Unable to push to hosted repository
because we have tooling which relies on the regular SSHD daemon being available on port 22. And thus, I have to add the remote like above.
I also have in repo not in 22, this time for proxy, firewall routing and it works like a charm.
Here is my sshd_config_phab
# NOTE: You must have OpenSSHD 6.2 or newer; support for AuthorizedKeysCommand
# was added in this version.

# NOTE: Edit these to the correct values for your setup.

AuthorizedKeysCommand /usr/libexec/phabricator-ssh-hook.sh
AuthorizedKeysCommandUser vcs
AllowUsers vcs

# You may need to tweak these options, but mostly they just turn off everything
# dangerous.

Port 15115
Protocol 2
PermitRootLogin no
AllowAgentForwarding no
AllowTcpForwarding no
PrintMotd no
PrintLastLog no
PasswordAuthentication no
AuthorizedKeysFile none

PidFile /var/run/sshd-phabricator.pid

A lot of things are important in the config, like AuthorizedKeysCommand, AuthorizedKeysCommandUser and all the stuff @epriestley deactivated, like TCPForwarding, that can be a potential vulnerability or that disturbs the git workflow (like printing the motd).
This being said, you still can probably use both normal ssh and git on 22 with P1809.
It is not supported, however, and probably not as secure as what https://secure.phabricator.com/book/phabricator/article/diffusion_hosting/ says (since, for instance, you cannot deactivate all the stuff in MatchUser), so you had better stick with git on a special port.
git remote add origin awal@<my-host>:/var/repo/<CALLNAME>
First, I think you mean git remote add origin awal@<my-host>:<my-port>/var/repo/<CALLNAME>. You forgot the port, so you are connecting to ssh on 22.
It can't be something like this.
It must be:
git clone ssh://user@example.com/diffusion/P/whateveryouwant.git
The pattern diffusion/CALLSIGN is the important one.
I can access <user>@<host> via ssh, so this is definitely (and apparently, anyways) not a permission error.
Normally, if you do things correctly, ssh {{vcs_user_name}}@{{domain_name}} -p {{port}} should throw:

PTY allocation request failed on channel 0
phabricator-ssh-exec: Welcome to Phabricator.

You are logged in as {{the_user_that_match-your_public_key}}

You haven't specified a command to run. This means you're requesting an interactive shell, but Phabricator does not provide an interactive shell over SSH.

Usually, you should run a command like `git clone` or `hg push` rather than connecting directly with SSH.

Supported commands are: conduit, git-receive-pack, git-upload-pack, hg, svnserve.
Connection to {{domain_name}} closed.
if you have already added your key to phabricator in your profile config.
Or
Permission denied (publickey,keyboard-interactive).
if you don't.
Does it throw something like this?
Please add a comment; I will edit an answer once we find your issue.
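As an added example (not part of the original answer and not Phabricator's own code), here is a small Python check that parses a dedicated sshd config file and reports where it differs from the settings in the sshd_config_phab quoted above. The function names and the `WEAK` sample config are constructed for illustration.

```python
import re

# Values set by the sshd_config_phab quoted in this thread (keywords lower-cased).
EXPECTED = {
    "passwordauthentication": "no",
    "permitrootlogin": "no",
    "allowagentforwarding": "no",
    "allowtcpforwarding": "no",
    "authorizedkeysfile": "none",
}
MUST_BE_SET = ("authorizedkeyscommand", "authorizedkeyscommanduser", "allowusers", "port")
LINE = re.compile(r"^(\w+)(?:\s*=\s*|\s+)(.*)$")  # "Keyword value" or "Keyword=value"


def parse_sshd_config(text):
    """Map each global keyword to its values in file order (keywords are case-insensitive)."""
    settings = {}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())  # blank lines and '#' comments do not match
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":  # lines below a Match block are conditional, not global
            break
        settings.setdefault(key, []).append(value)
    return settings


def audit(text):
    """Return a list of findings; empty means the file matches the thread's settings."""
    cfg = parse_sshd_config(text)
    findings = []
    for key, want in EXPECTED.items():
        got = cfg.get(key, ["<unset, sshd default applies>"])[0]  # sshd keeps the first value
        if got.lower() != want:
            findings.append(f"{key}: {got} (expected {want})")
    findings += [f"{key}: not set" for key in MUST_BE_SET if key not in cfg]
    if "22" in cfg.get("port", []):
        findings.append("port: 22 collides with the regular sshd")
    return findings


# Constructed sample, not from the thread: password auth on, forwarding and key command unset.
WEAK = "Port 22\nAllowUsers vcs\nPasswordAuthentication yes\nPermitRootLogin no\n" \
       "AllowAgentForwarding no\nAuthorizedKeysFile none\n"

if __name__ == "__main__":
    print("\n".join(audit(WEAK)))
```

Settings placed under a Match block are deliberately ignored, so a hardening directive that only appears there is still reported as unset at the global level.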
Thanks a lot for the elaborate reply! No, it doesn't throw any such error. I get straight shell access to my server.
I think I can now see the issue. Diffusion expects me to have Phabricator's sshd set up at a particular port, but I didn't set it up on *any* port. What I am not sure about is how I can set up Phabricator's sshd on a different port from 22.
I should look more into it (and also just saw that you edited the post, so reading once more). Thanks again!
On http://phabricator.example.com/config/group/diffusion/ there is all the stuff you want to configure! In particular the ssh-port, the ssh-user, etc.
To explain how phab hosting works:
(1) ----connect to---> (2) ----redirect_to---> (3) ----redirect_to---> (4)
(1) you, from outside
(2) a custom sshd server that doesn't let you execute anything but
(3) a bash file that checks if the user in git clone ssh://user@example.com:port/... is the vcs-user, else does nothing
(4) a php file that checks if your key is in phabricator: if so, it allows conduit, git-receive-pack, git-upload-pack, hg, svnserve; else it returns an auth error
After (4), when you git clone xxx, you call git-upload-pack as vcs-user, which will upload your git content; but for that it has to get the content from /var/repo, which is owned by the phabricator user, so vcs-user should be able to sudo to phab-user without a password.
Those are normally the steps (I may be a little wrong on some details, though).
As you see, all steps are crucial. You just can't point to :/var/repo/xxx
So please follow the guide from the start again; then I or someone else will help debug the "normal" stuff failing, like permissions in sudo, or git executables not in the path.
Ok thanks a lot and sorry for the confusion! I shall start again from scratch, and post my findings here if I manage to run the phabricator's sshd on a custom port.
Thanks!
Ok, I got it working. I'll add a tutorial style answer on another more suitable thread, and I am closing this for now.
Thanks a ton to @tycho.tatitscheff for his support!