[WLUG] remote ssh access problem with gitolite
Jim Irrer
irrer at umich.edu
Wed Dec 21 13:30:51 EST 2016
FYI - Found the problem.
The /etc/shadow file was setting the the git account to 'no login'. I
think this was done by a Puppet process, but I don't administer that.
Thanks for your help guys.
- Jim
Jim Irrer irrer at umich.edu (734) 647-4409
University of Michigan Hospital Radiation Oncology
519 W. William St. Ann Arbor, MI 48103-4943
On Sun, Dec 18, 2016 at 1:06 PM, lanewhoy <lanewhoy at gmail.com> wrote:
> Jim,
>
> Have you verified that public key under /home/$USER/.ssh did not get
> changed to MS Windows file format? According to the debug output you
> posted, it looks like your server cannot parse the key file because it
> cannot find the begin marker, and you email stated that the client is
> cygwin on Windows.
>
> Your new server may be stricter about the key format than the old one was
> due to bug fixes in the open ssl libraries.
>
> Lane Hoy
>
>
>
> Sent via the Samsung Galaxy S7, an AT&T 4G LTE smartphone
>
> -------- Original message --------
> From: "Carl T. Miller" <carl at carltm.com>
> Date: 12/16/16 2:46 PM (GMT-05:00)
> To: "Washtenaw Linux Users Group (WLUG)" <washlug at washlug.org>
> Subject: Re: [WLUG] remote ssh access problem with gitolite
>
> You could get that error for several reasons. The
> first thing I'd check is the permissions on ~/.ssh
> (600) and the key file (600). Do this for client
> and server.
>
> If that doesn't fix it, look at this page.
>
> <http://stackoverflow.com/questions/23392763/aws-ssh-
> connection-error-permission-denied-publickey>
>
> Good luck!
>
> c
>
>
> Jim Irrer wrote:
> > Hi -
> >
> > I'm trying to move our gitolite installation, and am having a problem
> > getting the remote access via ssh to work.
> >
> > This was actually working at one point, so there are a lot of things (ssh
> > keys) that I believe are set up correctly, but as the ssh log
> > below shows, the git server closes the connection, when it should be
> > listing the git repositories.
> >
> > I can't be sure, but it looks like the key exchange is working, and that
> > gitolite is shutting down the connection, but its not
> > obvious why.
> >
> > Full disclosure: The client is Windows running cygwin. It works on our
> > old gitolite installation.
> >
> > Thanks for any insights - Jim
> >
> > Jim Irrer irrer at umich.edu (734) 647-4409
> > University of Michigan Hospital Radiation Oncology
> > 519 W. William St. Ann Arbor, MI 48103
> >
> >
> >
> >
> > *:ssh -vvv git at git2OpenSSH_6.5, OpenSSL 1.0.1f 6 Jan 2014*
> > *debug2: ssh_connect: needpriv 0*
> > *debug1: Connecting to git2 [[**redacted server IP address]] port 22.*
> > *debug1: Connection established.*
> > *debug3: Incorrect RSA1 identifier*
> > *debug3: Could not load "/home/irrer/.ssh/id_rsa" as a RSA1 public key*
> > *debug1: identity file /home/irrer/.ssh/id_rsa type 1*
> > *debug1: identity file /home/irrer/.ssh/id_rsa-cert type -1*
> > *debug1: identity file /home/irrer/.ssh/id_dsa type -1*
> > *debug1: identity file /home/irrer/.ssh/id_dsa-cert type -1*
