As already mentioned in T5463 I had some problems providing git access over ssh. I am new to Phabricator and its community, so I'm not sure whether my findings are correct and if this is the preferred way to propagate them:
When trying to invoke ssh -T firstname.lastname@example.org -vv I received the auth.log entry
AuthorizedKeysCommand /usr/share/phabricator-ssh-hook.sh returned status 126
That was caused by the fact that the permissions of /srv/phacility were (with 750 root:phacility) too restrictive: the solution was to widen the permissions to 755.
After that was solved I was able to pull and push repos, but after pushing I got the following error displayed in Diffusion:
Unable to Retrieve Paths: Command failed with error #128! COMMAND git ls-tree -z -l '37853835a8f96384dc0f7908e9d6ecae944f3dec':'' STDOUT (empty) STDERR fatal: failed to read object 37853835a8f96384dc0f7908e9d6ecae944f3dec: Permission denied
It turned out that the git user (aka vcs-user) created files as phd:phd. In order to fix that I had to modify the sudoers directive of git from git ALL=(phd) ... to git ALL=(phd:phacility) ..., adding the group explicitly.
- Even if I really do not understand why All need to have rx-access to the phacility folders, this might be worth a hint (it took me ~5 hours to assume that).
- The statement "We'll call this www-user. If you do not plan to make repositories available over HTTP, you do not need to perform any special configuration for this user." probably leaves out that this user must have access to the repos as well (and is invoking git-commands).
- The debug command ssh -T email@example.com is confusing. If connecting with anything else than the vcs-user, the ssh hook should deny the connection immediately.
If there's anything else I could do - let me know!
My Road To Hell
- Provide the users git, www-data and phd, pool them in the phacility group.
- Pull Phabricator into /srv/phacility/phabricator, .../arcanist, .../libphutil.
- Prepare /var/files to be owned by the phacility-group granting rw-access.
- Apply the git/ssh guide and do not activate repo serving via HTTP.
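The two failures above (the hook returning status 126 because a parent directory was 750, and sudo creating files as phd:phd because the Runas spec lacked the group) can both be spotted before the first push. The following diagnostic script is an added example, not part of the post or of Phabricator; the rule strings and hook.sh paths it is fed are constructed, and the optional TOP argument is a hypothetical parameter that limits how far up the tree it walks.

```shell
#!/bin/sh
# Added diagnostic (not from the post or Phabricator). sshd runs the
# AuthorizedKeysCommand as an unprivileged user, so every directory on the
# way to the hook needs the x bit for "others" and the hook itself r-x;
# the sudoers Runas spec must name the group, (phd:phacility) not (phd).

# Others' permission bits of a path, e.g. "r-x", taken from ls so the
# check works on both GNU and BSD userlands.
others_bits() {
  ls -ld "$1" | cut -c8-10
}

# check_path_traversable FILE [TOP]
# Walks from FILE up to TOP (default /). Returns 1 and prints the first
# offending component if a directory lacks x for others or the file lacks
# r and x; returns 0 when sshd could execute the hook.
check_path_traversable() {
  file=$1
  top=${2:-/}
  if [ -e "$file" ]; then
    case $(others_bits "$file") in
      r?x) ;;
      *) echo "hook not r-x for others: $file ($(others_bits "$file"))"; return 1 ;;
    esac
  fi
  dir=$(dirname "$file")
  while [ "$dir" != "$top" ] && [ "$dir" != "/" ]; do
    case $(others_bits "$dir") in
      ??x) ;;
      *) echo "not traversable by others: $dir ($(others_bits "$dir"))"; return 1 ;;
    esac
    dir=$(dirname "$dir")
  done
  return 0
}

# sudoers_rule_has_group RULE GROUP
# Returns 0 when the Runas spec of one sudoers line, e.g.
# "git ALL=(phd:phacility) NOPASSWD: /usr/bin/git", names GROUP.
sudoers_rule_has_group() {
  printf '%s\n' "$1" | grep -Eq "=\([^)]*:[[:space:]]*$2[[:space:]]*\)"
}

# Constructed sample inputs, not real system state:
check_path_traversable /usr/share/phabricator-ssh-hook.sh \
  || echo "AuthorizedKeysCommand would fail with status 126"
sudoers_rule_has_group 'git ALL=(phd) NOPASSWD: /usr/bin/git' phacility \
  || echo "sudoers rule lacks the group: files will be created as phd:phd"
```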