[root@web-m data]# git clone ssh://git@gitlab.lixinkuan.com:22022/lxk/core.git
Cloning into 'core'...
git@gitlab.lixinkuan.com's password:
Permission denied, please try again.
git@gitlab.lixinkuan.com's password:
Permission denied, please try again.
git@gitlab.lixinkuan.com's password:
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
fatal: Could not read from remote repository.
Please make sure you have the correct access rights and the repository exists.
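The key pair had already been created locally and the private key uploaded to the user's SSH Keys. The procedure went without problems, yet login only worked over HTTP by entering a username and password.
The Permission denied in the output already indicates a permissions problem, because a password cannot be used for this SSH login: whether or not the password entered is correct, Permission denied is returned. View the login process in debug mode: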
[root@web-m .ssh]# ssh -vT git@gitlab.lixinkuan.com -p 22022
OpenSSH_7.4p1, OpenSSL 1.0.2k-fips 26 Jan 2017
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 58: Applying options for *
debug1: Connecting to gitlab.lixinkuan.com [X.X.X.X] port 22022.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_rsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_rsa-cert type -1
debug1: identity file /root/.ssh/id_dsa type 2
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.4
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
debug1: match: OpenSSH_5.3 pat OpenSSH_5* compat 0x0c000000
debug1: Authenticating to gitlab.lixinkuan.com:22022 as 'git'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: diffie-hellman-group-exchange-sha256
debug1: kex: host key algorithm: ssh-rsa
debug1: kex: server->client cipher: aes128-ctr MAC: umac-64@openssh.com compression: none
debug1: kex: client->server cipher: aes128-ctr MAC: umac-64@openssh.com compression: none
debug1: kex: diffie-hellman-group-exchange-sha256 need=16 dh_need=16
debug1: kex: diffie-hellman-group-exchange-sha256 need=16 dh_need=16
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<3072<8192) sent
debug1: got SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: got SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Server host key: ssh-rsa SHA256:YwKrqd2VsjmqoEdWNtCase8ONV5h0uSbGQEWR18lHd8
debug1: checking without port identifier
The authenticity of host '[gitlab.lixinkuan.com]:22022 ([X.X.X.X]:22022)' can't be established.
RSA key fingerprint is SHA256:YwKrqd2VsjmqoEdWNtCase8ONV5h0uSbGQEWR18lHd8.
RSA key fingerprint is MD5:14:8c:87:8f:b5:15:75:e1:8a:31:a5:61:ce:9d:68:6c.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[gitlab.lixinkuan.com]:22022,[X.X.X.X]:22022' (RSA) to the list of known hosts.
# One rejection here
debug1: rekey after 4294967296 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey after 4294967296 blocks
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Next authentication method: gssapi-keyex
# Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
# No valid key exchange context
debug1: Next authentication method: gssapi-with-mic
# Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure. Minor code may provide more information
No Kerberos credentials available (default cache: KEYRING:persistent:0)
debug1: Unspecified GSS failure. Minor code may provide more information
No Kerberos credentials available (default cache: KEYRING:persistent:0)
# Below you can see that the authentication files it tries to read, one after another, are all under /root/.ssh. But we are logging in to gitlab; that is not right, the authentication files should not be read from here!!!
debug1: Next authentication method: publickey
debug1: Trying private key: /root/.ssh/id_rsa
debug1: Offering DSA public key: /root/.ssh/id_dsa
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Trying private key: /root/.ssh/id_ecdsa
debug1: Trying private key: /root/.ssh/id_ed25519
debug1: Next authentication method: password
git@gitlab.lixinkuan.com's password:
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
Permission denied, please try again.
git@gitlab.lixinkuan.com's password:
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
Permission denied, please try again.
git@gitlab.lixinkuan.com's password:
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: No more authentication methods to try.
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
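A long `ssh -v` trace is easier to compare when reduced to the verdict for each key that was actually offered. The script below is an added example, not part of the original post; the function names are hypothetical and the sample lines are excerpts constructed from the failing trace above and the working trace at the end of the page.

```shell
#!/usr/bin/env bash
# Summarize `ssh -v` client output from stdin: the verdict for each key that
# was actually offered, then the final outcome. The patterns match the
# OpenSSH 7.4 message format seen on this page.
# Usage (debug output goes to stderr): ssh -vT -p PORT git@HOST 2>&1 | summarize_ssh_debug
summarize_ssh_debug() {
  awk '
    /^debug1: Offering .* public key: / { offered = $NF; next }
    /^debug1: Server accepts key: / && offered != "" {
      print "accepted " offered; offered = ""; next
    }
    /^debug1: Authentications that can continue: / && offered != "" {
      print "rejected " offered; offered = ""; next
    }
    /^debug1: Authentication succeeded / {
      method = $NF; gsub(/[().]/, "", method)
      result = "authenticated via " method
    }
    /^Permission denied \(/ { result = "denied" }
    END { print "result: " (result == "" ? "unknown" : result) }
  '
}

# Constructed sample: lines excerpted from the failing trace.
failing_trace() {
  cat <<'EOF'
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Next authentication method: publickey
debug1: Trying private key: /root/.ssh/id_rsa
debug1: Offering DSA public key: /root/.ssh/id_dsa
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Trying private key: /root/.ssh/id_ecdsa
debug1: Next authentication method: password
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
EOF
}

# Constructed sample: lines excerpted from the working trace.
working_trace() {
  cat <<'EOF'
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Next authentication method: publickey
debug1: Offering DSA public key: /root/.ssh/id_dsa
debug1: Server accepts key: pkalg ssh-dss blen 433
debug1: Authentication succeeded (publickey).
EOF
}
```

On the two samples the same key, /root/.ssh/id_dsa, is reported as rejected in the failing trace and accepted in the working one.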
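Since only SSH login has the problem, it should be a file-permission problem in GitLab's SSH component.
Check the permissions of the key files: only the owner has access, group and other have none, and the .ssh directory is fine.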
[root@gitlab gitlab]# ll -d .ssh/
drwx------ 2 git git 4096 Jul 18 09:29 .ssh/
[root@gitlab gitlab]# ll .ssh/
total 32
-rw------- 1 git git 28332 Oct 16 20:50 authorized_keys
-rw------- 1 git git 0 Oct 16 20:50 authorized_keys.lock
Check the gitlab-shell permissions:
[root@gitlab gitlab]# ll -d gitlab-shell/
drwx------ 2 git root 4096 Oct 16 20:46 gitlab-shell/
[root@gitlab gitlab]# ll gitlab-shell/
total 4
-rw-r--r-- 1 root root 1105 Jul 17 12:52 config.yml
[root@gitlab gitlab-shell]# stat config.yml
File: `config.yml'
Size: 1105 Blocks: 8 IO Block: 4096 regular file
Device: fc01h/64513d Inode: 132041 Links: 1
Access: (0644/-rw-r--r--) Uid: ( 0/ root) Gid: ( 0/ root)
Access: 2018-10-16 18:38:47.356925223 +0800
Modify: 2018-07-17 12:52:10.845000022 +0800
Change: 2018-07-17 12:52:10.847000022 +0800
The owner and group of config.yml are both root. Changing them to root git and restarting the git service did not help; the fault remained.
[root@web-m data]# git clone ssh://git@gitlab.lixinkuan.com:22022/lxk/core.git
Cloning into 'core'...
git@gitlab.lixinkuan.com's password:
Permission denied, please try again.
git@gitlab.lixinkuan.com's password:
Permission denied, please try again.
git@gitlab.lixinkuan.com's password:
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
fatal: Could not read from remote repository.
Please make sure you have the correct access rights and the repository exists.
Then the permissions of config.yml were changed to the following:
[root@gitlab gitlab-shell]# ll
total 4
-rw-r----- 1 root git 1105 Jul 17 12:52 config.yml
After restarting the service, everything returned to normal:
[root@web-m data]# git clone ssh://git@gitlab.lixinkuan.com:22022/lxk/core.git
Cloning into 'core'...
remote: Counting objects: 5943, done.
remote: Compressing objects: 100% (3822/3822), done.
remote: Total 5943 (delta 2054), reused 5916 (delta 2042)
Receiving objects: 100% (5943/5943), 430.32 MiB | 1.28 MiB/s, done.
Resolving deltas: 100% (2054/2054), done.
Checking out files: 100% (8849/8849), done.
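The cause of the problem was file permissions. I don't know which guru changed the permissions of the gitlab-shell configuration file, or perhaps someone copied a configuration file to the GitLab server as the root user.
Here, git reading config.yml through the "other" permission bits should work in theory. But ssh is extremely strict about file permissions, so the file could not be read at all.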
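To catch this kind of drift before it breaks SSH access, the ownership and mode of the three paths inspected above can be compared with the values shown in the working state on this page. This is an added example, not part of the original post or of GitLab; the function names are hypothetical, and the base directory is passed as an argument because the post only shows the relative paths .ssh/ and gitlab-shell/.

```shell
#!/usr/bin/env bash
# Print "mode owner group" for a path (GNU stat first, BSD stat as fallback).
perm_of() {
  stat -c '%a %U %G' "$1" 2>/dev/null || stat -f '%Lp %Su %Sg' "$1"
}

# audit_path PATH MODE OWNER GROUP
# Prints a verdict and returns 1 if the path is missing or does not match.
audit_path() {
  local path="$1" want="$2 $3 $4" have
  if ! have=$(perm_of "$path" 2>/dev/null); then
    echo "MISSING  $path"
    return 1
  fi
  if [ "$have" = "$want" ]; then
    echo "OK       $path ($have)"
  else
    echo "MISMATCH $path: have '$have', want '$want'"
    return 1
  fi
}

# audit_gitlab_ssh BASE
# BASE is the directory that contains .ssh/ and gitlab-shell/ (assumption:
# supplied by the operator). Expected values are the ones this page shows
# once cloning over SSH works again.
audit_gitlab_ssh() {
  local base="$1" rc=0
  audit_path "$base/.ssh"                    700 git  git || rc=1
  audit_path "$base/.ssh/authorized_keys"    600 git  git || rc=1
  audit_path "$base/gitlab-shell/config.yml" 640 root git || rc=1
  return $rc
}
```

Run as root on the GitLab server, `audit_gitlab_ssh BASE` returns non-zero and prints a MISMATCH line for config.yml in the broken state shown earlier (644 root root).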
Attached: the result of a normal SSH debug-mode login to the GitLab server:
[root@web-m core]# ssh -vT git@gitlab.lixinkuan.com -p 22022
OpenSSH_7.4p1, OpenSSL 1.0.2k-fips 26 Jan 2017
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 58: Applying options for *
debug1: Connecting to gitlab.lixinkuan.com [X.X.X.X] port 22022.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_rsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_rsa-cert type -1
debug1: identity file /root/.ssh/id_dsa type 2
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.4
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
debug1: match: OpenSSH_5.3 pat OpenSSH_5* compat 0x0c000000
debug1: Authenticating to gitlab.lixinkuan.com:22022 as 'git'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: diffie-hellman-group-exchange-sha256
debug1: kex: host key algorithm: ssh-rsa
debug1: kex: server->client cipher: aes128-ctr MAC: umac-64@openssh.com compression: none
debug1: kex: client->server cipher: aes128-ctr MAC: umac-64@openssh.com compression: none
debug1: kex: diffie-hellman-group-exchange-sha256 need=16 dh_need=16
debug1: kex: diffie-hellman-group-exchange-sha256 need=16 dh_need=16
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<3072<8192) sent
debug1: got SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: got SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Server host key: ssh-rsa SHA256:YwKrqd2VsjmqoEdWNtCase8ONV5h0uSbGQEWR18lHd8
debug1: Host '[gitlab.lixinkuan.com]:22022' is known and matches the RSA host key.
debug1: Found key in /root/.ssh/known_hosts:1
debug1: rekey after 4294967296 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey after 4294967296 blocks
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure. Minor code may provide more information
No Kerberos credentials available (default cache: KEYRING:persistent:0)
debug1: Unspecified GSS failure. Minor code may provide more information
No Kerberos credentials available (default cache: KEYRING:persistent:0)
debug1: Next authentication method: publickey
debug1: Trying private key: /root/.ssh/id_rsa
debug1: Offering DSA public key: /root/.ssh/id_dsa
debug1: Remote: Forced command: /opt/gitlab/embedded/service/gitlab-shell/bin/gitlab-shell key-77
debug1: Remote: Port forwarding disabled.
debug1: Remote: X11 forwarding disabled.
debug1: Remote: Agent forwarding disabled.
debug1: Remote: Pty allocation disabled.
debug1: Server accepts key: pkalg ssh-dss blen 433
debug1: Remote: Forced command: /opt/gitlab/embedded/service/gitlab-shell/bin/gitlab-shell key-77
debug1: Remote: Port forwarding disabled.
debug1: Remote: X11 forwarding disabled.
debug1: Remote: Agent forwarding disabled.
debug1: Remote: Pty allocation disabled.
debug1: Authentication succeeded (publickey).
Authenticated to gitlab.lixinkuan.com ([X.X.X.X]:22022).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: pledge: network
debug1: Sending environment.
debug1: Sending env LANG = en_US.UTF-8
Welcome to GitLab, 李心寬!
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug1: client_input_channel_req: channel 0 rtype eow@openssh.com reply 0
debug1: channel 0: free: client-session, nchannels 1
Transferred: sent 3328, received 3664 bytes, in 0.1 seconds
Bytes per second: sent 27166.7, received 29909.5
debug1: Exit status 0