Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Unable to init my "admin" account #497

Open
3sky opened this issue Mar 20, 2024 · 13 comments
Open

Unable to init my "admin" account #497

3sky opened this issue Mar 20, 2024 · 13 comments

Comments

@3sky
Copy link

3sky commented Mar 20, 2024

Describe the bug
I just unable to use ssh-keypair for my installation.

To Reproduce
Steps to reproduce the behavior:

  1. I'm using docker-compose on my NAS.
---
version: "3.1"
services:
  soft-serve:
     environment:
        - SOFT_SERVE_INITIAL_ADMIN_KEYS='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJxYZEBNRLXmuign6ZgNbmaSK7cnQAgFpx8cCscoqseA local'
    image: charmcli/soft-serve:v0.7.4
    container_name: soft-serve
    volumes:
      - /path/to/data:/soft-serve
    ports:
      - 23231:23231
      - 23232:23232
      - 23233:23233
      - 9418:9418
    restart: unless-stopped
  1. Adding SOFT_SERVE_INITIAL_ADMIN_KEYS as env as above, or I'm trying to use in config.yaml:
initial_admin_keys:
  - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJxYZEBNRLXmuign6ZgNbmaSK7cnQAgFpx8cCscoqseA local"
  1. Then after container restart i'm trying to ssh my instance:
$ ssh 192.168.0.33 -p 23231 -i ~/.ssh/id_ed25519_local info
Error: user not found
  1. With regular ssh:
$ ssh 192.168.0.33 -p 23231 -i ~/.ssh/id_ed25519_local
Permission denied (publickey,keyboard-interactive).

Expected behavior

Ability to operate with my instance as admin user, not sure if documentation if out-dated, or I missing something important here.

Environment (please complete the following information):

  • OS: Linux(Synology NAS)
  • Version v0.7.4
@srngh
Copy link

srngh commented Mar 24, 2024

Have you tried adding the admin pub key without quotation marks to config.yaml ?
That's what eventually worked for me.

Like so:

initial_admin_keys:
  - ssh-ed25519 AAAAC....

@3sky
Copy link
Author

3sky commented Mar 25, 2024

initial_admin_keys:
  - ssh-ed25519 AAAAC....

Still the same,

$ ssh 192.168.0.33 -p 23231 -i ~/.ssh/id_ed25519_local info
Error: user not found

Can you please share your config.yml?

@srngh
Copy link

srngh commented Mar 25, 2024

I left pretty much everything default:

# Soft Serve Server configurations

# The name of the server.
# This is the name that will be displayed in the UI.
name: "Soft Serve"

# Logging configuration.
log:
  # Log format to use. Valid values are "json", "logfmt", and "text".
  format: "text"
  # Time format for the log "timestamp" field.
  # Should be described in Golang's time format.
  time_format: "2006-01-02 15:04:05"
  # Path to the log file. Leave empty to write to stderr.
  #path: ""

# The SSH server configuration.
ssh:
  # The address on which the SSH server will listen.
  listen_addr: ":23231"

  # The public URL of the SSH server.
  # This is the address that will be used to clone repositories.
  public_url: "ssh://localhost:23231"

  # The path to the SSH server's private key.
  key_path: ssh/soft_serve_host_ed25519

  # The path to the server's client private key. This key will be used to
  # authenticate the server to make git requests to ssh remotes.
  client_key_path: ssh/soft_serve_client_ed25519

  # The maximum number of seconds a connection can take.
  # A value of 0 means no timeout.
  max_timeout: 0

  # The number of seconds a connection can be idle before it is closed.
  # A value of 0 means no timeout.
  idle_timeout: 600

# The Git daemon configuration.
git:
  # The address on which the Git daemon will listen.
  listen_addr: ":9418"

  # The public URL of the Git daemon server.
  # This is the address that will be used to clone repositories.
  public_url: "git://localhost"

  # The maximum number of seconds a connection can take.
  # A value of 0 means no timeout.
  max_timeout: 0

  # The number of seconds a connection can be idle before it is closed.
  idle_timeout: 3

  # The maximum number of concurrent connections.
  max_connections: 32

# The HTTP server configuration.
http:
  # The address on which the HTTP server will listen.
  listen_addr: ":23232"

  # The path to the TLS private key.
  tls_key_path:

  # The path to the TLS certificate.
  tls_cert_path:

  # The public URL of the HTTP server.
  # This is the address that will be used to clone repositories.
  # Make sure to use https:// if you are using TLS.
  public_url: "http://localhost:23232"

