after add id_rsa.pub to server, but still need input password.

[iysheng]

After I add id_rsa.pub to my profile from web ui,

then when I push to repos, I still get the prompt to let me input password as below:

▸ git push origin master
Password authentication
([email protected]) Password:

[flaix]

Do you push via SSH? What does your git remote -v show?

[flaix]

Have you tried if you can use SSH against the server?
ssh -l username -i .ssh/id_rsa -p 29418 servername.com

[iysheng]

Do you push via SSH? What does your git remote -v show?
When I do , just as show

▸ git remote -v
origin  ssh://[email protected]:12390/led3000.git (fetch)
origin  ssh://[email protected]:12390/led3000.git (push)

[iysheng]

Have you tried if you can use SSH against the server? ssh -l username -i .ssh/id_rsa -p 29418 servername.com

when I do command as below

▸ ssh -l yangyongsheng -i ~/.ssh/id_rsa -p 29418 10.20.52.50

It just stoke. When i changed the port 2948 to 12390 as i configed, still let me input password.

▸ ssh -l yangyongsheng -i ~/.ssh/id_rsa -p 12390 10.20.52.50
Password authentication
([email protected]) Password:

[flaix]

Thank you for looking into this.
But you see your key under SSH keys in your profile? Or is it the same as in #1415.

[flaix]

I tested this with Gitblit running on Linux. A ssh-rsa public key could be added to the user profile and also showed up under the list of keys. Pulling and pushing with SSH immediately worked with the key where before the password was requested.

If this problem persists for you, we will need more detailed information, like server logs, SSH key type, SSH debug logs, etc.

[flaix]

What SSH Client are you using? Does it still support RSA keys?
I just tried this from a Fedora 36 which uses OpenSSH 8.8 which has RSA keys disabled. The same Giblit server can be accessed with a RSA key for the user from a different client which has an OpenSSH 7.9 which still supports RSA keys.

[iysheng]

I use sshd version as:

▸ sshd --version
unknown option -- -
OpenSSH_8.7p1, OpenSSL 1.1.1q  FIPS 5 Jul 2022
usage: sshd [-46DdeiqTt] [-C connection_spec] [-c host_cert_file]
            [-E log_file] [-f config_file] [-g login_grace_time]
            [-h host_key_file] [-o option] [-p port] [-u len]

I always use sshd RSA keys with github server. Could it be the Windows server firewall?

[flaix]

But this is from a SSH server. The question is if your SSH client that you use on you machine on which you pull with git supports ssh-rsa keys.

[flaix]

This is a SSH exchange when the client does not support RSA keys anymore and your only key on the Gitblit server is a RSA key:

[florian@fedora ~]$ ssh -v -p 29418  [email protected] keys ls
OpenSSH_8.8p1, OpenSSL 3.0.2 15 Mar 2022
debug1: Reading configuration data /etc/ssh/ssh_config
[...]
debug1: Connecting to 10.211.55.2 [10.211.55.2] port 29418.
debug1: Connection established.
debug1: identity file /home/florian/.ssh/id_rsa type 0
debug1: identity file /home/florian/.ssh/id_rsa-cert type -1
debug1: identity file /home/florian/.ssh/id_dsa type -1
debug1: identity file /home/florian/.ssh/id_dsa-cert type -1
debug1: identity file /home/florian/.ssh/id_ecdsa type 2
[...]
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: password,keyboard-interactive,publickey
debug1: Next authentication method: publickey
debug1: Offering public key: /home/florian/.ssh/id_ed25519 ED25519 SHA256:d0QrJKEUfhhhm4RALhf22nFSrsaVov+lYN6vRbkofig agent
debug1: Authentications that can continue: password,keyboard-interactive,publickey
debug1: Offering public key: /home/florian/.ssh/id_ecdsa ECDSA SHA256:GTOdKlxE4tLS7+ssdxX8hi0JpuEFk2wgLC44u+zYJ5M agent
debug1: Authentications that can continue: password,keyboard-interactive,publickey
debug1: Offering public key: /home/florian/.ssh/id_rsa RSA SHA256:0orGyVup/Mzpawt8vl4QBe80jNaJrReL4LeOcT2QoKs agent
debug1: send_pubkey_test: no mutual signature algorithm
debug1: Trying private key: /home/florian/.ssh/id_dsa
debug1: Trying private key: /home/florian/.ssh/id_ecdsa_sk
debug1: Trying private key: /home/florian/.ssh/id_ed25519_sk
debug1: Trying private key: /home/florian/.ssh/id_xmss
debug1: Next authentication method: keyboard-interactive
Password authentication
([email protected]) Password: 

