Restricted access, permission denied

Asked by lz.li on 2011-11-23

Hi,
I came here humbly for help! I met one problem when trying to deploy restricted access feature (bzr + openssh on windows XP SP3).
My previous authorized_keys is as follow (one of the public keys):
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEA6Cvm5D+zEU2NqUPYIG1+NIurkNtFPv2F9jgwLhh3CgQBclHLW0YCx1fdXMBxnbuBFi4lbD+DJ3sD3mQp/4BSXtnZ/Abnl6jmo34Ix0jRtc0HbHAIDFhdRrUUNryDmkhaZhH2M+1l7Npg6U5Tuk/SBEIei4BXpptS5VAdlmk+ln8= zuli@SHASVN
With it, I can access the bzr repository well.

To deploy the restricted access feature, I modified it as follow:
command="bzr serve --allow-writes --directory=D:\Bazaar\bzr_root_test",no-agent-forwarding,no-port-forwarding,no-pty,no-user-rc,no-X11-forwarding ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEA6Cvm5D+zEU2NqUPYIG1+NIurkNtFPv2F9jgwLhh3CgQBclHLW0YCx1fdXMBxnbuBFi4lbD+DJ3sD3mQp/4BSXtnZ/Abnl6jmo34Ix0jRtc0HbHAIDFhdRrUUNryDmkhaZhH2M+1l7Npg6U5Tuk/SBEIei4BXpptS5VAdlmk+ln8= zuli@SHASVN
Then I failed to access the bzr server!
It is really confusing me and the log information could not tell me the reason.
Wed 2011-11-23 14:17:01 +0800
0.078 bazaar version: 2.4.1
0.078 bzr arguments: [u'qsubprocess', u'--bencode', u'l8:checkout68:bzr+ssh://10.177.75.51/D:/Bazaar/bzr_root_test/MyTestProject1/Trunk/15:D:\\lz_tmp\\Test7e']
0.109 looking for plugins in C:/Documents and Settings/zuli/Application Data/bazaar/2.0/plugins
0.109 looking for plugins in C:/Program Files/Bazaar/plugins
0.140 encoding stdout as osutils.get_user_encoding() 'cp936'
0.203 bazaar version: 2.4.1
0.203 bzr arguments: [u'checkout', u'bzr+ssh://10.177.75.51/D:/Bazaar/bzr_root_test/MyTestProject1/Trunk/', u'D:\\lz_tmp\\Test7']
0.219 encoding stdout as osutils.get_user_encoding() 'cp936'
0.250 Unable to look up default port for ssh
0.469 ssh implementation is OpenSSH
1.172 Transferred: 0kB (0.2kB/s r:0kB w:0kB)
1.172 Transferred: 0kB (0.0kB/s r:0kB w:0kB)
1.172 Traceback (most recent call last):
  File "bzrlib\commands.pyo", line 946, in exception_to_return_code
  File "bzrlib\commands.pyo", line 1150, in run_bzr
  File "bzrlib\commands.pyo", line 699, in run_argv_aliases
  File "bzrlib\commands.pyo", line 721, in run
  File "bzrlib\cleanup.pyo", line 135, in run_simple
  File "bzrlib\cleanup.pyo", line 165, in _do_with_cleanups
  File "C:/Program Files/Bazaar/plugins\qbzr\lib\commands.py", line 821, in run
  File "C:/Program Files/Bazaar/plugins\qbzr\lib\subprocess.py", line 888, in run_subprocess_command
  File "bzrlib\commands.pyo", line 1150, in run_bzr
  File "bzrlib\commands.pyo", line 699, in run_argv_aliases
  File "bzrlib\commands.pyo", line 721, in run
  File "bzrlib\cleanup.pyo", line 135, in run_simple
  File "bzrlib\cleanup.pyo", line 165, in _do_with_cleanups
  File "bzrlib\builtins.pyo", line 1382, in run
  File "bzrlib\bzrdir.pyo", line 918, in open_tree_or_branch
  File "bzrlib\bzrdir.pyo", line 828, in open
  File "bzrlib\bzrdir.pyo", line 863, in open_from_transport
  File "bzrlib\bzrdir.pyo", line 1590, in open
  File "bzrlib\remote.pyo", line 293, in _open
  File "bzrlib\remote.pyo", line 356, in __init__
  File "bzrlib\remote.pyo", line 368, in _probe_bzrdir
  File "bzrlib\remote.pyo", line 375, in _rpc_open_2_1
  File "bzrlib\remote.pyo", line 56, in _call
  File "bzrlib\smart\client.pyo", line 132, in call
  File "bzrlib\smart\client.pyo", line 145, in call_expecting_body
  File "bzrlib\smart\client.pyo", line 93, in _call_and_read_response
  File "bzrlib\smart\message.pyo", line 299, in read_response_tuple
  File "bzrlib\smart\message.pyo", line 264, in _wait_for_response_args
  File "bzrlib\smart\message.pyo", line 286, in _read_more
ConnectionReset: Connection closed: Unexpected end of message. Please check connectivity and permissions, and report a bug if problems persist.

