Summary
sshd could not read the git user's authorized_keys: SELinux denied the read because /var/opt/gitlab/.ssh and the files in it carried a file type that sshd_t is not allowed to read. Relabelling them to ssh_home_t fixed it.
chcon -R -t ssh_home_t /var/opt/gitlab/.ssh
I installed GitLab on a self-hosted server.
I was going to write that up in a separate article
→ done: AlmaLinux9.1にGitLabをインストールする - Qiita
I created a repository, and git clone failed with permission denied.
Trying to log in with ssh in verbose mode:
$ ssh -vT git@gitlab.server
OpenSSH_8.3p1, OpenSSL 1.1.1g 21 Apr 2020
debug1: Reading configuration data /c/Users/me/.ssh/config
debug1: /c/Users/me/.ssh/config line 11: Applying options for gitlab.server
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Connecting to gitlab.server [192.168.1.14] port 22.
debug1: Connection established.
debug1: identity file /c/Users/me/.ssh/gitlabserver/id_rsa type 0
debug1: identity file /c/Users/me/.ssh/gitlabserver/id_rsa-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.3
debug1: Remote protocol version 2.0, remote software version OpenSSH_8.7
debug1: match: OpenSSH_8.7 pat OpenSSH* compat 0x04000000
debug1: Authenticating to gitlab.server:22 as 'git'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:6pmPSAw94hf3CCr4O7aWgLKpVDUWV8HzaSiz7JgWZFU
debug1: Host 'gitlab.server' is known and matches the ECDSA host key.
debug1: Found key in /c/Users/me/.ssh/known_hosts:12
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 134217728 blocks
debug1: Will attempt key: /c/Users/me/.ssh/gitlabserver/id_rsa RSA SHA256:3ZkKq5xbX9rFAyk2npWZz900kQmF9XSJqZdFUKoswoE explicit
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,sk-ssh-ed25519@openssh.com,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nist
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Next authentication method: publickey
debug1: Offering public key: /c/Users/me/.ssh/gitlabserver/id_rsa RSA SHA256:3ZkKq5xbX9rFAyk2npWZz900kQmF9XSJqZdFUKoswoE explicit
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Next authentication method: password
- "Offering public key" is not followed by "Server accepts key", so public-key authentication is failing on the server side.
- /var/log/secure only shows the connection being dropped during PREAUTH, nothing more.
- /var/log/messages had SELinux errors.
Jan 13 21:24:47 humpback setroubleshoot[92425]: SELinux is preventing /usr/sbin/sshd from read access on the file authorized_keys. For complete SELinux messages run: sealert -l 348da63a-87fa-4dea-aef2-b3562060a7a3
Jan 13 21:24:47 humpback setroubleshoot[92425]: SELinux is preventing /usr/sbin/sshd from read access on the file authorized_keys.#012#012***** Plugin catchall_labels (83.8 confidence) suggests ********************************#012#012If you want to allow sshd to have read access on the authorized_keys file#012Then you need to change the label on authorized_keys#012Do#012# semanage fcontext -a -t FILE_TYPE 'authorized_keys'#012where FILE_TYPE is one of the following: NetworkManager_etc_rw_t, NetworkManager_etc_t, NetworkManager_tmp_t, abrt_etc_t, abrt_helper_exec_t, abrt_tmp_t, abrt_upload_watch_tmp_t, abrt_var_cache_t,
<rest omitted>
Searching around
When attempting to perform git operations over SSH requests will fail due to new selinux restrictions present in CentOS Stream 8. sshd is blocked from accessing /var/opt/gitlab/.ssh/authorized_keys, causing the request to fail.
No permission denied message is logged in /var/log/secure, just that the client closed the connection. No events are written to /var/log/gitlab/gitlab-shell/gitlab-shell.log as shell is never executed. /var/log/audit/audit.log does capture the denial.
sshd access to git user's authorized_keys file blocked by selinux on CentOS Stream 8 (#6397) · Issues · GitLab.org / omnibus-gitlab · GitLab
With the CentOS 6.x defaults, changing it to "ssh_home_t" is enough.
SELinuxが有効な環境で他のユーザーのSSH公開鍵を配置する - Qiita (placing another user's SSH public key on an SELinux-enabled system)
Fix
chcon -R -t ssh_home_t /var/opt/gitlab/.ssh
This relabels the git user's .ssh directory and the authorized_keys inside it to ssh_home_t, the type sshd_t is allowed to read keys from; afterwards the ssh -vT run above should show "Server accepts key" right after "Offering public key". Note that chcon only rewrites the label on disk: a later restorecon or a full filesystem relabel resets it to the policy default, so for a permanent fix register the path with semanage fcontext and apply it with restorecon.
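As an added example (not code from the original post or from GitLab), the script below does the triage the omnibus-gitlab issue recommends: it pulls sshd's AVC denials out of audit.log, reports the SELinux type of the file sshd was refused, and prints the persistent relabel in place of the one-off chcon. The audit lines embedded in it are constructed for the example (the PID, inode and var_t type are illustrative), and the GITLAB_SSH_DIR default is an assumption taken from the path in the page; the AVC record itself only carries the file's basename.

```shell
#!/bin/sh
# Added example, not code from the original post or from GitLab.
# Triage an SELinux denial of sshd reading authorized_keys and print the
# persistent fix. Runs offline on CONSTRUCTED audit lines; on the real host
# feed it /var/log/audit/audit.log or the output of `ausearch -m AVC -c sshd`.

# Constructed sample of /var/log/audit/audit.log: one sshd denial of the shape
# the page describes, plus an unrelated httpd denial that must be filtered out.
SAMPLE_AUDIT_LOG='type=AVC msg=audit(1673612687.123:4567): avc:  denied  { read } for  pid=92420 comm="sshd" name="authorized_keys" dev="dm-0" ino=131077 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_t:s0 tclass=file permissive=0
type=AVC msg=audit(1673612690.456:4570): avc:  denied  { write } for  pid=1234 comm="httpd" name="index.html" dev="dm-0" ino=222 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0'

# Print "<file name> <target type>" for each AVC record in which sshd was
# refused read access to a file. Log text is read from stdin.
sshd_read_denials() {
    grep 'type=AVC' | grep 'comm="sshd"' | grep 'denied' | grep -F '{ read }' |
        sed -n 's/.* name="\([^"]*\)".* tcontext=[^:]*:[^:]*:\([^:]*\):.*/\1 \2/p'
}

# sshd_t reads authorized_keys from ssh_home_t. Any other type on that file is
# the condition the page hit (var_t here, the default type under /var/opt).
needs_relabel() {
    [ "$1" != "ssh_home_t" ]
}

# Persistent equivalent of the page's `chcon -R -t ssh_home_t`: chcon only
# changes the label on disk and a later `restorecon` or full relabel reverts
# it, whereas a semanage fcontext rule survives both. Commands are printed,
# not executed, so this is safe to run anywhere; pipe into sh on the GitLab
# host (use `semanage fcontext -m` instead of `-a` if a rule already exists).
selinux_fix_cmds() {
    dir=$1
    printf "semanage fcontext -a -t ssh_home_t '%s(/.*)?'\n" "$dir"
    printf "restorecon -Rv '%s'\n" "$dir"
    # Verify the new labels, then check no fresh denial follows the next ssh attempt.
    printf "ls -Z '%s'\n" "$dir"
    printf "ausearch -m AVC -c sshd -ts recent\n"
}

main() {
    # Assumed directory (from the path in the page); override with GITLAB_SSH_DIR.
    ssh_dir=${GITLAB_SSH_DIR:-/var/opt/gitlab/.ssh}
    printf '%s\n' "$SAMPLE_AUDIT_LOG" | sshd_read_denials |
        while read -r name ttype; do
            if needs_relabel "$ttype"; then
                echo "# sshd was denied read on $name labelled $ttype; proposed fix:"
                selinux_fix_cmds "$ssh_dir"
            else
                echo "# $name is already $ttype; look at mode bits, ownership or sshd_config instead"
            fi
        done
}

main
```

On the constructed input the script reports the authorized_keys denial with type var_t and prints the semanage/restorecon pair for /var/opt/gitlab/.ssh; the httpd record is ignored. If the reported type is already ssh_home_t, SELinux is not the cause and the usual suspects (0600 on the key file, 0700 on .ssh, ownership by git, StrictModes) are the next thing to check.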