I'm using Git For Windows (not msys or GitHub) in my build server scripts. We have a self-hosted BitBucket repository with an SSH access key configured. I'm trying to do an initial clone in my build scripts via the command line and it is failing with an SSH error/
Here is my environment:
Windows Server 2012
Git For Windows 1.9.4
SSH key stored in %USERPROFILE%\.ssh
.ssh\config points to proper SSH key for my git server domain
my server is in my known_hosts file
SysInternals ProcMon shows that the ssh key is being checked during the clone operation
The same clone operation works using the Git Bash window that comes with Git for Windows. So this rules out an invalid key (I believe)
Here is the Loglevel DEBUG3 logging from SSH during the clone operation:
[exec] debug3: send packet: type 30
[exec] debug1: sending SSH2_MSG_KEX_ECDH_INIT
[exec] debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
[exec] debug3: receive packet: type 31
[exec] debug1: Server host key: ssh-rsa SHA256:K7Y..
[exec] debug3: put_host_port: [x.x.x.x]:7999
[exec] debug3: put_host_port: [xxxmyserverxxx.local]:7999
[exec] debug1: checking without port identifier
[exec] debug1: read_passphrase: can't open /dev/tty: No such device or address
[exec] Host key verification failed.
[exec] fatal: Could not read from remote repository.
[exec]
[exec] Please make sure you have the correct access rights
[exec] and the repository exists.
I can't tell if the "can't open /dev/tty" issue is the real deal breaker. I don't even know what /dev/tty would equate to inside of a Windows command window.
What's more frustrating is this exact type of operation succeeds on another repo I use with the same SSH key pair. I can see no difference in the configuration
read_passphrase: can't open /dev/tty: No such device or address is your deal breaker here. Git needs to get the password of your ssh key but cannot since it has no access to the tty (stdin). Are you running your git command from the Git Bash or from some other terminal?
As a workaround, you can create a passwordless ssh key and use that one instead. To get that working, in your Git Bash home directory, set something similar to this example:
$ ssh-keygen -b 4096 -t rsa -N "" -f "${HOME}/.ssh/id_rsa_passwordless"
$ cat <<EOF >>.ssh/config
Host github.com
HostName github.com
IdentityFile ~/.ssh/id_rsa_passwordless
EOF
Of course, it is better that you use an SSH key with a password under Git Bash, but at least you have a workaround.
Related
I have run command ssh -p [port] -v git#[host] and I get:
debug1: Authentication succeeded (publickey).
Authenticated to stash ([[ip]]:[port]).
debug1: channel 0: new [client-session]
debug1: Entering interactive session.
debug1: pledge: filesystem full
debug1: ENABLE_VIRTUAL_TERMINAL_INPUT is supported. Reading the VTSequence from console
debug1: ENABLE_VIRTUAL_TERMINAL_PROCESSING is supported. Console supports the ansi parsing
shell request failed on channel 0
When I run git clone --recurse-submodules ssh://git#[host]:[port]/[repo].git I get:
git#[host]: Permission denied (publickey).
fatal: Could not read from remote repository.
I have added public key to my bitbucket server.
I tried to generate different keys several times I have no clue what to do.
git does not ask for password when updating submodules
If those submodules are accessible with the same user as the one identified with your SSH keys, Git should not ask for password anyway.
Even if they are using an HTTPS URL, the user credentials might already be cached locally by a credential helper (git config --global credential.helper to check its value).
So I just created a GitLab project and installed Git for windows, and after I generated/set up my ssh keys, the testing isn't successful:
C:\DiscordBot\SillyBot> ssh -vvvT git#Random-nii-chan
OpenSSH_for_Windows_7.6p1, LibreSSL 2.6.4
debug3: Failed to open file:C:\\Users\\Random-nii-chan/.ssh/config error:2
debug3: Failed to open file:C:\\ProgramData\\ssh/ssh_config error:2
debug2: resolving "random-nii-chan" port 22
C:\\WINDOWS\\System32\\OpenSSH\\ssh.exe: Could not resolve hostname random-nii-chan: Unknown host.
I went to my git folder, created a .ssh directory and generated my keys in there (public and private).
What did i do wrong ?
Thanks in advance !
