fix: Failed to create ssh client to the server

[pythoninthegrass]

Hi @MightyMoud !

Having some difficulties getting this running on both Ubuntu 24.04.1 directly and from my laptop running macOS 12.7.4 (21H1123).

On both I'm getting this error:

Please enter the IPv4 Address of your VPS: 192.168.8.75
Please enter an email for use with TLS certs: 4097471+pythoninthegrass@users.noreply.github.com
Please enter your docker registery: ghcr.io
Please enter your docker username for the registery: pythoninthegrass
Are you logged in to the docker registery? [Yes/no]: yes

2024/09/23 06:59:58 Failed to create ssh client to the server: ssh: handshake failed: ssh: unable to authenticate, attempted methods [none publickey], no supported methods remain

On ubuntu I had to setup the ssh-agent and add a key manually to get SSH_AUTH_SOCK working as expected.

Didn't do anything special on macos and got the same result when connecting to the same box.

Reading your summary, it says sidekick logs in as root. Not a fan of this approach from a security perspective; would prefer to log in as a non-root user with sudo privileges to create the sidekick user.

Sidenote: it would be nice to read an .env or toml file to fill in the same info. If you're interested, I can open an issue and/or PR for that.

[MightyMoud]

Hi @pythoninthegrass<

I like the idea of reading information directly from a file. Currently, Sidekick will create a global config file ~/.config/sidekick/default.yaml and put the stuff in after you complete the setup. I think also with next release we will require far less info, IP address and an email; assuming root user too.

I get your point about not logging in as root even on first connection. I think in all my testing, I have been setting up out of the box VPS from DO; so I always log in as root to start with. I also made Sidekick with the vision of taking care of everything for you. So it will setup your VPS from the ground up. Including making the new sidekick user and disabling the login for root user. I think it makes sense. Might be an overkill to make a new user give it sudo privileges first then try to run Sidekick. What do you think?

Back to the error, I can't tell if it's because you disabled login with root or is it because of another issue?

[pythoninthegrass]

Appreciate the quick response @MightyMoud!

Those are good points all around. I'll see if I can spin up a brand new VM with the absolute bare minimum including root login and get back to you.

Re: the .env file, I refactored the init.go file last night and it would be fairly trivial to remove required input when the amount of info is pared down to just the IP address and email.

I'll open a direct issue and PR with the latter being a dialogue where I'm happy to make changes based on your feedback.

[pythoninthegrass]

Related #20

[adampresley]

I am having the same issue. The hosting provider is IONOS. It is a Ubuntu 24 VPS, has a root user, and my default key (id_rsa) is set up on the server. I can confirm that I can run ssh root@<my IP here> without issue. I can also confirm that I see the IP to my server in the known hosts file, which, based on your code, it looks like you are reading.

Sidekick was installed via Homebrew. I don't see any version information or a flag to display, so I don't know if that is relevant. I also setup my ~/.ssh/config for an entry with my host both by name and IP to point to the correct SSH key.

[adampresley]

After pulling down your code, and much debugging, it turns out that even though I could run ssh root@<myip> successfully, I needed to run ssh-add --apple-use-keychain ~/.ssh/id_rsa. This resolved my issue. Perhaps a small blurb in your README for MacOS folks can help mitigate this issue.

[MightyMoud]

@adampresley Thanks for reporting this. I think I need to improve this. We don't use the default key; Sidekick will query the agent and try the keys we get from there instead. We should try the default key first. I'll add that to my list. Meanwhile an addition to the README will do.

Funny enough I am on a mac too and I did run the ssh-add command but like it was a month ago, so I forgot to add it as part of the setup.

Also that looks like an outdated version on brew. I'll work on updating that today Cheers

[adampresley]

No problem @MightyMoud. I also noticed on line 36 of cmd/utils/stages.go that you are disabling root SSH access. It might be worth calling that out in the README as well as a side effect. I didn't know that was going to happen and I thought I messed something up on my VPS, so I re-imaged it. Then it happened again so I decided to look over the code and found that line.

[semics-tech]

@MightyMoud just to let you know, I tried running sidekick init on a brand new digitalocean Ubuntu 24.04 server, before I created another user other than root and I hit this error, it locked me out of the server (couldn't access via the DigitalOcean console either). I had to recreate the server.

[TLINDEN]

btw - I had the same issue under Linux (ubuntu as well). After adding the default ssh key to the agent, sidekick init worked.

[mrwyndham]

Not working for me where am I going wrong:

MacOS Client: Generate a new key under the ~/.ssh/y MacOS Client: Add a ~/.ssh/config file with IdentityFile ~/.ssh/y MacOS Client: restart ssh-agent MacOS Client: connect via ssh@{IP_ADDRESS} it works and asks for SSH key MacOS Client: sidekick init -> Failed to create ssh client to the server: ssh: handshake failed: ssh: unable to authenticate, attempted methods [none publickey], no supported methods remain

also got the same issue running on linux except it said SSH_SOCK

[dirad]

Not sure if to tack on here or create a separate issue.