If the client still accepts RSA keys, then it would work, as seen here:

florian@iMac:.ssh $ ssh -v -p 29418 florian@localhost keys which
OpenSSH_7.9p1, LibreSSL 2.7.3
debug1: Reading configuration data /Users/florian/.ssh/config
[...]
debug1: Connecting to 10.211.55.2 [10.211.55.2] port 29418.
debug1: Connection established.
debug1: identity file /Users/florian/.ssh/id_rsa type 0
debug1: identity file /Users/florian/.ssh/id_rsa-cert type -1
debug1: identity file /Users/florian/.ssh/id_dsa type -1
debug1: identity file /Users/florian/.ssh/id_dsa-cert type -1
debug1: identity file /Users/florian/.ssh/id_ecdsa type 2
debug1: identity file /Users/florian/.ssh/id_ecdsa-cert type -1
debug1: identity file /Users/florian/.ssh/id_ed25519 type 3
[...]
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: password,keyboard-interactive,publickey
debug1: Next authentication method: publickey
debug1: Offering public key: /Users/florian/.ssh/id_ecdsa ECDSA SHA256:rmmGPKCg8sx4X1HLUfY9yzQN6kj8ex/HPTbB77ak9go agent
debug1: Authentications that can continue: password,keyboard-interactive,publickey
debug1: Offering public key: /Users/florian/.ssh/id_rsa RSA SHA256:2edmZqh8ci88hWF9NWxgD/+uGxC3318th07xC+Zrauw
debug1: Server accepts key: /Users/florian/.ssh/id_rsa RSA SHA256:2edmZqh8ci88hWF9NWxgD/+uGxC3318th07xC+Zrauw
debug1: Authentication succeeded (publickey).
Authenticated to localhost ([::1]:29418).
[...]
debug1: Sending command: keys which

Maybe running your ssh command with ssh -v can give you more information why it doesn't accept your key.

[iysheng]

I'm sorry for that use the sshd command, I test with your guide as:

