1

Admins at my company are at a loss. I am trying to connect to my company's gitlab instance using the following but even this password is denied:

ssh -Tv git@host.company.com

My pub/priv keys are in ~/.ssh and I've added the key to the GitLab account. I get these results:

debug1: Connecting to host.company.com [xxx.xxx.xxx.xxx] port 22.
debug1: Connection established.
debug1: identity file /home/me/.ssh/id_rsa type 0
debug1: identity file /home/me/.ssh/id_rsa-cert type -1
debug1: identity file /home/me/.ssh/id_dsa type -1
debug1: identity file /home/me/.ssh/id_dsa-cert type -1
debug1: identity file /home/me/.ssh/id_ecdsa type -1
debug1: identity file /home/me/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/me/.ssh/id_ecdsa_sk type -1
debug1: identity file /home/me/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file /home/me/.ssh/id_ed25519 type 3
debug1: identity file /home/me/.ssh/id_ed25519-cert type -1
debug1: identity file /home/me/.ssh/id_ed25519_sk type -1
debug1: identity file /home/me/.ssh/id_ed25519_sk-cert type -1
debug1: identity file /home/me/.ssh/id_xmss type -1
debug1: identity file /home/me/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.4
debug1: Remote protocol version 2.0, remote software version OpenSSH_8.2p1 Ubuntu-4ubuntu0.3
debug1: match: OpenSSH_8.2p1 Ubuntu-4ubuntu0.2 pat OpenSSH* compat 0x03000000
debug1: Authenticating to host.company.com:22 as 'git'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
...
debug1: Host 'host.company.com' is known and matches the ECDSA host key.
debug1: Found key in /home/emp/.ssh/known_hosts:1
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 134217728 blocks
debug1: Will attempt key: /home/me/.ssh/id_ed25519 ED25519SHA256:ABCDEFGHIJKLMNOPQRSTUVWXYZ agent
debug1: Will attempt key: /home/me/.ssh/id_rsa RSA SHA256:ABCDEFGHIJKLMNOPQRSTUVWXYZ agent
debug1: Will attempt key: /home/me/.ssh/id_dsa 
debug1: Will attempt key: /home/me/.ssh/id_ecdsa 
debug1: Will attempt key: /home/me/.ssh/id_ecdsa_sk 
debug1: Will attempt key: /home/me/.ssh/id_ed25519_sk 
debug1: Will attempt key: /home/me/.ssh/id_xmss 
debug1: SSH2_MSG_EXT_INFO received
...
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering public key: /home/me/.ssh/id_ed25519 ED25519 SHA256:ABCDEFGHIJKLMNOPQRSTUVWXYZ agent
debug1: Authentications that can continue: publickey,password
debug1: Offering public key: /home/me/.ssh/id_rsa RSA SHA256:ABCDEFGHIJKLMNOPQRSTUVWXYZ agent
debug1: Authentications that can continue: publickey,password
debug1: Trying private key: /home/me/.ssh/id_dsa
debug1: Trying private key: /home/me/.ssh/id_ecdsa
debug1: Trying private key: /home/me/.ssh/id_ecdsa_sk
debug1: Trying private key: /home/me/.ssh/id_ed25519_sk
debug1: Trying private key: /home/me/.ssh/id_xmss
debug1: Next authentication method: password
git@host.company.com's password:

It always ends up asking for the password. Same results if I use my username in this.

ssh -Tv me@host.company.com

Anyone have thoughts?

Ender
  • 1,652
  • 2
  • 25
  • 50
  • I have never use hosted version of gitlab, but I am pretty sure ssh keys to access machine are not the same as the one to access gitlab repositories. Someone who already has access need to add your public key to know host of machine that hosts gitlab – kosciej16 Jan 11 '22 at 16:23
  • I created the ed25519 key specifically for accessing this GitLab account. I actually have a few keys, I've tried rsa and ed25519. Though, I don't understand why the same keys can't be used. – Ender Jan 11 '22 at 16:26
  • Your client, according to its debug output, *did* use the keys. They just didn't *work*. The server side logs may (depending on log setup) have the information you need about why they didn't work. – torek Jan 12 '22 at 02:36
  • I have not set up GitLab, but I have set up software that predated GitLab. In general these things use an sshd setup where sshd reads ~git's .ssh/authorized_keys file, which is specially formatted with explicit keys and commands. When the key matches the authorized key, the command runs. This works well for small key-sets but not so well for very large ones, so I imagine GitLab may have alternative setups. – torek Jan 12 '22 at 02:39

1 Answers1

1

First, I confirm me@host.company.com will never work: 'me' does not have a homedir on that server.
The public key you must register on your GitLab server is managed by the service account git.

Try for testing a key with the old PEM format, just in case:

ssh-keygen -t ed25519 -P "" -m PEM -f ~/.ssh/mygitlab
ssh -Tv -i ~/.ssh/mygitlab git@host.company.com
VonC
  • 1,262,500
  • 529
  • 4,410
  • 5,250
  • I got the same results. Asking for a password. Should I post it in the OP? – Ender Jan 11 '22 at 17:01
  • @Ender Did you register the public key to your enterprise GitLab user account settings? – VonC Jan 11 '22 at 17:06
  • Yes, I copied the public key into the account's SSH keys page. I do this all the time w/ GitLab and have never had issues like this before. – Ender Jan 11 '22 at 17:09
  • @Ender Do you mean it was working before with that same server, and it stopped working? – VonC Jan 11 '22 at 17:17
  • No, I mean I've done this process using gitlab.com to access repos with keys, but never with my company instance. – Ender Jan 11 '22 at 17:19
  • @Ender OK, so you need to contact the admin of that enterprise instance, in order for them to check the logs, see if they at least see the SSH connection getting to their server, and if SSH logs would show anything. – VonC Jan 11 '22 at 17:21