I can't push to/clone from a GitLab running on an Amazon EC2 instance. Here is what I did so far:

  • Created a keypair on my local machine
  • Created a project in GitLab (my GitLab user has owner permissions)
  • Added my public key in the web config of my user in GitLab

When I try to clone that repository via `git clone git@11.12.13.154:project-group/project.git` I get the infamous message:

`Permission denied (publickey).`

How can I configure my EC2 instance to accept clone/push/pull requests from users who added their SSH keys via GitLab's web interface?

Hedge
  • Possible duplicate of [Getting permission denied (public key) on gitlab](http://stackoverflow.com/questions/40427498/getting-permission-denied-public-key-on-gitlab) – Muhammad Laraib Khan Mar 14 '17 at 06:22

1 Answer

User ubuntu? Usually, the user configured for a GitLab instance is `git`.

Try and modify your `.ssh/config` file with `User git`, and use that URL:

`git clone myhost:project-group/MyRepo.git`

Make sure that test.pub (the public key extracted from the pem file) is registered properly on the repo (or in your GitLab account, if you are the owner of that repo). If test.pem is the key used to access the EC2 instance, then you would need to generate a separate public/private set of keys and use those instead in accessing GitLab.

After discussion below, it appears that:

  • GitLab is installed on an EC2 instance with Omnibus-gitlab
  • Omnibus-gitlab means using `gitlab-rake some_task` (not 'rake' directly)
  • a `gitlab-rake gitlab:check` points out that the authorized_keys file resides in `/var/opt/gitlab/.ssh/authorized_keys`
  • the git account was locked (unlocking it made GitLab work: `git:!:` to `git:*:` in the file `/etc/shadow`).
    This is similar to the "Trouble Shooting Guide - SSH" section.
VonC
  • I used the bare repositories so far without GitLab. How do I register that test.pem.pub and where do I get it? I only use the private key so far to authenticate via ssh / and to use the bare repositories. – Hedge Oct 07 '15 at 08:31
  • @Hedge ssh means you have a private and a public key. See http://stackoverflow.com/a/10271238/6309 – VonC Oct 07 '15 at 08:32
  • Yes, I am aware of that but where do I get the public key of the EC2 instance. All I have is the private one. – Hedge Oct 07 '15 at 08:35
  • @Hedge the pem should include both, hence my link to http://stackoverflow.com/a/10271238/6309. See also http://stackoverflow.com/a/24143976/6309. The point is to generate your own private / public key and register the public one to the repo or the GitLab account. It is *not* to use the EC2 instance private key, which is just for you to access that instance, and has nothing to do with user authentication in GitLab. – VonC Oct 07 '15 at 08:37
  • Oh sorry, of course you are right about the .pem containing both. Ok, what I did is create my own public-key (stored in ~/.ssh/id_rsa.pub). I saved this key in the Gitlab-configuration for my user. Created a project in Gitlab. My user with the associated public key has full permissions yet I get `permission denied` when cloning to my private computer. – Hedge Oct 07 '15 at 08:41
  • @Hedge Does your config file reference the right *private* key? (with git user) – VonC Oct 07 '15 at 08:42
  • I only used the config file for the bare repositories before I installed Gitlab so I don't have to write `ssh -i ~/.ssh/test.pem ...` all the time. To clone from Gitlab I'm trying a command in the style `git@11.12.13.14:group/project.git` so it's not using the host I specified in the `~/.ssh/config` – Hedge Oct 07 '15 at 08:46
  • @Hedge ok: use the config file with `myhost:project-group/MyRepo.git`. Make sure the `myhost` entry does use the right private key. Or make a new entry, if you were already using that one. – VonC Oct 07 '15 at 08:48
  • I set up a new host like this `Host newhost Hostname 11.12.13.14 user git IdentityFile ~/.ssh/id_rsa` (this key is the private key matching `~/.ssh/id_rsa.pub` I saved for my Gitlab user). Then I tried `git clone newhost:group/project.git` but I still get the error :( – Hedge Oct 07 '15 at 08:53
  • @Hedge what does a `ssh -Tvv newhost` return? – VonC Oct 07 '15 at 09:05
  • yeah, I tried it with different usernames in the config. I updated the gist using the `git` username. – Hedge Oct 07 '15 at 09:17
  • @Hedge I have removed my previous comment, to not display the actual server name. So a simple `ssh -T newhost` would return what? Still permission denied. Is there a `/home/git/.ssh/authorized_keys` file on the server side? – VonC Oct 07 '15 at 09:20
  • No, there is no such file. I was under the impression that I don't have to add my public key to the authorized_keys manually because GitLab takes care of the keys. – Hedge Oct 07 '15 at 09:23
  • @Hedge yes, GitLab is supposed to manage that for you. First, do you confirm that GitLab is using the git account? (in config/gitlab.yml) – VonC Oct 07 '15 at 09:24
  • Yes, it is using the (default) git account according to `/var/opt/gitlab/gitlab-rails/etc/gitlab.yml` What else could cause this problem? – Hedge Oct 07 '15 at 13:11
  • @Hedge As long as `/home/git/.ssh/authorized_keys` doesn't properly reflect your public key, nothing will work properly: see https://github.com/gitlabhq/gitlab-public-wiki/wiki/Trouble-Shooting-Guide#authorized_keys-file-is-out-of-sync if that helps (that section, or the rest of the page too) – VonC Oct 07 '15 at 13:25
  • I used the Omnibus package to install Gitlab. Should I install bundler etc. to execute the rake task specified on the Wiki page or is there a simpler way to resynchronise the authorized_keys? I looked in the file `/var/log/gitlab/gitlab-shell/gitlab-shell.log`. There is a new entry that states that the key was added but the git-user doesn't even have a .ssh directory. – Hedge Oct 07 '15 at 13:48
  • @Hedge Not sure actually. Unless you follow https://gitlab.com/gitlab-org/gitlab-ce/issues/363 – VonC Oct 07 '15 at 13:53
  • @Hedge Wait: http://stackoverflow.com/a/27816590/6309: With GitLab omnibus you can use `gitlab-rake some_task`. – VonC Oct 07 '15 at 13:54
  • I can run the tasks as you specified. It also warns me about `You will lose any data stored in authorized_keys file.` but after typing in `yes` nothing happens. I'm starting to think that a co-worker created the user `git` manually before I took over the EC2-instance. – Hedge Oct 07 '15 at 14:01
  • @Hedge I agree: as long as this isn't working properly, any ssh url won't reach Gitlab successfully. – VonC Oct 07 '15 at 14:03
  • Can I somehow delete the user and let omnibus re-create it without me having to set up the whole EC2 once again? – Hedge Oct 07 '15 at 14:04
  • @Hedge That I don't know – VonC Oct 07 '15 at 14:06
  • I did a quick gitlab-rake gitlab:check and found out authorized_keys reside in `/var/opt/gitlab/.ssh/authorized_keys`. Then I created a symbolic link to the .ssh folder via `sudo ln -s /var/opt/gitlab/.ssh /home/git/` but it still doesn't work. – Hedge Oct 07 '15 at 14:17
  • @Hedge probably because the ssh daemon is configured to not look for keys there (or across a symlink) – VonC Oct 07 '15 at 14:21
  • @Does `gitlab-rake gitlab:env:info` and `gitlab-rake gitlab:check` report any issue at all? – VonC Oct 07 '15 at 14:22
  • @Hedge See also https://gitlab.com/gitlab-org/omnibus-gitlab/issues/538 for other suggestions to be tested. – VonC Oct 07 '15 at 14:23
  • No issues are reported with both commands. `check` does even say: Check directories and files: /var/opt/gitlab/git-data/repositories: OK /var/opt/gitlab/.ssh/authorized_keys: OK – Hedge Oct 07 '15 at 14:27
  • I can push and pull now. I set `git:!:` to `git:*:` in the file `/etc/shadow`. Is this ok? – Hedge Oct 07 '15 at 14:45
  • @Hedge I suppose it is OK: see https://github.com/gitlabhq/gitlab-public-wiki/wiki/Trouble-Shooting-Guide#ssh. I have edited the answer accordingly. (also mentioned in https://github.com/gitlabhq/gitlabhq/issues/5304) – VonC Oct 07 '15 at 14:50
  • Thanks a lot for your patience @VonC :) – Hedge Oct 08 '15 at 08:28
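
The state the thread ends on (`git:!:` versus `git:*:` in `/etc/shadow`) can be inspected read-only before anything is changed. The script below is an added example, not part of the original answer or of GitLab's tooling: the function names and the sample shadow and log lines are constructed for illustration. It assumes an sshd that does not use PAM and therefore refuses a `!`-prefixed account even for public-key logins, logging the message matched by `locked_rejections`.

```shell
#!/bin/sh
# Added example: read-only checks for the "locked git account" failure mode.

# shadow_state USER [FILE]: classify field 2 of USER's entry in a shadow(5) file.
shadow_state() {
    # Prefix "x" so an empty field is distinguishable from a missing user.
    field=$(awk -F: -v u="$1" '$1 == u { print "x" $2; exit }' "${2:-/etc/shadow}")
    case $field in
        '')    echo missing ;;       # no such account in the file
        x)     echo empty ;;         # empty field: no password required at all
        'x!'*) echo locked ;;        # "!" prefix: account locked, key auth refused too
        'x*')  echo no-password ;;   # no valid hash but not locked: key auth only
        *)     echo password-set ;;  # a real hash is present
    esac
}

# locked_rejections USER LOGFILE: count sshd refusals caused by a locked account.
locked_rejections() {
    grep -c "User $1 not allowed because account is locked" "$2" || true
}

# Demo on constructed data (not taken from the server in the thread).
demo() {
    tmp=$(mktemp -d) || return 1
    printf '%s\n' 'root:$6$constructed$hash:16000:0:99999:7:::' \
                  'git:!:16700:0:99999:7:::' > "$tmp/shadow.before"
    # The change described in the thread, applied to the sample copy only.
    sed 's/^git:!:/git:*:/' "$tmp/shadow.before" > "$tmp/shadow.after"
    printf '%s\n' \
      'Oct  7 14:30:01 host sshd[1234]: User git not allowed because account is locked' \
      'Oct  7 14:30:01 host sshd[1234]: Connection closed by 192.0.2.10 [preauth]' \
      > "$tmp/auth.log"
    echo "before: $(shadow_state git "$tmp/shadow.before")"
    echo "after:  $(shadow_state git "$tmp/shadow.after")"
    echo "locked-account refusals in log: $(locked_rejections git "$tmp/auth.log")"
    rm -rf "$tmp"
}
demo
```

On a real host, `shadow_state git` has to run as root to read `/etc/shadow`. `usermod -p '*' git` makes the same change as the manual edit without opening the file in an editor, and the account still has no usable password afterwards.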