod 700 ~/.ssh) and your ~/.ssh/authorized_keys is set to mode 600 (chmod 600 ~/.ssh/authorized_keys).
In your /etc/ssh/sshd_config file set PasswordAuthentication no to turn off password logins.
I can ssh to my linux instance using the following:
ssh -i dj_mongo.pem -v ec2-user#xxx.compute-1.amazonaws.com
But whenever I am trying to copy file from the local computer to server, I am getting the following errors:
scp -i dj_mongo.pem ck.pem root#xxx.compute-1.amazonaws.com:/
Please login as the ec2-user user rather than root user.
scp -i dj_mongo.pem ck.pem ec2-user#xxx.compute-1.amazonaws.com:/
Permission denied (publickey).
lost connection
Both dj_mongo-pem and ck.pem has permissions 600.
Output from terminal is copied below:
Applying options for *
debug1: Connecting to xxx.compute-1.amazonaws.com [xxx] port 22.
debug1: Connection established.
debug1: identity file dj_mongo.pem type -1
debug1: identity file dj_mongo.pem-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
debug1: match: OpenSSH_5.3 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.6
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'xxx.compute-1.amazonaws.com' is known and matches the RSA host key.
debug1: Found key in /Users/sadmin/.ssh/known_hosts:6
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /Users/sadmin/.ssh/github_rsa
debug1: Authentications that can continue: publickey
debug1: Trying private key: dj_mongo.pem
debug1: read PEM private key done: type RSA
debug1: Authentications that can continue: publickey
debug1: No more authentication methods to try.
Permission denied (publickey).
lost connection
How can I proceed with that?
Please help.
EDITED
Now I can't ssh anymore. I am using the same key as yesterday.
In a typical verbose scp output
debug1: Trying private key: dj_mongo.pem
debug1: read PEM private key done: type RSA
debug1: Authentication succeeded (publickey).
Authenticated to your.server.com ([i.p.v.4]:22).
In your output, after reading the private PEM key, it is skipping it.
Few obvious things -
Was the server launched with a same key corresponding to dj_mongo.pem?
Are you connecting to the same server?
I wasn't able to find out what was a reason of my problem.
I ended it up by creating new Linux Instance, and attaching the EBS of my old instance that stopped responding to it.
I could be wrong, but many flavors of linux block SSH/SCP access via root user. Especially if you're using Amazon AMI, they set up a root user known as ec2-user, which you should have already uploaded your pem key to, so you should be all set on logging in as this user.