> > *debug1: identity file /home/irrer/.ssh/id_ecdsa type -1*
> > *debug1: identity file /home/irrer/.ssh/id_ecdsa-cert type -1*
> > *debug1: identity file /home/irrer/.ssh/id_ed25519 type -1*
> > *debug1: identity file /home/irrer/.ssh/id_ed25519-cert type -1*
> > *debug1: Enabling compatibility mode for protocol 2.0*
> > *debug1: Local version string SSH-2.0-OpenSSH_6.5*
> > *debug1: Remote protocol version 2.0, remote software version
> > OpenSSH_6.6.1*
> > *debug1: match: OpenSSH_6.6.1 pat OpenSSH* compat 0x04000000*
> > *debug2: fd 3 setting O_NONBLOCK*
> > *debug3: load_hostkeys: loading entries for host "git2" from file
> > "/home/irrer/.ssh/known_hosts"*
> > *debug3: load_hostkeys: found key type ECDSA in file
> > /home/irrer/.ssh/known_hosts:92*
> > *debug3: load_hostkeys: loaded 1 keys*
> > *debug3: order_hostkeyalgs: prefer hostkeyalgs:
> > ecdsa-sha2-nistp256-cert-v01 at openssh.com
> > <ecdsa-sha2-nistp256-cert-v01 at openssh.com>,ecdsa-sha2-
> nistp384-cert-v01 at openssh.com
> > <ecdsa-sha2-nistp384-cert-v01 at openssh.com>,ecdsa-sha2-
> nistp521-cert-v01 at openssh.com
> > <ecdsa-sha2-nistp521-cert-v01 at openssh.com>,ecdsa-sha2-
> nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521*
> > *debug1: SSH2_MSG_KEXINIT sent*
> > *debug1: SSH2_MSG_KEXINIT received*
> > *debug2: kex_parse_kexinit: curve25519-sha256 at libssh.org
> > <curve25519-sha256 at libssh.org>,ecdh-sha2-nistp256,ecdh-sha2-
> nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-
> sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-
> group14-sha1,diffie-hellman-group1-sha1*
> > *debug2: kex_parse_kexinit: ecdsa-sha2-nistp256-cert-v01 at openssh.com
> > <ecdsa-sha2-nistp256-cert-v01 at openssh.com>,ecdsa-sha2-
> nistp384-cert-v01 at openssh.com
> > <ecdsa-sha2-nistp384-cert-v01 at openssh.com>,ecdsa-sha2-
> nistp521-cert-v01 at openssh.com
> > <ecdsa-sha2-nistp521-cert-v01 at openssh.com>,ecdsa-sha2-
> nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-
> ed25519-cert-v01 at openssh.com
> > <ssh-ed25519-cert-v01 at openssh.com>,ssh-rsa-cert-v01 at openssh.com
> > <ssh-rsa-cert-v01 at openssh.com>,ssh-dss-cert-v01 at openssh.com
> > <ssh-dss-cert-v01 at openssh.com>,ssh-rsa-cert-v00 at openssh.com
> > <ssh-rsa-cert-v00 at openssh.com>,ssh-dss-cert-v00 at openssh.com
> > <ssh-dss-cert-v00 at openssh.com>,ssh-ed25519,ssh-rsa,ssh-dss*
> > *debug2: kex_parse_kexinit:
> > aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes1
> 28-gcm at openssh.com
> > <aes128-gcm at openssh.com>,aes256-gcm at openssh.com
> > <aes256-gcm at openssh.com>,chacha20-poly1305 at openssh.com
> > <chacha20-poly1305 at openssh.com>,aes128-cbc,3des-cbc,
> blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,
> rijndael-cbc at lysator.liu.se
> > <rijndael-cbc at lysator.liu.se>*
> > *debug2: kex_parse_kexinit:
> > aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes1
> 28-gcm at openssh.com
> > <aes128-gcm at openssh.com>,aes256-gcm at openssh.com
> > <aes256-gcm at openssh.com>,chacha20-poly1305 at openssh.com
> > <chacha20-poly1305 at openssh.com>,aes128-cbc,3des-cbc,
> blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,
> rijndael-cbc at lysator.liu.se
> > <rijndael-cbc at lysator.liu.se>*
> > *debug2: kex_parse_kexinit: hmac-md5-etm at openssh.com
> > <hmac-md5-etm at openssh.com>,hmac-sha1-etm at openssh.com
> > <hmac-sha1-etm at openssh.com>,umac-64-etm at openssh.com
> > <umac-64-etm at openssh.com>,umac-128-etm at openssh.com
> > <umac-128-etm at openssh.com>,hmac-sha2-256-etm at openssh.com
> > <hmac-sha2-256-etm at openssh.com>,hmac-sha2-512-etm at openssh.com
> > <hmac-sha2-512-etm at openssh.com>,hmac-ripemd160-etm at openssh.com
> > <hmac-ripemd160-etm at openssh.com>,hmac-sha1-96-etm at openssh.com
> > <hmac-sha1-96-etm at openssh.com>,hmac-md5-96-etm at openssh.com
> > <hmac-md5-96-etm at openssh.com>,hmac-md5,hmac-sha1,umac-64 at openssh.com
> > <umac-64 at openssh.com>,umac-128 at openssh.com
> > <umac-128 at openssh.com>,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,
> hmac-ripemd160 at openssh.com
> > <hmac-ripemd160 at openssh.com>,hmac-sha1-96,hmac-md5-96*
> > *debug2: kex_parse_kexinit: hmac-md5-etm at openssh.com
> > <hmac-md5-etm at openssh.com>,hmac-sha1-etm at openssh.com
> > <hmac-sha1-etm at openssh.com>,umac-64-etm at openssh.com
> > <umac-64-etm at openssh.com>,umac-128-etm at openssh.com
> > <umac-128-etm at openssh.com>,hmac-sha2-256-etm at openssh.com
> > <hmac-sha2-256-etm at openssh.com>,hmac-sha2-512-etm at openssh.com
> > <hmac-sha2-512-etm at openssh.com>,hmac-ripemd160-etm at openssh.com
> > <hmac-ripemd160-etm at openssh.com>,hmac-sha1-96-etm at openssh.com
> > <hmac-sha1-96-etm at openssh.com>,hmac-md5-96-etm at openssh.com
> > <hmac-md5-96-etm at openssh.com>,hmac-md5,hmac-sha1,umac-64 at openssh.com
> > <umac-64 at openssh.com>,umac-128 at openssh.com
> > <umac-128 at openssh.com>,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,
> hmac-ripemd160 at openssh.com
> > <hmac-ripemd160 at openssh.com>,hmac-sha1-96,hmac-md5-96*
> > *debug2: kex_parse_kexinit: none,zlib at openssh.com <zlib at openssh.com
> >,zlib*
> > *debug2: kex_parse_kexinit: none,zlib at openssh.com <zlib at openssh.com
> >,zlib*
> > *debug2: kex_parse_kexinit: *
> > *debug2: kex_parse_kexinit: *
> > *debug2: kex_parse_kexinit: first_kex_follows 0 *
> > *debug2: kex_parse_kexinit: reserved 0 *
> > *debug2: kex_parse_kexinit:
> > ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
> diffie-hellman-group-exchange-sha256,diffie-hellman-group-
> exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1*
> > *debug2: kex_parse_kexinit:
> > ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ssh-ed25519*
> > *debug2: kex_parse_kexinit:
> > aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes1
> 28-gcm at openssh.com
> > <aes128-gcm at openssh.com>,aes256-gcm at openssh.com
> > <aes256-gcm at openssh.com>,chacha20-poly1305 at openssh.com
> > <chacha20-poly1305 at openssh.com>,aes128-cbc,3des-cbc,
> blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,
> rijndael-cbc at lysator.liu.se
> > <rijndael-cbc at lysator.liu.se>*
> > *debug2: kex_parse_kexinit:
> > aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes1
