basecamp / kamal

Deploy web apps anywhere.
https://kamal-deploy.org
MIT License

ECDSA SSH key not working #530

Open fahu opened 1 year ago

fahu commented 1 year ago

I'm trying to run kamal setup. If I try to configure an SSH key of type ECDSA (generated with ssh-keygen -t ecdsa -b 521 -C "fabian@x.com") I get the following error:

$ kamal setup -vvv

INFO [b6c185d2] Running /usr/bin/env mkdir -p .kamal on XXX.XXX.XXX.XXX
DEBUG [b6c185d2] Command: /usr/bin/env mkdir -p .kamal
Enter passphrase for /Users/fahu/.ssh/XXX:
  Finished all in 6.8 seconds
  ERROR (OpenSSL::PKey::ECError): Exception while executing on host XXX.XXX.XXX.XXX: EVP_PKEY_sign: missing private key

/Users/fahu/.rbenv/versions/3.2.2/lib/ruby/3.2.0/openssl/pkey.rb:262:in `rescue in dsa_sign_asn1'
/Users/fahu/.rbenv/versions/3.2.2/lib/ruby/3.2.0/openssl/pkey.rb:259:in `dsa_sign_asn1'
/Users/fahu/.rbenv/versions/3.2.2/lib/ruby/gems/3.2.0/gems/net-ssh-7.2.0/lib/net/ssh/transport/openssl.rb:246:in `ssh_do_sign'
/Users/fahu/.rbenv/versions/3.2.2/lib/ruby/gems/3.2.0/gems/net-ssh-7.2.0/lib/net/ssh/authentication/key_manager.rb:174:in `sign'
/Users/fahu/.rbenv/versions/3.2.2/lib/ruby/gems/3.2.0/gems/net-ssh-7.2.0/lib/net/ssh/authentication/methods/publickey.rb:60:in `authenticate_with_alg'
/Users/fahu/.rbenv/versions/3.2.2/lib/ruby/gems/3.2.0/gems/net-ssh-7.2.0/lib/net/ssh/authentication/methods/publickey.rb:126:in `authenticate_with'
/Users/fahu/.rbenv/versions/3.2.2/lib/ruby/gems/3.2.0/gems/net-ssh-7.2.0/lib/net/ssh/authentication/methods/publickey.rb:19:in `block in authenticate'
/Users/fahu/.rbenv/versions/3.2.2/lib/ruby/gems/3.2.0/gems/net-ssh-7.2.0/lib/net/ssh/authentication/key_manager.rb:131:in `block in each_identity'
/Users/fahu/.rbenv/versions/3.2.2/lib/ruby/gems/3.2.0/gems/net-ssh-7.2.0/lib/net/ssh/authentication/key_manager.rb:128:in `each'
/Users/fahu/.rbenv/versions/3.2.2/lib/ruby/gems/3.2.0/gems/net-ssh-7.2.0/lib/net/ssh/authentication/key_manager.rb:128:in `each_identity'
/Users/fahu/.rbenv/versions/3.2.2/lib/ruby/gems/3.2.0/gems/net-ssh-7.2.0/lib/net/ssh/authentication/methods/publickey.rb:18:in `authenticate'
/Users/fahu/.rbenv/versions/3.2.2/lib/ruby/gems/3.2.0/gems/net-ssh-7.2.0/lib/net/ssh/authentication/session.rb:87:in `block in authenticate'
/Users/fahu/.rbenv/versions/3.2.2/lib/ruby/gems/3.2.0/gems/net-ssh-7.2.0/lib/net/ssh/authentication/session.rb:71:in `each'
/Users/fahu/.rbenv/versions/3.2.2/lib/ruby/gems/3.2.0/gems/net-ssh-7.2.0/lib/net/ssh/authentication/session.rb:71:in `authenticate'
/Users/fahu/.rbenv/versions/3.2.2/lib/ruby/gems/3.2.0/gems/net-ssh-7.2.0/lib/net/ssh.rb:260:in `start'
/Users/fahu/.rbenv/versions/3.2.2/lib/ruby/gems/3.2.0/gems/kamal-1.0.0/lib/kamal/sshkit_with_ext.rb:95:in `block in start_with_concurrency_limit'
/Users/fahu/.rbenv/versions/3.2.2/lib/ruby/gems/3.2.0/gems/concurrent-ruby-1.2.2/lib/concurrent-ruby/concurrent/atomic/mutex_semaphore.rb:31:in `acquire'
/Users/fahu/.rbenv/versions/3.2.2/lib/ruby/gems/3.2.0/gems/kamal-1.0.0/lib/kamal/sshkit_with_ext.rb:94:in `start_with_concurrency_limit'
/Users/fahu/.rbenv/versions/3.2.2/lib/ruby/gems/3.2.0/gems/sshkit-1.21.5/lib/sshkit/backends/connection_pool.rb:63:in `call'
/Users/fahu/.rbenv/versions/3.2.2/lib/ruby/gems/3.2.0/gems/sshkit-1.21.5/lib/sshkit/backends/connection_pool.rb:63:in `with'
/Users/fahu/.rbenv/versions/3.2.2/lib/ruby/gems/3.2.0/gems/kamal-1.0.0/lib/kamal/sshkit_with_ext.rb:83:in `with_ssh'
/Users/fahu/.rbenv/versions/3.2.2/lib/ruby/gems/3.2.0/gems/sshkit-1.21.5/lib/sshkit/backends/netssh.rb:130:in `execute_command'
/Users/fahu/.rbenv/versions/3.2.2/lib/ruby/gems/3.2.0/gems/sshkit-1.21.5/lib/sshkit/backends/abstract.rb:148:in `block in create_command_and_execute'
<internal:kernel>:90:in `tap'
/Users/fahu/.rbenv/versions/3.2.2/lib/ruby/gems/3.2.0/gems/sshkit-1.21.5/lib/sshkit/backends/abstract.rb:148:in `create_command_and_execute'
/Users/fahu/.rbenv/versions/3.2.2/lib/ruby/gems/3.2.0/gems/sshkit-1.21.5/lib/sshkit/backends/abstract.rb:80:in `execute'
/Users/fahu/.rbenv/versions/3.2.2/lib/ruby/gems/3.2.0/gems/kamal-1.0.0/lib/kamal/cli/base.rb:175:in `block in ensure_run_directory'
/Users/fahu/.rbenv/versions/3.2.2/lib/ruby/gems/3.2.0/gems/sshkit-1.21.5/lib/sshkit/backends/abstract.rb:31:in `instance_exec'
/Users/fahu/.rbenv/versions/3.2.2/lib/ruby/gems/3.2.0/gems/sshkit-1.21.5/lib/sshkit/backends/abstract.rb:31:in `run'
/Users/fahu/.rbenv/versions/3.2.2/lib/ruby/gems/3.2.0/gems/sshkit-1.21.5/lib/sshkit/runners/parallel.rb:12:in `block (2 levels) in execute'

