We've been encountering an issue with Phabricator's SSH
daemon being very unreliable on our install. I've been trying to debug
it for a good part of the last week now and finally solved it. The fix
was to update the sshd config to use the new ssh-auth argument syntax.
The issue was that 9 times out of 10 the server didn't accept the
user's keys, responding with:

```
Permission denied (publickey).
```

After setting the sshd log level to VERBOSE I could see the following:

```
debug1: matching key found: file /usr/libexec/phabricator-ssh-hook.sh, line 2 ED25519 SHA256:LiWLC/0gIcl8yt1QlD97MwdZiDO7N5x1+by9QvQ3ttQ
error: AuthorizedKeysCommand /usr/libexec/phabricator-ssh-hook.sh git failed, status 255
debug1: restore_uid: 0/0
```

After reading the source of `scripts/ssh/ssh-auth.php`, I realized
that when given a key as an argument, the script returns only the
matching key instead of all the keys in the database. But the default
sshd config templates mentioned in [this
do not take advantage of that feature.
After changing the sshd config so it passes the user key to the PHP script, the problems went away.
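
The following check is an added example, not part of the original post or of Phabricator: it reads an sshd_config and reports whether each `AuthorizedKeysCommand` hands the offered key to the helper through OpenSSH's `%k` token, or runs it with the user name only, as in the log line above. The two config fragments are constructed samples; the `%u %k` argument order and the `akc-user` account are assumptions, not values from the post.

```shell
#!/bin/sh
# Added example (not from the original post): audit AuthorizedKeysCommand lines.
# Reads an sshd_config on stdin and prints "<line-number> <verdict>" for each
# directive. Only the whitespace-separated "Keyword value" form is handled.
check_akc() {
    awk '
        /^[ \t]*#/ { next }                        # skip comment lines
        tolower($1) == "authorizedkeyscommand" {   # keywords are case-insensitive
            found = 1
            args = $0
            gsub(/%%/, "", args)                   # %% is a literal percent sign
            if ($2 == "none")      verdict = "disabled"
            else if (args ~ /%k/)  verdict = "passes-key"
            else                   verdict = "user-only"
            print NR, verdict
        }
        END { if (!found) print "0 not-set" }
    '
}

# Constructed sample: no arguments, so sshd passes only the user name.
sample_before() {
cat <<'EOF'
# constructed sshd_config fragment (old style)
AuthorizedKeysCommand /usr/libexec/phabricator-ssh-hook.sh
AuthorizedKeysCommandUser akc-user
EOF
}

# Constructed sample: %u = user name, %k = base64 of the offered key.
# The argument order the hook expects is an assumption; akc-user is hypothetical.
sample_after() {
cat <<'EOF'
# constructed sshd_config fragment (key passed to the helper)
authorizedkeyscommand /usr/libexec/phabricator-ssh-hook.sh %u %k
AuthorizedKeysCommandUser akc-user
EOF
}

sample_before | check_akc
sample_after  | check_akc
```

On a live host, run it as `check_akc < /etc/ssh/sshd_config`; a `user-only` verdict means the helper must print every key it knows for that account on each login attempt.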