Having this issue?

See the Drupal.org Git authentication troubleshooting documentation

Original issue summary

I'm having trouble pushing to the seckit repository as a maintainer.

I believe my remote is set up as per the latest guidelines at https://www.drupal.org/gitauth 

seckit$ git remote -v
origin  git@git.drupal.org:project/seckit.git (fetch)
origin  git@git.drupal.org:project/seckit.git (push)

However, I get this error when I try to push:

seckit$ git push
fatal: remote error: You do not have write permissions for the 'seckit' repository.

I was able to work around this by changing the remote url to use my username rather than 'git':

seckit$ git remote set-url origin mcdruid@git.drupal.org:project/seckit.git
seckit$ git remote -v
origin  mcdruid@git.drupal.org:project/seckit.git (fetch)
origin  mcdruid@git.drupal.org:project/seckit.git (push)

seckit$ git push
Counting objects: 6, done.
Delta compression using up to 4 threads.
Compressing objects: 100% (5/5), done.
Writing objects: 100% (6/6), 1.40 KiB | 0 bytes/s, done.
Total 6 (delta 4), reused 0 (delta 0)
remote:
remote:
remote:   Git authentication methods for Drupal.org hosted projects are changing.
remote:
remote:
remote:   Your current git remote mcdruid@git.drupal.org:project/seckit.git must change by executing the following command:
remote:
remote:     git remote set-url origin git@git.drupal.org:project/seckit.git
remote:
remote:
remote:   Password authentication is being DEPRECATED.
remote:
remote:   Review this page for additional information: https://www.drupal.org/gitauth
remote:
remote:
To mcdruid@git.drupal.org:project/seckit.git
   19843dc..24c47b9  7.x-1.x -> 7.x-1.x

Doing a direct copy-paste of those instructions to change my remote back to the way it was has taken me back to the start again:

seckit$ git remote set-url origin git@git.drupal.org:project/seckit.git
seckit$ git push
fatal: remote error: You do not have write permissions for the 'seckit' repository.

I do have an SSH key associated with my account (which I've not changed recently); I'm not using a password.

I can change the remote back and restore my push access, but I'm not sure why following the docs seems to be breaking things!

Comments

mcdruid created an issue. See original summary.

drumm’s picture

drumm
he/him
Location NY, US
commented
Status: Active » Postponed (maintainer needs more info)

Please try GIT_SSH_COMMAND="ssh -v" git push with the git@git.drupal.org:project/seckit.git

The verbose output with show what key(s) are being offered by your SSH client. We’ve seen in some cases a username change can affect this.

nikunjkotecha’s picture

nikunjkotecha
he/him
Primary language Gujarati
Location India, Gujarat, Rajkot
commented
Status: Postponed (maintainer needs more info) » Needs work

I'm facing same issue

$ GIT_SSH_COMMAND="ssh -v" git push
OpenSSH_7.6p1, LibreSSL 2.6.2
debug1: Reading configuration data /Users/user/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 51: Applying options for *
debug1: Connecting to git.drupal.org port 22.
debug1: Connection established.
debug1: identity file /Users/user/.ssh/id_rsa type 0
debug1: key_load_public: No such file or directory
debug1: identity file /Users/user/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/user/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/user/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/user/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/user/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/user/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/user/.ssh/id_ed25519-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_7.6
debug1: Remote protocol version 2.0, remote software version Twisted
debug1: no match: Twisted
debug1: Authenticating to git.drupal.org:22 as 'git'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: diffie-hellman-group14-sha1
debug1: kex: host key algorithm: ssh-rsa
debug1: kex: server->client cipher: aes128-ctr MAC: hmac-sha2-256 compression: none
debug1: kex: client->server cipher: aes128-ctr MAC: hmac-sha2-256 compression: none
debug1: sending SSH2_MSG_KEXDH_INIT
debug1: expecting SSH2_MSG_KEXDH_REPLY
debug1: Server host key: ssh-rsa SHA256:Fbjx4sCN5lCL9NvqsQ6MA1SMGZmJrYxYeSblSFRIXi4
debug1: Host 'git.drupal.org' is known and matches the RSA host key.
debug1: Found key in /Users/user/.ssh/known_hosts:15
debug1: rekey after 4294967296 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey after 4294967296 blocks
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: password,publickey
debug1: Next authentication method: publickey
debug1: Offering public key: RSA SHA256:xAiyQZSDQM9+AS/rKhRvHH0IWf7Bu0YTpHJJMv03imM <key file>
debug1: Server accepts key: pkalg ssh-rsa blen 535
debug1: Authentication succeeded (publickey).
Authenticated to git.drupal.org ([140.211.10.43]:22).
debug1: channel 0: new [client-session]
debug1: Entering interactive session.
debug1: pledge: network
debug1: Sending environment.
debug1: Sending env LC_CTYPE = UTF-8
debug1: Sending command: git-receive-pack 'project/clientside_validation.git'
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug1: channel 0: free: client-session, nchannels 1
debug1: fd 0 clearing O_NONBLOCK
debug1: fd 1 clearing O_NONBLOCK
Transferred: sent 3712, received 2168 bytes, in 1.1 seconds
Bytes per second: sent 3243.4, received 1894.3
debug1: Exit status 0
fatal: remote error: You do not have write permissions for the 'clientside_validation' repository.

