SSH Key asks for password
You mention:
Apr 2 10:19:13 venus shd[15693]: User git not allowed because account is locked
Apr 2 10:19:13 venus sshd[15693]: Failed none for illegal user git from ::ffff:127.0.0.1 port 56906 ssh2
This article mentions:
OpenSSH now checks for locked accounts by default.
On Linux systems, locked accounts are defined as those that have!!
in the password field of/etc/shadow
.
This is the default entry for accounts created with the useradd command.
Even if you are using GSI authentication and do not need local passwords,sshd
won't let the user login with this message:
Too many authentication failures for username
In the
sshd
debugging info it will indicate that the account is locked:
User username not allowed because account is locked
Here is some additional information from the sshd Manual:
Regardless of the authentication type, the account is checked to ensure that it is accessible.
An account is not accessible if it is locked, listed in DenyUsers or its group is listed in DenyGroups.
The definition of a locked account is system dependant.
Some platforms have their own account database (eg AIX) and some modify the passwd field ( "*LK*
" on Solaris and UnixWare, "*
" on HP-UX, containing "Nologin
" on Tru64, a leading "*LOCKED*
" on FreeBSD and a leading "!!
" on Linux).
If there is a requirement to disable password authentication for the account while allowing still public-key, then thepasswd
field should be set to something other than these values (eg "NP
" or "*NP*
" ).Fix: Replace !! with (for example) NP in /etc/shadow.
As mentioned by jszakmeister (comments) and Yongcan-Frank-Lv (comments):
sudo passwd -u git
would be enough to unlock the account.
you should put ~gitlab/.ssh/id_rsa.pub into ~git/.ssh/authorized_keys
-rwx------ 1 git git 557 Mar 27 16:46 authorized_keys
-rw-r--r-- 1 gitlab gitlab 406 Mar 27 16:45 id_rsa.pub
I can see the size not match, did you add some ssh key option there in authorized_keys? Also you should check error log of sshd also (eg: /var/log/auth or /var/log/secure etc)
This exact same issue was killing me in gitlab 5.2 (bitnami).
I finally tracked it down in /var/log/auth.log
which showed:
May 28 11:32:10 ml115 sshd[27779]: User git not allowed because account is locked
May 28 11:32:10 ml115 sshd[27779]: input_userauth_request: invalid user git [preauth]
After that, it didn't take me long to find that the git
entry in /etc/shadow
had a !
that needed to be replaced with a *
.
With *
and all my keys set up, I was able to ssh in from another machine (note that ssh -vvT git@gitserver
also helps with diagnosis).
git push -u origin master
now works.
My system is Ubuntu 13.04.