1

I used the official guide to install Gerrit on a Debian server. Now I am stuck at the paragraph where I am supposed to verify that the ssh connection works:

```
ssh bastian@ip.of.the.server -p 29418       # home PC to server
```

This is my situation: On my home PC I have a user account bastian and I generated a key pair for ssh. On the server there is a root account: root, an account for gerrit: gerrit2, and, again, the account bastian. I added the public key into the web interface of gerrit after logging in with OpenID. On advice I also added the public key to /root/.ssh/authorized_keys and /home/bastian/.ssh/authorized_keys (on the server). Then I created the file /home/gerrit2/.ssh/config/ (on the server) with the content:

```
IdentityFile ~/.ssh/id_rsa
```

Checking the ssh connection verbosely results in:

```
OpenSSH_6.0p1 Debian-3ubuntu1, OpenSSL 1.0.1c 10 May 2012
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to 130.83.160.104 [130.83.160.104] port 29418.
debug1: Connection established.
debug1: identity file /home/bastian/.ssh/id_rsa type 1
debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-2048
debug1: Checking blacklist file /etc/ssh/blacklist.RSA-2048
debug1: identity file /home/bastian/.ssh/id_rsa-cert type -1
debug1: identity file /home/bastian/.ssh/id_dsa type -1
debug1: identity file /home/bastian/.ssh/id_dsa-cert type -1
debug1: identity file /home/bastian/.ssh/id_ecdsa type -1
debug1: identity file /home/bastian/.ssh/id_ecdsa-cert type -1
debug1: Remote protocol version 2.0, remote software version GerritCodeReview_2.5.4 (SSHD-CORE-0.5.1-R1095809)
debug1: no match: GerritCodeReview_2.5.4 (SSHD-CORE-0.5.1-R1095809)
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.0p1 Debian-3ubuntu1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: sending SSH2_MSG_KEXDH_INIT
debug1: expecting SSH2_MSG_KEXDH_REPLY
debug1: Server host key: RSA e9:fc:38:b3:86:f6:72:47:de:79:59:ba:c6:c6:de:7e
debug1: Host '[130.83.160.104]:29418' is known and matches the RSA host key.
debug1: Found key in /home/bastian/.ssh/known_hosts:1
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/bastian/.ssh/id_rsa
debug1: Authentications that can continue: publickey
debug1: Trying private key: /home/bastian/.ssh/id_dsa
debug1: Trying private key: /home/bastian/.ssh/id_ecdsa
debug1: No more authentication methods to try.
Permission denied (publickey).
```
Bastian
  • Why does it say offering public key, but offer up the `id_rsa`, and not the `id_rsa.pub` ? – NickW May 21 '13 at 10:27

3 Answers

4

In your .ssh/config file, what is the IdentityFile line referring to? If it is pointing to the .pub file, you will have issues. Also, where you are being prompted for the password in the log, do you actually have the possibility to enter a password? You may need to use something like ssh-agent.

EDIT: After a lot of double checking and reading through logs and program documentation, we found out that the issue was that the username had not been entered during the initial setup process, which can happen. Unfortunately, the program did not signal this to the user; I've recommended he open a bug with the Gerrit team. BTW, he had created everything correctly on the system for the users, but Gerrit launches its own instance of Open-SSH, and the usernames are contained in the Gerrit DB, not on the system itself.

NickW
  • Also, is `PermitRootLogin` enabled in /etc/ssh/sshd_config? – NickW May 21 '13 at 11:24
  • `~/.ssh/config` does not exist, but `/home/gerrit2/.ssh/config` does and it contains the line `IdentityFile ~/.ssh/id_rsa`. `PermitRootLogin` is actually enabled. – Bastian May 21 '13 at 13:25
  • After each of the `Enter passphrase for key '/root/.ssh/id_rsa':` lines I can enter a password, so that is 3 times altogether. – Bastian May 21 '13 at 13:29
  • Cool, so it isn't accepting the password.. can you recreate the id_rsa without a password? Just as a test obviously.. – NickW May 21 '13 at 13:43
  • I just did and edited the post accordingly. – Bastian May 21 '13 at 17:54
  • Wait, you say you added the public key to id_rsa.pub? Did you add the public id to /home/bastian/.ssh/authorized_keys? – NickW May 22 '13 at 08:53
  • First: there is no path `/home/bastian/[...]`, there is `/home/gerrit2/.ssh` and `/root/.ssh` (= `~/.ssh`) on the server. And I created a key pair on my home computer (where I am the user `bastian`). I added the public key on the remote computer to `/root/.ssh/authorized_keys`. – Bastian May 22 '13 at 12:00
  • Ok, you are connecting as bastian to a server where bastian isn't a user.. try connecting as root. – NickW May 22 '13 at 12:01
  • Connecting as root works (this is already the ssh connection that I use to administer the server). So is it necessary to have separate user accounts for each ssh user? – Bastian May 22 '13 at 12:03
  • 1
    Yes it is, if you're going to connect to the server as a user, that user has to have an account (with password, shell, home directory, etc) on the remote server as well. – NickW May 22 '13 at 12:07
  • So, does it work if you add the bastian user and add the public id to his .ssh/authorized keys? – NickW May 22 '13 at 13:07
  • let us [continue this discussion in chat](http://chat.stackexchange.com/rooms/8879/discussion-between-nickw-and-bastian) – NickW May 22 '13 at 14:19
  • I just corrected the misleading description of this thread and summarized what I thought was relevant. – Bastian May 28 '13 at 10:31
  • So, what user are you logged in as on your home pc, `bastian` correct? On the server, bastian is now a user, is he listed in `/etc/ssh/sshd_config` under Allowed Users ? – NickW May 28 '13 at 10:36
  • I was just looking through the Gerrit documentation again, and I noticed the section on the config stuff, it seems that Gerrit runs its own copy of SSHD, so you've probably done everything correctly in the regular SSHD config, we probably need to confirm that everything is correct for the Gerrit version of SSHD as well. – NickW May 28 '13 at 10:45
  • Yes, `bastian` is my home pc's user name. `AllowUsers` was not there, yet. I added it and it did not change anything. One thing might be important, I guess: If I leave out the port number the connection works. So ssh generally works, just not the gerrit part. – Bastian May 28 '13 at 10:50
  • Yeah, It's all in Gerrit, did you check to ensure the `id_rsa.pub` string you posted in the wizard had no spaces? – NickW May 28 '13 at 10:54
  • Yes, it did not (I just re-checked) - I just used copy & paste. So do you know where the sshd part of Gerrit is? Could it be a file permission related problem? – Bastian May 28 '13 at 10:59
  • let us [continue this discussion in chat](http://chat.stackexchange.com/rooms/8967/discussion-between-nickw-and-bastian) – NickW May 28 '13 at 11:01
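An added example (not part of the original thread, and not Gerrit's own code): a small parser for client-side `ssh -v` output that surfaces the check which resolved this question, namely that port 29418 is answered by Gerrit's own SSH daemon rather than the system sshd. The function name `diagnose` and the finding labels are assumptions made for this illustration; the sample is an excerpt of the log quoted in the question.

```python
import re

# Excerpt of the `ssh -v` output quoted in the question (not the full log).
SAMPLE = """\
debug1: Connecting to 130.83.160.104 [130.83.160.104] port 29418.
debug1: Remote protocol version 2.0, remote software version GerritCodeReview_2.5.4 (SSHD-CORE-0.5.1-R1095809)
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: Authentications that can continue: publickey
debug1: Offering RSA public key: /home/bastian/.ssh/id_rsa
debug1: Authentications that can continue: publickey
debug1: Trying private key: /home/bastian/.ssh/id_dsa
debug1: No more authentication methods to try.
Permission denied (publickey).
"""

def diagnose(log):
    """Summarise a client-side `ssh -v` log and label likely causes of a denial."""
    def first(pattern):
        m = re.search(pattern, log, re.M)
        return m.groups() if m else None

    port = first(r"^debug1: Connecting to \S+ \[[^\]]*\] port (\d+)\.")
    banner = first(r"remote software version (.+)$")
    kex = first(r"^debug1: kex: server->client (\S+) (\S+)")
    offered = re.findall(r"^debug1: Offering (?:\w+ )?public key: (\S+)", log, re.M)
    denied = bool(re.search(r"^Permission denied \(", log, re.M))

    report = {
        "port": int(port[0]) if port else None,
        "server": banner[0].strip() if banner else None,
        "offered_keys": offered,
        "denied": denied,
        "findings": [],
    }
    server = report["server"] or ""
    # A non-OpenSSH banner means system accounts and authorized_keys are not consulted.
    if server and not server.startswith("OpenSSH"):
        report["findings"].append("application-sshd")
    # Key was sent but refused: check the login name and key in the server's account store.
    if denied and offered:
        report["findings"].append("key-rejected-for-login-name")
    if denied and not offered:
        report["findings"].append("no-key-offered")
    # CBC ciphers and hmac-md5 are legacy algorithms worth flagging during review.
    if kex and (kex[0].endswith("-cbc") or kex[1] == "hmac-md5"):
        report["findings"].append("legacy-cipher-or-mac")
    return report
```

For the log in the question, the `application-sshd` finding is the one that matters: the account and key have to exist in Gerrit, not in `/home/bastian/.ssh/authorized_keys`.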
2

Put your id_rsa.pub into ~/.ssh/authorized_keys (/home/bastian/.ssh/authorized_keys).

Remember to:

  • make ~/.ssh directory owned by bastian and chmod it to 700
  • make ~/.ssh/authorized_keys file owned by bastian and chmod it to 600

You can make sure above is correct with:

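```
# note: ">" replaces any existing authorized_keys content
cat id_rsa.pub > /home/bastian/.ssh/authorized_keys
# the directory and key file must belong to the user and be closed to group/other
chown -R bastian /home/bastian/.ssh
chmod -R go-rwx /home/bastian/.ssh
```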

Then use this command to connect:

```
ssh -i id_rsa bastian@localhost -p 29418
```

Mike
  • 1
    @Bastian, @Mike just got to the point, since you are connecting from `root` account to `bastian` account, the key must be authorized to `bastian`. If you happen to try and connect from `bastian` to `bastian`, then you will have to create another set of keys to this user and add a copy of `bastian`'s `id_rsa.pub` into `authorized_keys`. – fboaventura May 23 '13 at 18:22
  • If you read through the comments under mine, we arrived at that a day or so before.. – NickW May 24 '13 at 08:20
0

You should move your id_rsa and your id_rsa.pub under the .ssh directory. That is the default place where the ssh client will be looking for the private key. In your case I see it in the /root directory and it needs to be in /root/.ssh/. If you want to change that default location, you need to modify either your .ssh/config file for local changes to your ssh client settings or /etc/ssh/ssh_config.

Danila Ladner
  • Well I forgot to mention that these files are already in `/root/.ssh/`. So this cannot be the cause. Any other suggestions? – Bastian May 12 '13 at 07:58