SSH key authentication not working in fresh install

Hi
This question is frequently asked on this forum, but I was not able to find a solution in any of these threads.

  • OS is Alma Linux (RHEL8) with all updates.
  • Gitlab is gitlab-ee-14.2.3-ee.0.el8.x86_64 (fresh install 14.1.3, update path: 14.1.4/14.1.5/14.2.1/14.2.3)
  • Only one gitlab user (me for testing) with only one project and only one local unix user on the server.
  • ssh publickey authentication is working from my laptop to the local user of the server (using ssh-copy-id first)
  • I’ve checked my public key against the one registered in gitlab using: ssh-keygen -l -E md5 -f id_ed25519.pub and it’s OK.
  • I’ve tried to remove my .ssh folder and start with a fresh setup with ssh-keygen -t ed25519 to be sure the access rights are valid on .ssh folder and set $HOME with 700 mode.
  • gitlab-rake gitlab:check says Git user has default SSH configuration? ... yes
  • but ssh -T git@mostgitlab.legi.grenoble-inp.fr still ends with:
debug1: Trying private key: /home/begou/.ssh/id_ecdsa
debug1: Offering ED25519 public key: /home/begou/.ssh/id_ed25519
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Next authentication method: password
git@mostgit.legi.grenoble-inp.fr's password:

Any idea where it goes wrong?
Thanks
Patrick

Try doing:

ssh -vvv git@mostgitlab.legi.grenoble-inp.fr

that way we can see the full chat with ssh and see if there are any errors that we aren’t seeing. Your debug output doesn’t show enough.

Hi iwalker
I had tested this too…
I’ve found a solution now, but I would like to have GitLab users’/developers’ advice about it and its possible side effects.
The problem was neither in the gitlab application nor in ssh; it was a SELinux problem. It looks like the rpm-based install does not take account of SELinux, and SELinux does not like it when home directories are located in /var (the git home directory is /var/opt/gitlab).
So instead of disabling SELinux (which is a security tool) I’ve run:

semanage fcontext -a -t user_home_dir_t /var/opt/gitlab
semanage fcontext -C -l
restorecon -vR /var/opt/gitlab

But I would like to have your opinion on the possible side effects in gitlab.

Thanks
Patrick
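
One way to confirm the SELinux diagnosis described in the post above before relabeling, added here as an example that is not part of the thread: filter the audit log for AVC denials recorded against sshd and print what was denied and which label the target carried. The audit records are constructed, and `sample_log` and `sshd_denials` are hypothetical names.

```shell
#!/bin/sh
# Added example: list SELinux AVC denials recorded for sshd.
# sample_log prints CONSTRUCTED audit records (pids, inodes, timestamps and the
# var_t target type are illustrative, not taken from the thread).
sample_log() {
    cat <<'EOF'
type=AVC msg=audit(1631800000.101:310): avc:  denied  { read } for  pid=2211 comm="sshd" name="authorized_keys" dev="dm-0" ino=1311 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=0
type=USER_AUTH msg=audit(1631800000.150:311): pid=2211 uid=0 msg='op=pubkey acct="git" exe="/usr/sbin/sshd" res=failed'
type=AVC msg=audit(1631800003.412:315): avc:  denied  { getattr } for  pid=2302 comm="httpd" path="/srv/x" dev="dm-0" ino=99 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=0
EOF
}

# Reads audit-log text on stdin; prints "permission name target_type class"
# for every denial whose process name is sshd.
sshd_denials() {
    awk '
    $1 == "type=AVC" && /denied/ && /comm="sshd"/ {
        perm = name = ttype = tclass = "?"
        # The permission list sits between "{ " and " }".
        if (match($0, /[{] [^}]+ [}]/))
            perm = substr($0, RSTART + 2, RLENGTH - 4)
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^name=/)     { name = $i; gsub(/^name=|"/, "", name) }
            # tcontext is user:role:type:level; the type is the third part.
            if ($i ~ /^tcontext=/) { split($i, c, ":"); ttype = c[3] }
            if ($i ~ /^tclass=/)   { tclass = substr($i, 8) }
        }
        print perm, name, ttype, tclass
    }'
}

sample_log | sshd_denials
```

On a real host, feed `/var/log/audit/audit.log` to `sshd_denials` as root instead of `sample_log`; an empty result means sshd was not denied by SELinux and the cause lies elsewhere.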

Hi, usually SELinux isn’t an issue, but sometimes problems do occur, for example if some of the SELinux dependencies/packages were missing before installing GitLab. There were some posts on the forum about it already; I remember these, for example, with RHEL7, so perhaps that explains it for the RHEL8 equivalent. Upgrade to 13.5.1 failed - #3 by iwalker

Is policycoreutils installed? I have installed on Rocky Linux before without any issues, so providing the dependencies as per the Gitlab docs are met, there shouldn’t usually be an issue.

Hi,
yes these packages are deployed:

  • policycoreutils-2.9-14.el8.x86_64
  • libsemanage-2.9-6.el8.x86_64

When updating I only saw one missing prerequisite that was not checked: tar.
It is used for the database backup, but the package was not in the minimal install as rpm uses cpio.

Patrick

Hi @patrickb , I ran into precisely the same problem last year.

I set the SELinux context properly, just like you did, and rebooted my server. Never looked back.

There is only one exception in my implementation: I put users’ accounts into /home, where they traditionally reside.