Documentation/error-permission-denied.txt - gerrit - Git at Google

 :linkattrs:
 = Permission denied (publickey)

 With this error message an SSH command to Gerrit is rejected if the
 SSH authentication is not successful.

 The link:http://en.wikipedia.org/wiki/Secure_Shell[SSH,role=external,window=_blank] protocol can use
 link:http://en.wikipedia.org/wiki/Public-key_cryptography[Public-key Cryptography,role=external,window=_blank]
 for authentication.
 In general configurations, Gerrit will authenticate you by the public keys
 known to you. Optionally, it can be configured by the administrator to allow
 for link:config-gerrit.html#sshd.kerberosKeytab[kerberos] authentication
 instead.

 In any case, verify that you are using the correct username for the SSH command
 and that it is typed correctly (case sensitive). You can look up your username
 in the Gerrit Web UI under 'Settings' -> 'Profile'.

 If you are facing this problem and using an SSH keypair, do the following:

 . Verify that you have uploaded your public SSH key for your Gerrit
   account. To do this go in the Gerrit Web UI to 'Settings' ->
   'SSH Public Keys' and check that your public SSH key is there. If
   your public SSH key is not there you have to upload it.
 . Verify that you are using the correct private SSH key. To find out
   which private SSH key is used test the SSH authentication as
   described below. From the trace you should see which private SSH
   key is used.

 Debugging kerberos issues can be quite hard given the complexity of the
 protocol. In case you are using kerberos authentication, do the following:

 . Verify that you have acquired a valid initial ticket. On a Linux machine, you
   can acquire one using the `kinit` command. List all your tickets using the
   `klist` command. It should list all principals for which you have acquired a
   ticket and include a principal name corresponding to your Gerrit server, for
   example `HOST/gerrit.mydomain.tld@MYDOMAIN.TLD`.
   Note that tickets can expire and require you to re-run `kinit` periodically.
 . Verify that your SSH client is using kerberos authentication. For OpenSSH
   clients this can be controlled using the `GSSAPIAuthentication` setting.
   For more information see
   link:user-upload.html#configure_ssh_kerberos[SSH kerberos configuration].

 == Test SSH authentication

 To test the SSH authentication you can run the following SSH command.
 This command will print out a detailed trace which is helpful to
 analyze problems with the SSH authentication:

 ----
   $ ssh -vv -p 29418 john.doe@git.example.com
 ----

 If the SSH authentication is successful you should find the following
 lines in the output:

 ----
   ...

   debug1: Authentication succeeded (publickey).

   ...

   ****    Welcome to Gerrit Code Review    ****

   Hi John Doe, you have successfully connected over SSH.

   Unfortunately, interactive shells are disabled.
   To clone a hosted Git repository, use:

   git clone ssh://john.doe@git.example.com:29418/REPOSITORY_NAME.git

   ...
 ----


 GERRIT
 ------
 Part of link:error-messages.html[Gerrit Error Messages]

 SEARCHBOX
 ---------
	:linkattrs:
	= Permission denied (publickey)

	With this error message an SSH command to Gerrit is rejected if the
	SSH authentication is not successful.

	The link:http://en.wikipedia.org/wiki/Secure_Shell[SSH,role=external,window=_blank] protocol can use
	link:http://en.wikipedia.org/wiki/Public-key_cryptography[Public-key Cryptography,role=external,window=_blank]
	for authentication.
	In general configurations, Gerrit will authenticate you by the public keys
	known to you. Optionally, it can be configured by the administrator to allow
	for link:config-gerrit.html#sshd.kerberosKeytab[kerberos] authentication
	instead.

	In any case, verify that you are using the correct username for the SSH command
	and that it is typed correctly (case sensitive). You can look up your username
	in the Gerrit Web UI under 'Settings' -> 'Profile'.

	If you are facing this problem and using an SSH keypair, do the following:

	. Verify that you have uploaded your public SSH key for your Gerrit
	account. To do this go in the Gerrit Web UI to 'Settings' ->
	'SSH Public Keys' and check that your public SSH key is there. If
	your public SSH key is not there you have to upload it.
	. Verify that you are using the correct private SSH key. To find out
	which private SSH key is used test the SSH authentication as
	described below. From the trace you should see which private SSH
	key is used.

	Debugging kerberos issues can be quite hard given the complexity of the
	protocol. In case you are using kerberos authentication, do the following:

	. Verify that you have acquired a valid initial ticket. On a Linux machine, you
	can acquire one using the `kinit` command. List all your tickets using the
	`klist` command. It should list all principals for which you have acquired a
	ticket and include a principal name corresponding to your Gerrit server, for
	example `HOST/gerrit.mydomain.tld@MYDOMAIN.TLD`.
	Note that tickets can expire and require you to re-run `kinit` periodically.
	. Verify that your SSH client is using kerberos authentication. For OpenSSH
	clients this can be controlled using the `GSSAPIAuthentication` setting.
	For more information see
	link:user-upload.html#configure_ssh_kerberos[SSH kerberos configuration].

	== Test SSH authentication

	To test the SSH authentication you can run the following SSH command.
	This command will print out a detailed trace which is helpful to
	analyze problems with the SSH authentication:

	----
	$ ssh -vv -p 29418 john.doe@git.example.com
	----

	If the SSH authentication is successful you should find the following
	lines in the output:

	----
	...

	debug1: Authentication succeeded (publickey).

	...

	** Welcome to Gerrit Code Review **

	Hi John Doe, you have successfully connected over SSH.

	Unfortunately, interactive shells are disabled.
	To clone a hosted Git repository, use:

	git clone ssh://john.doe@git.example.com:29418/REPOSITORY_NAME.git

	...
	----


	GERRIT
	------
	Part of link:error-messages.html[Gerrit Error Messages]

	SEARCHBOX
	---------