OpenSSH_8.7p1, OpenSSL 1.1.1q  FIPS 5 Jul 2022
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Reading configuration data /etc/ssh/ssh_config.d/50-redhat.conf
debug1: Reading configuration data /etc/crypto-policies/back-ends/openssh.config
debug1: configuration requests final Match pass
debug1: re-parsing configuration
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Reading configuration data /etc/ssh/ssh_config.d/50-redhat.conf
debug1: Reading configuration data /etc/crypto-policies/back-ends/openssh.config
debug1: Connecting to 10.20.52.50 [10.20.52.50] port 12390.
debug1: Connection established.
debug1: identity file /home/red/.ssh/id_rsa type 0
debug1: identity file /home/red/.ssh/id_rsa-cert type -1
debug1: identity file /home/red/.ssh/id_dsa type -1
debug1: identity file /home/red/.ssh/id_dsa-cert type -1
debug1: identity file /home/red/.ssh/id_ecdsa type -1
debug1: identity file /home/red/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/red/.ssh/id_ecdsa_sk type -1
debug1: identity file /home/red/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file /home/red/.ssh/id_ed25519 type -1
debug1: identity file /home/red/.ssh/id_ed25519-cert type -1
debug1: identity file /home/red/.ssh/id_ed25519_sk type -1
debug1: identity file /home/red/.ssh/id_ed25519_sk-cert type -1
debug1: identity file /home/red/.ssh/id_xmss type -1
debug1: identity file /home/red/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.7
debug1: Remote protocol version 2.0, remote software version Gitblit_v1.9.3 (SSHD-CORE-1.2.0-NIO2)
debug1: compat_banner: no match: Gitblit_v1.9.3 (SSHD-CORE-1.2.0-NIO2)
debug1: Authenticating to 10.20.52.50:12390 as 'yangyongsheng'
debug1: load_hostkeys: fopen /home/red/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: ecdh-sha2-nistp256
debug1: kex: host key algorithm: ssh-rsa
debug1: kex: server->client cipher: aes256-ctr MAC: hmac-sha2-256 compression: none
debug1: kex: client->server cipher: aes256-ctr MAC: hmac-sha2-256 compression: none
debug1: kex: ecdh-sha2-nistp256 need=32 dh_need=32
debug1: kex: ecdh-sha2-nistp256 need=32 dh_need=32
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: SSH2_MSG_KEX_ECDH_REPLY received
debug1: Server host key: ssh-rsa SHA256:rLvO1f05ENwMvz5xMTbIns8R0PbxDGuvsh4b51kJ/ng
debug1: load_hostkeys: fopen /home/red/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: Host '[10.20.52.50]:12390' is known and matches the RSA host key.
debug1: Found key in /home/red/.ssh/known_hosts:23
debug1: rekey out after 4294967296 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 4294967296 blocks
debug1: Will attempt key: /home/red/.ssh/id_rsa RSA SHA256:JBRN+h1D0t2TNAVnrF/odMbcLC5LbGLcZe7ttaINrp4
debug1: Will attempt key: /home/red/.ssh/id_dsa 
debug1: Will attempt key: /home/red/.ssh/id_ecdsa 
debug1: Will attempt key: /home/red/.ssh/id_ecdsa_sk 
debug1: Will attempt key: /home/red/.ssh/id_ed25519 
debug1: Will attempt key: /home/red/.ssh/id_ed25519_sk 
debug1: Will attempt key: /home/red/.ssh/id_xmss 
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: password,keyboard-interactive,publickey
debug1: Next authentication method: publickey
debug1: Offering public key: /home/red/.ssh/id_rsa RSA SHA256:JBRN+h1D0t2TNAVnrF/odMbcLC5LbGLcZe7ttaINrp4
debug1: send_pubkey_test: no mutual signature algorithm
debug1: Trying private key: /home/red/.ssh/id_dsa
debug1: Trying private key: /home/red/.ssh/id_ecdsa
debug1: Trying private key: /home/red/.ssh/id_ecdsa_sk
debug1: Trying private key: /home/red/.ssh/id_ed25519
debug1: Trying private key: /home/red/.ssh/id_ed25519_sk
debug1: Trying private key: /home/red/.ssh/id_xmss
debug1: Next authentication method: keyboard-interactive
Password authentication
Authenticated to 10.20.52.50 ([10.20.52.50]:12390) using "keyboard-interactive".
debug1: pkcs11_del_provider: called, provider_id = (null)
debug1: channel 0: new [client-session]
debug1: Entering interactive session.
debug1: pledge: filesystem full
debug1: Sending environment.
debug1: channel 0: setting env LANG = "en_GB.UTF-8"
debug1: channel 0: setting env XMODIFIERS = "@im=fcitx"
debug1: Sending command: keys ls
.....
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug1: channel 0: free: client-session, nchannels 1
Transferred: sent 2008, received 2952 bytes, in 0.1 seconds
Bytes per second: sent 23676.7, received 34807.6
debug1: Exit status 0

[flaix]

So the server does not accept your key.
What output do you get with the following?
ssh -l yangyongsheng -i ~/.ssh/id_rsa -p 12390 10.20.52.50 keys ls

And does it match your key?
ssh-keygen -l -f ~/.ssh/id_rsa -E md5
ssh-keygen -l -f ~/.ssh/id_rsa -E sha256

[flaix]

I just noticed these lines in your output:

debug1: Offering public key: /home/red/.ssh/id_rsa RSA SHA256:JBRN+h1D0t2TNAVnrF/odMbcLC5LbGLcZe7ttaINrp4
debug1: send_pubkey_test: no mutual signature algorithm

Googling this, it turns out that this is often because the client does not support the SHA-1 algorithm for RSA anymore. A temporary work around would be to enable it again with the following line in your client configuration:
PubkeyAcceptedKeyTypes +ssh-rsa

Gitblit 1.10.0 will add support for ecdsa and ed25519 key types. Only later versions will add support for RSA keys with SHA-256 algorithms.

