I am trying to connect to private gitlab self hosted service with ssh key.
Following is the yaml config
spring:
cloud:
config:
server:
git:
uri: git#gitlab.devops.mhealth.tech:shivhg/config_src.git
ignoreLocalSshSettings: true
host-key: shiva.kumar#mhealth.tech
strictHostKeyChecking: false
hostKey: someHostKey
hostKeyAlgorithm: ssh-rsa
privateKey: |
Also tried .ssh/config update
StrictHostKeyChecking no
PreferredAuthentications publickey
IdentitiesOnly yes
IdentityFile ~/.ssh/***private
ServerAliveInterval 60
ServerAliveCountMax 5
Receiving exact same error as #1447 tried the suggestions provided there as well.
Tried in intellij also in iterm console.
Some pointers to fixing this would be helpful, thanks in advance
Related
I am trying to set up the JHipster Registry with a local git config server.
--spring.cloud.config.server.composite.0.type=git
--spring.cloud.config.server.composite.0.uri=http://mygit/abc.git
those 2 config works but my git need permission to login.
now I got the error: Authentication is required but no CredentialsProvider has been registered
Does anyone know where can I set up the username and password?
I tried:
--spring.cloud.config.server.git.uri=
--spring.cloud.config.server.git.password=
--spring.cloud.config.server.git.username=
not working
Try
--spring.cloud.config.server.composite.0.username=
--spring.cloud.config.server.composite.0.password=
Add the following in the bootstrap-*.yml
cloud:
config:
server:
bootstrap: true
composite:
- type: git
uri: https://github.com/awnali/configuration
username: ${spring.cloud.config.server.git.username}
password: ${spring.cloud.config.server.git.password}
default-label: main
and then run the application with the following command:
java -jar target/jhipster-registry-6.8.0.jar --spring.profiles.active=prod --spring.cloud.config.server.git.username=***** --spring.cloud.config.server.git.password=*****
When trying to run Elixir (Phoenix) Web Application using PostgreSQL Database hosted 3rd party "Database-as-a-Service" (Azure Database for PostgreSQL).
We attempt to start the app with mix phoenix.server we see the following error:
[info] Running Pxblog.Endpoint with Cowboy using http://localhost:4000
[error] GenServer #PID<0.247.0> terminating
** (FunctionClauseError) no function clause matching in Postgrex.Messages.decode_fields/1
(postgrex) lib/postgrex/messages.ex:339: Postgrex.Messages.decode_fields("")
(postgrex) lib/postgrex/messages.ex:344: Postgrex.Messages.decode_fields/1
(postgrex) lib/postgrex/messages.ex:344: Postgrex.Messages.decode_fields/1
(postgrex) lib/postgrex/messages.ex:131: Postgrex.Messages.parse/3
(postgrex) lib/postgrex/protocol.ex:1842: Postgrex.Protocol.msg_decode/1
(postgrex) lib/postgrex/protocol.ex:1816: Postgrex.Protocol.msg_recv/3
(postgrex) lib/postgrex/protocol.ex:560: Postgrex.Protocol.auth_recv/3
(postgrex) lib/postgrex/protocol.ex:475: Postgrex.Protocol.handshake/2
(db_connection) lib/db_connection/connection.ex:134: DBConnection.Connection.connect/2
(connection) lib/connection.ex:622: Connection.enter_connect/5
(stdlib) proc_lib.erl:247: :proc_lib.init_p_do_apply/3
Last message: nil
State: Postgrex.Protocol
Insight: "Enforce SSL" was Enabled on the Azure DB ...
Through investigation we realised that the error is cause because the Azure PostgreSQL Service had Enforce SSL Connection set to Enabled (by default):
We think having "Enforce SSL" to Enabled is good for Security, but we aren't able to get it working with Phoenix ...
(Temporary) Solution: Disable "Enforce SSL"
So, we have (temporarily) disabled SSL for now:
But we would much prefer a "permanent" solution to this issue.
Preferred Solution: Use SSL when Connecting to PostgreSQL
If anyone can clarify (or point us to) how to connect to PostgreSQL over SSL from Phoenix/Ecto
we would be super grateful! :-)
Does the Application (Phoenix) Server need to have an SSL Certificated configured in order to connect from the App server to the DB Server...?
e.g: http://www.phoenixframework.org/docs/configuration-for-ssl ?
