Can't 'git push' but SSH appears to authorize?

~./ssh/config

host balena
    HostName git.balena-cloud.com
    User gh_legowerewolf
    IdentityFile %d/.ssh/keys/balena_legowerewolf

git push error:

PS █████████████████████████████████\Host> git push balena master

        ############################################################################

        None of the supplied SSH keys matched a known key for user `gh_legowerewolf`

        Known ssh key fingerprints for `gh_legowerewolf`:
                * c6██████████30072cef██████████ad

        Please make sure you've configured your keys correctly.
        https://balena.io/docs/getting-started/#adding-an-ssh-key

        ############################################################################

gh_legowerewolf@git.balena-cloud.com: Permission denied (publickey,keyboard-interactive).
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.

ssh verbose connection:

PS C:\Users\████████████\.ssh\keys> ssh balena -v
OpenSSH_for_Windows_7.7p1, LibreSSL 2.6.5
debug1: Reading configuration data C:\\Users\\████████████/.ssh/config
debug1: C:\\Users\\████████████/.ssh/config line 10: Applying options for balena
debug1: Connecting to git.balena-cloud.com [54.165.162.194] port 22.
debug1: Connection established.
debug1: identity file C:\\Users\\████████████/.ssh/keys/balena_legowerewolf type 0
debug1: key_load_public: No such file or directory
debug1: identity file C:\\Users\\████████████/.ssh/keys/balena_legowerewolf-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_for_Windows_7.7
debug1: Remote protocol version 2.0, remote software version Go
debug1: no match: Go
debug1: Authenticating to git.balena-cloud.com:22 as 'gh_legowerewolf'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256@libssh.org
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:NfwmqnKId5cx1RWpebbEuuM87bCJbdyhzRnqFES9Nnw
debug1: Host 'git.balena-cloud.com' is known and matches the ECDSA host key.
debug1: Found key in C:\\Users\\████████████/.ssh/known_hosts:2
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey after 134217728 blocks
debug1: pubkey_prepare: ssh_get_authentication_socket: No such file or directory
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Offering public key: RSA SHA256:MM0T3FmsrKEvEINrdPXTL/QjkyjwYYDlJTcA1OzUsIA C:\\Users\\████████████/.ssh/keys/balena_legowerewolf
debug1: Server accepts key: pkalg ssh-rsa blen 279
debug1: Authentication succeeded (publickey).
Authenticated to git.balena-cloud.com ([54.165.162.194]:22).
debug1: channel 0: new [client-session]
debug1: Entering interactive session.
debug1: pledge: network
debug1: console supports the ansi parsing
shell request failed on channel 0

So I can’t push code over git, but I can successfully authenticate? Halp?

Hey there @legowerewolf! Weird behaviour indeed, I’m just wondering if %d is valid in the .ssh/config file when using git? Have you tried specifying the full path just to test that?

@chrisys Apologies for the late response. %d works when I use it for 11 other servers.

I’d also like to point out that the fingerprint I get by running
ssh-keygen -E md5 -lf “(home)\.ssh\keys\balena_legowerewolf.pub”
matches the fingerprint provided in the login failure response.

Hi,
Could you try to run GIT_SSH_COMMAND="ssh -v" git push balena master? This should hopefully give us some more pointers on what could go wrong there.
Thanks

git_ssh.log (3.8 KB)

Hi,
It seems like the the ssh command when used with GIT is not using the IdentityFile from your ssh config file. These are two different ssh commands. (OpenSSH_for_Windows_7.7p1, LibreSSL 2.6.5 vs OpenSSH_8.0p1, OpenSSL 1.1.1c 28 May 2019) It might not support the %d syntax there. According to the log you posted, it tries these private key files for authentication:

debug1: Will attempt key: /c/Users/████████████/.ssh/id_rsa 
debug1: Will attempt key: /c/Users/████████████/.ssh/id_dsa 
debug1: Will attempt key: /c/Users/████████████/.ssh/id_ecdsa 
debug1: Will attempt key: /c/Users/████████████/.ssh/id_ed25519 
debug1: Will attempt key: /c/Users/████████████/.ssh/id_xmss 

You can check if the %d is not supported, but changing the line

IdentityFile %d/.ssh/keys/balena_legowerewolf

with

IdentityFile /c/Users/████████████/.ssh/keys/balena_legowerewolf

or

IdentityFile ~/.ssh/keys/balena_legowerewolf

Cheers,

ssh2.log (2.4 KB)

I found the executable Git for Windows was using. It packs its own, frustratingly, and it’s not on the PATH. But, when I specified that executable and pointed it to Balena, authentication succeeded without modifying my config file.

Hey, the problem is that your git remote is set up to push to git.balena-cloud.com and so doesn’t match your ssh config alias, for it to work with your current git remote you would need to change it to:

host git.balena-cloud.com
    HostName git.balena-cloud.com
    User gh_legowerewolf
    IdentityFile %d/.ssh/keys/balena_legowerewolf

Alternatively you could change your git remote to ...@balena:... instead of ...@git.balena-cloud.com:... and have the hostname resolved from the alias