Cannot logon to git user??


Justin Yaple

Jul 15, 2014, 5:05:43 PM
to gitl...@googlegroups.com
Hello,

I am just starting to get an instance of GitLab CE (version 7) set up.  The host is CentOS 6.5 and is configured for LDAP/Domain authentication using Samba.  GitLab is also configured for LDAP authentication and that is working great.  We can log in using our domain credentials to the web interface, create projects, everything just fine.

When we try to push using git over ssh it constantly prompts for a password.

tail /var/log/messages
Jul 15 12:55:58 git sudo: pam_ldap: ldap_search_s Operations error
Jul 15 12:55:58 git nslcd[1256]: [1d606e] ldap_result() failed: Operations error
Jul 15 12:55:58 git nslcd[1256]: [382503] ldap_result() failed: Operations error
Jul 15 12:55:58 git nslcd[1256]: [b76e28] ldap_result() failed: Operations error


tail /var/log/secure
Jul 15 12:57:42 git sshd[33180]: Failed password for git from 127.0.0.1 port 36709 ssh2
Jul 15 12:57:43 git sshd[33180]: Failed password for git from 127.0.0.1 port 36709 ssh2
Jul 15 12:57:43 git sshd[33181]: Connection closed by 127.0.0.1

Local authentication works because I can login using "root" if I modify /etc/ssh/sshd_config and change PermitRootLogin to yes.

The output of gitlab-rake gitlab:check all seems good.  

I am guessing that it's my sshd process trying to authenticate using PAM/Winbind and not allowing the log git user to authenticate. Just a guess and not really sure how/where to fix it so the git user works correctly.

Thanks.

Justin Yaple

Jul 15, 2014, 8:08:51 PM
to gitl...@googlegroups.com
I have enabled some additional debug in /etc/ssh/sshd_config
LogLevel DEBUG

tail /var/log/secure
Jul 15 16:44:39 git sshd[10429]: debug1: restore_uid: 0/0
Jul 15 16:44:39 git sshd[10429]: debug1: temporarily_use_uid: 500/500 (e=0/0)
Jul 15 16:44:39 git sshd[10429]: debug1: trying public key file /var/opt/gitlab/.ssh/authorized_keys
Jul 15 16:44:39 git sshd[10429]: debug1: Could not open authorized keys '/var/opt/gitlab/.ssh/authorized_keys': No such file or directory

So after some additional digging it looks like SELinux might actually be blocking access to this non-standard home directory.

Now just how to fix the issue.

Justin Yaple

Jul 15, 2014, 8:48:06 PM
to gitl...@googlegroups.com
I seem to have fixed the problem.

In /var/log/audit/audit.log I found these entries.
type=AVC msg=audit(1405471020.083:1562): avc:  denied  { read } for  pid=20136 comm="sshd" name="authorized_keys" dev=dm-0 ino=2229106 scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_t:s0 tclass=file

So changing them to the correct context fixed the problem.
chcon -t user_home_dir_t /var/opt/gitlab/
chcon -t ssh_home_t /var/opt/gitlab/.ssh/
chcon -t ssh_home_t /var/opt/gitlab/.ssh/authorized_keys

This might be a bug/problem with the ce package for CentOS.
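
Added example (not part of the original posts and not GitLab's code): a shell function that pulls denials with source type `sshd_t` out of audit.log-format records and prints the permission, object class, file name and target SELinux type, which is how the `var_t` label on `authorized_keys` shows up in the post above. The helper name `sshd_denials` is hypothetical; the first sample record is the denial quoted in the post and the other two are constructed.

```bash
#!/bin/sh
# Added example; sshd_denials and sample_audit_log are hypothetical helper names.

# Sample audit.log records. The first is the denial quoted in the post;
# the other two are constructed to show what the filter skips.
sample_audit_log() {
cat <<'EOF'
type=AVC msg=audit(1405471020.083:1562): avc:  denied  { read } for  pid=20136 comm="sshd" name="authorized_keys" dev=dm-0 ino=2229106 scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1405471100.100:1570): avc:  denied  { getattr } for  pid=20140 comm="httpd" name="index.html" dev=dm-0 ino=11 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
type=USER_AUTH msg=audit(1405471101.000:1571): user pid=20141 uid=0 auid=4294967295 msg='op=password acct="git" res=failed'
EOF
}

# Read audit records on stdin. For each AVC denial whose source type is
# sshd_t, print: permissions, object class, file name, target type.
sshd_denials() {
    awk '
    $1 == "type=AVC" && /denied/ {
        perm = ""; name = "-"; stype = ""; ttype = ""; class = ""; inperm = 0
        for (i = 1; i <= NF; i++) {
            # Permissions sit between "{" and "}" and may be several words.
            if ($i == "{") { inperm = 1; continue }
            if ($i == "}") { inperm = 0; continue }
            if (inperm) { perm = (perm == "" ? $i : perm "," $i); continue }
            if ($i ~ /^name=/)     { name = $i; gsub(/^name=|"/, "", name) }
            # A context is user:role:type:level, so the type is field 3.
            if ($i ~ /^scontext=/) { split($i, s, ":"); stype = s[3] }
            if ($i ~ /^tcontext=/) { split($i, t, ":"); ttype = t[3] }
            if ($i ~ /^tclass=/)   { class = substr($i, 8) }
        }
        if (stype == "sshd_t")
            print perm, class, name, ttype
    }'
}

# Demo on the embedded sample; on a host, feed /var/log/audit/audit.log instead.
sample_audit_log | sshd_denials
```

Labels set with `chcon` are not kept when the filesystem is relabelled or `restorecon` is run on the path. Recording the rule with `semanage fcontext -a -t ssh_home_t '/var/opt/gitlab/.ssh(/.*)?'` and applying it with `restorecon -Rv /var/opt/gitlab/.ssh` makes the label persistent.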


Alan Doyle

Jul 16, 2014, 1:56:06 AM
to gitl...@googlegroups.com
I am having the same issue on Ubuntu 14.04, sadly the way you fixed it does not seem to work on Ubuntu.

Achilleas Pipinellis

Jul 16, 2014, 3:36:02 AM
to gitl...@googlegroups.com
On 07/16/2014 08:56 AM, Alan Doyle wrote:
> I am having the same issue on Ubuntu 14.04, sadly the way you fixed it
> does not seem to work on Ubuntu.
>

Hi Alan,

Ubuntu doesn't have SELinux. This is only for RedHat based
distributions. Are you using the package or did you use the manual method?


--
GPG : 0xABF99BE5
Blog: http://axilleas.me

Alan Doyle

Jul 16, 2014, 4:03:58 AM
to gitl...@googlegroups.com
i am using the package, and yea i know :/ was worth a shot tho :( haha

Justin Yaple

Jul 16, 2014, 9:54:14 AM
to gitl...@googlegroups.com
Edit your /etc/ssh/sshd_config and turn on DEBUG.  Then restart the sshd service and try to logon as "git" again.

You might also try putting this at the bottom of your /etc/ssh/sshd_config file.

Match User git
    PasswordAuthentication no
    KbdInteractiveAuthentication no
    GSSAPIAuthentication no
    KerberosAuthentication no
    HostbasedAuthentication no
    PubkeyAuthentication yes
    RSAAuthentication yes
