I recently installed the GitLab plugin to my FreeNAS server. The installation went smoothly, and I was able to interact with projects using username and password-based authentication. However, after adding an SSH key for my user, I found that I was not able to communicate with the server. A sample client-side SSH command using the private key whose public pair is shown as registered in the GitLab web UI is as follows:
Wes@DESKTOP-CMPA99A MINGW64 ~
$ ssh -Tv git@192.168.0.50
OpenSSH_7.1p2, OpenSSL 1.0.2h 3 May 2016
debug1: Reading configuration data /c/Users/Wes/.ssh/config
debug1: /c/Users/Wes/.ssh/config line 1: Applying options for 192.168.0.50
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Connecting to 192.168.0.50 [192.168.0.50] port 22.
debug1: Connection established.
debug1: identity file C:/Users/Wes/.ssh/id_ed25519 type 4
debug1: key_load_public: No such file or directory
debug1: identity file C:/Users/Wes/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.1
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.5 FreeBSD-20170903
debug1: match: OpenSSH_7.5 FreeBSD-20170903 pat OpenSSH* compat 0x04000000
debug1: Authenticating to 192.168.0.50:22 as 'git'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client chacha20-poly1305@openssh.com <implicit> none
debug1: kex: client->server chacha20-poly1305@openssh.com <implicit> none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:D5h0p2cG+4CrIay6Ubr09juwtfoMAJmCBlUHs23RHIg
debug1: Host '192.168.0.50' is known and matches the ECDSA host key.
debug1: Found key in /c/Users/Wes/.ssh/known_hosts:1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Offering ED25519 public key: C:/Users/Wes/.ssh/id_ed25519
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: No more authentication methods to try.
Permission denied (publickey,keyboard-interactive).
On the server side, in /var/log/auth.log, each attempt produces the following sequence:
May 15 21:25:36 gitlab sshd[62245]: user git login class [preauth]
May 15 21:25:36 gitlab sshd[62245]: user git login class [preauth]
May 15 21:25:36 gitlab sshd[62245]: Connection closed by authenticating user git 192.168.0.27 port 56635 [preauth]
When investigating the problem, I first discovered this bug report which suggested that the git user may be locked, but this was not the case on my installation. I then saw these two posts [1] [2] which both suggest that the problem may lie with the configuration of the home directory for the user. The plugin post install script appears to set the home directory of the git user to /usr/home/git, as well as creating a .ssh directory for the user - however, on my machine, this directory did not exist, although it did appear to be set as the git user's home directory in the master passwords file. I therefore presumed that the problem lay in GitLab being unable to add entries to the .ssh/authorized_keys file to inform sshd that the added keys are acceptable. I've manually introduced those directories and files, ensured they are owned by the git user and group, and both restarted the GitLab and SSHD services, as well as rebooting the plugin jail and rerunning the entire post install script, to no avail.
I presume that either the failure to initialize the directory in the first instance has resulted in some misconfiguration in GitLab, such that it's not correctly updating the ssh configuration when new keys are added, or that I'm misunderstanding the issue entirely.
Has anyone encountered similar problems, or have any suggestions for what I may want to investigate next?
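A check for the situation described above, as an added example that is not part of the original post: with sshd's default `StrictModes yes`, a key in authorized_keys is ignored unless the home directory, `.ssh` and the file itself are owned by the user (or root) and are not writable by group or others. The function names are hypothetical, and the usage line assumes the `/usr/home/git` path and `git` user from the post.

```shell
#!/bin/sh
# Added example: verifies the ownership and write bits that sshd's StrictModes
# requires on a user's home, ~/.ssh and ~/.ssh/authorized_keys.
# Parses `ls -Lldn` instead of stat(1) so it runs on FreeBSD and Linux alike.
# Usage (assumed path and user from the post): sh check.sh /usr/home/git git

# check_path PATH UID: returns 0 if PATH exists, is owned by UID or root,
# and has no group/other write bit; otherwise prints why and returns 1.
check_path() {
    path=$1 want_uid=$2
    if [ ! -e "$path" ]; then
        echo "MISSING  $path"
        return 1
    fi
    # Fields of `ls -ln`: mode, link count, numeric uid, numeric gid, ...
    info=$(ls -Lldn "$path" | awk '{print $1 " " $3}')
    mode=${info%% *} uid=${info##* }
    rc=0
    if [ "$uid" != "$want_uid" ] && [ "$uid" != 0 ]; then
        echo "OWNER    $path is owned by uid $uid, expected $want_uid or 0"
        rc=1
    fi
    # Characters 6 and 9 of the mode string are the group and other write bits.
    case $(printf '%s' "$mode" | cut -c6,9) in
        *w*) echo "WRITABLE $path ($mode) is group- or world-writable"; rc=1 ;;
    esac
    [ "$rc" -eq 0 ] && echo "OK       $path ($mode, uid $uid)"
    return $rc
}

# check_ssh_chain HOME UID: checks all three paths and reports every problem;
# returns 0 only if the whole chain would pass.
check_ssh_chain() {
    home=$1 want=$2 bad=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        check_path "$p" "$want" || bad=1
    done
    return $bad
}

# Run only when called with a home directory and a user name.
if [ $# -eq 2 ]; then
    check_ssh_chain "$1" "$(id -u "$2")"
fi
```

Run it inside the jail as root; any line other than `OK` names a path sshd would reject before it ever compares the offered key.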