gerrit peer host key ring?


shaheen

Apr 22, 2012, 4:46:05 PM
to repo-d...@googlegroups.com
The suexec documentation mentions Gerrit's peer host key ring. What does this mean? I understand the use of the host key itself, but how do I get Gerrit to trust access from a different machine without using the same key on both of them?

Shawn Pearce

Apr 22, 2012, 9:19:22 PM
to shaheen, repo-d...@googlegroups.com

It's just a text file in $SITE_PATH/etc/peer_keys in the OpenSSH
authorized_keys file format, that is, one public key per line.

shaheen

Apr 26, 2012, 8:14:24 PM
to repo-d...@googlegroups.com, shaheen
Thanks for the clarification. I've added the public key in etc/peer_keys and restarted Gerrit. I have to assume that Gerrit actually read it.

I tried logging in using the private key as Gerrit Code Review and I wasn't able to do so. Here's the command I tried. Should I have expected this to work?

ssh -v -p 29418 -l "Gerrit Code Review" -i /tmp/gerrit_peer_key localhost
debug1: Next authentication method: publickey
debug1: Offering public key: /tmp/gerrit_peer_key
debug1: Authentications that can continue: publickey
debug1: No more authentication methods to try.
Permission denied (publickey).

Shawn Pearce

Apr 26, 2012, 8:29:44 PM
to shaheen, repo-d...@googlegroups.com
On Thu, Apr 26, 2012 at 17:14, shaheen <visi...@gmail.com> wrote:
> thanks for the clarification.  i've added the public key in etc/peer_keys
> and restarted gerrit.  i have to assume that gerrit actually read it.

No restart was necessary; the server will re-read the file any time an
authentication attempt is made for user "Gerrit Code Review" and
the file's mtime is more recent than the last time it read the file.

> i tried logging in using the private key as Gerrit Code Review and i wasn't
> able to do so.  here's the command i tried.  should i have expected this to
> work?
>
> ssh -v -p 29418 -l "Gerrit Code Review" -i /tmp/gerrit_peer_key localhost
> debug1: Next authentication method: publickey
> debug1: Offering public key: /tmp/gerrit_peer_key
> debug1: Authentications that can continue: publickey
> debug1: No more authentication methods to try.
> Permission denied (publickey).

Hmm. That should have worked. Are you sure you put the correct public
key into the etc/peer_keys file?

Shaheen Gandhi

Apr 26, 2012, 9:36:09 PM
to repo-d...@googlegroups.com
Yup; I did a diff (it's the only key in that file in my test setup).

I was running Gerrit inside a debugger, so I stopped it in Eclipse and
ran it from the command line so that there were no unexpected working
directory issues, and I still ran into the problem.

~s

Shaheen Gandhi

Apr 27, 2012, 7:59:03 PM
to repo-d...@googlegroups.com
I tail -f'd the error log and found the root cause, though I don't
know the solution. Anyone know the best way to fix this?

[2012-04-27 16:54:44,088] WARN
com.google.gerrit.sshd.DatabasePubKeyAuth : Invalid key in
/var/lib/gerrit2/slayer/etc/peer_keys:
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAyzA/IrK8YXgZZTCYceRxi0ttukVe4Fy9sOgHgtytxo4dz8Weyrm2L7e1qZEVJZrELJKbQ7CQXMt+FmhnW8bOD2S00RlwIy9eLA71eCGQF+7dSlVAzdJZovsGVVdXgSOSmjTwIpKU0SAguVFcwD1axrZk+4fn1ddX2Dyt1xwWTBi4D6GUY56Pg7Iqu8myFt6565sGiT7f6FYpYqI26CWGQBPAv4Q9gIIdAiEuJfVr7K4/Lq8z40HcSpLEFu5kdlckJYwWTYDlJxr2XyvASNWlZU2DMTXYSPlxgWKKtGK/EEr4YNCOR8MN7RVjNZbAArsrAWJDCq4JHNlvRVnQQmyk9w==
user@host
java.lang.IllegalStateException: Bad item length: -1295483218
at org.apache.sshd.common.util.Buffer.getString(Buffer.java:176)
at org.apache.sshd.common.util.Buffer.getRawPublicKey(Buffer.java:230)
at com.google.gerrit.sshd.DatabasePubKeyAuth$PeerKeyCache.read(DatabasePubKeyAuth.java:236)
at com.google.gerrit.sshd.DatabasePubKeyAuth$PeerKeyCache.<init>(DatabasePubKeyAuth.java:219)
at com.google.gerrit.sshd.DatabasePubKeyAuth$PeerKeyCache.reload(DatabasePubKeyAuth.java:265)

~s
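The stack trace above dies inside Buffer.getString while Gerrit is parsing the key blob, i.e. a 4-byte length prefix in the decoded base64 pointed outside the data. A small offline checker for a peer_keys file, written in the authorized_keys format Shawn describes (one public key per line), catches that class of problem before Gerrit logs the WARN. This is an added example, not code from the thread or from Gerrit; the key material it builds is a constructed placeholder (only the SSH wire framing is real), the file contents are constructed, and it assumes plain "type base64 comment" lines with no OpenSSH options prefix.

```python
import base64
import struct


def ssh_string(data: bytes) -> bytes:
    """Encode one SSH wire-format string: 4-byte big-endian length + bytes."""
    return struct.pack(">I", len(data)) + data


def ssh_mpint(value: int) -> bytes:
    """Encode a non-negative integer as an SSH mpint (a leading 0x00 keeps it positive)."""
    raw = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return ssh_string(raw)


def make_rsa_key_line(e: int, n: int, comment: str) -> str:
    """Build an authorized_keys-style 'ssh-rsa <base64> <comment>' line.
    Only the framing is real; the modulus passed in is a constructed placeholder."""
    blob = ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)
    return "ssh-rsa %s %s" % (base64.b64encode(blob).decode("ascii"), comment)


def parse_ssh_wire_strings(blob: bytes) -> list:
    """Split a decoded key blob into its length-prefixed fields.
    Raises ValueError when a length prefix runs past the end of the blob, which is
    the condition behind the 'Bad item length' exception in the thread's log."""
    fields = []
    pos = 0
    while pos < len(blob):
        if pos + 4 > len(blob):
            raise ValueError("truncated length prefix at offset %d" % pos)
        (length,) = struct.unpack(">I", blob[pos:pos + 4])
        pos += 4
        if length > len(blob) - pos:
            raise ValueError("bad item length %d at offset %d" % (length, pos))
        fields.append(blob[pos:pos + length])
        pos += length
    return fields


def check_peer_key_line(line: str):
    """Return (ok, reason) for one line of a peer_keys / authorized_keys file.
    Assumes no OpenSSH options prefix (e.g. 'no-pty'); the first token is the key type."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return True, "blank or comment"
    parts = stripped.split()
    if len(parts) < 2:
        return False, "expected '<type> <base64> [comment]'"
    key_type, b64 = parts[0], parts[1]
    try:
        blob = base64.b64decode(b64, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        return False, "base64 decode failed: %s" % exc
    try:
        fields = parse_ssh_wire_strings(blob)
    except ValueError as exc:
        return False, str(exc)
    declared = key_type.encode("ascii", "replace")
    if not fields or fields[0] != declared:
        found = fields[0] if fields else b""
        return False, "blob type %r does not match declared type %r" % (found, key_type)
    return True, "%s key with %d fields" % (key_type, len(fields))


def check_peer_keys(text: str):
    """Check every line; returns a list of (line_number, ok, reason)."""
    return [(num, *check_peer_key_line(line))
            for num, line in enumerate(text.splitlines(), 1)]


# Constructed sample file: one good line, one whose base64 was cut short (as happens
# when a long key line is wrapped or truncated on paste), and one with the wrong type.
SAMPLE_N = (1 << 255) | 0x10001  # placeholder integer, not a real RSA modulus
GOOD_LINE = make_rsa_key_line(65537, SAMPLE_N, "gerrit-peer@buildhost")
_type, _b64, _comment = GOOD_LINE.split(" ")
CUT_LINE = " ".join([_type, _b64[:-40], _comment])
MISMATCH_LINE = "ssh-dss " + GOOD_LINE.split(" ", 1)[1]
PEER_KEYS = "\n".join([
    "# constructed sample peer_keys (not the thread's file)",
    GOOD_LINE,
    CUT_LINE,
    MISMATCH_LINE,
])

if __name__ == "__main__":
    for num, ok, reason in check_peer_keys(PEER_KEYS):
        print("line %d: %s: %s" % (num, "ok" if ok else "INVALID", reason))
```

Because Gerrit re-reads peer_keys whenever its mtime changes (Shawn's point earlier in the thread), a line flagged here can be corrected in place and the next "Gerrit Code Review" login retried without a restart.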

Shaheen Gandhi

Apr 27, 2012, 8:00:46 PM
to repo-d...@googlegroups.com
Ah, after some hunting, this is the fix:
https://groups.google.com/d/msg/repo-discuss/VsvsK_us51Q/daXrfOWwmQ0J
~s