Self-hosted GitLab asking for SSH password but gitlab.com isn't

I was following GitLab’s official guide on connecting via SSH so that I don’t have to put in my password every time I access the remote server.

While I was following the guide, I made sure to add the same public key to our self-hosted instance and to gitlab.com.

When I tried to test the connection on gitlab.com:

$ ssh -T git@gitlab.com
Welcome to GitLab, @myusername!

However, when I tried to test the connection on our instance:

$ ssh -T git@gitlab.ourdomain.com
Password:

I can’t figure out why it doesn’t work on our self-hosted instance of GitLab - setting up SSH is usually pretty straightforward for me but not this one.

Logs for gitlab.ourdomain.com

I tried to log what was happening and I got this at the end:

debug1: Next authentication method: publickey
debug1: Offering public key: RSA SHA256:CG1uQXxg/P8Zz+PcIjV90aXUw8Y1GsxtvELRtGSk+kM /h/.ssh/id_rsa
debug3: send_pubkey_test
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive
debug1: Trying private key: /h/.ssh/id_dsa
debug3: no such identity: /h/.ssh/id_dsa: No such file or directory
debug1: Trying private key: /h/.ssh/id_ecdsa
debug3: no such identity: /h/.ssh/id_ecdsa: No such file or directory
debug1: Trying private key: /h/.ssh/id_ed25519
debug3: no such identity: /h/.ssh/id_ed25519: No such file or directory
debug1: Trying private key: /h/.ssh/id_xmss
debug3: no such identity: /h/.ssh/id_xmss: No such file or directory
debug2: we did not send a packet, disable method
debug3: authmethod_lookup keyboard-interactive
debug3: remaining preferred: password
debug3: authmethod_is_enabled keyboard-interactive
debug1: Next authentication method: keyboard-interactive
debug2: userauth_kbdint
debug3: send packet: type 50
debug2: we sent a keyboard-interactive packet, wait for reply
debug3: receive packet: type 60
debug2: input_userauth_info_req
debug2: input_userauth_info_req: num_prompts 1
Password:

Logs for gitlab.com

debug1: Offering public key: RSA SHA256:CG1uQXxg/P8Zz+PcIjV90aXUw8Y1GsxtvELRtGSk+kM /h/.ssh/id_rsa
debug3: send_pubkey_test
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 60
debug1: Server accepts key: pkalg rsa-sha2-512 blen 535
debug2: input_userauth_pk_ok: fp SHA256:CG1uQXxg/P8Zz+PcIjV90aXUw8Y1GsxtvELRtGSk+kM
debug3: sign_and_send_pubkey: RSA SHA256:CG1uQXxg/P8Zz+PcIjV90aXUw8Y1GsxtvELRtGSk+kM
debug3: send packet: type 50
debug3: receive packet: type 52
debug1: Authentication succeeded (publickey).

It seems you have forgotten to disable password authentication on your server. I would recommend this guide: How to Set Up SSH Keys on Debian 9

And do not forget to edit ~/.ssh/config if you have different keys

Thanks for the guide; however, this completely disables the ability to SSH into the server by using your account name and password, right? I don’t want to do that. I’d like to keep that functionality available for any users in the server.

@gregorip

Yes, it does.

For a personal LAN that may be OK, but if you offer remote access over the internet, that’s a big security risk; you shouldn’t do that. Always keep in mind that even one lazy user who chooses a weak password can cause the entire network/server to be compromised.

This server is on a private IP address, so no, it would not be available externally. My goal here is to be able to use GitLab via public/private key pairs but not force it on all of the users - I’d like the users to be able to use GitLab using the HTTP approach if they prefer.

In your case, this should work:

ssh -T -i ~/.ssh/yourprivatekey git@gitlab.ourdomain.com

You have to replace yourprivatekey with the name of your private key.

I was able to solve this with help from our IT department who created the server for us.

It appears that GitLab requires a “git” account to be locally created on the server, defining the appropriate home directory. This may not have occurred on our servers, as we have a centrally-defined “git” user.

I’m not really sure about the details but I thought the GitLab installation creates the local git user automatically?
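
Added example, not part of any post in this thread: the two traces in the first post differ at the server's reply to the key offer (packet type 51 on the self-hosted instance, type 60 on gitlab.com), and the sketch below reads that out of `ssh -vvv` output. It assumes the OpenSSH client debug line formats shown in those traces; `diagnose`, its result keys and the two sample constants (excerpts of the posted logs) are names chosen here.

```python
import re

# SSH_MSG_USERAUTH_* numbers from RFC 4252. Type 60 is method-specific:
# PK_OK during publickey, INFO_REQUEST during keyboard-interactive (RFC 4256).
FAILURE, SUCCESS, METHOD_SPECIFIC = 51, 52, 60

def diagnose(trace):
    """Report how the server answered each key offer in `ssh -vvv` client output."""
    method, pending = None, None  # current auth method; fingerprint awaiting a reply
    out = {"rejected": [], "accepted": [], "fallback": None, "authenticated_by": None}
    for line in trace.splitlines():
        line = line.strip()
        if m := re.match(r"debug1: Next authentication method: (\S+)", line):
            method = m.group(1)
            if method != "publickey" and out["fallback"] is None:
                out["fallback"] = method  # first non-key method the client moved on to
        elif line.startswith("debug1: Offering public key:"):
            fp = re.search(r"SHA256:\S+", line)
            method, pending = "publickey", (fp.group(0) if fp else line)
        elif m := re.match(r"debug3: receive packet: type (\d+)", line):
            ptype = int(m.group(1))
            if ptype == SUCCESS:
                out["authenticated_by"] = method
            elif method == "publickey" and pending:
                # Only a reply that follows a key offer is read as a key verdict.
                if ptype == FAILURE:
                    out["rejected"].append(pending)
                elif ptype == METHOD_SPECIFIC:
                    out["accepted"].append(pending)
                pending = None
    return out

# Excerpts of the two traces posted above.
SELF_HOSTED = """\
debug1: Next authentication method: publickey
debug1: Offering public key: RSA SHA256:CG1uQXxg/P8Zz+PcIjV90aXUw8Y1GsxtvELRtGSk+kM /h/.ssh/id_rsa
debug3: send packet: type 50
debug3: receive packet: type 51
debug1: Next authentication method: keyboard-interactive
debug3: send packet: type 50
debug3: receive packet: type 60
"""
GITLAB_COM = """\
debug1: Offering public key: RSA SHA256:CG1uQXxg/P8Zz+PcIjV90aXUw8Y1GsxtvELRtGSk+kM /h/.ssh/id_rsa
debug3: send packet: type 50
debug3: receive packet: type 60
debug3: send packet: type 50
debug3: receive packet: type 52
"""
```

For the self-hosted trace the key lands in `rejected` and `fallback` is `keyboard-interactive`: the server's sshd did not accept that key for the `git` login, so the place to look is the server side, which is where the last post found the cause.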