altendky / docker-compose-phabricator-jenkins


ssh permission denied(publickey) #4

Closed amosbird closed 6 years ago

amosbird commented 6 years ago

Hello, I've uploaded my ssh pubkey to my account; however, the ssh command still yields permission denied (publickey).

I've tried inspecting the output of `/opt/phabricator-ssh-hook.sh git` inside the container. The output public key is the same as that of my client machine. I have no idea what went wrong.

altendky commented 6 years ago

https://secure.phabricator.com/book/phabricator/article/diffusion_hosting/#troubleshooting-ssh

```
 ✘  ~/dcpj-t4   develop  ssh-keygen -t rsa -b 4096 -C "docker-compose-phabricator-jenkins"
Generating public/private rsa key pair.
Enter file in which to save the key (/home/altendky/.ssh/id_rsa): /home/altendky/.ssh/id_rsa_dcpj
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/altendky/.ssh/id_rsa_dcpj.
Your public key has been saved in /home/altendky/.ssh/id_rsa_dcpj.pub.
The key fingerprint is:
SHA256:xb2pi0Ld8gJ11atgI4UbF71Lfat/pbJ4VpoDo5Z5FMc docker-compose-phabricator-jenkins
The key's randomart image is:
+---[RSA 4096]----+
|         ..o .   |
|        o.o.o .  |
|         =oo.o . |
|        +.* Eoo .|
|       oS= *oo ..|
|      o o =.o ...|
|     . . B.o +...|
|      . *.ooB.. .|
|       o.ooo.+...|
+----[SHA256]-----+
 ✘  ~/dcpj-t4   develop  bash
altendky@lt:~/dcpj-t4$ eval "$(ssh-agent -s)"
Agent pid 9383
altendky@lt:~/dcpj-t4$ ssh-add ~/.ssh/id_rsa_dcpj
Identity added: /home/altendky/.ssh/id_rsa_dcpj (/home/altendky/.ssh/id_rsa_dcpj)
altendky@lt:~/dcpj-t4$ cat ~/.ssh/id_rsa_dcpj.pub 
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCb7Tgb6NOP014d84HXmdtisvOhdpEq4nwoLjMBEJWSVlItRYeF045hNGkpWpHnuXydILx0eSHgzkhGVtiG1zbkUftYD1Hgcwp/sA536nbA0rgwfeSojaFFeShlmggK7aEiMsR4VYMRrCJdH1tz3SdTJU39b7a+5iQkIVaOjYDzkOwWBtQeoBwqUUJVcOzYVBJdDQaYrozu64K<snipped for good measure tUUjCQ9pE6TjY2xF2mxUCVzZPb/nAulmAS6l4/i+jLPrFqAMCnnxkGX2cvcU6tKt2JnP+UpaT5HRW992cER0hANqbclxTbXByXUKH7sEBs3SWPXFwPl65JItVxMi+lfkqUfboeDjmPqo9jysJszqWIB4G3vCc+cC1Ge+0XSVKUT2ZqYizmZAaItOAwMfkqczDhMuqjOnBqZZrB0E84jCxWn7kkZ+C/cWz+AWwY68vQZXu2fdmbP4qJgQiQuiBjrJ5OmbRBKhKVDv/g04O+XZ/5yxpMTtf7x/bTLpund51MV70F1xEwMgDHG1Y7O6WFrOPxErn8QlKwaNat2KxPctFc8VnnnmsdHE+eJPseEHOdfK4pauQyeXLU+5yWthMoByQKsUxgJOf6pFh1w== docker-compose-phabricator-jenkins
altendky@lt:~/dcpj-t4$ ssh -T git@phabricator.local
phabricator-ssh-exec: Welcome to Phabricator.

You are logged in as user.

You haven't specified a command to run. This means you're requesting an interactive shell, but Phabricator does not provide an interactive shell over SSH.

Usually, you should run a command like `git clone` or `hg push` rather than connecting directly with SSH.

Supported commands are: conduit, git-lfs-authenticate, git-receive-pack, git-upload-pack, hg, svnserve.
altendky@lt:~/dcpj-t4$
```

Notice that I am trying to connect as the vcs-user (git). If you don't get it working please share a full session like this (you can make a new key just for this and throw it away afterwards).

amosbird commented 6 years ago

```
 ❯ ssh-keygen -t rsa -b 4096 -C "docker-compose-phabricator-jenkins"
Generating public/private rsa key pair.
Enter file in which to save the key (/home/amos/.ssh/id_rsa): /home/amos/.ssh/id_rsa_dcpj
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/amos/.ssh/id_rsa_dcpj.
Your public key has been saved in /home/amos/.ssh/id_rsa_dcpj.pub.
The key fingerprint is:
8d:68:23:31:65:f9:fb:16:5f:ac:10:4f:ce:30:83:31 docker-compose-phabricator-jenkins
The key's randomart image is:
+--[ RSA 4096]----+
|      o.         |
|     o. E        |
|    o  . +       |
|     o .oo= .    |
|    . + S..X .   |
|     o .. o + o  |
|         . + o   |
|          o o    |
|         .       |
+-----------------+

[ 6s465 | Aug 03 02:52PM ]

 ❯ bash
[amos@dell123 webservices]$ eval "$(ssh-agent -s)"
Agent pid 5901
[amos@dell123 webservices]$ ssh-add ~/.ssh/id_rsa_dcpj
Identity added: /home/amos/.ssh/id_rsa_dcpj (/home/amos/.ssh/id_rsa_dcpj)
[amos@dell123 webservices]$ cat ~/.ssh/id_rsa_dcpj.pub
ssh-rsa <key data omitted> docker-compose-phabricator-jenkins
[amos@dell123 webservices]$ ssh -T git@dell123.phabricator
Permission denied (publickey).
[amos@dell123 webservices]$
```

I also inspected the phabricator ssh hook

```
 ❯ docker exec -it webservices_phabricator_1 bash
root@52c0fc82a34f:/# /opt/phabricator-ssh-hook.sh git
command="'/opt/bitnami/phabricator/bin/ssh-exec' '--phabricator-ssh-user' 'amosbird' '--phabricator-ssh-key' '3'",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa <key data omitted>
```

The full sshd debug log is

amosbird commented 6 years ago

OK, it seems `~/.ssh/environment` doesn't affect the `AuthorizedKeysCommand`. I have to add `export PATH=/opt/bitnami/php/bin:$PATH` in `/opt/phabricator-ssh-hook.sh`.
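
The failure and fix described in the comment above can be reproduced without sshd. This is an added example, not code from the thread or the project: `fake-php`, the sandbox layout, both hook variants and the key line are constructed stand-ins, and the minimal `PATH=/usr/bin:/bin` is an assumption about the environment the helper receives.

```shell
#!/bin/sh
# Added example (constructed sandbox): an AuthorizedKeysCommand-style hook that
# prints keys when run by hand but exits 127 when its caller supplies only a
# minimal PATH.

# Create a throwaway tree: an interpreter in a non-standard directory plus two
# hook variants. All names and the key line are stand-ins.
setup_sandbox() {
    SANDBOX=$(mktemp -d) || return 1
    mkdir -p "$SANDBOX/opt/bin" || return 1

    # Hypothetical interpreter; emits one authorized_keys-style line.
    cat > "$SANDBOX/opt/bin/fake-php" <<'EOF'
#!/bin/sh
echo 'command="ssh-exec --user demo",no-pty ssh-rsa AAAAconstructed demo'
EOF

    # Hook that trusts whatever PATH its caller provides.
    cat > "$SANDBOX/hook-broken.sh" <<'EOF'
#!/bin/sh
[ "$1" = "git" ] || exit 1
exec fake-php
EOF

    # Hook that pins the interpreter directory itself (the fix from the thread).
    cat > "$SANDBOX/hook-fixed.sh" <<EOF
#!/bin/sh
PATH="$SANDBOX/opt/bin:\$PATH"
export PATH
[ "\$1" = "git" ] || exit 1
exec fake-php
EOF

    chmod 755 "$SANDBOX/opt/bin/fake-php" \
        "$SANDBOX/hook-broken.sh" "$SANDBOX/hook-fixed.sh"
}

# Run hook $1 with an emptied environment and print its exit status.
# $2 overrides the PATH handed to the hook (default: a minimal system PATH,
# which is an assumption about what the caller provides).
hook_status() {
    rc=0
    env -i PATH="${2:-/usr/bin:/bin}" "$1" git >/dev/null 2>&1 || rc=$?
    echo "$rc"
}

# Map the exit status to the usual shell meaning.
explain_status() {
    case "$1" in
        0)   echo "ok" ;;
        126) echo "found but not executable (check mode bits and shebang)" ;;
        127) echo "command not found (check PATH inside the helper)" ;;
        *)   echo "helper-specific failure" ;;
    esac
}

demo() {
    setup_sandbox || return 1
    # 1. Run by hand from a shell whose PATH already has the interpreter.
    by_hand=$(hook_status "$SANDBOX/hook-broken.sh" "$SANDBOX/opt/bin:/usr/bin:/bin")
    # 2. Same hook, but the caller provides only the minimal PATH.
    minimal=$(hook_status "$SANDBOX/hook-broken.sh")
    # 3. Hook that exports its own PATH, under the same minimal caller.
    fixed=$(hook_status "$SANDBOX/hook-fixed.sh")
    printf 'broken hook, by hand      : %s (%s)\n' "$by_hand" "$(explain_status "$by_hand")"
    printf 'broken hook, minimal PATH : %s (%s)\n' "$minimal" "$(explain_status "$minimal")"
    printf 'fixed hook, minimal PATH  : %s (%s)\n' "$fixed" "$(explain_status "$fixed")"
    rm -rf "$SANDBOX"
}

demo
```

The first case shows why inspecting the hook from an interactive shell in the container is not conclusive: the same script can print the correct key there and still fail when its caller does not supply the interpreter's directory.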

altendky commented 6 years ago

What other things have you changed? Can you try it on a fresh build of the docker-compose? I'm testing on 58163793b2e6a3d6854eaebd068b2ee4651521cb. I tried again after creating a new user (even named it amosbird for consistency) and it worked fine as well.

What was the full command line you ran in the container to get the debug log? Could you run it again, as it also seems to be missing the first several startup lines? I want to make sure you had the sshd_config.phabricator specified.

```
root@bfce51e89d1f:/# /usr/sbin/sshd -f /etc/ssh/sshd_config.phabricator -ddd
```

It's been a while but I think that I had a similar issue and that the PermitUserEnvironment option was important. Though I think this is one of the security hazards present in this image.

```
root@bfce51e89d1f:/# cat /etc/ssh/sshd_config.phabricator
# NOTE: You must have OpenSSHD 6.2 or newer; support for AuthorizedKeysCommand
# was added in this version.

# NOTE: Edit these to the correct values for your setup.

AuthorizedKeysCommand /opt/phabricator-ssh-hook.sh
AuthorizedKeysCommandUser git
AllowUsers git

# You may need to tweak these options, but mostly they just turn off everything
# dangerous.

Port 22
Protocol 2
PermitRootLogin no
AllowAgentForwarding no
AllowTcpForwarding no
PrintMotd no
PrintLastLog no
PasswordAuthentication no
ChallengeResponseAuthentication no
AuthorizedKeysFile none

PidFile /var/run/sshd-phabricator.pid
PermitUserEnvironment yes
```

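
The `PermitUserEnvironment yes` line in the config above is the setting the comment calls a security hazard. As an added example (not code from this repository; the function names are hypothetical), this script reports it along with the other directives the posted config sets to `no`, and checks that the environment file sets only an absolute `PATH`, using the directives and `PATH` value from this thread as sample input.

```shell
#!/usr/bin/env bash
# Added example (not from the repository): audit the sshd settings in this thread.

# Effective global value of a keyword. sshd keeps the first occurrence and
# matches keywords case-insensitively; Match blocks are not evaluated here.
sshd_effective() {  # usage: sshd_effective <config-file> <keyword>
  awk -v want="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" '
    /^[ \t]*(#|$)/ { next }
    tolower($1) == "match" { exit }
    tolower($1) == want { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
  ' "$1"
}

# Print one WARN line per finding; return 1 if anything was flagged.
audit_sshd_config() {  # usage: audit_sshd_config <config-file>
  local kw got rc=0
  for kw in PermitRootLogin AllowAgentForwarding AllowTcpForwarding \
            PasswordAuthentication ChallengeResponseAuthentication; do
    got=$(sshd_effective "$1" "$kw")
    [ "$got" = "no" ] || { echo "WARN $kw is '${got:-unset}', expected 'no'"; rc=1; }
  done
  got=$(sshd_effective "$1" PermitUserEnvironment)
  [ "${got:-no}" = "no" ] || {
    echo "WARN PermitUserEnvironment is '$got': sshd will apply ~/.ssh/environment"
    rc=1
  }
  return "$rc"
}

# With PermitUserEnvironment on, the environment file is part of the trust
# boundary: allow only PATH, and only absolute PATH entries.
audit_env_file() {  # usage: audit_env_file <environment-file>
  awk -F= '
    /^[ \t]*(#|$)/ { next }
    $1 != "PATH" { print "WARN unexpected variable " $1; bad = 1; next }
    { n = split(substr($0, 6), dir, ":")
      for (i = 1; i <= n; i++) if (dir[i] !~ /^\//) { print "WARN non-absolute PATH entry \"" dir[i] "\""; bad = 1 } }
    END { exit bad + 0 }
  ' "$1"
}

# Sample input: directives and PATH value taken from the config and Dockerfile in this thread.
demo_dir=$(mktemp -d)
printf '%s\n' 'PermitRootLogin no' 'AllowAgentForwarding no' 'AllowTcpForwarding no' \
  'PasswordAuthentication no' 'ChallengeResponseAuthentication no' \
  'PermitUserEnvironment yes' > "$demo_dir/sshd_config"
printf 'PATH=/usr/bin:/opt/bitnami/php/bin\n' > "$demo_dir/environment"
audit_sshd_config "$demo_dir/sshd_config" || true
audit_env_file "$demo_dir/environment" && echo "environment file OK"
```
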
altendky commented 6 years ago

Also, I would be concerned that manual modifications to /opt/phabricator-ssh-hook.sh would get overwritten. Maybe check that sooner than later to avoid future confusion.

amosbird commented 6 years ago

I used /usr/sbin/sshd -f /etc/ssh/sshd_config.phabricator -ddd as well. I've changed the Dockerfile to this.

```dockerfile
FROM bitnami/phabricator

RUN install_packages openssh-server acl

WORKDIR /opt/bitnami/phabricator

RUN bin/config set diffusion.ssh-port 22
RUN bin/config set diffusion.ssh-user git
RUN sed -e 's;/path/to/phabricator;/opt/bitnami/phabricator;' -e 's/vcs-user/git/' resources/sshd/phabricator-ssh-hook.sh > /opt/phabricator-ssh-hook.sh
RUN chmod 755 /opt/phabricator-ssh-hook.sh
RUN sed -e 's/2222/22/' -e 's/vcs-user/git/' -e 's;/usr/libexec/;/opt/;' resources/sshd/sshd_config.phabricator.example > /etc/ssh/sshd_config.phabricator
RUN echo 'PermitUserEnvironment yes' >> /etc/ssh/sshd_config.phabricator
RUN sed -i 's/git:!:/git:*:/' /etc/shadow
RUN sed -i 's;SSHD_OPTS=.*;SSHD_OPTS="-f /etc/ssh/sshd_config.phabricator";' /etc/default/ssh
RUN sed -i 's;\(\$root = \)dirname;\1;' /opt/bitnami/phabricator/bin/ssh-auth
RUN mkdir -p /home/phabricator/.ssh
RUN echo 'PATH=/usr/bin:/opt/bitnami/php/bin' >> /home/phabricator/.ssh/environment
RUN echo 'PATH=/opt/bitnami/php/bin:$PATH' >> /home/phabricator/.bashrc
RUN sed -e '3iexport PATH=/opt/bitnami/php/bin:$PATH' -i /opt/phabricator-ssh-hook.sh
RUN sed -i 's;\(exec .*\);usermod --password \\* git\nusermod --unlock git\nchown git:git ~git/.ssh/environment\nservice ssh start\nsetfacl -Rm d:u:phabricator:rwX,u:phabricator:rwX /bitnami/phabricator/data/\n\1;' /app-entrypoint.sh

EXPOSE 22

WORKDIR /
```

altendky commented 6 years ago

I'll try again with latest bitnami/phabricator. They certainly could have changed something.

amosbird commented 6 years ago

Yeah, I suppose so. I've also encountered another permission issue related to data directory's permission. I have to manually run

```bash
chown -R daemon:phabricator /bitnami/phabricator/data
chmod -R 775 /bitnami/phabricator/data
```

after volume created.

altendky commented 6 years ago

Alrighty, I do see the connection failure with latest. Maybe next time pull a branch and share what you are actually running. :]

amosbird commented 6 years ago

Ah, sorry I didn't even realize I've changed the version...

altendky commented 6 years ago

@amosbird, so what prompted you to change the ownership and permissions? This actually looks a bit familiar but I don't recall where from.

amosbird commented 6 years ago

https://github.com/bitnami/bitnami-docker-phabricator/issues/70

When creating new users, this error occurs: [image: img-2018-08-03-205129]

altendky commented 6 years ago

With latest, it already works for me.

ls -Rl /bitnami/phabricator

```bash
root@7bf4e784cba8:/# ls -Rl /bitnami/phabricator
/bitnami/phabricator:
total 12
drwxr-xr-x 5 root root 4096 Aug 3 12:40 conf
drwxrwxr-x+ 14 daemon daemon 4096 Aug 3 12:57 data
drwxr-xr-x 2 phabricator phabricator 4096 Aug 3 12:40 repo

/bitnami/phabricator/conf:
total 16
-rw-r--r-- 1 root root 2010 Aug 3 12:40 __init_conf__.php
drwxr-xr-x 2 root root 4096 Aug 3 12:40 aphlict
drwxr-xr-x 2 root root 4096 Aug 3 12:40 keys
drwxr-xr-x 2 root root 4096 Aug 3 12:40 local

/bitnami/phabricator/conf/aphlict:
total 8
-rw-r--r-- 1 root root 713 Aug 3 12:40 README
-rw-r--r-- 1 root root 450 Aug 3 12:40 aphlict.default.json

/bitnami/phabricator/conf/keys:
total 0

/bitnami/phabricator/conf/local:
total 8
-rw-r--r-- 1 root root 44 Aug 3 12:40 README
-rw-r--r-- 1 root root 1243 Aug 3 12:40 local.json

/bitnami/phabricator/data:
total 48
drwxrwxr-x+ 3 daemon daemon 4096 Aug 3 12:40 0e
drwxrwxr-x+ 3 daemon daemon 4096 Aug 3 12:40 1a
drwxrwxr-x+ 3 daemon daemon 4096 Aug 3 12:40 46
drwxrwxr-x+ 3 daemon daemon 4096 Aug 3 12:40 64
drwxrwxr-x+ 3 daemon daemon 4096 Aug 3 12:40 98
drwxrwxr-x+ 3 daemon daemon 4096 Aug 3 12:40 a7
drwxrwxr-x+ 3 daemon daemon 4096 Aug 3 12:57 aa
drwxrwxr-x+ 3 daemon daemon 4096 Aug 3 12:40 e0
drwxrwxr-x+ 3 daemon daemon 4096 Aug 3 12:40 ec
drwxrwxr-x+ 3 daemon daemon 4096 Aug 3 12:40 f2
drwxrwxr-x+ 3 daemon daemon 4096 Aug 3 12:40 f7
drwxrwxr-x+ 3 daemon daemon 4096 Aug 3 12:43 fc

/bitnami/phabricator/data/0e:
total 4
drwxrwxr-x+ 2 daemon daemon 4096 Aug 3 12:40 3b

/bitnami/phabricator/data/0e/3b:
total 16
-rw-rw-r--+ 1 daemon daemon 16134 Aug 3 12:40 af4a6d4e226de8561f77e6327ee0

/bitnami/phabricator/data/1a:
total 4
drwxrwxr-x+ 2 daemon daemon 4096 Aug 3 12:40 28

/bitnami/phabricator/data/1a/28:
total 12
-rw-rw-r--+ 1 daemon daemon 9913 Aug 3 12:40 c38256e79e32b51e17376f49781a

/bitnami/phabricator/data/46:
total 4
drwxrwxr-x+ 2 daemon daemon 4096 Aug 3 12:40 d3

/bitnami/phabricator/data/46/d3:
total 12
-rw-rw-r--+ 1 daemon daemon 9928 Aug 3 12:40 7e57be2de6bff5a3c499caf82349

/bitnami/phabricator/data/64:
total 4
drwxrwxr-x+ 2 daemon daemon 4096 Aug 3 12:40 c5

/bitnami/phabricator/data/64/c5:
total 4
-rw-rw-r--+ 1 daemon daemon 4035 Aug 3 12:40 95e56a667c5f3eae0d3c605c4ca6

/bitnami/phabricator/data/98:
total 4
drwxrwxr-x+ 2 daemon daemon 4096 Aug 3 12:40 ae

/bitnami/phabricator/data/98/ae:
total 4
-rw-rw-r--+ 1 daemon daemon 1468 Aug 3 12:40 6aabe49658cd8676c5232431f38d

/bitnami/phabricator/data/a7:
total 4
drwxrwxr-x+ 2 daemon daemon 4096 Aug 3 12:40 b6

/bitnami/phabricator/data/a7/b6:
total 16
-rw-rw-r--+ 1 daemon daemon 16105 Aug 3 12:40 d6b2b8bb2546a8352da47d42ba3d

/bitnami/phabricator/data/aa:
total 4
drwxrwxr-x+ 2 daemon daemon 4096 Aug 3 12:57 b2

/bitnami/phabricator/data/aa/b2:
total 8
-rw-rw-r--+ 1 daemon daemon 4487 Aug 3 12:57 e8b4e87c3b6c7dcae285ab2575fe

/bitnami/phabricator/data/e0:
total 4
drwxrwxr-x+ 2 daemon daemon 4096 Aug 3 12:40 b9

/bitnami/phabricator/data/e0/b9:
total 8
-rw-rw-r--+ 1 daemon daemon 5112 Aug 3 12:40 7236b5c7c78cf54c1eba01c47c2e

/bitnami/phabricator/data/ec:
total 4
drwxrwxr-x+ 2 daemon daemon 4096 Aug 3 12:40 30

/bitnami/phabricator/data/ec/30:
total 8
-rw-rw-r--+ 1 daemon daemon 4831 Aug 3 12:40 c21bfa896f5b8b314372adf12ebd

/bitnami/phabricator/data/f2:
total 4
drwxrwxr-x+ 2 daemon daemon 4096 Aug 3 12:40 23

/bitnami/phabricator/data/f2/23:
total 8
-rw-rw-r--+ 1 daemon daemon 4750 Aug 3 12:40 e6f175c9e02448562c8983dfbd8c

/bitnami/phabricator/data/f7:
total 4
drwxrwxr-x+ 2 daemon daemon 4096 Aug 3 12:40 e8

/bitnami/phabricator/data/f7/e8:
total 8
-rw-rw-r--+ 1 daemon daemon 5114 Aug 3 12:40 1dfc429913a28bc2d6eaf115a314

/bitnami/phabricator/data/fc:
total 4
drwxrwxr-x+ 2 daemon daemon 4096 Aug 3 12:43 27

/bitnami/phabricator/data/fc/27:
total 8
-rw-rw-r--+ 1 daemon daemon 6277 Aug 3 12:43 afee0c4a0fa079da4ed74730c821

/bitnami/phabricator/repo:
total 0
```

But, this may be a place that user ids mix between container and guest, I'm not sure. What do you get for above before you manually change it? What exactly are you running? I was able to create a new user just fine as well.

amosbird commented 6 years ago

I just removed all the related containers and volumes. Then restart it with docker-compose up. Then I registered a new user with name foo, it returns the above error page. The compose file is

```yaml
version: '2'
services:
  phabricator_mariadb:
    image: 'bitnami/mariadb:latest'
    environment:
      - ALLOW_EMPTY_PASSWORD=yes
    volumes:
      - 'phabricator_mariadb_data:/bitnami'
  phabricator:
    image: 'amosbird/phabricator:latest'
    labels:
      - "traefik.frontend.rule=Host:dell123.phabricator"
      - "traefik.port=80"
    environment:
      - PHABRICATOR_HOST=dell123.phabricator
      - MARIADB_HOST=phabricator_mariadb
    ports:
      - '2222:22'
    volumes:
      - 'phabricator_data:/bitnami'
    depends_on:
      - phabricator_mariadb
volumes:
  phabricator_mariadb_data:
    driver: local
  phabricator_data:
    driver: local
```

Note the amosbird/phabricator is the Dockerfile I posted here before.

altendky commented 6 years ago

@amosbird could you test with a totally clean checkout? Depending if that works for you or not we will have a better idea where to look.

Side note, why are you changing the name of the mariadb service and why specify MARIADB_HOST at all? Everything will be named based on the compose directory so they will be grouped already. Also, can't you just configure PHABRICATOR_HOST with external env vars? Maybe a .env file?

altendky commented 6 years ago

Since you don't actually want Jenkins, but do seem to want Phabricator git access over ssh, perhaps I need to make a bitnami/phabricator fork with the ssh stuff that you can use. As it is, it seems you really aren't using this repository at all, just copying and pasting some stuff. It would make more sense to handle your issues in a repository that you are using.

amosbird commented 6 years ago

Yeah, I agree. I don't have access to my servers on the weekend. Feel free to close it then. Thanks for your help!

altendky commented 6 years ago

@amosbird I think this ticket was addressed anyways with the commit I made. :]

To be clear, I'm not saying I won't try to help. I'm just saying we should be clear about what it is that doesn't work. If it's not a committed version of this repo then whatever it is should be concisely available. Checking for the issue in this repo may also help isolate the problem.