Cannot connect via SSH after gitlab server migration

Hi all,

We migrated our Omnibus Gitlab server to a new VM and then updated it from version 14.4.2 to 14.9.1.

Since then, I can no longer make commits or pulls by SSH:

Permission denied (publickey) fatal : Could not read from remote repository

I deleted then re-added my SSH key with no results. The connection via HTTPS is functional.

I specify that it worked correctly on the old server.

Thank you in advance for your help.

Hi @binibitobi

What is the key type (rsa/ecdsa/ed/other)?
IP or domain changed? If you had it configured in .ssh/config have you updated it as well?

Hi @balonik,

This is an ed_25519 SSH key. I tried to remove it and add it again but it still doesn’t work.

The new server has the same FQDN and IP address.

does ssh works?

It doesn’t work:

ssh Permission denied (publickey).

At this point I would look at OpenSSH daemon logs on the GitLab server as well as in gitlab-rails logs to see why it fails.

It was indeed a problem with the SSH server.

The logs said “User git not allowed because account is locked”. I was able to unlock it via “sudo passwd -u git”.

Then the logs said “User git from XXX.XXX.XXX.XXX not allowed because none of user’s groups are listed in AllowGroups”. I added the “git” group in the AllowGroups parameter of the /etc/ssh/sshd_config file.

Do you have, please, an idea of why I had to do these manipulations on a fresh installation?

That depends on the distro used and what hardening is applied on it. AFAIK that is not related to Gitlab install itself.

Hi @balonik,

By default, gitlab configuration allows SSH login on git user ?

I will look to see if our server post-installation procedures may have altered the configuration of the git user and SSH server.

Hi @binibitobi

I am not familiar with all Linux distros/versions default SSH config, but Gitlab does not change SSH daemon configuration during instalation. It just creates standard user git and expects SSH is already setup and working.

We use ansible to harden the SSH server. It modifies the sshd_config configuration file. This probably explains why the “git” user was not authorized by default.

However, I don’t understand why the git user got “locked”:

User git not allowed because account is locked

Do you use some autolocking like pam_tally2 or pam_faillock?

Hi @balonik,

We don’t use either.