After checking permissions on $HOME and .ssh and running recommended commands am still having trouble getting ssh localhost to work without password. Below is edited history of my commands and output from ssh -vvv localhost. It is failing to load id_rsa and I can not figure out why. Running on Max OSX yosemite 10.10.5
java version "1.8.0_66"
Java(TM) SE Runtime Environment (build 1.8.0_66-b17)
Java HotSpot(TM) 64-Bit Server VM (build 25.66-b17, mixed mode)
I have remote login enabled from preferences.
zak-keirns-imac:~ zak$ ls -l .ssh
total 40
-rw------- 1 zak staff 2252 Dec 13 12:28 authorized_keys
-rw------- 1 zak staff 668 Dec 13 12:28 id_dsa
-rw-r--r-- 1 zak staff 615 Dec 13 12:28 id_dsa.pub
-rw------- 1 zak staff 1679 Dec 13 11:28 id_rsa
-rw-r--r-- 1 zak staff 407 Dec 13 11:28 id_rsa.pub
zak-keirns-imac:~ zak$ ssh-keygen -t dsa -P '' -f ~/.ssh/id_dsa
Generating public/private dsa key pair.
/Users/zak/.ssh/id_dsa already exists.
Overwrite (y/n)? y
Your identification has been saved in /Users/zak/.ssh/id_dsa.
Your public key has been saved in /Users/zak/.ssh/id_dsa.pub.
zak-keirns-imac:~ zak$ cat ~/.ssh/id_dsa.pub >> ~/.ssh/authorized_keys
zak-keirns-imac:~ zak$ ssh -vvv localhost
OpenSSH_6.2p2, OSSLShim 0.9.8r 8 Dec 2011
debug1: Reading configuration data /etc/ssh_config
debug1: /etc/ssh_config line 20: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to localhost [::1] port 22.
debug1: Connection established.
debug3: Incorrect RSA1 identifier
debug3: Could not load "/Users/zak/.ssh/id_rsa" as a RSA1 public key
debug1: identity file /Users/zak/.ssh/id_rsa type 1
debug1: identity file /Users/zak/.ssh/id_rsa-cert type -1
debug3: Incorrect RSA1 identifier
debug3: Could not load "/Users/zak/.ssh/id_dsa" as a RSA1 public key
debug1: identity file /Users/zak/.ssh/id_dsa type 2
debug1: identity file /Users/zak/.ssh/id_dsa-cert type -1
more output:
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.2
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.2
debug1: match: OpenSSH_6.2 pat OpenSSH*
debug2: fd 5 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
....
debug2: kex_parse_kexinit: none,zlib#openssh.com
debug2: kex_parse_kexinit: none,zlib#openssh.com
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: found hmac-md5-etm#openssh.com
debug1: kex: server->client aes128-ctr hmac-md5-etm#openssh.com none
debug2: mac_setup: found hmac-md5-etm#openssh.com
debug1: kex: client->server aes128-ctr hmac-md5-etm#openssh.com none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 135/256
debug2: bits set: 508/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Server host key: RSA 02:f8:78:65:22:75:23:44:c4:82:2a:8f:73:4b:f5:6a
The authenticity of host 'localhost (::1)' can't be established.
RSA key fingerprint is 02:f8:78:65:22:75:23:44:c4:82:2a:8f:73:4b:f5:6a.
Are you sure you want to continue connecting (yes/no)? no
Host key verification failed.
debug1: identity file /Users/zak/.ssh/id_rsa type 1
This line tells you that the identity was loaded successfully.
debug3: Could not load "/Users/zak/.ssh/id_rsa" as a RSA1 public key
This is just low-level notice, that the old key type was not recognized. This part is there for some historic reasons and is a bit confusing, but it is NOT an error, just debug3-level note.
The authenticity of the host is something totally different. The keys you generated are used for authentication, but the authenticity is assured by host keys.
If you wan to make sure that you are connecting to right host, copy the public hostkey from server to your ~/.ssh/known_hosts using different secure channel and you will not see this message again.
ssh does not give special status to localhost; it is treated as just another host. Before ssh will connect to a host, it wants to know that it is connecting to the correct host. There is no way for ssh to be able to answer this a priori. You need to verify the host key and confirm it for ssh. At that time, ssh will save it in your known_hosts file. As Jakuje pointed out, you can also copy the key to this file manually.