Thanks for your help. I created the conf file in a .ssh folder in %USERPROFILE% as you said, but when i run the test command, it says:
C:\DiscordBot\SillyBot>ssh -vvvT git#Random-nii-chan
OpenSSH_for_Windows_7.6p1, LibreSSL 2.6.4
debug1: Reading configuration data C:\\Users\\Random-nii-chan/.ssh/config
debug1: C:\\Users\\Random-nii-chan/.ssh/config line 1: Applying options for Random-nii-chan
debug3: Failed to open file:C:\\ProgramData\\ssh/ssh_config error:2
debug2: resolving "git#random-nii-chan" port 22
ssh: Could not resolve hostname git#random-nii-chan: Une erreur irr\351cup\351rable s\222est produite lors d\222une recherche sur la base de donn\351es.
(an unfetchable error has occured while browsing the database, sorry if the translation is not correct)
Here is the content of my config file:
Host Random-nii-chan
Hostname git#Random-nii-chan
User git
IdentityFile C:\DiscordBot\SillyBot\.ssh\gitlab
I edited it with the nano command
First, ssh does not look for your keys in "your git folder", but in %USERPROFILE%, in your case C:\Users\Random-nii-chan
Second, make sure you have a C:\Users\Random-nii-chan.ssh\config file (no extension, with LF end of lines, not CRLF) where you define what random-nii-chan is:
Host random-nii-chan
Hostname yourGitLabserver.com
User git
IdentityFile c:/path/to/your/private/key
Then you can try ssh -Tv random-nii-chan (no need to add git#: the User is specified in the config file)
The following is the error I am getting:
no matching mac found: client hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160#openssh.com,hmac-sha1-96,hmac-md5-96 server hmac-sha2-512-etm#openssh.com,hmac-sha2-256-etm#openssh.com,umac-128-etm#openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128#openssh.com
I have struggled to this problem for decent time before understanding the basics and root cause. Sharing the experience so it can help someone.
I was trying to ssh to a target server and getting error like below
$ ssh -A <someTargetServerNameOrIP>
Unable to negotiate with XX.XX.XX.XX port 1234: no matching MAC found.
Their offer:
hmac-sha2-512-etm#openssh.com,hmac-sha2-256-etm#openssh.com,
umac-128-etm#openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128#openssh.com
The root cause of this error is on your source machine the supported MAC doesnt contain the MAC from target server.
to see this run in command line on your machine
$ ssh -Q mac # output would be something like
hmac-sha1
hmac-sha1-96
hmac-sha2-256
hmac-sha2-512
hmac-md5
hmac-md5-96
umac-64#openssh.com
umac-128#openssh.com
So now in order to connect to target server with their choice of mac which your server doesn't support you have to explicitly provide one of the mac supported by target server. For e.g. we take hmac-sha2-512 from the error message and try to connect, and it will be connected
$ ssh -m hmac-sha2-512 -A <someTargetServerNameOrIP>
Another variant of the problem is the mismatch in cipher which looks like below
$ ssh -A <someTargetServerNameOrIP>
Unable to negotiate with XX.XX.XX.XX port 1234: no matching cipher found.
Their offer: aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
The root cause is mismatch of cipher
Check your supported cipher by
$ ssh -Q cipher # output would be something like
3des-cbc
aes256-cbc
rijndael-cbc#lysator.liu.se
aes128-ctr
aes192-ctr
aes256-ctr
aes128-gcm#openssh.com
aes256-gcm#openssh.com
So now in order to connect to target server with their choice of cipher which your server doesnt support you have to explicitly provide one of the cipher supported by target server. For e.g. we take aes128-cbc from the error message and try to connect, and it will be connected
$ ssh -c aes128-cbc -A <someTargetServerNameOrIP>
More details on this can be found
https://diego.assencio.com/?index=688f3a536f63c43566c94f0818d9ecf3
Hope this helps someone.
You are getting this error because the client and the server could not agree upon a hashing algorithm for message authentication code.
