sshd AuthorizedKeysCommand throws status 127

Posted by 南楼画角 on 2019-12-12 04:03:15

Question


I'm attempting to construct an ssh service to allow push/pull to phabricator repos. I've dockerized all the services, and I'm currently running into an odd error that fails to execute the requisite auth script for ssh.

The docker image runs both php-fpm and sshd services, with the idea of uniting ssh with the requisite php scripts.

In particular, I have the following /etc/ssh/sshd_config:

AuthorizedKeysCommand /usr/libexec/phabricator-ssh-hook.sh
AuthorizedKeysCommandUser git
AllowUsers git

Port 2222
Protocol 2
PermitRootLogin no
AllowAgentForwarding no
AllowTcpForwarding no
PrintMotd no
#PrintLastLog no
PasswordAuthentication no
ChallengeResponseAuthentication no
AuthorizedKeysFile none

PidFile /var/run/sshd-phabricator.pid

(as a side note, PrintLastLog throws an error when I start sshd, which I don't think is related, but might be??)

When I manually run

su - git -c "/srv/phabricator/scripts/ssh/ssh-auth.php git"

I am able to successfully execute the script.

HOWEVER, when I examine the sshd logs when running in debug mode (/usr/sbin/sshd -d -d -d), I receive the following error:

...other stuff...
debug3: monitor_read: checking request 22
debug3: mm_answer_keyallowed entering
debug3: mm_answer_keyallowed: key_from_blob: 0x5564c1f473c0
debug3: subprocess: AuthorizedKeysCommand command "/usr/libexec/phabricator-ssh-hook.sh git" running as git
debug1: temporarily_use_uid: 1000/1000 (e=0/0)
debug1: restore_uid: 0/0
debug3: subprocess: AuthorizedKeysCommand pid 885
debug1: temporarily_use_uid: 1000/1000 (e=0/0)
debug2: key not found
AuthorizedKeysCommand /usr/libexec/phabricator-ssh-hook.sh git failed, status 127
debug1: restore_uid: 0/0
Failed publickey for git from some.ip.address.here port 58378 ssh2: ED25519 SHA256:GBGS4ag9s8msV3XsuojlIoqATF63tvXU3t5GIUN0eYY
debug3: mm_answer_keyallowed: key 0x5564c1f473c0 is not allowed
debug3: mm_request_send entering: type 23
debug2: userauth_pubkey: authenticated 0 pkalg ssh-ed25519 [preauth]
debug3: userauth_finish: failure partial=0 next methods="publickey" [preauth]
debug3: send packet: type 51 [preauth]
Connection closed by 24.5.151.66 port 58378 [preauth]
debug1: do_cleanup [preauth]
debug1: monitor_read_log: child log fd closed
debug3: mm_request_receive entering
debug1: do_cleanup
debug1: Killing privsep child 884

EDIT: It seems like /usr/libexec/phabricator-ssh-hook.sh actually does execute, but the script it executes /srv/phabricator/bin/ssh-auth , presumably fails. That file (the phabricator directory) is actually on a host volume. I wonder if that could be the cause of these status 127 issues.

I've read that status 127 is returned by /bin/sh when the given command is not found in PATH and it is not a builtin shell command (or a library cannot be found that is used by the script).

That being said, I am able to execute the script manually, so it seems unlikely that status 127 refers to this.

Note above, that I can execute as the git user as well.

The docker container version info:

Linux version 4.11.9-1-ARCH (builduser@tobias) (gcc version 7.1.1 20170621 (GCC) ) #1 SMP PREEMPT Wed Jul 5 18:23:08 CEST 2017

Any help in the right direction would be appreciated.

EDIT

docker version

Client:
 Version:      17.06.0-ce
 API version:  1.30
 Go version:   go1.8.3
 Git commit:   3dfb8343
 Built:        Wed Jul 26 18:03:33 2017
 OS/Arch:      linux/amd64

Server:
 Version:      17.06.0-ce
 API version:  1.30 (minimum version 1.12)
 Go version:   go1.8.3
 Git commit:   02c1d87617
 Built:        Wed Jul 26 20:03:39 2017
 OS/Arch:      linux/amd64
 Experimental: false

docker info

Containers: 10
 Running: 10
 Paused: 0
 Stopped: 0
Images: 147
Server Version: 17.06.0-ce
Storage Driver: overlay2
 Backing Filesystem: extfs
 Supports d_type: true
 Native Overlay Diff: true
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins: 
 Volume: local
 Network: bridge host macvlan null overlay
 Log: awslogs fluentd gcplogs gelf journald json-file logentries splunk syslog
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Init Binary: docker-init
containerd version: cfb82a876ecc11b5ca0977d1733adbe58599088a
runc version: 2d41c047c83e09a6d61d464906feb2a2f3c52aa4
init version: 949e6fa
Security Options:
 seccomp
  Profile: default
Kernel Version: 4.11.9-1-ARCH
Operating System: Arch Linux
OSType: linux
Architecture: x86_64
CPUs: 4
Total Memory: 7.631GiB
Name: <host-name>
ID: KYNR:4YHS:T4C2:URUY:GIB5:KCNF:DCNC:JLUT:DYO3:D5P7:VVOD:C2YV
Docker Root Dir: /var/lib/docker
Debug Mode (client): false
Debug Mode (server): false
Registry: https://index.docker.io/v1/
Experimental: false
Insecure Registries:
 127.0.0.0/8
Live Restore Enabled: false

Answer 1:


I was struggling with this, too. Eventually, I found that php wasn't in the PATH when executing phabricator-ssh-hook.sh. In my case, it's installed in /usr/local/bin (FreeBSD default), so I added:

export PATH="/usr/local/bin:$PATH"

before the last line of phabricator-ssh-hook.sh.




Answer 2:


I was able to get this working with the following configuration

AuthorizedKeysCommand /bin/sh /etc/ssh/auth.sh %u %f %k
AuthorizedKeysCommandUser root

When running the script directly it was throwing

May 13 17:22:11 ip-10-0-0-100 sshd[5833]: error: AuthorizedKeysCommand /etc/ssh/auth.sh user failed, status 127

After calling /bin/sh directly, it worked!
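The common thread in the question and in the first two answers is the gap between a hook that works from a login shell and the same hook run by sshd. What follows is an added example, not code from the thread, from Phabricator or from OpenSSH: a POSIX sh harness that invokes a command the way sshd's subprocess() does (a direct exec with no shell and a fresh environment whose PATH is OpenSSH's standard path), plus two constructed demos. demo_path reproduces the situation in the question and Answer 1: a hook whose body calls a program living outside the standard path exits 0 when run by hand and 127 under the harness. demo_shebang reproduces Answer 2: a hook whose interpreter line points nowhere fails at the exec itself (status 127) but runs once /bin/sh is named explicitly as the command. The path string `/usr/bin:/bin:/usr/sbin:/sbin`, the set of environment variables, the temporary files and the stand-in `php-stand-in` program are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not code from the thread, from Phabricator or from OpenSSH.
# Assumption about sshd: the AuthorizedKeysCommand is execve()d directly, with
# no shell, in an environment holding little more than PATH (set to OpenSSH's
# standard path), USER, LOGNAME and HOME; if the execve itself fails the child
# exits 127, and a script body that hits "command not found" also yields 127.
SSHD_STDPATH=/usr/bin:/bin:/usr/sbin:/sbin   # assumed _PATH_STDPATH

# run_like_sshd CMD [ARGS...]: run CMD with sshd's stripped environment and
# return its exit status. env(1) reports an exec failure on stderr and exits
# 127 for a missing file or interpreter, which matches sshd's behaviour.
# The harness does not switch uid; run it under su as the
# AuthorizedKeysCommandUser to match that as well.
run_like_sshd() {
    env -i PATH="$SSHD_STDPATH" \
        USER="$(id -un)" LOGNAME="$(id -un)" HOME="$HOME" \
        "$@"
}

# demo_path: a hook that depends on a program outside the standard path.
# Prints "<status run by hand> <status under run_like_sshd>".
demo_path() {
    tmp=$(mktemp -d)
    mkdir "$tmp/bin"
    # constructed stand-in for a php binary installed in a non-standard dir
    printf '#!/bin/sh\necho php-ok\n' > "$tmp/bin/php-stand-in"
    # constructed hook, shaped like the one in the question
    printf '#!/bin/sh\nexec php-stand-in "$@"\n' > "$tmp/hook.sh"
    chmod 755 "$tmp/bin/php-stand-in" "$tmp/hook.sh"
    direct=0; viasshd=0
    # an interactive shell with the extra directory on PATH: works
    PATH="$tmp/bin:$PATH" "$tmp/hook.sh" git >/dev/null 2>&1 || direct=$?
    # the way sshd runs it: PATH reset, program not found, sh exits 127
    run_like_sshd "$tmp/hook.sh" git >/dev/null 2>&1 || viasshd=$?
    rm -rf "$tmp"
    echo "$direct $viasshd"
}

# demo_shebang: a hook whose interpreter line names a program that does not
# exist. Prints "<status when exec'd directly> <status via explicit /bin/sh>".
demo_shebang() {
    tmp=$(mktemp -d)
    # constructed: the interpreter path is deliberately absent on this host
    printf '#!/opt/missing/bin/bash\nexit 0\n' > "$tmp/hook.sh"
    chmod 755 "$tmp/hook.sh"
    direct=0; viash=0
    # execve fails with ENOENT before any script line runs: 127
    run_like_sshd "$tmp/hook.sh" git >/dev/null 2>&1 || direct=$?
    # "AuthorizedKeysCommand /bin/sh /path/hook.sh": the shebang is ignored
    run_like_sshd /bin/sh "$tmp/hook.sh" git >/dev/null 2>&1 || viash=$?
    rm -rf "$tmp"
    echo "$direct $viash"
}
```

To test the real hook from the page in this way: `run_like_sshd /usr/libexec/phabricator-ssh-hook.sh git` run as the git user. A 127 from the harness with an env(1) error on stderr means the exec failed (missing interpreter, exec bit or path); a 127 with the shell's own "not found" message means the script started and one of the programs it calls is not on the standard path, which is the case Answer 1 fixes by extending PATH inside the hook.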




Answer 3:


I had a similar problem but not in a docker container. This comment from ephemient above solved it for me: https://secure.phabricator.com/book/phabricator/article/diffusion_hosting/ "Both the script itself and the parent directory the script resides in must be owned by root, and the script must have 755 permissions. If you don't do this, sshd will refuse to execute the hook." Did you check that?
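The requirement Answer 3 quotes is the one sshd_config(5) states for AuthorizedKeysCommand: the program must be owned by root, not writable by group or others, and given by an absolute path (755 satisfies this; the actual condition is the absence of the group and other write bits). A hook that fails this check is refused before it runs, which is a different failure from the status 127 in the question. Added example, not code from the thread, from Phabricator or from OpenSSH: a POSIX sh function that applies that rule to the program and, following what OpenSSH's safe_path() does in my reading of auth.c, to every directory above it. Assumptions: GNU or busybox `stat -L -c`; the expected owner uid and the directory at which the walk stops are parameters so the check can be exercised on files that are not root-owned (sshd itself expects uid 0 and walks up to / for a system path); the exec-bit test is an addition that sshd's ownership check does not make.

```shell
#!/bin/sh
# Added example, not code from the thread, from Phabricator or from OpenSSH.
# Approximates the ownership/mode check sshd applies to an AuthorizedKeysCommand
# before running it. Assumptions: `stat -L -c` (GNU/busybox); OWNER_UID and
# STOP_DIR are parameters for testability, sshd uses uid 0 and walks to /.

# check_hook_path PATH [OWNER_UID] [STOP_DIR]
# Prints the first violation and returns 1; prints "PATH: ok" and returns 0
# when the program and every directory above it pass.
check_hook_path() {
    p=$1
    want_uid=${2:-0}
    stop=${3:-/}
    case $p in
        /*) ;;
        *)  echo "$p: AuthorizedKeysCommand must be an absolute path"; return 1 ;;
    esac
    [ -f "$p" ] || { echo "$p: not a regular file"; return 1; }
    # not part of sshd's ownership check; a missing exec bit fails the execve
    [ -x "$p" ] || { echo "$p: not executable"; return 1; }
    cur=$p
    while :; do
        info=$(stat -L -c '%u %a' "$cur") || { echo "$cur: cannot stat"; return 1; }
        uid=${info% *}
        mode=${info#* }
        if [ "$uid" -ne "$want_uid" ]; then
            echo "$cur: owned by uid $uid, expected uid $want_uid"; return 1
        fi
        # 022 masks the group-write and other-write bits, the mask sshd tests;
        # a 1777 directory such as /tmp fails here, sticky bit or not
        if [ $(( 0$mode & 022 )) -ne 0 ]; then
            echo "$cur: writable by group or others (mode $mode)"; return 1
        fi
        if [ "$cur" = "$stop" ] || [ "$cur" = / ]; then
            break
        fi
        cur=$(dirname "$cur")
    done
    echo "$p: ok"
    return 0
}

# On a live host, with the path from the question (root-owned, walk to /):
#   check_hook_path /usr/libexec/phabricator-ssh-hook.sh
```

Because the walk covers parent directories, a hook placed on a bind-mounted host volume, as in the question's EDIT, can fail this check even when the file itself looks right: the owner uid on the volume is whatever the host assigned, and a group-writable mount point anywhere on the path is enough for sshd to refuse the hook.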



Source: https://stackoverflow.com/questions/45808340/sshd-authorizedkeyscommand-throws-status-127
