
Permission denied accessing config, while documentation states it is open by default. #55

Closed
Temporalin opened this issue Jan 11, 2022 · 10 comments

Comments

@Temporalin

The documentation states the following:

The config repo is publicly writable by default, so be sure to setup your access as desired. You can also set the SOFT_SERVE_INITIAL_ADMIN_KEY environment variable before first run and it will restrict access to that initial public key until you configure things otherwise.

I can run the server, but when I try to connect, either with ssh localhost -p 23231 or cloning the config repo with git clone ssh://localhost:23231/config, it prompts me for a password, and no matter what I input, it says Permission denied.

I've been able to connect to the server after editing the configuration using a direct folder clone (git clone /home/myuser/.repos/config) and setting allow-keyless to True and restarting the server.

I'm not sure if the solution should be updating the documentation or changing the default behaviour, but in any case something should be changed.

I hope this report helps, thanks for the nice program!

@caarlos0
Member

hey @Temporalin did you maybe pass the key path?

It seems that SOFT_SERVE_INITIAL_ADMIN_KEY wants the actual contents of the key instead of the filepath...

@Temporalin
Author

No, I did not set any environment variables.

@toby
Contributor

toby commented Jan 20, 2022

@Temporalin do you have any ssh keys generated on your machine? By default we allow access to any public key, but no password only. I agree the docs should be clearer and specify that you need to at least have an ssh key generated.

@Temporalin
Author

Temporalin commented Jan 20, 2022

Yes, I have keys in $HOME/.ssh. How does it choose which one to use? I tried loading one of them but I still couldn't connect to the server.

Edit: sorry, just when I sent this answer I remembered that I should be able to clone the config repo, I have to try that first.

@toby
Contributor

toby commented Jan 20, 2022

It should try multiple keys until it finds one that works (which should be the first one in the default config). Can you try ssh -vv localhost -p 23231? That might give some useful info. Also can you ssh git.charm.sh successfully?

@Temporalin
Author

I just tried again and it looks like soft creates a new SSH public/private pair in my $HOME/.ssh folder, and if I add it with ssh-add I can access the server no problem (both via ssh and git clone ssh://localhost:port/repo).

It doesn't accept any of my previously generated SSH keys. I have two, none of them are the default id_rsa or whatever.

I can ssh git.charm.sh without problems, yes.

I've edited the log so it doesn't show any identifying information.

ssh -vv debuguser@localhost -p 2323

OpenSSH_8.8p1, OpenSSL 1.1.1m  14 Dec 2021
debug1: Reading configuration data /home/MyLaptopUser/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug2: resolving "localhost" port 23231
debug1: Connecting to localhost [::1] port 23231.
debug1: Connection established.
debug1: identity file /home/MyLaptopUser/.ssh/id_rsa type -1
debug1: identity file /home/MyLaptopUser/.ssh/id_rsa-cert type -1
debug1: identity file /home/MyLaptopUser/.ssh/id_dsa type -1
debug1: identity file /home/MyLaptopUser/.ssh/id_dsa-cert type -1
debug1: identity file /home/MyLaptopUser/.ssh/id_ecdsa type -1
debug1: identity file /home/MyLaptopUser/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/MyLaptopUser/.ssh/id_ecdsa_sk type -1
debug1: identity file /home/MyLaptopUser/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file /home/MyLaptopUser/.ssh/id_ed25519 type -1
debug1: identity file /home/MyLaptopUser/.ssh/id_ed25519-cert type -1
debug1: identity file /home/MyLaptopUser/.ssh/id_ed25519_sk type -1
debug1: identity file /home/MyLaptopUser/.ssh/id_ed25519_sk-cert type -1
debug1: identity file /home/MyLaptopUser/.ssh/id_xmss type -1
debug1: identity file /home/MyLaptopUser/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.8
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.6p1
debug1: compat_banner: match: OpenSSH_7.6p1 pat OpenSSH_7.0*,OpenSSH_7.1*,OpenSSH_7.2*,OpenSSH_7.3*,OpenSSH_7.5*,OpenSSH_7.6*,OpenSSH_7.7* compat 0x04000002
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to localhost:23231 as 'debuguser'
debug1: load_hostkeys: fopen /home/MyLaptopUser/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,ext-info-c
debug2: host key algorithms: ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,rsa-sha2-512,rsa-sha2-256
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib@openssh.com,zlib
debug2: compression stoc: none,zlib@openssh.com,zlib
debug2: languages ctos: 
debug2: languages stoc: 
debug2: first_kex_follows 0 
debug2: reserved 0 
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1
debug2: host key algorithms: ssh-ed25519
debug2: ciphers ctos: aes128-gcm@openssh.com,chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr
debug2: ciphers stoc: aes128-gcm@openssh.com,chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr
debug2: MACs ctos: hmac-sha2-256-etm@openssh.com,hmac-sha2-256,hmac-sha1,hmac-sha1-96
debug2: MACs stoc: hmac-sha2-256-etm@openssh.com,hmac-sha2-256,hmac-sha1,hmac-sha1-96
debug2: compression ctos: none
debug2: compression stoc: none
debug2: languages ctos: 
debug2: languages stoc: 
debug2: first_kex_follows 0 
debug2: reserved 0 
debug1: kex: algorithm: curve25519-sha256@libssh.org
debug1: kex: host key algorithm: ssh-ed25519
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: SSH2_MSG_KEX_ECDH_REPLY received
debug1: Server host key: ssh-ed25519 SHA256:RandomSHA
debug1: load_hostkeys: fopen /home/MyLaptopUser/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: Host '[localhost]:23231' is known and matches the ED25519 host key.
debug1: Found key in /home/MyLaptopUser/.ssh/known_hosts:12
debug2: set_newkeys: mode 1
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug2: set_newkeys: mode 0
debug1: rekey in after 134217728 blocks
debug1: Will attempt key: KeyNumberOne RSA SHA256:OneSHA agent
debug1: Will attempt key: KeyNumberTwo RSA SHA256:AnotherSHA agent
debug1: Will attempt key: /home/MyLaptopUser/.ssh/id_rsa 
debug1: Will attempt key: /home/MyLaptopUser/.ssh/id_dsa 
debug1: Will attempt key: /home/MyLaptopUser/.ssh/id_ecdsa 
debug1: Will attempt key: /home/MyLaptopUser/.ssh/id_ecdsa_sk 
debug1: Will attempt key: /home/MyLaptopUser/.ssh/id_ed25519 
debug1: Will attempt key: /home/MyLaptopUser/.ssh/id_ed25519_sk 
debug1: Will attempt key: /home/MyLaptopUser/.ssh/id_xmss 
debug2: pubkey_prepare: done
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: password,publickey
debug1: Next authentication method: publickey
debug1: Offering public key: KeyNumberOne RSA SHA256:OneSHA agent
debug1: send_pubkey_test: no mutual signature algorithm
debug1: Offering public key: KeyNumberTwo RSA SHA256:AnotherSHA agent
debug1: send_pubkey_test: no mutual signature algorithm
debug1: Trying private key: /home/MyLaptopUser/.ssh/id_rsa
debug1: Trying private key: /home/MyLaptopUser/.ssh/id_dsa
debug1: Trying private key: /home/MyLaptopUser/.ssh/id_ecdsa
debug1: Trying private key: /home/MyLaptopUser/.ssh/id_ecdsa_sk
debug1: Trying private key: /home/MyLaptopUser/.ssh/id_ed25519
debug1: Trying private key: /home/MyLaptopUser/.ssh/id_ed25519_sk
debug1: Trying private key: /home/MyLaptopUser/.ssh/id_xmss
debug2: we did not send a packet, disable method
debug1: Next authentication method: password
debuguser@localhost's password: 
debug2: we sent a password packet, wait for reply
debug1: Authentications that can continue: password,publickey
Permission denied, please try again.
debuguser@localhost's password: 
debug2: we sent a password packet, wait for reply
debug1: Authentications that can continue: password,publickey
Permission denied, please try again.
debuguser@localhost's password: 
debug2: we sent a password packet, wait for reply
debug1: Authentications that can continue: password,publickey
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
debuguser@localhost: Permission denied (password,publickey).

@chilledtonic

I faced this issue as well. soft-serve appears to not accept RSA ssh keys AT ALL, which isn't specified in the documentation.

Generating an Ed25519 key and adding that to the config repo allowed normal usage.

I'm going to assume it's unintentional since the documentation shows RSA keys as being valid inside the config, and the issue likely lies in an underlying cryptography library.
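
In the ssh -vv transcript above, each RSA key is offered and dropped with "send_pubkey_test: no mutual signature algorithm", which is an OpenSSH 8.8 client declining to sign with SHA-1 ssh-rsa against a server that advertises no rsa-sha2-* signature algorithm; the Ed25519 workaround in the previous comment sidesteps exactly that. As an added example (not code from this thread or from the soft-serve project), a small Python triage script that parses such a transcript and states the likely cause; the regexes are assumptions based on OpenSSH 8.x debug output, and the sample log is constructed to mirror the one above.

```python
"""Triage an `ssh -vv` transcript to explain a publickey failure (added example)."""
import re

# Constructed sample, condensed from the transcript in this thread.
SAMPLE_LOG = """\
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.6p1
debug2: peer server KEXINIT proposal
debug2: host key algorithms: ssh-ed25519
debug1: Authentications that can continue: password,publickey
debug1: Offering public key: KeyNumberOne RSA SHA256:OneSHA agent
debug1: send_pubkey_test: no mutual signature algorithm
debug1: Offering public key: KeyNumberTwo RSA SHA256:AnotherSHA agent
debug1: send_pubkey_test: no mutual signature algorithm
debug1: Next authentication method: password
debuguser@localhost: Permission denied (password,publickey).
"""

# Line shapes assumed from OpenSSH 8.x debug1 output.
OFFER_RE = re.compile(r"Offering public key: (?P<name>.+?) (?P<type>RSA|ED25519|ECDSA|DSA) (?P<fp>SHA256:\S+)")
REJECT_RE = re.compile(r"send_pubkey_test: (?P<reason>.+)")

NO_MUTUAL = "no mutual signature algorithm"

def diagnose(log: str) -> dict:
    """Return which keys were offered, why each was rejected, and a verdict."""
    offers, pending = [], None
    for line in log.splitlines():
        m = OFFER_RE.search(line)
        if m:
            pending = {"name": m["name"], "type": m["type"], "fp": m["fp"], "reason": None}
            offers.append(pending)
            continue
        m = REJECT_RE.search(line)
        if m and pending is not None:  # the rejection line follows its offer
            pending["reason"] = m["reason"]
            pending = None
    denied = "Permission denied (" in log
    rsa_only = bool(offers) and all(o["type"] == "RSA" for o in offers)
    all_no_mutual = bool(offers) and all(o["reason"] == NO_MUTUAL for o in offers)
    if denied and rsa_only and all_no_mutual:
        verdict = "client refused SHA-1 ssh-rsa signatures and server offers no rsa-sha2-*; use an Ed25519 key or upgrade the server"
    elif denied and offers:
        verdict = "keys offered but none accepted; check the server's authorized keys"
    elif denied:
        verdict = "no public key was offered; generate a key or load one into ssh-agent"
    else:
        verdict = "authentication succeeded"
    return {"offers": offers, "denied": denied, "verdict": verdict}

if __name__ == "__main__":
    import json
    print(json.dumps(diagnose(SAMPLE_LOG), indent=2))
```

Feed it the real transcript (ssh -vv ... 2>&1) to see whether the failure is the signature-algorithm mismatch or simply a key the server does not know.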

@caarlos0
Member

Likely it's the same issue as #48

We should in fact improve the readme until the fix on x/crypto lands...

@nixbytes

Hi,
I use SOFT_SERVE_INITIAL_ADMIN_KEY=/home/username/.ssh/id_rsa.pub
It works for me using an absolute path to the public key.

@aymanbagabas
Member

This should be fixed in v0.3.2 ece7523, closing.
