Tuesday, May 22, 2012

Connecting to Git through SSH on a Mac


Okay, so you have git installed, you have your repository in Eclipse, but for some reason you can't push (or perhaps even pull). Here are a number of debugging steps that can help fix that.

This lists debugging options for a variety of issues on a Mac.

Version of Mac I am using:
Mac 10.7 (Lion)

Back up your old public and private keys:

First back up your old keys.  I made a file called old, and I moved them in there.
Your keys are located in ~/.ssh/id_rsa and ~/.ssh/id_rsa.pub

Code for this:
$ mkdir ~/.ssh/old
$ mv ~/.ssh/id_rsa ~/.ssh/old/.
$ mv ~/.ssh/id_rsa.pub ~/.ssh/old/.
(mkdir is short for 'make directory')
(mv is short for 'move')
(. is short for 'this directory')


Generate an SSH key using the terminal:
Use the command: $ ssh-keygen -t rsa -b 4096
to generate a public/private key pair.

(keygen is short for 'generate key')
(rsa is the type of key generation method, dsa is another)
(4096 is the size of your key; other sizes include 1024 and 2048. Notice they are powers of 2; larger is more secure.)


It is going to ask you to Enter passphrase (empty for no passphrase):
You can have both a private/public key, and then also have your private key password protected.
First get it working with no passphrase, and then try it with a passphrase, if you so desire.

Note that it defaults to put your file in ~/.ssh/id_rsa (where you got your other one from)
(note that /Users/x ,where x is your account name, is the same as ~)

If you have already backed up (or moved) your keys (as described above), you can automatically just press enter through all the prompts.

The output should look like this (where x is your account name and X-MacBook-Pro is your computer name):
X-MacBook-Pro:.ssh x$ ssh-keygen -t rsa -b 4096
Generating public/private rsa key pair.
Enter file in which to save the key (/Users/x/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in id_rsa.
Your public key has been saved in id_rsa.pub.

The key fingerprint is:
40:4f:16:3e:f6:f3:87:b1:d9:37:c0:e2:1f:f0:1c:a5 x@X-MacBook-Pro.local
The key's randomart image is:
+--[ RSA 4096]----+
|      . +.       |
|     . =         |
|      . =      . |
|       o o  . o  |
|        S oo.E   |
|          .o=*o  |
|           .=+o..|
|            .....|
|             .   |
+-----------------+

Note that the key fingerprint is like the name of the key pair set. This is so that you can match the public and private key to each other later (in case you get confused and deal with several).

Save this key fingerprint somewhere (for example, in a text file). It will help you confirm (and understand) things better.

Make sure you have both the public and private key in the ~/.ssh directory
This should automatically happen if you followed the instructions above, but if you are debugging, you might want to check this, as some applications have trouble with this.

To check this, type:
$ ls ~/.ssh/id_rsa
It should output: /Users/x/.ssh/id_rsa
Then type:
$ ls ~/.ssh/id_rsa.pub
It should output: /Users/x/.ssh/id_rsa.pub

(note that ls means 'list the names of these files')
You can also type $ ls ~/.ssh/
and in this case it will list out all of the contents of that directory.
You can then just look for the two file names in the list that is outputted.


Just for Fun: Look at the keys generated : public key
It might be helpful to look at the keys so you can see that they look like what you expect.

To look at the public key, type:
$ more ~/.ssh/id_rsa.pub
The output should look like:
ssh-rsa <long string of base64 characters> x@X-MacBook-Pro.local

ssh-rsa denotes the type of encryption method; if you had specified dsa above, it would say ssh-dsa instead.

It should end with youraccountname@somecomputername


Just for Fun: Look at the keys generated : private key
It might be helpful to look at the keys so you can see that they look like what you expect.

$ more ~/.ssh/id_rsa

Okay, now if you chose 4096 above, this printout will be long; if you chose 1024, it will be a much more manageable size.

It should start with: 
-----BEGIN RSA PRIVATE KEY-----

Then some unreadable content that is really long, here is a sample (it should be several pages of this):
MIIJKAIBAAKCAgEAp+stsg4If6m4YDQVHKX16g5nR0WRuYCUf4NCZ1y3iO2LwJX1aC4naotkRUVYFscQhxM14+8ZPpEqWGx6XgJZvcRmdB91b/LfwYDc0La4lY+3ehtU

And then it should end with:
-----END RSA PRIVATE KEY-----




Check that you have an authorized_keys file and that it has the public key content
To check this, type $ ls ~/.ssh/authorized_keys
It should output the file name: /Users/x/.ssh/authorized_keys

If no file exists, then type: $ cp ~/.ssh/id_rsa.pub ~/.ssh/authorized_keys
(cp is short for copy)

If a file does exist, then type $ cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys
(cat is short for concatenate; >> appends the output to the end of the existing file instead of printing it)

Make sure that the permissions are 700 for the directory and 600 for the keys
To do this use the chmod command:
$ chmod 700 ~/.ssh
$ chmod 600 ~/.ssh/id_rsa
$ chmod 600 ~/.ssh/id_rsa.pub
$ chmod 644 ~/.ssh/authorized_keys

If you do not have your permissions strict enough, then it will not work.

chmod stands for 'change mode', which essentially means 'change the permissions'

You typed 700 above for the directory, you could have also typed 0700
But for now let's ignore the first 0.

Okay so 700 is really thought of as 3 numbers
the first number represents permissions to yourself (e.g., 7)
the second number represents permissions to the group (e.g., 0)
the third number represents permissions to everyone/all (e.g., 0)

As for the permissions, execute has a value of 1, write has a value of 2, and read has a value of 4.
Decide what you want for each user class (you, group, all), and then add those values together.
(Note that because these are powers of two, each sum is necessarily distinct.)

So 700 means:
7 - read (4), write (2), execute (1) to the owner (4+2+1)
0 - no access to group
0 - no access to all

644 means:
6 - read (4), write (2) access to owner (4+2)
4 - read access to group
4 - read access to all

In order to enter a directory, you need to be able to execute it, which is why you set the directory itself to 700.

The other files you just need to read.

You may wonder why the id_rsa.pub file does not allow outside people to read it. This is because you are going to give the particular program/user that file yourself.


Check your permissions:

To check your permissions, type
$ ls -l ~/.ssh/
(ls lists the directory contents)
(the -l option gives the long version, so you can also see permissions)

It will first list the total number of system blocks (e.g., total 56), this depends on several things, including the number of files you have in the directory. Ignore this line.

Within the output, you should see:

-rw-------@  1 x  groupname  3243 May 22 02:02 id_rsa
-rw-------@  1 x  groupname   758 May 22 02:02 id_rsa.pub

The important part is the file names, and that the permissions are correct.

To process -rw-------@ : ignore the first -, the next three letters specify the owner access, the following three specify the group, the last three specify all.
-rw-------@ : means read write for the owner.

If you specify $ ls -la ~/.ssh/
the -a option states to list the hidden files.
Then you will also see:
drwx------  10 x  groupname   340 May 22 02:00 .
which is the current directory; note that this is equivalent to 700

drwxr-xr-x+ 27 x  groupname   918 May 22 00:28 ..
or the upper directory, note that this is equivalent to 755
Note that it is important that neither the group nor all have write access.
If they do, that will also cause the ssh keys not to be accepted.
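
The checks from this section as one script, added here as an example and not part of the original post: it flags a directory or private key that group or other can access, and public files that they can write. The function names and the throw-away demo directory are made up for the illustration.

```shell
#!/bin/sh
# Added example, not from the original post: audit the modes set with chmod above.

# Octal mode of a path: GNU stat (Linux) first, BSD stat (macOS) as fallback.
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# True when any permission bit in octal mask $2 is set on path $1.
has_bits() {
    [ $(( 0$(mode_of "$1") & 0$2 )) -ne 0 ]
}

# Print one line per finding; return 1 if anything was found, 0 if the directory is clean.
audit_ssh_dir() {
    dir=$1
    found=0
    for f in id_rsa id_rsa.pub; do
        [ -f "$dir/$f" ] || { echo "MISSING: $dir/$f"; found=1; }
    done
    # Directory (700) and private key (600): no bits at all for group or other.
    for p in "$dir" "$dir/id_rsa"; do
        [ -e "$p" ] || continue
        if has_bits "$p" 077; then
            echo "TOO OPEN: $p is $(mode_of "$p"), group/other must have no access"
            found=1
        fi
    done
    # Public key and authorized_keys may be readable (644) but not group/other-writable.
    for p in "$dir/id_rsa.pub" "$dir/authorized_keys"; do
        [ -e "$p" ] || continue
        if has_bits "$p" 022; then
            echo "WRITABLE: $p is $(mode_of "$p"), group/other must not have write"
            found=1
        fi
    done
    return "$found"
}

# Constructed demo: a throw-away directory whose private key is deliberately left at 644.
demo() {
    d=$(mktemp -d) || return 1
    : > "$d/id_rsa"; : > "$d/id_rsa.pub"; : > "$d/authorized_keys"
    chmod 700 "$d"; chmod 644 "$d/id_rsa" "$d/authorized_keys"; chmod 600 "$d/id_rsa.pub"
    audit_ssh_dir "$d" || true
    rm -rf "$d"
}
demo
```

On your own machine, call audit_ssh_dir "$HOME/.ssh" instead of demo; no output means the modes match what this section asks for.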


Look to see what keys are in your ssh list:
To check this, type:
$ ssh-add -l
(the -l option just lists what keys are in the list)

The output should be one or more lines like the following:
4096 40:4f:16:3e:f6:f3:87:b1:d9:37:c0:e2:1f:f0:1c:a5 id_rsa (RSA)


Now there are three options:
1) It lists only one key, and it is yours.
Output: 4096 40:4f:16:3e:f6:f3:87:b1:d9:37:c0:e2:1f:f0:1c:a5 id_rsa (RSA)

Note that the key fingerprint (e.g.: 40:4f:16:3e:f6:f3:87:b1:d9:37:c0:e2:1f:f0:1c:a5) *must* match the one that was printed out before when you created your key.


2) It states: The agent has no identities.
In this case, simply add the key to the agent with ssh-add.
It should output: Identity added: /Users/x/.ssh/id_rsa (/Users/x/.ssh/id_rsa)

Confirm this by running $ ssh-add -l
and checking that your desired key is in the list.

If this doesn't work, then you created your key pair incorrectly. Note that I had trouble getting keys generated from PuTTY on Windows to work. There are several different key formats. Make sure you generated them using the ssh-keygen method described above.


3) There are several keys in the list.
In this case, it is easiest to simply delete all of the keys in the list and start from scratch.
Do this by typing $ ssh-add -D
The system should respond with: All identities removed.

Then re-run $ ssh-add -l
The list should be empty (option 2). Re-add the key. Confirm that it is there (option 1).
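
A way to tell the three cases apart automatically, added here as an example and not part of the original post. It reads ssh-add -l output on standard input and compares it with the fingerprint you saved at key creation; the function name agent_key_status and the second fingerprint in the samples are made up.

```shell
#!/bin/sh
# Added example, not from the original post.
# Real use: ssh-add -l | agent_key_status 40:4f:16:...   (fingerprint saved at key creation)
# Newer OpenSSH needs `ssh-add -l -E md5` to print this colon form, prefixed with "MD5:".

agent_key_status() {
    awk -v want="$1" '
        /^The agent has no identities/ { next }
        NF >= 2 {
            fp = $2
            sub(/^MD5:/, "", fp)          # accept both "40:4f:..." and "MD5:40:4f:..."
            total++
            if (fp == want) hit = 1
        }
        END {
            if (total == 0)      print "no-identities"        # option 2: add your key
            else if (!hit)       print "fingerprint-mismatch" # a different key is loaded
            else if (total == 1) print "ok"                   # option 1
            else                 print "multiple-keys"        # option 3: ssh-add -D, re-add
        }'
}

# Constructed samples: MINE is the fingerprint used throughout this article,
# OTHER is a made-up fingerprint standing in for a second key.
MINE='40:4f:16:3e:f6:f3:87:b1:d9:37:c0:e2:1f:f0:1c:a5'
OTHER='aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:66:77:88:99'

printf '%s\n' "4096 $MINE id_rsa (RSA)" | agent_key_status "$MINE"
printf '%s\n' "4096 $MINE id_rsa (RSA)" "2048 $OTHER old_key (RSA)" | agent_key_status "$MINE"
printf '%s\n' 'The agent has no identities.' | agent_key_status "$MINE"
```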

Check the key at GitHub.com

I am going to first assume you are not in SRL, and want to just generally check your private/public key pair.

First, log in to your account at github.com. Just because you are part of a local repository (such as the srl git repository) does not mean you have an account at github.com. Go to github.com, try to log in, and if you can't, create a login. (You can delete it later if you want, but you may want to keep it.) Fill in any required information.

Click on Edit Your profile.  Click on SSH Keys. Click on Add SSH Key.
Make the title what ever you want (recommended title: id_rsa.pub)

Now, back in the terminal, you need to get a copy of the text of your id_rsa.pub key. Type:

$ more ~/.ssh/id_rsa.pub
The output should look like:
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCn6y2yDgh/qbhgNBUcpfXqDmdHRZG5gJR/g0JnXLeI7YvAlfVoLidqi2RFRVgWxxCHEzXj7xk+kSpYbHpeAlm9xGZ0H3Vv8t/BgNzQtriVj7d6G1QKW/M5SZjFtJai1It7nq2vf/eVUtTR5z/Obvy3Fuwqw7fVw4d38Fu64LnhbC0TBDokAZgeN3nXJ/IKMVhJtt3VY9mnP3s6KrAyxZrKKJwjIO4xfSyf26TU/fCPycMis5bNKY+ISH7zjt9jBDyCbRsmIgumg21m1WfW0DOPAfq3muvfLAZdr9YkopWDQ/zYUVQcdc80C6hEl+inbmm3zhpHpuAQszT5EcSwje+B4V9mbmBCHRKcWWWAUPsdBRedJu1B6LTSuwjDXRqsY4OUJp1LqcX2npfiYh2a4cpGWSwgFJJTWtKYwm88gMg32YIXUpc0oUzsMc1XWvG2BLUichG5yQ1wEFH6tOOnQl52m2KQbjLO6/gf7uzk7EodsuHTBjcY4kjiO1oyC7boGXrIliQO6EokF4udVWrMwhVEPJsKE3JhHOzsdov5TRxmsWf+BwVSutGC4qirzH5bl9OLg5kbc6tLrgK7UxRO8/cN5nYoq2EGZkeSfW5/O9iUwjGYyVqFNT1k4hoI4XufIYHbAdyNe1jDPGQpchr/p1SCXWeXxQItDTwmxtklOxU2zw== x@X-MacBook-Pro.local


Control-copy the text from your output. Make sure you don't have strange line breaks. If you need to open the file in another way do that.

Now, control-paste that text into the large text box at the github.com site.

Click AddKey.

You should be able to see your key listed in the box:
id_rsa.pub (40:4f:16:3e:f6:f3:87:b1:d9:37:c0:e2:1f:f0:1c:a5)

Note that if you have an error, you either copied it wrong or you generated a bad key (go back, make sure you didn't generate it from putty or somewhere else, and make sure you didn't get confused and work with another file). It should not have any line breaks. It should start with ssh-rsa. It should end with someone@computernamesite

Make sure that the listed key fingerprint in github.com is the SAME as the key fingerprint listed from ssh-add -l. THIS IS VERY IMPORTANT.

Test the Key:


Use the command: $ ssh -vT git@github.com
This command will try to talk to github.com and verify your ssh key at the github.com site. (Please type this exactly, do not replace anything with a user name.)

The output will be long. But here is what you are looking for, and what it means:


OpenSSH_5.6p1, OpenSSL 0.9.8r 8 Feb 2011
you have openssh on your computer and the ssh program works
debug1: Reading configuration data /etc/ssh_config
You may or may not have this, but if you do, and things don't work, it is worth looking in your ssh_config file for any strange options. On mine, everything is commented out with a #
debug1: Applying options for *
debug1: Connecting to github.com [207.97.227.239] port 22.
debug1: Connection established.
It was able to connect to the github.com site. (If this doesn't work, make sure you actually typed the command right.)
debug1: identity file /Users/x/.ssh/id_rsa type 1
The 1 means that the private key was actually found. This is good because this is what we named the key.
If you have a 2 (or more) at the end, you may be confusing too many private keys of the same type. Check ssh-add -l and make sure you have the right (and not more) keys in there.
debug1: identity file /Users/hammond/.ssh/id_rsa-cert type -1
debug1: identity file /Users/hammond/.ssh/id_dsa type -1
debug1: identity file /Users/hammond/.ssh/id_dsa-cert type -1
The -1 means that we didn't find any other keys. Note that dsa is another encryption method. We only need one, so this is fine.
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.5p1 Debian-6+squeeze1+github2
debug1: match: OpenSSH_5.5p1 Debian-6+squeeze1+github2 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.6
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'github.com' is known and matches the RSA host key.
debug1: Found key in /Users/hammond/.ssh/known_hosts:3
You may have been asked earlier to add the key to known_hosts. Please do this. Otherwise, you will need to add it during this step. This is verifying that github.com is allowed to talk to you.
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /Users/hammond/.ssh/id_rsa
This is the line you are looking for. This means that your key was found.
debug1: Server accepts key: pkalg ssh-rsa blen 535
debug1: Authentication succeeded (publickey).
Authenticated to github.com ([207.97.227.239]:22).
Yea! Your key works!
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: Remote: Forced command: gerve login 40:4f:16:3e:f6:f3:87:b1:d9:37:c0:e2:1f:f0:1c:a5
Login should be the login name you created at github.com
The fingerprint here should match the fingerprint of your private key.
debug1: Remote: Port forwarding disabled.
debug1: Remote: X11 forwarding disabled.
debug1: Remote: Agent forwarding disabled.
debug1: Remote: Pty allocation disabled.
debug1: Remote: Forced command: gerve login 40:4f:16:3e:f6:f3:87:b1:d9:37:c0:e2:1f:f0:1c:a5
debug1: Remote: Port forwarding disabled.
debug1: Remote: X11 forwarding disabled.
debug1: Remote: Agent forwarding disabled.
debug1: Remote: Pty allocation disabled.
debug1: Sending environment.
debug1: Sending env LANG = en_US.UTF-8
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug1: client_input_channel_req: channel 0 rtype eow@openssh.com reply 0
Hi loginname! You've successfully authenticated, but GitHub does not provide shell access.
This string means you have successfully confirmed your key.
debug1: channel 0: free: client-session, nchannels 1
Transferred: sent 3152, received 3240 bytes, in 0.2 seconds
Bytes per second: sent 12983.4, received 13345.9
debug1: Exit status 1



That should be the end of your output (note that certain differences can exist.)

Possible problems:

debug1: Offering RSA public key: /Users/x/.ssh/id_rsa
debug1: Authentications that can continue: public key
If you get this message, are you sure you have an account at github.com and that you loaded the correct key, and that the fingerprints match? Check that again.
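
The walk through the debug output above, turned into a script that names the first stage that went wrong (added example, not part of the original post). It keys on the debug1 lines quoted in this article; the function names and the sample log are constructed, and the pattern also accepts the "Offering public key" wording without "RSA" that newer OpenSSH versions print.

```shell
#!/bin/sh
# Added example, not from the original post: name the first stage of `ssh -vT` that failed.
# Real use: ssh -vT git@github.com 2>&1 | diagnose_ssh_log

diagnose_ssh_log() {
    log=$(cat)
    # True when the captured log contains a line matching the extended regex $1.
    has() { printf '%s\n' "$log" | grep -Eq "$1"; }

    if has 'Authentication succeeded \(publickey\)'; then
        echo "ok: the server accepted your key"
    elif ! has 'Connection established'; then
        echo "network: never connected, check the host name you typed"
    elif ! has 'identity file .*/id_rsa type [0-9]'; then
        echo "key-file: id_rsa was not found (type -1), check ~/.ssh and its permissions"
    elif ! has 'Offering (RSA )?public key'; then
        echo "not-offered: the key was found but never offered to the server"
    else
        echo "rejected: key offered but not accepted, compare its fingerprint with the one on the server"
    fi
}

# Constructed sample: the failure shown under "Possible problems",
# preceded by the lines that lead up to it in a normal run.
sample_rejected() {
    cat <<'EOF'
debug1: Connection established.
debug1: identity file /Users/x/.ssh/id_rsa type 1
debug1: identity file /Users/x/.ssh/id_rsa-cert type -1
debug1: Authentications that can continue: publickey
debug1: Offering RSA public key: /Users/x/.ssh/id_rsa
debug1: Authentications that can continue: publickey
Permission denied (publickey).
EOF
}

sample_rejected | diagnose_ssh_log
```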




Checking your key on the SRL GIT server.

If you are not from SRL and you don't have an account on the git server, then please ignore this.

Basically these are the commands for people who are sharing in a repository that someone else created.

Do the same as above, but log into the srl gitorious (or your) repository and add your key there:

You should see that your account has the correct key added, with the correct fingerprint (again, add ssh keys, etc.) e.g.:
gitorious has loaded this key:
22 May 07:14 x@X-Ma... ssh-rsa 40:4f:16:3e:f6:f3:87:b1:d9:37:c0:e2:1f:f0:1c:a5

Now test with your repository name (don't add any special login information):
$ ssh -vT git@srl-old.cse.tamu.edu
or
$ ssh -vT git@yourrepositoryaddress
(don't add any extra information, like no project name, no login name, etc.)

If you did everything right, your output should be similar to above.
You are looking for the phrase:
Authenticated to yourrepository.edu ([008.004.003.001]:12).


In Eclipse (note that this is assuming you already have your repository pulled, but it is somehow broken)
Go to Eclipse -> Preferences
In the top left corner (where it says type filter text)
Type ssh
In the General tab, it should say
SSH2 home: /Users/x/.ssh
Private keys: id_rsa
In the Authentication Methods tab, it should have only publickey clicked.
Exit out

Right click on the project name, click Team > Remote > Configure Push to Upstream
The most likely problem is that the URI is wrong:
Go back to your git repository, click on the project, and get the push repository name.
Most probably you just have to change the start of the URI from ssh@... to git@...

Feel free to contact me if you have any comments or questions.