Gerrit with SSH2


Emmanuel Grumbach

Nov 27, 2011, 2:07:09 PM
to Repo and Gerrit Discussion
Hi,

I have a 2.2.1 Gerrit server that runs on an SLES box. All the clients
are Ubuntu and have OpenSSH. I have never had issues with SSH keys
until now.

Now, I want to have Jenkins on the same SLES box, which means that I
need a user for jenkins in Gerrit. This is not a problem at all:
gerrit create-user. But that box doesn't have an OpenSSH client; it
has SSH2, which is a big pain.

To make it easier to debug, I log in with my account (which is not a
batch account, and can use the web UI) and add an SSH key which is in SSH2
format. After modifying the public key file a bit, I could get Gerrit to
accept the public key, but I can't get the authentication working.

Does anybody know SSH2 and how it interacts with Gerrit?
I tried to get debug messages from the SSH client, but couldn't find
anything helpful.

Thoughts?
Thanks

Emmanuel Grumbach
egru...@gmail.com

Emmanuel Grumbach

Nov 27, 2011, 3:21:13 PM
to Repo and Gerrit Discussion
Maybe this can help.

> ssh -vvv MY_US...@X.Y.com -p 29418 gerrit ls-projects
debug: Connecting to X.Y.com, port 29418... (SOCKS not used)
debug: Ssh2Transport/trcommon.c:3823/ssh_tr_create: My version:
SSH-2.0-ReflectionForSecureIT_6.1.2.1 build 3005
debug: client supports 3 auth methods: 'publickey,keyboard-interactive,password'
debug: Ssh2Common/sshcommon.c:497/ssh_common_wrap: local ip = ...,
local port = 52040
debug: Ssh2Common/sshcommon.c:499/ssh_common_wrap: remote ip = ....,
remote port = 29418
debug: SshConnection/sshconn.c:1998/ssh_conn_wrap: Wrapping...
debug: SshReadLine/sshreadline.c:2333/ssh_readline_eloop_initialize:
Initializing ReadLine...
debug: Remote version: SSH-2.0-GerritCodeReview_2.2.1 (SSHD-CORE-0.5.1-R1095809)
debug: Ssh2Transport/trcommon.c:1422/ssh_tr_negotiate: lang s to c:
`', lang c to s: `'
debug: Ssh2Transport/trcommon.c:1488/ssh_tr_negotiate: c_to_s: cipher
aes128-cbc, mac hmac-sha1, compression none
debug: Ssh2Transport/trcommon.c:1491/ssh_tr_negotiate: s_to_c: cipher
aes128-cbc, mac hmac-sha1, compression none
debug: Remote host key found from database.
debug: SshProtoTrKex/trkex.c:564/ssh_kex_keycheck_callback: Signature
didn't match.
debug: Ssh2Common/sshcommon.c:98/ssh_common_disconnect: DISCONNECT
received: Key exchange failed.
debug: SshReadLine/sshreadline.c:2392/ssh_readline_eloop_uninitialize:
Uninitializing ReadLine...
warning: Authentication failed.
Disconnected; key exchange or algorithm negotiation failed (Key
exchange failed.).
debug: Ssh2Common/sshcommon.c:584/ssh_common_destroy: Destroying
SshCommon object.
debug: SshConnection/sshconn.c:2050/ssh_conn_destroy: Destroying SshConn object.

ls ~/.ssh2
authorization hostkeys id_rsa_2048_a id_rsa_2048_a.pub
identification random_seed ssh2_config

> cat authorization
Key id_rsa_2048_a.pub

> cat identification
IdKey id_rsa_2048_a

Emmanuel Grumbach
egru...@gmail.com

Emmanuel Grumbach

Nov 28, 2011, 1:41:37 AM
to Repo and Gerrit Discussion
I can also add my keys in case someone sees a problem in the way I put them into Gerrit:

9> cat ~/.ssh2/id_rsa_2048_a.pub
---- BEGIN SSH2 PUBLIC KEY ----
Subject: egrumbac
Comment: "2048-bit rsa, egrumbac@iapp029, Sun Nov 27 2011 16:23:28 +02\
00"
AAAAB3NzaC1yc2EAAAADAQABAAABAQDc9x72YyHoU6I6GLJdYYZ1oJdThTJE1qWsLvYVQc
AKfAC9q0jqUU4rzbT7Vukr/ZZee6wIUeGhimrZMPMx3ThTyDk6BppglFiHXAL5t+x5FUyR
hVMFZJjxOZABJqsphf+SssL0n8pBoBAvoPKNsLun4LF0s/ft2qQB9WJNgWVwA6ZYN2Nr0R
2ra03Ym/0v3CWQ8TamW3DBSuwohQGcDdvxxiYrbsCv6ajcFsMDjD/twkNyIQ8pOZHIzv4E
n/Nt4JYRMZUk3efhD81NXn8Bh5PWYV53rGLPWnkVFNsJyAqXvE4ZrJClJmH+uc8jY4dU4V
zh5bDIFHKgyudPo5DLLbsj
---- END SSH2 PUBLIC KEY ----

select * from account_ssh_keys where account_id = 1;
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDc9x72YyHoU6I6GLJdYYZ1oJdThTJE1qWsLvYVQcAKfAC9q0jqUU4rzbT7Vukr/ZZee6wIUeGhimrZMPMx3ThTyDk6BppglFiHXAL5t+x5FUyRhVMFZJjxOZABJqsphf+SssL0n8pBoBAvoPKNsLun4LF0s/ft2qQB9WJNgWVwA6ZYN2Nr0R2ra03Ym/0v3CWQ8TamW3DBSuwohQGcDdvxxiYrbsCv6ajcFsMDjD/twkNyIQ8pOZHIzv4En/Nt4JYRMZUk3efhD81NXn8Bh5PWYV53rGLPWnkVFNsJyAqXvE4ZrJClJmH+uc8jY4dU4Vzh5bDIFHKgyudPo5DLLbsj
| Y | 1 | 3 |
Emmanuel Grumbach
egru...@gmail.com
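The manual step described above (turning the "---- BEGIN SSH2 PUBLIC KEY ----" file, RFC 4716 format, into the one-line "ssh-rsa <base64> comment" form that Gerrit stores in account_ssh_keys) is the same conversion that OpenSSH's ssh-keygen -i performs. The following is an added Python example, not code from this thread, from Gerrit or from Apache MINA SSHD: it parses the SSH2 container, folds the backslash-continued Comment header seen in the pasted key, checks that the blob really is a well-formed ssh-rsa key, and emits the OpenSSH line. The sample key is constructed inline with a toy modulus and is not a real key.

```python
import base64
import struct

def build_ssh_rsa_blob(e, n):  # SSH wire format (RFC 4253): string "ssh-rsa", mpint e, mpint n
    def string(b):
        return struct.pack(">I", len(b)) + b
    def mpint(x):  # minimal big-endian bytes, with a leading 0x00 when the high bit is set
        return string(x.to_bytes((x.bit_length() + 8) // 8, "big"))
    return string(b"ssh-rsa") + mpint(e) + mpint(n)

def read_ssh_string(blob, off):
    (n,) = struct.unpack_from(">I", blob, off)  # one length-prefixed SSH string at blob[off]
    return blob[off + 4:off + 4 + n], off + 4 + n  # returns (bytes, next offset)

def parse_rfc4716(text):
    # split an RFC 4716 file into (raw key blob, headers), folding '\'-continued header lines
    lines = text.strip().splitlines()
    if lines[0] != "---- BEGIN SSH2 PUBLIC KEY ----" or lines[-1] != "---- END SSH2 PUBLIC KEY ----":
        raise ValueError("not an RFC 4716 public key file")
    headers, body, i = {}, [], 1
    while i < len(lines) - 1:
        line = lines[i]
        if ":" in line and not body:  # header: ':' never occurs in the base64 body
            name, _, value = line.partition(":")
            while value.endswith("\\"):  # continuation, like the folded Comment in the thread
                i += 1
                value = value[:-1] + lines[i]
            headers[name.strip()] = value.strip()
        else:
            body.append(line.strip())
        i += 1
    return base64.b64decode("".join(body), validate=True), headers

def to_openssh_line(text):
    # RFC 4716 text -> one-line "ssh-rsa <base64> [comment]" (what ssh-keygen -i produces)
    blob, headers = parse_rfc4716(text)
    keytype, off = read_ssh_string(blob, 0)
    for _ in ("e", "n"):  # walk both mpints so a truncated or padded blob is rejected here
        _, off = read_ssh_string(blob, off)
    if keytype != b"ssh-rsa" or off != len(blob):
        raise ValueError("not a well-formed ssh-rsa blob")
    comment = headers.get("Comment", "").strip('"')
    return "ssh-rsa " + base64.b64encode(blob).decode() + (" " + comment if comment else "")

# Constructed sample: toy modulus (not a real key) and a folded Comment header like the thread's
SAMPLE_BLOB = build_ssh_rsa_blob(65537, (0xC0FFEE << 400) | 0xBEEF)
SAMPLE_B64 = base64.b64encode(SAMPLE_BLOB).decode()
SAMPLE_RFC4716 = ("---- BEGIN SSH2 PUBLIC KEY ----\nSubject: jenkins\n"
    'Comment: "toy rsa, jenkins@build01, Sun Nov 27 2011 16:23:28 +02\\\n00"\n'
    + "\n".join(SAMPLE_B64[i:i + 70] for i in range(0, len(SAMPLE_B64), 70))
    + "\n---- END SSH2 PUBLIC KEY ----\n")
```

Running to_openssh_line(SAMPLE_RFC4716) yields a line beginning "ssh-rsa AAAAB3NzaC1yc2EAAAADAQAB", the same prefix as the key pasted above, because every ssh-rsa blob with e=65537 starts with the same wire-format header.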

Emmanuel Grumbach

Nov 28, 2011, 5:22:03 AM
to Repo and Gerrit Discussion

So I kept on trying to see what is happening here, and I could log in
from my SSH2 box to my Ubuntu laptop with the key that Gerrit doesn't
like.
My SSHD: OpenSSH_5.5p1 Debian-4ubuntu5, OpenSSL 0.9.8o 01 Jun 2010

So the SSHD implemented in Gerrit can't cope with a key that the SSHD
on my box can cope with.
Suggestions?

Shawn Pearce

Nov 28, 2011, 1:05:31 PM
to Emmanuel Grumbach, Repo and Gerrit Discussion
On Sun, Nov 27, 2011 at 22:41, Emmanuel Grumbach <egru...@gmail.com> wrote:
> I can also add my keys if someone sees a problem in the way I put it in Gerrit:
>
>
> 9> cat ~/.ssh2/id_rsa_2048_a.pub
> ---- BEGIN SSH2 PUBLIC KEY ----
> Subject: egrumbac
> Comment: "2048-bit rsa, egrumbac@iapp029, Sun Nov 27 2011 16:23:28 +02\
> 00"
> AAAAB3NzaC1yc2EAAAADAQABAAABAQDc9x72YyHoU6I6GLJdYYZ1oJdThTJE1qWsLvYVQc
> AKfAC9q0jqUU4rzbT7Vukr/ZZee6wIUeGhimrZMPMx3ThTyDk6BppglFiHXAL5t+x5FUyR
> hVMFZJjxOZABJqsphf+SssL0n8pBoBAvoPKNsLun4LF0s/ft2qQB9WJNgWVwA6ZYN2Nr0R
> 2ra03Ym/0v3CWQ8TamW3DBSuwohQGcDdvxxiYrbsCv6ajcFsMDjD/twkNyIQ8pOZHIzv4E
> n/Nt4JYRMZUk3efhD81NXn8Bh5PWYV53rGLPWnkVFNsJyAqXvE4ZrJClJmH+uc8jY4dU4V
> zh5bDIFHKgyudPo5DLLbsj
> ---- END SSH2 PUBLIC KEY ----
>
> select * from account_ssh_keys where account_id = 1;
> | ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDc9x72YyHoU6I6GLJdYYZ1oJdThTJE1qWsLvYVQcAKfAC9q0jqUU4rzbT7Vukr/ZZee6wIUeGhimrZMPMx3ThTyDk6BppglFiHXAL5t+x5FUyRhVMFZJjxOZABJqsphf+SssL0n8pBoBAvoPKNsLun4LF0s/ft2qQB9WJNgWVwA6ZYN2Nr0R2ra03Ym/0v3CWQ8TamW3DBSuwohQGcDdvxxiYrbsCv6ajcFsMDjD/twkNyIQ8pOZHIzv4En/Nt4JYRMZUk3efhD81NXn8Bh5PWYV53rGLPWnkVFNsJyAqXvE4ZrJClJmH+uc8jY4dU4Vzh5bDIFHKgyudPo5DLLbsj
>                             | Y     |          1 |   3 |

Perhaps this is stupid, but did you try putting a comment into the
public key field, to make it have the form "ssh-rsa
AAAAB3N...Po5DLLbsj egrumbac"? This shouldn't matter, the comment
after the key data is supposed to be optional.

Have you tried generating the key pair using OpenSSH keygen and
converting the key over to the SSH2 format? OpenSSH's keygen has a
flag to convert the key. I wonder if it's just something strange about
the key material that makes this hard to work with.

I can't test/debug Apache MINA SSHD against the commercial SSH2
clients, as neither I nor anyone I know uses it. Pretty much everyone has
standardized their environments around OpenSSH. You may want to try
contacting the Apache MINA SSHD project[1] about the SSH2
compatibility.

[1] http://mina.apache.org/sshd/

Emmanuel Grumbach

Nov 28, 2011, 4:27:00 PM
to Shawn Pearce, Repo and Gerrit Discussion
Thanks for the reply Shawn,

>
> Perhaps this is stupid, but did you try putting a comment into the
> public key field, to make it have the form "ssh-rsa
> AAAAB3N...Po5DLLbsj egrumbac"? This shouldn't matter, the comment
> after the key data is supposed to be optional.

Well... it didn't work.

> Have you tried generating the key pair using OpenSSH keygen and
> converting the key over to the SSH2 format? OpenSSH's keygen has an
> flag to convert the key. I wonder if its just something strange about
> the key material that makes this hard to work with.

Actually, I couldn't make OpenSSH create an SSH2 key. I created the key
with OpenSSH in its native format and converted it with SSH2's keygen.
That didn't work either.

>
> I can't test/debug Apache MINA SSHD against the commercial SSH2
> clients, as I nor anyone I know uses it. Pretty much everyone has
> standardized their environments around OpenSSH.

Yes but I can't choose... *sigh*

> You may want to try
> contacting the Apache MINA SSHD project[1] about the SSH2
> compatibility.
>
> [1] http://mina.apache.org/sshd/
>

Sent a mail to their ML. Will keep you informed for the next generations...

Emmanuel Grumbach

Dec 6, 2011, 1:21:10 AM
to Shawn Pearce, Repo and Gerrit Discussion
>
>> You may want to try
>> contacting the Apache MINA SSHD project[1] about the SSH2
>> compatibility.
>>

Did that, and they wanted me to set an SSHD up and add debug flags
etc. While this is completely understandable, I didn't have the time to do
it. Moreover, I just noticed (stupid of me) that Jenkins actually uses
its embedded SSH client and not the ssh client installed on the
system. This means that I just needed to create an OpenSSH key pair
on another machine, copy the key pair to my "SSH2 machine" and let
Jenkins use it :-)

So, I still don't know how to make Gerrit work with SSH2 keys, but now
I just don't need to anymore.

Emmanuel Grumbach

Jun 29, 2012, 2:05:54 AM
to Holger Abel, repo-d...@googlegroups.com, Shawn Pearce
> Dear Emmanuel and Shawn,
>
> This thread is old but it was incredibly useful (along with this post by Jason), so I wanted to help back by providing you with the resolution to the problem described by Emmanuel, assuming you don't go the Jenkins way (using Jenkins' OpenSSH client).

Thanks for that!

If one day I am able to spread the good word to our Windows folks, we now have a solution :-)