Can see:
debug1: Authentication succeeded (publickey).

I was also able to push tag but not able to push commits. You can check, I pushed the tag rc4 on 15th Aug (yesterday)

mcdruid’s picture

mcdruid commented

Thanks, it looks like the problem I'm having is caused by SSH agent forwarding.

If I use ssh-add -D to remove the key that my SSH agent has loaded, the correct key is offered for authentication by git and everything works as expected.

I'll try to work out how to make git use the correct key without removing the other key from the SSH agent, and I can document any successful recipes I come up with here... but I don't think it's an issue for the d.o infrastructure team.

Thanks again for looking; I'm happy for this to be closed, but not sure if @nikunjkotecha still needs it?

nikunjkotecha’s picture

nikunjkotecha
he/him
Primary language Gujarati
Location India, Gujarat, Rajkot
commented

For me it says Authentication succeeded (publickey) but still doesn't let me push. With same ssh config I was able to push a tag and that's where I feel it is some issue outside my system.

One thing to note, I'm just a maintainer and not owner of clientside_validation module, not sure if that would make any difference though.

nikunjkotecha’s picture

nikunjkotecha
he/him
Primary language Gujarati
Location India, Gujarat, Rajkot
commented
Status: Needs work » Closed (works as designed)

@mcdruid I tried again with what you suggested and it worked. So yes, not an issue with infrastructure but something with GIT? BTW, I never faced this issue before repo urls were changed.

Closing ticket for now.

mcdruid’s picture

mcdruid commented

I've been able to fix this by adding something like the following to my ~/.ssh/config

Host *
  IdentitiesOnly yes

...per: https://serverfault.com/a/515214

That seems to prevent the SSH agent from offering the wrong key and messing things up.

Depending on which hosts you do want to use the SSH agent for, you may need to set things up differently, but IdentitiesOnly seems to be what I needed to make my set up work properly.

nikunjkotecha’s picture

nikunjkotecha
he/him
Primary language Gujarati
Location India, Gujarat, Rajkot
commented

Cool, thanks @mcdruid

geerlingguy’s picture

geerlingguy commented
Status: Closed (works as designed) » Active

I'm going to reopen this... it looks like what might be happening is whatever key is first in the list of ssh-agent keys is always accepted by git.drupal.org. But then after that key is accepted, the key doesn't have rights for the particular repository that's in use, therefore the 'you do not have write permissions' error displays.

Here's my verbose output:

debug1: Authentications that can continue: password,publickey
debug1: Next authentication method: publickey
debug1: Offering public key: RSA SHA256:REDACTED .ssh/not-my-drupal-org-key
debug1: Server accepts key: pkalg ssh-rsa blen 279
debug1: Authentication succeeded (publickey).
Authenticated to git.drupal.org ([140.211.10.43]:22).
debug1: channel 0: new [client-session]
debug1: Entering interactive session.
debug1: pledge: network
debug1: Sending environment.
debug1: Sending env LANG = en_US.UTF-8
debug1: Sending command: git-receive-pack 'project/honeypot.git'
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug1: channel 0: free: client-session, nchannels 1
debug1: fd 0 clearing O_NONBLOCK
debug1: fd 1 clearing O_NONBLOCK
Transferred: sent 2944, received 1896 bytes, in 0.6 seconds
Bytes per second: sent 5190.5, received 3342.8
debug1: Exit status 0
fatal: remote error: You do not have write permissions for the 'honeypot' repository.