[iysheng]

I just noticed these lines in your output:

debug1: Offering public key: /home/red/.ssh/id_rsa RSA SHA256:JBRN+h1D0t2TNAVnrF/odMbcLC5LbGLcZe7ttaINrp4
debug1: send_pubkey_test: no mutual signature algorithm

Googling this, it turns out that this is often because the client does not support the SHA-1 algorithm for RSA anymore. A temporary work around would be to enable it again with the following line in your client configuration:
PubkeyAcceptedKeyTypes +ssh-rsa

Gitblit 1.10.0 will add support for ends and ed25519 key types. Only later versions will add support for RSA keys with SHA-256 algorithms.

thanks，i will test this later。

[iysheng]

debug1: Offering public key: /home/red/.ssh/id_rsa RSA SHA256:JBRN+h1D0t2TNAVnrF/odMbcLC5LbGLcZe7ttaINrp4
debug1: send_pubkey_test: no mutual signature algorithm

Googling this, it turns out that this is often because the client does not support the SHA-1 algorithm for RSA anymore. A temporary work around would be to enable it again with the following line in your client configuration: PubkeyAcceptedKeyTypes +ssh-rsa

Gitblit 1.10.0 will add support for ecdsa and ed25519 key types. Only later versions will add support for RSA keys with SHA-256 algorithms.

I'm sorry to reply you so late, I upgrade the laotop linux fedora 32 to fedora 36,now the ssh version is

▸ ssh -V
OpenSSH_8.8p1, OpenSSL 3.0.5 5 Jul 2022

▸ cat /etc/ssssh -Q key
ssh-ed25519
[email protected]
[email protected]
[email protected]
ssh-rsa
ssh-dss
ecdsa-sha2-nistp256
ecdsa-sha2-nistp384
ecdsa-sha2-nistp521
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]

And I add line in file /etc/ssh/ssh_config as

PubkeyAcceptedKeyTypes +ssh-rsa

But I still couldn't connect the gitblit server.

OpenSSH_8.8p1, OpenSSL 3.0.5 5 Jul 2022
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Reading configuration data /etc/ssh/ssh_config.d/50-redhat.conf
debug1: Reading configuration data /etc/crypto-policies/back-ends/openssh.config
debug1: configuration requests final Match pass
debug1: re-parsing configuration
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Reading configuration data /etc/ssh/ssh_config.d/50-redhat.conf
debug1: Reading configuration data /etc/crypto-policies/back-ends/openssh.config
debug1: Connecting to 10.20.52.50 [10.20.52.50] port 12390.
debug1: Connection established.
debug1: identity file /home/red/.ssh/id_rsa type 0
debug1: identity file /home/red/.ssh/id_rsa-cert type -1
debug1: identity file /home/red/.ssh/id_rsa type 0
debug1: identity file /home/red/.ssh/id_rsa-cert type -1
debug1: identity file /home/red/.ssh/id_dsa type -1
debug1: identity file /home/red/.ssh/id_dsa-cert type -1
debug1: identity file /home/red/.ssh/id_ecdsa type -1
debug1: identity file /home/red/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/red/.ssh/id_ed25519 type -1
debug1: identity file /home/red/.ssh/id_ed25519-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.8
debug1: Remote protocol version 2.0, remote software version Gitblit_v1.9.3 (SSHD-CORE-1.2.0-NIO2)
debug1: compat_banner: no match: Gitblit_v1.9.3 (SSHD-CORE-1.2.0-NIO2)
debug1: Authenticating to 10.20.52.50:12390 as 'yangyongsheng'
debug1: load_hostkeys: fopen /home/red/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: ecdh-sha2-nistp256
debug1: kex: host key algorithm: (no match)
Unable to negotiate with 10.20.52.50 port 12390: no matching host key type found. Their offer: ssh-rsa,ssh-dss

[andrm]

You also need:
HostKeyAlgorithms +ssh-rsa

[andrm]

@flaix When will gitblit 1.10.0 be released?

[flaix]

@flaix When will gitblit 1.10.0 be released?

This is a good question without a good answer. While I sure would like to see that this year, my guess is more like February or March.

[andrm]

Do you need help? Anything I can do?

[flaix]

I have moved this to discussion #1440

[iysheng]

You also need:
HostKeyAlgorithms +ssh-rsa

thanks，after I add both these lines in file /etc/ssh/ssh_config

PubkeyAcceptedKeyTypes +ssh-rsa
HostKeyAlgorithms +ssh-rsa

It's ok now.