39

I installed gitlab on my servers at linode. All services of gitlab are working fantastic. I am able to login, create users, repos etc. But the problem I am facing is when I try to push a repo it prompts a password for the git user as follows:

git@gitlab.myserver.com's password

I have followed the instructions of installing gitlab at: https://github.com/gitlabhq/gitlabhq/blob/master/doc/install/installation.md and have disable the login got the user git using the following line mentioned in the installation guide:

sudo adduser --disabled-login --gecos 'GitLab' git

I am using gitlab version 6. What could be the problem?

The output of: ssh -Tvvv git@gitlab.myserver.com is as follows:

OpenSSH_5.9p1 Debian-5ubuntu1.1, OpenSSL 1.0.1 14 Mar 2012
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to gitlab.myserver.com [MY_IP] port 22.
debug1: Connection established.
debug3: Incorrect RSA1 identifier
debug3: Could not load "/home/swaroop/.ssh/id_rsa" as a RSA1 public key
debug1: identity file /home/swaroop/.ssh/id_rsa type 1
debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-2048
debug1: Checking blacklist file /etc/ssh/blacklist.RSA-2048
debug1: identity file /home/swaroop/.ssh/id_rsa-cert type -1
debug1: identity file /home/swaroop/.ssh/id_dsa type -1
debug1: identity file /home/swaroop/.ssh/id_dsa-cert type -1
debug1: identity file /home/swaroop/.ssh/id_ecdsa type -1
debug1: identity file /home/swaroop/.ssh/id_ecdsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.9p1 Debian-5ubuntu1.1
debug1: match: OpenSSH_5.9p1 Debian-5ubuntu1.1 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.9p1 Debian-5ubuntu1.1
debug2: fd 3 setting O_NONBLOCK
debug3: load_hostkeys: loading entries for host "gitlab.myserver.com" from file "/home/swaroop/.ssh/known_hosts"
debug3: load_hostkeys: found key type ECDSA in file /home/swaroop/.ssh/known_hosts:92
debug3: load_hostkeys: loaded 1 keys
debug3: order_hostkeyalgs: prefer hostkeyalgs: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ssh-dss-cert-v00@openssh.com,ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-256-96,hmac-sha2-512,hmac-sha2-512-96,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-256-96,hmac-sha2-512,hmac-sha2-512-96,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: first_kex_follows 0 
debug2: kex_parse_kexinit: reserved 0 
debug2: kex_parse_kexinit: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-256-96,hmac-sha2-512,hmac-sha2-512-96,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-256-96,hmac-sha2-512,hmac-sha2-512-96,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: first_kex_follows 0 
debug2: kex_parse_kexinit: reserved 0 
debug2: mac_setup: found hmac-md5
debug1: kex: server->client aes128-ctr hmac-md5 none
debug2: mac_setup: found hmac-md5
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ECDSA 92:57:61:35:b1:e2:16:3b:7f:ae:e7:8a:dc:0c:98:83
debug3: load_hostkeys: loading entries for host "gitlab.myserver.com" from file "/home/swaroop/.ssh/known_hosts"
debug3: load_hostkeys: found key type ECDSA in file /home/swaroop/.ssh/known_hosts:92
debug3: load_hostkeys: loaded 1 keys
debug3: load_hostkeys: loading entries for host "MY_IP" from file "/home/swaroop/.ssh/known_hosts"
debug3: load_hostkeys: found key type ECDSA in file /home/swaroop/.ssh/known_hosts:93
debug3: load_hostkeys: loaded 1 keys
debug1: Host 'gitlab.myserver.com' is known and matches the ECDSA host key.
debug1: Found key in /home/swaroop/.ssh/known_hosts:92
debug1: ssh_ecdsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /home/swaroop/.ssh/id_rsa (0x7fd470589410)
debug2: key: /home/swaroop/.ssh/id_dsa ((nil))
debug2: key: /home/swaroop/.ssh/id_ecdsa ((nil))
debug1: Authentications that can continue: publickey,password
debug3: start over, passed a different list publickey,password
debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/swaroop/.ssh/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,password
debug1: Trying private key: /home/swaroop/.ssh/id_dsa
debug3: no such identity: /home/swaroop/.ssh/id_dsa
debug1: Trying private key: /home/swaroop/.ssh/id_ecdsa
debug3: no such identity: /home/swaroop/.ssh/id_ecdsa
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred: ,password
debug3: authmethod_is_enabled password
debug1: Next authentication method: password
git@gitlab.myserver.com's password:

Also following is the output when I run: rvmsudo -u git -H bundle exec rake gitlab:env:info RAILS_ENV=production