Microsoft has the following help guide:
https://learn.microsoft.com/en-us/azure/postgresql/concepts-ssl-connection-security
It seems to suggest we need OpenSSL on the App Server ... can anyone confirm?
Background
I was experiencing the same problem connecting Phoenix/Ecto/Postgrex to Azure Database for PostgreSQL server. Even after setting ssl: true in my Repo configuration, I was still not able to connect to the database with Postgrex even though connecting using psql "postgresql://...?sslmode=require" -U ... on the same machine succeeded. The error returned with ssl: true was:
[error] Postgrex.Protocol (#PID<0.1853.0>) failed to connect: **(DBConnection.ConnectionError) ssl connect: closed
** (DBConnection.ConnectionError) connection not available because of disconnection
(db_connection) lib/db_connection.ex:926: DBConnection.checkout/2
...
After digging through the source code, I discovered that the failing call was actually the ssl.connect/3 call from the Erlang ssl module:
# deps/postgrex/lib/postgrex/protocol.ex:535
defp ssl_connect(%{sock: {:gen_tcp, sock}, timeout: timeout} = s, status) do
case :ssl.connect(sock, status.opts[:ssl_opts] || [], timeout) do
{:ok, ssl_sock} ->
startup(%{s | sock: {:ssl, ssl_sock}}, status)
{:error, reason} ->
disconnect(s, :ssl, "connect", reason)
end
end
Doing some snooping with Wireshark, I was able to see that when connecting successfully with psql, I could see packets with TLSV1.2 as the protocol, but when postgrex was connecting with ssl: true I was seeing packets with SSL as the protocol before failing to connect.
Looking at the Ecto.Adapters.Postgres options docs, you'll see there's an ssl_opts configuration option which ends up getting passed to :ssl.connect/3 in which you can set versions to override the TLS version(s) used to connect.
Solution
I was able to connect to the database by adding the following to my Repo configuration:
ssl_opts: [
versions: [:"tlsv1.2"]
]
My full configuration ended up looking like this:
config :myapp, Myapp.Repo,
adapter: Ecto.Adapters.Postgres,
username: "myapp#dev-db",
password: "...",
database: "myapp_dev",
port: 5432,
hostname: "dev-db.postgres.database.azure.com",
pool_size: 10,
ssl: true,
ssl_opts: [
versions: [:"tlsv1.2"]
]
I'm not really sure why the TLS version needs to be set explicitly, perhaps someone with more expertise in this area can shed some light on this.
You might also need to add your ip (or ip range) to the postgres firewall in azure. It's right under the SSL settings.
Erlang is usually built with OpenSSL, and does require it for several libraries. You haven't posted the error you get with ssl: true, but if your erlang was built without OpenSSL it might be the cause. From the build/install guide:
OpenSSL -- The opensource toolkit for Secure Socket Layer and
Transport Layer Security. Required for building the application
crypto. Further, ssl and ssh require a working crypto application and
will also be skipped if OpenSSL is missing. The public_key application
is available without crypto, but the functionality will be very
limited.
What output do you get if you run :ssl.versions() in an iex shell?
Here is my Database init() connection code using ssl and certificates. Check your ssl_opts settings, maybe.
def init() do
case Postgrex.start_link(
hostname: App.Endpoint.config(:dbhost),
username: App.Endpoint.config(:username),
database: App.Endpoint.config(:dbname),
port: App.Endpoint.config(:dbport),
ssl: true,
ssl_opts: [
keyfile: "priv/cert.key",
certfile: "priv/cert.crt"
]) do
{:ok, postgrex} ->
postgrex
_ ->
:error
end
end
To add to the above answers, here is my ssl_opts block when using self-signed certificates and auth-options set to clientcert=verify_full in your pg_hba.conf. My connection is using TLSv1.3.
ssl_opts: [
verify: :verify_peer,
versions: [:"tlsv1.3"],
ciphers: :ssl.cipher_suites(:all, {3,4}),
cacertfile: Path.expand("priv/certs/ca-cert.pem"),
certfile: Path.expand("priv/certs/client-cert.pem"),
keyfile: Path.expand("priv/certs/client-key.pem")
],
I am trying to configure mongodb for ssl. I have the two certs within a directory on Ubuntu, but when I try to restart the service with the mongodb.conf set up correctly, the service will not start. If I comment out the lines in the mongodb.conf file that I added, I can then start mongodb. I think the syntax is wrong, and not the certs them self.
