ssh Permission denied (public key)


Kari Klein

Mar 14, 2023, 11:10:26 AM
to Repo and Gerrit Discussion
Hi,

I can do a git clone on my repository through https, but with ssh I get the following error. I am attempting this on a linux command line. I have tried doing many things with my public key, but cannot get past the error. I am setting up a key with my gerrit email, adding the public key in the gerrit settings panel for my user and adding the private info to my keystore on my linux box. Any pointers would be appreciated. I cannot figure out what I'm doing wrong. Do I need to do anything on the Apache server side? I have only configured it for HTTPS, do I also need to do some configuring for SSH? If so, are there docs on that somewhere? The other thing is that when I set up the key I am using my email. Should I be using my username instead? I don't think that I have tried that because all the documentation I saw used email, but it's a thought I just had.

thanks,
Kari

@pop-os:~/git$ git clone ssh://gerrit.rumission.com/test-vs.git test-vs
Cloning into 'test-vs'...
<my email>: Permission denied (publickey).
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.


The repository is hosted on a GCS VM behind an Apache2 webserver. The gerrit error log shows:

[Tue Mar 14 00:00:03.594500 2023] [mpm_event:notice] [pid 1220559:tid 139684817177920] AH00489: Apache/2.4.54 (Debian) OpenSSL/1.1.1n configured -- resuming normal operations
[Tue Mar 14 00:00:03.594547 2023] [core:notice] [pid 1220559:tid 139684817177920] AH00094: Command line: '/usr/sbin/apache2'


The config looks like:

[gerrit]
        basePath = git
        canonicalWebUrl = https://gerrit.rumission.com
        serverId = <id>
[container]
        javaOptions = "-Dflogger.backend_factory=com.google.common.flogger.backend.log4j.Log4jBackendFactory#getInstance"
        javaOptions = "-Dflogger.logging_context=com.google.gerrit.server.logging.LoggingContext#getInstance"
        user = gerrit
        javaHome = /usr/lib/jvm/java-11-openjdk-amd64
[index]
        type = lucene
[auth]
        type = OAUTH
        userNameCaseInsensitive = true
        gitBasicAuthPolicy = HTTP
[receive]
        enableSignedPush = false
[sendemail]
        smtpServer = localhost
[sshd]
        listenAddress = *:29418
        advertisedAddress = *:22
[httpd]
        listenUrl = proxy-http://*:8081
[cache]
        directory = cache
[plugins]
        allowRemoteAdmin = true
[plugin "gerrit-oauth-provider-google-oauth"]
        client-id =<id>
        fix-legacy-user-id = false



Sven Selberg

Mar 14, 2023, 11:19:53 AM
to Repo and Gerrit Discussion
On Tuesday, March 14, 2023 at 4:10:26 PM UTC+1 Kari Klein wrote:
> Hi,
>
> I can do a git clone on my repository through https, but with ssh I get the following error. I am attempting this on a linux command line. I have tried doing many things with my public key, but cannot get past the error. I am setting up a key with my gerrit email, adding the public key in the gerrit settings panel for my user and adding the private info to my keystore on my linux box. Any pointers would be appreciated. I cannot figure out what I'm doing wrong. Do I need to do anything on the Apache server side? I have only configured it for HTTPS, do I also need to do some configuring for SSH? If so, are there docs on that somewhere? The other thing is that when I set up the key I am using my email. Should I be using my username instead? I don't think that I have tried that because all the documentation I saw used email, but it's a thought I just had.
>
> thanks,
> Kari
>
> @pop-os:~/git$ git clone ssh://gerrit.rumission.com/test-vs.git test-vs
> Cloning into 'test-vs'...
> <my email>: Permission denied (publickey).
> fatal: Could not read from remote repository.
>
> Please make sure you have the correct access rights
> and the repository exists.

Have you added your public ssh key to Gerrit?

To debug run `$ ssh -vvv -p 29418 gerrit.rumission.com`.
Should tell you exactly which keys are used etc.

Kari Klein

Mar 14, 2023, 11:29:51 AM
to Sven Selberg, Repo and Gerrit Discussion
Hi Sven,

Yes, I mention that in the first paragraph. Every time I create a new key to try something out, I add it to linux box keystore and my settings page in gerrit and see that it is a valid key.


--
Kari Klein (she/her)
Co-Founder and CTO, Rumission
Software Engineer and Atmospheric Scientist

Kari Klein

Mar 14, 2023, 11:39:14 AM
to Repo and Gerrit Discussion
Another question. My husband uses gerrit through github, and for github ssh he has to create an .ssh/config file. Do I have to do something similar for talking directly to a gerrit git that I host myself? I have not done anything like this:

From ~/.ssh/config

Host github.com
    HostName github.com
    User git
    IdentityFile ~/.ssh/github_upstream

Matthias Sohn

Mar 14, 2023, 3:33:19 PM
to Kari Klein, Repo and Gerrit Discussion
On Tue, Mar 14, 2023 at 4:39 PM Kari Klein <kkl...@rumission.com> wrote:
> Another question. My husband uses gerrit through github, and for github ssh he has to create an .ssh/config file. Do I have to do something similar for talking directly to a gerrit git that I host myself? I have not done anything like this:
>
> From ~/.ssh/config
>
> Host github.com
>     HostName github.com
>     User git
>     IdentityFile ~/.ssh/github_upstream

You don't need to use a ssh config file but it can help a lot to reduce the number of options
you need to type explicitly and repetitively for each ssh command you are sending to a server.


-Matthias

Kari Klein

Mar 14, 2023, 4:08:23 PM
to Matthias Sohn, Repo and Gerrit Discussion
So I tried that by removing the line "advertisedAddress = *:22" in the config and opening up that port firewall settings via tcp and udp for all incoming IP addresses on my vm and also running "sudo ufw allow 29418/tcp" and "sudo ufw allow 29418/udp" on the vm, but that connection times out when I run this:

:~$ git clone ssh://gerrit.rumission.com:29418/test-vs.git test-vs
Cloning into 'test-vs'...
ssh: connect to host gerrit.rumission.com port 29418: Connection timed out

fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.

Matthias Sohn

Mar 14, 2023, 4:15:47 PM
to Kari Klein, Repo and Gerrit Discussion
On Tue, Mar 14, 2023 at 9:08 PM Kari Klein <kkl...@rumission.com> wrote:
> So I tried that by removing the line "advertisedAddress = *:22" in the config and opening up that port firewall settings via tcp and udp for all incoming IP addresses on my vm and also running "sudo ufw allow 29418/tcp" and "sudo ufw allow 29418/udp" on the vm, but that connection times out when I run this:

Please avoid top posting on this list, use interleaved posting instead.

Try if you can connect using this command

ssh -v -p 29418 username@host

-v should give you some details about what's going wrong

Kari Klein

Mar 14, 2023, 6:39:33 PM
to Matthias Sohn, Repo and Gerrit Discussion
On Tue, Mar 14, 2023 at 2:15 PM Matthias Sohn <matthi...@gmail.com> wrote:
> On Tue, Mar 14, 2023 at 9:08 PM Kari Klein <kkl...@rumission.com> wrote:
>> So I tried that by removing the line "advertisedAddress = *:22" in the config and opening up that port firewall settings via tcp and udp for all incoming IP addresses on my vm and also running "sudo ufw allow 29418/tcp" and "sudo ufw allow 29418/udp" on the vm, but that connection times out when I run this:
>
> Please avoid top posting on this list, use interleaved posting instead.
>
> Try if you can connect using this command
>
> ssh -v -p 29418 username@host
>
> -v should give you some details about what's going wrong

Thanks for the tip on interleaving.

I finally got it working. I needed to do a few things. My port firewall settings weren't quite right on the VM, then I needed to use ED25519 for the encryption for my key, and then I had to use the command with my username: git clone ssh://kkl...@gerrit.rumission.com:29418/test-vs.git test-vs

Having the -v was really helpful once I got the port opened correctly! I really appreciate the suggestion.

-Kari 

Clark Boylan

Mar 14, 2023, 7:41:57 PM
to Kari Klein, Repo and Gerrit Discussion
On Tue, Mar 14, 2023 at 3:39 PM Kari Klein <kkl...@rumission.com> wrote:
>
>
>
> On Tue, Mar 14, 2023 at 2:15 PM Matthias Sohn <matthi...@gmail.com> wrote:
>>
>> On Tue, Mar 14, 2023 at 9:08 PM Kari Klein <kkl...@rumission.com> wrote:
>>>
>>> So I tried that by removing the line "advertisedAddress = *:22" in the config and opening up that port firewall settings via tcp and udp for all incoming IP addresses on my vm and also running "sudo ufw allow 29418/tcp" and "sudo ufw allow 29418/udp" on the vm, but that connection times out when I run this:
>>
>>
>> Please avoid top posting on this list, use interleaved posting instead.
>> See https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
>>
>> Try if you can connect using this command
>>
>> ssh -v -p 29418 username@host
>>
>> -v should give you some details about what's going wrong
>
>
> Thanks for the tip on interleaving.
>
> I finally got it working. I needed to do a few things. My port firewall settings weren't quite right on the VM, then I needed to use ED25519 for the encryption for my key, and then I had to use the command with my username: git clone ssh://kkl...@gerrit.rumission.com:29418/test-vs.git test-vs
>

If your previous key was an RSA key then it is possible you ran into
issues with the new OpenSSH clients disallowing RSA + SHA1 by default
and older Gerrit servers not understanding how to negotiate RSA + SHA2
with these clients. This was fixed in Gerrit 3.6 and newer and
eventually backported to Gerrit 3.5. This means that an up to date
Gerrit 3.5 or newer should work with RSA keys and new OpenSSH clients.
That said, ED25519 keys should work fine. I'm mostly calling this out
should anyone else run into similar problems.
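
The three failures that came up in this thread (port not reachable, key or user not accepted, and the RSA signature mismatch Clark describes) look different in the client's output. The following is an added example, not part of any message above and not Gerrit project code: a small shell triage over captured `ssh -v` or `git clone` output. The sample lines, host name and user are constructed placeholders, and the labels and hints are this example's own.

```shell
#!/bin/sh
# Added example: classify ssh/git client output read on stdin.
# Sample inputs are constructed; gerrit.example.org and "user" are placeholders.

classify_ssh_failure() {
    out=$(cat)
    case "$out" in
        # TCP never reached Gerrit's sshd: firewall, wrong port, daemon down.
        *"Connection timed out"*|*"Connection refused"*) echo network ;;
        # Test this before the generic denial: such a run also ends in
        # "Permission denied (publickey)".
        *"no mutual signature"*) echo rsa-signature ;;
        *"Permission denied (publickey)"*) echo key-or-user ;;
        *) echo unknown ;;
    esac
}

# Map a label to the remedy that worked or was suggested in the thread.
next_step() {
    case "$1" in
        network) echo "check the VM firewall for the sshd.listenAddress port (29418 here)" ;;
        rsa-signature) echo "use an ED25519 key, or update Gerrit to an up to date 3.5 or newer" ;;
        key-or-user) echo "put the Gerrit username in the URL and confirm the key is registered" ;;
        *) echo "rerun with ssh -vvv and read the debug lines" ;;
    esac
}

SAMPLE_TIMEOUT='ssh: connect to host gerrit.example.org port 29418: Connection timed out'
SAMPLE_RSA='debug1: Offering public key: /home/user/.ssh/id_rsa RSA SHA256:(constructed)
debug1: send_pubkey_test: no mutual signature algorithm
user@gerrit.example.org: Permission denied (publickey).'
SAMPLE_DENIED='debug1: Offering public key: /home/user/.ssh/id_ed25519 ED25519 SHA256:(constructed)
debug1: Authentications that can continue: publickey
user@gerrit.example.org: Permission denied (publickey).'

for s in "$SAMPLE_TIMEOUT" "$SAMPLE_RSA" "$SAMPLE_DENIED"; do
    label=$(printf '%s\n' "$s" | classify_ssh_failure)
    printf '%s: %s\n' "$label" "$(next_step "$label")"
done
```

To use it on a real attempt, pipe the client's stderr into the function, for example `ssh -v -p 29418 username@host 2>&1 | classify_ssh_failure`.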