System information
System:     Ubuntu 12.04
Current User:   git
Using RVM:  yes
RVM Version:    1.22.3
Ruby Version:   2.0.0p247
Gem Version:    2.0.7
Bundler Version:1.3.5
Rake Version:   10.1.0

GitLab information
Version:    6.0.0
Revision:   6c1c284
Directory:  /home/git/gitlab
DB Adapter: mysql2
URL:        http://gitlab.myserver.com
HTTP Clone URL: http://gitlab.myserver.com/some-project.git
SSH Clone URL:  git@gitlab.myserver.com:some-project.git
Using LDAP: no
Using Omniauth: no

GitLab Shell
Version:    1.7.0
Repositories:   /home/git/repositories/
Hooks:      /home/git/gitlab-shell/hooks/
Git:        /usr/bin/git
swaroopsm
  • 1,389
  • 4
  • 18
  • 34
  • possible duplicate of [GitLab requires git@localhost password to push to a repo](http://stackoverflow.com/questions/11767366/gitlab-requires-gitlocalhost-password-to-push-to-a-repo) – Ciro Santilli OurBigBook.com Jan 10 '14 at 20:43

8 Answers8

20

I had the same problem but it was because my server only accept ssh login from users of "sshusers".

On /etc/ssh/sshd_config I had the following line : 

AllowGroups sshusers

In order to fix this issue, I added git to sshusers group: 

$ sudo adduser git sshusers

And then it's working.

Arturo Volpe
  • 3,442
  • 3
  • 25
  • 40
Kgaut
  • 371
  • 3
  • 9
16

That should only mean that:

  • either the public ssh key was incorrectly registered in the user account

https://intranet.5amsolutions.com/download/attachments/24610136/Git3.png?version=1&modificationDate=1349371375213

  • and/or the public/private ssh keys aren't accessible from the user account (~/.ssh incorrectly protected, incorrect names different from id_rsa, id_rsa.pub, incorrect ~/.ssh/config file).
    See more, for instance, at "Git SSH authentication".

The OP swaroopsm comments:

I solved the issue by re-installing gitlab on the server. Now all is fine.

Community
  • 1
  • 1
VonC
  • 1,262,500
  • 529
  • 4,410
  • 5,250
  • I had pasted my local machine's id_rsa.pub and added to my settings of SSH public keys on gitlab. Still can't get it to work – swaroopsm Aug 29 '13 at 05:30
  • 4
    @swaroopsm double-check the local protection issue. can you do a simple `ssh -T git@gitlab.myserver.com` successfully from a command line in your client? If not, study the output of `ssh -Tvvv git@gitlab.myserver.com` – VonC Aug 29 '13 at 05:45
  • @swaroopsm are you sure you do have a `/home/swaroop/.ssh/id_rsa`? With the right protection? And are your public key visible in the `~git/.ssh/authorized_keys` of the gitlab server? – VonC Aug 29 '13 at 06:59
  • I have an id_rsa.pub because I have no issues in pushing code to github. It's only I am not able to push it on to my server. What are the required file permissions of /home/git/.ssh on my server? – swaroopsm Aug 29 '13 at 07:09
  • @swaroopsm the link in my answer ("Git SSH authentication") details that. – VonC Aug 29 '13 at 07:10
  • Tried the links above. No luck :( – swaroopsm Aug 29 '13 at 07:50
  • @swaroopsm so you do have the id_rsa and id_rsa.pub at the right place, with the right protection, correct? And you do see your public key on the server in `~git/.ssh/authorized_keys`? – VonC Aug 29 '13 at 07:51
  • No, I don't see my public key on in ~git/.ssh.authorized_keys – swaroopsm Aug 29 '13 at 10:49
  • @swaroopsm then the public ssh key has been incorrectly copied in your ssh key section of your profile on GitLab (typically, a copy with newlines in it, instead of a copy of the key with one continuous line). Try to enter it again, and then check `~git/.ssh.authorized_keys` on the GitLab server: as long as your public key isn't here, an ssh from a client will always fail. – VonC Aug 29 '13 at 10:50
  • There are no line breaks. It is the same as the one that is on my github account. It doesn't seem to write it in the authorized_keys on the server. But gitlab shows me my ssh key on the web interface. – swaroopsm Aug 29 '13 at 10:53
  • @swaroopsm then you need to check gitlab logs, and see if there is anything preventing to add that ssh key to the right file: as long as this doesn't work, no ssh request from a client will. – VonC Aug 29 '13 at 10:55
  • This is what the errors logs tel: Started GET "/" for 127.0.0.1 at 2013-08-29 16:28:01 +0530 Processing by DashboardController#show as */* Completed 401 Unauthorized in 0ms – swaroopsm Aug 29 '13 at 10:59
  • @swaroopsm Maybe this is an ssh/environemt issue as in https://github.com/gitlabhq/gitlab-shell/issues/12? – VonC Aug 29 '13 at 11:06
  • I solved the issue by re-installing gitlab on the server. Now all is fine. Thanks for the support @VonC – swaroopsm Aug 30 '13 at 16:16
  • @swaroopsm Great! I have added your conclusion to the answer for more visibility. – VonC Aug 30 '13 at 17:15
  • 1
    I regenerated my ssh key with `ssh-keygen`, and re-added to the Gitlab settings; this worked – Nate Anderson Mar 06 '19 at 03:21
  • I have this problem now. I installed gitlab ce in centos 7. Git user home folder is /var/opt/gitlab, in the .ssh folder, the authorized keys file is empty although I successfully save it through web interface – Mideel Mar 25 '20 at 05:50
  • @Mideel Maybe the authorized_keys is not written, because of the "fast lookup" setting? See https://docs.gitlab.com/ee/administration/operations/fast_ssh_key_lookup.html#setting-up-fast-lookup-via-gitlab-shell – VonC Mar 25 '20 at 05:53
  • @VonC, I have checked the setting and the write to authorized_keys is checked already. But my /var/opt/gitlab folder(git home folder) owner is root and the group is also the root but the .ssh folder is owned by git. Is that a correct setup ? – Mideel Mar 25 '20 at 06:49
  • @Mideel Not sure (I don't have a GitLab instance running at the moment). But if the gitlab process itself runs as git, then there should be a ~git/.ssh/authorized_keys indeed. – VonC Mar 25 '20 at 07:32
  • @VonC, there's aauthorized_keys file but that file is empty although I have successfully added the public key using the web interface – Mideel Mar 25 '20 at 07:37
  • @Mideel then it is best to put a separate question up, to get to the bottom of this. – VonC Mar 25 '20 at 08:23
  • @VonC, I have, https://stackoverflow.com/questions/60844588/gitlab-ce-doesnt-add-a-public-key-to-authorized-keys – Mideel Mar 25 '20 at 08:27
9

