Symptom:
[root@web-m data]# git clone ssh://git@gitlab.lixinkuan.com:22022/lxk/core.git
Cloning into 'core'...
git@gitlab.lixinkuan.com's password:
Permission denied, please try again.
git@gitlab.lixinkuan.com's password:
Permission denied, please try again.
git@gitlab.lixinkuan.com's password:
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
fatal: Could not read from remote repository.
Please make sure you have the correct access rights and the repository exists.
The key pair has been created locally and the public key has been added to the user's SSH Keys in GitLab. That procedure was done correctly, yet cloning only works over HTTP by entering the user name and password.
The "Permission denied" in the prompt already points to a permission problem: this account cannot log in over ssh with a password, so whether the password entered is correct or not, ssh answers Permission denied. View the login process in debug mode:
[root@web-m .ssh]# ssh -vT git@gitlab.lixinkuan.com -p 22022
OpenSSH_7.4p1, OpenSSL 1.0.2k-fips 26 Jan 2017
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 58: Applying options for *
debug1: Connecting to gitlab.lixinkuan.com [X.X.X.X] port 22022.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_rsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_rsa-cert type -1
debug1: identity file /root/.ssh/id_dsa type 2
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.4
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
debug1: match: OpenSSH_5.3 pat OpenSSH_5* compat 0x0c000000
debug1: Authenticating to gitlab.lixinkuan.com:22022 as 'git'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: diffie-hellman-group-exchange-sha256
debug1: kex: host key algorithm: ssh-rsa
debug1: kex: server->client cipher: aes128-ctr MAC: umac-64@openssh.com compression: none
debug1: kex: client->server cipher: aes128-ctr MAC: umac-64@openssh.com compression: none
debug1: kex: diffie-hellman-group-exchange-sha256 need=16 dh_need=16
debug1: kex: diffie-hellman-group-exchange-sha256 need=16 dh_need=16
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<3072<8192) sent
debug1: got SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: got SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Server host key: ssh-rsa SHA256:YwKrqd2VsjmqoEdWNtCase8ONV5h0uSbGQEWR18lHd8
debug1: checking without port identifier
The authenticity of host '[gitlab.lixinkuan.com]:22022 ([X.X.X.X]:22022)' can't be established.
RSA key fingerprint is SHA256:YwKrqd2VsjmqoEdWNtCase8ONV5h0uSbGQEWR18lHd8.
RSA key fingerprint is MD5:14:8c:87:8f:b5:15:75:e1:8a:31:a5:61:ce:9d:68:6c.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[gitlab.lixinkuan.com]:22022,[X.X.X.X]:22022' (RSA) to the list of known hosts.
#Refuse here once
debug1: rekey after 4294967296 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey after 4294967296 blocks
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Next authentication method: gssapi-keyex #The next authentication method: gssapi-keyex
debug1: No valid Key exchange context #No valid key exchange context
debug1: Next authentication method: gssapi-with-mic #The next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure. Minor code may provide more information
No Kerberos credentials available (default cache: KEYRING:persistent:0)
debug1: Unspecified GSS failure. Minor code may provide more information
No Kerberos credentials available (default cache: KEYRING:persistent:0)
#Below you can see that every attempt to read the authentication files looks in the /root/.ssh directory. But we are logging in as the gitlab user, so the script is wrong; it should not read the authentication files from here!!!
debug1: Next authentication method: publickey
debug1: Trying private key: /root/.ssh/id_rsa
debug1: Offering DSA public key: /root/.ssh/id_dsa
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Trying private key: /root/.ssh/id_ecdsa
debug1: Trying private key: /root/.ssh/id_ed25519
debug1: Next authentication method: password
git@gitlab.lixinkuan.com's password:
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
Permission denied, please try again.
git@gitlab.lixinkuan.com's password:
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
Permission denied, please try again.
git@gitlab.lixinkuan.com's password:
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: No more authentication methods to try.
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
Because only SSH login has a problem, the cause should be the file permissions of GitLab's SSH function module.
Only the owner has permission to view the key file; neither the group nor others have any permission. The .ssh directory is OK.
[root@gitlab gitlab]# ll -d .ssh/
drwx------ 2 git git 4096 Jul 18 09:29 .ssh/
[root@gitlab gitlab]# ll .ssh/
total 32
-rw------- 1 git git 28332 Oct 16 20:50 authorized_keys
-rw------- 1 git git 0 Oct 16 20:50 authorized_keys.lock
View the gitlab-shell permissions:
[root@gitlab gitlab]# ll -d gitlab-shell/
drwx------ 2 git root 4096 Oct 16 20:46 gitlab-shell/
[root@gitlab gitlab]# ll gitlab-shell/
total 4
-rw-r--r-- 1 root root 1105 Jul 17 12:52 config.yml
[root@gitlab gitlab-shell]# stat config.yml
File: `config.yml'
Size: 1105 Blocks: 8 IO Block: 4096 regular file
Device: fc01h/64513d Inode: 132041 Links: 1
Access: (0644/-rw-r--r--) Uid: ( 0/ root) Gid: ( 0/ root)
Access: 2018-10-16 18:38:47.356925223 +0800
Modify: 2018-07-17 12:52:10.845000022 +0800
Change: 2018-07-17 12:52:10.847000022 +0800
The owner and group of config.yml are both root. After changing them to owner root, group git and restarting the git service, the failure remains.
[root@web-m data]# git clone ssh://git@gitlab.lixinkuan.com:22022/lxk/core.git
Cloning into 'core'...
git@gitlab.lixinkuan.com's password:
Permission denied, please try again.
git@gitlab.lixinkuan.com's password:
Permission denied, please try again.
git@gitlab.lixinkuan.com's password:
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
fatal: Could not read from remote repository.
Please make sure you have the correct access rights and the repository exists.
Then the config.yml permission is changed to the following:
[root@gitlab gitlab-shell]# ll
total 4
-rw-r----- 1 root git 1105 Jul 17 12:52 config.yml
After restarting the service, it returned to normal:
[root@web-m data]# git clone ssh://git@gitlab.lixinkuan.com:22022/lxk/core.git
Cloning into 'core'...
remote: Counting objects: 5943, done.
remote: Compressing objects: 100% (3822/3822), done.
remote: Total 5943 (delta 2054), reused 5916 (delta 2042)
Receiving objects: 100% (5943/5943), 430.32 MiB | 1.28 MiB/s, done.
Resolving deltas: 100% (2054/2054), done.
Checking out files: 100% (8849/8849), done.
The reason for the problem is file permissions. I don't know who changed the permissions of the gitlab-shell configuration file, or whether someone used the root user to copy a configuration file to the GitLab server.
Here, it is theoretically feasible for git to read config.yml through the "other" permission bits. But ssh is so strict about file permissions that it can't be read at all.
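The ownership and mode checks done by hand above, as an added shell example (not part of the original post and not GitLab's own tooling): it compares .ssh, authorized_keys and config.yml under a base directory with the values this page shows once cloning works. The function names, the GIT_USER/GIT_GROUP/CFG_OWNER/CFG_GROUP variables and the base-directory argument are assumptions, and it relies on GNU stat (stat -c).

```shell
#!/bin/sh
# Added example: audit owner, group and mode of the files inspected on this page.
# Requires GNU coreutils stat (stat -c). Variable and function names are assumptions.
GIT_USER=${GIT_USER:-git}     # owner of .ssh and authorized_keys in the listing
GIT_GROUP=${GIT_GROUP:-git}
CFG_OWNER=${CFG_OWNER:-root}  # config.yml after the fix: root:git, mode 640
CFG_GROUP=${CFG_GROUP:-git}

# check_perm PATH MODE OWNER GROUP
# Returns 0 on match, 1 on mismatch, 2 if PATH is missing or stat fails.
check_perm() {
    path=$1
    want="$2 $3 $4"
    if [ ! -e "$path" ]; then
        echo "MISSING  $path"
        return 2
    fi
    have=$(stat -c '%a %U %G' "$path") || return 2
    if [ "$have" = "$want" ]; then
        echo "OK       $path ($have)"
        return 0
    fi
    echo "MISMATCH $path: have '$have', want '$want'"
    return 1
}

# audit_gitlab_ssh BASE
# BASE is the directory that contains .ssh/ and gitlab-shell/.
# Returns the number of paths that failed the check.
audit_gitlab_ssh() {
    base=$1
    failures=0
    check_perm "$base/.ssh" 700 "$GIT_USER" "$GIT_GROUP" || failures=$((failures + 1))
    check_perm "$base/.ssh/authorized_keys" 600 "$GIT_USER" "$GIT_GROUP" || failures=$((failures + 1))
    check_perm "$base/gitlab-shell/config.yml" 640 "$CFG_OWNER" "$CFG_GROUP" || failures=$((failures + 1))
    return "$failures"
}

# Run only when a base directory is given on the command line.
if [ "$#" -gt 0 ]; then
    audit_gitlab_ssh "$1"
fi
```

Run it as root on the GitLab server with the directory from the listings as the argument; a non-zero exit status is the number of paths that differ.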
For reference, the ssh debug-mode output of a normal login to the GitLab server:
[root@web-m core]# ssh -vT git@gitlab.lixinkuan.com -p 22022
OpenSSH_7.4p1, OpenSSL 1.0.2k-fips 26 Jan 2017
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 58: Applying options for *
debug1: Connecting to gitlab.lixinkuan.com [X.X.X.X] port 22022.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_rsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_rsa-cert type -1
debug1: identity file /root/.ssh/id_dsa type 2
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.4
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
debug1: match: OpenSSH_5.3 pat OpenSSH_5* compat 0x0c000000
debug1: Authenticating to gitlab.lixinkuan.com:22022 as 'git'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: diffie-hellman-group-exchange-sha256
debug1: kex: host key algorithm: ssh-rsa
debug1: kex: server->client cipher: aes128-ctr MAC: umac-64@openssh.com compression: none
debug1: kex: client->server cipher: aes128-ctr MAC: umac-64@openssh.com compression: none
debug1: kex: diffie-hellman-group-exchange-sha256 need=16 dh_need=16
debug1: kex: diffie-hellman-group-exchange-sha256 need=16 dh_need=16
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<3072<8192) sent
debug1: got SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: got SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Server host key: ssh-rsa SHA256:YwKrqd2VsjmqoEdWNtCase8ONV5h0uSbGQEWR18lHd8
debug1: Host '[gitlab.lixinkuan.com]:22022' is known and matches the RSA host key.
debug1: Found key in /root/.ssh/known_hosts:1
debug1: rekey after 4294967296 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey after 4294967296 blocks
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure. Minor code may provide more information
No Kerberos credentials available (default cache: KEYRING:persistent:0)
debug1: Unspecified GSS failure. Minor code may provide more information
No Kerberos credentials available (default cache: KEYRING:persistent:0)
debug1: Next authentication method: publickey
debug1: Trying private key: /root/.ssh/id_rsa
debug1: Offering DSA public key: /root/.ssh/id_dsa
debug1: Remote: Forced command: /opt/gitlab/embedded/service/gitlab-shell/bin/gitlab-shell key-77
debug1: Remote: Port forwarding disabled.
debug1: Remote: X11 forwarding disabled.
debug1: Remote: Agent forwarding disabled.
debug1: Remote: Pty allocation disabled.
debug1: Server accepts key: pkalg ssh-dss blen 433
debug1: Remote: Forced command: /opt/gitlab/embedded/service/gitlab-shell/bin/gitlab-shell key-77
debug1: Remote: Port forwarding disabled.
debug1: Remote: X11 forwarding disabled.
debug1: Remote: Agent forwarding disabled.
debug1: Remote: Pty allocation disabled.
debug1: Authentication succeeded (publickey).
Authenticated to gitlab.lixinkuan.com ([X.X.X.X]:22022).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: pledge: network
debug1: Sending environment.
debug1: Sending env LANG = en_US.UTF-8
Welcome to GitLab, Li Xin Kuan!
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug1: client_input_channel_req: channel 0 rtype eow@openssh.com reply 0
debug1: channel 0: free: client-session, nchannels 1
Transferred: sent 3328, received 3664 bytes, in 0.1 seconds
Bytes per second: sent 27166.7, received 29909.5
debug1: Exit status 0