Create a hosted repository

Using HTTP authentication

By default, Phabricator disables HTTP authentication, so enable it by following these steps:

  • Log in to the server console and run the command below:

    $ sudo /opt/bitnami/apps/phabricator/htdocs/bin/config set diffusion.allow-http-auth true
    
  • Restart Phabricator so the new setting comes into effect.

    $ sudo /opt/bitnami/ctlscript.sh restart phabricator
    
  • Log in to Phabricator as an administrator.

  • Click the settings icon in the top navigation bar, next to the logout icon.

  • Select the “Personal Account Settings” menu item.

  • On the resulting page, select the “Authentication -> VCS Password” menu item.

  • Enter and verify a new VCS password. Click “Change Password” to save the password.

To configure a new Git repository hosted in Phabricator with HTTP authentication, follow these steps:

  • Click the Phabricator logo in the top navigation bar.

  • Select the “Diffusion” tab in the left navigation menu.

  • On the resulting page, click the “Create repository” link in the top right corner.

  • Create a new hosted repository by selecting the repository type - in this case, Git.

  • Enter a human-readable name for the repository and an internal “callsign”.

  • On the repository details page, select the “Policies” menu item and click the “Edit Policies” link to define the access policies for the repository by specifying which groups can view, edit and push to it.

  • On the repository details page, choose the “Activate Repository” option to create your repository and confirm activation in the resulting dialog.

If all goes well, your repository will be created. You can select the “Status” menu item to confirm; it should show a success page.

Browse to the “URIs” page from the repository details page to obtain the repository clone URL.

Using SSH authentication

Step 1: Add a Special VCS User Account

Phabricator needs a dedicated user account that repository users connect as over SSH. You must first create this account and adjust it to work with Phabricator. In this guide, the user account is called vcs-user, although you can use a different user name if you wish (if you do, remember to update it in all the commands shown below).

Follow the steps below:

  • Log in to your server console as usual.

  • Create the new user account.

    $ sudo adduser vcs-user
    
  • Allow the user to run the Git server binaries as the daemon user, which is the user the Phabricator daemons run as by default in the Bitnami Phabricator Stack. To do so, open the sudoers file with the command below:

    $ sudo visudo
    
  • Add the line below to the end of the file and save your changes:

    vcs-user ALL=(daemon) SETENV: NOPASSWD: /opt/bitnami/git/bin/git-upload-pack, /opt/bitnami/git/bin/git-receive-pack
    
  • Edit the /etc/shadow file, find the line for the new vcs-user account and replace the password field (the second field) with the letters NP.

Step 2: Configure Phabricator

Next, you must set two important configuration variables in Phabricator. The phd.user variable defines the name of the user the daemons run as, while the diffusion.ssh-user variable sets the name of the user for SSH connections.

Follow the steps below for your platform.

  • Log in to your server console as usual.

  • Run the following commands to set the necessary variables:

    $ cd /opt/bitnami/apps/phabricator/htdocs/
    $ sudo ./bin/config set phd.user daemon
    $ sudo ./bin/config set diffusion.ssh-user vcs-user
    
  • Restart Phabricator for the changes to take effect.

    $ sudo /opt/bitnami/ctlscript.sh restart phabricator
    

Step 3: Open a New Firewall Port For SSH

Phabricator uses a highly restricted version of SSH running on port 22. Therefore, before you can use SSH authentication with Phabricator, you must move your existing SSH server to a different port, such as port 222, so that you can continue to log in to the server console for other tasks.

To allow connections on port 222, run the command below:

    $ sudo ufw allow 222

Step 4: Test SSH Access on the New Port

Next, run a separate instance of the SSH server on port 222 and verify that you can log in, before transferring it permanently. This is an important step to ensure that you do not inadvertently get locked out of your server.

  • Log in to your server console as usual.

  • Run the following command to start the SSH server on port 222:

    $ sudo /usr/sbin/sshd -f /etc/ssh/sshd_config -p 222
    

This will run a separate instance of the SSH server on port 222. You should now try logging in to the server console, remembering to specify the port number as 222. If you are able to successfully log in, proceed to the next section below.

Step 5: Move Your SSH Server to the New Port

The steps below will permanently transfer your SSH server to run on port 222.

  • Log in to your server console as usual.

  • Edit the SSH server configuration file at /etc/ssh/sshd_config:

    $ sudo vi /etc/ssh/sshd_config
    
  • Within the file, find the line containing the Port directive and update it to use port 222, as below:

    Port 222
    

  • Save the file.

  • Restart the SSH server.

    $ sudo service ssh restart
    

You should now try logging in to the server console again, remembering to specify the port number as 222. If you are able to successfully log in, proceed to the next section.

Step 6: Start Phabricator’s Restricted SSH Server

The steps below will start Phabricator’s restricted SSH server on the original SSH port, port 22.

  • Log in to your server console as usual.

  • Copy the /opt/bitnami/apps/phabricator/htdocs/resources/sshd/phabricator-ssh-hook.sh file to the /usr/share directory.

    $ sudo cp /opt/bitnami/apps/phabricator/htdocs/resources/sshd/phabricator-ssh-hook.sh /usr/share/
    
  • Edit the /usr/share/phabricator-ssh-hook.sh file and update the values of the VCSUSER and ROOT variables as follows:

    VCSUSER="vcs-user"
    ROOT="/opt/bitnami/apps/phabricator/htdocs"
    
  • Modify the permissions of /usr/share/phabricator-ssh-hook.sh as follows:

    $ sudo chown root /usr/share/phabricator-ssh-hook.sh
    $ sudo chmod 755 /usr/share/phabricator-ssh-hook.sh
    
  • Copy Phabricator’s restricted SSH server configuration file to your /etc/ssh directory:

    $ sudo cp /opt/bitnami/apps/phabricator/htdocs/resources/sshd/sshd_config.phabricator.example /etc/ssh/sshd_config.phabricator
    
  • Edit the /etc/ssh/sshd_config.phabricator file and modify the AuthorizedKeysCommand, AuthorizedKeysCommandUser, Port and AllowUsers directives so that they look like this:

    AuthorizedKeysCommand /usr/share/phabricator-ssh-hook.sh
    AuthorizedKeysCommandUser vcs-user
    AllowUsers vcs-user
    Port 22
    
  • Run the Phabricator SSH server as follows:

    $ sudo /usr/sbin/sshd -f /etc/ssh/sshd_config.phabricator
    
  • It is also necessary to make the PHP binary available in the default path for the vcs-user account. Use the following command to create the necessary link.

    $ sudo ln -s /opt/bitnami/php/bin/php /usr/bin/php
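
The following script is an added example, not part of the original guide or of Phabricator: it audits the four directives edited in Step 6 and the hook file's ownership and mode before the restricted SSH server is started. The function names are this example's own, and the config it runs on is a constructed sample.

```sh
#!/bin/sh
# Added example: audit the Step 6 files before starting the restricted sshd.

# Print the value of the first uncommented occurrence of a directive;
# sshd uses the first value it reads for each keyword.
sshd_directive() {    # $1 = config file, $2 = keyword (case-insensitive)
    awk -v key="$2" 'tolower($1) == tolower(key) {
        $1 = ""; sub(/^[ \t]+/, ""); print; exit }' "$1"
}

expect_directive() {  # $1 = config file, $2 = keyword, $3 = expected value
    got=$(sshd_directive "$1" "$2")
    [ "$got" = "$3" ] && return 0
    echo "FAIL $2: expected '$3', found '${got:-<unset>}'" >&2
    return 1
}

# Return 0 only if all four directives edited in Step 6 hold the guide's values.
audit_sshd_config() { # $1 = config file, $2 = hook path, $3 = VCS user
    rc=0
    expect_directive "$1" AuthorizedKeysCommand "$2" || rc=1
    expect_directive "$1" AuthorizedKeysCommandUser "$3" || rc=1
    expect_directive "$1" AllowUsers "$3" || rc=1
    expect_directive "$1" Port 22 || rc=1
    return "$rc"
}

# sshd requires the AuthorizedKeysCommand program to be owned by root and not
# writable by group or others, which is what the chown/chmod in Step 6 ensure.
audit_hook() {        # $1 = hook path, $2 = expected owner (default: root)
    [ -f "$1" ] || { echo "FAIL $1: missing" >&2; return 1; }
    [ -n "$(find "$1" -maxdepth 0 -user "${2:-root}" -perm -111)" ] ||
        { echo "FAIL $1: not owned by ${2:-root} or not executable" >&2; return 1; }
    [ -z "$(find "$1" -maxdepth 0 \( -perm -020 -o -perm -002 \))" ] ||
        { echo "FAIL $1: writable by group or others" >&2; return 1; }
}

# Constructed sample (not a real server file): the Port line was left at a
# value other than the guide's, so the audit reports exactly one failure.
sample=$(mktemp)
printf '%s\n' '# constructed sample' \
    'AuthorizedKeysCommand /usr/share/phabricator-ssh-hook.sh' \
    'AuthorizedKeysCommandUser vcs-user' 'AllowUsers vcs-user' \
    'Port 2222' > "$sample"
audit_sshd_config "$sample" /usr/share/phabricator-ssh-hook.sh vcs-user ||
    echo "sample config needs fixing before sshd is started"
rm -f "$sample"
```

On the server, call `audit_sshd_config /etc/ssh/sshd_config.phabricator /usr/share/phabricator-ssh-hook.sh vcs-user` and `audit_hook /usr/share/phabricator-ssh-hook.sh` with the paths from this guide.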
    

Step 7: Add Public Keys to Phabricator

This is a good time to add your users’ public SSH keys to Phabricator so that they can authenticate themselves over SSH. To do this, follow the steps below:

  • Log in to Phabricator as an administrator.

  • Click the settings icon in the top navigation bar, next to the logout icon.

  • Select the “Personal Account Settings” menu item.

  • On the resulting page, select the “Authentication -> SSH Public Keys” menu item.

  • Select the “SSH Key Actions -> Upload Public Key” menu item.

  • Enter the name and content of the public key.

  • Click “Upload Public Key” to save the new public key to the system.

Repeat the last three steps for each user to be authenticated over SSH.

Step 8: Test SSH Authentication

You can now run a quick test to see if everything is working correctly. To do this:

  • Log in to the server console as one of the users whose public key you just uploaded.

  • Execute the following command:

    $ echo {} | ssh vcs-user@localhost conduit conduit.ping
    

If everything is correctly configured, the server response should look like the example below:

    {"result":"my-hostname","error_code":null,"error_info":null}

If you see a different response, see the Troubleshooting section below.

Step 9: Configure a Self-Hosted Repository with SSH Authentication

To configure a new Git repository hosted in Phabricator with SSH authentication, follow these steps:

  • Click the Phabricator logo in the top navigation bar.

  • Select the “Diffusion” tab in the left navigation menu.

  • On the resulting page, click the “Create repository” link in the top right corner.

  • Create a new hosted repository by selecting the repository type - in this case, Git.

  • Enter a human-readable name for the repository and an internal “callsign”.

  • On the repository details page, select the “Policies” menu item and define the access policies for the repository by specifying which groups can view, edit and push to it.

  • On the repository details page, choose the “Activate Repository” option to create your repository and confirm activation in the resulting dialog.

If all goes well, your repository will be created. You can select the “Status” menu item to confirm; it should show a success page.

To obtain the repository clone URL, access the repository detail page from the “Diffusion” tab, which contains the complete clone URL.

Users whose public keys are stored in Phabricator should now be able to clone the repository using a command like:

    $ git clone clone-url

Troubleshooting

The quickest way to troubleshoot authentication issues is to run Phabricator’s restricted SSH server in debug mode and view the error log it generates. To do this, first ensure it is not running (or kill the existing running process) and then replace the last command in Step 6 with this one:

    $ sudo /usr/sbin/sshd -d -d -d -f /etc/ssh/sshd_config.phabricator &

This will start Phabricator’s SSH server in debug mode and display a running log of error messages on the console. You can now test SSH access as described in Step 8 and watch the log for more detailed error information. Common errors include incorrect key file permissions, invalid file paths in configuration files or missing binaries.

Please also refer to the Troubleshooting section of the Diffusion user guide for more troubleshooting steps and ideas.

Last modification September 4, 2018