
Permission Denied when following User-guide to setup access to repo via SSH
Closed, InvalidPublic

Description

The steps advised in the documentation for setting up access to repositories via SSH seem not to be working on CentOS 7.

According to the steps in the guide, vcs-user should be used in both sshd_config and the ssh-hook script.
On CentOS 7 this appears to cause Permission denied errors (status code 126).

Working solution, so far, is to set AuthorizedKeysCommandUser to the daemon-user.

I have taken the following other steps in an attempt to fix it:
  • Adding the daemon-user group to the groups vcs-user is in
  • Using sudo/su to change to the daemon-user in the SSH-hook script
  • In sudoers, giving the vcs-user access to the ssh-auth and ssh-exec scripts

Environment (the ones I could think of that could matter, maybe):
CentOS Linux release 7.0.1406 (Core)
nginx/1.7.9
PHP 5.4.16 (fpm-fcgi)
5.5.40-MariaDB
OpenSSH_6.4p1
OpenSSL 1.0.1e-fips

Event Timeline

rag3rac3r raised the priority of this task from to Low.
rag3rac3r updated the task description.
rag3rac3r added a project: Diffusion.
rag3rac3r added a subscriber: rag3rac3r.
chad raised the priority of this task from Low to Needs Triage. Jan 30 2015, 2:51 AM

Do you have SELinux installed? It's hard to get ssh working if so - see T4947.

Otherwise, where and when exactly do you get permission denied?

SELinux is currently disabled (until everything else works, then it's that project).

The Permission Denied is the result of sshd trying to execute 'phabricator-ssh-hook.sh'.

The log output is the following:

Jan 29 00:16:44 sshd[19506]: error: AuthorizedKeysCommand /path/to/phabricator-ssh-hook.sh returned status 126
Jan 29 00:16:44 sshd[19506]: error: AuthorizedKeysCommand /path/to/phabricator-ssh-hook.sh returned status 126
Jan 29 00:16:44 sshd[19506]: error: AuthorizedKeysCommand /path/to/phabricator-ssh-hook.sh returned status 126
Jan 29 00:16:44 sshd[19506]: error: AuthorizedKeysCommand /path/to/phabricator-ssh-hook.sh returned status 126
Jan 29 00:16:44 sshd[19506]: error: AuthorizedKeysCommand /path/to/phabricator-ssh-hook.sh returned status 126
Jan 29 00:21:36 sshd[20143]: Disconnecting: Too many authentication failures for vcs-user [preauth]

Some trial and error showed that it occurred when the script attempted to run ./bin/ssh-auth.

OT: Sorry, I was a bit tired when I wrote the initial report, or I would've included this already then.

avivey claimed this task.

Are you 100% sure you have/had disabled SELinux? I run almost the same system and I've run into the same problems (return status 126 for the hook), and they were caused by SELinux.
Check with:

getenforce

and if it says "Enforcing", use:

setenforce 0

and check again.

A very helpful comment on how to resolve these issues was recently added in T4957.

Hi

I have pretty much the same "Status 126" issue on an Ubuntu 16.04 box with the latest openssh packages installed, following the instructions provided and modifying them for naming requirements. I'm running Phabricator on Nginx with PHP-FPM.

The only way I could get SSH connections into Phabricator to work was to modify the hook script from

exec "$ROOT/bin/ssh-auth" $@

to

su -s /bin/bash -c "$ROOT/bin/ssh-auth" $VCSUSER

and set

AuthorizedKeysCommandUser root

in the sshd_config for Phabricator. As I see it, this way the hook script is run as root but su's to VCSUSER to run Phabricator scripts, so any bugs in ssh-auth and whatever it executes are run under 'git' user.

Otherwise... I had this setup with default settings.

The below results in "Status 126" as a response, logged in /var/log/auth.log

Three users:
  • nginx runs as a user - let's call it 'nginx'
  • git user for Phabricator, has a bash shell, no password
  • 'web' - owning the website files and is also the phd user
Groups:
  • nginx and 'git' are in "web" group, so they can interact with files
Sudoers:
git ALL=(web) SETENV: NOPASSWD: /usr/bin/git-upload-pack, /usr/bin/git-receive-pack

After setup and restarting of daemons with the published configuration settings, I see this on SSH connect with a valid key:

error: AuthorizedKeysCommand /etc/phabricator/phabricator-ssh-hook.sh git failed, status 126

File permissions:
$ ls -la /etc/phabricator/
total 16
drwxr-xr-x  2 root root 4096 .
drwxr-xr-x 97 root root 4096 ..
-rw-r--r--  1 root root 1246 sshd_config
-rwxr-xr-x  1 root root  498 phabricator-ssh-hook.sh
Phabricator sshd_config:
AuthorizedKeysCommand /etc/phabricator/phabricator-ssh-hook.sh
AuthorizedKeysCommandUser git
AllowUsers git

# You may need to tweak these options, but mostly they just turn off everything
# dangerous.

## XXX  is replaced in the config file
Port XXX
Protocol 2
PermitRootLogin no
AllowAgentForwarding no
AllowTcpForwarding no
PrintMotd no
PrintLastLog no
PasswordAuthentication no
AuthorizedKeysFile none

PidFile /var/run/sshd-phabricator.pid

Exit Status 126 seems to be "Permission problem or command is not an executable" while other Googling suggests "Command invoked cannot execute". The script is 0755 as is the parent directory.

When I run the hook script as 'git' in a shell:

sudo -u git /etc/phabricator/phabricator-ssh-hook.sh git

... it executes correctly (it can execute bin/ssh-auth as well), so I'm thinking this is an SSH constraint - there is something about the user "git" that it (sshd) just doesn't like. It would probably help to look at the source to see what it actually does when it invokes an AuthorizedKeysCommand.
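An added diagnostic for the "status 126" symptom in this thread (written for this page, not code from Phabricator, OpenSSH or any poster here). It reproduces the shell's 126/127 exit codes the way the hook's `exec "$ROOT/bin/ssh-auth"` line produces them, and checks the two things the thread keeps circling: the ownership and mode rules sshd_config(5) imposes on AuthorizedKeysCommand and its parent directories, and whether ssh-auth is executable for the AuthorizedKeysCommandUser. The hook path, Phabricator root and user name are arguments you supply; GNU stat (Linux) is assumed.

```shell
#!/bin/sh
# Added example for this thread; not part of Phabricator or OpenSSH.
# Usage: sh hookcheck.sh HOOK PHABRICATOR_ROOT [VCS_USER]
# Assumes GNU stat (Linux).

# exec_status FILE: exec FILE as the hook's `exec "$ROOT/bin/ssh-auth"` line
# does, and print the shell's status: 126 = found but not executable (the
# value sshd logged above), 127 = not found, 0 = ran and exited cleanly.
exec_status() {
  status=0
  ( exec "$1" ) 2>/dev/null || status=$?
  echo "$status"
}

# mode_ok PATH: true when PATH is not writable by group or others, which
# sshd_config(5) requires of AuthorizedKeysCommand and every directory above it.
mode_ok() {
  case "$(stat -c %a "$1")" in
    *[2367] | *[2367]?) return 1 ;;   # group or other write bit set
  esac
  return 0
}

# check_hook HOOK ROOT [USER]: print one line per problem found.
check_hook() {
  hook=$1; auth="$2/bin/ssh-auth"; user=$3; p=$1
  # sshd refuses to run the command at all unless it and its parents are
  # root-owned and not group/world writable (logged as "Unsafe", not 126).
  while :; do
    [ "$(stat -c %U "$p")" = root ] || echo "not root-owned: $p"
    mode_ok "$p" || echo "group/world writable: $p"
    [ "$p" = / ] && break
    p=$(dirname "$p")
  done
  [ -x "$hook" ] || echo "hook not executable: $hook"
  # The hook itself returns 126 when ssh-auth cannot be executed by the
  # AuthorizedKeysCommandUser (mode, SELinux label, or an untraversable parent).
  if [ -n "$user" ] && command -v sudo >/dev/null 2>&1; then
    sudo -n -u "$user" test -x "$auth" 2>/dev/null ||
      echo "not executable as $user: $auth (hook would return 126)"
  else
    [ -x "$auth" ] || echo "not executable: $auth (hook would return 126)"
  fi
  if command -v getenforce >/dev/null 2>&1; then
    echo "SELinux: $(getenforce)"
  fi
}

if [ "$#" -ge 2 ]; then
  check_hook "$@"
fi
```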