Skip to content

Unable to git clone (AuthorizedKeysCommand /authorized_keys git ... failed, status 1

Summary

Unable to git clone with fresh kubernetes installation.

Steps to reproduce

  • Create repo by root user
  • Try to git clone it

What is the current bug behavior?

/tmp$ git clone git@hostname.net:sre/vadim.git
Cloning into 'vadim'...
git@hostname.net: Permission denied (publickey,keyboard-interactive).
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.

What is the expected correct behavior?

Clone completed successfully.

Relevant logs

SSH log:

kubectl -n gitlab logs -f gitlab-gitlab-shell-7959d98d79-5j98n
...
AuthorizedKeysCommand /authorized_keys git ... failed, status 1
Failed publickey for git from 10.60.30.5 port 60892 ssh2: RSA SHA256:...
Connection closed by authenticating user git 10.60.30.5 port 60892 [preauth]
...

But:

~/devel/gitlab$ kubectl -n gitlab exec -it gitlab-gitlab-shell-7959d98d79-qsn72 -- /bin/bash
git@gitlab-gitlab-shell-7959d98d79-qsn72:/$ /authorized_keys git ...
command="/srv/gitlab-shell/bin/gitlab-shell key-5",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ... 
git@gitlab-gitlab-shell-7959d98d79-qsn72:/$ echo $?
0
/tmp$ telnet hostname.net 22           
Trying 123.123.123.123...
Connected to hostname.net.
Escape character is '^]'.
SSH-2.0-OpenSSH_7.9p1 Debian-10+deb10u2
^]

Environment details

  • Operating System: REPLACE-WITH-DETAILS
  • Installation Target, remove incorrect values:
    • Other: GKE (Helm)
  • Installation Type, remove incorrect values:
    • Fresh install with helm to GKE
    • Version 13.11.3
  • Multiple node installation

Configuration details

openSSH_7.9p1 Debian-10+deb10u2, OpenSSL 1.1.1d 10 Sep 2019

git@gitlab-gitlab-shell-7959d98d79-qsn72:/$ cat /etc/ssh/sshd_config 
#	$OpenBSD: sshd_config,v 1.101 2017/03/14 07:19:07 djm Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/bin:/usr/bin:/sbin:/usr/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

Port 2222
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key

# Ciphers and keying
#RekeyLimit default none

# Logging
#SyslogFacility AUTH
LogLevel VERBOSE

# Authentication:

PermitRootLogin no
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#PubkeyAuthentication yes

#AuthorizedPrincipalsFile none

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

#PermitEmptyPasswords no

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
#UsePAM no

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
PidFile /srv/sshd/sshd.pid
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

# no default banner path
#Banner none

# override default of no subsystems
# Subsystem	sftp	/usr/lib/ssh/sftp-server

# the following are HPN related configuration options
# tcp receive buffer polling. disable in non autotuning kernels
#TcpRcvBufPoll yes

# disable hpn performance boosts
#HPNDisabled no

# buffer size for hpn to non-hpn connections
#HPNBufferSize 2048


# Example of overriding settings on a per-user basis
#Match User anoncvs
#	X11Forwarding no
#	AllowTcpForwarding no
#	PermitTTY no
#	ForceCommand cvs server

# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile	.ssh/authorized_keys

AuthorizedKeysCommand /authorized_keys %u %k
AuthorizedKeysCommandUser git

PasswordAuthentication no

AllowUsers git

# Enable the use of Git protcol v2
AcceptEnv GIT_PROTOCOL

# Hard disable all forwarding
DisableForwarding yes

# Specifies the maximum number of concurrent unauthenticated connections to the SSH daemon.
# See `man sshd_config(5)`

MaxStartups 10:30:100


# Specifies amount of time athat the server will disconnect after if the user has not successfully logged in
LoginGraceTime 120
Edited by Vadim Reyder