Confusion over which interface sets ssh keys for use with Gerrit (hint: not IDM)
Closed, Invalid · Public · BUG REPORT

Description

Steps to replicate the issue (include links if applicable):

What happens?:

douginamug@gerrit.wikimedia.org: Permission denied (publickey).

What should have happened instead?:

Hi douginamug, you have successfully connected over SSH.

Other information (browser name/version, screenshots, etc.):

I have working SSH authentication to other gitforges with my standard public key. I also tried with a new RSA key. I read through https://www.mediawiki.org/wiki/Gerrit/Troubleshooting and was not able to solve the issue. @Pintoch who has a working set-up also created a new user & key and experienced the same issue.

Event Timeline

Restricted Application added a subscriber: Aklapper.

I have replicated this issue by creating a new Wikitech account "PintochTestDeleteMe", associated it with a fresh SSH key as instructed in the tutorial and attempted the login with that test account, unsuccessfully.
I am still able to log in via my normal account ("Pintoch").

I wonder if this problem could be related to the recent downtime of Gerrit?

hrm.

Here's what I see in the ssh logs on gerrit:

[2025-05-01T09:39:20.636Z] c5c5d6b3 [SSHD] douginamug - AUTH FAILURE FROM <IP> - - - user-not-found - - - -

But I see the user in ldap.

Confirming Gerrit can connect to ldap

thcipriani@gerrit1003:/srv$ nc -vz ldap-ro.eqiad.wikimedia.org -w 1 636
Connection to ldap-ro.eqiad.wikimedia.org (208.80.154.252) 636 port [tcp/ldaps] succeeded!
thcipriani renamed this task from Gerrit SSH authentication fails with new Wikimedia developer account to Gerrit authentication fails with new Wikimedia developer account. · May 1 2025, 3:40 PM

Not just ssh auth. Another hint, the last new account to successfully authenticate was at Thu May 1 12:08:22 2025 +0000

thcipriani renamed this task from Gerrit authentication fails with new Wikimedia developer account to Gerrit SSH authentication fails with new Wikimedia developer account. · May 1 2025, 3:59 PM

Nevermind. I thought it was not just ssh, then remembered creating an account on wikitech was not the way to get a new developer account anymore :)

I created thciprianit393092 developer account and I was able to authenticate via web and ssh.

@Douginamug want to try again? I'm unclear why it would work for me just now and not find you. Maybe there was a hiccup in ldap connection.

@Douginamug I note that I don't see your account as ever having logged in to the web UI. Are you able to log in to https://gerrit.wikimedia.org ? I'm unsure if gerrit will even attempt to create your account if you only log in via ssh. Log in through web ui, if that works, try ssh.

Douginamug closed this task as Resolved. · May 1 2025, 7:03 PM
Douginamug claimed this task.

@thcipriani thank you for looking into this. However it seems I am at fault here and that there is no bug 🙈 I had not logged into gerrit, and had rather added my SSH key to IDM. Logging into gerrit and adding my key worked as documented. Sorry for any inconvenience.

Glad to hear you got it resolved! Thanks for the note.

bd808 renamed this task from Gerrit SSH authentication fails with new Wikimedia developer account to Confusion over which interface sets ssh keys for use with Gerrit (hint: not IDM). · May 2 2025, 6:46 AM
bd808 changed the task status from Resolved to Invalid.
bd808 added a subscriber: Pintoch.

I added a note to the help page to clarify that the Gerrit and IDM SSH keys are separate, for anyone who runs into this in the future: https://www.mediawiki.org/w/index.php?title=Gerrit/Tutorial&diff=prev&oldid=7601957
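
Added example, not part of the original task and not Wikimedia's or Gerrit's own tooling: a small triage script for the kind of sshd_log line quoted above. It picks out users whose SSH failures are all user-not-found, the pattern this task turned out to be. The field layout is inferred from that single quoted line; the sample lines, peer addresses, the user "exampleuser" and the reason "placeholder-other-reason" are constructed.

```python
import re
from collections import Counter, defaultdict

# Assumption: field layout inferred from the one sshd_log line quoted in the task.
AUTH_FAILURE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\s+(?P<session>\S+)\s+\[SSHD\]\s+(?P<user>\S+)\s+-\s+"
    r"AUTH FAILURE FROM\s+(?P<peer>\S+)(?P<rest>.*)$"
)

def parse_auth_failure(line):
    """Return a dict for an AUTH FAILURE line, or None for any other line."""
    m = AUTH_FAILURE.match(line.strip())
    if m is None:
        return None
    # Remaining columns are space-separated; "-" marks an empty column.
    filled = [f for f in m.group("rest").split() if f != "-"]
    return {"ts": m.group("ts"), "user": m.group("user"),
            "peer": m.group("peer"), "reason": filled[0] if filled else "unknown"}

def triage(lines):
    """Map each failing username to a Counter of failure reasons."""
    per_user = defaultdict(Counter)
    for line in lines:
        rec = parse_auth_failure(line)
        if rec:
            per_user[rec["user"]][rec["reason"]] += 1
    return dict(per_user)

def never_provisioned(per_user):
    """Users whose every failure is user-not-found: check that they have logged
    in to the Gerrit web UI and added their key in Gerrit itself, not in IDM."""
    return sorted(u for u, c in per_user.items() if set(c) == {"user-not-found"})

# Constructed sample input (documentation address ranges, made-up session ids).
SAMPLE = [
    "[2025-05-01T09:39:20.636Z] c5c5d6b3 [SSHD] douginamug - AUTH FAILURE FROM 192.0.2.10 - - - user-not-found - - - -",
    "[2025-05-01T09:41:02.114Z] 7a1e90f2 [SSHD] douginamug - AUTH FAILURE FROM 192.0.2.10 - - - user-not-found - - - -",
    "[2025-05-01T09:45:13.000Z] 1b2c3d4e [SSHD] exampleuser - AUTH FAILURE FROM 198.51.100.7 - - - placeholder-other-reason - - - -",
    "[2025-05-01T09:46:00.000Z] 9f8e7d6c [SSHD] exampleuser - LOGIN FROM 198.51.100.7",
]

if __name__ == "__main__":
    summary = triage(SAMPLE)
    for user in never_provisioned(summary):
        print(f"{user}: {summary[user]['user-not-found']} x user-not-found; "
              "ask whether the key was added in Gerrit after a web login")
```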