Any idea on how I can solve this?

jmarchello commented 1 year ago

@fahu Have you added your public key to the authorized_keys file on your remote host(s)? AFAIK kamal does not support any way of configuring ssh on your hosts. You need to have them configured to accept ssh connections before running kamal setup.

fahu commented 1 year ago

> @fahu Have you added your public key to the authorized_keys file on your remote host(s)?

Yes, I can ssh to the remote server.

jmarchello commented 1 year ago

And you set an empty passphrase for the key during keygen?

fahu commented 1 year ago

No, I didn't. Is it not possible to connect with keys that have a password?

As I'm even asked for the password, I would not expect this to be the problem 🤔

florentdestremau commented 1 year ago

I kinda have the same issue.

New setup:

servers:
    - 161.xx.xx.xxx (digital ocean server, I can ssh manually on the server)

Using the alias on Ubuntu 22.04:

alias kamal="docker run -it --rm -v '${PWD}:/workdir' -v '/run/host-services/ssh-auth.sock:/run/host-services/ssh-auth.sock' -e SSH_AUTH_SOCK='/run/host-services/ssh-auth.sock' -v /var/run/docker.sock:/var/run/docker.sock ghcr.io/basecamp/kamal:latest"

A kamal setup -v command exits with this error:

  INFO [5f5256e6] Running /usr/bin/env mkdir -p .kamal on 161.xx.xx.xx
 DEBUG [5f5256e6] Command: /usr/bin/env mkdir -p .kamal
  Finished all in 0.3 seconds
  ERROR (Net::SSH::AuthenticationFailed): Exception while executing on host 161.xx.xx.xx: Authentication failed for user root@161.xx.xx.xx
/usr/local/bundle/gems/net-ssh-7.2.0/lib/net/ssh.rb:273:in `start'
/usr/local/bundle/gems/kamal-1.0.0/lib/kamal/sshkit_with_ext.rb:95:in `block in start_with_concurrency_limit'
/usr/local/bundle/gems/concurrent-ruby-1.2.2/lib/concurrent-ruby/concurrent/atomic/mutex_semaphore.rb:31:in `acquire'
/usr/local/bundle/gems/kamal-1.0.0/lib/kamal/sshkit_with_ext.rb:94:in `start_with_concurrency_limit'
/usr/local/bundle/gems/sshkit-1.21.4/lib/sshkit/backends/connection_pool.rb:63:in `call'
/usr/local/bundle/gems/sshkit-1.21.4/lib/sshkit/backends/connection_pool.rb:63:in `with'
/usr/local/bundle/gems/kamal-1.0.0/lib/kamal/sshkit_with_ext.rb:83:in `with_ssh'
/usr/local/bundle/gems/sshkit-1.21.4/lib/sshkit/backends/netssh.rb:130:in `execute_command'
/usr/local/bundle/gems/sshkit-1.21.4/lib/sshkit/backends/abstract.rb:148:in `block in create_command_and_execute'
<internal:kernel>:90:in `tap'
/usr/local/bundle/gems/sshkit-1.21.4/lib/sshkit/backends/abstract.rb:148:in `create_command_and_execute'
/usr/local/bundle/gems/sshkit-1.21.4/lib/sshkit/backends/abstract.rb:80:in `execute'
/usr/local/bundle/gems/kamal-1.0.0/lib/kamal/cli/base.rb:175:in `block in ensure_run_directory'
/usr/local/bundle/gems/sshkit-1.21.4/lib/sshkit/backends/abstract.rb:31:in `instance_exec'
/usr/local/bundle/gems/sshkit-1.21.4/lib/sshkit/backends/abstract.rb:31:in `run'
/usr/local/bundle/gems/sshkit-1.21.4/lib/sshkit/runners/parallel.rb:12:in `block (2 levels) in execute'

I tried the various "eval ssh-agent" tricks found here and there, none of them worked for now.

HeinrichFilter commented 10 months ago

alias kamal="docker run -it --rm -v '${PWD}:/workdir' -v '/run/host-services/ssh-auth.sock:/run/host-services/ssh-auth.sock' -e SSH_AUTH_SOCK='/run/host-services/ssh-auth.sock' -v /var/run/docker.sock:/var/run/docker.sock ghcr.io/basecamp/kamal:latest"

I had various SSH issues while trying to run kamal using the docker alias e.g.

I switched to using the gem and haven't had issues since then.

leomorpho commented 3 months ago

I got the dockerized kamal to work by passing the ssh config as shown in this issue: https://github.com/basecamp/kamal/issues/218#issuecomment-2083590982