gitolite: PTY allocation request failed on channel 0 - gitolite

Both jenkins (the ci-server) and my git repository are hosted on the same server. The git repo is controlled by gitolite. If I access the repository from outside, for instance from my workstation I get
ssh git#arrakis
PTY allocation request failed on channel 0
hello simou, this is git#arrakis running gitolite3 v3.0-12-ge0ed141 on git 1.7.3.4
R W testing
Connection to arrakis closed.
Which is fine I guess (besides the PTY... warning)
Now back to the server, I'd like jenkins to be able to connect to my git repository as well.
jenkins#arrakis:~> ssh git#arrakis
gitolite: PTY allocation request failed on channel 0
Logging onto arrakis as user git (the gitolite user):
git#arrakis:~> cat ~git/.ssh/authorized_keys
command="/home/git/gitServer/gitolite/src/gitolite-shell jenkins",no-port-forwarding,no-x11-forwarding,no-agent-forwarding,no-pty ssh-rsa <PUBLIC-KEY> jenkins#arrakis
The "no-pty" entry made me suspicious, so I removed it from authorized_keys and tried again:
jenkins#arrakis:~> ssh git#arrakis
hello jenkins, this is git#arrakis running gitolite3 v3.0-12-ge0ed141 on git 1.7.3.4
R W testing
Connection to arrakis closed.
This solves my issue at this point, but I'm not sure about the consequences of removing "no-pty".
And why does it only affect the local access, since the remote access doesn't seem to be affected at all?
openSUSE 11.4 (x86_64)
VERSION = 11.4
CODENAME = Celadon

The difference in behavior between your workstation and your server is likely due to using different versions of the OpenSSH client (ssh) on each system (not remote versus local). The client will request a pty from the server unless -T is given, or the RequestTTY configuration option is set to no (the latter was first available in OpenSSH 5.9). The difference in behavior arises in how the client deals with having this request denied by the server (e.g. because no-pty is given in the applicable authorized_keys entry):
Before OpenSSH 5.6:
the client will display the “PTY allocation request failed” message, and
continue in “no pty” mode
In OpenSSH 5.6-5.8:
the client will display the “PTY allocation request failed” message, and
abort the connection
In OpenSSH 5.9 (and later):
the client will display the “PTY allocation request failed” message, and
if -t was not given, and RequestTTY is auto (the default), then
continue in “no pty” mode
else (-t given, or the RequestTTY configuration option is yes or force)
abort the connection
Since your server’s ssh appears to abort when its pty allocation request is rejected, it is probably running OpenSSH 5.6-5.8 (at least for the client binary). Likewise, since your workstation’s ssh shows the warning, but continues, it is probably running an OpenSSH from before 5.6, or one that is 5.9-or-later. You can check your versions with ssh -V.
You can prevent the difference in behavior by using always giving the -T option so that the client (any version) never requests a pty from the server:
ssh -T git#YourServer
During actual Git access, the client never tries to allocate a pty because Git will give the client a specific command to run (e.g. ssh server git-upload-pack path/to/repository) instead of requesting an “interactive” session (e.g. ssh server). In other words, no-pty should not have been causing problems for actual Git access; it only affected your authentication testing (depending on which version of the OpenSSH client you were running) because the lack of a command argument causes an implicit pty allocation request (for an “interactive” session).
From the OpenSSH 5.6 release announcement:
Kill channel when pty allocation requests fail. Fixed stuck client
if the server refuses pty allocation (bz#1698)
bz#1698 seems to be a reference to a report logged in the “Portable OpenSSH” Bugzilla.
From the check-in message of OpenSSH clientloop.c rev 1.234:
improve our behaviour when TTY allocation fails: if we are in
RequestTTY=auto mode (the default), then do not treat at TTY
allocation error as fatal but rather just restore the local TTY
to cooked mode and continue. This is more graceful on devices that
never allocate TTYs.
If RequestTTY is set to "yes" or "force", then failure to allocate
a TTY is fatal.

To know why it affects only the local access, you would need to debug it like in this article.
ssh -vvv git#arrakis
If your /etc/ssh/sshd_config SSH daemon config file contains the (un-commented) line SyslogFacility AUTHPRIV, you can have a look at your SSH logs in /var/log/secure.
That being said, check out GitoliteV3: I don't think it uses no-pty in the current setup.

