Change Details

We've been encountering an issue with phabricator's ssh daemon being very unreliable on our install. I've been trying to debug it for a good part of the last week now and finally solved it. The fix was to update the sshd config to use the new ssh-auth argument syntax. The issue was that 9 times out of 10 the server didn't accept the users's keys, responding with: ``` Permission denied (publickey). ``` After setting the sshd log level to VERBOSE I could see the following: ``` ... debug1: matching key found: file /usr/libexec/phabricator-ssh-hook.sh, line 2 ED25519 SHA256:LiWLC/0gIcl8yt1QlD97MwdZiDO7N5x1+by9QvQ3ttQ error: AuthorizedKeysCommand /usr/libexec/phabricator-ssh-hook.sh git failed, status 255 debug1: restore_uid: 0/0 ... ``` After reading the source of `scripts/ssh/ssh-auth.php`, I realized that when given a key as an argument, the script returns only the matching key instead of all the keys in the database. But the default sshd config templates mentioned in [this article](https://secure.phabricator.com/book/phabricator/article/diffusion_hosting/#sshd-setup) do not take advantage of that feature. After changing the sshd config so it passes the user key to the php script, the problems went away.

We've been encountering an issue with phabricator's ssh daemon being very unreliable on our install. I've been trying to debug it for a good part of the last week now and finally solved it. The fix was to update the sshd config to use the new ssh-auth argument syntax. The issue was that 9 times out of 10 the server didn't accept the users's keys, responding with: ``` Permission denied (publickey). ``` After setting the sshd log level on the server to VERBOSE I could see the following: ``` ... debug1: matching key found: file /usr/libexec/phabricator-ssh-hook.sh, line 2 <redacted> error: AuthorizedKeysCommand /usr/libexec/phabricator-ssh-hook.sh git failed, status 255 debug1: restore_uid: 0/0 ... ``` After reading the source of `scripts/ssh/ssh-auth.php`, I realized that when given a key as an argument, the script returns only the matching key instead of all the keys in the database. But the default sshd config templates mentioned in [this article](https://secure.phabricator.com/book/phabricator/article/diffusion_hosting/#sshd-setup) do not take advantage of that feature. After changing the sshd config so it passes the user key to the php script, the problems went away.

We've been encountering an issue with phabricator's ssh daemon being very unreliable on our install. I've been trying to debug it for a good part of the last week now and finally solved it. The fix was to update the sshd config to use the new ssh-auth argument syntax. The issue was that 9 times out of 10 the server didn't accept the users's keys, responding with: ``` Permission denied (publickey). ``` After setting the sshd log level on the server to VERBOSE I could see the following: ``` ... debug1: matching key found: file /usr/libexec/phabricator-ssh-hook.sh, line 2 ED25519 SHA256:LiWLC/0gIcl8yt1QlD97MwdZiDO7N5x1+by9QvQ3ttQ<redacted> error: AuthorizedKeysCommand /usr/libexec/phabricator-ssh-hook.sh git failed, status 255 debug1: restore_uid: 0/0 ... ``` After reading the source of `scripts/ssh/ssh-auth.php`, I realized that when given a key as an argument, the script returns only the matching key instead of all the keys in the database. But the default sshd config templates mentioned in [this article](https://secure.phabricator.com/book/phabricator/article/diffusion_hosting/#sshd-setup) do not take advantage of that feature. After changing the sshd config so it passes the user key to the php script, the problems went away.