gitblit-org / gitblit

pure java git solution
http://gitblit.com
Apache License 2.0

after add id_rsa.pub to server, but still need input password. #1419

Closed iysheng closed 1 year ago

iysheng commented 2 years ago

After I added id_rsa.pub to my profile from the web UI, when I push to repos I still get a prompt asking me to enter a password, as below:

▸ git push origin master
Password authentication
(yangyongsheng@10.20.52.50) Password:
flaix commented 2 years ago

Do you push via SSH? What does your git remote -v show?

flaix commented 2 years ago

Have you tried whether you can use SSH against the server? ssh -l username -i .ssh/id_rsa -p 29418 servername.com

iysheng commented 2 years ago

Do you push via SSH? What does your git remote -v show?

When I do, it shows just this:

▸ git remote -v
origin  ssh://yangyongsheng@10.20.52.50:12390/led3000.git (fetch)
origin  ssh://yangyongsheng@10.20.52.50:12390/led3000.git (push)
iysheng commented 2 years ago

Have you tried if you can use SSH against the server? ssh -l username -i .ssh/id_rsa -p 29418 servername.com

When I run the command below:

▸ ssh -l yangyongsheng -i ~/.ssh/id_rsa -p 29418 10.20.52.50

It just gets stuck. When I changed the port from 29418 to 12390, as I configured it, it still asks me to enter a password.

▸ ssh -l yangyongsheng -i ~/.ssh/id_rsa -p 12390 10.20.52.50
Password authentication
(yangyongsheng@10.20.52.50) Password:
flaix commented 2 years ago

Thank you for looking into this. But do you see your key under SSH keys in your profile? Or is it the same as in #1415?

flaix commented 2 years ago

I tested this with Gitblit running on Linux. An ssh-rsa public key could be added to the user profile and also showed up in the list of keys. Pulling and pushing with SSH immediately worked with the key where before the password was requested.

If this problem persists for you, we will need more detailed information, like server logs, SSH key type, SSH debug logs, etc.

flaix commented 1 year ago

What SSH client are you using? Does it still support RSA keys? I just tried this from Fedora 36, which uses OpenSSH 8.8, which has RSA keys disabled. The same Gitblit server can be accessed with an RSA key for the user from a different client which has OpenSSH 7.9, which still supports RSA keys.

iysheng commented 1 year ago

I use this sshd version:

▸ sshd --version
unknown option -- -
OpenSSH_8.7p1, OpenSSL 1.1.1q  FIPS 5 Jul 2022
usage: sshd [-46DdeiqTt] [-C connection_spec] [-c host_cert_file]
            [-E log_file] [-f config_file] [-g login_grace_time]
            [-h host_key_file] [-o option] [-p port] [-u len]

I always use ssh RSA keys with the GitHub server. Could it be the Windows server firewall?

flaix commented 1 year ago

But this is from an SSH server. The question is whether the SSH client that you use on your machine, on which you pull with git, supports ssh-rsa keys.

flaix commented 1 year ago

This is an SSH exchange when the client does not support RSA keys anymore and your only key on the Gitblit server is an RSA key:

[florian@fedora ~]$ ssh -v -p 29418  florian@10.211.55.2 keys ls
OpenSSH_8.8p1, OpenSSL 3.0.2 15 Mar 2022
debug1: Reading configuration data /etc/ssh/ssh_config
[...]
debug1: Connecting to 10.211.55.2 [10.211.55.2] port 29418.
debug1: Connection established.
debug1: identity file /home/florian/.ssh/id_rsa type 0
debug1: identity file /home/florian/.ssh/id_rsa-cert type -1
debug1: identity file /home/florian/.ssh/id_dsa type -1
debug1: identity file /home/florian/.ssh/id_dsa-cert type -1
debug1: identity file /home/florian/.ssh/id_ecdsa type 2
[...]
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: password,keyboard-interactive,publickey
debug1: Next authentication method: publickey
debug1: Offering public key: /home/florian/.ssh/id_ed25519 ED25519 SHA256:d0QrJKEUfhhhm4RALhf22nFSrsaVov+lYN6vRbkofig agent
debug1: Authentications that can continue: password,keyboard-interactive,publickey
debug1: Offering public key: /home/florian/.ssh/id_ecdsa ECDSA SHA256:GTOdKlxE4tLS7+ssdxX8hi0JpuEFk2wgLC44u+zYJ5M agent
debug1: Authentications that can continue: password,keyboard-interactive,publickey
debug1: Offering public key: /home/florian/.ssh/id_rsa RSA SHA256:0orGyVup/Mzpawt8vl4QBe80jNaJrReL4LeOcT2QoKs agent
debug1: send_pubkey_test: no mutual signature algorithm
debug1: Trying private key: /home/florian/.ssh/id_dsa
debug1: Trying private key: /home/florian/.ssh/id_ecdsa_sk
debug1: Trying private key: /home/florian/.ssh/id_ed25519_sk
debug1: Trying private key: /home/florian/.ssh/id_xmss
debug1: Next authentication method: keyboard-interactive
Password authentication
(florian@10.211.55.2) Password: 

If the client still accepts RSA keys, then it would work, as seen here:

florian@iMac:.ssh $ ssh -v -p 29418 florian@localhost keys which
OpenSSH_7.9p1, LibreSSL 2.7.3
debug1: Reading configuration data /Users/florian/.ssh/config
[...]
debug1: Connecting to 10.211.55.2 [10.211.55.2] port 29418.
debug1: Connection established.
debug1: identity file /Users/florian/.ssh/id_rsa type 0
debug1: identity file /Users/florian/.ssh/id_rsa-cert type -1
debug1: identity file /Users/florian/.ssh/id_dsa type -1
debug1: identity file /Users/florian/.ssh/id_dsa-cert type -1
debug1: identity file /Users/florian/.ssh/id_ecdsa type 2
debug1: identity file /Users/florian/.ssh/id_ecdsa-cert type -1
debug1: identity file /Users/florian/.ssh/id_ed25519 type 3
[...]
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: password,keyboard-interactive,publickey
debug1: Next authentication method: publickey
debug1: Offering public key: /Users/florian/.ssh/id_ecdsa ECDSA SHA256:rmmGPKCg8sx4X1HLUfY9yzQN6kj8ex/HPTbB77ak9go agent
debug1: Authentications that can continue: password,keyboard-interactive,publickey
debug1: Offering public key: /Users/florian/.ssh/id_rsa RSA SHA256:2edmZqh8ci88hWF9NWxgD/+uGxC3318th07xC+Zrauw
debug1: Server accepts key: /Users/florian/.ssh/id_rsa RSA SHA256:2edmZqh8ci88hWF9NWxgD/+uGxC3318th07xC+Zrauw
debug1: Authentication succeeded (publickey).
Authenticated to localhost ([::1]:29418).
[...]
debug1: Sending command: keys which

Maybe running your ssh command with ssh -v can give you more information why it doesn't accept your key.
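As an added illustration (not from this thread or from the Gitblit project), here is a small Python helper that reads `ssh -v` output of the kind quoted above and classifies, per offered key, why public-key authentication did not go through: the key is unknown to the server, or the key is known but client and server share no signature algorithm for it, or host-key negotiation failed before authentication even started. The three transcripts embedded in it are constructed excerpts modelled on the logs in this thread; the paths, fingerprints and function names are choices of this example.

```python
"""Classify an `ssh -v` client transcript: did public-key authentication happen and,
if not, which key failed and why.  Added example, not Gitblit or OpenSSH code."""
import re
import sys
from typing import Dict

# Constructed excerpts modelled on the transcripts quoted in this thread.
FAIL_LOG = """\
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: password,keyboard-interactive,publickey
debug1: Next authentication method: publickey
debug1: Offering public key: /home/red/.ssh/id_ed25519 ED25519 SHA256:d0QrJKEUfhhhm4RALhf22nFSrsaVov+lYN6vRbkofig agent
debug1: Authentications that can continue: password,keyboard-interactive,publickey
debug1: Offering public key: /home/red/.ssh/id_rsa RSA SHA256:JBRN+h1D0t2TNAVnrF/odMbcLC5LbGLcZe7ttaINrp4
debug1: send_pubkey_test: no mutual signature algorithm
debug1: Next authentication method: keyboard-interactive
Authenticated to 10.20.52.50 ([10.20.52.50]:12390) using "keyboard-interactive".
"""
OK_LOG = """\
debug1: Authentications that can continue: password,keyboard-interactive,publickey
debug1: Next authentication method: publickey
debug1: Offering public key: /Users/florian/.ssh/id_ecdsa ECDSA SHA256:rmmGPKCg8sx4X1HLUfY9yzQN6kj8ex/HPTbB77ak9go agent
debug1: Authentications that can continue: password,keyboard-interactive,publickey
debug1: Offering public key: /Users/florian/.ssh/id_rsa RSA SHA256:2edmZqh8ci88hWF9NWxgD/+uGxC3318th07xC+Zrauw
debug1: Server accepts key: /Users/florian/.ssh/id_rsa RSA SHA256:2edmZqh8ci88hWF9NWxgD/+uGxC3318th07xC+Zrauw
debug1: Authentication succeeded (publickey).
"""
HOSTKEY_LOG = """\
debug1: kex: algorithm: ecdh-sha2-nistp256
debug1: kex: host key algorithm: (no match)
Unable to negotiate with 10.20.52.50 port 12390: no matching host key type found. Their offer: ssh-rsa,ssh-dss
"""

OFFER_RE = re.compile(r"Offering public key: (\S+) (\S+) (SHA256:\S+)")
ACCEPT_RE = re.compile(r"Server accepts key: (\S+) (\S+) (SHA256:\S+)")
CONTINUE_RE = re.compile(r"Authentications that can continue:")
NO_SIG_RE = re.compile(r"send_pubkey_test: no mutual signature algorithm")
HOSTKEY_RE = re.compile(r"no matching host key type found\. Their offer: (\S+)")
FALLBACK_RE = re.compile(r'using "(keyboard-interactive|password)"')


def diagnose(log: str) -> Dict:
    """Return {'offered': [per-key dicts], 'accepted': fingerprint or None, 'problems': [...]}.

    Per-key outcome: 'accepted' (server answered that it knows the key),
    'rejected by server' (server replied with another "can continue" list, so it has no
    such key for this user or does not support the type), or
    'no mutual signature algorithm' (key type is fine, but no common way to sign with it).
    """
    result = {"offered": [], "accepted": None, "problems": []}
    last = None
    for line in log.splitlines():
        m = OFFER_RE.search(line)
        if m:
            last = {"path": m.group(1), "type": m.group(2), "fp": m.group(3), "outcome": "pending"}
            result["offered"].append(last)
            continue
        m = ACCEPT_RE.search(line)
        if m:
            result["accepted"] = m.group(3)
            if last is not None:
                last["outcome"] = "accepted"
            continue
        if NO_SIG_RE.search(line) and last is not None:
            last["outcome"] = "no mutual signature algorithm"
            msg = f"{last['path']} ({last['type']}): no mutual signature algorithm"
            if last["type"] == "RSA":
                # OpenSSH 8.8+ no longer signs with ssh-rsa (SHA-1) by default; the key
                # itself is fine, but the server offered no rsa-sha2-256/512 alternative.
                msg += " (client refuses SHA-1 ssh-rsa signatures; server offers no rsa-sha2-*)"
            result["problems"].append(msg)
            continue
        if CONTINUE_RE.search(line) and last is not None and last["outcome"] == "pending":
            last["outcome"] = "rejected by server"
            continue
        m = HOSTKEY_RE.search(line)
        if m:
            result["problems"].append(
                f"host key negotiation failed; server offers only {m.group(1).split(',')}")
            continue
        m = FALLBACK_RE.search(line)
        if m:
            result["problems"].append(f"fell back to {m.group(1)} (password) authentication")
    return result


def report(result: Dict) -> str:
    """Human-readable summary of diagnose()."""
    lines = [f"{k['type']:8} {k['fp']}  {k['path']}: {k['outcome']}" for k in result["offered"]]
    if result["accepted"]:
        lines.append(f"public-key authentication succeeded with {result['accepted']}")
    lines += ["PROBLEM: " + p for p in result["problems"]]
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: ssh -v -p 12390 user@host keys ls 2>&1 | python3 ssh_diag.py
    text = FAIL_LOG if sys.stdin.isatty() else sys.stdin.read()
    print(report(diagnose(text)))
```

The distinction the tool makes is the one that matters for this thread: a key that is "rejected by server" is simply not in the user's key list on Gitblit (or is of a type this Gitblit version cannot use), whereas "no mutual signature algorithm" means the key was recognised but the client would only sign with algorithms the server never offered.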

iysheng commented 1 year ago

I'm sorry for using the sshd command. I tested following your guide:

OpenSSH_8.7p1, OpenSSL 1.1.1q  FIPS 5 Jul 2022
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Reading configuration data /etc/ssh/ssh_config.d/50-redhat.conf
debug1: Reading configuration data /etc/crypto-policies/back-ends/openssh.config
debug1: configuration requests final Match pass
debug1: re-parsing configuration
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Reading configuration data /etc/ssh/ssh_config.d/50-redhat.conf
debug1: Reading configuration data /etc/crypto-policies/back-ends/openssh.config
debug1: Connecting to 10.20.52.50 [10.20.52.50] port 12390.
debug1: Connection established.
debug1: identity file /home/red/.ssh/id_rsa type 0
debug1: identity file /home/red/.ssh/id_rsa-cert type -1
debug1: identity file /home/red/.ssh/id_dsa type -1
debug1: identity file /home/red/.ssh/id_dsa-cert type -1
debug1: identity file /home/red/.ssh/id_ecdsa type -1
debug1: identity file /home/red/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/red/.ssh/id_ecdsa_sk type -1
debug1: identity file /home/red/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file /home/red/.ssh/id_ed25519 type -1
debug1: identity file /home/red/.ssh/id_ed25519-cert type -1
debug1: identity file /home/red/.ssh/id_ed25519_sk type -1
debug1: identity file /home/red/.ssh/id_ed25519_sk-cert type -1
debug1: identity file /home/red/.ssh/id_xmss type -1
debug1: identity file /home/red/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.7
debug1: Remote protocol version 2.0, remote software version Gitblit_v1.9.3 (SSHD-CORE-1.2.0-NIO2)
debug1: compat_banner: no match: Gitblit_v1.9.3 (SSHD-CORE-1.2.0-NIO2)
debug1: Authenticating to 10.20.52.50:12390 as 'yangyongsheng'
debug1: load_hostkeys: fopen /home/red/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: ecdh-sha2-nistp256
debug1: kex: host key algorithm: ssh-rsa
debug1: kex: server->client cipher: aes256-ctr MAC: hmac-sha2-256 compression: none
debug1: kex: client->server cipher: aes256-ctr MAC: hmac-sha2-256 compression: none
debug1: kex: ecdh-sha2-nistp256 need=32 dh_need=32
debug1: kex: ecdh-sha2-nistp256 need=32 dh_need=32
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: SSH2_MSG_KEX_ECDH_REPLY received
debug1: Server host key: ssh-rsa SHA256:rLvO1f05ENwMvz5xMTbIns8R0PbxDGuvsh4b51kJ/ng
debug1: load_hostkeys: fopen /home/red/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: Host '[10.20.52.50]:12390' is known and matches the RSA host key.
debug1: Found key in /home/red/.ssh/known_hosts:23
debug1: rekey out after 4294967296 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 4294967296 blocks
debug1: Will attempt key: /home/red/.ssh/id_rsa RSA SHA256:JBRN+h1D0t2TNAVnrF/odMbcLC5LbGLcZe7ttaINrp4
debug1: Will attempt key: /home/red/.ssh/id_dsa 
debug1: Will attempt key: /home/red/.ssh/id_ecdsa 
debug1: Will attempt key: /home/red/.ssh/id_ecdsa_sk 
debug1: Will attempt key: /home/red/.ssh/id_ed25519 
debug1: Will attempt key: /home/red/.ssh/id_ed25519_sk 
debug1: Will attempt key: /home/red/.ssh/id_xmss 
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: password,keyboard-interactive,publickey
debug1: Next authentication method: publickey
debug1: Offering public key: /home/red/.ssh/id_rsa RSA SHA256:JBRN+h1D0t2TNAVnrF/odMbcLC5LbGLcZe7ttaINrp4
debug1: send_pubkey_test: no mutual signature algorithm
debug1: Trying private key: /home/red/.ssh/id_dsa
debug1: Trying private key: /home/red/.ssh/id_ecdsa
debug1: Trying private key: /home/red/.ssh/id_ecdsa_sk
debug1: Trying private key: /home/red/.ssh/id_ed25519
debug1: Trying private key: /home/red/.ssh/id_ed25519_sk
debug1: Trying private key: /home/red/.ssh/id_xmss
debug1: Next authentication method: keyboard-interactive
Password authentication
Authenticated to 10.20.52.50 ([10.20.52.50]:12390) using "keyboard-interactive".
debug1: pkcs11_del_provider: called, provider_id = (null)
debug1: channel 0: new [client-session]
debug1: Entering interactive session.
debug1: pledge: filesystem full
debug1: Sending environment.
debug1: channel 0: setting env LANG = "en_GB.UTF-8"
debug1: channel 0: setting env XMODIFIERS = "@im=fcitx"
debug1: Sending command: keys ls
.....
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug1: channel 0: free: client-session, nchannels 1
Transferred: sent 2008, received 2952 bytes, in 0.1 seconds
Bytes per second: sent 23676.7, received 34807.6
debug1: Exit status 0
flaix commented 1 year ago

So the server does not accept your key. What output do you get with the following? ssh -l yangyongsheng -i ~/.ssh/id_rsa -p 12390 10.20.52.50 keys ls

And does it match your key?

ssh-keygen -l -f ~/.ssh/id_rsa -E md5
ssh-keygen -l -f ~/.ssh/id_rsa -E sha256
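The two ssh-keygen calls above are asked for so that the fingerprint shown in the Gitblit profile can be compared with the one the client offers. As an added example (not Gitblit code), this Python script computes the same SHA256 and MD5 fingerprints that `ssh-keygen -l` prints, directly from a public-key line, and checks whether a given `ssh -v` "Offering public key" line carries that fingerprint. The two embedded keys are constructed placeholders with made-up key material, not real credentials, and the function names are choices of this example.

```python
"""Fingerprints of an OpenSSH public-key line, as `ssh-keygen -l -E sha256|md5` prints them.
Added example, not Gitblit or OpenSSH code."""
import base64
import hashlib
import struct
from typing import Tuple


def _ssh_string(b: bytes) -> bytes:
    """RFC 4251 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def _ssh_mpint(n: int) -> bytes:
    """RFC 4251 'mpint' for a positive integer (leading 0x00 added if the top bit is set)."""
    return _ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


# Constructed placeholder keys (NOT real credentials): a 32-byte stand-in for an Ed25519
# point and a tiny RSA modulus.  Real input comes from ~/.ssh/id_*.pub or the Gitblit profile.
ED25519_BLOB = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))
RSA_BLOB = _ssh_string(b"ssh-rsa") + _ssh_mpint(65537) + _ssh_mpint(0xC0FFEE_DEADBEEF_0123456789ABCDEF)
ED25519_LINE = "ssh-ed25519 " + base64.b64encode(ED25519_BLOB).decode() + " user@laptop"
RSA_LINE = "ssh-rsa " + base64.b64encode(RSA_BLOB).decode() + " user@laptop"


def parse_pubkey_line(line: str) -> Tuple[str, bytes]:
    """Return (declared key type, raw key blob); reject a line whose blob is of another type."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64 blob> [comment]'")
    declared, blob = parts[0], base64.b64decode(parts[1], validate=True)
    (n,) = struct.unpack(">I", blob[:4])
    embedded = blob[4:4 + n].decode("ascii")
    if embedded != declared:
        raise ValueError(f"declared type {declared!r} does not match blob type {embedded!r}")
    return declared, blob


def fingerprint_sha256(blob: bytes) -> str:
    """OpenSSH default format: SHA256:<base64 of the digest, '=' padding removed>."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def fingerprint_md5(blob: bytes) -> str:
    """Legacy format from `ssh-keygen -l -E md5`: MD5:aa:bb:...:ff (16 hex pairs)."""
    return "MD5:" + ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())


def offered_key_matches(ssh_v_line: str, pubkey_line: str) -> bool:
    """True if the SHA256 fingerprint in an `ssh -v` 'Offering public key' line belongs
    to the given public-key line, i.e. the client is offering the key you uploaded."""
    _, blob = parse_pubkey_line(pubkey_line)
    return fingerprint_sha256(blob) in ssh_v_line.split()


if __name__ == "__main__":
    for line in (ED25519_LINE, RSA_LINE):
        ktype, blob = parse_pubkey_line(line)
        print(ktype, fingerprint_sha256(blob), fingerprint_md5(blob))
```

If the SHA256 value in the "Offering public key" line does not equal the one computed from the .pub file you uploaded, the client is offering a different key (for example an agent-held one) and the Gitblit key list is not the problem.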

flaix commented 1 year ago

I just noticed these lines in your output:

debug1: Offering public key: /home/red/.ssh/id_rsa RSA SHA256:JBRN+h1D0t2TNAVnrF/odMbcLC5LbGLcZe7ttaINrp4
debug1: send_pubkey_test: no mutual signature algorithm

Googling this, it turns out that this is often because the client does not support the SHA-1 algorithm for RSA anymore. A temporary workaround would be to enable it again with the following line in your client configuration: PubkeyAcceptedKeyTypes +ssh-rsa

Gitblit 1.10.0 will add support for ecdsa and ed25519 key types. Only later versions will add support for RSA keys with SHA-256 algorithms.

iysheng commented 1 year ago

I just noticed these lines in your output:

debug1: Offering public key: /home/red/.ssh/id_rsa RSA SHA256:JBRN+h1D0t2TNAVnrF/odMbcLC5LbGLcZe7ttaINrp4
debug1: send_pubkey_test: no mutual signature algorithm

Googling this, it turns out that this is often because the client does not support the SHA-1 algorithm for RSA anymore. A temporary work around would be to enable it again with the following line in your client configuration: PubkeyAcceptedKeyTypes +ssh-rsa

Gitblit 1.10.0 will add support for ecdsa and ed25519 key types. Only later versions will add support for RSA keys with SHA-256 algorithms.

Thanks, I will test this later.

iysheng commented 1 year ago
debug1: Offering public key: /home/red/.ssh/id_rsa RSA SHA256:JBRN+h1D0t2TNAVnrF/odMbcLC5LbGLcZe7ttaINrp4
debug1: send_pubkey_test: no mutual signature algorithm

Googling this, it turns out that this is often because the client does not support the SHA-1 algorithm for RSA anymore. A temporary work around would be to enable it again with the following line in your client configuration: PubkeyAcceptedKeyTypes +ssh-rsa

Gitblit 1.10.0 will add support for ecdsa and ed25519 key types. Only later versions will add support for RSA keys with SHA-256 algorithms.

I'm sorry for replying so late. I upgraded the laptop from Fedora 32 to Fedora 36; now the ssh version is:

▸ ssh -V
OpenSSH_8.8p1, OpenSSL 3.0.5 5 Jul 2022

▸ ssh -Q key
ssh-ed25519
ssh-ed25519-cert-v01@openssh.com
sk-ssh-ed25519@openssh.com
sk-ssh-ed25519-cert-v01@openssh.com
ssh-rsa
ssh-dss
ecdsa-sha2-nistp256
ecdsa-sha2-nistp384
ecdsa-sha2-nistp521
sk-ecdsa-sha2-nistp256@openssh.com
ssh-rsa-cert-v01@openssh.com
ssh-dss-cert-v01@openssh.com
ecdsa-sha2-nistp256-cert-v01@openssh.com
ecdsa-sha2-nistp384-cert-v01@openssh.com
ecdsa-sha2-nistp521-cert-v01@openssh.com
sk-ecdsa-sha2-nistp256-cert-v01@openssh.com

And I added this line to the file /etc/ssh/ssh_config:

PubkeyAcceptedKeyTypes +ssh-rsa

But I still couldn't connect to the Gitblit server.

OpenSSH_8.8p1, OpenSSL 3.0.5 5 Jul 2022
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Reading configuration data /etc/ssh/ssh_config.d/50-redhat.conf
debug1: Reading configuration data /etc/crypto-policies/back-ends/openssh.config
debug1: configuration requests final Match pass
debug1: re-parsing configuration
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Reading configuration data /etc/ssh/ssh_config.d/50-redhat.conf
debug1: Reading configuration data /etc/crypto-policies/back-ends/openssh.config
debug1: Connecting to 10.20.52.50 [10.20.52.50] port 12390.
debug1: Connection established.
debug1: identity file /home/red/.ssh/id_rsa type 0
debug1: identity file /home/red/.ssh/id_rsa-cert type -1
debug1: identity file /home/red/.ssh/id_rsa type 0
debug1: identity file /home/red/.ssh/id_rsa-cert type -1
debug1: identity file /home/red/.ssh/id_dsa type -1
debug1: identity file /home/red/.ssh/id_dsa-cert type -1
debug1: identity file /home/red/.ssh/id_ecdsa type -1
debug1: identity file /home/red/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/red/.ssh/id_ed25519 type -1
debug1: identity file /home/red/.ssh/id_ed25519-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.8
debug1: Remote protocol version 2.0, remote software version Gitblit_v1.9.3 (SSHD-CORE-1.2.0-NIO2)
debug1: compat_banner: no match: Gitblit_v1.9.3 (SSHD-CORE-1.2.0-NIO2)
debug1: Authenticating to 10.20.52.50:12390 as 'yangyongsheng'
debug1: load_hostkeys: fopen /home/red/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: ecdh-sha2-nistp256
debug1: kex: host key algorithm: (no match)
Unable to negotiate with 10.20.52.50 port 12390: no matching host key type found. Their offer: ssh-rsa,ssh-dss
andrm commented 1 year ago

You also need: HostKeyAlgorithms +ssh-rsa

andrm commented 1 year ago

@flaix When will gitblit 1.10.0 be released?

flaix commented 1 year ago

@flaix When will gitblit 1.10.0 be released?

This is a good question without a good answer. While I sure would like to see that this year, my guess is more like February or March.

andrm commented 1 year ago

Do you need help? Anything I can do?

flaix commented 1 year ago

I have moved this to discussion #1440

iysheng commented 1 year ago

You also need: HostKeyAlgorithms +ssh-rsa

Thanks, after I added both of these lines to the file /etc/ssh/ssh_config:

PubkeyAcceptedKeyTypes +ssh-rsa
HostKeyAlgorithms +ssh-rsa

It's OK now.
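To show why both directives are needed, and why the first attempt with only `PubkeyAcceptedKeyTypes +ssh-rsa` still died at host-key negotiation, here is an added Python model (not Gitblit or OpenSSH code) of the SSH algorithm negotiation rule from RFC 4253 section 7.1 (the first entry in the client's preference list that the server also offers wins) together with OpenSSH's `+`, `-` and `^` prefixes for list-valued options. The client default lists are abbreviated stand-ins, not the verbatim OpenSSH 8.8 defaults; the server's host-key offer is the one from the "Their offer:" line above, and its user-key signature list is an assumption drawn from the remark that SHA-256 RSA support comes in a later Gitblit release. Two facts it relies on: `PubkeyAcceptedKeyTypes` is the pre-8.5 name of `PubkeyAcceptedAlgorithms` and still works as an alias, and `ssh -Q key` lists key types the binary can parse rather than what it will accept, so `ssh -G <host>` is the right check for the effective per-host values.

```python
"""Model of SSH algorithm negotiation (RFC 4253 section 7.1) plus OpenSSH's '+', '-', '^'
prefixes for list-valued options.  Added example, not Gitblit or OpenSSH code."""
from fnmatch import fnmatch
from typing import List, Optional

# Abbreviated stand-ins for the OpenSSH 8.8 client defaults (assumption: the real lists
# are longer, but neither contains a plain "ssh-rsa" entry, which is the point).
CLIENT_HOSTKEY_DEFAULT = ["ssh-ed25519", "ecdsa-sha2-nistp256", "rsa-sha2-512", "rsa-sha2-256"]
CLIENT_PUBKEY_DEFAULT = ["ssh-ed25519", "ecdsa-sha2-nistp256", "rsa-sha2-512", "rsa-sha2-256"]

# Gitblit 1.9.3 as seen in the thread: host keys from the "Their offer:" line; user-key
# signature algorithms assumed to be SHA-1 RSA only.
SERVER_HOSTKEY = ["ssh-rsa", "ssh-dss"]
SERVER_PUBKEY_SIG = ["ssh-rsa"]

# Algorithms we are willing to re-enable for a single host.  ssh-dss (1024-bit DSA) is
# deliberately absent; ssh-rsa here means RSA with a SHA-1 signature, a scoped stopgap only.
REENABLE_OK = ["ssh-rsa"]


def apply_spec(default: List[str], spec: str) -> List[str]:
    """Resolve an OpenSSH list option against its default: '+a,b' appends, '-pat' removes
    matching entries, '^a,b' moves entries to the front, a bare list replaces the default."""
    prefix, body = (spec[0], spec[1:]) if spec[:1] in ("+", "-", "^") else ("", spec)
    items = [s for s in body.split(",") if s]
    if prefix == "+":
        return default + [i for i in items if i not in default]
    if prefix == "-":
        return [d for d in default if not any(fnmatch(d, p) for p in items)]
    if prefix == "^":
        return items + [d for d in default if d not in items]
    return items


def negotiate(client: List[str], server: List[str]) -> Optional[str]:
    """First algorithm in the client's preference order that the server also offers."""
    for alg in client:
        if alg in server:
            return alg
    return None


def plan(client_hostkey: List[str], client_pubkey: List[str],
         server_hostkey: List[str], server_sig: List[str]) -> List[str]:
    """Directives needed for this server, or [] if the client defaults already work."""
    directives = []
    if negotiate(client_hostkey, server_hostkey) is None:
        alg = negotiate(REENABLE_OK, server_hostkey)
        if alg is None:
            raise RuntimeError(f"server host key algorithms {server_hostkey} are all unacceptable")
        directives.append(f"HostKeyAlgorithms +{alg}")
    if negotiate(client_pubkey, server_sig) is None:
        alg = negotiate(REENABLE_OK, server_sig)
        if alg is None:
            raise RuntimeError(f"server signature algorithms {server_sig} are all unacceptable")
        directives.append(f"PubkeyAcceptedAlgorithms +{alg}")
    return directives


def render_host_block(alias: str, hostname: str, port: int, user: str,
                      directives: List[str]) -> str:
    """A ~/.ssh/config stanza that confines the weakened settings to one server."""
    lines = [f"Host {alias}", f"    HostName {hostname}", f"    Port {port}", f"    User {user}"]
    lines += [f"    {d}" for d in directives]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    needed = plan(CLIENT_HOSTKEY_DEFAULT, CLIENT_PUBKEY_DEFAULT, SERVER_HOSTKEY, SERVER_PUBKEY_SIG)
    print(render_host_block("gitblit", "10.20.52.50", 12390, "yangyongsheng", needed))
    # With only the pubkey directive the host-key step still has no common algorithm:
    print("host key, defaults:", negotiate(CLIENT_HOSTKEY_DEFAULT, SERVER_HOSTKEY))
    print("host key, +ssh-rsa:", negotiate(apply_spec(CLIENT_HOSTKEY_DEFAULT, "+ssh-rsa"), SERVER_HOSTKEY))
```

Putting the two directives in a `Host` stanza, as `render_host_block` does, limits the SHA-1 re-enable to this one server and lets you confirm the result with `ssh -G gitblit | grep -i -e hostkeyalgorithms -e pubkeyacceptedalgorithms`; adding them to /etc/ssh/ssh_config, as was done above, weakens every SSH connection from that machine. The `+` form appends to the defaults, so the client still prefers the stronger algorithms wherever a server offers them, and the model never re-enables ssh-dss.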