Beside Chris Johnsen very complete answer note that giving explicitely the info command will not show the PTY warning:
ssh git#arrakis info
In that case SSH considers that this is not an interactive session and will not request a TTY.

Related

SSL handshake failed when trying to add remote GitLab account in GitAhead under openSUSE Leap 15

I successfully added remote (private) GitLab account under Windows 10 in GitAhead but under a Linux openSUSE Leap 15 I got "Connection failed: SSL handshake failed".
Note that I can clone, pull, fetch, commit, push in repositories from repositories in the GitLab I want to add, I also tried to reset SSH handshake with:
$ ssh-keygen -R gitlab.mydomain.net
# Host gitlab.mydomain.net found: line 31
/home/user/.ssh/known_hosts updated.
Original contents retained as /home/user/.ssh/known_hosts.old
$ ssh git#gitlab.mydomain.net
The authenticity of host 'gitlab.mydomain.net (<IP>)' can't be established.
ECDSA key fingerprint is SHA256:**************.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'gitlab.mydomain.net,<IP>' (ECDSA) to the list of known hosts.
Welcome to GitLab, #UserName!
Connection to gitlab.mydomain.net closed.
But it still does not work, anyone knows if there is something to configure to allow it under Linux ?
Thanks
For a starter, check the rights on directories on the server-side. The home-dir as well as the .ssh-dir should be treated with chmod 700. The same is true for the key files.
You should aim for a passwordless login on your server. As soon as this works, GitAhead should be fine. If you have a Git-Shell in your server-side /etc/passwd, replace it by /bin/sh for the sake of sending your pubkey: On the client, enter ssh-copy-id -i yourprivatekeyfile somerandomgituser#ipofyourgitserver. After that, if successful, you can reset the /etc/passwd line back to the Git-Shell.

the usage of scp and ssh

I'm newbie to Linux and trying to set up a passphrase-less ssh. I'm following the instructions in this link: http://wiki.hands.com/howto/passphraseless-ssh/.
In the above link, it said:"One often sees people using passphrase-less ssh keys for things like cron jobs that do things like this:"
scp /etc/bind/named.conf* otherdns:/etc/bind/
ssh otherdns /usr/sbin/rndc reload
which is dangerous because the key that's being used here is being offered root write access, when it need not be.
I'm kind of confused by the above commands.
I understand the usage of scp. But for ssh, what does it mean "ssh otherdns /usr/sbin/rndc reload"?
"the key that's being used here is being offered root write access."
Can anyone also help explain this sentence more detail? Based on my understanding, the key is the public key generated by one server and copied
to otherdns. What does it mean "being offered root write access"?
it means to run a command on a remote server.
the syntax is
ssh <remote> <cmd>
so in your case
ssh otherdns /usr/sbin/rndc reload
is basically 4 parts:
ssh: run the ssh executable
otherdns: is the remote server; it's lacking a user information, so the default user (the same as currently logged in; or the one configured in ~/.ssh/config for this remote machine)
/usr/sbin/rndc is a programm on the remote server to be run
reload is an argument to the program to be run on the remote machine
so in plain words, your command means:
run the program /usr/sbin/rndc with the argument reload on the remote machine otherdns

Rsync from Linux to Windows SFTP Server

I'm trying to sync documents to an Windows SFTP server via RSYNC on a Linux Machine.
This is my command
rsync -e ssh /home/antony/Documents/Test user1#172.20.1.18:Test
This is the error
exec request failed on channel 0
rsync connection unexpectedly closed (0 bytes recieved so far)[sender]
rsync error: unexplained error (code 255) at io.c(226) [sender=3.1.0]
The above may happen for several different reasons.
Maybe the SSH subsystem of rsync is refusing the server key, but this is unlikely because from your description seems like the server is "cutting" the connection, not the client.
Another possibility is that there is no SSH/SFTP server listening on the default port on 172.20.1.18
Or maybe password authentication is not enabled on the server, and you need to authenticate via PKI using a key that you (on the client side) do not have...
In any case, the best thing to do is to double check with the administrator who has configured the server side.

