Cannot connect via SSH after gitlab server migration

binibitobi · April 4, 2022, 12:02pm

Hi all,

We migrated our Omnibus Gitlab server to a new VM and then updated it from version 14.4.2 to 14.9.1.

Since then, I can no longer make commits or pulls by SSH:

Permission denied (publickey) fatal : Could not read from remote repository

I deleted then re-added my SSH key with no results. The connection via HTTPS is functional.

I specify that it worked correctly on the old server.

Thank you in advance for your help.

balonik · April 4, 2022, 12:37pm

Hi @binibitobi

What is the key type (rsa/ecdsa/ed/other)?
IP or domain changed? If you had it configured in .ssh/config have you updated it as well?

binibitobi · April 4, 2022, 2:01pm

Hi @balonik,

This is an ed_25519 SSH key. I tried to remove it and add it again but it still doesn’t work.

The new server has the same FQDN and IP address.

balonik · April 4, 2022, 2:03pm

does ssh git@yourgitlab.example.com works?

binibitobi · April 4, 2022, 2:12pm

It doesn’t work:

ssh git@git.xxx.xx
git@git.xxx.xx: Permission denied (publickey).

balonik · April 4, 2022, 2:17pm

At this point I would look at OpenSSH daemon logs on the GitLab server as well as in gitlab-rails logs to see why it fails.

binibitobi · April 4, 2022, 3:44pm

It was indeed a problem with the SSH server.

The logs said “User git not allowed because account is locked”. I was able to unlock it via “sudo passwd -u git”.

Then the logs said “User git from XXX.XXX.XXX.XXX not allowed because none of user’s groups are listed in AllowGroups”. I added the “git” group in the AllowGroups parameter of the /etc/ssh/sshd_config file.

Do you have, please, an idea of why I had to do these manipulations on a fresh installation?

balonik · April 5, 2022, 4:10pm

That depends on the distro used and what hardening is applied on it. AFAIK that is not related to Gitlab install itself.

binibitobi · April 7, 2022, 7:59am

Hi @balonik,

By default, gitlab configuration allows SSH login on git user ?

I will look to see if our server post-installation procedures may have altered the configuration of the git user and SSH server.

balonik · April 7, 2022, 8:15am

Hi @binibitobi

I am not familiar with all Linux distros/versions default SSH config, but Gitlab does not change SSH daemon configuration during instalation. It just creates standard user git and expects SSH is already setup and working.

binibitobi · April 7, 2022, 8:41am

We use ansible to harden the SSH server. It modifies the sshd_config configuration file. This probably explains why the “git” user was not authorized by default.

However, I don’t understand why the git user got “locked”:

User git not allowed because account is locked

balonik · April 7, 2022, 9:05am

Do you use some autolocking like pam_tally2 or pam_faillock?

binibitobi · April 8, 2022, 7:08am

Hi @balonik,

We don’t use either.