Updating repository Git - Ask password #363

Closed
Neneow opened this issue May 24, 2017 · 23 comments

@Neneow

Neneow commented May 24, 2017

While running a task, at the "Updating repository" step, the task doesn't progress. In the shell, I can see the process waiting for a password. The private key registered in the Key Store doesn't contain a passphrase.

I run ssh -T -i access_key_4 git@git.xxxx.com and I am authenticated without a password.

I've tried another private key and the problem is similar.

Thank you.

@matejkramny
Contributor

What is the log output?

@Neneow
Author

Neneow commented May 24, 2017

I have this in the shell:

semaphore -config /etc/ansible/Playbooks/semaphore_config.json
Semaphore 2.3.0
Port :3000
MySQL root@127.0.0.1:3306 semaphore
Tmp Path (projects home) /etc/ansible/Playbooks
&{{28 2 waiting true false 0xc420467880 {63631236571 677447093 0xe76d80} } {0 0 0 0 0 false} {0 false} {0 0 {0 false} {0 false} false} {0 0 0 false {0 false}} {0 0 false} [] 3 false}
[3]
201 17:29:31 97.76857ms | POST /api/project/3/tasks
200 17:29:31 21.498974ms | GET /api/users/3
200 17:29:32 297.215589ms | GET /api/project/3/tasks/28/output
git@git.xxx.com's password:

And in the task log:

17:29:31: Started: 28
17:29:31: Run task with template: UpdateLinux.

17:29:31: access key Ansible-Key installed
17:29:31: Updating repository git@git.xxx.com:Git/Semaphore.git
17:29:31: Updating repository git@git.xxx.com:Git/Semaphore.git

If I try to enter the password in the shell, I get an access denied in the task log.

@matejkramny
Contributor

Sure the identity of the inventory is set correctly in semaphore?

You can look in the database. access_key table

@Neneow
Author

Neneow commented May 26, 2017

Thank you for your reply.

Yes, the secret field in the access_key table matches the private key and project_id is the right project.

I have deleted the database and all config files and run a new setup, but the same problem occurs.

@matejkramny
Contributor

Hmm it should be working..

When you run ssh -T -i access_key_4 git@git.xxxx.com I believe it still uses your identity in ~/.ssh. Can you run with -v (-vvvv) flags to be sure?

Is the access_key_4 file content correct?

@Neneow
Author

Neneow commented May 26, 2017

Result of -v (since I reinstalled semaphore, the key is acc_key_1):

OpenSSH_6.6.1, OpenSSL 1.0.1f 6 Jan 2014
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to git.xxx.com [xxx.xxx.xxx.xxx] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug3: Incorrect RSA1 identifier
debug3: Could not load "access_key_1" as a RSA1 public key
debug1: identity file access_key_1 type -1
debug1: identity file access_key_1-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.8
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.6
debug1: match: OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.6 pat OpenSSH_6.6.1* compat 0x04000000
debug2: fd 3 setting O_NONBLOCK
debug3: load_hostkeys: loading entries for host "git.xxx.com" from file "/root/.ssh/known_hosts"
debug3: load_hostkeys: found key type RSA in file /root/.ssh/known_hosts:3
debug3: load_hostkeys: loaded 1 keys
debug3: order_hostkeyalgs: prefer hostkeyalgs: ssh-rsa-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ssh-rsa
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ssh-rsa,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,ssh-dss-cert-v00@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ssh-ed25519
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: setup hmac-md5-etm@openssh.com
debug1: kex: server->client aes128-ctr hmac-md5-etm@openssh.com none
debug2: mac_setup: setup hmac-md5-etm@openssh.com
debug1: kex: client->server aes128-ctr hmac-md5-etm@openssh.com none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: RSA bf:e0:c3:8a:49:67:b3:3d:81:d5:c7:3f:86:dc:ae:1b
debug3: load_hostkeys: loading entries for host "git.xxx.com" from file "/root/.ssh/known_hosts"
debug3: load_hostkeys: found key type RSA in file /root/.ssh/known_hosts:3
debug3: load_hostkeys: loaded 1 keys
debug3: load_hostkeys: loading entries for host "xxx.xxx.xxx.xxx" from file "/root/.ssh/known_hosts"
debug3: load_hostkeys: found key type RSA in file /root/.ssh/known_hosts:4
debug3: load_hostkeys: loaded 1 keys
debug1: Host 'git.xxx.com' is known and matches the RSA host key.
debug1: Found key in /root/.ssh/known_hosts:3
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: access_key_1 ((nil)), explicit
debug1: Authentications that can continue: publickey,password
debug3: start over, passed a different list publickey,password
debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: access_key_1
debug1: key_parse_private2: missing begin marker
debug1: read PEM private key done: type RSA
debug3: sign_and_send_pubkey: RSA ce:ad:49:92:6e:58:6a:25:81:a9:d0:76:76:96:a8:e1
debug2: we sent a publickey packet, wait for reply
debug1: Authentication succeeded (publickey).
Authenticated to git.xxx.com ([xxx.xxx.xxx.xxx]:22).
debug1: channel 0: new [client-session]
debug3: ssh_session2_open: channel_new: 0
debug2: channel 0: send open
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: Remote: Forced command.
debug1: Remote: Port forwarding disabled.
debug1: Remote: X11 forwarding disabled.
debug1: Remote: Agent forwarding disabled.
debug1: Remote: Pty allocation disabled.
debug2: callback start
debug2: fd 3 setting TCP_NODELAY
debug3: packet_set_tos: set IP_TOS 0x08
debug2: client_session2_setup: id 0
debug1: Sending environment.
debug3: Ignored env XDG_SESSION_ID
debug3: Ignored env ara_location
debug3: Ignored env SHELL
debug3: Ignored env TERM
debug3: Ignored env ARA_DATABASE
debug3: Ignored env OLDPWD
debug3: Ignored env USER
debug3: Ignored env LS_COLORS
debug3: Ignored env SUDO_USER
debug3: Ignored env SUDO_UID
debug3: Ignored env ANSIBLE_CALLBACK_PLUGINS
debug3: Ignored env USERNAME
debug3: Ignored env ANSIBLE_LIBRARY
debug3: Ignored env MAIL
debug3: Ignored env PATH
debug3: Ignored env PWD
debug1: Sending env LANG = fr_FR.UTF-8
debug2: channel 0: request env confirm 0
debug3: Ignored env SHLVL
debug3: Ignored env SUDO_COMMAND
debug3: Ignored env HOME
debug3: Ignored env LOGNAME
debug3: Ignored env LESSOPEN
debug3: Ignored env XDG_RUNTIME_DIR
debug3: Ignored env SUDO_GID
debug3: Ignored env ANSIBLE_ACTION_PLUGINS
debug3: Ignored env LESSCLOSE
debug3: Ignored env _
debug2: channel 0: request shell confirm 1
debug2: callback done
debug2: channel 0: open confirm rwindow 0 rmax 32768
debug2: channel 0: rcvd adjust 2097152
debug2: channel_input_status_confirm: type 99 id 0
debug2: shell request accepted on channel 0
Welcome to GitLab, Ansible!
debug2: channel 0: rcvd eof
debug2: channel 0: output open -> drain
debug2: channel 0: obuf empty
debug2: channel 0: close_write
debug2: channel 0: output drain -> closed
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug1: client_input_channel_req: channel 0 rtype eow@openssh.com reply 0
debug2: channel 0: rcvd eow
debug2: channel 0: close_read
debug2: channel 0: input open -> closed
debug2: channel 0: rcvd close
debug3: channel 0: will not send data after close
debug2: channel 0: almost dead
debug2: channel 0: gc: notify user
debug2: channel 0: gc: user detached
debug2: channel 0: send close
debug2: channel 0: is dead
debug2: channel 0: garbage collecting
debug1: channel 0: free: client-session, nchannels 1
debug3: channel 0: status: The following connections are open:
  #0 client-session (t4 r0 i3/0 o3/0 fd -1/-1 cc -1)
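
A verbose trace like the one above can be reduced to the two facts that matter here: which private key the client tried and which method finally authenticated. The following is an added example, not code from this thread or from Semaphore; the function names `ssh_auth_summary` and `probe_key` are hypothetical and the sample lines are constructed.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# Summarise `ssh -v` debug output read from stdin: which private keys the
# client tried, and which method finally authenticated (if any).
ssh_auth_summary() {
    awk '
        /^debug1: Trying private key: / {
            sub(/^debug1: Trying private key: /, "")
            keys = keys sep $0; sep = ","
            next
        }
        # Remember the most recent method the client moved on to.
        /^debug1: Next authentication method: / { last = $NF }
        /^debug1: Authentication succeeded \(/ {
            ok = $NF; gsub(/[().]/, "", ok)
        }
        END {
            if (ok != "")
                printf "result=ok method=%s keys=%s\n", ok, keys
            else if (last == "password" || last == "keyboard-interactive")
                printf "result=fallback method=%s keys=%s\n", last, keys
            else
                printf "result=failed method=%s keys=%s\n", last, keys
        }'
}

# Probe one key the way an unattended job has to use it: no prompt
# (BatchMode), no keys from ssh-agent (IdentitiesOnly), public key only.
# usage: probe_key <keyfile> <user@host>
probe_key() {
    ssh -v -T -o BatchMode=yes -o IdentitiesOnly=yes \
        -o PreferredAuthentications=publickey \
        -i "$1" "$2" 2>&1 >/dev/null | ssh_auth_summary
}

# Constructed sample lines in the format of the trace above.
SAMPLE_OK='debug1: Next authentication method: publickey
debug1: Trying private key: access_key_1
debug1: Authentication succeeded (publickey).'

# Constructed: the key is rejected and the client moves on to password.
SAMPLE_FALLBACK='debug1: Next authentication method: publickey
debug1: Trying private key: other_key
debug1: Next authentication method: password'

printf '%s\n' "$SAMPLE_OK" | ssh_auth_summary
printf '%s\n' "$SAMPLE_FALLBACK" | ssh_auth_summary
```

With `BatchMode=yes` a rejected key ends the connection with an error instead of leaving the process waiting at a password prompt.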

@Neneow
Author

Neneow commented May 26, 2017

The content of the file seems to be OK, but it begins with -----BEGIN RSA PRIVATE KEY----- and ends with -----END RSA PRIVATE KEY-----

@matejkramny
Contributor

That's ok. SSH seems to be using the correct key.

Would you try using the same or new key with another host?

It is very weird the connection doesn't work!

Another problem could be the username ansible uses to log into the server. Do you set this in the playbook or inventory?

If the user other than git does not accept the key it falls back to password authentication.

@Neneow
Author

Neneow commented May 26, 2017

Thank you.

I don't understand: I have put this key in my ssh folder (Windows, PowerShell) and I can clone the project where we pull our playbooks, at git@git.xxx.com, without a passphrase.

The user ansible is set in the playbook for connections to the servers we manage with ansible.

I have created a specific user for access to git and have the same problem!

@matejkramny
Contributor

Ok but then test with the same user. Try ssh -i access_key_4 ansible@git.xxx.com

This is what semaphore (ansible) is trying to do and is failing.

Ultimately try to reproduce the same command semaphore is launching:

ansible-playbook -i <semaphore-inventory-file-location> --private-key=<private-key-location> <playbook-file-location>

@matejkramny
Contributor

I think there might be some confusion.

Semaphore uses 2 keys (you can reuse one).

  1. Log into the git server and download the playbook
  2. When running the playbook, using a key to log into the servers ansible accesses

@Neneow
Author

Neneow commented May 26, 2017

Ok, thank you for this information.

I try ssh -T -i access_key_1 ansible@git.xxx.com (ansible is the user we have created on git and it has rights on the project) and I must enter a passphrase.

If I understand your comment, despite the fact that I configured GIT@git.xxx.com in the playbook repository, semaphore tries to connect with ansible@git.xxx.com (ansible is the user we set up as the default user in ansible.cfg)?

@matejkramny
Contributor

You can clone the playbook from git@git.xxx.com but then set the playbook user to ansible to connect to ansible@git.xxx.com.

Example playbook:

---
- user: ansible
  tasks:
    ...

@matejkramny
Contributor

Maybe the user ansible on the server has the wrong configuration. Semaphore can't give ssh a passphrase.

Check the logs on the server if it says anything about the key.

@Neneow
Author

Neneow commented May 26, 2017

OK, I understand. But all users in our company connect to git with git@git.xxx.com. The public key is defined on each user's git account.

Example: I am master of the semaphore project, my public key is configured on my git account (e.g. neneow), but I can only pull/push with git@git.xxx.com

@Neneow
Author

Neneow commented May 26, 2017

I checked auth.log on the git server.

When I run ssh -T -i access_key_1 git@git.xxx.com from the semaphore server, in auth.log I have:
Accepted publickey for git from xxx.xxx.xxx.xxx port 44878 ssh2: RSA ce:ad:49:92:6e:58:6a:25:81:a9:d0:76:76:96:a8:e1

And when I ran the task from semaphore:

pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=xxx.xxx.xxx.xxx user=git
-Failed password for git from xxx.xxx.xxx.xxx port 44876 ssh2
-Connection closed by xxx.xxx.xxx.xxx [preauth]

@matejkramny
Contributor

Hmm there is something wrong with the ssh key or configuration.

Might you try running the playbook manually without semaphore?

@Neneow
Author

Neneow commented Jun 2, 2017

Thank you for spending time and for your responses. So I tried this:

Installed Semaphore on my W10. Put this famous private key in the key store. Ran the task and got the same error, couldn't clone our git:
"access key Key_Ansible installed
Cloning repository git@git.xx.com:project/Semaphore.git
Cloning into 'repository_1'...
Warning: Identity file c:semaphore/access_key_1 not accessible: No such file or directory.
Permission denied, please try again.
Permission denied, please try again.
Permission denied (publickey,password).
fatal: Could not read from remote repository.
"

and the repository exists.
Please make sure you have the correct access rights
Failed updating repository: exit status 128

I copied the access_key_1 generated in c:\ to id_rsa in c:\users\myuser.ssh and ran git clone (git@git.xxx.com:project/semaphore.git) and the project clones without asking for a password ...

So access_key_1 is well-formed and the private key is correct.

I really don't understand what's happening.

Update:
In procmon, I think the path is incorrect.
[image]
The correct path is c:\semaphore\access_key_1

@matejkramny
Contributor

I see, that could indeed be the issue. Do you put the full C: path into semaphore's UI?

@Neneow
Author

Neneow commented Jun 6, 2017

OK, I think I have found the problem, and it is described on your wiki .... I installed a fresh Ubuntu Xenial and the git package in version 1:2.7.4. With the same private key, no passphrase is needed.

All my tests were made on Ubuntu Trusty with git version 1:1.9.1-1

@matejkramny I had just tested on Windows, so it's another problem. In UI -> System Information, the path for Playbook seems to be OK.

Thank you for your help

@Neneow Neneow closed this as completed Jun 6, 2017
@matejkramny
Contributor

What was the problem? It should be working on windows

@Neneow
Author

Neneow commented Jun 6, 2017 via email

@Neneow
Author

Neneow commented Jun 7, 2017

I updated the git version on Windows (2.5.3 -> 2.13.0). The problem is still present, semaphore doesn't find access_key_1:
08:22:07: Cloning into 'repository_1'...
08:22:07: Warning: Identity file c:semaphore/access_key_1 not accessible: No such file or directory.

File is present in c:\semaphore

In config file, tmp_path value is : "tmp_path": "c:\semaphore",