More information here:
https://blog.tinned-software.net/debug-ssh-connection-issue-in-key-exchange/
in centOS/RHEL 7 server while trying to access the server via TMA pulse secure tool and getting the below error on /var/log/secure
[root#rhellinuxserver ~]# cat /var/log/secure| grep -iE "no matching"
Aug 24 07:02:07 rhellinuxserver sshd[29958]: Unable to negotiate with 172.21.112.111 port 16899: no matching MAC found. Their offer: hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96,hmac-ripemd160,hmac-ripemd160#openssh.com [preauth]
Aug 24 07:15:24 rhellinuxserver sshd[30702]: Unable to negotiate with 172.21.112.111 port 33541: no matching MAC found. Their offer: hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96,hmac-ripemd160,hmac-ripemd160#openssh.com [preauth]
To fix the issue edit the sshd_config file as mentioned below
# cat -n /etc/ssh/sshd_config | grep -i MAcs
Find the line
MACs hmac-sha2-512-etm#openssh.com,hmac-sha2-256-etm#openssh.com,umac-128-etm#openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128#openssh.com
Replace it with
MACs hmac-sha1,hmac-sha1-96,hmac-md5,hmac-sha2-512-etm#openssh.com,hmac-sha2-256-etm#openssh.com,umac-128-etm#openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160
This will add following extra MACs algorithms.
hmac-sha1,hmac-sha1-96,hmac-md5,hmac-ripemd160
Restart the SSHD service now
systemctl restart sshd
now able to access the server find the success result in /var/log/secure log file.
cat /var/log/secure| grep -i Accepted
Aug 24 07:18:24 rhellinuxserver sshd[548]: Accepted password for username from 172.21.112.111 port 53776 ssh2
Important Note:
Do not use this two weak ciphers aes256-cbc & aes128-cbc
This may allow an attacker to recover the plaintext message from the ciphertext.
Disable CBC mode cipher encryption and enable CTR or GCM cipher mode encryption.
Below is the steps to disable SSH weak ciphers aes256-cbc & aes128-cbc
Step 1: Remove AES-128-CBC & AES-256-CBC on this file.
/etc/crypto-policies/state/CURRENT.pol
Step 2: Remove aes256-cbc & aes128-cbc on this file.
/etc/crypto-policies/back-ends/opensshserver.config
Step 3: Restart/Reload the sshd service
$ sudo systemctl restart sshd
$ sudo systemctl status sshd
Step 4: Now you can take the ssh connection without weak ciphers aes256-cbc & aes128-cbc
$ sudo ssh -vvv user-name#IP-Address
For more information's refer this CVE-2008-5161
Latest putty client solved the issue.
I've installed os x server (Mavericks) on my mac and would like to add bot. For some reasons my remote repo is located on other external server and I have access to it by username and password on specified port. I've added remote repo to os x server like this:
ssh://1.2.3.4:PORT/path/to/repo.git
...filled username and password.
Then I've added bot in Xcode but when I hit integrate it fails with logs:
Cloning into 'ssh_myusername_1_2_3_4_PORT_path_to_repo_git'...
OpenSSH_6.2p2, OSSLShim 0.9.8r 8 Dec 2011 debug1: Reading
configuration data /etc/ssh_config debug1: /etc/ssh_config line 20:
Applying options for * debug1: Connecting to 1.2.3.4 [1.2.3.4] port PORT.
debug1: Connection established.
Could not create directory '/var/teamsserver/.ssh'.
debug1: identity file /var/teamsserver/.ssh/id_rsa type -1
debug1: identity file /var/teamsserver/.ssh/id_rsa-cert type -1
debug1: identity file /var/teamsserver/.ssh/id_dsa type -1
debug1: identity file /var/teamsserver/.ssh/id_dsa-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.2
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.0p1 Debian-3ubuntu1
debug1: match: OpenSSH_6.0p1 Debian-3ubuntu1 pat OpenSSH*
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Server host key: RSA b6:b8:0e:e4:25:63:6d:64:a3:d6:6d:7f:46:85:72:0d
debug1: checking without port identifier No RSA host key is known for [1.2.3.4]:PORT
and you have requested strict checking. Host key verification failed.
fatal: Could not read from remote repository.
Please make sure you have the correct access rights and the repository
exists.
SSH Known Hosts file path is located at
/Library/Server/Xcode/Config/ssh_known_hosts
SSH strict host checking
is enabled (you can disable this by editing the
SSHStrictHostKeyChecking key in
/Library/Server/Xcode/Config/xcsbuildd.plist
Untrusted HTTPS
certificates is disabled (you can enable this by editing the
TrustSelfSignedSSLCertificates key in
/Library/Server/Xcode/Config/xcsbuildd.plist
I assume that there is a problem with permissions but in my /var there are some directories with different permissions and of course there is no teams server folder...
