ssh problem with conflicting keys in .ssh/config

[Germar]

Private key specified in configuration will not override an existing key defined in ~/.ssh/config or /etc/ssh/ssh_config.

I don't think this behavior is expected since a key is explicitly defined in the profile's configuration.

Update: Removed original description since problem is better understood thanks to Germar's help.

---

Imported from Launchpad using lp2gh.

• date created: 2015-03-18T16:12:24Z
• owner: plaxx
• the launchpad url was https://bugs.launchpad.net/bugs/1433682

[Germar]

(by germar) As far as I can see there is not -i option for sshfs. So this wouldn't help over there.

But I don't think this is your problem. We use an own ssh-agent instance for BackInTime (due to bug #841672). And this ssh-agent should only contain those keys which where added by BIT it self. So (IMHO) there can't be to much keys.

There is a problem with password handling (bug #1431305) on which I'm currently working on. I'll push a new version which should hopefully fix this in a few minutes to our testing PPA. Would be great if you could test this (sudo add-apt-repository ppa:bit-team/testing && sudo apt-get update && sudo apt-get upgrade) and report back if problems still exist.

[Germar]

(by germar) Okay, for sshfs this could be done through sshfs -o ssh_command='ssh -i ~/.ssh/KEY'

[Germar]

(by plaxx) Thanks for the quick response!

I don't have a passphrase on my key. I tried at first but created a new one instead (since I was having issues). So I didn't tried your latest version.

I tried on a different server (at home) and I'm getting the same results but I was successful with a direct sshfs mount (using -o ssh_command to setup my key).

I realize now that I have a rather fancy .ssh/config file with strict default ciphers, host aliases and per-entry keys. If BIP is trying to ping the host first based on the name I've given in the config this will never work (its an alias to an .ssh/config entry).

Ping failed. Host is down or wrong address.

If I give the full hostname or the IP of the machine it won't work either because of very strict default cipher list. I add exceptions overrides in my .ssh/config for old servers (which my backup servers happen to be).

With the latest version, I added in my .ssh/config an alias to an hardcoded IP address and used that address in the BIP config and I got further. It requested the passphrase specified by my .ssh/config entry for this host. Not being overridden by the one I specified in BIP.

I would have no problem with setuping a specific .ssh/config entry only with the right passwordless key and ssh cipher options for BIP but if it needs to be pingable then it definitely limits my options.

Step by step instructions on how to reproduce the ssh-agent/sshfs environment that BIP is setuping would be awesome and I would be willing to spend some time crafting some ssh troubleshooting FAQ entry with your input. This would help users figure problems by themselves I think.

Ultimately shouldn't you specify the exact key provided by the user using the "-o ssh_command=..." or lookup if there is an entry in .ssh/config before trying to ping it and if so trust the user, ssh and sshfs to do the right thing.

[Germar]

(by plaxx) I found a workaround.

Create a new hostname in your /etc/hosts pointing to your server IP. Setting this hostname in BIP will satisfy the "server must be pingable requirement".

Connect to this host with ssh. This will make sure that an entry is created in your .ssh/known_hosts for this new hostname. (If you skip this test BIP will complain about a lack of entry of that server in ssh_known_host.)

Add a new entry in your .ssh/config under that hostname and set whatever cipher and/or key requirement you have.

Configure BIP to use this new hostname for ssh backups.

Profit!

I think I wouldn't have to do any of this if BIP would:

• specify a "-o ssh_command='ssh -i ~/.ssh/KEY'" when calling sshfs. My .ssh/config would be honored and the key overridden.
• doesn't have a 'host must be pingable' requirement

I'll check if this would be easily done.

[Germar]

(by germar) Good to hear that you was able to fix this. I wrote this before your last post and will post it anyways ;-)

I'll consider the '-i ' option. But it won't make it into next release anymore.

---

Okay, with passphrase-less keys the other bug shouldn't matter.

Host must be a regular domain or IP Address. Aliases would only work if you define them in /etc/hosts.

A strict cipher list shouldn't matter as long as you leave cipher in BIT to default. This will let ssh negotiate the cipher. If you choose one in BIT this will add '-o Ciphers=' so only this one is allowed.

Here is what BIT does for SSH after pressing OK in Settings:

1. unlock_ssh_agent:
   • check if 'ssh-add -l' contains privat key's fingerprint
   • if not set environ SSH_ASKPASS=backintime-askpass and run 'ssh-add '
   • check again if 'ssh-add -l' contains fingerprint and raise error if not
2. check_ping_host: this is actually no ping anymore as some people deactivate ICMP. instead this does a port check with trying 5 times to connect to configured Host/Port with 2sec timeout.
3. check_fuse:
   • check if sshfs is installed (same like 'which sshfs')
   • check if current user is in group 'fuse'
   • if group 'fuse' does not exist just pass as it is most probaply not used on this distri
4. check_known_hosts:
   • run 'ssh-keygen -F ' and check if this returns 'Host found'
   • this is done twice. First with configured host and second with []:
5. check_login:
   • try to run 'ssh -o PreferredAuthentications=publickey -p -o ServerAliveInterval=240 USER>@<HOST echo "Hello"' (all one line)
6. check_cipher:
   • if cipher is 'default' just pass this test
   • try to run 'ssh -o Ciphers= -p -o ServerAliveInterval=240 USER>@<HOST echo "Hello"'

7. check_remote_folder: this will run a script on remote to check if snapshot folder exist and is rwx. If it doesn't exist it will create it.

   script (all one line): d=0; test -e || d=1; test $d -eq 1 && mkdir ; err=$?; test $d -eq 1 && exit $err; test -d || exit 11; test -w || exit 12; test -x || exit 13; exit 20

   run with 'ssh -p -o ServerAliveInterval=240 USER>@<HOST Githubissues.

8. Githubissues is a development platform for aggregating issues.