For localhost, verifying the key is a little easier because it can be found locally in /etc/ssh/ssh_host_rsa_key.pub (on Red Hat-like systems; location will vary on other OS). Once you identify the host key file, you can get its fingerprint with:
ssh-keygen -l -f /path/to/host_key.pub
When you are asked to verify the host key, you can say yes if the fingerprint presented matches the one you computed.
When connecting to a host for the first time, you should determine the host's key fingerprint in advance; this is more challenging with remote hosts. The reality is that most people do not do this, but it is the correct thing to do.
Related
When I try to connect using Windows ssh to Windows OpenSSH server using a private key, ssh still ask for password.
I have installed OpenSSH by adding OpenSSH Server Windows additional capabilites.
I started manually the OpenSSH SSH Server Windows service using Windows service management console.
Then I created a public/private key pair using ssh-keygen -t ed255519
I have copied the public key in clientssh account .ssh directory with:
PS C:\Users\user> ssh clientssh#127.0.0.1 mkdir C:\Users\clientssh\.ssh\
The authenticity of host '127.0.0.1 (127.0.0.1)' can't be established.
ECDSA key fingerprint is SHA256:FD9uvvMTBBDMF3jkzZTMEk7iUImY/a7oZRe+wwusCN4.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '127.0.0.1' (ECDSA) to the list of known hosts.
clientssh#127.0.0.1's password:
PS C:\Users\user> scp .ssh\id_ed25519.pub clientssh#127.0.0.1:C:\Users\clientssh\.ssh\authorized_keys
clientssh#127.0.0.1's password:
id_ed25519.pub 100% 103 51.5KB/s 00:00
And then when I try to connect to clientssh account I am asked the password of the private key which shows that ssh has found it, that it succeeded to uncrypt it (no requested again) but then the key seems to be ignored because I am also requested the clientssh password.
PS C:\Users\user> ssh -v clientssh#127.0.0.1 dir .ssh
OpenSSH_for_Windows_8.1p1, LibreSSL 3.0.2
debug1: Connecting to 127.0.0.1 [127.0.0.1] port 22.
debug1: Connection established.
debug1: identity file C:\\Users\\user/.ssh/id_rsa type -1
debug1: identity file C:\\Users\\user/.ssh/id_rsa-cert type -1
debug1: identity file C:\\Users\\user/.ssh/id_dsa type -1
debug1: identity file C:\\Users\\user/.ssh/id_dsa-cert type -1
debug1: identity file C:\\Users\\user/.ssh/id_ecdsa type -1
debug1: identity file C:\\Users\\user/.ssh/id_ecdsa-cert type -1
debug1: identity file C:\\Users\\user/.ssh/id_ed25519 type -1
debug1: identity file C:\\Users\\user/.ssh/id_ed25519-cert type -1
debug1: identity file C:\\Users\\user/.ssh/id_xmss type -1
debug1: identity file C:\\Users\\user/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_for_Windows_8.1
debug1: Remote protocol version 2.0, remote software version OpenSSH_for_Windows_8.1
debug1: match: OpenSSH_for_Windows_8.1 pat OpenSSH* compat 0x04000000
debug1: Authenticating to 127.0.0.1:22 as 'clientssh'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1305#openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305#openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:FD9uvvMTBBDMF3jkzZTMEk7iUImY/a7oZRe+wwusCN4
debug1: Host '127.0.0.1' is known and matches the ECDSA host key.
debug1: Found key in C:\\Users\\user/.ssh/known_hosts:1
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 134217728 blocks
debug1: pubkey_prepare: ssh_get_authentication_socket: No such file or directory
debug1: Will attempt key: C:\\Users\\user/.ssh/id_rsa
debug1: Will attempt key: C:\\Users\\user/.ssh/id_dsa
debug1: Will attempt key: C:\\Users\\user/.ssh/id_ecdsa
debug1: Will attempt key: C:\\Users\\user/.ssh/id_ed25519
debug1: Will attempt key: C:\\Users\\user/.ssh/id_xmss
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Trying private key: C:\\Users\\user/.ssh/id_rsa
debug1: Trying private key: C:\\Users\\user/.ssh/id_dsa
debug1: Trying private key: C:\\Users\\user/.ssh/id_ecdsa
debug1: Trying private key: C:\\Users\\user/.ssh/id_ed25519
debug1: read_passphrase: can't open /dev/tty: No such file or directory
Enter passphrase for key 'C:\Users\user/.ssh/id_ed25519':
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Trying private key: C:\\Users\\user/.ssh/id_xmss
debug1: Next authentication method: keyboard-interactive
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: password
debug1: read_passphrase: can't open /dev/tty: No such file or directory
clientssh#127.0.0.1's password:
debug1: Authentication succeeded (password).
