:linkattrs:
= Permission denied (publickey)

With this error message an SSH command to Gerrit is rejected if the
SSH authentication is not successful.

The link:http://en.wikipedia.org/wiki/Secure_Shell[SSH,role=external,window=_blank] protocol can use
link:http://en.wikipedia.org/wiki/Public-key_cryptography[Public-key Cryptography,role=external,window=_blank]
for authentication.
In a typical configuration, Gerrit authenticates you by the public SSH keys
uploaded to your account. Optionally, the administrator can configure it to
allow link:config-gerrit.html#sshd.kerberosKeytab[Kerberos] authentication
instead.

In any case, verify that you are using the correct username for the SSH command
and that it is typed correctly (case sensitive). You can look up your username
in the Gerrit Web UI under 'Settings' -> 'Profile'.

If you are facing this problem and using an SSH keypair, do the following:

. Verify that you have uploaded your public SSH key for your Gerrit
  account. To do this, go to 'Settings' -> 'SSH Public Keys' in the
  Gerrit Web UI and check that your public SSH key is there. If
  your public SSH key is not there, you have to upload it.
. Verify that you are using the correct private SSH key. To find out
  which private SSH key is used, test the SSH authentication as
  described below. From the trace you should see which private SSH
  key is used.

Debugging Kerberos issues can be quite hard given the complexity of the
protocol. If you are using Kerberos authentication, do the following:

. Verify that you have acquired a valid initial ticket. On a Linux machine, you
  can acquire one using the `kinit` command. List all your tickets using the
  `klist` command. It should list all principals for which you have acquired a
  ticket and include a principal name corresponding to your Gerrit server, for
  example `HOST/gerrit.mydomain.tld@MYDOMAIN.TLD`.
  Note that tickets can expire and require you to re-run `kinit` periodically.
. Verify that your SSH client is using Kerberos authentication. For OpenSSH
  clients this can be controlled using the `GSSAPIAuthentication` setting.
  For more information see
  link:user-upload.html#configure_ssh_kerberos[SSH kerberos configuration].

== Test SSH authentication

To test the SSH authentication you can run the following SSH command.
This command will print out a detailed trace which is helpful to
analyze problems with the SSH authentication:

----
  $ ssh -vv -p 29418 john.doe@git.example.com
----

If the SSH authentication is successful you should find the following
lines in the output:

----
  ...

  debug1: Authentication succeeded (publickey).

  ...

  ****    Welcome to Gerrit Code Review    ****

  Hi John Doe, you have successfully connected over SSH.

  Unfortunately, interactive shells are disabled.
  To clone a hosted Git repository, use:

  git clone ssh://john.doe@git.example.com:29418/REPOSITORY_NAME.git

  ...
----
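
The trace check from the keypair steps above, as an added example that is not part of the Gerrit documentation: a small shell filter that reads `ssh -vv` output and reports which keys the client offered and whether authentication succeeded. The sample trace is constructed (its paths and fingerprints are placeholders) and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample of `ssh -vv` client output (not from a real host).
# Key paths and fingerprints are placeholders.
sample_trace() {
cat <<'EOF'
debug1: identity file /home/john/.ssh/id_rsa type 0
debug1: identity file /home/john/.ssh/id_ed25519 type 3
debug1: Authentications that can continue: publickey
debug1: Offering public key: /home/john/.ssh/id_rsa RSA SHA256:CONSTRUCTED-FP-1
debug1: Authentications that can continue: publickey
debug1: Offering public key: /home/john/.ssh/id_ed25519 ED25519 SHA256:CONSTRUCTED-FP-2
debug1: Authentications that can continue: publickey
debug1: No more authentication methods to try.
john.doe@git.example.com: Permission denied (publickey).
EOF
}

# Print each key the client offered, one per line, in the order tried.
# Accepts "Offering public key: PATH ..." and the older
# "Offering RSA public key: PATH" wording. Paths with spaces are cut short.
offered_keys() {
  sed -n 's/^debug1: Offering \([A-Za-z0-9-]* \)\{0,1\}public key: \([^ ]*\).*/\2/p'
}

# Print "succeeded", "denied" or "unknown" for the trace on stdin.
auth_result() {
  awk '
    /^debug1: Authentication succeeded \(/ { r = "succeeded" }
    /Permission denied \(/ { if (r == "") r = "denied" }
    END { print (r == "" ? "unknown" : r) }
  '
}

# Summarize a trace read from stdin and point at the matching step above.
diagnose() {
  trace=$(cat)
  result=$(printf '%s\n' "$trace" | auth_result)
  keys=$(printf '%s\n' "$trace" | offered_keys)
  echo "result: $result"
  [ -n "$keys" ] && printf '%s\n' "$keys" | sed 's/^/offered: /'
  if [ "$result" = "denied" ] && [ -z "$keys" ]; then
    echo "hint: no key was offered; check which private key the client loads"
  elif [ "$result" = "denied" ]; then
    echo "hint: check the offered keys against 'Settings' -> 'SSH Public Keys', and the username"
  fi
}

sample_trace | diagnose
```

On a real client, `ssh -vv -p 29418 john.doe@git.example.com 2>&1 | diagnose` feeds the live trace in, since OpenSSH writes its debug lines to stderr.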

GERRIT
------
Part of link:error-messages.html[Gerrit Error Messages]