#SSL options
sslMode = requireSSL
#Enable SSL on normal ports
#sslOnNormalPorts = true
# SSL Key file and password
sslPEMKeyFile = /path/to/cert
sslPEMKeyPassword = password
sslCAFile = /path/to/cert
I get this error when I try to start the server with these lines not commented out
stop: Unknown instance:
mongodb start/running, process 7725
If i try to get into mongo shell i get this(assuming this is because I could not restart the service properly)
Thu Jul 21 14:32:07.660 Error: couldn't connect to server 127.0.0.1:27017 at src/mongo/shell/mongo.js:145
exception: connect failed
The mongodb.conf file is a YAML file so you need to format it as such. Meaning you can't use tabs. Also it does look like the syntax you're using isn't correct.
Try this:
net:
#SSL options
ssl:
mode: requireSSL
# SSL Key file and password
PEMKeyFile: /path/to/cert
PEMKeyPassword: password
CAFile: /path/to/cert
Also, I know it's commented out but just wanted to mention, the sslOnNormal ports option is deprecated. See here: https://docs.mongodb.com/manual/reference/configuration-options/#net.ssl.sslOnNormalPorts
I'm trying to run a container that will expose a golang service from a package that I have on a private GitHub repo.
Since I am working with GCE, my starter image is google/debian:wheezy.
After installing all the required dependancies and tools, I am running
RUN go get github.com/<my_org>/<my_package>
where the package is a private repo.
I have added my GitHub SSH keys to allow the cloning from the private repo to the docker file:
ADD priv/id_rsa /root/.ssh/id_rsa
ADD priv/id_rsa.pub /root/.ssh/id_rsa.pub
Still, I am getting an error during the go get process when go tried to clone the repo:
# cd .; git clone https://github.com/<my_org>/<my_package> /gopath/src/github.com/<my_org>/<my_package>
Cloning into '/gopath/src/github.com/<my_org>/<my_package>'...
fatal: could not read Username for 'https://github.com': No such device or address
package github.com/<my_org>/<my_package>: exit status 128
To debug the problem, from the Dockerfile, I am running:
RUN ssh-keyscan -t rsa github.com 2>&1 >> /root/.ssh/known_hosts
And this tells me there are some problems. It looks like validating the private key is OK but something weird is going on the the public key. This is the complete ssh-keyscan result:
OpenSSH_6.0p1 Debian-4+deb7u2, OpenSSL 1.0.1e 11 Feb 2013
Pseudo-terminal will not be allocated because stdin is not a terminal.
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to github.com [192.30.252.129] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: identity file /root/.ssh/id_rsa type 1
debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-2048
debug1: Checking blacklist file /etc/ssh/blacklist.RSA-2048
debug1: identity file /root/.ssh/id_rsa-cert type -1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: identity file /root/.ssh/id_dsa-cert type -1
debug1: identity file /root/.ssh/id_ecdsa type -1
debug1: identity file /root/.ssh/id_ecdsa-cert type -1
debug1: Remote protocol version 2.0, remote software version libssh-0.6.0
debug1: no match: libssh-0.6.0
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.0p1 Debian-4+deb7u2
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-sha1 none
debug1: kex: client->server aes128-ctr hmac-sha1 none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: RSA 16:27:ac:a5:76:28:2d:36:63:1b:56:4d:eb:df:a6:48
debug1: Host 'github.com' is known and matches the RSA host key.
debug1: Found key in /root/.ssh/known_hosts:1
Warning: Permanently added the RSA host key for IP address '192.30.252.129' to the list of known hosts.
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /root/.ssh/id_rsa
debug1: Server accepts key: pkalg ssh-rsa blen 279
debug1: key_parse_private_pem: PEM_read_PrivateKey failed
debug1: read PEM private key done: type <unknown>
debug1: read_passphrase: can't open /dev/tty: No such device or address
debug1: Trying private key: /root/.ssh/id_dsa
debug1: Trying private key: /root/.ssh/id_ecdsa
debug1: No more authentication methods to try.
Permission denied (publickey).
I have tried chmod 600 and chmod 700 on the priv/public keys, this did not help.
Any clues? Has anyone succeeding in running go get that fetches from private repos on debian from docker?
I figured this out after a bit of hacking around. Not an ideal solution as it involves installing SSH, plus building a private key into the container. This example is based on the official Docker golang image (Debian Wheezy):
The main difference to your example is that you need a git config command to force ssh instead of the default https.