Authenticated to 127.0.0.1 ([127.0.0.1]:22).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions#openssh.com
debug1: Entering interactive session.
debug1: pledge: network
debug1: client_input_global_request: rtype hostkeys-00#openssh.com want_reply 0
debug1: Sending command: dir .ssh
Le volume dans le lecteur C n'a pas de nom.
Le numéro de série du volume est FA33-B148
Répertoire de C:\Users\clientssh\.ssh
22/08/2022 16:38 <DIR> .
22/08/2022 16:38 <DIR> ..
22/08/2022 16:38 103 authorized_keys
1 fichier(s) 103 octets
2 Rep(s) 54860242944 octets libres
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug1: channel 0: free: client-session, nchannels 1
Transferred: sent 2136, received 3084 bytes, in 0.1 seconds
note: I fixed few invalid code page characters in above capture.
I read the other topics close to this one but either they are not applicable because Linux oriented or because there is no real solution. The only thing I get from them is the idea to use -v on ssh. Though this does not helped me a lot...
I finally found Windows OpenSSH troubleshooting documentation that is located on GitHub (not on traditional Microsoft site!):
https://github.com/PowerShell/Win32-OpenSSH/wiki/Troubleshooting-Steps
As explained in that documentation, I added the DEBUG3 log level to OpenSSH server configuration file (lower debug levels do not reveal the issue). And I found that the access to authorization file in clientssh account was authorized for user account.
16004 2022-08-24 10:01:54.598 debug1: trying public key file C:\\Users\\clientssh\\.ssh/authorized_keys
16004 2022-08-24 10:01:54.599 debug3: Bad permissions. Try removing permissions for user: DESKTOP-N2I2AHF\\user (S-1-5-21-2546763314-2673200902-885207948-1001) on file C:/Users/clientssh/.ssh/authorized_keys.
16004 2022-08-24 10:01:54.599 Authentication refused.
This was surprising because I copied the file using ssh.
But I finally understood how the access rights have been corrupted: I had verified with the user account that the authorized file had been correctly copied. This was possible because user account has administrative privileges. And it appears that when you ask to access to a directory you normally have no access rights, instead of impersonating administrator to get the rights, the Explorer modifies the directory access rights to give you permanent access to the directory!
Removing user access to clientssh account allows OpenSSH to work properly.
Using my current MacBook, at previous companies I've been able to ssh to EC2 instances. At the new company, which has EC2 instances running Centos 6, which is running an old version of OpenSSL, (an old version of libssl) I cannot seem to ssh. I always get:
Permission denied (publickey).
So, for instance, on one server, the devops engineer installed my ssh public key, and they white listed my home IP address.
They sent me this block of text, which I put in my ~/.ssh/config file.
Host never_dev
HostName neverstaydev.com
User neverst
IdentityFile ~/.ssh/id_ed25519
Host beta
HostName 12.18.125.53
User neverst
IdentityFile ~/.ssh/id_ed25519
The only thing I changed was the name of the key, which is correct. But if I try this:
ssh -v never_dev
I get:
OpenSSH_8.1p1, LibreSSL 2.7.3
debug1: Reading configuration data /Users/admin/.ssh/config
debug1: /Users/admin/.ssh/config line 1: Applying options for never_dev
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 47: Applying options for *
debug1: Connecting to neverstaydev.com port 22.
debug1: Connection established.
debug1: identity file /Users/admin/.ssh/id_ed25519 type 3
debug1: identity file /Users/admin/.ssh/id_ed25519-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
debug1: match: OpenSSH_5.3 pat OpenSSH_5* compat 0x0c000002
debug1: Authenticating to neverstaydev.com:22 as 'neverst'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: diffie-hellman-group-exchange-sha256
debug1: kex: host key algorithm: ssh-rsa
debug1: kex: server->client cipher: aes128-ctr MAC: umac-64#openssh.com compression: none
debug1: kex: client->server cipher: aes128-ctr MAC: umac-64#openssh.com compression: none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(2048<3072<8192) sent
debug1: got SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: got SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Server host key: ssh-rsa SHA256:UJ9EFg/QTnxCP+/9/P8b+jSpKozY1IbaN3M5jOoz8e0
debug1: Host 'neverstaydev.com' is known and matches the RSA host key.