So I don't know how to setup proper permissions (without changing permissions of other subdirectories of /var...). I can try manually make directory "teams server" but don't know with what permissions... ? Do you have any ideas?
EDIT: For test purpose I've created teamsserver directory with 777 but that doesn't solve my problem. Logs looks the same as previous butjust WITHOUT line:
Could not create directory '/var/teamsserver/.ssh'.
Any ideas?
Thanks
I experienced a similar issue with scheme action build scripts when attempting to run git commands against a github repo protected by ssh key pairs.
Bots run builds using a _teamsserver system account. As you've discovered, these accounts don't have home directories by default. To setup builds to access and modify their home directory, I had success with the following (your mileage may vary):
sudo mkdir /var/teamsserver
sudo chown -R _teamsserver:_teamsserver /var/teamsserver/
sudo chmod -R 770 /var/teamsserver/
HTH
Ok, I took some time but I've a solution... Two solutions actually. Ashamed to admit but read and understand logs is enough to solve the problem (again :P).
FIRST ANSWER:
My server host key was added to .ssh/known_hosts BEFORE installing os x server. Server does't use that path of known hosts. As log says server uses:
SSH Known Hosts file path is located at
/Library/Server/Xcode/Config/ssh_known_hosts
and that file was empty in my case. So to solve the problem it is enough to copy known_hosts to ssh_known_hosts:
sudo cp ~/.ssh/known_hosts /Library/Server/Xcode/Config/ssh_known_hosts
It's that simple.
SECOND ANSWER:
Acording to log again
SSH strict host checking is enabled (you can disable this by editing
the SSHStrictHostKeyChecking key in /Library/Server/Xcode/Config/xcsbuildd.plist
Change SSHStrictHostKeyChecking to false.
It's done again.
If you've tried the above and still are getting a permission denied error, you probably don't have the right permissions to that file/directory.
Who are you running as? $id
$ls -al the directory that the server is trying to read the id_rsa from (Probably similar to this path: Library/Server/Xcode/Data/BotRuns/BotRun-a28db5fc-1932-47a0-a528-f52c75e421e2.bundle/credentials/65885363-194e-454b-a3ce-56dcaaf5d3c9/id_rsa)
change ownership of that file ^^ ($sudo chown {#id} {#path})
I did 3 things to allow me to get past this, although I'm not sure which of them solved the problem:
Change all git repositories in my project to use the HTTPS rather than SSH (git) version of the url
Disabled SSHStrictHostKeyChecking as per the instructions from the source control log from the bot.
Enabled TrustSelfSignedSSLCertificates as per the same instructions from the log.
Also check out https://discussions.apple.com/thread/5586872 in case this is a problem for you.
I will back some of these items off and test when I have more time.
1) Run Git Bash (C:\Program Files (x86)\Git\bin\sh.exe --login)
$ ssh -v git#github.com
OpenSSH_4.6p1, OpenSSL 0.9.8e 23 Feb 2007
debug1: Reading configuration data /c/Users/Alexander Fedorov/.ssh/config
debug1: Applying options for github.com
debug1: Connecting to github.com [207.97.227.239] port 22.
debug1: Connection established.
...
Hi xpoft! You've successfully authenticated, but GitHub does not provide shell access.
...
Okay! ssh config reading well.
2) Run from cmd.exe
C:\Users\Alexander Fedorov>ssh.exe -v git#github.com
OpenSSH_4.6p1, OpenSSL 0.9.8e 23 Feb 2007
debug1: Connecting to github.com [207.97.227.239] port 22.
...
debug1: No more authentication methods to try.
Permission denied (publickey).
Nooo. ssh config file is missing...
How... how read config from ssh.exe?
What is probably missing is the user environment variable HOME.
If you launch your DOS session from the git-cmd.bat script packaged with msysgit, it should be defined, and you should see %HOME%\.ssh\id_rsa(.pub)
But from any other DOS windows, HOME isn't defined by default (HOMEPATH or USERPROFILE are).
See also "Fix msysGit Portable $HOME location" as an illustration (but you shouldn't need that workaround with recent versions of msysgit and its git-cmd.bat script)