
I have an Amazon EC2 cloud server running Ubuntu 12.04.3 LTS (GNU/Linux 3.2.0-52-virtual x86_64). I have GitLab installed using the Bitnami image. SSH cloning of repos does not work.

I cannot log in as git over ssh with an ssh key:

    ➜  front-end git:(develop) ssh -vT git@cloud.redrockrim.org
    OpenSSH_6.2p2, OSSLShim 0.9.8r 8 Dec 2011
    debug1: Reading configuration data /etc/ssh_config
    debug1: /etc/ssh_config line 20: Applying options for *
    debug1: Connecting to cloud.redrockrim.org [54.229.74.10] port 22.
    debug1: Connection established.
    debug1: identity file /Users/redrockrim/.ssh/id_rsa type 1
    debug1: identity file /Users/redrockrim/.ssh/id_rsa-cert type -1
    debug1: identity file /Users/redrockrim/.ssh/id_dsa type -1
    debug1: identity file /Users/redrockrim/.ssh/id_dsa-cert type -1
    debug1: Enabling compatibility mode for protocol 2.0
    debug1: Local version string SSH-2.0-OpenSSH_6.2
    debug1: Remote protocol version 2.0, remote software version OpenSSH_5.9p1 Debian-5ubuntu1.1
    debug1: match: OpenSSH_5.9p1 Debian-5ubuntu1.1 pat OpenSSH_5*
    debug1: SSH2_MSG_KEXINIT sent
    debug1: SSH2_MSG_KEXINIT received
    debug1: kex: server->client aes128-ctr hmac-md5 none
    debug1: kex: client->server aes128-ctr hmac-md5 none
    debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
    debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
    debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
    debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
    debug1: Server host key: RSA 54:52:a4:7c:bf:45:bc:89:b5:7f:ae:59:2d:d6:e2:11
    debug1: Host 'cloud.redrockrim.org' is known and matches the RSA host key.
    debug1: Found key in /Users/redrockrim/.ssh/known_hosts:1
    debug1: ssh_rsa_verify: signature correct
    debug1: SSH2_MSG_NEWKEYS sent
    debug1: expecting SSH2_MSG_NEWKEYS
    debug1: SSH2_MSG_NEWKEYS received
    debug1: Roaming not allowed by server
    debug1: SSH2_MSG_SERVICE_REQUEST sent
    debug1: SSH2_MSG_SERVICE_ACCEPT received
    debug1: Authentications that can continue: publickey,password
    debug1: Next authentication method: publickey
    debug1: Offering RSA public key: /Users/redrockrim/.ssh/id_rsa
    debug1: Authentications that can continue: publickey,password
    debug1: Trying private key: /Users/redrockrim/.ssh/id_dsa
    debug1: Next authentication method: password
    git@cloud.redrockrim.org's password: 

I can log in using ssh as a different user I created:

    ➜  front-end git:(develop) ssh -vT redrockrim@cloud.redrockrim.org
    OpenSSH_6.2p2, OSSLShim 0.9.8r 8 Dec 2011
    debug1: Reading configuration data /etc/ssh_config
    debug1: /etc/ssh_config line 20: Applying options for *
    debug1: Connecting to cloud.redrockrim.org [54.229.74.10] port 22.
    debug1: Connection established.
    debug1: identity file /Users/redrockrim/.ssh/id_rsa type 1
    debug1: identity file /Users/redrockrim/.ssh/id_rsa-cert type -1
    debug1: identity file /Users/redrockrim/.ssh/id_dsa type -1
    debug1: identity file /Users/redrockrim/.ssh/id_dsa-cert type -1
    debug1: Enabling compatibility mode for protocol 2.0
    debug1: Local version string SSH-2.0-OpenSSH_6.2
    debug1: Remote protocol version 2.0, remote software version OpenSSH_5.9p1 Debian-5ubuntu1.1
    debug1: match: OpenSSH_5.9p1 Debian-5ubuntu1.1 pat OpenSSH_5*
    debug1: SSH2_MSG_KEXINIT sent
    debug1: SSH2_MSG_KEXINIT received
    debug1: kex: server->client aes128-ctr hmac-md5 none
    debug1: kex: client->server aes128-ctr hmac-md5 none
    debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
    debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
    debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
    debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
    debug1: Server host key: RSA 54:52:a4:7c:bf:45:bc:89:b5:7f:ae:59:2d:d6:e2:11
    debug1: Host 'cloud.redrockrim.org' is known and matches the RSA host key.
    debug1: Found key in /Users/redrockrim/.ssh/known_hosts:1
    debug1: ssh_rsa_verify: signature correct
    debug1: SSH2_MSG_NEWKEYS sent
    debug1: expecting SSH2_MSG_NEWKEYS
    debug1: SSH2_MSG_NEWKEYS received
    debug1: Roaming not allowed by server
    debug1: SSH2_MSG_SERVICE_REQUEST sent
    debug1: SSH2_MSG_SERVICE_ACCEPT received
    debug1: Authentications that can continue: publickey,password
    debug1: Next authentication method: publickey
    debug1: Offering RSA public key: /Users/redrockrim/.ssh/id_rsa
    debug1: Server accepts key: pkalg ssh-rsa blen 277
    debug1: read PEM private key done: type RSA
    debug1: Authentication succeeded (publickey).
    Authenticated to cloud.redrockrim.org ([54.229.74.10]:22).
    debug1: channel 0: new [client-session]
    debug1: Requesting no-more-sessions@openssh.com
    debug1: Entering interactive session.
    debug1: Sending environment.
    debug1: Sending env LANG = en_IE.UTF-8
    debug1: Sending env LC_CTYPE = en_IE.UTF-8
    Welcome to Ubuntu 12.04.3 LTS (GNU/Linux 3.2.0-52-virtual x86_64)
           ___ _ _   _  _            _  
          | _ |_) |_| \| |__ _ _ __ (_) 
          | _ \ |  _| .` / _` | '  \| | 
          |___/_|\__|_|\_\__,_|_|_|_|_| 

      *** Welcome to the BitNami GitLab 6.0.0-0 ***
      *** BitNami Wiki:   http://wiki.bitnami.com/ ***
      *** BitNami Forums: http://community.bitnami.com/ ***

What can I try to fix this issue?

Billy Moon
  • On your local machine, run `ssh-keygen -y -f /Users/redrockrim/.ssh/id_rsa` to print out your public key portion. Assuming you have sudo / root access check the contents of `~/.ssh/authorized_keys` for the git@cloud.redrockrim.org user. If you have checked this file and confirm that your public key appears exactly as reported by `ssh-keygen`, could you post a comment confirming this and we'll explore other options. – plasmid87 Nov 14 '13 at 11:35
  • I checked the authorized_keys file for the git user, and found the key was defined with a command prefix `command="/opt/bitnami/apps/gitlab/gitlab-shell/bin/gitlab-shell key-3",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa AAAAB3...MORE_RSA_KEY_DATA...5sxG8Q== billy@redrockrim.org`. I then added my key by hand, and tried removing all other keys, so can confirm the keys match my local machine keys. – Billy Moon Nov 14 '13 at 13:16

1 Answer

SSH facilities can be suppressed by adding options to the beginning of a key in authorized_keys. What's happening here is the server is preventing your git user from having complete/open access to the server with that specific key, but rather only allows a very targeted connection... which is what you'd normally want.

If you want to connect as that user you'd remove the preamble before ssh-rsa, although it's all there for good reason. You can still connect as another user and su git once you're on the server... if it's important to be that user for some reason.

The options mean:

    command="/opt/bitnami/apps/gitlab/gitlab-shell/bin/gitlab-shell key-3"

Means that this command is executed whenever the connection is made. No command can be supplied by the user.

    no-port-forwarding

Prevents TCP forwarding.

    no-X11-forwarding

Prevents X11 forwarding.

    no-agent-forwarding

Prevents agent forwarding.

    no-pty

Prevents TTY allocation - what you likely mostly use in ssh to execute commands on the remote server.

These can all be found on the ssh(8) man page.

Rudu
  • This is a very useful breakdown of the commands. It does not solve my problem. I do need the git user to have key based authentication, to allow `git clone git@server.com/user/repo.git`. For the sake of troubleshooting, I tried replacing all the lines in authorized_keys with only the part from `ssh-rsa ... etc...` and it still does not work. – Billy Moon Nov 14 '13 at 16:21
  • I just checked, and it is `-rw-rw-r-- 1 git git 2135 Nov 14 10:27 /home/git/.ssh/authorized_keys` that I am modifying, and there is no `authorized_keys2`. – Billy Moon Nov 14 '13 at 16:50
  • What does `grep "git" /etc/passwd` show on the server? Update `/etc/ssh/sshd_config` line `LogLevel` to `DEBUG1` (or higher) `service restart sshd` and see what `/var/log/auth.log` shows on the server for the connection attempt {don't forget to switch it back to `INFO` later} – Rudu Nov 14 '13 at 19:19
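The two checks discussed in this thread (does the key printed by `ssh-keygen -y` actually appear in `authorized_keys`, and what do the leading options on that line restrict) can be scripted. The following is an added example, not code from the question, the answer, or gitlab-shell: it parses `authorized_keys` lines the way sshd reads them (an options field ends at the first unquoted space, values may be quoted and contain commas), checks that the base64 blob really encodes the declared key type (a hand-pasted key that lost or gained a character fails this), and reports the restrictions the answer lists. The `authorized_keys` content and key blobs are constructed placeholders; only the forced-command path is taken from the comment above.

```python
"""Inspect OpenSSH authorized_keys entries: which entry matches a public key, and
what its options restrict. Added example; sample data below is constructed."""
import base64
import struct

KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")


def _read_options(line):
    """Split off the leading options field; it ends at the first unquoted whitespace."""
    i, quoted = 0, False
    while i < len(line):
        c = line[i]
        if c == "\\" and quoted:          # backslash-escaped character inside quotes
            i += 2
            continue
        if c == '"':
            quoted = not quoted
        elif c.isspace() and not quoted:
            break
        i += 1
    return line[:i], line[i:].lstrip()


def _split_options(text):
    """Parse 'a,b="x,y",c' into {'a': True, 'b': 'x,y', 'c': True}; names are case-insensitive."""
    items, buf, quoted, i = [], [], False, 0
    while i < len(text):
        c = text[i]
        if c == "\\" and quoted and i + 1 < len(text):
            buf.append(text[i + 1])
            i += 2
            continue
        if c == '"':
            quoted = not quoted
        elif c == "," and not quoted:
            items.append("".join(buf))
            buf = []
        else:
            buf.append(c)
        i += 1
    if buf:
        items.append("".join(buf))
    options = {}
    for item in items:
        name, sep, value = item.partition("=")
        options[name.lower()] = value if sep else True
    return options


def blob_key_type(blob):
    """Key type embedded in the base64 blob (first length-prefixed string), or None if malformed."""
    try:
        raw = base64.b64decode(blob, validate=True)
        (n,) = struct.unpack(">I", raw[:4])
        return raw[4:4 + n].decode("ascii") if 4 + n <= len(raw) else None
    except (ValueError, struct.error):
        return None


def parse_authorized_key(line):
    """Parse one authorized_keys line; None for blank, comment, or unparseable lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    if line.split(None, 1)[0] in KEY_TYPES:      # no options field at all
        options, rest = {}, line
    else:
        opts_text, rest = _read_options(line)
        options = _split_options(opts_text)
    parts = rest.split(None, 2)
    if len(parts) < 2 or parts[0] not in KEY_TYPES:
        return None
    return {"options": options, "type": parts[0], "key": parts[1],
            "comment": parts[2] if len(parts) == 3 else "",
            "blob_ok": blob_key_type(parts[1]) == parts[0]}


def restrictions(entry):
    """What a session authenticated with this entry may do, per its options."""
    o = entry["options"]
    return {"forced_command": o.get("command"),
            "pty": "no-pty" not in o,
            "port_forwarding": "no-port-forwarding" not in o,
            "x11_forwarding": "no-x11-forwarding" not in o,
            "agent_forwarding": "no-agent-forwarding" not in o}


def find_key(entries, pubkey_line):
    """Match the line printed by `ssh-keygen -y -f <private key>` (type + blob; comment ignored)."""
    parts = pubkey_line.split()
    if len(parts) < 2:
        return None
    return next((e for e in entries if e["type"] == parts[0] and e["key"] == parts[1]), None)


def _fake_blob(ktype):
    """Constructed blob with a valid type prefix; placeholder bytes, not a real key."""
    return base64.b64encode(struct.pack(">I", len(ktype)) + ktype.encode()
                            + b"\x00\x00\x00\x03\x01\x00\x01"
                            + b"\x00\x00\x00\x04\x00\xde\xad\xbe").decode()


GITLAB_CMD = "/opt/bitnami/apps/gitlab/gitlab-shell/bin/gitlab-shell key-3"
AUTHORIZED_KEYS = "\n".join([
    "# constructed sample; first line has the shape quoted in the question comments",
    'command="%s",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa %s billy@redrockrim.org'
    % (GITLAB_CMD, _fake_blob("ssh-rsa")),
    "ssh-ed25519 %s admin laptop" % _fake_blob("ssh-ed25519"),
    "ssh-rsa AAAAB3NotValidBase64!! hand-pasted garbage",   # damaged blob
])
ENTRIES = [e for e in (parse_authorized_key(l) for l in AUTHORIZED_KEYS.splitlines()) if e]

if __name__ == "__main__":
    local_pub = "ssh-rsa %s billy@redrockrim.org" % _fake_blob("ssh-rsa")  # as ssh-keygen -y would print
    for e in ENTRIES:
        print(e["type"], "blob_ok=%s" % e["blob_ok"], restrictions(e))
    print("local key present:", find_key(ENTRIES, local_pub) is not None)
```

Running it against a real file is `ENTRIES = [... for l in open("/home/git/.ssh/authorized_keys")]` with `local_pub` set to the `ssh-keygen -y` output; a `blob_ok=False` entry means the key data itself was mangled, which sshd will reject silently on the client side and report only in `auth.log` at the debug level Rudu mentions.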