debug1: Found key in /Users/admin/.ssh/known_hosts:24
debug1: rekey out after 4294967296 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 4294967296 blocks
debug1: Will attempt key: /Users/admin/.ssh/id_ed25519 ED25519 SHA256:fBRwhBVpzb6ve5cDwmMS1R0UlhzSaVg9E62WW7riRZA explicit
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering public key: /Users/admin/.ssh/id_ed25519 ED25519 SHA256:fBRwhBVpzb6ve5cDwmMS1R0UlhzSaVg9E62WW7riRZA explicit
debug1: Authentications that can continue: publickey
debug1: No more authentication methods to try.
neverst#neverstaydev.com: Permission denied (publickey).
All of the developers are sharing one account on this EC2 instance, and everyone else can log in, except me. But my IP address has been whitelisted, since, as you can see above, my machine engages in dialogue with the EC2 instance.
I've tried different permissions on the private key, both 0400 and 0600. That has no effect.
Likewise, they have AMIs based on these machines, so I spun up a new EC2 instance based on the AMI, creating a new key pair. I then tried to ssh to the new EC2 instance, using the new key pair. But still the same problem:
Permission denied (publickey)
What might cause this?
The devops engineer suggested that I do:
ssh-keygen -t rsa -b 4096 -C "neverstay-key"
Now, and then I gave them my public key, which they installed on their side, and now when I try to ssh to the server, I get:
ssh-keygen -t rsa -b 4096 -C "lawarance-futurestay-key"
I have just set up my own gitea service on the Ubuntu server (the server is run with user gitea). The following steps have been done:
generate ssh key on my windows pc, and store at C:\Users<user_name>\.ssh, namely id_rsa_gitea and id_rsa_gitea.pub
copy and set the public key on my gitea account setting page
There are existing key files for my GitHub account in the directory, namely id_rsa and id_rsa.pub. I modified the file config in the same directory as
Host github.com
HostName github.com
User git
IdentityFile C:/Users/<user_name>/.ssh/id_rsa
IdentitiesOnly yes
Host 192.168.200.101
HostName 192.168.200.101
User gitea
IdentityFile C:/Users/<user_name>/.ssh/id_rsa_gitea
IdentitiesOnly yes
Pushing to GitHub works fine. But when I try to push to gitea, it gets
$ git push -u origin master
gitea#192.168.200.101's password:
Permission denied, please try again.
gitea#192.168.200.101's password:
Permission denied, please try again.
gitea#192.168.200.101's password:
\302\226gitea#192.168.200.101: Permission denied (publickey,password).
fatal: Could not read from remote repository.
Please make sure you have the correct access rights
and the repository exists.
I have tested the ssh connection in the git bash console with ssh -v gitea#192.168.200.101, and gets
OpenSSH_7.6p1, OpenSSL 1.0.2m 2 Nov 2017
debug1: Reading configuration data /c/Users/admin/.ssh/config
debug1: /c/Users/admin/.ssh/config line 26: Applying options for 192.168.200.101
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Connecting to 192.168.200.101 [192.168.200.101] port 22.
debug1: Connection established.
debug1: identity file C:/Users/admin/.ssh/id_rsa_gitea type 0
debug1: key_load_public: No such file or directory
debug1: identity file C:/Users/admin/.ssh/id_rsa_gitea-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_7.6
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.2p2 Ubuntu-4ubuntu2.10
debug1: match: OpenSSH_7.2p2 Ubuntu-4ubuntu2.10 pat OpenSSH* compat 0x04000000
debug1: Authenticating to 192.168.200.101:22 as 'gitea'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256#libssh.org
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: aes128-ctr MAC: umac-64-etm#openssh.com compression: none
debug1: kex: client->server cipher: aes128-ctr MAC: umac-64-etm#openssh.com compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:YqpRDueradBcei52m4ahex5DgTOwI3QvgJohoZSMzTs
debug1: Host '192.168.200.101' is known and matches the ECDSA host key.
debug1: Found key in /c/Users/admin/.ssh/known_hosts:23
debug1: rekey after 4294967296 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey after 4294967296 blocks
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<rsa-sha2-256,rsa-sha2-512>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering public key: RSA SHA256:DCCnO6UzUiXYhZiNxeaS4SV05fIUZhHK/ZGDPPI6cwc C:/Users/admin/.ssh/id_rsa_gitea
debug1: Server accepts key: pkalg rsa-sha2-512 blen 535
debug1: Authentication succeeded (publickey).
