Connecting to gitosis server through an SSH tunnel

Matt Mencel · Aug 12, 2009 · Viewed 9.1k times

I've got an SSH tunnel setup on my macbook, like this...

$ ssh -o ServerAliveInterval=3 -N -L 22222:gitosis-server:22 [email protected]

So I can ssh to localhost:22222 and will end up on the gitosis-server behind the firewall.

I've created a local id_rsa.pub file, copied it onto the gitosis server (running CentOS 5), and imported it into gitosis using...

# sudo -H -u gitosis gitosis-init 

It was successful as I can see the public key in /var/lib/gitosis/.ssh/authorized_keys.

Back on my macbook I setup a ~/.ssh/config file with the following...

Host gitosis-server
    Hostname localhost
    HostKeyAlias gitosis-server.domain.com
    Port 22222

So...I'm thinking this command should work...

$ git clone gitosis@gitosis-server:gitosis-admin.git

It does not, however, as it comes up asking for a password... when the public keys should be working.

Initialized empty Git repository in /Users/USER/Development/gitrepo/gitosis-admin/.git/
gitosis@localhost's password: 

Any ideas on getting git working through to a gitosis server behind a firewall?

Thanks,
Matt


EDIT - Adding Debug From SSH Attempt

I did this command, 'ssh -vvv gitosis@gitosis-server'. I get some debugging back and it doesn't seem to like my Identity.

debug2: key: /Users/USER/.ssh/id_rsa.gitosis (0x1019b0)
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug3: start over, passed a different list publickey,gssapi-with-mic,password
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering public key: /Users/USER/.ssh/id_rsa.gitosis
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred: ,password
debug3: authmethod_is_enabled password
debug1: Next authentication method: password
gitosis@localhost's password: 

EDIT 2

OK... Definitely a bad key. I double-checked all my keys again and of course found the gitosis-server was holding a bad key in the authorized_keys file.

debug1: userauth-request for user gitosis service ssh-connection method none
debug1: attempt 0 failures 0
debug1: PAM: initializing for "gitosis"
debug1: PAM: setting PAM_RHOST to "firewall.domain.com"
debug1: PAM: setting PAM_TTY to "ssh"
debug1: userauth-request for user gitosis service ssh-connection method publickey
debug1: attempt 1 failures 1
debug1: test whether pkalg/pkblob are acceptable
debug1: temporarily_use_uid: 102/103 (e=0/0)
debug1: trying public key file /var/lib/gitosis/.ssh/authorized_keys
debug1: restore_uid: 0/0
debug1: temporarily_use_uid: 102/103 (e=0/0)
debug1: trying public key file /var/lib/gitosis/.ssh/authorized_keys2
debug1: restore_uid: 0/0
Failed publickey for gitosis from FIRE.WALL.IP.ADDRESS port 52453 ssh2

I took a closer look at the authorized_keys file on the gitosis server... and it was incorrect. I double-checked the public key file I had copied into /tmp from my workstation and it was the correct one, but different from what was in authorized_keys. I deleted the authorized_keys file on the server and reran 'sudo -H -u gitosis gitosis-init < /tmp/id_rsa.gitosis.pub'. Checked the authorized_keys file again... and it was still wrong.

I updated it manually by editing authorized_keys and adding the correct key, and then I got it to work from my workstation through the tunnel for one or two tries. Then it stopped working as before. I went back in to the authorized_keys file on the gitosis server, and sure enough....gitosis had reverted it back to the old key that does not work.

Why is it doing this....reverting back to a bad public key....even after I tried adding it with the above command...which failed to change it....then changed it manually....which worked but git then reverted back to the bad one again.

It's like gitosis keeps remembering the first key I put in there....and won't let me change it to the corrected key.

Frustrating...

Matt
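The failure mode in EDIT 2 (client offers a key, sshd logs "Failed publickey", password prompt follows) is exactly what a stale entry in authorized_keys looks like, and a hand edit of that file does not survive because gitosis regenerates ~gitosis/.ssh/authorized_keys from the keydir/ of the gitosis-admin repository on every push. The quickest way to tell whether the key the client offers is the key the server holds is to compare fingerprints rather than eyeballing base64 (`ssh-keygen -lf ~/.ssh/id_rsa.gitosis.pub` against `ssh-keygen -lf authorized_keys` does the same at the command line). The script below is an added example, not part of Matt's post: it parses authorized_keys entries including the gitosis-style `command="..."` options prefix, computes the OpenSSH SHA256 fingerprint of each key blob, and reports whether the local public key is present. The two RSA blobs and the file contents are constructed inline so it runs offline; the names `LOCAL_PUB`, `AUTHORIZED_KEYS` and the `matt@macbook` comment are assumptions for the example.

```python
import base64
import hashlib
import struct

# Key types whose presence marks the start of the "keytype blob [comment]" part of a line.
KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")


def _ssh_string(b: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def _ssh_mpint(n: int) -> bytes:
    """SSH wire-format mpint for a positive integer (leading 0x00 if the high bit is set)."""
    return _ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


def make_rsa_blob(e: int, n: int) -> str:
    """Base64 ssh-rsa public key blob (string "ssh-rsa", mpint e, mpint n).
    Used here only to build constructed sample keys; the moduli are not real keys."""
    return base64.b64encode(_ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)).decode()


def fingerprint(blob_b64: str) -> str:
    """OpenSSH-style SHA256 fingerprint: base64(sha256(decoded blob)) without '=' padding."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_key(line: str):
    """Split one authorized_keys line into (options, keytype, blob, comment).
    Returns None for blank and comment lines. The options field may contain
    quoted strings with spaces and commas (e.g. command="gitosis-serve user@host")."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    options = ""
    if line.split(None, 1)[0] not in KEY_TYPES:
        # Options end at the first whitespace that is not inside double quotes.
        in_quotes, i = False, 0
        while i < len(line):
            c = line[i]
            if c == "\\" and in_quotes:      # escaped character inside quotes
                i += 2
                continue
            if c == '"':
                in_quotes = not in_quotes
            elif c.isspace() and not in_quotes:
                break
            i += 1
        options, line = line[:i], line[i:].strip()
    parts = line.split(None, 2)
    if len(parts) < 2 or parts[0] not in KEY_TYPES:
        raise ValueError("not an authorized_keys entry: %r" % line)
    return options, parts[0], parts[1], (parts[2] if len(parts) == 3 else "")


def find_key(local_pub: str, authorized_keys: str):
    """Return (line number, options) of the authorized_keys entry whose fingerprint
    matches the local public key, or None if the server does not hold that key."""
    want = fingerprint(parse_authorized_key(local_pub)[2])
    for lineno, line in enumerate(authorized_keys.splitlines(), 1):
        entry = parse_authorized_key(line)
        if entry is not None and fingerprint(entry[2]) == want:
            return lineno, entry[0]
    return None


# --- constructed sample data (assumption: not real keys, not the page's files) ---
LOCAL_PUB = "ssh-rsa " + make_rsa_blob(65537, 0xD1E5C0DE_BAADF00D_0000000F) + " matt@macbook"
STALE_BLOB = make_rsa_blob(65537, 0xDEADBEEF_CAFEBABE_00000001)
# Shape of what gitosis writes: a marker comment, then one restricted entry per key.
AUTHORIZED_KEYS = (
    "### autogenerated by gitosis, DO NOT EDIT\n"
    'command="gitosis-serve matt@macbook",no-port-forwarding,no-X11-forwarding,'
    "no-agent-forwarding,no-pty ssh-rsa " + STALE_BLOB + " matt@macbook\n"
)


def report(local_pub: str, authorized_keys: str) -> str:
    """Human-readable verdict for the key the client would offer."""
    fp = fingerprint(parse_authorized_key(local_pub)[2])
    hit = find_key(local_pub, authorized_keys)
    if hit is None:
        return "local key %s is NOT in authorized_keys: expect 'Failed publickey'" % fp
    return "local key %s matches authorized_keys line %d (options: %s)" % (fp, hit[0], hit[1])


if __name__ == "__main__":
    print(report(LOCAL_PUB, AUTHORIZED_KEYS))
    print(report("ssh-rsa " + STALE_BLOB + " matt@macbook", AUTHORIZED_KEYS))
```

Run it with the real files by reading `~/.ssh/id_rsa.gitosis.pub` into `LOCAL_PUB` and the server's `/var/lib/gitosis/.ssh/authorized_keys` into `AUTHORIZED_KEYS`. A "NOT in authorized_keys" verdict with the gitosis marker comment present means the fix belongs in `keydir/` of gitosis-admin (or in a fresh `gitosis-init` with the right key), not in authorized_keys itself.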

Answer

Matt Mencel · Aug 15, 2009

Followup:

I'm not sure why gitosis insisted on reusing a bad public key. Trying to force it to take the correct key did not work.

So today I just removed and reinstalled the gitosis package on my CentOS 5 box.

yum remove gitosis
rm -rf /var/lib/gitosis
yum install gitosis
sudo -H -u gitosis gitosis-init < /tmp/id_rsa.gitosis.pub  #the correct key

On my Mac, I SSH tunnel localhost:22222 through the firewall to gitosis-server:22.

$ ssh -o ServerAliveInterval=3 -N -L 22222:gitosis-server:22 [email protected]

On my Mac, I created ~/.ssh/config that looks like this...

Host gitosis-server
    Hostname localhost
    IdentityFile ~/.ssh/id_rsa.gitosis
    HostKeyAlias gitosis-server.domain.com
    Port 22222

Then...following the instructions on this site...

http://scie.nti.st/2007/11/14/hosting-git-repositories-the-easy-and-secure-way

...everything after... "Here some cool magic happens. Run this on your local machine:"... just works... except remember to replace the username "git" with "gitosis".

Hope all that nonsense helps somebody. Thanks also for the suggestions I got here....it helped narrow down the problem.

Matt