Git clone asking for passphrase instead of using ssh key

Hi,

I’ve created a new Phabricator instance and set up a repo (and activated it). I added an ssh public key to my profile. When attempting to clone from or push to the repo, git requests a password. On Windows, it just kinda poops the bed:

PS C:\Users\rhaley\starfish> git clone ssh://git@phabricator.spe.local/source/bunpoc.git
Cloning into 'bunpoc'...
Kfatal: protocol error: bad line length character: | Pa
eyboard-interactive authentication prompts from server: 

On Linux, I get a slightly less poopy result:

starfish@linux-dev-2:~/starfish$ git clone ssh://git@phabricator/source/bunpoc.git
Cloning into 'bunpoc'...
Password for git@Phabricator:
Password for git@Phabricator:
Password for git@Phabricator:
git@phabricator: Permission denied (publickey,keyboard-interactive).
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.

What is interesting here is that the host name is “Phabricator” and I haven’t used that anywhere in a config file or on the command line. Some searching indicates that this is a known problem:

https://confluence.atlassian.com/bitbucketserverkb/git-clone-using-ssh-always-require-password-794498380.html

“The address the user is trying to clone is different to what the application expects.”

I think this link points to the problem being on the server and not on my client. So now for questions:

  1. Does anyone know the answer to this problem? (Am I on the correct track?)
  2. If it is a problem with the server, how do I change the hostname/expected name? e.g. how do I fix “what the application expects”?

Thanks!
Russell

The hostname in git@hostname is determined by the client, AFAIK:

$ ssh 127.0.0.1
avivey@127.0.0.1's password:

$ ssh localhost
avivey@localhost's password:

so this should handle the “Phabricator” mystery.

As for asking for password, that shouldn’t happen if following the SSH guide correctly - we add PasswordAuthentication no, so you should get the Permission denied if it doesn’t load any keys.
Make sure you’re connecting to the right port (calling the right daemon), and the right host (look at your .ssh/config file on the client).

Well, I have progressed a little further. I had to disable PAM and Challenge authentication to fully turn off password authentication.

PasswordAuthentication no
UsePAM no
ChallengeResponseAuthentication no
PubkeyAuthentication yes

The issue has moved a little further. Now ssh/git is ignoring my private key:

starfish@linux-dev-2 ~/starfish> cat ~/.ssh/config
<snip>
Host phabricator.spe.local
	HostName phabricator.spe.local
	User git
	IdentityFile ~/.ssh/rhaley-phabricator-spe-local.key

But when I try to clone a repo, it fails:

starfish@linux-dev-2:~/starfish$ git clone ssh://git@phabricator.spe.local/source/bunpoc.git
Cloning into 'bunpoc'...
git@phabricator.spe.local: Permission denied (publickey).
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.

I’ve tried two keys: one generated in Phabricator and one generated in Ubuntu 20 (RSA 4096 with no password). I added the Phabricator-generated key to a unix user on the same Phabricator system and it works without issue connecting from Ubuntu and Windows with putty/plink.

I’m at a loss. Any suggestions?

I would try to get more verbose output from the SSH commands that are being run to help determine what’s going on.

From this SO it looks like you can either add a LogLevel line to your ssh config or set the GIT_SSH_COMMAND environment variable:

starfish@linux-dev-2:~/starfish$ GIT_SSH_COMMAND="ssh -v" git clone ssh://git@phabricator.spe.local/source/bunpoc.git
Cloning into 'bunpoc'...
OpenSSH_8.2p1 Ubuntu-4ubuntu0.2, OpenSSL 1.1.1f  31 Mar 2020
debug1: Reading configuration data /home/starfish/.ssh/config
debug1: /home/starfish/.ssh/config line 26: Applying options for phabricator.spe.local
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: include /etc/ssh/ssh_config.d/*.conf matched no files
debug1: /etc/ssh/ssh_config line 21: Applying options for *
debug1: Connecting to phabricator.spe.local [192.168.17.59] port 22.
debug1: Connection established.
debug1: identity file /home/starfish/.ssh/rhaley-phabricator-spe-local.key type -1
debug1: identity file /home/starfish/.ssh/rhaley-phabricator-spe-local.key-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.2
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.9 FreeBSD-20200214
debug1: match: OpenSSH_7.9 FreeBSD-20200214 pat OpenSSH* compat 0x04000000
debug1: Authenticating to phabricator.spe.local:22 as 'git'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:L3n//aztz9zESB1bYCHcrEWn7/FU/nUe/FyzRUykaHY
debug1: Host 'phabricator.spe.local' is known and matches the ECDSA host key.
debug1: Found key in /home/starfish/.ssh/known_hosts:17
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 134217728 blocks
debug1: Will attempt key: www@Phabricator RSA SHA256:LghEEhhWfSnOq7PTa9xn7YZ9FR7XSH0s5Krs1Tx2I44 agent
debug1: Will attempt key: rhaley@starfishmedical.com RSA SHA256:Z3UwK9iqOTOmAytbU7DMQ1Uq0DPC5wt+IUBaFXV1ed0 agent
debug1: Will attempt key: /home/starfish/.ssh/rhaley-phabricator-spe-local.key  explicit
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering public key: www@Phabricator RSA SHA256:LghEEhhWfSnOq7PTa9xn7YZ9FR7XSH0s5Krs1Tx2I44 agent
debug1: Authentications that can continue: publickey
debug1: Offering public key: rhaley@starfishmedical.com RSA SHA256:Z3UwK9iqOTOmAytbU7DMQ1Uq0DPC5wt+IUBaFXV1ed0 agent
debug1: Authentications that can continue: publickey
debug1: Trying private key: /home/starfish/.ssh/rhaley-phabricator-spe-local.key
debug1: Authentications that can continue: publickey
debug1: No more authentication methods to try.
git@phabricator.spe.local: Permission denied (publickey).
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.

Hm that looks mostly okay, though comparing with some of your previous output it looks like there might be a /home/starfish/starfish/ path which might be a little confusing.

Since this is a new instance, is it possible things might not be configured properly such that port 22 is running the special-authentication configuration for phabricator but is running a standard sshd?

Hm that looks mostly okay, though comparing with some of your previous output it looks like there might be a /home/starfish/starfish/ path which might be a little confusing.

Lolz. Ya, I set up a generic user for a shared Ubuntu VM image at work (Starfish) and then had to create a folder to keep all our $work git repositories separate. I should probably rename that folder work or something.

Since this is a new instance, is it possible things might not be configured properly such that port 22 is running the special-authentication configuration for phabricator but is running a standard sshd?

I am not sure I understand this? I installed Phabricator from the FreeBSD pkg system into a RELEASE-12.2 jail. I don’t know anything about special configuration for ssh? Non-standard sshd?

starfish@phabricator:/usr/local/lib/php/phabricator $ sshd --version
sshd: illegal option -- -
OpenSSH_7.9p1, OpenSSL 1.1.1h-freebsd  22 Sep 2020
usage: sshd [-46DdeiqTt] [-C connection_spec] [-c host_cert_file]
            [-E log_file] [-f config_file] [-g login_grace_time]
            [-h host_key_file] [-o option] [-p port] [-u len]
starfish@phabricator:/usr/local/lib/php/phabricator $ uname -a
FreeBSD phabricator.spe.local 12.2-RELEASE-p6 FreeBSD 12.2-RELEASE-p6 df578562304(HEAD) TRUENAS  amd64

See Diffusion User Guide: Repository Hosting

I’m not familiar with the FreeBSD pkg, but when running Phabricator to host repositories over SSH the system will run two SSH daemons: one to allow typical administrative access, which is typically moved to a non-standard port (like 222 instead of the standard 22), and the SSH daemon used by Phabricator repositories, which is run on standard port 22 and only permits SSH access based on users’ SSH keys configured in Phabricator.

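A check for the situation the last reply describes, as an added example that is not part of the thread or of Phabricator: it reads the effective configuration printed by `sshd -T` and flags a daemon that cannot authenticate keys stored in Phabricator. The account name `git` comes from the thread; the two sample configurations and the hook path in them are constructed, and the requirement for an `AuthorizedKeysCommand` is taken from the repository hosting guide named in that reply.

```shell
# Added example: audit effective sshd settings as printed by `sshd -T`.
# On the server, as root:  sshd -T -f <config file> | check_vcs_sshd git
check_vcs_sshd() {
    # $1 = account in the clone URL ("git" in the thread); stdin = sshd -T output
    awk -v user="$1" '
        function fail(msg) { print "FAIL " msg; bad++ }
        { key = tolower($1); $1 = ""; sub(/^ +/, ""); cfg[key] = $0
          if (key == "allowusers") allow = allow " " $0 " " }  # literal names only
        END {
            if (cfg["pubkeyauthentication"] != "yes")
                fail("PubkeyAuthentication is not yes")
            if (cfg["passwordauthentication"] != "no")
                fail("PasswordAuthentication is not no")
            if (cfg["challengeresponseauthentication"] == "yes" ||
                cfg["kbdinteractiveauthentication"] == "yes")
                fail("keyboard-interactive is on, clients get password prompts")
            cmd = cfg["authorizedkeyscommand"]; cu = cfg["authorizedkeyscommanduser"]
            if (cmd == "" || cmd == "none")
                fail("no AuthorizedKeysCommand, keys stored in Phabricator are never read")
            else if (cu == "" || cu == "none")
                fail("AuthorizedKeysCommand has no AuthorizedKeysCommandUser")
            if (allow != "" && index(allow, " " user " ") == 0)
                fail("AllowUsers does not list " user)
            if (bad == 0) print "OK daemon can serve Phabricator keys for " user
            exit bad
        }'
}
# Constructed sample: a stock daemon with settings like those posted in the thread.
sample_stock() {
cat <<'EOF'
pubkeyauthentication yes
passwordauthentication no
challengeresponseauthentication no
authorizedkeyscommand none
authorizedkeyscommanduser none
EOF
}
# Constructed sample: a dedicated repository daemon; the hook path is a placeholder.
sample_vcs() {
cat <<'EOF'
pubkeyauthentication yes
passwordauthentication no
challengeresponseauthentication no
authorizedkeyscommand /path/to/phabricator-ssh-hook.sh
authorizedkeyscommanduser git
allowusers git
EOF
}
sample_stock | check_vcs_sshd git || true; sample_vcs | check_vcs_sshd git
```

The function's exit status is the number of failed checks, so it can gate a deployment script; `AllowUsers` entries that use patterns or `user@host` forms are not interpreted.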