tickets #139184
Git via SSH to code.o.o
Status: closed
Description
Hi,
pagure01.i.o.o was moved and both HTTPS and SSH were configured through a special listener on our HAProxy setup.
HTTPS works fine. SSH to generic users works fine (well, fine as in, it refuses authentication, as expected by the AllowUsers setting). But SSH to the git user does not work.
$ ssh git@code.opensuse.org
kex_exchange_identification: Connection closed by remote host
Connection closed by 2a07:de40:b27e:1204::13 port 22
This also shows with git operations using a ssh:// remote pointing to code.opensuse.org.
The debug output in the system journal on pagure01 is massive, but not very helpful.
Updated by crameleon about 1 year ago
Currently you can reach a shell on the machine from a VPN client using
$ ssh -4AJ thor1.infra.opensuse.org pagure01.infra.opensuse.org
Note that all hosts are now strictly firewalled, I allowed pagure01 HTTPS access to "itself" through the proxy as well as HTTPS access to GitHub (seems to be required for repository mirroring?), but I couldn't tell what else is legitimate traffic. Hence if any other outside communication is required let me know as well.
Updated by Pharaoh_Atem about 1 year ago
Based on what I can see here with "ssh -vvvvT git@code.opensuse.org", it never makes it to the pagure machine.
ngompa@Belldandy-Slimbook ~> ssh -vvvvT git@code.opensuse.org
OpenSSH_9.3p1, OpenSSL 3.1.1 30 May 2023
debug1: Reading configuration data /etc/ssh/ssh_config
debug3: /etc/ssh/ssh_config line 55: Including file /etc/ssh/ssh_config.d/50-redhat.conf depth 0
debug1: Reading configuration data /etc/ssh/ssh_config.d/50-redhat.conf
debug2: checking match for 'final all' host code.opensuse.org originally code.opensuse.org
debug3: /etc/ssh/ssh_config.d/50-redhat.conf line 3: not matched 'final'
debug2: match not found
debug3: /etc/ssh/ssh_config.d/50-redhat.conf line 5: Including file /etc/crypto-policies/back-ends/openssh.config depth 1 (parse only)
debug1: Reading configuration data /etc/crypto-policies/back-ends/openssh.config
debug3: gss kex names ok: [gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512-]
debug3: kex names ok: [curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512]
debug1: configuration requests final Match pass
debug1: re-parsing configuration
debug1: Reading configuration data /etc/ssh/ssh_config
debug3: /etc/ssh/ssh_config line 55: Including file /etc/ssh/ssh_config.d/50-redhat.conf depth 0
debug1: Reading configuration data /etc/ssh/ssh_config.d/50-redhat.conf
debug2: checking match for 'final all' host code.opensuse.org originally code.opensuse.org
debug3: /etc/ssh/ssh_config.d/50-redhat.conf line 3: matched 'final'
debug2: match found
debug3: /etc/ssh/ssh_config.d/50-redhat.conf line 5: Including file /etc/crypto-policies/back-ends/openssh.config depth 1
debug1: Reading configuration data /etc/crypto-policies/back-ends/openssh.config
debug3: gss kex names ok: [gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512-]
debug3: kex names ok: [curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512]
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts' -> '/home/ngompa/.ssh/known_hosts'
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts2' -> '/home/ngompa/.ssh/known_hosts2'
debug2: resolving "code.opensuse.org" port 22
debug3: resolve_host: lookup code.opensuse.org:22
debug3: ssh_connect_direct: entering
debug1: Connecting to code.opensuse.org [195.135.223.57] port 22.
debug3: set_sock_tos: set socket 3 IP_TOS 0x48
debug1: Connection established.
debug1: identity file /home/ngompa/.ssh/id_rsa type 0
debug1: identity file /home/ngompa/.ssh/id_rsa-cert type -1
debug1: identity file /home/ngompa/.ssh/id_ecdsa type -1
debug1: identity file /home/ngompa/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/ngompa/.ssh/id_ecdsa_sk type -1
debug1: identity file /home/ngompa/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file /home/ngompa/.ssh/id_ed25519 type -1
debug1: identity file /home/ngompa/.ssh/id_ed25519-cert type -1
debug1: identity file /home/ngompa/.ssh/id_ed25519_sk type -1
debug1: identity file /home/ngompa/.ssh/id_ed25519_sk-cert type -1
debug1: identity file /home/ngompa/.ssh/id_xmss type -1
debug1: identity file /home/ngompa/.ssh/id_xmss-cert type -1
debug1: identity file /home/ngompa/.ssh/id_dsa type -1
debug1: identity file /home/ngompa/.ssh/id_dsa-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_9.3
kex_exchange_identification: Connection closed by remote host
Connection closed by 195.135.223.57 port 22
On the server side, the sshd log in the journal does not indicate it received the connection request at all.
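Added example, not part of the ticket or of any openSUSE tooling: a small probe that runs only the SSH identification exchange (RFC 4253, section 4.2) against every address a name resolves to, so a listener that closes before sending its "SSH-" line can be told apart, per IPv4/IPv6 address, from one that reaches sshd. The client identification string, the byte cap and the function names are assumptions made for this sketch.

```python
import socket

CLIENT_ID = b"SSH-2.0-bannerprobe_0.1\r\n"   # hypothetical identification string
MAX_PREAMBLE = 8192                          # arbitrary cap on pre-banner bytes

def read_banner(sock):
    """Run the identification exchange on a connected socket.

    Returns (stage, detail); stage is "banner", "closed_before_banner" or "timeout".
    """
    buf = b""
    try:
        try:
            sock.sendall(CLIENT_ID)      # the OpenSSH client also sends its string first
        except OSError:
            pass                         # peer already gone; still drain what it sent
        while len(buf) < MAX_PREAMBLE:
            chunk = sock.recv(256)
            if not chunk:                # EOF: ssh reports this as
                break                    # "kex_exchange_identification: Connection closed"
            buf += chunk
            # A server may send other lines before the one starting with "SSH-".
            for line in buf.split(b"\n")[:-1]:
                if line.startswith(b"SSH-"):
                    return "banner", line.rstrip(b"\r").decode("ascii", "replace")
    except socket.timeout:
        return "timeout", ""
    except OSError as exc:
        return "closed_before_banner", str(exc)
    return "closed_before_banner", ""

def probe(host, port=22, timeout=5.0):
    """Probe each resolved address separately (IPv4 and IPv6 may hit different listeners)."""
    results = {}
    for family, _, _, _, addr in socket.getaddrinfo(host, port, type=socket.SOCK_STREAM):
        try:
            with socket.socket(family, socket.SOCK_STREAM) as sock:
                sock.settimeout(timeout)
                sock.connect(addr)
                results[addr[0]] = read_banner(sock)
        except OSError as exc:
            results[addr[0]] = ("connect_failed", str(exc))
    return results

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    for address, outcome in probe(target).items():
        print(address, *outcome)
```

A "closed_before_banner" result on an address where sshd logs nothing points at the hop in front of sshd rather than at sshd's own authentication settings.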
Updated by crameleon about 1 year ago
So why does it make it to the machine with any other username? Try your command with foobar@code.opensuse.org - it makes it all the way to a passphrase prompt.
Updated by Pharaoh_Atem about 1 year ago
I don't know, but it's outside of my view in the pagure VM.
Updated by crameleon about 1 year ago
Well, it works now without me having changed anything. :)
$ ssh git@code.opensuse.org
PTY allocation request failed
Welcome crameleon. This server does not offer shell access.
Shared connection to code.opensuse.org closed.
Git push works as well.
Updated by Pharaoh_Atem about 1 year ago
- Status changed from New to Closed
I don't know if I like that, but okay...
Updated by crameleon about 1 year ago
- Category changed from Git(lab|hub) to Pagure