You didn't use BouncyCastle when you set up the server, so it had to
use the MINA SSHD custom format for the host key. Both the public and
private halves are stored in the "ssh_host_key" file using a Java
serialization format.
Instead, generate your own key pair using ssh-keygen and add the
public half to the $site_dir/etc/peer_keys file using the standard
OpenSSH authorized_keys file format (one public key per line). The
server will automatically load this file when created/modified; there
isn't a need to restart it when you add keys to it.
It doesn't work
WARN com.google.gerrit.sshd.DatabasePubKeyAuth : Invalid key in
/home/gerrit2/review_site/etc/peer_keys:
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDTzewbK3HOOc18ru7NoQu1cGM5ElsvYdcS1rM7L2qPp90kRaHlrGMZFx/e6Y0OVrvDy16662MSgMcfnf/xhsQekNsUyrJzXMGujzsnMGB/LPbJK/j8OXJz/BDZnkPtvRfCvmb5ZnVC20lPHOK8jlaBmnNKLwpNto1b/0x5B79iNWrtcVRBPBPkXHfjXQbePboh9nUvscSs5nVcBrssA0k56hh9EDBZIkiSyUwzfPd+QBHQaPlKz87dVUgHMyXcr12FzeVRkAHNwkNsoa8WTiniG/7zdNG260xJXeWSvoWtjynqfyvKn49ieAyRrHMrVdI179uwMYv6loiinMxaM25z
java.lang.IllegalStateException: Bad item length: -1295483218
at org.apache.sshd.common.util.Buffer.getString(Buffer.java:176)
at org.apache.sshd.common.util.Buffer.getRawPublicKey(Buffer.java:230)
at com.google.gerrit.sshd.DatabasePubKeyAuth$PeerKeyCache.read(DatabasePubKeyAuth.java:236)
at com.google.gerrit.sshd.DatabasePubKeyAuth$PeerKeyCache.<init>(DatabasePubKeyAuth.java:219)
at com.google.gerrit.sshd.DatabasePubKeyAuth$PeerKeyCache.reload(DatabasePubKeyAuth.java:265)
at com.google.gerrit.sshd.DatabasePubKeyAuth.getPeerKeys(DatabasePubKeyAuth.java:149)
at com.google.gerrit.sshd.DatabasePubKeyAuth.authenticate(DatabasePubKeyAuth.java:99)
at org.apache.sshd.server.auth.UserAuthPublicKey.auth(UserAuthPublicKey.java:71)
at org.apache.sshd.server.session.ServerSession.userAuth(ServerSession.java:350)
at org.apache.sshd.server.session.ServerSession.handleMessage(ServerSession.java:193)
at org.apache.sshd.common.session.AbstractSession.decode(AbstractSession.java:522)
at org.apache.sshd.common.session.AbstractSession.messageReceived(AbstractSession.java:225)
at org.apache.sshd.common.AbstractSessionIoHandler.messageReceived(AbstractSessionIoHandler.java:58)
at org.apache.mina.core.filterchain.DefaultIoFilterChain$TailFilter.messageReceived(DefaultIoFilterChain.java:716)
at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:434)
at org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1200(DefaultIoFilterChain.java:46)
at org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:796)
at org.apache.mina.core.filterchain.IoFilterAdapter.messageReceived(IoFilterAdapter.java:119)
at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:434)
at org.apache.mina.core.filterchain.DefaultIoFilterChain.fireMessageReceived(DefaultIoFilterChain.java:426)
at org.apache.mina.core.polling.AbstractPollingIoProcessor.read(AbstractPollingIoProcessor.java:692)
at org.apache.mina.core.polling.AbstractPollingIoProcessor.process(AbstractPollingIoProcessor.java:645)
at org.apache.mina.core.polling.AbstractPollingIoProcessor.process(AbstractPollingIoProcessor.java:634)
at org.apache.mina.core.polling.AbstractPollingIoProcessor.access$400(AbstractPollingIoProcessor.java:66)
at org.apache.mina.core.polling.AbstractPollingIoProcessor$Processor.run(AbstractPollingIoProcessor.java:1078)
at org.apache.mina.util.NamePreservingRunnable.run(NamePreservingRunnable.java:64)
at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
at java.lang.Thread.run(Thread.java:662)
Hmm. Maybe I am wrong. Did you try just the key by itself, without the
ssh-rsa prefix? Looking at the code it seems to Base64 decode the
entire line, without trying to remove that prefix.
Thanks, Shawn. After removing the ssh-rsa prefix, it works.
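
The failure in this thread, reproduced as an added example (not part of the original posts and not Gerrit's or MINA SSHD's code): Base64-decoding the whole line, prefix included, turns "ssh-rsa " into the first length field and yields the logged -1295483218, while a strict parser splits off the key type and checks it against the blob. The key blob is constructed, and the lenient decoder ("-" accepted as a URL-safe digit, spaces skipped) is an assumed model of the server's decoder.

```python
import base64
import string
import struct

B64_DIGITS = set(string.ascii_letters + string.digits + "+/")

def ssh_string(data: bytes) -> bytes:
    """SSH wire 'string': 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data

# Constructed sample (not a real key): type, exponent, dummy modulus.
BLOB = (ssh_string(b"ssh-rsa") + ssh_string(b"\x01\x00\x01")
        + ssh_string(b"\x00" + bytes(range(1, 33))))
LINE = "ssh-rsa " + base64.b64encode(BLOB).decode("ascii")

def lenient_b64decode(text: str) -> bytes:
    """Assumed decoder model: '-' and '_' count as URL-safe digits,
    every other non-alphabet character (space, '=') is skipped."""
    text = text.translate(str.maketrans("-_", "+/"))
    digits = "".join(c for c in text if c in B64_DIGITS)
    digits = digits[: len(digits) - len(digits) % 4]  # drop a partial group
    return base64.b64decode(digits)

def first_item_length(blob: bytes) -> int:
    """First length field as a signed 32-bit int, as a Java int holds it."""
    return struct.unpack(">i", blob[:4])[0]

def parse_authorized_key(line: str) -> tuple[str, bytes]:
    """Strict parse of '<type> <base64> [comment]' with a length check."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, blob = fields[0], base64.b64decode(fields[1], validate=True)
    n = first_item_length(blob)
    if n < 0 or n > len(blob) - 4:
        raise ValueError(f"bad item length: {n}")
    if blob[4:4 + n] != key_type.encode("ascii"):
        raise ValueError("key type in blob does not match the prefix")
    return key_type, blob

if __name__ == "__main__":
    print(first_item_length(lenient_b64decode(LINE)))             # whole line
    print(first_item_length(lenient_b64decode(LINE.split()[1])))  # blob only
    print(parse_authorized_key(LINE)[0])
```

The first four decoded bytes depend only on "ssh-rsa " and the leading "A" of the blob, so any ssh-rsa line fed whole to such a decoder produces the same negative length.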