GitLab on a 2FA + OpenSSH secured server

Question Votes: 0 Answers: 1
System: Ubuntu 18.04.2 LTS Server 

Gitlab: 11.7.5-ee

There is a new local server (a deep learning rig) that should also host GitLab, since the machine can easily handle that on the side.

The server of course has to be as secure as possible, so I changed the server configuration so that login is only possible with ssh-key + Google 2FA (following this tutorial: https://www.digitalocean.com/community/tutorials/how-to-set-up-multi-factor-authentication-for-ssh-on-ubuntu-16-04).

Then I installed GitLab, imported the projects, set up CI and added ssh-keys. In the web interface everything works fine, CI is running, and the web portal login, again with 2FA, works as expected. Side note: GitLab itself is only reachable via the internal IP (intended).

Locally I switched the remote:

git remote set-url origin git@IP:USERNAME/REPOSITORY.git

But now neither clone, nor pull, nor push works. I (and all other users) get:

git@IP's password:

I of course don't have that password.

Running

sudo gitlab-rake gitlab:check

Checking GitLab subtasks ...

Checking GitLab Shell ...

GitLab Shell: ... GitLab Shell version >= 8.4.4 ? ... OK (8.4.4)
Running /opt/gitlab/embedded/service/gitlab-shell/bin/check
Check GitLab API access: OK
Redis available via internal API: OK

Access to /var/opt/gitlab/.ssh/authorized_keys: OK
gitlab-shell self-check successful

Checking GitLab Shell ... Finished

Checking Gitaly ...

Gitaly: ... default ... OK

Checking Gitaly ... Finished

Checking Sidekiq ...

Sidekiq: ... Running? ... yes
Number of Sidekiq processes ... 1

Checking Sidekiq ... Finished

Checking Incoming Email ...

Incoming Email: ... Reply by email is disabled in config/gitlab.yml

Checking Incoming Email ... Finished

Checking LDAP ...

LDAP: ... LDAP is disabled in config/gitlab.yml

Checking LDAP ... Finished

Checking GitLab App ...

Git configured correctly? ... yes
Database config exists? ... yes
All migrations up? ... yes
Database contains orphaned GroupMembers? ... no
GitLab config exists? ... yes
GitLab config up to date? ... yes
Log directory writable? ... yes
Tmp directory writable? ... yes
Uploads directory exists? ... yes
Uploads directory has correct permissions? ... yes
Uploads directory tmp has correct permissions? ... yes
Init script exists? ... skipped (omnibus-gitlab has no init script)
Init script up-to-date? ... skipped (omnibus-gitlab has no init script)
Projects have namespace: ...
Administrator / salesbeat ... yes
Redis version >= 2.8.0? ... yes
Ruby version >= 2.3.5 ? ... yes (2.5.3)
Git version >= 2.18.0 ? ... yes (2.18.1)
Git user has default SSH configuration? ... yes
Active users: ... 4
Elasticsearch version 5.6 - 6.x? ... skipped (elasticsearch is disabled)

Checking GitLab App ... Finished


Checking GitLab subtasks ... Finished

Checking with sh -Tv [email protected]:

sh -Tv [email protected]
OpenSSH_7.6p1 Ubuntu-4, OpenSSL 1.0.2n  7 Dec 2017
debug1: Reading configuration data /home/user/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to 192.168.0.113 [192.168.0.113] port 22.
debug1: Connection established.
debug1: identity file /home/user/.ssh/id_rsa type 0
debug1: key_load_public: No such file or directory
debug1: identity file /home/user/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/user/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/user/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/user/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/user/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/user/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/user/.ssh/id_ed25519-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_7.6p1 Ubuntu-4
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.6p1 Ubuntu-4ubuntu0.2
debug1: match: OpenSSH_7.6p1 Ubuntu-4ubuntu0.2 pat OpenSSH* compat 0x04000000
debug1: Authenticating to 192.168.0.113:22 as 'git'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: [email protected] MAC: <implicit> compression: none
debug1: kex: client->server cipher: [email protected] MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:TubIbvzKzAsDNbW4WYmmLss4Jo7q089SmJmhdvdyhl8
debug1: Host '192.168.0.113' is known and matches the ECDSA host key.
debug1: Found key in /home/user/.ssh/known_hosts:16
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering public key: RSA SHA256:8Nkt7JyhE9zQKv6EIXfSMRLgzg8dh+eSzuPqvrSgpLw /home/user/.ssh/id_rsa
debug1: Server accepts key: pkalg rsa-sha2-512 blen 535
Authenticated with partial success.
debug1: Authentications that can continue: password,keyboard-interactive
debug1: Next authentication method: keyboard-interactive
debug1: Authentications that can continue: password,keyboard-interactive
debug1: Next authentication method: password
[email protected]'s password: 

I can't find a solution and am out of ideas. It looks like the key is detected and offered, but it goes straight on to the next authentication method: password. The only reason I can think of is the 2FA on the server itself, but for security reasons I obviously can't disable it.

git gitlab ssh-keys openssh
1 answer

0 votes

Your SSH log shows that the keyboard-interactive step (which includes the TOTP token prompt) doesn't actually do anything, which probably means your TOTP setup is incorrect or incomplete. This part is handled by libpam-google-authenticator; you can find additional logs in /var/log/auth.log (or elsewhere, depending on your system's logging setup).

My hunch: the setup shown in the tutorial creates a .google_authenticator file; make sure it ends up in the right place (/var/opt/gitlab if you are using the standard location).

Since this is a troubleshooting exercise I can't give a complete answer, but this should give you some more things to check.


Also, just a heads-up: this may not be feasible the way you imagine it.

GitLab works internally by using a single system account, git, and associates all SSH keys with that account. Authenticating via SSH with a specific public key lets GitLab look up which GitLab user this key belongs to, so that it can apply the correct identity and authorization for you at the application level (i.e. for Git operations).

The PAM module for Google Authenticator knows nothing about this. It can only associate a single TOTP secret with any given system account, which means all GitLab users would share the same token - which largely defeats the point of using TOTP tokens in the first place.

Side note: I have never seen a Git server that requires TOTP in addition to SSH key authentication. It is also impractical in practice, because it means every Git operation would prompt for a token, whereas with a proper SSH key setup with a key agent you only get prompted once a day (give or take). You may want to consider lowering the bar and accepting an encrypted SSH key plus its passphrase as the two factors (which is still far more than a secure password).
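To make the mechanism described in this answer concrete, here is an added example (not part of the question or answer above) that resolves which sshd AuthenticationMethods apply to the shared git account for a given sshd_config, the way `sshd -T -C user=git` does. The two config files are constructed for illustration; the `Match User git` carve-out in the second one is a common sshd pattern and my suggestion, not something the answer prescribes.

```shell
#!/bin/sh
# Added example, not from the question or answer. Resolves the AuthenticationMethods
# sshd applies to a user: the first global value wins, and the first matching
# "Match User" block overrides it. Only the User criterion of Match lines is
# evaluated here (other criteria such as Address are assumed satisfied).
effective_auth_methods() {            # usage: effective_auth_methods <file> <user>
    awk -v want="$2" '
        /^[ \t]*#/ || NF == 0 { next }              # skip comments and blank lines
        tolower($1) == "match" {
            in_match = 1; matched = 0
            for (i = 2; i < NF; i += 2)
                if (tolower($i) == "user") {
                    n = split($(i + 1), users, ",")   # "Match User git,deploy"
                    for (j = 1; j <= n; j++) if (users[j] == want) matched = 1
                }
            next
        }
        tolower($1) == "authenticationmethods" {
            sub(/^[ \t]*[^ \t]+[ \t]+/, "")          # keep only the value
            if (!in_match) { if (global == "") global = $0 }
            else if (matched && override == "") override = $0
        }
        END { print (override != "" ? override : (global != "" ? global : "any")) }
    ' "$1"
}

tmp=$(mktemp -d)
# Constructed sample 1, tutorial-style: every account, including the shared "git"
# account, must pass publickey AND the PAM TOTP prompt. A git client cannot answer
# that prompt, so the session falls through to the password prompt seen above.
cat > "$tmp/global_2fa.conf" <<'EOF'
ChallengeResponseAuthentication yes
AuthenticationMethods publickey,keyboard-interactive
EOF
# Constructed sample 2: key + TOTP stays in force for interactive accounts, but the
# git account is key-only, since GitLab already maps each key to a GitLab user and
# enforces authorization in gitlab-shell; one shared TOTP secret adds nothing there.
cat > "$tmp/git_exempt.conf" <<'EOF'
ChallengeResponseAuthentication yes
AuthenticationMethods publickey,keyboard-interactive
Match User git
    AuthenticationMethods publickey
EOF

echo "git   on global_2fa.conf: $(effective_auth_methods "$tmp/global_2fa.conf" git)"
echo "git   on git_exempt.conf: $(effective_auth_methods "$tmp/git_exempt.conf" git)"
echo "admin on git_exempt.conf: $(effective_auth_methods "$tmp/git_exempt.conf" admin)"
```

On a real host, confirm the effective policy with `sudo sshd -T -C user=git,host=<client>,addr=<client-ip> | grep -i authenticationmethods` before reloading sshd.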