After adding key with ssh-add, i was able to login and start kickstart init process. -- [+1 to be able to pass this key as an argument, like -i mykeyfile ] But the process fails on traefik

[STDERR]  traefik-service Pulling
panic: error running command - cd sidekick-traefik && sudo docker compose -p sidekick -f docker-compose.traefik.yml up -d: -  traefik-service Pulling

goroutine 1 [running]:
github.com/mightymoud/sidekick/cmd.init.func4(0xc0001a8900?, {0x85bb3d?, 0x4?, 0x85bb41?})
        /home/user/go/pkg/mod/github.com/mightymoud/sidekick@v0.6.0/cmd/init.go:144 +0x1cb9

Now i am left with a machine that wont let me login as root [it was open before] and sidekick init also fails to start - since it cannot login as root either...

[MightyMoud]

@dirad Try to ssh using sidekick as user. You should be able to login with the new user named sidekick instead of root. I'll plan to add the flag to tell which key to use as well. It's a good improvements.

[MightyMoud]

Hey guys,

The issue with attempted methods [none publickey], no supported methods remain is a problem with the key lookup priority Sidekick goes through. I'll fix that in next release and let you guys know.

I love working on Sidekick. But I work on it after my full-time job. So progress will be slow. So bear with me guys.

Thanks for reporting those issues nonetheless. There is still a ton of work to do till Sidekick is where I envision it. We will get there. Slowly.

Cheers.

[MightyMoud]

@adampresley Thanks for pointing this out. I have added it on the readme https://github.com/MightyMoud/sidekick/blob/a2064479dd0c36b88187c8f2e9310590eac3871d/README.md?plain=1#L86

[dirad]

@dirad Try to ssh using sidekick as user. You should be able to login with the new user named sidekick instead of root. I'll plan to add the flag to tell which key to use as well. It's a good improvements.

sure, i tried that, i can login using sidekick, but sidekick itself fails. it would be best if there was a way for sidekick to get back to what it was about to do, and failed; resuming the init process. But for sure, you need some way to run it again after it failed, at least from the beginning, otherwise so we're left with kind of one leg..

[MightyMoud]

@dirad yup, working on that soon. Maybe a couple of releases down the line

[dirad]

@MightyMoud thanks again! So just , what do you suggest I do in order to finish setting up this server?

[MightyMoud]

This is now fixed. I'll make a path release very soon and update the docs.

Sidekick will lookup the keys in sequence:

• Default Keys in ssh directory:
  • id_rsa.pub
  • id_ecdsa.pub
  • id_ed25519.pub
• ssh agent keys

If you wish to use a custom key, you can add it to the agent first and then Sidekick will pick it up from there. I have opted not to add a -i flag as it will complicate things as to which key to use later for other commands; you would need to pass that flag every time you run deploy and the any other commands.

Running a couple of final tests and will release soon.

[MightyMoud]

@dirad You would have to nuke the machine and try with another one. I'll get the commands to be repeatable soon as discussed

[MightyMoud]

This is now fixed in latest release. You can run --version to check which version you have. The fix is on v0.6.1 onwards. Will be on brew in a couple of hours.

[dvdtth]

still getting the same problem it seems. using 0.6.1. on mac. can ssh into into remote server using plain old ssh root@server.ip.xx. getting error "Failed to create ssh client to the server: ssh: handshake failed: ssh: unable to authenticate, attempted methods [none publickey], no supported methods remain"

[adampresley]

As an aside, your project inspired me to create my own project that behaves a little differently. I ended up using the library “goph” for SSH and that seemed to work well for me. Perhaps take a look at that for your SSH interactions?

[MightyMoud]

@adampresley very happy Sidekick inspired you. That's awesome. I'll have a look at goph soon. Thank you

[MightyMoud]

@dvdtth are you able provide me with the name of the key you used? Are you also sure you are on latest version? You ran sidekick --version?

I have just tested this again and it works just well with default keys in the order mentioned.

[dvdtth]

Hi @MightyMoud,

Here are the list of keys:

The private key used would be id_ed25519 and I've checked that its public key is in server's authorized_keys as well. Doing plain old ssh root@... works. Bombing out when ssh through sidekick init for some reason...

sidekick --version returns dev but brew says i'm already on 0.6.1

[MightyMoud]

@dvdtth Much appreciated man.

I was able to replicate it locally and made a fix. Just pushed a patched version. It will be on brew in a couple of hours. Or you can download it from github releases.

Please try and let me know if you have any issues

[dvdtth]

@MightyMoud awesome, it works now, thanks!