> 28-gcm at openssh.com
> > <aes128-gcm at openssh.com>,aes256-gcm at openssh.com
> > <aes256-gcm at openssh.com>,chacha20-poly1305 at openssh.com
> > <chacha20-poly1305 at openssh.com>,aes128-cbc,3des-cbc,
> blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,
> rijndael-cbc at lysator.liu.se
> > <rijndael-cbc at lysator.liu.se>*
> > *debug2: kex_parse_kexinit: hmac-md5-etm at openssh.com
> > <hmac-md5-etm at openssh.com>,hmac-sha1-etm at openssh.com
> > <hmac-sha1-etm at openssh.com>,umac-64-etm at openssh.com
> > <umac-64-etm at openssh.com>,umac-128-etm at openssh.com
> > <umac-128-etm at openssh.com>,hmac-sha2-256-etm at openssh.com
> > <hmac-sha2-256-etm at openssh.com>,hmac-sha2-512-etm at openssh.com
> > <hmac-sha2-512-etm at openssh.com>,hmac-ripemd160-etm at openssh.com
> > <hmac-ripemd160-etm at openssh.com>,hmac-sha1-96-etm at openssh.com
> > <hmac-sha1-96-etm at openssh.com>,hmac-md5-96-etm at openssh.com
> > <hmac-md5-96-etm at openssh.com>,hmac-md5,hmac-sha1,umac-64 at openssh.com
> > <umac-64 at openssh.com>,umac-128 at openssh.com
> > <umac-128 at openssh.com>,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,
> hmac-ripemd160 at openssh.com
> > <hmac-ripemd160 at openssh.com>,hmac-sha1-96,hmac-md5-96*
> > *debug2: kex_parse_kexinit: hmac-md5-etm at openssh.com
> > <hmac-md5-etm at openssh.com>,hmac-sha1-etm at openssh.com
> > <hmac-sha1-etm at openssh.com>,umac-64-etm at openssh.com
> > <umac-64-etm at openssh.com>,umac-128-etm at openssh.com
> > <umac-128-etm at openssh.com>,hmac-sha2-256-etm at openssh.com
> > <hmac-sha2-256-etm at openssh.com>,hmac-sha2-512-etm at openssh.com
> > <hmac-sha2-512-etm at openssh.com>,hmac-ripemd160-etm at openssh.com
> > <hmac-ripemd160-etm at openssh.com>,hmac-sha1-96-etm at openssh.com
> > <hmac-sha1-96-etm at openssh.com>,hmac-md5-96-etm at openssh.com
> > <hmac-md5-96-etm at openssh.com>,hmac-md5,hmac-sha1,umac-64 at openssh.com
> > <umac-64 at openssh.com>,umac-128 at openssh.com
> > <umac-128 at openssh.com>,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,
> hmac-ripemd160 at openssh.com
> > <hmac-ripemd160 at openssh.com>,hmac-sha1-96,hmac-md5-96*
> > *debug2: kex_parse_kexinit: none,zlib at openssh.com <zlib at openssh.com>*
> > *debug2: kex_parse_kexinit: none,zlib at openssh.com <zlib at openssh.com>*
> > *debug2: kex_parse_kexinit: *
> > *debug2: kex_parse_kexinit: *
> > *debug2: kex_parse_kexinit: first_kex_follows 0 *
> > *debug2: kex_parse_kexinit: reserved 0 *
> > *debug2: mac_setup: found hmac-md5-etm at openssh.com
> > <hmac-md5-etm at openssh.com>*
> > *debug1: kex: server->client aes128-ctr hmac-md5-etm at openssh.com
> > <hmac-md5-etm at openssh.com> none*
> > *debug2: mac_setup: found hmac-md5-etm at openssh.com
> > <hmac-md5-etm at openssh.com>*
> > *debug1: kex: client->server aes128-ctr hmac-md5-etm at openssh.com
> > <hmac-md5-etm at openssh.com> none*
> > *debug1: sending SSH2_MSG_KEX_ECDH_INIT*
> > *debug1: expecting SSH2_MSG_KEX_ECDH_REPLY*
> > *debug1: Server host key: ECDSA
> > e4:23:6e:5e:df:55:60:13:67:fc:76:bf:89:a0:e8:be*