1.172 return code 3

Could you please kindly tell me what the root cause is, it has made me almost crazy!!
Thanks very much!

Question information

Language:
English Edit question
Status:
Open
For:
Bazaar Edit question
Assignee:
No assignee Edit question
Last query:
2011-11-24
Last reply:
2011-11-24
Martin Pool (mbp) said : #1

I guess you should have a look in the server's ssh log, and perhaps
turn up the server's logging level. The server is closing the
connection without telling bzr why.

lz.li (lizun619) said : #2

Hi Martin,

Thanks very much for your rapid and kind reply!

I have turned up the logging level to VERBOSE.

One more question:
1.Where can I find the ssh log file?

Really sorry that I am a totally newbie and have non any experience on this topic.

Have a nice day!

lz.li (lizun619) said : #4

Hi Martin,

The ssh log from event viewer is as follow:
The description for Event ID ( 0 ) in Source ( sshd ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: sshd : PID 5844 : Connection closed by 10.177.75.253.

It seems that as long as I add "command= ..." before the RSA key, this issue would be raised.

lz.li (lizun619) said : #5

Hi Martin,

In fact, my requirement is quite simple. Currently I run the bzr server as a windows service. Due to bzr's distributed control feature, anyone who knows the address can access the my bzr repository. That is unsafe for me! I need some authentication!

So I choose openssh as you team recommend. To ensure safety, I need to close the previous bzr server service. And now I have established openssh(could login by ssh username@ip-address or by key pair) and bzr(could run with bzr://) both, but I do not know how to combine them to have authentication.

Both by password and by key pair are OK for me. My question is how to invoke bzr server program "bzr serve ..." when receive request from ssh, and how to know when request is received on ssh.

The document on ssh server setup is really poor, besides I am a newbie on this topic, so if you have any idea, could you please give the setup step as detail as possible? I really appreciate if you can do that.

Thanks very much!

Sincerely,
lz

Martin Pool (mbp) said : #6

Hi iz.li,

> So I choose openssh as you team recommend. To ensure safety, I need to
> close the previous bzr server service. And now I have established
> openssh(could login by ssh username@ip-address or by key pair) and
> bzr(could run with bzr://) both, but I do not know how to combine them
> to have authentication.
>
> Both by password and by key pair are OK for me. My question is how to
> invoke bzr server program "bzr serve ..." when receive request from ssh,
> and how to know when request is received on ssh.

OK, I think I understand.

You've copied the 'bzr serve' command you were previously using to
start bzr in to the authorized_keys file, that's the problem.

The short answer is to just remove the command= part from the
authorized_keys file. The bzr client will automatically request to
start a bzr server.

> The document on ssh server setup is really poor, besides I am a newbie
> on this topic, so if you have any idea, could you please give the setup
> step as detail as possible? I really appreciate if you can do that.

Eventually we'd like to ship a built in SSH server; that would be much
easier for people to set up. I will see if I can improve it a bit
right now. If you point to specific things that are bad that will
help.

--
Martin

lz.li (lizun619) said : #7

Hi Martin,

Your suggestion really works on my PC and it would be very nice of you to ship a built in SSH server. I do think it would be very helpful for others.

My original purpose to add "command= "bzr server --inet ...."" is to restrict other ssh access except bzr (see "Using a restricted SSH account to host multiple users and repositories" in http://doc.bazaar.canonical.com/bzr.dev/en/admin-guide/simple-setups.html?highlight=restricted). Also I want to add some access control on different repositories, so I add "command="/path/to/bzr_access /path/to/bzr /path/to/repository <username>"..." as stated in http://doc.bazaar.canonical.com/bzr.dev/en/admin-guide/security.html?highlight=access%20control. Both of them would result the issue above. so what should I do if I desire these two features?

Another question:
To access bzr repository, I have to use the absolute path in the address, such as bzr+ssh://10.177.75.51/D:/Bazaar/bzr_root_test/MyTestProject1/Trunk. Definitely, I don't want others to know the detail path to the repository, is there any method to hide it but to access in relative path, such as bzr+ssh://10.177.75.51/MyTestProject1/Trunk? In my previous deployment (running bzr server as windows service), I can state the directory in command "bzr server --allow-writes --directory=D:/Bazaar/bzr_root_test", but where to set it if with ssh?

Thanks very much and have a nice day!

Can you help with this problem?

Provide an answer of your own, or ask lz.li for more information if necessary.

To post a message you must log in.