Authenticated to 192.168.200.101 ([192.168.200.101]:22).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions#openssh.com
debug1: Entering interactive session.
debug1: pledge: network
debug1: client_input_global_request: rtype hostkeys-00#openssh.com want_reply 0
debug1: Remote: Forced command.
debug1: Remote: Port forwarding disabled.
debug1: Remote: X11 forwarding disabled.
debug1: Remote: Agent forwarding disabled.
debug1: Remote: PTY allocation disabled.
debug1: Remote: Forced command.
debug1: Remote: Port forwarding disabled.
debug1: Remote: X11 forwarding disabled.
debug1: Remote: Agent forwarding disabled.
debug1: Remote: PTY allocation disabled.
PTY allocation request failed on channel 0
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug1: client_input_channel_req: channel 0 rtype eow#openssh.com reply 0
debug1: channel 0: free: client-session, nchannels 1
Connection to 192.168.200.101 closed.
Transferred: sent 3720, received 3624 bytes, in 0.2 seconds
Bytes per second: sent 15126.0, received 14735.7
debug1: Exit status 1
I've tried multiple variations of this, but none of them seem to work. Any ideas?
Update: Push with http works fine. I switched back to ssh and tried to push again, now I get:
Pushing to gitea#192.168.200.101:guanhuizhe/example-repo.git
fatal: Could not read from remote repository.
Please make sure you have the correct access rights
and the repository exists.
During this push the sshd log of the ubuntu server is:
Oct 16 18:08:29 DataStorage2 sshd[29981]: Accepted publickey for gitea from 192.168.200.141 port 14967 ssh2: RSA SHA256:DCCnO6UzUiXYhZiNxeaS4SV05fIUZhHK/ZGDPPI6cwc
Oct 16 18:08:29 DataStorage2 sshd[29981]: pam_unix(sshd:session): session opened for user gitea by (uid=0)
Oct 16 18:08:29 DataStorage2 sshd[30017]: Received disconnect from 192.168.200.141 port 14967:11: disconnected by user
Oct 16 18:08:29 DataStorage2 sshd[30017]: Disconnected from 192.168.200.141 port 14967
Oct 16 18:08:29 DataStorage2 sshd[29981]: pam_unix(sshd:session): session closed for user gitea
Update v2:
The problem is caused by the Ubuntu user I used to run the gitea binary. This user does not have shell. I delete the user and configure a normal user. Everything works fine. Thanks for every one!!
\302\226gitea#192.168.200.101 means the origin in the local git config file .git/config is not gitea, but <START OF GUARDED AREA>gitea.
You can change your Host entry (in ~/.ssh/config) with "gitea" (easier to type than 192.168.200.101)
Test it with:
ssh -Tv gitea
Check also the ~gitea/.ssh/authorized_keys file, to ensure the public key has been added by gitea, and is in a SSH forced command line.
You should see something like:
command="/path/to/gitea --config='/path/to/app.ini' serv key-2",\
no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty \
ssh-rsa <yourPublicKey>
If you want to use your ~/.ssh/config entry, then you will need to change your remote:
cd /path/to/repo
git remote set-url origin gitea:<me>/myrepo
I'm using -oBatchMode=yes to suppress the interactive password, in case the keys are misconfigured.
I've used 'diff' to compare the debug output, and there's no change until 'Server accepts key: pkalg ssh-rsa blen 279', where the next line is either 'Authentication succeeded' or trying more private keys.
From the script and from the command-line, running without batch mode results in a successful login:
$ ssh -v qa#192.168.19.81 uptime
.
.
Warning: Permanently added '192.168.19.81' (ECDSA) to the list of known hosts.
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /Users/tim/.ssh/id_rsa
debug1: Server accepts key: pkalg ssh-rsa blen 279
--- things change from here
debug1: Authentication succeeded (publickey).
Authenticated to 192.168.19.81 ([192.168.19.81]:22).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions#openssh.com
debug1: Entering interactive session.
debug1: pledge: network
debug1: client_input_global_request: rtype hostkeys-00#openssh.com want_reply 0
debug1: Requesting authentication agent forwarding.
debug1: Sending command: uptime
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug1: client_input_channel_req: channel 0 rtype eow#openssh.com reply 0
13:24 up 3 days, 3:04, 2 users, load averages: 1.76 1.62 1.61
debug1: channel 0: free: client-session, nchannels 1
Transferred: sent 2768, received 3080 bytes, in 0.0 seconds
Bytes per second: sent 129171.8, received 143731.6
debug1: Exit status 0
But the same fails with -oBatchMode=yes:
$ ssh -v -oBatchMode=yes qa#192.168.19.81 uptime
OpenSSH_7.4p1, LibreSSL 2.5.0
.
