gerrit/Documentation/error-permission-denied.txt
Gert van Dijk dc4f8d1723 Documentation: Also consider the use of kerberos authentication over SSH
Most documentation assumed the use of SSH public key authentication. This
change removes that assumption and adds some hints on client configuration
with OpenSSH and kerberos.

Change-Id: I4d5654a088a68afd740d3e4e91eaf15d0bbf58b1
2017-08-28 01:44:52 +02:00

= Permission denied (publickey)

Gerrit rejects an SSH command with this error message if the
SSH authentication is not successful.

The link:http://en.wikipedia.org/wiki/Secure_Shell[SSH] protocol can use
link:http://en.wikipedia.org/wiki/Public-key_cryptography[Public-key Cryptography]
for authentication.
In a typical configuration, Gerrit authenticates you using the public SSH
keys uploaded to your account. Optionally, the administrator can configure
it to allow
link:config-gerrit.html#sshd.kerberosKeytab[Kerberos] authentication
instead.

In any case, verify that you are using the correct username for the SSH command
and that it is typed correctly (it is case sensitive). You can look up your
username in the Gerrit Web UI under 'Settings' -> 'Profile'.

If you are facing this problem and using an SSH keypair, do the following:

. Verify that you have uploaded your public SSH key for your Gerrit
account. To do this, go to 'Settings' -> 'SSH Public Keys' in the
Gerrit Web UI and check that your public SSH key is there. If
your public SSH key is not there, you have to upload it.
. Verify that you are using the correct private SSH key. To find out
which private SSH key is used, test the SSH authentication as
described below. The trace should show which private SSH
key is used.

Debugging Kerberos issues can be quite hard given the complexity of the
protocol. If you are using Kerberos authentication, do the following:

. Verify that you have acquired a valid initial ticket. On a Linux machine, you
can acquire one using the `kinit` command. List all your tickets using the
`klist` command. It should list all principals for which you have acquired a
ticket and include a principal name corresponding to your Gerrit server, for
example `HOST/gerrit.mydomain.tld@MYDOMAIN.TLD`.
Note that tickets can expire and require you to re-run `kinit` periodically.
. Verify that your SSH client is using Kerberos authentication. For OpenSSH
clients this can be controlled using the `GSSAPIAuthentication` setting.
For more information see
link:user-upload.html#configure_ssh_kerberos[SSH Kerberos configuration].

== Test SSH authentication

To test the SSH authentication you can run the following SSH command.
This command will print out a detailed trace which is helpful to
analyze problems with the SSH authentication:

----
$ ssh -vv -p 29418 john.doe@git.example.com
----

If the SSH authentication is successful you should find the following
lines in the output:

----
...
debug1: Authentication succeeded (publickey).
...
**** Welcome to Gerrit Code Review ****
Hi John Doe, you have successfully connected over SSH.
Unfortunately, interactive shells are disabled.
To clone a hosted Git repository, use:
git clone ssh://john.doe@git.example.com:29418/REPOSITORY_NAME.git
...
----
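
The trace check described above, as an added example that is not part of the Gerrit documentation: a shell function that condenses `ssh -vv` output into the methods the server accepts, the methods the client tried (for example `publickey` or `gssapi-with-mic`), the key files it offered, and the result. The function names and the sample trace are constructed for illustration, and the `debug1:` line formats are assumed to be those printed by the OpenSSH client.

```shell
#!/bin/sh
# Added example (not from the Gerrit docs): condense an `ssh -vv` trace on stdin.
summarize_ssh_trace() {
  awk '
    /^debug1: Authentications that can continue: / {
      sub(/^debug1: Authentications that can continue: /, ""); allowed = $0
    }
    /^debug1: Next authentication method: / {
      tried = tried (tried == "" ? "" : ",") $NF
    }
    # Older clients print "Offering RSA public key: PATH"; newer ones print
    # "Offering public key: PATH TYPE FINGERPRINT". PATH is the first field
    # once the prefix is stripped (assumes the path contains no spaces).
    /^debug1: Offering .*public key: / {
      sub(/^debug1: Offering .*public key: /, ""); print "offered-key=" $1
    }
    /^debug1: Authentication succeeded \(/ {
      m = $0; sub(/^.*\(/, "", m); sub(/\).*$/, "", m); ok = m
    }
    /Permission denied \(/ { denied = 1 }
    END {
      print "server-allows=" allowed
      print "methods-tried=" tried
      if (ok != "") print "result=succeeded:" ok
      else if (denied) print "result=denied"
      else print "result=unknown"
    }'
}

# Constructed sample trace: the client offers a key the server does not accept.
sample_denied_trace() {
  cat <<'EOF'
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering public key: /home/john/.ssh/id_rsa RSA SHA256:CONSTRUCTED
debug1: Authentications that can continue: publickey
debug1: No more authentication methods to try.
john.doe@git.example.com: Permission denied (publickey).
EOF
}

sample_denied_trace | summarize_ssh_trace
```

OpenSSH writes the debug trace to stderr, so a real run has to be piped as `ssh -vv -p 29418 john.doe@git.example.com 2>&1 | summarize_ssh_trace`. If `methods-tried` never lists `gssapi-with-mic` on a Kerberos setup, the client did not attempt Kerberos authentication at all.
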

GERRIT
------
Part of link:error-messages.html[Gerrit Error Messages]

SEARCHBOX
---------