Permission denied (keyboard-interactive)

Hi everyone,

Infos:
self-managed
[GitLab]13.2.2-ee (618883a1f9d)
GitLab Shell13.3.0
GitLab Workhorsev8.37.0
GitLab APIv4
Ruby2.6.6p146
Rails6.0.3.1
PostgreSQL
Using SSH with googleauth PAM + openssh_key for the regular ssh login.

i have set-up a private gitlab server on my own domain. Everything seems fine but i have a difficult problem with the option to push and pull over ssh.

I created a id_ed25519 key like in the documentation. Added the public part into my Account on the gitlab.
But when i want to test the connection i got the following error: Permission denied (keyboard-interactive).

The “ssh -vT git@git.neosdarkweb.de” throws:
OpenSSH_for_Windows_7.7p1, LibreSSL 2.6.5
debug1: Reading configuration data C:\Users\shado/.ssh/config
debug1: C:\Users\shado/.ssh/config line 15: Applying options for git.neosdarkweb.de
debug1: Connecting to git.neosdarkweb.de [159.69.148.80] port 22.
debug1: Connection established.
debug1: identity file C:\Users\shado/.ssh/id_ed25519 type 3
debug1: key_load_public: No such file or directory
debug1: identity file C:\Users\shado/.ssh/id_ed25519-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_for_Windows_7.7
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.4p1 Debian-10+deb9u7
debug1: match: OpenSSH_7.4p1 Debian-10+deb9u7 pat OpenSSH* compat 0x04000000
debug1: Authenticating to git.neosdarkweb.de:22 as ‘git’
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:Gc+9JdAS+pUixbRDd4mOrfbXLFQTZdLnqEZWduUm1oc
debug1: Host ‘git.neosdarkweb.de’ is known and matches the ECDSA host key.
debug1: Found key in C:\Users\shado/.ssh/known_hosts:4
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey after 134217728 blocks
debug1: pubkey_prepare: ssh_get_authentication_socket: No such file or directory
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering public key: ED25519 SHA256:CzQgYggrpw5KAHG6jjFQVef3PYSSszus8oh55WfpVos C:\Users\shado/.ssh/id_ed25519
debug1: Server accepts key: pkalg ssh-ed25519 blen 51
Authenticated with partial success.
debug1: Authentications that can continue: keyboard-interactive
debug1: No more authentication methods to try.
git@git.neosdarkweb.de: Permission denied (keyboard-interactive).

So what i can see is that the ED25519 key is loaded and accapted. But that it closes… But why?

tail -f /var/log/auth.log
Aug 5 14:05:45 mail sshd[6805]: Connection closed by 188.x.x.x port 64291 [preauth]
Aug 5 14:05:45 mail sshd[6804]: Connection reset by 188.x.x.x port 64292 [preauth]

Did i missed something or will gitlab doesnt work with ssh + keyfile + pam for git actions?

Thank you all for helping me.

Greeting
NEo-Shadow02

I disabled/changed following lines in my /etc/ssh/sshd_config

ChallengeResponseAuthentication no
# ChallengeResponseAuthentication yes
# from yes to no

# AuthenticationMethods publickey,keyboard-interactive
# outcommented

# PasswordAuthentication yes
PasswordAuthentication no
# from yes to no

than
sudo systemctl restart sshd.service

and i can connect with my git@git.neosdarkweb.de.

So what do i need to change to stay with my 2fa login in ssh and still use the simply auth with keyfile at git@git.neosdarkweb.de?

So after a lot of researching for the handling of the sshd_config i found a solution.

In the end of the config file you only need to add this:

Match User git
AuthenticationMethods publickey

With that you further dont need more changes in your sshd_config.

Thank you for your help.

1 Like