Symptom:

[root@web-m data]# git clone ssh://git@gitlab.lixinkuan.com:22022/lxk/core.git
Cloning into 'core'...
git@gitlab.lixinkuan.com's password: 
Permission denied, please try again.
git@gitlab.lixinkuan.com's password: 
Permission denied, please try again.
git@gitlab.lixinkuan.com's password: 
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.

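A key pair had already been created locally and the private key uploaded to the user's SSH Keys. The procedure itself was fine, but login only worked over HTTP by entering a username and password.

The "Permission denied" in the output already indicates a permissions problem: password login is not possible over ssh here, so whether or not the password entered is correct, the result is always Permission denied. The login process in debug mode: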

[root@web-m .ssh]# ssh -vT git@gitlab.lixinkuan.com -p 22022
OpenSSH_7.4p1, OpenSSL 1.0.2k-fips  26 Jan 2017
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 58: Applying options for *
debug1: Connecting to gitlab.lixinkuan.com [X.X.X.X] port 22022.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_rsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_rsa-cert type -1
debug1: identity file /root/.ssh/id_dsa type 2
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.4
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
debug1: match: OpenSSH_5.3 pat OpenSSH_5* compat 0x0c000000
debug1: Authenticating to gitlab.lixinkuan.com:22022 as 'git'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: diffie-hellman-group-exchange-sha256
debug1: kex: host key algorithm: ssh-rsa
debug1: kex: server->client cipher: aes128-ctr MAC: umac-64@openssh.com compression: none
debug1: kex: client->server cipher: aes128-ctr MAC: umac-64@openssh.com compression: none
debug1: kex: diffie-hellman-group-exchange-sha256 need=16 dh_need=16
debug1: kex: diffie-hellman-group-exchange-sha256 need=16 dh_need=16
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<3072<8192) sent
debug1: got SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: got SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Server host key: ssh-rsa SHA256:YwKrqd2VsjmqoEdWNtCase8ONV5h0uSbGQEWR18lHd8
debug1: checking without port identifier
The authenticity of host '[gitlab.lixinkuan.com]:22022 ([X.X.X.X]:22022)' can't be established.
RSA key fingerprint is SHA256:YwKrqd2VsjmqoEdWNtCase8ONV5h0uSbGQEWR18lHd8.
RSA key fingerprint is MD5:14:8c:87:8f:b5:15:75:e1:8a:31:a5:61:ce:9d:68:6c.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[gitlab.lixinkuan.com]:22022,[X.X.X.X]:22022' (RSA) to the list of known hosts.        # rejected once here
debug1: rekey after 4294967296 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey after 4294967296 blocks
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Next authentication method: gssapi-keyex        # next authentication method: gssapi-keyex
debug1: No valid Key exchange context           # no valid key exchange context
debug1: Next authentication method: gssapi-with-mic     # next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure.  Minor code may provide more information
No Kerberos credentials available (default cache: KEYRING:persistent:0)

debug1: Unspecified GSS failure.  Minor code may provide more information
No Kerberos credentials available (default cache: KEYRING:persistent:0)
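# Below, every attempt to read an authentication file goes to the /root/.ssh directory. But we are logging in to gitlab, so the script is wrong: the authentication files should not be read from here!!!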
debug1: Next authentication method: publickey
debug1: Trying private key: /root/.ssh/id_rsa
debug1: Offering DSA public key: /root/.ssh/id_dsa
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Trying private key: /root/.ssh/id_ecdsa
debug1: Trying private key: /root/.ssh/id_ed25519
debug1: Next authentication method: password
git@gitlab.lixinkuan.com's password: 
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
Permission denied, please try again.
git@gitlab.lixinkuan.com's password: 
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
Permission denied, please try again.
git@gitlab.lixinkuan.com's password: 
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: No more authentication methods to try.
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).

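Since only SSH login is affected, this should be a file permission problem in gitlab's ssh module.

Check the permissions of the key files: only the owner has access, group and other have none, and the .ssh directory is fine.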

[root@gitlab gitlab]# ll -d .ssh/
drwx------ 2 git git 4096 Jul 18 09:29 .ssh/
[root@gitlab gitlab]# ll .ssh/
total 32
-rw------- 1 git git 28332 Oct 16 20:50 authorized_keys
-rw------- 1 git git     0 Oct 16 20:50 authorized_keys.lock

Check the gitlab-shell permissions:

[root@gitlab gitlab]# ll -d gitlab-shell/
drwx------ 2 git root 4096 Oct 16 20:46 gitlab-shell/
[root@gitlab gitlab]# ll  gitlab-shell/
total 4
-rw-r--r-- 1 root root 1105 Jul 17 12:52 config.yml
[root@gitlab gitlab-shell]# stat config.yml
  File: `config.yml'
  Size: 1105        Blocks: 8          IO Block: 4096   regular file
Device: fc01h/64513d    Inode: 132041      Links: 1
Access: (0644/-rw-r--r--)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2018-10-16 18:38:47.356925223 +0800
Modify: 2018-07-17 12:52:10.845000022 +0800
Change: 2018-07-17 12:52:10.847000022 +0800

The owner and group of config.yml are both root. Changing them to root git and restarting the git service did not help; the fault persisted.

[root@web-m data]# git clone ssh://git@gitlab.lixinkuan.com:22022/lxk/core.git
Cloning into 'core'...
git@gitlab.lixinkuan.com's password: 
Permission denied, please try again.
git@gitlab.lixinkuan.com's password: 
Permission denied, please try again.
git@gitlab.lixinkuan.com's password: 
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.

The permissions of config.yml were then changed to the following:

[root@gitlab gitlab-shell]# ll
total 4
-rw-r----- 1 root git 1105 Jul 17 12:52 config.yml

After restarting the service, everything returned to normal:

[root@web-m data]# git clone ssh://git@gitlab.lixinkuan.com:22022/lxk/core.git
Cloning into 'core'...
remote: Counting objects: 5943, done.
remote: Compressing objects: 100% (3822/3822), done.
remote: Total 5943 (delta 2054), reused 5916 (delta 2042)
Receiving objects: 100% (5943/5943), 430.32 MiB | 1.28 MiB/s, done.
Resolving deltas: 100% (2054/2054), done.
Checking out files: 100% (8849/8849), done.

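The cause was a file permission problem: some genius, who knows who, changed the permissions of the gitlab-shell configuration file, or someone copied a configuration file onto the gitlab server as the root user.

In theory, git could read config.yml here through the "other" permission bits. But ssh is extremely strict about file permissions, so the file could not be read at all.

Appendix: output of a normal ssh debug-mode login to the gitlab server: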
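
A baseline check for the ownership and modes listed above in the working state, as an added example (not part of the original post or of GitLab). The base directory is passed as an argument because the post shows only the relative names `.ssh/` and `gitlab-shell/`; `stat -c` assumes GNU coreutils, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: detect drift in owner/group/mode of the files examined above.

# Print "<octal mode> <owner> <group>" for a path (GNU stat assumed).
perm_of() {
    stat -c '%a %U %G' "$1"
}

# check_perm PATH WANT_MODE WANT_OWNER WANT_GROUP
# Returns 0 on match, 1 on drift, 2 if the path does not exist.
check_perm() {
    path=$1
    want="$2 $3 $4"
    if [ ! -e "$path" ]; then
        echo "MISSING $path"
        return 2
    fi
    have=$(perm_of "$path")
    if [ "$have" = "$want" ]; then
        echo "OK      $path ($have)"
        return 0
    fi
    echo "DRIFT   $path have=($have) want=($want)"
    return 1
}

# audit_gitlab_ssh BASE
# Expected values are the ones shown in the listings once cloning worked again.
audit_gitlab_ssh() {
    base=$1
    rc=0
    check_perm "$base/.ssh"                   700 git  git  || rc=1
    check_perm "$base/.ssh/authorized_keys"   600 git  git  || rc=1
    check_perm "$base/gitlab-shell"           700 git  root || rc=1
    check_perm "$base/gitlab-shell/config.yml" 640 root git  || rc=1
    return $rc
}

# Run as: sh audit.sh <base directory containing .ssh and gitlab-shell>
if [ "$#" -gt 0 ]; then
    audit_gitlab_ssh "$1"
fi
```

Run from cron or a configuration-management check, a non-zero exit flags the kind of root-owned copy or mode change described above before users hit it.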

[root@web-m core]# ssh -vT git@gitlab.lixinkuan.com -p 22022
OpenSSH_7.4p1, OpenSSL 1.0.2k-fips  26 Jan 2017
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 58: Applying options for *
debug1: Connecting to gitlab.lixinkuan.com [X.X.X.X] port 22022.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_rsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_rsa-cert type -1
debug1: identity file /root/.ssh/id_dsa type 2
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.4
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
debug1: match: OpenSSH_5.3 pat OpenSSH_5* compat 0x0c000000
debug1: Authenticating to gitlab.lixinkuan.com:22022 as 'git'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: diffie-hellman-group-exchange-sha256
debug1: kex: host key algorithm: ssh-rsa
debug1: kex: server->client cipher: aes128-ctr MAC: umac-64@openssh.com compression: none
debug1: kex: client->server cipher: aes128-ctr MAC: umac-64@openssh.com compression: none
debug1: kex: diffie-hellman-group-exchange-sha256 need=16 dh_need=16
debug1: kex: diffie-hellman-group-exchange-sha256 need=16 dh_need=16
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<3072<8192) sent
debug1: got SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: got SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Server host key: ssh-rsa SHA256:YwKrqd2VsjmqoEdWNtCase8ONV5h0uSbGQEWR18lHd8
debug1: Host '[gitlab.lixinkuan.com]:22022' is known and matches the RSA host key.
debug1: Found key in /root/.ssh/known_hosts:1
debug1: rekey after 4294967296 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey after 4294967296 blocks
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure.  Minor code may provide more information
No Kerberos credentials available (default cache: KEYRING:persistent:0)

debug1: Unspecified GSS failure.  Minor code may provide more information
No Kerberos credentials available (default cache: KEYRING:persistent:0)

debug1: Next authentication method: publickey
debug1: Trying private key: /root/.ssh/id_rsa
debug1: Offering DSA public key: /root/.ssh/id_dsa
debug1: Remote: Forced command: /opt/gitlab/embedded/service/gitlab-shell/bin/gitlab-shell key-77
debug1: Remote: Port forwarding disabled.
debug1: Remote: X11 forwarding disabled.
debug1: Remote: Agent forwarding disabled.
debug1: Remote: Pty allocation disabled.
debug1: Server accepts key: pkalg ssh-dss blen 433
debug1: Remote: Forced command: /opt/gitlab/embedded/service/gitlab-shell/bin/gitlab-shell key-77
debug1: Remote: Port forwarding disabled.
debug1: Remote: X11 forwarding disabled.
debug1: Remote: Agent forwarding disabled.
debug1: Remote: Pty allocation disabled.
debug1: Authentication succeeded (publickey).
Authenticated to gitlab.lixinkuan.com ([X.X.X.X]:22022).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: pledge: network
debug1: Sending environment.
debug1: Sending env LANG = en_US.UTF-8
Welcome to GitLab, 李心宽!
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug1: client_input_channel_req: channel 0 rtype eow@openssh.com reply 0
debug1: channel 0: free: client-session, nchannels 1
Transferred: sent 3328, received 3664 bytes, in 0.1 seconds
Bytes per second: sent 27166.7, received 29909.5
debug1: Exit status 0
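
The two traces differ in the server's reply to the key the client offered. The following added example (not part of the original post) extracts that from `ssh -v` output, assuming the OpenSSH 7.4 client message format shown above; the sample input is constructed from lines of the two traces and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: summarise public-key attempts in `ssh -v` output read from stdin.
summarize_ssh_auth() {
    awk '
    # "Offering ..." means the public key was actually sent to the server.
    /^debug1: Offering .* public key: / {
        key = $NF; verdict[key] = "no-reply"; order[++n] = key; next }
    # The server reply that follows applies to the last key offered.
    /^debug1: Server accepts key/ { if (key != "") verdict[key] = "accepted"; next }
    /^debug1: Authentications that can continue/ {
        if (key != "" && verdict[key] == "no-reply") verdict[key] = "rejected"; next }
    /^debug1: Authentication succeeded/ { result = "succeeded" }
    /^Permission denied \(/             { result = "denied" }
    END {
        for (i = 1; i <= n; i++) print "key " order[i] " " verdict[order[i]]
        print "result " (result == "" ? "unknown" : result)
    }'
}

# Constructed samples: lines copied from the failing and the working trace.
sample_failed() {
    cat <<'EOF'
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Next authentication method: publickey
debug1: Trying private key: /root/.ssh/id_rsa
debug1: Offering DSA public key: /root/.ssh/id_dsa
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Trying private key: /root/.ssh/id_ecdsa
debug1: Next authentication method: password
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
EOF
}
sample_ok() {
    cat <<'EOF'
debug1: Offering DSA public key: /root/.ssh/id_dsa
debug1: Remote: Forced command: /opt/gitlab/embedded/service/gitlab-shell/bin/gitlab-shell key-77
debug1: Server accepts key: pkalg ssh-dss blen 433
debug1: Authentication succeeded (publickey).
EOF
}

# Live use: ssh -vT git@HOST -p PORT 2>&1 | summarize_ssh_auth
sample_failed | summarize_ssh_auth
sample_ok | summarize_ssh_auth
```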