Unable to push initial branch - permission denied (publickey)
I'm trying to push my first branch to launchpad, but I'm getting an error.
$ bzr push lp:~jaraco/beautifulsoup/easy-installable
Permission denied (publickey)
It appears I'm able to authenticate - if I run "ssh -v bazaar.
So why am I unable to push to the branch which I created? Does the owner of the beautifulsoup project have to grant me access to push my own branch of that project?
Question information
- Language:
- English Edit question
- Status:
- Solved
- Assignee:
- No assignee Edit question
- Solved by:
- Robert Collins
- Solved:
- Last query:
- Last reply:
Related FAQ:
None Link to a FAQ
Revision history for this message
|
#1 |
Have you done 'bzr launchpad-login' yet? You might need to do `bzr launchpad-login jaraco`
Revision history for this message
|
#2 |
Yes. I had run the login command. It returns my username. Yet still I'm given permission denied.
jaraco@
jaraco
jaraco@
Permission denied (publickey).
bzr: ERROR: Connection closed: Unexpected end of message. Please check connectivity and permissions, and report a bug if problems persist.
Revision history for this message
|
#3 |
Do you have the SSH key that Launchpad knows about on the machine that you are pushing from?
Have you overridden the SSH key for launchpad.net in the ~/.ssh/config?
Revision history for this message
|
#4 |
The SSH key I'm using is a DSA key (it says "ssh-dss" at the beginning of the public key). It's either 1024 bit or 2048 bit. This is a key that I also use on a number of other Linux, BSD, and Windows servers for public-key authentication. I've uploaded the public key into launchpad under the jaraco account.
Also, when I use "ssh -v bazaar.
I have no special configuration for my local ~/.ssh/config for launchpad. In fact, I have no config file at all. Is it possible that OpenSSH knows where to find the identity file (~/.ssh/identity) but bazaar does not?
Revision history for this message
|
#5 |
Indeed, that appears to be the case. I copied ~/.ssh/identity to ~/.ssh/id_dsa, and the push worked.
Is it a bazaar limitation or a launchpad/bazaar limitation that it doesn't recognize ~/.ssh/identity as a private key (while other popular SSH clients do)?
Revision history for this message
|
#6 |
bzr invokes ssh, so I'm pretty sure its not a bazaar issue at all. You could strace bzr and see what precise ssh command line its running.
Revision history for this message
|
#7 |
bzr invokes ssh, so I'm pretty sure its not a bazaar issue at all. You could strace bzr and see what precise ssh command line its running.
Revision history for this message
|
#8 |
I did an strace, and it appears the cause may be that it's not in fact invoking ssh, but is using ssh.py. I don't know if that's a different implementation, but I wouldn't be surprised if it has a somewhat different resolution of identity files.
Here are the lines from the strace
jaraco@
stat("/
open("/
open("/
open("/
open("/
stat("/
open("/
open("/
open("/
open("/
write(3, "1.498 ssh implementation is Ope"..., 37) = 37
Do you agree with my assessment (that openssh is not being used, but ssh.py is)? Unfortunately, this doesn't indicate much more to be about how the SSH connection is being established or which key was being attempted.
Revision history for this message
|
#9 |
Looks like there is something in .bzr.log - can you see what it says there ?
Revision history for this message
|
#10 |
It looks like a generic error message to me:
Sun 2010-04-11 19:15:07 -0400
0.132 bzr arguments: [u'push', u'lp:~jaraco/beautifulsoup/easy-installablex']
0.163 looking for plugins in /home/jaraco/
0.163 looking for plugins in /usr/lib/
0.335 encoding stdout as sys.stdout encoding 'UTF-8'
0.421 opening working tree '/home/
1.498 ssh implementation is OpenSSH
2.397 Traceback (most recent call last):
File "/usr/lib/
return the_callable(*args, **kwargs)
File "/usr/lib/
ret = run(*run_argv)
File "/usr/lib/
return self.run(
File "/usr/lib/
use_
File "/usr/lib/
dir_to = bzrdir.
File "/usr/lib/
return format.
File "/usr/lib/
return self._open(
File "/usr/lib/
return remote.
File "/usr/lib/
response = self._call(
File "/usr/lib/
return self._client.
File "/usr/lib/
result, protocol = self.call_
File "/usr/lib/
method, args, expect_
File "/usr/lib/
expect_
File "/usr/lib/
self.
File "/usr/lib/
self.
File "/usr/lib/
"Unexpected end of message. "
ConnectionReset: Connection closed: Unexpected end of message. Please check connectivity and permissions, and report a bug if problems persist.
2.398 return code 3
Revision history for this message
|
#11 |
So, it thinks its using openssh - that log message is output by our ssh.py (which is the code that brokers different ssh implementations and tunnelling to bzr across ssh).
In your strace you should have an 'exec' call somewhere - can you paste that ?
Revision history for this message
|
#12 |
I didn't find it in the strace.
jaraco@
execve(
Should I have supplied more parameters to the strace? I just ran it using only -o to save the output.
Revision history for this message
|
#14 |
I ran strace with -f (Thanks!).
I think I found the relevant lines
jaraco@
3868 execve(
3869 execve(
This led me to the fundamental cause of the trouble.
The call by bazaar to ssh forces the protocol to protocol 2, which apparently then excludes ~/.ssh/identity as a default key file (but still includes ~/.ssh/id_dsa, which is why it works when the private key is copied to that name). In fact, I can now reproduce the bazaar behavior with this simple test:
$ ssh -2 bazaar.
Permission denied (publickey).
So it appears that I should probably just use id_dsa as my private key file name.
It could be proposed that bzr consider not forcing protocol 2 at the client and instead allow the server administrators to force a protocol version as appropriate. This would provide more consistent behavior with the default SSH behavior. However, I would be more of the opinion that if id_dsa is the canonical name for the private key for SSH-2, and if users want to name their SSH-2 keys with the SSH-1 canonical name, 'identity', then it's reasonable for them to expect the key to be required to be referenced explicitly in the .ssh/config file (or otherwise specify the key).
Thanks for all the help.
Revision history for this message
|
#15 |
Thanks Robert Collins, that solved my question.
Revision history for this message
|
#16 |
On Mon, 12 Apr 2010 10:53:55 you wrote:
> Question #107036 on Launchpad Bazaar Integration changed:
> https:/
>
> Jason R. Coombs gave more information on the question:
> Indeed, that appears to be the case. I copied ~/.ssh/identity to
> ~/.ssh/id_dsa, and the push worked.
>
> Is it a bazaar limitation or a launchpad/bazaar limitation that it
> doesn't recognize ~/.ssh/identity as a private key (while other popular
> SSH clients do)?
It is probably the way that bazaar is invoking ssh.
Revision history for this message
|
#17 |
Yes, bzrlib/
There is no comment as to why.
Protocol 1 is pretty old and deprecated now, and has some security
problems. Protocol 2 came out in May 2000. So, generally speaking,
relying on a key that only works with protocol 1 is not a great idea.
However, this is a very confusing way to fail.
The openssh manpage says it defaults to protocol 2 (at least in lucid)
so I'm not sure what we would hope to gain by forcing it on the
command line.
--
Martin <http://
Revision history for this message
|
#18 |
To be clear, my key is a protocol 2 key - it was just named with the default
name for a protocol 1 key. When the connection was established, it was
established using protocol 2.