Closed amosbird closed 6 years ago
https://secure.phabricator.com/book/phabricator/article/diffusion_hosting/#troubleshooting-ssh
✘ ~/dcpj-t4 develop ssh-keygen -t rsa -b 4096 -C "docker-compose-phabricator-jenkins"
Generating public/private rsa key pair.
Enter file in which to save the key (/home/altendky/.ssh/id_rsa): /home/altendky/.ssh/id_rsa_dcpj
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/altendky/.ssh/id_rsa_dcpj.
Your public key has been saved in /home/altendky/.ssh/id_rsa_dcpj.pub.
The key fingerprint is:
SHA256:xb2pi0Ld8gJ11atgI4UbF71Lfat/pbJ4VpoDo5Z5FMc docker-compose-phabricator-jenkins
The key's randomart image is:
+---[RSA 4096]----+
| ..o . |
| o.o.o . |
| =oo.o . |
| +.* Eoo .|
| oS= *oo ..|
| o o =.o ...|
| . . B.o +...|
| . *.ooB.. .|
| o.ooo.+...|
+----[SHA256]-----+
✘ ~/dcpj-t4 develop bash
altendky@lt:~/dcpj-t4$ eval "$(ssh-agent -s)"
Agent pid 9383
altendky@lt:~/dcpj-t4$ ssh-add ~/.ssh/id_rsa_dcpj
Identity added: /home/altendky/.ssh/id_rsa_dcpj (/home/altendky/.ssh/id_rsa_dcpj)
altendky@lt:~/dcpj-t4$ cat ~/.ssh/id_rsa_dcpj.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCb7Tgb6NOP014d84HXmdtisvOhdpEq4nwoLjMBEJWSVlItRYeF045hNGkpWpHnuXydILx0eSHgzkhGVtiG1zbkUftYD1Hgcwp/sA536nbA0rgwfeSojaFFeShlmggK7aEiMsR4VYMRrCJdH1tz3SdTJU39b7a+5iQkIVaOjYDzkOwWBtQeoBwqUUJVcOzYVBJdDQaYrozu64K<snipped for good measure tUUjCQ9pE6TjY2xF2mxUCVzZPb/nAulmAS6l4/i+jLPrFqAMCnnxkGX2cvcU6tKt2JnP+UpaT5HRW992cER0hANqbclxTbXByXUKH7sEBs3SWPXFwPl65JItVxMi+lfkqUfboeDjmPqo9jysJszqWIB4G3vCc+cC1Ge+0XSVKUT2ZqYizmZAaItOAwMfkqczDhMuqjOnBqZZrB0E84jCxWn7kkZ+C/cWz+AWwY68vQZXu2fdmbP4qJgQiQuiBjrJ5OmbRBKhKVDv/g04O+XZ/5yxpMTtf7x/bTLpund51MV70F1xEwMgDHG1Y7O6WFrOPxErn8QlKwaNat2KxPctFc8VnnnmsdHE+eJPseEHOdfK4pauQyeXLU+5yWthMoByQKsUxgJOf6pFh1w== docker-compose-phabricator-jenkins
altendky@lt:~/dcpj-t4$ ssh -T git@phabricator.local
phabricator-ssh-exec: Welcome to Phabricator.
You are logged in as user.
You haven't specified a command to run. This means you're requesting an interactive shell, but Phabricator does not provide an interactive shell over SSH.
Usually, you should run a command like `git clone` or `hg push` rather than connecting directly with SSH.
Supported commands are: conduit, git-lfs-authenticate, git-receive-pack, git-upload-pack, hg, svnserve.
altendky@lt:~/dcpj-t4$
Notice that I am trying to connect as the vcs-user (git). If you don't get it working please share a full session like this (you can make a new key just for this and throw it away afterwards).
❯ ssh-keygen -t rsa -b 4096 -C "docker-compose-phabricator-jenkins"
Generating public/private rsa key pair.
Enter file in which to save the key (/home/amos/.ssh/id_rsa): /home/amos/.ssh/id_rsa_dcpj
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/amos/.ssh/id_rsa_dcpj.
Your public key has been saved in /home/amos/.ssh/id_rsa_dcpj.pub.
The key fingerprint is:
8d:68:23:31:65:f9:fb:16:5f:ac:10:4f:ce:30:83:31 docker-compose-phabricator-jenkins
The key's randomart image is:
+--[ RSA 4096]----+
| o. |
| o. E |
| o . + |
| o .oo= . |
| . + S..X . |
| o .. o + o |
| . + o |
| o o |
| . |
+-----------------+
[ 6s465 | Aug 03 02:52PM ]
❯ bash
[amos@dell123 webservices]$ eval "$(ssh-agent -s)"
Agent pid 5901
[amos@dell123 webservices]$ ssh-add ~/.ssh/id_rsa_dcpj
Identity added: /home/amos/.ssh/id_rsa_dcpj (/home/amos/.ssh/id_rsa_dcpj)
[amos@dell123 webservices]$ cat ~/.ssh/id_rsa_dcpj.pub
ssh-rsa <public key elided> docker-compose-phabricator-jenkins
[amos@dell123 webservices]$ ssh -T git@dell123.phabricator
Permission denied (publickey).
[amos@dell123 webservices]$
I also inspected the phabricator ssh hook
❯ docker exec -it webservices_phabricator_1 bash
root@52c0fc82a34f:/# /opt/phabricator-ssh-hook.sh git
command="'/opt/bitnami/phabricator/bin/ssh-exec' '--phabricator-ssh-user' 'amosbird' '--phabricator-ssh-key' '3'",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa <public key elided>
The full sshd debug log is
OK, it seems ~/.ssh/environment doesn't affect the AuthorizedKeysCommand. I have to add export PATH=/opt/bitnami/php/bin:$PATH in /opt/phabricator-ssh-hook.sh
What other things have you changed? Can you try it on a fresh build of the docker-compose? I'm testing on 58163793b2e6a3d6854eaebd068b2ee4651521cb. I tried again after creating a new user (even named it amosbird for consistency) and it worked fine as well.
What was the full command line you ran in the container to get the debug log? Could you run it again as it also seems to be missing the first several startup lines? I want to make sure you had the sshd_config.phabricator specified.
root@bfce51e89d1f:/# /usr/sbin/sshd -f /etc/ssh/sshd_config.phabricator -ddd
It's been awhile but I think that I had a similar issue and that the PermitUserEnvironment option was important. Though I think this is one of the security hazards present in this image.
root@bfce51e89d1f:/# cat /etc/ssh/sshd_config.phabricator
# NOTE: You must have OpenSSHD 6.2 or newer; support for AuthorizedKeysCommand
# was added in this version.
# NOTE: Edit these to the correct values for your setup.
AuthorizedKeysCommand /opt/phabricator-ssh-hook.sh
AuthorizedKeysCommandUser git
AllowUsers git
# You may need to tweak these options, but mostly they just turn off everything
# dangerous.
Port 22
Protocol 2
PermitRootLogin no
AllowAgentForwarding no
AllowTcpForwarding no
PrintMotd no
PrintLastLog no
PasswordAuthentication no
ChallengeResponseAuthentication no
AuthorizedKeysFile none
PidFile /var/run/sshd-phabricator.pid
PermitUserEnvironment yes
Also, I would be concerned that manual modifications to /opt/phabricator-ssh-hook.sh
would get overwritten. Maybe check that sooner than later to avoid future confusion.
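A small audit for the two things this thread keeps circling: whether the line the hook prints for an account is a properly restricted forced-command key that matches the client's .pub file, and whether sshd_config.phabricator still carries PermitUserEnvironment yes. This is an added example written for this page, not code from Phabricator or this repository; the key blob and config text are constructed samples.

```python
REQUIRED = {"command", "no-port-forwarding", "no-X11-forwarding", "no-agent-forwarding", "no-pty"}  # hook options
EXPECTED = {"authorizedkeysfile": "none", "passwordauthentication": "no", "permituserenvironment": "no"}

def split_unquoted(text, sep):
    """Split on sep only outside double quotes, the way sshd reads authorized_keys options."""
    parts, quoted = [""], False
    for ch in text:
        quoted ^= ch == '"'
        if ch == sep and not quoted:
            parts.append("")
        else:
            parts[-1] += ch
    return parts

def parse_hook_line(line):
    """Split an authorized_keys-style line into (options, key type, key blob, comment)."""
    tokens = [t for t in split_unquoted(line.strip(), " ") if t] or [""]
    opts = [] if tokens[0].startswith(("ssh-", "ecdsa-", "sk-")) else split_unquoted(tokens.pop(0), ",")
    if len(tokens) < 2:
        raise ValueError("not an authorized_keys line: " + line)
    return opts, tokens[0], tokens[1], " ".join(tokens[2:])

def audit_hook_line(line, client_pubkey):
    """Findings for one line of hook output, compared with the contents of the client's .pub file."""
    opts, ktype, blob, _ = parse_hook_line(line)
    names = {o.split("=", 1)[0] for o in opts}
    findings = ["missing option " + o for o in sorted(REQUIRED - names)]
    if (ktype, blob) != tuple(client_pubkey.split()[:2]):
        findings.append("key differs from the client key; re-check the key stored on the account")
    return findings

def audit_sshd_config(text):
    """Findings for sshd_config.phabricator; PermitUserEnvironment yes is the hazard raised above."""
    conf = {"authorizedkeysfile": ".ssh/authorized_keys", "passwordauthentication": "yes",
            "permituserenvironment": "no"}  # sshd's own defaults, used when a directive is absent
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split(None, 1)
        if words:
            conf[words[0].lower()] = words[1].strip().lower() if len(words) > 1 else ""
    findings = [f"{k} is {conf[k]}, expected {v}" for k, v in EXPECTED.items() if conf[k] != v]
    if "authorizedkeyscommand" not in conf:
        findings.append("authorizedkeyscommand unset: sshd never asks Phabricator for keys")
    return findings

# Constructed sample inputs: the key blob is a fake placeholder, not a real key.
CLIENT_PUB = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDconstructedFakeBlob== docker-compose-phabricator-jenkins"
HOOK_LINE = ("command=\"'/opt/bitnami/phabricator/bin/ssh-exec' '--phabricator-ssh-user' 'amosbird' '--phabricator-ssh-key' '3'\","
             "no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty " + CLIENT_PUB.rsplit(" ", 1)[0])
SSHD_CONF = ("AuthorizedKeysCommand /opt/phabricator-ssh-hook.sh\nAuthorizedKeysFile none\n"
             "PasswordAuthentication no\nPermitUserEnvironment yes\n")
```

Run audit_hook_line against the real hook output and your own .pub, and audit_sshd_config against the file in the container, to see which side of the handshake is wrong before reading the sshd -ddd log.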
I used /usr/sbin/sshd -f /etc/ssh/sshd_config.phabricator -ddd as well. I've changed the Dockerfile to this.
FROM bitnami/phabricator
RUN install_packages openssh-server acl
WORKDIR /opt/bitnami/phabricator
RUN bin/config set diffusion.ssh-port 22
RUN bin/config set diffusion.ssh-user git
RUN sed -e 's;/path/to/phabricator;/opt/bitnami/phabricator;' -e 's/vcs-user/git/' resources/sshd/phabricator-ssh-hook.sh > /opt/phabricator-ssh-hook.sh
RUN chmod 755 /opt/phabricator-ssh-hook.sh
RUN sed -e 's/2222/22/' -e 's/vcs-user/git/' -e 's;/usr/libexec/;/opt/;' resources/sshd/sshd_config.phabricator.example > /etc/ssh/sshd_config.phabricator
RUN echo 'PermitUserEnvironment yes' >> /etc/ssh/sshd_config.phabricator
RUN sed -i 's/git:!:/git:*:/' /etc/shadow
RUN sed -i 's;SSHD_OPTS=.*;SSHD_OPTS="-f /etc/ssh/sshd_config.phabricator";' /etc/default/ssh
RUN sed -i 's;\(\$root = \)dirname;\1;' /opt/bitnami/phabricator/bin/ssh-auth
RUN mkdir -p /home/phabricator/.ssh
RUN echo 'PATH=/usr/bin:/opt/bitnami/php/bin' >> /home/phabricator/.ssh/environment
RUN echo 'PATH=/opt/bitnami/php/bin:$PATH' >> /home/phabricator/.bashrc
RUN sed -e '3iexport PATH=/opt/bitnami/php/bin:$PATH' -i /opt/phabricator-ssh-hook.sh
RUN sed -i 's;\(exec .*\);usermod --password \\* git\nusermod --unlock git\nchown git:git ~git/.ssh/environment\nservice ssh start\nsetfacl -Rm d:u:phabricator:rwX,u:phabricator:rwX /bitnami/phabricator/data/\n\1;' /app-entrypoint.sh
EXPOSE 22
WORKDIR /
I'll try again with latest bitnami/phabricator. They certainly could have changed something.
Yeah, I suppose so. I've also encountered another permission issue related to the data directory's permissions. I have to manually run
chown -R daemon:phabricator /bitnami/phabricator/data
chmod -R 775 /bitnami/phabricator/data
after the volume is created.
Alrighty, I do see the connection failure with latest. Maybe next time pull a branch and share what you are actually running. :]
Ah, sorry I didn't even realize I've changed the version...
@amosbird, so what prompted you to change the ownership and permissions? This actually looks a bit familiar but I don't recall where from.
https://github.com/bitnami/bitnami-docker-phabricator/issues/70
When creating new users, this error occurs
With latest, it already works for me.
But, this may be a place that user ids mix between container and guest, I'm not sure. What do you get for above before you manually change it? What exactly are you running? I was able to create a new user just fine as well.
I just removed all the related containers and volumes. Then I restarted it with docker-compose up. Then I registered a new user with name foo, and it returned the above error page. The compose file is
version: '2'
services:
  phabricator_mariadb:
    image: 'bitnami/mariadb:latest'
    environment:
      - ALLOW_EMPTY_PASSWORD=yes
    volumes:
      - 'phabricator_mariadb_data:/bitnami'
  phabricator:
    image: 'amosbird/phabricator:latest'
    labels:
      - "traefik.frontend.rule=Host:dell123.phabricator"
      - "traefik.port=80"
    environment:
      - PHABRICATOR_HOST=dell123.phabricator
      - MARIADB_HOST=phabricator_mariadb
    ports:
      - '2222:22'
    volumes:
      - 'phabricator_data:/bitnami'
    depends_on:
      - phabricator_mariadb
volumes:
  phabricator_mariadb_data:
    driver: local
  phabricator_data:
    driver: local
Note the amosbird/phabricator is the Dockerfile I posted here before.
@amosbird could you test with a totally clean checkout? Depending if that works for you or not we will have a better idea where to look.
Side note, why are you changing the name of the mariadb service and why specify MARIADB_HOST at all? Everything will be named based on the compose directory so they will be grouped already. Also, can't you just configure PHABRICATOR_HOST with external env vars? Maybe a .env file?
Since you don't actually want Jenkins, but do seem to want Phabricator git access over ssh, perhaps I need to make a bitnami/phabricator fork with the ssh stuff that you can use. As it is, it seems you really aren't using this repository at all, just copying and pasting some stuff. It would make more sense to handle your issues in a repository that you are using.
Yeah, I agree. I don't have access to my servers on the weekend. Feel free to close it then. Thanks for your help!
@amosbird I think this ticket was addressed anyways with the commit I made. :]
To be clear, I'm not saying I won't try to help. I'm just saying we should be clear about what it is that doesn't work. If it's not a committed version of this repo then whatever it is should be concisely available. Checking for the issue in this repo may also help isolate the problem.
Hello, I've uploaded my ssh pubkey to my account; however, the ssh command still yields
permission denied (publickey)
I've tried inspecting the output of
/opt/phabricator-ssh-hook.sh git
inside the container. The output public key is the same as the one on my client machine. I have no idea what went wrong.