ssh key issues connecting to gerrit


Paulo Santos
Jul 9, 2015, 9:20:02 AM
to repo-d...@googlegroups.com
Hi all,

First of all, thanks in advance for all the help you can provide me. I've been struggling with this for the last 2 days, and after reading almost every related post I could find, I decided to post asking for help.

I have an installation of Gerrit connected to LDAP, running MySQL.
Gerrit by itself works fine. I'm able to authenticate, grant some users admin rights, create projects via the web UI, etc.
After adding my SSH key to my account via "Settings > SSH Public Keys", I'm having trouble connecting to Gerrit via SSH.

[psantos@eulab-vm-psantos01 ~]$ ssh -v -p 29418 psa...@eulab-vm-repo01.mydomain.net
OpenSSH_6.4, OpenSSL 1.0.1e-fips 11 Feb 2013
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 51: Applying options for *
debug1: Connecting to eulab-vm-repo01.mydomain.net [10.45.104.19] port 29418.
debug1: Connection established.
debug1: identity file /home/psantos/.ssh/id_rsa type 1
debug1: identity file /home/psantos/.ssh/id_rsa-cert type -1
debug1: identity file /home/psantos/.ssh/id_dsa type 2
debug1: identity file /home/psantos/.ssh/id_dsa-cert type -1
debug1: identity file /home/psantos/.ssh/id_ecdsa type -1
debug1: identity file /home/psantos/.ssh/id_ecdsa-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.4
debug1: Remote protocol version 2.0, remote software version GerritCodeReview_2.11.1 (SSHD-CORE-0.14.0)
debug1: no match: GerritCodeReview_2.11.1 (SSHD-CORE-0.14.0)
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: sending SSH2_MSG_KEXDH_INIT
debug1: expecting SSH2_MSG_KEXDH_REPLY
debug1: Server host key: RSA f2:7f:83:08:b1:33:0d:6b:4f:eb:54:53:fb:88:41:98
debug1: Host '[eulab-vm-repo01.mydomain.net]:29418' is known and matches the RSA host key.
debug1: Found key in /home/psantos/.ssh/known_hosts:1
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/psantos/.ssh/id_rsa
debug1: Authentications that can continue: publickey
debug1: Offering DSA public key: /home/psantos/.ssh/id_dsa
debug1: Authentications that can continue: publickey
debug1: Trying private key: /home/psantos/.ssh/id_ecdsa
debug1: No more authentication methods to try.
Permission denied (publickey).

On the Gerrit server I see the following:

[gerrit2@eulab-vm-repo01 ~]$ tail -1 logs/sshd_log
[2015-07-09 13:10:47,364 +0000] 2313257e psantos - AUTH FAILURE FROM 10.45.104.23 user-not-found

psantos is my account in LDAP, and I can see it correctly set up in the DB as well:

MariaDB [reviewdb]> select * from account_external_ids where email_address="psa...@mydomain.net";
+------------+----------------------+----------+----------------+
| account_id | email_address        | password | external_id    |
+------------+----------------------+----------+----------------+
|          1 | psa...@mydomain.net | NULL     | gerrit:gerrit2 |
|          4 | psa...@mydomain.net | NULL     | gerrit:psantos |
+------------+----------------------+----------+----------------+

FYI, the gerrit2 account is an LDAP account I created with my email address so that I can do the read-only bind to LDAP. Is the problem there, the duplicate email address field complicating things?


Thanks,
Paulo

Edwin Kempin
Jul 9, 2015, 9:25:09 AM
to Paulo Santos, Repo and Gerrit Discussion
Have you set a username under
  http://<host>:<port>/#/settings/
?

It seems to be missing in your account_external_ids table.
There should be an entry with an external_id starting with "username:".
That username you must then use for the SSH command.

 


Paulo Santos
Jul 9, 2015, 9:29:42 AM
to repo-d...@googlegroups.com, paulo...@gmail.com
The username field in the settings is blanked out and doesn't let me set it.
I wonder if this is supposed to be populated directly from LDAP. Shouldn't Gerrit populate it directly via my login credentials?

Edwin Kempin
Jul 9, 2015, 9:36:52 AM
to Paulo Santos, Repo and Gerrit Discussion
2015-07-09 15:29 GMT+02:00 Paulo Santos <paulo...@gmail.com>:
> The username field in the settings is blanked out
This explains why SSH doesn't work.

> and doesn't let me set it.
> I wonder if this is supposed to be populated directly from LDAP.
Yes, if you are using LDAP it should be populated automatically.

> Shouldn't Gerrit populate it directly via my login credentials?
Looks like your LDAP configuration in gerrit.config is not correct then.

Paulo Santos
Jul 9, 2015, 9:46:27 AM
to repo-d...@googlegroups.com, paulo...@gmail.com
So I've manually inserted the row in the DB, restarted Gerrit, and now it works.

[psantos@eulab-vm-psantos01 ~]$ ssh -p 29418 psa...@eulab-vm-repo01.mydomain.net gerrit version
gerrit version 2.11.1

Regarding my config, please find the LDAP part below:

[ldap]
        server = ldap://ldap-vip.mydomain.net
        username = user=gerrit2,ou=users,dc=mydomain,dc=net
        accountBase = ou=users,dc=mydomain,dc=net
        accountScope = subtree
        accountPattern = (&(user=${username}))
        accountFullName = cn
        accountEmailAddress = email

        sslVerify = false
        referral = follow

Thanks again for pointing out the original problem

Edwin Kempin
Jul 9, 2015, 9:58:18 AM
to Paulo Santos, Repo and Gerrit Discussion
2015-07-09 15:46 GMT+02:00 Paulo Santos <paulo...@gmail.com>:
> So I've manually inserted the row in the DB, restarted Gerrit, and now it works.
>
> [psantos@eulab-vm-psantos01 ~]$ ssh -p 29418 psa...@eulab-vm-repo01.mydomain.net gerrit version
> gerrit version 2.11.1
>
> Regarding my config, please find the LDAP part below:
>
> [ldap]
>         server = ldap://ldap-vip.mydomain.net
>         username = user=gerrit2,ou=users,dc=mydomain,dc=net
>         accountBase = ou=users,dc=mydomain,dc=net
>         accountScope = subtree
>         accountPattern = (&(user=${username}))
>         accountFullName = cn
>         accountEmailAddress = email
Maybe you also need to set accountSshUserName [1]. Seems the default is not working for you.

[1] https://gerrit-review.googlesource.com/Documentation/config-gerrit.html#ldap.accountSshUserName
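
The two points raised in the replies above, as an added example that is neither code from this thread nor from Gerrit itself: the SSH daemon resolves a login name only through "username:" external ids (so the "gerrit:" rows in the table earlier in the thread do not help), and that id is normally filled from the LDAP attribute named by ldap.accountSshUserName. The script models that lookup against rows constructed from the posted table, parses the posted [ldap] section, and reports when accountSshUserName is missing. The suggestion to use the same attribute as accountPattern (here "user") is an inference, not something the thread confirms, and the lookup model is deliberately simplified.

```python
"""Added example (not code from the thread or from Gerrit): a small checker for
the two causes discussed above. (1) Gerrit's SSH daemon resolves the login name
only through 'username:' external ids, so an account with just 'gerrit:' and
email ids fails with 'user-not-found'. (2) That id is normally filled from the
LDAP attribute named by ldap.accountSshUserName; when the built-in default
attribute does not exist in the directory, it stays empty."""
import re

# Constructed sample: the [ldap] section posted in the thread, verbatim.
POSTED_LDAP_SECTION = """\
[ldap]
        server = ldap://ldap-vip.mydomain.net
        username = user=gerrit2,ou=users,dc=mydomain,dc=net
        accountBase = ou=users,dc=mydomain,dc=net
        accountScope = subtree
        accountPattern = (&(user=${username}))
        accountFullName = cn
        accountEmailAddress = email

        sslVerify = false
        referral = follow
"""

# Constructed rows mirroring the account_external_ids query in the thread.
POSTED_EXTERNAL_IDS = [
    (1, "gerrit:gerrit2"),
    (4, "gerrit:psantos"),
]


def ssh_username_lookup(external_ids, login):
    """Simplified model of the SSH login-name lookup: only the 'username:'
    scheme is consulted. Returns the account_id, or 'user-not-found' as the
    sshd_log line in the thread reports."""
    wanted = "username:" + login
    for account_id, external_id in external_ids:
        if external_id == wanted:
            return account_id
    return "user-not-found"


def parse_git_config_section(text, section):
    """Return {key: value} for one [section] of a git-config style file.
    Keys are case-insensitive in git config, so they are lowercased here."""
    values = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        header = re.match(r"\[([^\]]+)\]", line)
        if header:
            in_section = header.group(1).strip().lower() == section.lower()
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            values[key.strip().lower()] = value.strip()
    return values


def attribute_in_pattern(pattern):
    """The LDAP attribute that accountPattern compares ${username} against."""
    found = re.search(r"\(([\w.-]+)=\$\{username\}\)", pattern)
    return found.group(1) if found else None


def check_ssh_username(cfg):
    """Findings for the [ldap] section; an empty list means nothing to flag."""
    findings = []
    if "accountsshusername" not in cfg:
        msg = ("accountSshUserName is not set; Gerrit falls back to its built-in "
               "default attribute, and if the directory lacks it no 'username:' "
               "external id is created, so SSH logins fail")
        attr = attribute_in_pattern(cfg.get("accountpattern", ""))
        if attr:
            # Assumption: the attribute used to find the account at login is
            # also the attribute that should supply the SSH username.
            msg += f" (accountPattern matches on '{attr}'; try accountSshUserName = {attr})"
        findings.append(msg)
    if cfg.get("server", "").lower().startswith("ldap://"):
        findings.append("server is ldap:// without TLS, so the bind password "
                        "crosses the network in clear; sslVerify only applies "
                        "to ldaps:// URLs")
    return findings


if __name__ == "__main__":
    print(ssh_username_lookup(POSTED_EXTERNAL_IDS, "psantos"))
    ldap_cfg = parse_git_config_section(POSTED_LDAP_SECTION, "ldap")
    for finding in check_ssh_username(ldap_cfg):
        print("-", finding)
```

Run as-is it reports "user-not-found" for psantos and two findings for the posted section; appending a line such as `accountSshUserName = user` to the section removes the first finding, which is the same effect the manual `username:psantos` row had on the database.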

Paulo Santos
Jul 9, 2015, 10:04:50 AM
to repo-d...@googlegroups.com, paulo...@gmail.com
Great. I'll try that out.

Thanks!