The .ssh/not-my-drupal-org-key is the first key loaded in ssh-agent, but it's not a key that I have in my drupal.org account.

I have the same kind of setup with all my GitHub repos, and things work fine there, so maybe there's some issue on the git.drupal.org auth side?

After doing ssh-add -D (to remove all identities), things work fine again until next time I add a key to my SSH agent.

drumm’s picture

drumm
he/him
Location NY, US
commented

Yes, I think that’s exactly right. We accept any key for read access, and the access checking for pushes happens later.

This is in preparation for our upcoming move to GitLab, which does not support specific username SSH authentication, only git@….

Fixing this in our existing Git daemon may be possible, although I expect we might not be able to preserve the accepting any keys for read operations behavior. I’m assuming the SSH protocol won’t tell us if there are more keys are available, we have to accept or deny a key without knowing if there are more available.

We can test what will happen with GitLab, and try aligning our server to that. But we do want to get GitLab launched, and time spent on the old infrastructure will delay that.

geerlingguy’s picture

geerlingguy commented

We can test what will happen with GitLab, and try aligning our server to that. But we do want to get GitLab launched, and time spent on the old infrastructure will delay that.

Sounds good to me. Hopefully GitLab supports the right key checking as well as GitHub (I don't see any reason why it wouldn't).

chris matthews’s picture

chris matthews commented

I am a new contributor (https://www.drupal.org/project/honeypot_registration), but I am running into this same issue and cannot seem to resolve by following any of the suggestions in this thread so any help would be much appreciated.

  • I tried changing the remote url to use my username rather than 'git':
  • I tried using ssh-add -D to remove the key that my SSH agent has loaded
  • I tried adding this snippet to my .config file
chris matthews’s picture

chris matthews commented

I just checked the Git access tab in my profile and it lists my old Drupa.org username as my Git username, which I assume is part of the issue.

drumm’s picture

drumm
he/him
Location NY, US
commented
Issue summary: View changes

I documented troubleshooting this issue as a client at https://www.drupal.org/drupalorg/docs/user-accounts/git-authentication-f...

Remember, Git remotes will stop working once we are able to move on #3002827: [GitLab] Scheduling Phase 1 of our migration to GitLab.

Chris2 - Drupal.org Git usernames can not be changed. If you are using a username in your Git remote, that is the one to use. Be sure to check a Git command with GIT_SSH_COMMAND="ssh -v" to see which key is being sent. Your key on your Drupal.org profile looks like it is properly added and should be working.

robertwb’s picture

robertwb commented

I needed a slightly different per @macdruid advice in #7 -- I had to specify the identity file.

Host *.drupal.org
  IdentityFile /home/myuser/.ssh/drupal_rsa
  IdentitiesOnly yes
florianmuellerch’s picture

florianmuellerch
Primary language German
Location Aarau, Switzerland
commented

In my case (I'm also just submitting my first module) I forgot to add my SSH keys in my profile.

You can check this documentation and follow it with the new git workflow to identify your problem: https://www.drupal.org/drupalorg/docs/user-accounts/git-authentication-f...

tyleryoungblood’s picture

tyleryoungblood commented

In my case I had to visit the "Git access" section (Profile > Git Access) and check the "I agree to these terms" checkbox, along with choosing my Desired Git username.

So if you're new to drupal.org (as I am) check to make sure you have Git access fully setup before trying any of the other troubleshooting steps. :)

drumm’s picture

drumm
he/him
Location NY, US
commented
Status: Active » Closed (cannot reproduce)
Related issues: +#3002827: [GitLab] Scheduling Phase 1 of our migration to GitLab

This situation should now be resolved. GitLab only accepts keys that are associated with user accounts. So it won’t accept an unknown key for read-only access, and then deny it for pushes.

Now is a good time to simplify your SSH config, if you’d like to.