Permission denied (publickey). #57

Open
xplosionmind opened this issue Oct 15, 2023 · 13 comments

@xplosionmind

Hello, I am going crazy with this issue, and I cannot seem to fix it in any way.

I would like to manage all of my repositories via SSH. My configuration works perfectly both with GitHub and Codeberg.

Nevertheless, when I try to push to my self-hosted Forgejo instance, I get this error:

➜  test git:(main) git push --set-upstream origin main -vvv              
Pushing to gitmi.dev:tommi/test.git
#=================================#
#                                 #
#         XPLOSION SERVER         #
#                                 #
#=================================#
git@gitmi.dev: Permission denied (publickey).
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.

The SSH key is successfully added and verified in Forgejo’s GUI.

The fact that the banner of my remote YunoHost server appears means that the connection with the server itself works fine. Apparently, the problem is with Forgejo.

Information

@grosmanal
Collaborator

Hello @xplosionmind, thank you for using forgejo through yunohost.

Could you explain why you added the AuthorizedKeysFile config in sshd_config? By overriding this configuration, the ssh server doesn't check /var/www/forgejo/.ssh/authorized_keys, which is in charge of retrieving the public key you added with the forgejo GUI.

@xplosionmind
Author

Thank you for using forgejo through yunohost.

Hi @grosmanal! It is truly my pleasure!

Could you explain why you added the AuthorizedKeysFile config in sshd_config?

I was erroneously following the gitea_ynh SSH configuration guide. Still, I get the same error even after deleting this line! (I also restarted the sshd service, of course)

By overriding this configuration, the ssh server doesn't check /var/www/forgejo/.ssh/authorized_keys, which is in charge of retrieving the public key you added with the forgejo GUI.

Content of my /var/www/forgejo/.ssh/authorized_keys:

# gitea public key
command="/var/www/forgejo/forgejo --config=/var/www/forgejo/custom/conf/app.ini serv key-2",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty,no-user-rc,restrict ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO5oALqMhGnj8keoTU/+KJ5cNEPP1lRPGzzZ7eXYBn4Y tommi@tommi.space

Is it correct?

In the GUI:

Screenshot from 2023-10-15 14-24-35

@grosmanal
Collaborator

Content of my /var/www/forgejo/.ssh/authorized_keys:

# gitea public key
command="/var/www/forgejo/forgejo --config=/var/www/forgejo/custom/conf/app.ini serv key-2",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty,no-user-rc,restrict ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO5oALqMhGnj8keoTU/+KJ5cNEPP1lRPGzzZ7eXYBn4Y tommi@tommi.space

Is it correct?

Yes, it seems correct.

When you submitted this issue, you attached the output of ssh -vvv git@gitmi.dev. To test the ssh connection correctly, you should instead try: ssh -vvv forgejo@gitmi.dev.
Could you please post the output of this command?

Without the -vvv, you should get:

PTY allocation request failed on channel 0
Hi there, <my user name>! You've successfully authenticated with the key named <my user name>@<my client host>, but Forgejo does not provide shell access.
If this is unexpected, please log in with password and setup Forgejo under another user.
Connection to <my yunohost server> closed.

@xplosionmind
Author

To test the ssh connection correctly, you should instead try: ssh -vvv forgejo@gitmi.dev. Could you please post the output of this command?

Output of ssh -vvv forgejo@gitmi.dev

@grosmanal
Collaborator

I'm sorry, but I don't really know what to do…
Check:

  • that the forgejo user has the correct home path: echo ~forgejo should print: /var/www/forgejo
  • the access rights of /var/www/forgejo/.ssh: they should be drwx------ 2 forgejo forgejo 4096 … /var/www/forgejo/.ssh
  • the access rights of /var/www/forgejo/.ssh/authorized_keys: they should be: -rw------- 1 forgejo forgejo 764 … /var/www/forgejo/.ssh/authorized_keys

@xplosionmind
Author

  • echo ~forgejo: /var/www/forgejo
  • sudo ls -al /var/www/forgejo/.ssh:
    total 12
    drwx------ 2 forgejo forgejo 4096 Oct 15 14:27 .
    drwxr-x--- 4 forgejo forgejo 4096 Oct 15 16:07 ..
    -rw------- 1 forgejo forgejo 294 Oct 15 09:19 authorized_keys

@xplosionmind
Author

Maybe we could ask for somebody else’s help 😢

@grosmanal
Collaborator

Maybe we could ask for somebody else’s help 😢

I think so, because imho it is not a problem with forgejo but with your ssh config.
Perhaps you can try to log in with ssh to a normal user account first.

@xplosionmind
Author

Perhaps you can try to log in with ssh to a normal user account first.

I am using my ssh remote access and management perfectly. Everything is working. Since it works also with Codeberg and GitHub, the potential ssh config problem is server-side, not in the local device.

@grosmanal
Collaborator

grosmanal commented Oct 18, 2023

I can see in your sshd_config that you added an AllowUsers and that you commented out the line:
AllowGroups … ssh.app …

That's probably why you cannot connect to your server with the forgejo user.

@xplosionmind
Author

Damn, this error is driving us mad. I changed all the parameters as you told me, and I still cannot access.

Here is the updated /etc/ssh/sshd_config file

@grosmanal
Collaborator

I don't have any ideas anymore.
I can only suggest restoring the default yunohost ssh configuration with: yunohost tools regen-conf ssh

@Salamandar
Member

Salamandar commented Jun 14, 2024

I got a lead, here are the sshd logs:

Jun 14 15:23:22 salamandar.fr sshd[2737916]: debug1: trying public key file /home/forgejo/.ssh/authorized_keys
Jun 14 15:23:22 salamandar.fr sshd[2737916]: debug1: Could not open authorized keys '/home/forgejo/.ssh/authorized_keys': No such file or directory

Jun 14 15:23:22 salamandar.fr sshd[2737916]: debug1: trying public key file /home/yunohost.app/forgejo/.ssh/authorized_keys
Jun 14 15:23:22 salamandar.fr sshd[2737916]: debug1: Could not open authorized keys '/home/yunohost.app/forgejo/.ssh/authorized_keys': No such file or directory

Jun 14 15:23:22 salamandar.fr sshd[2737916]: debug1: trying public key file /home/forgejo/.ssh/authorized_keys
Jun 14 15:23:22 salamandar.fr sshd[2737916]: debug1: Could not open authorized keys '/home/forgejo/.ssh/authorized_keys': No such file or directory

Jun 14 15:23:22 salamandar.fr sshd[2737916]: debug1: trying public key file /home/yunohost.app/forgejo/.ssh/authorized_keys
Jun 14 15:23:22 salamandar.fr sshd[2737916]: debug1: Could not open authorized keys '/home/yunohost.app/forgejo/.ssh/authorized_keys': No such file or directory

sshd is not trying to read the right authorized_keys.

Indeed AuthorizedKeysFile /home/%u/.ssh/authorized_keys /home/yunohost.app/%u/.ssh/authorized_keys /var/www/%u/.ssh/authorized_keys fixes the issue.
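
The lookup described in the comment above, as an added example that is not part of the thread or of the forgejo package: it expands the `%u`, `%h` and `%%` tokens of an `AuthorizedKeysFile` line for one account and reports, per candidate path, whether the file exists and passes a mode check. The function names are hypothetical, and the mode check is a simplified stand-in for sshd's StrictModes (assumption: only the file and its directory are inspected).

```shell
#!/bin/sh
# Added example (not from the thread): which authorized_keys files would sshd
# try for an account, and does each one exist with acceptable permissions?

# expand_pattern PATTERN USER HOME -> the path sshd would try.
# Handles the %u, %h and %% tokens; anything else is copied literally.
expand_pattern() (
    pat=$1 user=$2 home=$3 out=
    while [ -n "$pat" ]; do
        case $pat in
            %%*) out="$out%";     pat=${pat#??} ;;
            %u*) out="$out$user"; pat=${pat#??} ;;
            %h*) out="$out$home"; pat=${pat#??} ;;
            *)   rest=${pat#?}; first=${pat%"$rest"}
                 out="$out$first"; pat=$rest ;;
        esac
    done
    # A path that is still relative is resolved against the home directory.
    case $out in /*) ;; *) out="$home/$out" ;; esac
    printf '%s\n' "$out"
)

# key_file_state PATH -> missing | loose-perms | ok
# Simplified StrictModes-style check (assumption): only the file and its
# directory are inspected, and only for group/world write bits.
key_file_state() (
    [ -f "$1" ] || { echo missing; exit 0; }
    loose=$(find "$1" "$(dirname "$1")" -prune \( -perm -020 -o -perm -002 \))
    if [ -z "$loose" ]; then echo ok; else echo loose-perms; fi
)

# audit_keys "AuthorizedKeysFile P1 P2 ..." USER HOME -> "<state> <path>" lines
audit_keys() (
    user=$2 home=$3
    set -f        # keep the patterns from being glob-expanded
    set -- $1
    shift         # drop the AuthorizedKeysFile keyword
    for p in "$@"; do
        path=$(expand_pattern "$p" "$user" "$home")
        printf '%s %s\n' "$(key_file_state "$path")" "$path"
    done
)

# The line reported as the fix, checked for the forgejo account and the home
# directory given in the thread (echo ~forgejo).
audit_keys "AuthorizedKeysFile /home/%u/.ssh/authorized_keys /home/yunohost.app/%u/.ssh/authorized_keys /var/www/%u/.ssh/authorized_keys" forgejo /var/www/forgejo
```

Run it as root on the server: an unprivileged user cannot see inside a `drwx------` directory, so an existing key file would be reported as `missing`.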
