Dear Lazyweb: Why don’t public ssh repository sites like me?

So, a couple of months back, I tried to set up a git repository on repo.or.cz. No dice; it didn’t seem to like my ssh key and I was never able to push. Never got a response to my email either.

I figured I’d try again with gitorious.org. So I go over there and create an account, upload my public ssh key, create a project, try to push…and am prompted for a password (yes I remembered to run ssh-add first). While I’m no ssh expert, I have used ssh keys before to connect between systems without having to enter a password for each connection, so I’m a bit perplexed at what’s wrong.

Since gitorious.org allows me to remove or add additional keys myself (unlike repo.or.cz), I tried playing around with adding others (and selectively adding or removing keys from my ssh key agent with ssh-add). Here’s what I’m doing:

$ ssh-keygen -t dsa -f gitorious -C "newren@gitorious.org"
$ cp gitorious* ~/.ssh
$ ssh-add ~/.ssh/gitorious
<Enter appropriate password>
<Copy & paste contents of ~/.ssh/gitorious.pub into the add ssh key thing at the gitorious.org site>
<Periodically reload http://gitorious.org/account until my new public ssh key is shown>
$ git push newren@gitorious.org:eg/mainline.git
newren@gitorious.org's password:
<Hit Ctrl-C>
$ ssh -v newren@gitorious.org echo hi
<I snipped a lot of output here>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering public key: /home/newren/.ssh/gitorious
debug1: Authentications that can continue: publickey,password
debug1: Trying private key: /home/newren/.ssh/id_rsa
debug1: Trying private key: /home/newren/.ssh/id_dsa
debug1: Next authentication method: password
newren@gitorious.org's password:
<Hit Ctrl-C>

I know lots of other people are using these sites without problems. Which step or steps am I doing wrong?

UPDATE: Many thanks for the different suggestions. Adam G spotted the problem; my push command should have been
$ git push git@gitorious.org:eg/mainline.git
instead of
$ git push newren@gitorious.org:eg/mainline.git
I suspect my problem with repo.or.cz was the same thing.
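Two checks for the failure shown above, as an added example that is not part of the original post or of gitorious.org's tooling: the first reads an "ssh -v" transcript and says what became of the offered key (the transcript above shows the key being offered, the server answering with "Authentications that can continue: publickey,password" again, and ssh falling through to password auth, which is what a key that matches no authorized_keys entry for the login user looks like); the second rewrites a git remote so the login user is the site's shared account. Assumed here: the site authenticates everybody as "git" and tells users apart by key (true of gitorious.org per the update), the sample transcripts are constructed from the lines above, and the "Server accepts key:" wording is the newer OpenSSH form, with older versions printing only "Authentication succeeded (publickey)".

```shell
#!/bin/sh
# Added example, not code from the original post: triage an "ssh -v"
# transcript and rewrite a git remote to use the shared login account.
#
# Assumptions: the hosting site accepts every user as "git" and tells them
# apart by key (gitorious.org, per the post's update); transcripts use
# OpenSSH's "debug1:" wording; sample transcripts below are constructed.

# Constructed sample: the publickey part of the post's failed run.
SAMPLE_FAIL='debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering public key: /home/newren/.ssh/gitorious
debug1: Authentications that can continue: publickey,password
debug1: Trying private key: /home/newren/.ssh/id_rsa
debug1: Trying private key: /home/newren/.ssh/id_dsa
debug1: Next authentication method: password'

# Constructed sample: the same key when the server accepts it.
SAMPLE_OK='debug1: Offering public key: /home/newren/.ssh/gitorious
debug1: Server accepts key: /home/newren/.ssh/gitorious
debug1: Authentication succeeded (publickey).'

# Read a transcript on stdin and print one verdict line:
#   accepted <key>     the server took an offered key
#   rejected <keys>    keys were offered, none matched the login user's
#                      authorized_keys, and ssh moved on to password auth
#   no-key-offered     ssh found nothing to offer (key not in the agent
#                      and no IdentityFile for this host)
ssh_auth_verdict() {
    awk '
        function verdict() { return (offered == "") ? "no-key-offered" : ("rejected" offered) }
        # "debug1: Offering public key: /path [type fingerprint agent]": field 5 is the path
        /Offering public key:/ { offered = offered " " $5 }
        /Server accepts key:/ { print "accepted " $5; done = 1; exit }
        /Authentication succeeded \(publickey\)/ { print "accepted" offered; done = 1; exit }
        /Next authentication method: password/ { print verdict(); done = 1; exit }
        END { if (!done) print verdict() }
    '
}

# Rewrite the login user of an ssh git remote to the shared account
# ($2, default "git"). Handles scp-like [user@]host:path and ssh:// URLs;
# anything else is echoed unchanged with a non-zero status.
git_remote_as_shared_user() {
    shared=${2:-git}
    case $1 in
        ssh://*) ;;                                   # ssh URL form
        *://*)  printf '%s\n' "$1"; return 1 ;;       # http(s)/git: no ssh login at all
        *:*)    ;;                                    # scp-like [user@]host:path
        *)      printf '%s\n' "$1"; return 1 ;;       # local path
    esac
    printf '%s\n' "$1" | sed -E "s#^(ssh://)?([^@/:]+@)?([^@/:]+)([:/])#\\1${shared}@\\3\\4#"
}

# Demo: the post's failing transcript and its remote.
printf '%s\n' "$SAMPLE_FAIL" | ssh_auth_verdict                # rejected /home/newren/.ssh/gitorious
printf '%s\n' "$SAMPLE_OK" | ssh_auth_verdict                  # accepted /home/newren/.ssh/gitorious
git_remote_as_shared_user newren@gitorious.org:eg/mainline.git # git@gitorious.org:eg/mainline.git
```

Run it as `ssh -v git@gitorious.org echo hi 2>&1 | sh -c '. ./check.sh; ssh_auth_verdict'` or simply paste the transcript in; a "rejected" verdict with the right key offered points at the server side (wrong login user, key not registered, or a key type the server no longer accepts) rather than at the agent.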

12 thoughts on “Dear Lazyweb: Why don’t public ssh repository sites like me?”

  1. Maybe their sshd does not accept DSA keys anymore (since the Debian openssl debacle), while their frontend still happily accepts them.

    It is recommended to use RSA keys these days anyway (although a lot of default code/command snippets still use id_dsa etc. as examples)

  2. Since your gitorious key pair is apparently not your normal key pair, you need to add the private key to an IdentityFile line in ~/.ssh/config, otherwise ssh won’t know to look at it. See ‘man ssh_config’ for details.

  3. Some sites (notably Debian and freedesktop.org) don’t accept DSA keys, because of the Debian OpenSSL PRNG vulnerability (an RSA key is vulnerable if it was *generated* on a vulnerable system, which can be detected; a DSA key is vulnerable if it was ever *used* on a vulnerable system, which can’t).

  4. You’ve probably checked, but perhaps those keys are DSA keys — many servers silently reject DSA keys these days, as they are less secure than RSA, compounded with the Debian OpenSSH debacle.

  5. First, I had no problems with repo.or.cz, and its author and maintainer (Petr Baudis) is usually responsive. I can push to repo.or.cz without problems; alternatively you can set a repository on repo.or.cz to mirror your repository instead, by polling periodically (but I haven’t used this setup personally).

    I used ssh-keygen to generate a key, copied it to ~/.ssh, pasted the public key on repo.or.cz (the *.pub file; I don’t know, perhaps now it can be simply uploaded). Then I use ssh-add to add the key (using an absolute pathname), enter the passphrase, check that the key is in the ring using “ssh-add -l”… and “git push repo” works. BTW, I have keychain installed and in .profile, and it starts ssh-agent for me…

  6. Thanks everyone for the suggestions. My dsa key was generated on rhel4 (yeah, yeah, I don’t like it either–corporate red tape prevents an upgrade to something recent), so not affected by the debian/ubuntu openssh debacle.

    Jakub: Yeah, I suspect I just emailed Petr when he was gone on vacation. Probably just bad timing on my part. I should have sent another email, but anyway, Adam G has solved the issue for me.
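The IdentityFile suggestion in comment 2 and the git@ fix from the post's update both belong in one ~/.ssh/config stanza, so ssh picks the right key and the right login user for the host without relying on what happens to be loaded in the agent. The following is an added example, not code from the post or from any commenter: it emits such a stanza and then resolves what ssh would use for a host from a config file, including the ordering pitfall where an earlier "Host *" stanza (say, with "User newren") silently wins over the per-host one, which reproduces the failure in the post. Assumed here: the shared account is "git" (true of gitorious.org per the update), the key paths are illustrative, and the resolver matches only literal Host names and "*", not wildcards, Match blocks or the "Key=Value" spelling.

```shell
#!/bin/sh
# Added example, not from the original post or its comments: pin a
# dedicated key and the shared login user to one host in ~/.ssh/config,
# and resolve what ssh would use for that host the way ssh does.
#
# Assumptions: shared account "git" (gitorious.org, per the post's update);
# illustrative key paths; only literal "Host" names and "*" are matched.

# Emit a Host stanza for $1 using private key $2 and login user $3.
# IdentitiesOnly keeps ssh from also offering every key in the agent,
# which can exhaust the server's MaxAuthTries before the right key is tried.
ssh_host_stanza() {
    cat <<EOF
Host $1
    User $3
    IdentityFile $2
    IdentitiesOnly yes
EOF
}

# Resolve option $3 for host $2 from config file $1: the first value found
# wins for ordinary options, while IdentityFile accumulates across every
# matching stanza (man ssh_config). Options before any Host line apply to all.
ssh_config_lookup() {
    awk -v host="$2" -v want="$3" '
        BEGIN { want = tolower(want); accum = (want == "identityfile"); active = 1 }
        tolower($1) == "host" {
            active = 0
            for (i = 2; i <= NF; i++) if ($i == host || $i == "*") active = 1
            next
        }
        active && tolower($1) == want { print $2; if (!accum) exit }
    ' "$1"
}

# Demo: a per-host stanza followed by a catch-all default (constructed).
cfg=$(mktemp)
trap 'rm -f "$cfg"' EXIT
{
    ssh_host_stanza gitorious.org /home/newren/.ssh/gitorious git
    printf 'Host *\n    User newren\n    IdentityFile /home/newren/.ssh/id_rsa\n'
} > "$cfg"
ssh_config_lookup "$cfg" gitorious.org User          # git: the host stanza comes first
ssh_config_lookup "$cfg" gitorious.org IdentityFile  # both keys, host-specific one first
ssh_config_lookup "$cfg" other.example.org User      # newren: only "Host *" matches
```

Put the per-host stanza above any "Host *" block; if the order is reversed, User resolves to the catch-all value and you are back to being asked for a password. With the stanza in place, "git push gitorious.org:eg/mainline.git" no longer needs the user spelled out in the remote at all.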
