
I have looked all over and cannot find the solution to this. It worked once...a while back.

I am trying to clone a remote repo using git to my local Windows 10 workstation. I've tried in VSC and Git Bash with no luck. I have regenerated SSH keys several times and made sure they are on my account in Bitbucket. I also had the admin verify I had permissions in Bitbucket. I can clone with HTTPS, but I need SSH as well due to the module dependencies for terraform init, because it uses SSH.

This is the error I'm getting

```
Cloning into 'terraform'...
git@something.com: Permission denied (publickey).
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.
```

Any ideas on how to get the SSH connection to work? I also verified the OpenSSH ssh-agent service was running.

UPDATE with output... I still don't get it

forcing private key

```
PS C:\Users\me> ssh -i c:\users\me\.ssh\id_rsa -Tv git@something.com -p 7999
OpenSSH_for_Windows_7.6p1, LibreSSL 2.6.4
debug1: Connecting to something.com [1.1.1.1] port 7999.
debug1: Connection established.
debug1: identity file c:\\users\\me\\.ssh\\id_rsa type 0
debug1: key_load_public: No such file or directory
debug1: identity file c:\\users\\me\\.ssh\\id_rsa-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_for_Windows_7.6
debug1: Remote protocol version 2.0, remote software version APACHE-SSHD-2.4.0
debug1: no match: APACHE-SSHD-2.4.0
debug1: Authenticating to something.com:7999 as 'git'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: ecdh-sha2-nistp256
debug1: kex: host key algorithm: rsa-sha2-512
debug1: kex: server->client cipher: aes128-ctr MAC: hmac-sha2-256-etm@openssh.com compression: none
debug1: kex: client->server cipher: aes128-ctr MAC: hmac-sha2-256-etm@openssh.com compression: none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ssh-rsa SHA256:tbUbYIJrt+P7aWKYsn09IsD+iouWjGiR6am8BaXXXXX
debug1: Host '[something.com]:7999' is known and matches the RSA host key.
debug1: Found key in C:\\Users\\me/.ssh/known_hosts:1
debug1: rekey after 4294967296 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey after 4294967296 blocks
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering public key: RSA SHA256:bvs3ECFl7m4r8SN404IIeuiFG6AoNqfdMCFp+AYXXXX c:\\users\\me\\.ssh\\id_rsa
debug1: Server accepts key: pkalg ssh-rsa blen 535
debug1: read_passphrase: can't open /dev/tty: No such file or directory
Enter passphrase for key 'c:\users\me\.ssh\id_rsa':
debug1: Authentication succeeded (publickey).
Authenticated to something.com ([1.1.1.1]:7999).
debug1: channel 0: new [client-session]
debug1: Entering interactive session.
debug1: pledge: network
shell request failed on channel 0
```

forcing public key

```
PS C:\Users\aedle> ssh -i c:\users\me\.ssh\id_rsa.pub -Tv git@ssomething.com -p 7999
OpenSSH_for_Windows_7.6p1, LibreSSL 2.6.4
debug1: Connecting to something.com [1.1.1.1] port 7999.
debug1: Connection established.
debug1: identity file c:\\users\\me\\.ssh\\id_rsa.pub type 0
debug1: key_load_public: No such file or directory
debug1: identity file c:\\users\\me\\.ssh\\id_rsa.pub-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_for_Windows_7.6
debug1: Remote protocol version 2.0, remote software version APACHE-SSHD-2.4.0
debug1: no match: APACHE-SSHD-2.4.0
debug1: Authenticating to something.com:7999 as 'git'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: ecdh-sha2-nistp256
debug1: kex: host key algorithm: rsa-sha2-512
debug1: kex: server->client cipher: aes128-ctr MAC: hmac-sha2-256-etm@openssh.com compression: none
debug1: kex: client->server cipher: aes128-ctr MAC: hmac-sha2-256-etm@openssh.com compression: none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ssh-rsa SHA256:tbUbYIJrt+P7aWKYsn09IsD+iouWjGiR6am8Ba9XXXX
debug1: Host '[something.com]:7999' is known and matches the RSA host key.
debug1: Found key in C:\\Users\\me/.ssh/known_hosts:1
debug1: rekey after 4294967296 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey after 4294967296 blocks
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering public key: RSA SHA256:bvs3ECFl7m4r8SN404IIeuiFG6AoNqfdMCFp+AXXXXX c:\\users\\me\\.ssh\\id_rsa.pub
debug1: Server accepts key: pkalg ssh-rsa blen 535
Load key "c:\\users\\me\\.ssh\\id_rsa.pub": invalid format
debug1: No more authentication methods to try.
git@something.com: Permission denied (publickey).
```

I am still completely lost, because when I go back and try to clone, I get this:

```
git clone ssh://something.com:7999/ter/terraform.git
Cloning into 'terraform'...
git@something.com: Permission denied (publickey).
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.
```

The overall issue was that the ssh_config for git could not see my private key at ~/.ssh/id_rsa... so I had to specify exactly where on the C: it was... and now my git config looks like this after changing this and uncommenting the line

```
Host *
#   ForwardAgent no
#   ForwardX11 no
#   PasswordAuthentication yes
#   HostbasedAuthentication no
#   GSSAPIAuthentication no
#   GSSAPIDelegateCredentials no
#   BatchMode no
#   CheckHostIP yes
#   AddressFamily any
#   ConnectTimeout 0
#   StrictHostKeyChecking ask
   IdentityFile c:\users\me\.ssh\id_rsa
#   IdentityFile ~/.ssh/id_dsa
#   IdentityFile ~/.ssh/id_ecdsa
#   IdentityFile ~/.ssh/id_ed25519
#   Port 7999
#   Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc
#   MACs hmac-md5,hmac-sha1,umac-64@openssh.com
#   EscapeChar ~
#   Tunnel no
#   TunnelDevice any:any
#   PermitLocalCommand no
#   VisualHostKey no
#   ProxyCommand ssh -q -W %h:%p gateway.example.com
#   RekeyLimit 1G 1h
#   UserKnownHostsFile ~/.ssh/known_hosts.d/%k
# Added by git-extra
```
dcvl
  • 1
    `something.com` seems to be `bitbucket.com`? ;-) Start debugging with `ssh -Tv git@something.com` – phd Mar 03 '21 at 23:23
  • It’s an internal bitbucket. Not cloud. Hence the name ;). That doesn’t work though. Get rejected. I’ve had other people on the same repo confirm they can clone via ssh just fine. This makes me believe it’s a local issue to my machine. I just have no clue what it could be – dcvl Mar 04 '21 at 03:16
  • I’ll add, I’ve tried this with my repo in cloud bitbucket too and get the same results, to rule out possibility of something with the on prem bitbucket. ssh-agent service is running on my machine. Is there any way to force and guarantee that any git command uses a specific ssh key? – dcvl Mar 04 '21 at 03:19
  • Many ways. You can declare [`GIT_SSH_COMMAND`](https://stackoverflow.com/search?q=%5Bgit%5D+%5Bssh%5D+GIT_SSH_COMMAND) or [`git config core.sshCommand`](https://git-scm.com/docs/git-config#Documentation/git-config.txt-coresshCommand). You can carefully [craft `~/.ssh/config`](https://stackoverflow.com/a/8483960/7976758) and use these invented hosts as your remote names. – phd Mar 04 '21 at 04:43
  • 1
    The `ssh -Tv` method can help you figure out why you're being rejected. Add more `v`s for even-more debug output. Compare the output from someone who can get in that way (have them run `ssh -Tv git@something.com`) to the output you get. There is a lot of debug output, and not everything that shows up as different is the reason for the failure, but *something* that shows up as different is the reason. – torek Mar 04 '21 at 04:51
  • ssh -Tv git@something.com OpenSSH_for_Windows_7.6p1, LibreSSL 2.6.4 debug1: Connecting to something.com [1.1.1.1] port 22. debug1: connect to address 1.1.1.1 port 22: Connection refused ssh: connect to host something.com port 22: Connection refused – dcvl Mar 04 '21 at 14:05
  • @dcvl I have edited my answer to address your edited question. – VonC Mar 04 '21 at 15:34

1 Answer

> Is there any way to force and guarantee that any git command uses a specific ssh key?

Start with testing authentication access with:

```
ssh -i C:\path\to\specific\key -Tv git@something.com
```

Once you get a "Welcome" message, you can start checking your GIT_SSH_COMMAND or your ~/.ssh/config file to make that key use persistent.

First, create an SSH key without a passphrase, for testing, in order to not have to deal with ssh-agent (again, for testing).

Second, `ssh -i` always references the private key, never the public key (`.pub`).

Third: a git clone ssh would always use port 22, not 7999: it is therefore not surprising that git command fails.

So: create a config file in c:\users\me\.ssh\ with:

```
Host bb
  Hostname something.com
  Port 7999
  User git
  IdentityFile c:\users\me\.ssh\id_rsa
```

Then use that `Host bb` entry for your clone:

```
git clone bb:ter/terraform.git
```
VonC
  • You, sir, are my hero. There were compounding issues, but this was the last piece I was missing. I had to place this above the default host entry in my git ssh_config file. Something I had tried previously, but not after removing all permissions to my ssh keys as stated here https://superuser.com/questions/1296024/windows-ssh-permissions-for-private-key-are-too-open – dcvl Mar 04 '21 at 16:51
  • @dcvl Well done. Permission can be tricky indeed. – VonC Mar 04 '21 at 16:54
  • Further fine-tuning revealed the actual problem seemed to be my home path... I had to explicitly state where my private key was under my C: rather than use the ~/.ssh/id_rsa in my ssh_config file in the Git folder – dcvl Mar 04 '21 at 18:14
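
The three `ssh -Tv` runs posted in this thread, sorted into cases by a small shell function. This is an added example, not code from the question or the answer: the function name `diagnose_ssh_log`, its verdict strings and the trimmed sample logs (fingerprints replaced by a placeholder) are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example, not from the thread: classify `ssh -Tv` output into the cases
# seen on this page. diagnose_ssh_log and its verdict strings are hypothetical.
# Reads a log on stdin; prints "<verdict> port=<n>" (plus offered=<n> on denial).
diagnose_ssh_log() (
  log=$(tr -d '\r')            # tolerate CRLF logs copied from Windows consoles
  # Port ssh actually dialled: 22 unless -p or a matching Port line applied.
  port=$(printf '%s\n' "$log" |
    sed -n 's/^debug1: Connecting to .* port \([0-9]*\)\.$/\1/p' | head -n 1)
  port=${port:-unknown}
  # How many keys were presented to the server.
  offered=$(printf '%s\n' "$log" | grep -c 'Offering public key' || true)
  if printf '%s\n' "$log" | grep -q 'Connection refused'; then
    echo "refused port=$port"            # nothing listening: check Port / -p
  elif printf '%s\n' "$log" | grep -q '^Load key ".*\.pub": invalid format'; then
    echo "pub-as-identity port=$port"    # -i / IdentityFile names the .pub file
  elif printf '%s\n' "$log" | grep -q 'Authentication succeeded (publickey)'; then
    echo "auth-ok port=$port"            # key works; look at git's ssh settings
  elif printf '%s\n' "$log" | grep -q 'Permission denied (publickey)'; then
    echo "denied port=$port offered=$offered"
  else
    echo "inconclusive port=$port"
  fi
)

# Constructed samples: trimmed from the logs on this page, fingerprints replaced.
LOG_PRIVATE='debug1: Connecting to something.com [1.1.1.1] port 7999.
debug1: Offering public key: RSA SHA256:<fingerprint> c:\\users\\me\\.ssh\\id_rsa
debug1: Server accepts key: pkalg ssh-rsa blen 535
debug1: Authentication succeeded (publickey).
shell request failed on channel 0'
LOG_PUB='debug1: Connecting to something.com [1.1.1.1] port 7999.
debug1: Offering public key: RSA SHA256:<fingerprint> c:\\users\\me\\.ssh\\id_rsa.pub
debug1: Server accepts key: pkalg ssh-rsa blen 535
Load key "c:\\users\\me\\.ssh\\id_rsa.pub": invalid format
git@something.com: Permission denied (publickey).'
LOG_DEFAULT='debug1: Connecting to something.com [1.1.1.1] port 22.
debug1: connect to address 1.1.1.1 port 22: Connection refused
ssh: connect to host something.com port 22: Connection refused'

for sample in "$LOG_PRIVATE" "$LOG_PUB" "$LOG_DEFAULT"; do
  printf '%s\n' "$sample" | diagnose_ssh_log
done
```

An `auth-ok` verdict followed by a failing `git clone` means the key and account are fine and the difference lies in what git's own ssh picks up (config file, port, identity path).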