FROM golang
RUN apt-get update && apt-get install -y ca-certificates git-core ssh
ADD keys/my_key_rsa /root/.ssh/id_rsa
RUN chmod 700 /root/.ssh/id_rsa
RUN echo "Host github.com\n\tStrictHostKeyChecking no\n" >> /root/.ssh/config
RUN git config --global url.ssh://git#github.com/.insteadOf https://github.com/
ADD . /go/src/github.com/myaccount/myprivaterepo
RUN go get github.com/myaccount/myprivaterepo
RUN go install github.com/myaccount/myprivaterepo
go get is trying to use https, completely ignoring ssh.
You will have to setup ~/.netrc:
ADD priv/.netrc /root/.netrc
Where netrc looks like:
machine github.com login github-username password github-password
ref:
https://stackoverflow.com/a/13724351/145587
In the newest version of golang (v1.11) there are now modules.
To quote the source:
A module is a collection of related Go packages that are versioned together as a single unit. Most often, a single version-control repository corresponds exactly to a single module.
Using the latest version of golang will allow you to have dependencies that are in private repositories. Essentially by running the $ go mod vendor command will create a vendor directory locally for all external dependencies. Now making sure your docker image has Golang v1.11, you will update your Dockerfile with the following:
WORKDIR /<your repostiory>
COPY . ./
Elaborating on OneOfOne's ~/.netrc answer, this is what I am doing with Jenkins on linux:
FROM golang:1.6
ARG GITHUB_USER=$GITHUB_USER
ARG GITHUB_PASS=$GITHUB_PASS
# Copy local package files to the container's workspace.
ADD . /go/src/github.com/my-org/my-project
WORKDIR /go/src/github.com/my-org/my-project/
# Build application inside the container.
RUN echo "machine github.com\n\tlogin $GITHUB_USER\n\tpassword $GITHUB_PASS" >> ~/.netrc && \
go get github.com/tools/godep && \
go get github.com/onsi/ginkgo/ginkgo && \
godep restore && \
ginkgo -r --randomizeAllSpecs --randomizeSuites --failOnPending && \
godep go install && \
rm -f ~/.netrc
ENTRYPOINT /go/bin/my-project
EXPOSE 8080
The docker build command is:
docker build \
--build-arg GITHUB_USER=xxxxx \
--build-arg GITHUB_PASS=yyyyy \
-t my-project .
The two ARG directives map --build-args so docker can use them inside the Dockerfile.
The first and last lines of RUN create and remove the ~/.netrc.
In Jenkins, I use the same creds from git pull in the build command.
In this strategy, the password is not echoed during the docker build process and not saved on any layer of your docker image. Also note that the gingko test results are printed to console during the build.
i had this problem in Github and i fix it using personal access token:
first of all please use ARG for your Dockerfile vars(inputs):
after that configure your git with github personal access token
GITHUB_PAT -> github personal access token
FROM golang:1.17 as builder
ARG GITHUB_PAT
WORKDIR /your-app
COPY go.mod .
COPY go.sum .
RUN git config --global url."https://${GITHUB_PAT}:x-oauth-basic#github.com/".insteadOf "https://github.com/"
RUN go mod download
COPY . .
RUN go build -ldflags '-w -s' -o ./out ./main.go
FROM golang:1.17
WORKDIR /app
COPY --from=builder /your-app/out ./
WORKDIR /app/
ENTRYPOINT [ "./out" ]
Whenever I try to push, GitHub hangs for a while (~a minute) before outputting:
ssh: connect to host gmail.com port 22: Bad file number
fatal: The remote end hung up unexpectedly
I checked my SSH keys a few times. I was able to ssh github.com and when I do it asks me for my passphrase and then says, "Hi Aro! You've successfully authenticated, but GitHub does not provide shell access.
Connection to github.com closed"
First of all, why is it trying to gmail.com when I am using git push? Why is it timing out if the ssh keys seem to be working? I don't see any firewall alerts. I don't think my router is blocking anything. I'm on Windows 7.
What do you think is the problem?
.git/config
[core]
repositoryformatversion = 0
filemode = false
bare = false
logallrefupdates = true
symlinks = false
ignorecase = true
hideDotFiles = dotGitOnly
[remote "origin"]
url = my#email.com:MyGithubUsername/Hello.git
fetch = +refs/heads/*:refs/remotes/origin/*
Under [remote "origin"], the url value should be changed:
[remote "origin"]
url = git#github.com:MyGithubUsername/Hello.git
The authentication is purely done on the basis of keys, not the username or email address.