Unable to clone via SSH

I found this topic/thread but my issue is not RC being run by the wrong user. My SSH clone URL looks like this: ssh://root@my.tld/another-test and access is denied.

However, HTTP cloning works just fine.

My public keys are in my RC config file as well. Here is the content from cat /var/log/auth.log:

Jul 21 01:52:05 CODE sshd[21525]: Accepted publickey for root from [REDACTED] port 50481 ssh2: RSA SHA256:qwerty
Jul 21 01:52:05 CODE sshd[21525]: pam_unix(sshd:session): session opened for user root by (uid=0)
Jul 21 01:52:05 CODE systemd-logind[847]: New session 1607 of user root.
Jul 21 01:52:06 CODE sshd[21525]: Received disconnect from [REDACTED] port 50481:11: disconnected by user
Jul 21 01:52:06 CODE sshd[21525]: Disconnected from user root [REDACTED] port 50481
Jul 21 01:52:06 CODE sshd[21525]: pam_unix(sshd:session): session closed for user root
Jul 21 01:52:06 CODE systemd-logind[847]: Removed session 1607.

Not quite sure what I’m doing wrong.

EDIT: In /root/.rccontrol/community-1/rhodecode.ini I see this in the SSH section:

## AuthorizedKeysFile %h/.ssh/authorized_keys %h/.ssh/authorized_keys_rhodecode
ssh.authorized_keys_file_path = ~/.ssh/authorized_keys_rhodecode

Should I be using ssh.authorized_keys_file_path or AuthorizedKeysFile?

EDIT 2: Nvm, rccontrol status doesn’t like that…

Failed to parse /root/.rccontrol/community-1/rhodecode.ini
Invalid line ('AuthorizedKeysFile %h/.ssh/authorized_keys %h/.ssh/authorized_keys_rhodecode') (matched as neither section nor keyword) at line 589.

cat /root/.rccontrol/vcsserver-1/vcsserver.log:

KeyError: 'HEAD'
2019-07-21 02:02:22.883 [1099] INFO  [vcsserver.tweens] IP: Request to path: `/git` time: 0.005s
2019-07-21 02:02:22.887 [<1099>  ] GNCRN       rqt:0.009307 200 51     "POST:/git " usr:- "-" "PycURL/ libcurl/7.59.0 OpenSSL/1.0.2p zlib/1.2.11 libssh2/1.8.0 nghttp2/1.24.0"
2019-07-21 02:02:50.693 [1099] DEBUG [vcsserver.http_main] method called:assert_correct_path with kwargs:{} context_uid: [REDACTED]
2019-07-21 02:02:50.693 [1099] DEBUG [dogpile.lock] NeedRegenerationException
2019-07-21 02:02:50.693 [1099] DEBUG [dogpile.lock] no value, waiting for create lock
2019-07-21 02:02:50.694 [1099] DEBUG [dogpile.lock] value creation lock <dogpile.cache.region._LockWrapper object at 0x7f42aeecd590> acquired
2019-07-21 02:02:50.694 [1099] DEBUG [dogpile.lock] Calling creation function for not-yet-present value
2019-07-21 02:02:50.694 [1099] DEBUG [dogpile.lock] Released creation lock
2019-07-21 02:02:50.695 [1099] INFO  [vcsserver.tweens] IP: Request to path: `/git` time: 0.002s
2019-07-21 02:02:50.695 [<1099>  ] GNCRN       rqt:0.002517 200 51     "POST:/git " usr:- "-" "PycURL/ libcurl/7.59.0 OpenSSL/1.0.2p zlib/1.2.11 libssh2/1.8.0 nghttp2/1.24.0"
2019-07-21 02:02:50.869 [1099] DEBUG [vcsserver.http_main] http-app: handling git stream
2019-07-21 02:02:50.869 [1099] DEBUG [vcsserver.http_main] LFS: Detecting if request `/another-test/info/refs` is LFS server path based on content type:``, is_lfs:False
2019-07-21 02:02:50.869 [1099] DEBUG [vcsserver.http_main] LFS: fallback detection by path of: `/another-test/info/refs`, is_lfs:False
2019-07-21 02:02:50.869 [1099] DEBUG [vcsserver.http_main] http-app: starting app handler with <vcsserver.scm_app.GitHandler object at 0x7f42aeecd590> and process request
2019-07-21 02:02:50.878 [1099] INFO  [vcsserver.tweens] IP: Request to path: `/another-test/info/refs` time: 0.010s
2019-07-21 02:02:50.879 [<1099>  ] GNCRN       rqt:0.010726 200 38     "GET:/another-test/info/refs service=git-upload-pack" usr:- "-" "git/2.20.1 (Apple Git-117)"

For the time being, I am using stored git credentials via git config --global credential.helper store (from my local machine) so I can clone my private repos. This is undesired though, SSH operations should work.


This must be something on your SSHD setup, it seems it never goes into RhodeCode itself it’s blocked at SSH level.

My sshd_config file shows this:

PermitRootLogin yes
AuthorizedKeysFile %h/.ssh/authorized_keys %h/.ssh/authorized_keys_rhodecode
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
X11Forwarding yes
PrintMotd no
AcceptEnv LANG LC_*
Subsystem       sftp    /usr/lib/openssh/sftp-server

My ssh_config:

Host *
    SendEnv LANG LC_*
    HashKnownHosts yes
    GSSAPIAuthentication yes

Is it possible that LFS could be the issue? This guy seems to think so: https://stackoverflow.com/a/57139386

Hmm that could be an issue. Can you test with a Non LFS repo ? e.g create one via RhodeCode with few commits and try to clone/push via SSH.

The repo I’m trying to clone is empty and was created via the RC interface. I’ll make a new one with commits though.

EDIT: It didn’t work. I’m gonna try turning LFS off.
EDIT 2: Turning off LFS didn’t work either, even when creating a new repo after disabling it.

I haven’t gotten this nor RhodeCode tokens to work so I’ve resulted to just storing my HTTPS credentials in git (git config --global credential.helper store). If I ever figure out the issue I’ll update here.

Please ping us next week. Maybe we can delegate someone to help you with that issues, we think it might be very much LFS related still.