Diffusion user guide: for sshd to work
Closed, WontfixPublic


Following the article Diffusion User Guide: Repository Hosting, I had some issues setting up sshd to work.

I'm using FreeBSD 10.2 but I suspect that this could be relevant on some other systems too.

The thing is with authentication. After calling /usr/sbin/sshd -f /etc/ssh/sshd_config, I could login through ssh. However, any persistent setup starts sshd (implicitly) with service sshd start and… this cunningly doesn't work: it ignores my keys and asks for password.

I've tracked down the issue: rc.d scripts gets minimal PATH=/sbin:/bin:/usr/sbin:/usr/bin. That propagates through sshd's AuthorizedKeysCommand into phabricator-ssh-hook.sh which apparently doesn't work well in such environment. However, with PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/games:/usr/local/sbin:/usr/local/bin:/root/bin everything's fine.

I made a change in phabricator-ssh-hook.sh, adding export just before final invocation:

export PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/games:/usr/local/sbin:/usr/local/bin:/root/bin
exec "$ROOT/bin/ssh-auth" $@

Please consider making a note of that in the tutorial, this took more time that I would like to admit.

kgadek created this task.Oct 19 2015, 12:19 AM
kgadek updated the task description. (Show Details)
kgadek added a project: Guides.
kgadek added a subscriber: kgadek.
chad edited projects, added Documentation; removed Guides.Oct 19 2015, 12:21 AM

Is /usr/games actually required in the path? That seems quite strange.

What would be better is finding out what was missing from the path that caused the ssh-auth script to fail for you - presumably some binary/command was failing to execute as it couldn't be found in the path. If we know what, then we can update the documentation to state:

The authentication script requires `<cmd>` to be accessible from the environment path

Rather than handing out a list of paths that might need to be in the environment as you suggest. These paths are entirely dependent on the OS/distribution and instructing users/sysadmins to add these to their paths is not a good setup guide/instruction.

chad added a subscriber: chad.Oct 19 2015, 4:25 AM

We also cover this in Level Requirements a bit:


Mostly, we're not likely here to just randomly update the documentation. We'd need to first try to reproduce the issues you encountered and find an upstream solution if it does reproduce. Unless others are running into this problem, it may be some time.

epriestley closed this task as Wontfix.Oct 20 2015, 1:15 PM
epriestley claimed this task.
epriestley added a subscriber: epriestley.

We explicitly do not cover setting up init scripts. See T4181.

Init configuration varies greatly from system to system: at time of writing, that task and this one discuss 6 totally separate ways to configure it. We don't have the resources or expertise to create and maintain so many scripts.

If you want to publish your script somewhere, you could add it to Community Resources.

For what it's worth, I don't use phabricator-ssh-hook.sh at all, I find it to be much simpler. Instead o use the following SSH configuration (which also allows me to run both administrative and VCS SSH over pirt 22):

1​Match User vcs
2​ AuthorizedKeysCommand /usr/src/phabricator/bin/ssh-auth
3​ AuthorizedKeysCommandUser vcs
4​ AllowUsers vcs

I don't think that would impact the outcome here. ssh-auth would still fail: I believe the problem is that php is in /usr/local/bin (or maybe /usr/games), so ssh-auth can't execute without that in path.