VCS SSH Documentation Clarification

Log in to the server console as one of the users whose public key you just uploaded.

What is meant by this? I am hosting on AWS and only SSH into the server with the bitnami user. I can only do this with the pem key I downloaded from aws when I instantiated the VM. Did I miss a step where the “uploaded key” gets added to the authorized_keys or something? In the screenshot of your console window you are logged in as bitnami when the test command echo {} | ssh vcs-user@localhost conduit conduit.ping is run.

Also there is now a Generate Key option on Phabricator instead of just uploading the public key. None of the documentation here suggests using the private key anywhere.

I think it would be very valuable to walk the user through actually using ssh to clone or pull a repo. I realize this isn’t specific to Phabricator or Bitnami, but the documentation kind of just gets you through configuration and then leaves you hanging.

Hi @arend.danielek,

There is a step 7 (previous to that step) mentioning how to upload user private keys: https://docs.bitnami.com/aws/apps/phabricator/#step-7-add-public-keys-to-phabricator

Basically, that is meant for being able to authenticate to Phabricator via SSH.

Please let us know if you have any questions.

Um, the previous step covers how to upload public keys and doesn’t mention the private key at all. That wasn’t my question though nearly as much as the meaning of

Log in to the server console as one of the users whose public key you just uploaded.

specifically

Log in to the server

which server… the VM instance my entire Phabricator stack is hosted on or the new SSH?

This could refer to SSHing into the server VM on AWS. This could technically also refer to SSHing into the SSH “server” I am trying to set up for repositories as per the documentation.

The official Phabricator documentation looks like this:

Start SSHD: Now, start the Phabricator sshd:

sudo /path/to/sshd -f /path/to/sshd_config.phabricator

If you did everything correctly, you should be able to run this command:

$ echo {} | ssh vcs-user@phabricator.yourcompany.com conduit conduit.ping

...and get a response like this:

{"result":"phabricator.yourcompany.com","error_code":null,"error_info":null}

Which indicates that the

echo {} | ssh vcs-user@phabricator.yourcompany.com conduit conduit.ping

command should just be entered in my normal SSH into the VM instance. I’m assuming this based off the first two lines:

Start SSHD: Now, start the Phabricator sshd:

sudo /path/to/sshd -f /path/to/sshd_config.phabricator

I guess this is less of a question and more me letting it be known that the line mentioned above from your documentation can be very confusing, as at no point do any of the previous steps allow me to use my newly generated private key to SSH into the AWS instance using my admin connection used up until that point. In theory one could SSH into the repo SSH server, but it is not clearly worded.

Also I really do suggest documenting the Phabricator generation of keys and all the local steps a user would need to take to install their private key on their local client machine in order to pull from the newly set up SSH. Sure most users who are working on this stuff won’t have issues generating their own key-pairs but the GUI operations of doing so through Phabricator are far simpler.

Hi @arend.danielek,

Please keep in mind that, because of how the RSA public-key system works, you only need to provide Phabricator with your public key, while authenticating with your private key.

Once authenticated via SSH, you should be able to execute commands in the server.

These lines in the Bitnami documentation indicate that I should SSH into my normal admin SSH for my AWS EC2 instance which I am hosting the Bitnami Phabricator stack on. The line immediately following that in the image has the user generate a host key.

I guess what I did not realize in the past was that it is a host key. Perhaps making a note of why it is necessary and not just that it is would help distinguish to the user that they are not generating the SSH key they will upload to Phabricator and use for VCS SSH authentication.

I wasn’t ever confused about uploading the private or public key. I was confused about the generation location of the SSH keypair as I misread step 4 and made a poor assumption.

Anyways I got SSH working mostly now, although

You are logged in as arend.danielek.

You haven't specified a command to run. This means you're requesting an interactive shell, but Phabricator does not provide an interactive shell over SSH.

Usually, you should run a command like `git clone` or `hg push` rather than connecting directly with SSH.

Supported commands are: conduit, git-lfs-authenticate, git-receive-pack, git-upload-pack, hg, svnserve.
[2017-06-15 16:22:09] EXCEPTION: (Exception) Unable to write to logfile "/var/log/ssh_logs/"! at [<phutil>/src/filesystem/PhutilDeferredLog.php:193]
arcanist(head=stable, ref.stable=21fe07925b07), phabricator(head=stable, ref.stable=d3b7a0f37c97, custom=2), phutil(head=stable, ref.stable=d02cc05931b0)
  #0 <#2> PhutilDeferredLog::__destruct()
  #1 phlog(Exception) called at [<phutil>/src/filesystem/PhutilDeferredLog.php:201]
  #2 PhutilDeferredLog::write() called at [<phutil>/src/filesystem/PhutilDeferredLog.php:155]
  #3 PhutilDeferredLog::__destruct()

I am now hitting this exception which shouldn’t be too hard to resolve. I just need to decide if it would be better to reroute the msg to a different path or change permissions for that location.

Hi @arend.danielek,

Thanks for your feedback, we will take it into account.

About your issue, what steps have you performed at this point? Could you please execute the following command on your server and share the output with us? It should be something like:

$ netstat -lnt
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN     
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN     
tcp        0      0 0.0.0.0:222             0.0.0.0:*               LISTEN     
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN     
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN     
tcp6       0      0 :::22                   :::*                    LISTEN     
tcp6       0      0 :::222                  :::*                    LISTEN 

If you are able to connect to your instance with your usual user through the 222 port with no issues, you may want to ignore that exception for now. Please double check that the previous steps are completed and continue with all the steps following carefully the indications in the guide.

Best regards,
Andrés Bono
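As an added example (not from the Bitnami guide or from anyone in this thread), a small POSIX shell preflight covering the two points raised above: whether something listens on the port the Phabricator sshd is expected on (222, as in the netstat output) and whether the SSH log path is a writable file rather than the directory named in the exception. The netstat sample inside is constructed; `ping_vcs_sshd` and its port 222 assumption are mine.

```shell
# Added example: preflight checks for the Phabricator VCS sshd discussed in the thread.

# Succeed if `netstat -lnt` output on stdin shows a TCP listener on the given port.
port_listening() {
  awk -v p="$1" '$1 ~ /^tcp/ && $6 == "LISTEN" && $4 ~ (":" p "$") { found = 1 }
                 END { exit !found }'
}

# The exception names "/var/log/ssh_logs/": a directory, which cannot be opened as a
# log file. Succeed only if the path is a writable regular file, or a not-yet-existing
# file name inside a writable directory.
log_path_ok() {
  path="$1"
  case "$path" in */) return 1 ;; esac       # trailing slash: a directory, not a file
  if [ -d "$path" ]; then
    return 1
  elif [ -e "$path" ]; then
    [ -f "$path" ] && [ -w "$path" ]
  else
    dir=$(dirname "$path")
    [ -d "$dir" ] && [ -w "$dir" ]
  fi
}

# Constructed sample in the shape of the `netstat -lnt` output quoted in the reply.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:222             0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN'

# The end-to-end test from the guide, for running by hand once the checks pass.
# Assumption: the Phabricator sshd listens on 222 (as the netstat output suggests).
ping_vcs_sshd() {
  echo '{}' | ssh -p 222 "vcs-user@${1:-localhost}" conduit conduit.ping
}

run_checks() {
  # On a real host replace the sample with:  netstat -lnt | port_listening 222
  if printf '%s\n' "$SAMPLE_NETSTAT" | port_listening 222; then
    echo "ok: a listener is bound to tcp/222"
  else
    echo "missing: nothing listens on tcp/222; check sshd_config.phabricator"
  fi
  if log_path_ok "/var/log/ssh_logs/"; then
    echo "ok: SSH log path is usable"
  else
    echo "fix: point the SSH log at a file (e.g. /var/log/ssh_logs/ssh.log) and make it writable"
  fi
}

run_checks
```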