SVN With Two-Factor Authentication

I work at an organization with stringent security requirements, sometimes excessively so. My project team is trying to create an SVN repository, and we are having difficulties setting one up to comply with both our needs and our security requirements.
Our IT department requires us to authenticate ourselves with two-factor authentication. Each developer has an RSA token that must be used to log in to the repository host machines via SSH. The value displayed on the token changes once per minute and each value can be used only once.
The developers require the capability to store passwords. This prevents us from using svn+ssh to log in to the repository. Since the RSA token changes once a minute, we can't store the SSH passwords. Worse, the RSA token would reduce us to one SVN operation each minute. This is flatly unacceptable, especially since we have scripts that chain multiple SVN operations together.
We attempted to compromise by opening an SSH tunnel with port forwarding. We would open up a tunnel using ssh user#hostmachine -L 3690:localhost:3690 to forward all SVN requests on our local machine to the secure machine, where an svnserve process was running. This meant we could log in with two-factor authentication, and then use a separate SVN username and password (which could be stored) with our utilities.
Unfortunately, we noticed that we didn't need the tunnel; port 3690 was available to any computer for whom the hostname was visible. This is unacceptable to IT, and our sysadmin thinks that svnserve is the problem, so she is wondering if we have to go back to svn+ssh.
Is there any solution that works? Is our sysadmin correct? Is there an option on svnserve that will force it to listen only to traffic from localhost?
use:
svnserve -dr /my/repo --listen-host 127.0.0.1
This way the service will only listen on the loopback interface. When you connect with ssh use:
ssh -L3690:127.0.0.1:3690 user#svnserver.mycompany.com
also see:
vince#f12 ~ > svnserve --help
usage: svnserve [-d | -i | -t | -X] [options]
Valid options:
-d [--daemon] : daemon mode
-i [--inetd] : inetd mode
-t [--tunnel] : tunnel mode
-X [--listen-once] : listen-once mode (useful for debugging)
-r [--root] ARG : root of directory to serve
-R [--read-only] : force read only, overriding repository config file
--config-file ARG : read configuration from file ARG
--listen-port ARG : listen port
[mode: daemon, listen-once]
--listen-host ARG : listen hostname or IP address
[mode: daemon, listen-once]
-T [--threads] : use threads instead of fork [mode: daemon]
--foreground : run in foreground (useful for debugging)
[mode: daemon]
--log-file ARG : svnserve log file
--pid-file ARG : write server process ID to file ARG
[mode: daemon, listen-once]
--tunnel-user ARG : tunnel username (default is current uid's name)
[mode: tunnel]
-h [--help] : display this help
--version : show program version information
svnserve might have options to only listen on localhost, but this sounds like a firewall configuration issue.
If port 3690 isn't meant to accessible externally, it should be blocked by the firewall. It shouldn't matter whether svnserve or anything else is listening on that port. svnserve can then continue to listen on 3690, but will only receive connections from localhost because others are blocked by the firewall.

Tortoise SVN cannot connect to svnserve of newly created Subversion instance on SuSe Linux Server

I just started a new position where none of the code is in version control. One of my duties is to fix that. I have some space on a SuSe 10 box, and subversion 1.6 is installed. Following the instructions in the O'Reilly Subversion book, I've got a subversion repository with code in it, and svnserve running:
#lsof -i :3690
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
svnserve 15115 xxxxxx 3u IPv6 xxxxxxxx TCP *:svn (LISTEN)
Also, this command works
svnlook cat /home/svn/repos/ /project1/trunk/index.php
However, when I try to connect to the subversion repository from my desktop (running Windows) using TortoiseSVN, I get the error
Can't connect to host 'xxx.xxx.xxx.xxx': A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.
I have tried multiple repository URLs, including:
svn://internalmachinename.internalnetwork.com/project1
svn://machinename/project1
svn://machinename/repos/project1
svn://machinename/svn/repos/project1
svn://xxx.xxx.xxx.xxx/project1/trunk:3690
I don't have access to Cygwin because of the company's firewall policy, so I can't try to connect via the command line.
Before trying to use svn, use the simple ping command to check the connection between the two computers.
Only if that works, go to the next step (which still isn't using svn!): check if you can reach the correct port using telnet.
Then, and only then should you try to use svn to do the connection.
The firewall suggestion was close - it was the firewall on my Windows desktop that was keeping Subversion from connecting.

Resources