[WLUG] remote ssh access problem with gitolite

lanewhoy lanewhoy at gmail.com
Sun Dec 18 13:06:12 EST 2016


Jim,
 Have you verified that the public key under /home/$USER/.ssh did not get changed to MS Windows file format?  According to the debug output you posted, it looks like your server cannot parse the key file because it cannot find the begin marker, and your email stated that the client is cygwin on Windows.
Your new server may be stricter about the key format than the old one was due to bug fixes in the OpenSSL libraries.
Lane Hoy


-------- Original message --------
From: "Carl T. Miller" <carl at carltm.com>
Date: 12/16/16 2:46 PM (GMT-05:00)
To: "Washtenaw Linux Users Group (WLUG)" <washlug at washlug.org>
Subject: Re: [WLUG] remote ssh access problem with gitolite

You could get that error for several reasons.  The
first thing I'd check is the permissions on ~/.ssh
(600) and the key file (600).  Do this for client
and server.

If that doesn't fix it, look at this page.

<http://stackoverflow.com/questions/23392763/aws-ssh-connection-error-permission-denied-publickey>

Good luck!

c


Jim Irrer wrote:
> Hi -
>
> I'm trying to move our gitolite installation, and am having a problem
> getting the remote access via ssh to work.
>
> This was actually working at one point, so there are a lot of things (ssh
> keys) that I believe are set up correctly, but as the ssh log
> below shows, the git server closes the connection, when it should be
> listing the git repositories.
>
> I can't be sure, but it looks like the key exchange is working, and that
> gitolite is shutting down the connection, but it's not
> obvious why.
>
> Full disclosure:  The client is Windows running cygwin.  It works on our
> old gitolite installation.
>
> Thanks for any insights - Jim
>
> Jim Irrer     irrer at umich.edu       (734) 647-4409
> University of Michigan Hospital Radiation Oncology
> 519 W. William St.             Ann Arbor, MI 48103
>
>
>
>
> *:ssh -vvv git at git2*
> *OpenSSH_6.5, OpenSSL 1.0.1f 6 Jan 2014*
> *debug2: ssh_connect: needpriv 0*
> *debug1: Connecting to git2 [[**redacted server IP address]] port 22.*
> *debug1: Connection established.*
> *debug3: Incorrect RSA1 identifier*
> *debug3: Could not load "/home/irrer/.ssh/id_rsa" as a RSA1 public key*
> *debug1: identity file /home/irrer/.ssh/id_rsa type 1*
> *debug1: identity file /home/irrer/.ssh/id_rsa-cert type -1*
> *debug1: identity file /home/irrer/.ssh/id_dsa type -1*
> *debug1: identity file /home/irrer/.ssh/id_dsa-cert type -1*
> *debug1: identity file /home/irrer/.ssh/id_ecdsa type -1*
> *debug1: identity file /home/irrer/.ssh/id_ecdsa-cert type -1*
> *debug1: identity file /home/irrer/.ssh/id_ed25519 type -1*
> *debug1: identity file /home/irrer/.ssh/id_ed25519-cert type -1*
> *debug1: Enabling compatibility mode for protocol 2.0*
> *debug1: Local version string SSH-2.0-OpenSSH_6.5*
> *debug1: Remote protocol version 2.0, remote software version
> OpenSSH_6.6.1*
> *debug1: match: OpenSSH_6.6.1 pat OpenSSH* compat 0x04000000*
> *debug2: fd 3 setting O_NONBLOCK*
> *debug3: load_hostkeys: loading entries for host "git2" from file
> "/home/irrer/.ssh/known_hosts"*
> *debug3: load_hostkeys: found key type ECDSA in file
> /home/irrer/.ssh/known_hosts:92*
> *debug3: load_hostkeys: loaded 1 keys*
> *debug3: order_hostkeyalgs: prefer hostkeyalgs:
> ecdsa-sha2-nistp256-cert-v01 at openssh.com
> <ecdsa-sha2-nistp256-cert-v01 at openssh.com>,ecdsa-sha2-nistp384-cert-v01 at openssh.com
> <ecdsa-sha2-nistp384-cert-v01 at openssh.com>,ecdsa-sha2-nistp521-cert-v01 at openssh.com
> <ecdsa-sha2-nistp521-cert-v01 at openssh.com>,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521*
> *debug1: SSH2_MSG_KEXINIT sent*
> *debug1: SSH2_MSG_KEXINIT received*
> *debug2: kex_parse_kexinit: curve25519-sha256 at libssh.org
> <curve25519-sha256 at libssh.org>,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1*
> *debug2: kex_parse_kexinit: ecdsa-sha2-nistp256-cert-v01 at openssh.com
> <ecdsa-sha2-nistp256-cert-v01 at openssh.com>,ecdsa-sha2-nistp384-cert-v01 at openssh.com
> <ecdsa-sha2-nistp384-cert-v01 at openssh.com>,ecdsa-sha2-nistp521-cert-v01 at openssh.com
> <ecdsa-sha2-nistp521-cert-v01 at openssh.com>,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519-cert-v01 at openssh.com
> <ssh-ed25519-cert-v01 at openssh.com>,ssh-rsa-cert-v01 at openssh.com
> <ssh-rsa-cert-v01 at openssh.com>,ssh-dss-cert-v01 at openssh.com
> <ssh-dss-cert-v01 at openssh.com>,ssh-rsa-cert-v00 at openssh.com
> <ssh-rsa-cert-v00 at openssh.com>,ssh-dss-cert-v00 at openssh.com
> <ssh-dss-cert-v00 at openssh.com>,ssh-ed25519,ssh-rsa,ssh-dss*
> *debug2: kex_parse_kexinit:
> aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm at openssh.com
> <aes128-gcm at openssh.com>,aes256-gcm at openssh.com
> <aes256-gcm at openssh.com>,chacha20-poly1305 at openssh.com
> <chacha20-poly1305 at openssh.com>,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc at lysator.liu.se
> <rijndael-cbc at lysator.liu.se>*
> *debug2: kex_parse_kexinit:
> aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm at openssh.com
> <aes128-gcm at openssh.com>,aes256-gcm at openssh.com
> <aes256-gcm at openssh.com>,chacha20-poly1305 at openssh.com
> <chacha20-poly1305 at openssh.com>,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc at lysator.liu.se
> <rijndael-cbc at lysator.liu.se>*
> *debug2: kex_parse_kexinit: hmac-md5-etm at openssh.com
> <hmac-md5-etm at openssh.com>,hmac-sha1-etm at openssh.com
> <hmac-sha1-etm at openssh.com>,umac-64-etm at openssh.com
> <umac-64-etm at openssh.com>,umac-128-etm at openssh.com
> <umac-128-etm at openssh.com>,hmac-sha2-256-etm at openssh.com
> <hmac-sha2-256-etm at openssh.com>,hmac-sha2-512-etm at openssh.com
> <hmac-sha2-512-etm at openssh.com>,hmac-ripemd160-etm at openssh.com
> <hmac-ripemd160-etm at openssh.com>,hmac-sha1-96-etm at openssh.com
> <hmac-sha1-96-etm at openssh.com>,hmac-md5-96-etm at openssh.com
> <hmac-md5-96-etm at openssh.com>,hmac-md5,hmac-sha1,umac-64 at openssh.com
> <umac-64 at openssh.com>,umac-128 at openssh.com
> <umac-128 at openssh.com>,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160 at openssh.com
> <hmac-ripemd160 at openssh.com>,hmac-sha1-96,hmac-md5-96*
> *debug2: kex_parse_kexinit: hmac-md5-etm at openssh.com
> <hmac-md5-etm at openssh.com>,hmac-sha1-etm at openssh.com
> <hmac-sha1-etm at openssh.com>,umac-64-etm at openssh.com
> <umac-64-etm at openssh.com>,umac-128-etm at openssh.com
> <umac-128-etm at openssh.com>,hmac-sha2-256-etm at openssh.com
> <hmac-sha2-256-etm at openssh.com>,hmac-sha2-512-etm at openssh.com
> <hmac-sha2-512-etm at openssh.com>,hmac-ripemd160-etm at openssh.com
> <hmac-ripemd160-etm at openssh.com>,hmac-sha1-96-etm at openssh.com
> <hmac-sha1-96-etm at openssh.com>,hmac-md5-96-etm at openssh.com
> <hmac-md5-96-etm at openssh.com>,hmac-md5,hmac-sha1,umac-64 at openssh.com
> <umac-64 at openssh.com>,umac-128 at openssh.com
> <umac-128 at openssh.com>,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160 at openssh.com
> <hmac-ripemd160 at openssh.com>,hmac-sha1-96,hmac-md5-96*
> *debug2: kex_parse_kexinit: none,zlib at openssh.com <zlib at openssh.com>,zlib*
> *debug2: kex_parse_kexinit: none,zlib at openssh.com <zlib at openssh.com>,zlib*
> *debug2: kex_parse_kexinit: *
> *debug2: kex_parse_kexinit: *
> *debug2: kex_parse_kexinit: first_kex_follows 0 *
> *debug2: kex_parse_kexinit: reserved 0 *
> *debug2: kex_parse_kexinit:
> ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1*
> *debug2: kex_parse_kexinit:
> ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ssh-ed25519*
> *debug2: kex_parse_kexinit:
> aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm at openssh.com
> <aes128-gcm at openssh.com>,aes256-gcm at openssh.com
> <aes256-gcm at openssh.com>,chacha20-poly1305 at openssh.com
> <chacha20-poly1305 at openssh.com>,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc at lysator.liu.se
> <rijndael-cbc at lysator.liu.se>*
> *debug2: kex_parse_kexinit:
> aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm at openssh.com
> <aes128-gcm at openssh.com>,aes256-gcm at openssh.com
> <aes256-gcm at openssh.com>,chacha20-poly1305 at openssh.com
> <chacha20-poly1305 at openssh.com>,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc at lysator.liu.se
> <rijndael-cbc at lysator.liu.se>*
> *debug2: kex_parse_kexinit: hmac-md5-etm at openssh.com
> <hmac-md5-etm at openssh.com>,hmac-sha1-etm at openssh.com
> <hmac-sha1-etm at openssh.com>,umac-64-etm at openssh.com
> <umac-64-etm at openssh.com>,umac-128-etm at openssh.com
> <umac-128-etm at openssh.com>,hmac-sha2-256-etm at openssh.com
> <hmac-sha2-256-etm at openssh.com>,hmac-sha2-512-etm at openssh.com
> <hmac-sha2-512-etm at openssh.com>,hmac-ripemd160-etm at openssh.com
> <hmac-ripemd160-etm at openssh.com>,hmac-sha1-96-etm at openssh.com
> <hmac-sha1-96-etm at openssh.com>,hmac-md5-96-etm at openssh.com
> <hmac-md5-96-etm at openssh.com>,hmac-md5,hmac-sha1,umac-64 at openssh.com
> <umac-64 at openssh.com>,umac-128 at openssh.com
> <umac-128 at openssh.com>,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160 at openssh.com
> <hmac-ripemd160 at openssh.com>,hmac-sha1-96,hmac-md5-96*
> *debug2: kex_parse_kexinit: hmac-md5-etm at openssh.com
> <hmac-md5-etm at openssh.com>,hmac-sha1-etm at openssh.com
> <hmac-sha1-etm at openssh.com>,umac-64-etm at openssh.com
> <umac-64-etm at openssh.com>,umac-128-etm at openssh.com
> <umac-128-etm at openssh.com>,hmac-sha2-256-etm at openssh.com
> <hmac-sha2-256-etm at openssh.com>,hmac-sha2-512-etm at openssh.com
> <hmac-sha2-512-etm at openssh.com>,hmac-ripemd160-etm at openssh.com
> <hmac-ripemd160-etm at openssh.com>,hmac-sha1-96-etm at openssh.com
> <hmac-sha1-96-etm at openssh.com>,hmac-md5-96-etm at openssh.com
> <hmac-md5-96-etm at openssh.com>,hmac-md5,hmac-sha1,umac-64 at openssh.com
> <umac-64 at openssh.com>,umac-128 at openssh.com
> <umac-128 at openssh.com>,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160 at openssh.com
> <hmac-ripemd160 at openssh.com>,hmac-sha1-96,hmac-md5-96*
> *debug2: kex_parse_kexinit: none,zlib at openssh.com <zlib at openssh.com>*
> *debug2: kex_parse_kexinit: none,zlib at openssh.com <zlib at openssh.com>*
> *debug2: kex_parse_kexinit: *
> *debug2: kex_parse_kexinit: *
> *debug2: kex_parse_kexinit: first_kex_follows 0 *
> *debug2: kex_parse_kexinit: reserved 0 *
> *debug2: mac_setup: found hmac-md5-etm at openssh.com
> <hmac-md5-etm at openssh.com>*
> *debug1: kex: server->client aes128-ctr hmac-md5-etm at openssh.com
> <hmac-md5-etm at openssh.com> none*
> *debug2: mac_setup: found hmac-md5-etm at openssh.com
> <hmac-md5-etm at openssh.com>*
> *debug1: kex: client->server aes128-ctr hmac-md5-etm at openssh.com
> <hmac-md5-etm at openssh.com> none*
> *debug1: sending SSH2_MSG_KEX_ECDH_INIT*
> *debug1: expecting SSH2_MSG_KEX_ECDH_REPLY*
> *debug1: Server host key: ECDSA
> e4:23:6e:5e:df:55:60:13:67:fc:76:bf:89:a0:e8:be*
> *debug3: load_hostkeys: loading entries for host "git2" from file
> "/home/irrer/.ssh/known_hosts"*
> *debug3: load_hostkeys: found key type ECDSA in file
> /home/irrer/.ssh/known_hosts:92*
> *debug3: load_hostkeys: loaded 1 keys*
> *debug3: load_hostkeys: loading entries for host "**[redacted server IP
> address]" from file "/home/irrer/.ssh/known_hosts"*
> *debug3: load_hostkeys: found key type ECDSA in file
> /home/irrer/.ssh/known_hosts:92*
> *debug3: load_hostkeys: loaded 1 keys*
> *debug1: Host 'git2' is known and matches the ECDSA host key.*
> *debug1: Found key in /home/irrer/.ssh/known_hosts:92*
> *debug1: ssh_ecdsa_verify: signature correct*
> *debug2: kex_derive_keys*
> *debug2: set_newkeys: mode 1*
> *debug1: SSH2_MSG_NEWKEYS sent*
> *debug1: expecting SSH2_MSG_NEWKEYS*
> *debug2: set_newkeys: mode 0*
> *debug1: SSH2_MSG_NEWKEYS received*
> *debug1: Roaming not allowed by server*
> *debug1: SSH2_MSG_SERVICE_REQUEST sent*
> *debug2: service_accept: ssh-userauth*
> *debug1: SSH2_MSG_SERVICE_ACCEPT received*
> *debug2: key: /home/irrer/.ssh/id_rsa (0x80061df0),*
> *debug2: key: /home/irrer/.ssh/id_dsa (0x0),*
> *debug2: key: /home/irrer/.ssh/id_ecdsa (0x0),*
> *debug2: key: /home/irrer/.ssh/id_ed25519 (0x0),*
> *debug1: Authentications that can continue:
> publickey,password,keyboard-interactive,hostbased*
> *debug3: start over, passed a different list
> publickey,password,keyboard-interactive,hostbased*
> *debug3: preferred publickey,keyboard-interactive,password*
> *debug3: authmethod_lookup publickey*
> *debug3: remaining preferred: keyboard-interactive,password*
> *debug3: authmethod_is_enabled publickey*
> *debug1: Next authentication method: publickey*
> *debug1: Offering RSA public key: /home/irrer/.ssh/id_rsa*
> *debug3: send_pubkey_test*
> *debug2: we sent a publickey packet, wait for reply*
> *debug1: Server accepts key: pkalg ssh-rsa blen 279*
> *debug2: input_userauth_pk_ok: fp
> 4c:08:22:1b:d2:36:de:f2:79:20:03:37:0a:de:0d:6c*
> *debug3: sign_and_send_pubkey: RSA
> 4c:08:22:1b:d2:36:de:f2:79:20:03:37:0a:de:0d:6c*
> *debug1: key_parse_private2: missing begin marker*
> *debug1: read PEM private key done: type RSA*
> *Connection closed by [redacted server IP address]*
> ______________________________________________________
> washlug mailing list    washlug web site
> washlug at washlug.org     www.washlug.org
> http://linux.marcdatabase.com/mailman/listinfo/washlug
>
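
Added example, not part of the original thread: one way to run the check suggested in the reply at the top, namely whether a key file under ~/.ssh has picked up Windows line endings, a byte order mark, or lost its begin marker. The function name check_key_format and the sample file are assumptions made for this illustration, and the key body is a constructed placeholder.

```shell
#!/bin/sh
# Added example: report format damage in an SSH key file (constructed data only).
# Prints one finding per line; returns 0 if clean, 1 on findings, 2 if unreadable.
check_key_format() {
    f=$1
    problems=0
    [ -r "$f" ] || { echo "unreadable: $f"; return 2; }

    # Carriage returns mean the file was saved or copied with Windows line endings.
    cr=$(printf '\r')
    if grep -q "$cr" "$f"; then
        echo "crlf: carriage returns found (Windows line endings)"
        problems=1
    fi

    # A UTF-8 byte order mark pushes the marker off the start of the file.
    if [ "$(head -c 3 "$f" | od -An -tx1 | tr -d ' \n')" = "efbbbf" ]; then
        echo "bom: UTF-8 byte order mark before the key data"
        problems=1
    fi

    first=$(head -n 1 "$f" | tr -d '\r')
    case $first in
        ssh-rsa\ *|ssh-dss\ *|ssh-ed25519\ *|ecdsa-sha2-*\ *)
            # Public key: exactly one line, "type base64 [comment]".
            lines=$(grep -c . "$f")
            [ "$lines" -eq 1 ] || { echo "pubkey: wrapped onto $lines lines"; problems=1; }
            ;;
        "-----BEGIN "*"PRIVATE KEY-----")
            # Private key: the armor needs a closing marker as well.
            grep -q '^-----END .*PRIVATE KEY-----' "$f" ||
                { echo "private: END marker missing"; problems=1; }
            ;;
        *)
            echo "marker: first line is neither a key type nor a BEGIN marker"
            problems=1
            ;;
    esac
    return "$problems"
}

# Demo on a constructed file (placeholder body, not a real key) with CRLF endings.
demo=$(mktemp -d)
printf '%s\r\n' '-----BEGIN RSA PRIVATE KEY-----' 'Q09OU1RSVUNURUQ=' \
    '-----END RSA PRIVATE KEY-----' > "$demo/id_rsa_crlf"
check_key_format "$demo/id_rsa_crlf" || true
rm -rf "$demo"
```

A "crlf" finding can be cleared by rewriting the file with `tr -d '\r'` (or `dos2unix`) and restoring its permissions afterwards.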