I had a similar problem when I set the remote repository with the HTTP URL.

I changed it to use the SSH URL, and it worked fine:

git remote set-url gitlab git@gitlab.devekko.net:niccolox/cirm-website.git
nbro
  • 15,395
  • 32
  • 113
  • 196
niccolox
  • 91
  • 1
  • 2
  • I had the same problem as the OP. I was using the http URL on both RHEL and Mac OS. On Mac OS, it was NOT asking for the password. On RHEL, it was. So, changing the as suggested worked well: `git remote set-url origin https://` – D. Woods Sep 06 '19 at 03:27
8

In my case, I had to add the remote repository with ssh as 

git remote add gitlab ssh://git@your.project:222/git/repo_name.git

which made git not request me the password again. Note the use of ssh:// and port=222.

nbro
  • 15,395
  • 32
  • 113
  • 196
Stanislav Bondar
  • 6,056
  • 2
  • 34
  • 46
6

On systems with SELinux enabled you should not disable SELinux as suggested in some answers.

To get along with the SELinux restrictions (iff they are the reason for the password prompt; check your /var/log/audit/audit.log ) change the security context for gitlab:

chcon -t user_home_dir_t /var/opt/gitlab/
chcon -t ssh_home_t /var/opt/gitlab/.ssh/
chcon -t ssh_home_t /var/opt/gitlab/.ssh/authorized_keys

(as suggested at the gitlab group)

dennis
  • 592
  • 5
  • 10
1

To properly fix the selinux issues, use the following. Note that chcon is only temporary and will not survive a relabel or restorecon, so you should use semanage instead.

semanage fcontext -a -t user_home_dir_t "/var/opt/gitlab(/.*)?"
semanage fcontext -a -t ssh_home_t "/var/opt/gitlab/.ssh(/.*)?"
restorecon -rv /var/opt/gitlab
Andy Fraley
  • 1,043
  • 9
  • 16
0

I tried many options but no success. The only that resolved for me was osxkeychain helper

See the tutorial here.

The tutorial is from github, but works great for gitlab too.

pcsantana
  • 599
  • 5
  • 12
-6

I had same issue. Mine was that SELinux was enabled. Please disabled SELinux here is the link http://www.how2centos.com/disable-selinux-centos-6/

Jaepyoung
  • 71
  • 1
  • 6