
Using Gitolite on an Ubuntu server. I have a project I'm working on that needs a particular syntax for the git command.

Works great:

git clone gitolite@servername:testing.git

Asks for a password

git clone ssh://gitolite@servername/home/gitolite/repositories/testing.git

Ran from the same box, one after the other. I can put in the password and it works, but I need it to work automatically. Sounds like a problem with SSH pub/private keys. Any ideas?

Update: It was a problem with file permissions. Not sure of the difference between the two commands, but /var/log/auth.log showed some errors.

Dmitrii Sidenko
Dishcandanty
  • The commands are running as two different users - the first is using gitolite and the second is as the git user. If you need the second to work without a password prompt then remove the password protection from the private key file. If you're using gitolite then you should never use the second option, as you are bypassing gitolite and using SSH directly. – Abe Voelker Sep 17 '12 at 21:28
  • Also be sure what is asking for a password. Is your local pub/private key armored and does it need a password to decrypt? 'ssh-add' can help unlock the armored local private key, with 'ssh-add -l' to list. Are you sure it is the server asking for a password and not the local SSH client? – Darryl Miles Sep 17 '12 at 21:36
  • After ssh-add adding of my identity it is still asking for a password. I created a new pub/priv key when starting. Didn't use a passphrase. – Dishcandanty Sep 17 '12 at 21:45
  • FWIW I run my special SSH server for git on port 19418 with an sshd_config that has "PasswordAuthentication no" and "AllowUsers git" and a number of other lockdowns. This may not be possible for you using standard SSH port 22 as you may need shell access. But it helps diagnose problem. – Darryl Miles Sep 17 '12 at 21:50
  • So you are running a second instance of your ssh server with that configuration? – Dishcandanty Sep 17 '12 at 22:06
  • Yes exactly. Copy /etc/sshd/sshd_config and edit. Copy /etc/init.d/sshd to sshd-git and edit (ensuring to use the alternative main config location). Enable init scripts to start on bootup via /sbin/chkconfig. I am using a CentOS server. You need to add the colon port number syntax in the clone URL for ssh:// URLs, like :19418, that ends up in .git/config for [remote "origin"] url = ........ – Darryl Miles Sep 17 '12 at 22:22

3 Answers


You need to set up ~gitolite/.ssh/authorized_keys with a line like

command="/home/gitolite/bin/gl-auth-command <USERNAME>",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa AAAA...KEY.HERE...ZZZZ== user@label

A random URL with info relating to this (see the bottom of the page)

http://www.geekgumbo.com/2011/10/18/ssh-and-the-gitolite-installation-part-2/

Be sure to change the ownership and permissions of ~gitolite/.ssh/authorized_keys as per SSH requirements, with:

chown gitolite: ~gitolite/.ssh/authorized_keys
chmod go-w ~gitolite/.ssh/authorized_keys

EDIT: to reflect your edits changing 'git' to 'gitolite' system username.

Test your access from the client with:

ssh -l gitolite -i <file_id_rsa_foobar> -v -o PasswordAuthentication=no -T <host>

Adding -T seems to be needed on my local system to get the banner (typed in, excuse mistakes):

....
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/username/.ssh/id_rsa_foobar
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering DSA public key: /home/username/.ssh/id_dsa_foobar
debug1: Remote: Forced command: /home/gitolite/bin/gl-auth/command <username>
....
hello <username> this is gitolite vX.X.XX-g0123abcd running on git X.X.X
the gitolite config gives you the following access:
    R   W    mydir/project1
....
Darryl Miles
  • Right, I have: command="/usr/share/gitolite/gl-auth-command dav",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa KEYKEY username@host which is why the first command works, if I'm guessing right – Dishcandanty Sep 17 '12 at 21:31
  • So when that key is correctly used, the gitolite system will treat the userid as "dav" but you may need to add lines into the file one per user. – Darryl Miles Sep 17 '12 at 21:33
  • @DarrylMiles `gl-auth-command` is gitolite v2, please upgrade to V3. – VonC Sep 17 '12 at 21:34
  • @VonC I'll bear that in mind, v2 is working well for me and no compelling reason to upgrade (have other more useful work to do). Usage is on private network here. – Darryl Miles Sep 17 '12 at 21:51
  • Command Output (trimmed): debug1: Host 'servername' is known and matches the RSA host key. Permission denied (publickey,password). debug1: Found key in /h/d/.ssh/known_hosts:1 debug1: ssh_rsa_verify: signature correct debug1: SSH2_MSG_NEWKEYS received debug1: Roaming not allowed by server debug1: SSH2_MSG_SERVICE_REQUEST sent debug1: SSH2_MSG_SERVICE_ACCEPT received debug1: Authentications that can continue: publickey,password debug1: Next authentication method: publickey debug1: Offering RSA public key: id_rsa debug1: Offering RSA public key: u@h debug1: No more authentication methods to try. – Dishcandanty Sep 17 '12 at 21:57
  • Are you 100% sure the "-i " is the SAME key you have installed on the server in authorized_keys file (it is the *.pub part you put on the server) ? Have you looked in /var/log/messages and /var/log/secure (on server) for any SSH warnings (maybe due to incorrect ownership/file permissions of key files) – Darryl Miles Sep 17 '12 at 22:09
  • @DarrylMiles It is for sure the same key. Scp'd it over just in case it was messed up. Ubuntu auth.log shows: Authentication refused: bad ownership or modes for directory /home/gitolite/.ssh that dir: drw-rw-rw- 2 gitolite gitolite 4.0K Sep 17 23:34 .ssh – Dishcandanty Sep 17 '12 at 22:16
  • @DarrylMiles Found an issue with that. Changed the permissions so SSHD was happy. It doesn't like group write permissions. http://recursive-design.com/blog/2010/09/14/ssh-authentication-refused/ Errors gone away, but still requiring a password – Dishcandanty Sep 17 '12 at 22:24
  • It will not like world write permission either. 'chmod 600 ~gitolite/.ssh' a similar lockdown to in my answer. drw------- gitolite gitolite (even stricter lockdown as per your URL) – Darryl Miles Sep 17 '12 at 22:27
  • @DarrylMiles Yup, that did it, it was a permissions thing – Dishcandanty Sep 17 '12 at 23:48
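A small auditor for the authorized_keys format the answer above describes, as an added example that is not part of the answer or of gitolite: it parses each line the way sshd does (options field, key type, key data, comment; a double-quoted option value may contain commas and spaces) and flags any key on the gitolite account that lacks the forced command or one of the no-* restrictions. The sample lines and key material are constructed, and the `gitolite-shell` command name is assumed from gitolite v3 rather than taken from this page.

```python
"""Audit an authorized_keys file for gitolite-style forced-command entries.
Added example (not the question's or gitolite's code); sample keys are fake."""
from dataclasses import dataclass, field

# Key types sshd accepts at the start of the key field.
KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ssh-dss", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")
# Restrictions gitolite puts on every key it installs; without them a key on
# the gitolite account keeps more than the forced git command.
REQUIRED_RESTRICTIONS = ("no-port-forwarding", "no-X11-forwarding",
                         "no-agent-forwarding", "no-pty")
# gl-auth-command is gitolite v2 (as in the answer); gitolite-shell is the v3
# name (assumed from gitolite v3, not stated on the page).
GITOLITE_COMMANDS = ("gl-auth-command", "gitolite-shell")


@dataclass
class KeyEntry:
    line_no: int
    options: dict          # option name -> value, or True for bare flags
    key_type: str
    comment: str
    problems: list = field(default_factory=list)


def split_options(text):
    """Split the options field at top-level commas; double-quoted values may
    contain commas and spaces, and a backslash escapes the next character."""
    opts, cur, inq, i = [], [], False, 0
    while i < len(text):
        c = text[i]
        if inq and c == "\\" and i + 1 < len(text):
            cur.append(text[i + 1])
            i += 2
            continue
        if c == '"':
            inq = not inq
        elif c == "," and not inq:
            opts.append("".join(cur))
            cur = []
        else:
            cur.append(c)
        i += 1
    opts.append("".join(cur))
    result = {}
    for opt in filter(None, opts):
        name, eq, value = opt.partition("=")
        result[name] = value if eq else True
    return result


def parse_line(line_no, line):
    """Parse one line; returns None for blank and comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    i, inq = 0, False       # first field ends at the first unquoted whitespace
    while i < len(line) and (inq or not line[i].isspace()):
        if inq and line[i] == "\\":
            i += 1
        elif line[i] == '"':
            inq = not inq
        i += 1
    first = line[:i]
    if first in KEY_TYPES:  # no options field on this line
        options, fields = {}, [first] + line[i:].split(None, 1)
    else:
        options, fields = split_options(first), line[i:].split(None, 2)
    if len(fields) < 2 or fields[0] not in KEY_TYPES:
        return KeyEntry(line_no, options, "?", "", ["unparseable line"])
    entry = KeyEntry(line_no, options, fields[0], fields[2] if len(fields) > 2 else "")
    cmd = entry.options.get("command")
    if cmd is None:
        entry.problems.append("no forced command: key gets a login shell")
    elif not any(name in cmd for name in GITOLITE_COMMANDS):
        entry.problems.append(f"forced command is not gitolite's: {cmd}")
    entry.problems += [f"missing {r}" for r in REQUIRED_RESTRICTIONS
                       if r not in entry.options]
    return entry


def audit_text(text):
    """Audit a whole file's contents; returns the list of KeyEntry objects."""
    parsed = (parse_line(n, l) for n, l in enumerate(text.splitlines(), 1))
    return [e for e in parsed if e is not None]


# Constructed sample: a correct gitolite line, a bare key, and a partial one.
SAMPLE = """\
# constructed sample; key material is fake
command="/home/gitolite/bin/gl-auth-command dav",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa AAAAB3NzaC1yc2EFAKEKEY== dav@laptop
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5FAKEKEY admin@desk
command="/home/gitolite/bin/gl-auth-command bob",from="10.0.0.0/8,192.168.0.0/16",no-pty ssh-rsa AAAAB3NzaC1yc2EFAKEKEY2== bob@host
"""

if __name__ == "__main__":
    for e in audit_text(SAMPLE):
        print(f"line {e.line_no} {e.key_type} {e.comment}: "
              + ("; ".join(e.problems) or "OK"))
```

Run against a real file with `audit_text(open(path).read())`; the second sample line is the case the other answers warn about, a key that reaches a shell on the gitolite account instead of being confined to the forced command.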

If the first version works, that means the public keys have been published under the account named 'gitolite': ~gitolite/.ssh/authorized_keys.

The permission issue you have encountered is described here: "Creating SSH keys for Gerrit and Hudson": note that all the parent directories of a .ssh shouldn't have write permission for group or other: /home, /home/yourUser, /home/yourUser/.ssh.

Plus, you shouldn't ever clone a gitolite repo with the full path of the repo: servername/home/gitolite/repositories/testing.git is wrong (and would bypass gitolite completely).
servername:testing.git is right.

From the gitolite V2 doc:

The following problem(s) indicate that your pubkey is bypassing gitolite and going straight to a shell

running git clone git@server:repositories/reponame (note presence of repositories/ in URL) works.

[A proper gitolite key will only let you git clone git@server:reponame (note absence of repositories/)]

VonC
  • Ok, messed up with the entry, updated. Have been using the right user I set up with. – Dishcandanty Sep 17 '12 at 21:35
  • @Dishcandanty I noticed, but the address of your second clone doesn't make sense. Why not using the first one only? – VonC Sep 17 '12 at 21:36
  • For just simply using the command it makes sense to use the first one. But it is for a plugin on another application which requires the ssh:// path. – Dishcandanty Sep 17 '12 at 21:43
  • If you have to use `ssh://` why aren't you simply using `ssh://gitolite@servername/testing.git`? – Abe Voelker Sep 17 '12 at 22:14
  • @AbeVoelker still requires the password with that command. And when I do put the password in it will fail, because it won't find the repository. Otherwise would have to do something like: git clone ssh://git@192.168.2.205/~/repositories/testing.git – Dishcandanty Sep 17 '12 at 22:26
  • @Dishcandanty please see my edited answer: using a full path bypasses gitolite. – VonC Sep 18 '12 at 05:48
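The permission check that produced the "bad ownership or modes" error in auth.log, as an added Python example (not from the answer or from sshd): it applies sshd's StrictModes rule to the key file, its directory, and every parent directory up to and including the user's home (owner must be the user or root; no group or other write bit), and rebuilds the question's state in a temporary directory to show the audit failing before chmod 700 on .ssh and passing after it. The temp tree and the placeholder key file are constructed for the demo.

```python
"""Check the ownership and mode sshd requires (StrictModes) on the path to an
authorized_keys file. Added example, not the question's or sshd's code; it
mirrors sshd's rule that the file, its directory and every parent directory up
to the user's home must be owned by that user (or root) and must not be
writable by group or other. The demo tree is constructed in a temp directory."""
import os
import stat
import tempfile


def check_path(path, uid):
    """Problems sshd would report for one path: wrong owner, g+w or o+w."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [f"{path}: does not exist"]
    problems = []
    if st.st_uid not in (uid, 0):
        problems.append(f"{path}: owned by uid {st.st_uid}, expected {uid} or 0")
    if st.st_mode & stat.S_IWGRP:
        problems.append(f"{path}: group-writable")
    if st.st_mode & stat.S_IWOTH:
        problems.append(f"{path}: world-writable")
    return problems


def audit_authorized_keys(home, uid, relpath=".ssh/authorized_keys"):
    """Walk from the key file up to and including the home directory, collecting
    every problem; an empty list means sshd's StrictModes check would pass."""
    home = os.path.realpath(home)
    path = os.path.join(home, relpath)
    problems = []
    while True:
        problems += check_path(path, uid)
        if path == home:
            return problems
        path = os.path.dirname(path)


def demo():
    """Rebuild the state from the question (~gitolite/.ssh writable by group and
    other), audit it, apply chmod 700 and audit again. Returns both results."""
    with tempfile.TemporaryDirectory() as tmp:
        home = os.path.join(tmp, "gitolite")
        ssh_dir = os.path.join(home, ".ssh")
        os.makedirs(ssh_dir)
        keyfile = os.path.join(ssh_dir, "authorized_keys")
        with open(keyfile, "w") as f:
            f.write("# constructed placeholder, no real keys\n")
        os.chmod(home, 0o755)
        os.chmod(keyfile, 0o644)
        # The question's .ssh was drw-rw-rw-; 0o777 keeps the same g+w/o+w
        # fault while leaving the directory traversable for this demo.
        os.chmod(ssh_dir, 0o777)
        before = audit_authorized_keys(home, os.getuid())
        os.chmod(ssh_dir, 0o700)          # the fix that resolved the question
        after = audit_authorized_keys(home, os.getuid())
        return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before:", *before, sep="\n  ")
    print("after:", after or "no problems")
```

On a real server, run it as root against the account in question, e.g. `audit_authorized_keys("/home/gitolite", pwd.getpwnam("gitolite").pw_uid)`, since only root can stat through a directory whose mode lacks the execute bit, as the question's .ssh did.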

Yet another thing to try: if AllowGroups is in use for the sshd on the server, check that the git-user is included in one of those groups.

kaleissin