We've been encountering an issue with phabricator's ssh
daemon being very unreliable on our install. I've been trying to debug
it for a good part of the last week now and finally solved it. The fix
was to update the sshd config to use the new ssh-auth argument syntax.
The issue was that 9 times out of 10 the server didn't accept the
users's keys, responding with:
Permission denied (publickey).
After setting the sshd log level on the server to VERBOSE I could see the following:
... debug1: matching key found: file /usr/libexec/phabricator-ssh-hook.sh, line 2 <redacted> error: AuthorizedKeysCommand /usr/libexec/phabricator-ssh-hook.sh git failed, status 255 debug1: restore_uid: 0/0 ...
After reading the source of scripts/ssh/ssh-auth.php, I realized
that when given a key as an argument, the script returns only the
matching key instead of all the keys in the database. But the default
sshd config templates mentioned in this article
do not take advantage of that feature.
After changing the sshd config so it passes the user key to the php script, the problems went away.