| Yuxuan 'fishy' Wang | 61698b1 | 2013-12-20 12:55:51 -0800 | [diff] [blame] | 1 | = Permission denied (publickey) |
| Edwin Kempin | 014de30 | 2011-01-11 13:42:44 +0100 | [diff] [blame] | 2 | |
| David Pursehouse | 221d4f6 | 2012-06-08 17:38:08 +0900 | [diff] [blame] | 3 | With this error message an SSH command to Gerrit is rejected if the |
| Edwin Kempin | 014de30 | 2011-01-11 13:42:44 +0100 | [diff] [blame] | 4 | SSH authentication is not successful. |
| 5 | |
| Gert van Dijk | dc4f8d1 | 2017-08-27 21:14:23 +0200 | [diff] [blame] | 6 | The link:http://en.wikipedia.org/wiki/Secure_Shell[SSH] protocol can use |
| 7 | link:http://en.wikipedia.org/wiki/Public-key_cryptography[Public-key Cryptography] |
| 8 | for authentication. |
| 9 | In general configurations, Gerrit will authenticate you by the public keys |
| 10 | known to you. Optionally, it can be configured by the administrator to allow |
| 11 | for link:config-gerrit.html#sshd.kerberosKeytab[kerberos] authentication |
| 12 | instead. |
| Edwin Kempin | 014de30 | 2011-01-11 13:42:44 +0100 | [diff] [blame] | 13 | |
| Gert van Dijk | dc4f8d1 | 2017-08-27 21:14:23 +0200 | [diff] [blame] | 14 | In any case, verify that you are using the correct username for the SSH command |
| 15 | and that it is typed correctly (case sensitive). You can look up your username |
| 16 | in the Gerrit Web UI under 'Settings' -> 'Profile'. |
| Edwin Kempin | ddfc41a | 2011-05-06 10:32:05 +0200 | [diff] [blame] | 17 | |
| Gert van Dijk | dc4f8d1 | 2017-08-27 21:14:23 +0200 | [diff] [blame] | 18 | If you are facing this problem and using an SSH keypair, do the following: |
| 19 | |
| Edwin Kempin | ddfc41a | 2011-05-06 10:32:05 +0200 | [diff] [blame] | 20 | . Verify that you have uploaded your public SSH key for your Gerrit |
| David Pursehouse | a1d633b | 2014-05-02 17:21:02 +0900 | [diff] [blame] | 21 | account. To do this go in the Gerrit Web UI to 'Settings' -> |
| Edwin Kempin | ddfc41a | 2011-05-06 10:32:05 +0200 | [diff] [blame] | 22 | 'SSH Public Keys' and check that your public SSH key is there. If |
| 23 | your public SSH key is not there you have to upload it. |
| 24 | . Verify that you are using the correct private SSH key. To find out |
| 25 | which private SSH key is used test the SSH authentication as |
| 26 | described below. From the trace you should see which private SSH |
| 27 | key is used. |
| Edwin Kempin | 014de30 | 2011-01-11 13:42:44 +0100 | [diff] [blame] | 28 | |
| Gert van Dijk | dc4f8d1 | 2017-08-27 21:14:23 +0200 | [diff] [blame] | 29 | Debugging kerberos issues can be quite hard given the complexity of the |
| 30 | protocol. In case you are using kerberos authentication, do the following: |
| 31 | |
| 32 | . Verify that you have acquired a valid initial ticket. On a Linux machine, you |
| 33 | can acquire one using the `kinit` command. List all your tickets using the |
| 34 | `klist` command. It should list all principals for which you have acquired a |
| 35 | ticket and include a principal name corresponding to your Gerrit server, for |
| 36 | example `HOST/gerrit.mydomain.tld@MYDOMAIN.TLD`. |
| 37 | Note that tickets can expire and require you to re-run `kinit` periodically. |
| 38 | . Verify that your SSH client is using kerberos authentication. For OpenSSH |
| 39 | clients this can be controlled using the `GSSAPIAuthentication` setting. |
| 40 | For more information see |
| 41 | link:user-upload.html#configure_ssh_kerberos[SSH kerberos configuration]. |
| Edwin Kempin | 014de30 | 2011-01-11 13:42:44 +0100 | [diff] [blame] | 42 | |
| Yuxuan 'fishy' Wang | 61698b1 | 2013-12-20 12:55:51 -0800 | [diff] [blame] | 43 | == Test SSH authentication |
| Edwin Kempin | 014de30 | 2011-01-11 13:42:44 +0100 | [diff] [blame] | 44 | |
| 45 | To test the SSH authentication you can run the following SSH command. |
| 46 | This command will print out a detailed trace which is helpful to |
| 47 | analyze problems with the SSH authentication: |
| 48 | |
| 49 | ---- |
| Hugo Arès | 93ef427 | 2016-03-01 21:50:41 -0500 | [diff] [blame] | 50 | $ ssh -vv -p 29418 john.doe@git.example.com |
| Edwin Kempin | 014de30 | 2011-01-11 13:42:44 +0100 | [diff] [blame] | 51 | ---- |
| 52 | |
| 53 | If the SSH authentication is successful you should find the following |
| 54 | lines in the output: |
| 55 | |
| 56 | ---- |
| 57 | ... |
| 58 | |
| 59 | debug1: Authentication succeeded (publickey). |
| 60 | |
| 61 | ... |
| 62 | |
| 63 | **** Welcome to Gerrit Code Review **** |
| 64 | |
| 65 | Hi John Doe, you have successfully connected over SSH. |
| 66 | |
| 67 | Unfortunately, interactive shells are disabled. |
| 68 | To clone a hosted Git repository, use: |
| 69 | |
| 70 | git clone ssh://john.doe@git.example.com:29418/REPOSITORY_NAME.git |
| 71 | |
| 72 | ... |
| 73 | ---- |
| 74 | |
| 75 | |
| 76 | GERRIT |
| 77 | ------ |
| 78 | Part of link:error-messages.html[Gerrit Error Messages] |
| Yuxuan 'fishy' Wang | 99cb68d | 2013-10-31 17:26:00 -0700 | [diff] [blame] | 79 | |
| 80 | SEARCHBOX |
| 81 | --------- |