.
debug1: Offering RSA public key: /Users/tim/.ssh/id_rsa
debug1: Server accepts key: pkalg ssh-rsa blen 279
--- things change from here
debug1: Trying private key: /Users/tim/.ssh/id_dsa
debug1: Trying private key: /Users/tim/.ssh/id_ecdsa
debug1: Trying private key: /Users/tim/.ssh/id_ed25519
debug1: No more authentication methods to try.
Permission denied (publickey,password,keyboard-interactive).
$
Remote machine:
Darwin qa-ffc-mbp-2.lnd 16.7.0 Darwin Kernel Version 16.7.0: Thu Jun 15 17:36:27 PDT 2017; root:xnu-3789.70.16~2/RELEASE_X86_64 x86_64
My machine:
Darwin TimBs-MacBook-Pro-3483.local 16.6.0 Darwin Kernel Version 16.6.0: Fri Apr 14 16:21:16 PDT 2017; root:xnu-3789.60.24~6/RELEASE_X86_64 x86_64
update: I copied the id_rsa and id_rsa.pub from an account that doesn't have this problem, and it started working. But my id_rsa.pub is correctly listed in the target machine's authorized_keys. I even regenerated my public key from the private one, in case it had become corrupted. No dice. I'm reluctant to change my key for obvious reasons.
You can try adding these lines to your ~/.ssh/config file:
Host *
UseKeychain yes
AddKeysToAgent yes
Seems Apple's integration of keychain is disabled by BatchMode=yes
If I eval $(ssh-agent) and ssh-add my identity, everything works.
The reason the other account's key worked was because it had an empty passphrase.
I am in the process of installing the latest version of gitolite on an osx mountain lion server. I set it up under it's own 'git' user account and followed the instructions here: https://github.com/sitaramc/gitolite
I am getting stuck in trying to check-out the gitolite-admin repo from the server on my workstation. I run this command:
git clone git#gitserver:gitolite-admin
but get this in return:
Cloning into 'gitolite-admin'...
Connection closed by gitserver
fatal: Could not read from remote repository.
Please make sure you have the correct access rights
and the repository exists.
It seems that I got the SSH set-up correctly because it's not asking for a PWD but I am stuck on where to look to try to debug the problem.
Thanks,
Grant
result from ssh -v
OpenSSH_5.9p1, OpenSSL 0.9.8r 8 Feb 2011
debug1: Reading configuration data /etc/ssh_config
debug1: /etc/ssh_config line 20: Applying options for *
debug1: Connecting to gitserver [gitserver] port 22.
debug1: Connection established.
debug1: identity file /Users/xxx/.ssh/id_rsa type 1
debug1: identity file /Users/xxx/.ssh/id_rsa-cert type -1
debug1: identity file /Users/xxx/.ssh/id_dsa type -1
debug1: identity file /Users/xxx/.ssh/id_dsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.9
debug1: match: OpenSSH_5.9 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.9
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Server host key: RSA xxxxx
debug1: Host 'gitserver' is known and matches the RSA host key.
debug1: Found key in /Users/xxx/.ssh/known_hosts:5
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /Users/xxx/.ssh/id_rsa
debug1: Server accepts key: pkalg ssh-rsa blen 279
debug1: read PEM private key done: type RSA
Connection closed by gitserver
Looks OK here unless I am missing some detail.
I had a similar issue configuring a bare git repo in mountain lion. I uncommented the following lines of /etc/sshd_config:
PubkeyAuthentication yes
PermitUserEnvironment yes
The last one was related to the missing PATH error in .ssh/environment, but the first one was the one that allowed connections from ie. msysgit.
PS (edit): In the case of msysgit, I also setup the SSH agent (eval $(ssh-agent) && ssh-add) with OpenSSH key imported in pageant (as my GIT_SSH=path_to_plink). That did the trick.
On osx server, at least since 2015, also enable ssh access explicitly for the repository owner. In my case I have my server configured to allow only a few users. This caused very similar problems like you had.