# The stats server configuration.
stats:
  # The address on which the stats server will listen.
  listen_addr: "localhost:23233"

# The database configuration.
db:
  # The database driver to use.
  # Valid values are "sqlite" and "postgres".
  driver: "sqlite"
  # The database data source name.
  # This is driver specific and can be a file path or connection string.
  # Make sure foreign key support is enabled when using SQLite.
  data_source: "soft-serve.db?_pragma=busy_timeout(5000)&_pragma=foreign_keys(1)"
  # data_source: "postgres://postgres@localhost:5432/soft_serve?sslmode=disable"

# Git LFS configuration.
lfs:
  # Enable Git LFS.
  enabled: true
  # Enable Git SSH transfer.
  ssh_enabled: false

# Cron job configuration
jobs:
  mirror_pull: "@every 10m"

# Additional admin keys.
initial_admin_keys:
  - ssh-ed25519 AAAAC3N...

My ssh config, for testing the connection

❯ cat .ssh/config
Host soft
        HostName localhost
        Port 23231
        IdentityFile ~/.ssh/id_ed25519
❯ ssh soft info
Username: admin
Admin: true
Public keys:
  ssh-ed25519 AAAAC3N...

I didn't set the SOFT_SERVE_INITIAL_ADMIN_KEYS environment variable, perhaps try unsetting it.
Also, in my config.yaml I didn't set the comment after my public key ("local" in your config).

Hope this helps.

@aymanbagabas
Copy link
Member

Could you try a new fresh install? Backup the data directory and run Soft Serve with your key in the SOFT_SERVE_INITIAL_ADMIN_KEYS environment variable

SOFT_SERVE_INITIAL_ADMIN_KEYS=ssh-ed25519 AAAAC3N... soft serve

@3sky
Copy link
Author

3sky commented Mar 27, 2024

Thanks @srngh and @aymanbagabas. Maybe there is some issue related with fact, that I'm using remote machine. I will try to install it locally.

@betapictoris
Copy link

Just wanted to chip in and say that I was having the same issue, but it seems to be that I initially started the server without providing admin keys. A fresh install solved the issue.

@Quba1
Copy link

Quba1 commented Apr 14, 2024

Just wanted to chip in and say that I was having the same issue, but it seems to be that I initially started the server without providing admin keys. A fresh install solved the issue.

That was the issue for me as well. Fresh install with specifying admin keys before first start solved the problem.

@oznogon
Copy link

oznogon commented May 8, 2024

Any idea why this is? What does the first run with the env variable do that manually setting initial_admin_keys doesn't?

For installs via package managers (in my case yum/dnf), does that mean adding the key to SOFT_SERVE_INITIAL_ADMIN_KEYS in /etc/soft-serve.conf prior to first starting the server via systemd? (If so, this doesn't work for me on Fedora 40.)

EDIT: to expand,

Method Expectation Got admin? Met expectation?
Clean install of the Fedora/RH package via dnf, systemctl start soft-serve, no changes from defaults in /etc/soft-serve.conf or /var/lib/soft-serve/config.yaml no pubkeys set so no admin access no YES
Clean install of the Fedora/RH package via dnf, adding my pubkey to initial_public_keys in /var/lib/soft-serve/config.yaml, then systemctl start soft-serve pubkey set, but it's unclear what initial_public_keys actually does no ❓ unclear
Clean install of the Fedora/RH package via dnf, adding my pubkey to SOFT_SERVE_INITIAL_ADMIN_KEYS in /etc/soft-serve.conf pubkey set as environment variable before first launch, so assuming /etc/soft-serve.conf does what it says it does in its comments: admin access no NO
Clean install of the Fedora/RH package via dnf, running SOFT_SERVE_INITIAL_ADMIN_KEYS=ssh-ed25519... soft serve without manually changing either config file pubkey set as environment variable before first launch, so admin access YES YES
Clean install of the Fedora/RH package via dnf, running SOFT_SERVE_INITIAL_ADMIN_KEYS=ssh-ed25519... systemd start soft-serve without manually changing either config file passing env to the systemctl command is an impenetrable concept to me so either it works, doesn't, or explodes and kills me YES ❓ unclear
Previously installed package; after starting the server with ...INITIAL_ADMIN_KEYS provided on its first launch, I then stop it, start it again, and then try connecting again with the same client and pubkey since it worked with admin access on the first launch, I expect admin access no NO
Previously installed package; after starting the server WITHOUT providing ...INITIAL_ADMIN_KEYS on its first launch, I then stop it, start it again as as SOFT_SERVE_INITIAL_ADMIN_KEYS=ssh-ed25519... soft serve, and then try connecting again with the same client and pubkey since the pubkey wasn't provided on first launch, I don't expect admin access YES NO
Previously installed package; after starting the server WITHOUT providing ...INITIAL_ADMIN_KEYS on its first launch, I then launched it again as SOFT_SERVE_INITIAL_ADMIN_KEYS=ssh-ed25519... systemctl start soft-serve, and then try connecting again with the same client and pubkey consumed by black hole YES NO

