| Marian Harbach | ebeb154 | 2019-12-13 10:42:46 +0100 | [diff] [blame] | 1 | :linkattrs: |
| Yuxuan 'fishy' Wang | 61698b1 | 2013-12-20 12:55:51 -0800 | [diff] [blame] | 2 | = Permission denied (publickey) |
| Edwin Kempin | 014de30 | 2011-01-11 13:42:44 +0100 | [diff] [blame] | 3 | |
| David Pursehouse | 221d4f6 | 2012-06-08 17:38:08 +0900 | [diff] [blame] | 4 | With this error message an SSH command to Gerrit is rejected if the |
| Edwin Kempin | 014de30 | 2011-01-11 13:42:44 +0100 | [diff] [blame] | 5 | SSH authentication is not successful. |
| 6 | |
| Marian Harbach | 3425337 | 2019-12-10 18:01:31 +0100 | [diff] [blame] | 7 | The link:http://en.wikipedia.org/wiki/Secure_Shell[SSH,role=external,window=_blank] protocol can use |
| 8 | link:http://en.wikipedia.org/wiki/Public-key_cryptography[Public-key Cryptography,role=external,window=_blank] |
| Gert van Dijk | dc4f8d1 | 2017-08-27 21:14:23 +0200 | [diff] [blame] | 9 | for authentication. |
| 10 | In general configurations, Gerrit will authenticate you by the public keys |
| 11 | known to you. Optionally, it can be configured by the administrator to allow |
| 12 | for link:config-gerrit.html#sshd.kerberosKeytab[kerberos] authentication |
| 13 | instead. |
| Edwin Kempin | 014de30 | 2011-01-11 13:42:44 +0100 | [diff] [blame] | 14 | |
| Gert van Dijk | dc4f8d1 | 2017-08-27 21:14:23 +0200 | [diff] [blame] | 15 | In any case, verify that you are using the correct username for the SSH command |
| 16 | and that it is typed correctly (case sensitive). You can look up your username |
| 17 | in the Gerrit Web UI under 'Settings' -> 'Profile'. |
| Edwin Kempin | ddfc41a | 2011-05-06 10:32:05 +0200 | [diff] [blame] | 18 | |
| Gert van Dijk | dc4f8d1 | 2017-08-27 21:14:23 +0200 | [diff] [blame] | 19 | If you are facing this problem and using an SSH keypair, do the following: |
| 20 | |
| Edwin Kempin | ddfc41a | 2011-05-06 10:32:05 +0200 | [diff] [blame] | 21 | . Verify that you have uploaded your public SSH key for your Gerrit |
| David Pursehouse | a1d633b | 2014-05-02 17:21:02 +0900 | [diff] [blame] | 22 | account. To do this go in the Gerrit Web UI to 'Settings' -> |
| Edwin Kempin | ddfc41a | 2011-05-06 10:32:05 +0200 | [diff] [blame] | 23 | 'SSH Public Keys' and check that your public SSH key is there. If |
| 24 | your public SSH key is not there you have to upload it. |
| 25 | . Verify that you are using the correct private SSH key. To find out |
| 26 | which private SSH key is used test the SSH authentication as |
| 27 | described below. From the trace you should see which private SSH |
| 28 | key is used. |
| Edwin Kempin | 014de30 | 2011-01-11 13:42:44 +0100 | [diff] [blame] | 29 | |
| Gert van Dijk | dc4f8d1 | 2017-08-27 21:14:23 +0200 | [diff] [blame] | 30 | Debugging kerberos issues can be quite hard given the complexity of the |
| 31 | protocol. In case you are using kerberos authentication, do the following: |
| 32 | |
| 33 | . Verify that you have acquired a valid initial ticket. On a Linux machine, you |
| 34 | can acquire one using the `kinit` command. List all your tickets using the |
| 35 | `klist` command. It should list all principals for which you have acquired a |
| 36 | ticket and include a principal name corresponding to your Gerrit server, for |
| 37 | example `HOST/gerrit.mydomain.tld@MYDOMAIN.TLD`. |
| 38 | Note that tickets can expire and require you to re-run `kinit` periodically. |
| 39 | . Verify that your SSH client is using kerberos authentication. For OpenSSH |
| 40 | clients this can be controlled using the `GSSAPIAuthentication` setting. |
| 41 | For more information see |
| 42 | link:user-upload.html#configure_ssh_kerberos[SSH kerberos configuration]. |
| Edwin Kempin | 014de30 | 2011-01-11 13:42:44 +0100 | [diff] [blame] | 43 | |
| Yuxuan 'fishy' Wang | 61698b1 | 2013-12-20 12:55:51 -0800 | [diff] [blame] | 44 | == Test SSH authentication |
| Edwin Kempin | 014de30 | 2011-01-11 13:42:44 +0100 | [diff] [blame] | 45 | |
| 46 | To test the SSH authentication you can run the following SSH command. |
| 47 | This command will print out a detailed trace which is helpful to |
| 48 | analyze problems with the SSH authentication: |
| 49 | |
| 50 | ---- |
| Hugo Arès | 93ef427 | 2016-03-01 21:50:41 -0500 | [diff] [blame] | 51 | $ ssh -vv -p 29418 john.doe@git.example.com |
| Edwin Kempin | 014de30 | 2011-01-11 13:42:44 +0100 | [diff] [blame] | 52 | ---- |
| 53 | |
| 54 | If the SSH authentication is successful you should find the following |
| 55 | lines in the output: |
| 56 | |
| 57 | ---- |
| 58 | ... |
| 59 | |
| 60 | debug1: Authentication succeeded (publickey). |
| 61 | |
| 62 | ... |
| 63 | |
| 64 | **** Welcome to Gerrit Code Review **** |
| 65 | |
| 66 | Hi John Doe, you have successfully connected over SSH. |
| 67 | |
| 68 | Unfortunately, interactive shells are disabled. |
| 69 | To clone a hosted Git repository, use: |
| 70 | |
| 71 | git clone ssh://john.doe@git.example.com:29418/REPOSITORY_NAME.git |
| 72 | |
| 73 | ... |
| 74 | ---- |
| 75 | |
| 76 | |
| 77 | GERRIT |
| 78 | ------ |
| 79 | Part of link:error-messages.html[Gerrit Error Messages] |
| Yuxuan 'fishy' Wang | 99cb68d | 2013-10-31 17:26:00 -0700 | [diff] [blame] | 80 | |
| 81 | SEARCHBOX |
| 82 | --------- |