> > *debug3: load_hostkeys: loading entries for host "git2" from file
> > "/home/irrer/.ssh/known_hosts"*
> > *debug3: load_hostkeys: found key type ECDSA in file
> > /home/irrer/.ssh/known_hosts:92*
> > *debug3: load_hostkeys: loaded 1 keys*
> > *debug3: load_hostkeys: loading entries for host "**[redacted server IP
> > address]" from file "/home/irrer/.ssh/known_hosts"*
> > *debug3: load_hostkeys: found key type ECDSA in file
> > /home/irrer/.ssh/known_hosts:92*
> > *debug3: load_hostkeys: loaded 1 keys*
> > *debug1: Host 'git2' is known and matches the ECDSA host key.*
> > *debug1: Found key in /home/irrer/.ssh/known_hosts:92*
> > *debug1: ssh_ecdsa_verify: signature correct*
> > *debug2: kex_derive_keys*
> > *debug2: set_newkeys: mode 1*
> > *debug1: SSH2_MSG_NEWKEYS sent*
> > *debug1: expecting SSH2_MSG_NEWKEYS*
> > *debug2: set_newkeys: mode 0*
> > *debug1: SSH2_MSG_NEWKEYS received*
> > *debug1: Roaming not allowed by server*
> > *debug1: SSH2_MSG_SERVICE_REQUEST sent*
> > *debug2: service_accept: ssh-userauth*
> > *debug1: SSH2_MSG_SERVICE_ACCEPT received*
> > *debug2: key: /home/irrer/.ssh/id_rsa (0x80061df0),*
> > *debug2: key: /home/irrer/.ssh/id_dsa (0x0),*
> > *debug2: key: /home/irrer/.ssh/id_ecdsa (0x0),*
> > *debug2: key: /home/irrer/.ssh/id_ed25519 (0x0),*
> > *debug1: Authentications that can continue:
> > publickey,password,keyboard-interactive,hostbased*
> > *debug3: start over, passed a different list
> > publickey,password,keyboard-interactive,hostbased*
> > *debug3: preferred publickey,keyboard-interactive,password*
> > *debug3: authmethod_lookup publickey*
> > *debug3: remaining preferred: keyboard-interactive,password*
> > *debug3: authmethod_is_enabled publickey*
> > *debug1: Next authentication method: publickey*
> > *debug1: Offering RSA public key: /home/irrer/.ssh/id_rsa*
> > *debug3: send_pubkey_test*
> > *debug2: we sent a publickey packet, wait for reply*
> > *debug1: Server accepts key: pkalg ssh-rsa blen 279*
> > *debug2: input_userauth_pk_ok: fp
> > 4c:08:22:1b:d2:36:de:f2:79:20:03:37:0a:de:0d:6c*
> > *debug3: sign_and_send_pubkey: RSA
> > 4c:08:22:1b:d2:36:de:f2:79:20:03:37:0a:de:0d:6c*
> > *debug1: key_parse_private2: missing begin marker*
> > *debug1: read PEM private key done: type RSA*
> > *Connection closed by [redacted server IP address]*
> > ______________________________________________________
> > washlug mailing list washlug web site
> > washlug at washlug.org www.washlug.org
> > http://linux.marcdatabase.com/mailman/listinfo/washlug
> >
>
>
> ______________________________________________________
> washlug mailing list washlug web site
> washlug at washlug.org www.washlug.org
> http://linux.marcdatabase.com/mailman/listinfo/washlug
>
> ______________________________________________________
> washlug mailing list washlug web site
> washlug at washlug.org www.washlug.org
> http://linux.marcdatabase.com/mailman/listinfo/washlug
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://linux.marcdatabase.com/pipermail/washlug/attachments/20161221/c5429118/attachment-0001.html>
More information about the washlug
mailing list