Workaround: adding export SOFT_SERVE_INITIAL_ADMIN_KEYS=ssh-ed25519... to my shell config "works" in the sense that I can then get admin access when running either as soft serve or systemctl start soft-serve , but I don't know why and it sounds like by design this shouldn't be necessary.

Notably, when launching the server via systemd start soft-serve and via soft serve, ssh client connections report a different host key from the Soft Serve server. No idea why.

@oznogon
Copy link

oznogon commented May 8, 2024

Removed the package, /var/lib/soft-serve, and the soft-serve user, removed the exported envvars, then installed Soft Serve with go install instead of the package manager. Everything now works as expected:

  • Ran soft serve for the first time with SOFT_SERVE_INITIAL_ADMIN_KEYS=ssh-ed25519...
  • Connected via ssh with that pubkey, got admin
  • Quit
  • Ran soft serve without the environment variable
  • Connected via ssh with the same pubkey, got admin

🤷 Not sure what's going on with the packaged version.

@Elerin
Copy link

Elerin commented Aug 24, 2024

I think I found the issue (or an issue), at least as far as running it as a systemd unit goes:
The default packaged /etc/soft-serve.conf lists:
SOFT_SERVE_INITIAL_ADMIN_KEY

instead of the expected:
SOFT_SERVE_INITIAL_ADMIN_KEYS

Most people just uncomment the existing line in /etc/soft-serve.conf and append their pubkey. I know I did.

After making the change and resetting everything soft-serve works as expected.

@Piker98988
Copy link

I can't seem to figure out what's causing me not to be able to login. After this issue is closed, I'll sure open a pull request with clarification on the ssh aspect, because it's not that i'm stupid, it's that I think it's unclear how things should be done to initialize your server...

@robberwick
Copy link

I experienced the same "user not found" issue, and I think this may be related to the behaviour of the ssh client (specifically the agent) rather than soft serve itself, although it may be that there is a code change that can be applied to work around this issue.

Having examined the contents of the public_keys table in the soft_serve.db database, and confirmed that the expected public key was present, i re-ran the ssh <host> -p <port> -i <identity_file> info command with the -vvv option to show verbose output and noticed that despite specifying an identity file, the ssh client was sending multiple public keys:

debug1: Will attempt key: <key_1> agent
debug1: Will attempt key: <key_2> agent
debug1: Will attempt key: <key_3> explicit

Note that:

  • I have multiple public keys configured
  • the key i was using to authenticated is key_3 - hence the "explicit" flag in that log line

Armed with this log output, and this information from the ssh_config man page i was able to issue the following command and successfully authenticate as the admin user:

ssh <host> -p <port> -i <identity_file> -o IdentitiesOnly=yes info

The same thing can be achieved when using an ssh config file by adding the IdentitiesOnly=yes directive to the host config e.g.

Host <host>
  Hostname <hostname>
  Port <port>
  User <user>
  IdentityFile <path_to_identity_file>
  IdentitiesOnly yes

So, it seems like if you have:

  • multiple ssh keys set up
  • ssh agent running
  • you're not using your default key for authentication (this may not be the case, but it seems to be a factor)

Then you must use the IdentitiesOnly=yes directive in order to correctly authenticate.

Ideally if this directive is not set, and multiple keys are provided, the ssh server would not bail before getting to the explicitly provided key. Whether this is possible or not, I don't know. In the meantime, I would suggest that we can at least address the issue by updating the documentation to include a reference to the use of that directive.

I've raised a PR to add those notes to the README

@Piker98988
Copy link

You're a hero, man, you've saved us all!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

9 participants