Git authentication to GitLab via SSH


I'm running TeamCity on Windows, running the service using a local user account TeamCity.

I'm trying to set up a Git VCS root to begin configuring a build.

So far, I've created a passwordless RSA key pair using ssh-keygen from within a git bash shell, saved to C:\Users\TeamCity\.ssh\rsa_id and Next I uploaded the public key to GitLab and successfully performed a git clone using the git bash shell - the key is accepted and the server key is added to the known hosts file.

Now, I've created a VCS root with the following settings:

  • Type of VCS: Git
  • VCS root name: Git Repository
  • VCS root ID: Platform_GitRepository
  • Fetch URL:
  • Default branch: refs/heads/master

For simplicity I have configured the authentication as follows:

  • Authentication method: Custom Private Key
  • Username: teamcity
  • Private key path: C:\Users\TeamCity\.ssh\id_rsa

I'd like to be able to use some of the alternative SSH key options, but I would like to get this to work in its simplest form first.

When pressing the Test Connection button, I get a very terse:

    List remote refs failed: com.jcraft.jsch.JSchException: Auth cancel
I've looked in the teamcity-vcs.log file and can see the equivalent exception and stack trace:
[2016-04-07 14:53:24,470]   INFO [nio-8000-exec-1] -      jetbrains.buildServer.VCS - Error occurred in test connection: jetbrains.buildServer.vcs.VcsException: List remote refs failed: com.jcraft.jsch.JSchException: Auth cancel
	at jetbrains.buildServer.buildTriggers.vcs.git.OperationContext.wrapException(
	at jetbrains.buildServer.buildTriggers.vcs.git.GitVcsSupport.getRemoteRefs(
	at jetbrains.buildServer.buildTriggers.vcs.git.GitVcsSupport.getCurrentState(
	at jetbrains.buildServer.buildTriggers.vcs.git.TestConnectionCommand.checkFetchConnection(
	at jetbrains.buildServer.buildTriggers.vcs.git.TestConnectionCommand.testConnection(
	at jetbrains.buildServer.buildTriggers.vcs.git.GitVcsSupport.testConnection(
	at jetbrains.buildServer.controllers.admin.projects.TestConnectionCommand.runTestConnection(
	at jetbrains.buildServer.controllers.admin.projects.TestConnectionCommand.doTestConnection(
	at jetbrains.buildServer.controllers.admin.projects.EditVcsRootsController.doPost(
	at jetbrains.buildServer.controllers.BaseFormXmlController$1.handleRequest(
	at jetbrains.buildServer.controllers.AjaxRequestProcessor.processRequest(
	at jetbrains.buildServer.controllers.BaseFormXmlController.doHandle(
	at jetbrains.buildServer.controllers.BaseController.handleRequestInternal(
	at org.springframework.web.servlet.mvc.AbstractController.handleRequest(
	at org.springframework.web.servlet.mvc.SimpleControllerHandlerAdapter.handle(
	at org.springframework.web.servlet.DispatcherServlet.doDispatch(
	at org.springframework.web.servlet.DispatcherServlet.doService(
	at org.springframework.web.servlet.FrameworkServlet.processRequest(
	at org.springframework.web.servlet.FrameworkServlet.doPost(
	at javax.servlet.http.HttpServlet.service(
	at org.springframework.web.servlet.FrameworkServlet.service(
	at javax.servlet.http.HttpServlet.service(
	at jetbrains.buildServer.maintenance.TeamCityDispatcherServlet.service(
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(
	at org.apache.tomcat.websocket.server.WsFilter.doFilter(
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(
	at jetbrains.buildServer.web.DependencyParametersCalculationContextFilter.doFilter(
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(
	at jetbrains.buildServer.web.DisableSessionIdFromUrlFilter.doFilter(
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(
	at jetbrains.buildServer.diagnostic.web.DiagnosticFilter.doFilter(
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(
	at jetbrains.buildServer.web.ResponseFragmentFilter.doFilter(
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(
	at org.apache.catalina.core.StandardWrapperValve.invoke(
	at org.apache.catalina.core.StandardContextValve.invoke(
	at org.apache.catalina.core.StandardHostValve.invoke(
	at org.apache.catalina.valves.ErrorReportValve.invoke(
	at org.apache.catalina.core.StandardEngineValve.invoke(
	at org.apache.catalina.connector.CoyoteAdapter.service(
	at org.apache.coyote.http11.AbstractHttp11Processor.process(
	at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(
	at java.util.concurrent.ThreadPoolExecutor.runWorker(
	at java.util.concurrent.ThreadPoolExecutor$
	at org.apache.tomcat.util.threads.TaskThread$
Caused by: org.eclipse.jgit.errors.TransportException: Auth cancel
	at org.eclipse.jgit.transport.JschConfigSessionFactory.getSession(
	at org.eclipse.jgit.transport.SshTransport.getSession(
	at org.eclipse.jgit.transport.TransportGitSsh$SshFetchConnection.<init>(
	at org.eclipse.jgit.transport.TransportGitSsh.openFetch(
	at jetbrains.buildServer.buildTriggers.vcs.git.GitVcsSupport.getRemoteRefs(
	at jetbrains.buildServer.buildTriggers.vcs.git.GitVcsSupport.getRemoteRefs(
	... 53 more
Caused by: com.jcraft.jsch.JSchException: Auth cancel
	at com.jcraft.jsch.Session.connect(
	at org.eclipse.jgit.transport.JschConfigSessionFactory.getSession(
	... 58 more
There doesn't seem to be any more useful information available; I'm not sure how to proceed from here to diagnose why TeamCity isn't able to authenticate with the key specified.
I should also add that I've managed to get a connection to a GitHub account to work with the same key, so it would appear to be a specific combination of JSch and our GitLab server's setup.
Are there any logs available for JSch, or any verbosity switches I could enable? Any suggestions on steps I could take to progress this further?


Comment actions Permalink

Hello Paul,

To get additional logging you can enable 'debug-vcs' logging preset on Administration diagnostics page, reproduce the issue and check the content of teamcity-vcs.log file. Also please check whether GitLab logs contain any clues on why authentication fails.

Do you use submodules?

Comment actions Permalink

Having enabled the logging preset and repeated, I'm afraid there's no additional information in the log; the same exception stack appears.

We don't use submodules.

Comment actions Permalink

After some more experimenting, it looks like in specifying the `teamcity` username the connection is trying to set up an SSH tunnel with the username `teamcity`. That's not a shell user on the GitLab server; the shell user is `git` (as specified in the SSH URL). The `git` user itself doesn't have rights over any repositories; its just there for SSH tunnels and services.

I believe GitLab is supposed to use the SSH key to determine the GitLab user, even though all users are using `git` as their SSH tunnel principal.

Comment actions Permalink

After dealing with some permission issues on the GitLab end I can confirm that removing the username has fixed the issue for me. GitLab wants all users to SSH as the "git" user and will use the key to determine the internal principal.


Please sign in to leave a comment.