Closed FreedomBen closed 3 years ago
Does podman system connection add ... fail, and did you run this on the client or server? Can you provide the output of podman system connection ls?
@Luap99 thanks for looking into this. podman system connection add does not fail. I ran it on the client. Output of podman system connection ls is:
[ben@benssystem76 ~]$ podman system connection ls
Name Identity URI
test3* /home/ben/.ssh/id_rsa ssh://ben@192.168.2.186:22/run/user/1000/podman/podman.sock
That is the correct username and IP for the remote machine, and the SSH key is in the client ssh agent. SSHing normally works fine.
I followed the steps and it worked for me. Not sure what's going on here if normal ssh works.
@baude @jwhonce any ideas? This issue has five thumbs up so I guess more people are running into this.
@Luap99 I don't know if it helps, but I dug into it a bit and the error message comes from a dependency, line 77 of vendor/golang.org/x/crypto/ssh/client_auth.go
For convenience again this is the error message:
Error: Failed to create sshClient: Connection to bastion host (ssh://ben@192.168.2.186:22/run/user/1000/podman/podman.sock) failed.: ssh: handshake failed: ssh: unable to authenticate, attempted methods [none publickey], no supported methods remain
I wondered if the SSH connection doesn't even try to authenticate with the key. If the key isn't in the ssh-agent then it will ask for the passphrase but then fails the same way.
I also thought maybe there's a bug in crypto/ssh, or that we aren't doing it right in pkg/bindings/connection.go, but I didn't see anything obvious, and it appears that crypto/ssh is used extensively by large projects, so a bug like this feels unlikely.
That error is coming from pkg/bindings/connection.go:252. The go ssh client is failing to connect to the remote sshd. It currently uses either public key (directly or via ssh-agent) or password authentication methods. Given your connection string it should be using public key. If you add the --log-level=debug option, you should see debugging events printed to the screen showing you additional information on the identity parsing. This debugging will also inform you if an ssh-agent has been found. But I doubt that with the error message including [none publickey] methods.
$ podman --log-level=debug ps [9:59:16]
INFO[0000] podman filtering at log level debug
DEBU[0000] Called ps.PersistentPreRunE(podman --log-level=debug ps)
DEBU[0000] Found SSH_AUTH_SOCK "/private/tmp/com.apple.launchd.VBspeEuRIU/Listeners", ssh-agent signer enabled
Error: Failed to create sshClient: Connection to bastion host (ssh://root@leno/run/podman/podman.sock) failed.: ssh: handshake failed: ssh: unable to authenticate, attempted methods [none publickey], no supported methods remain
FAIL: 125
And ssh has no problem connecting to the host. Yes, I am using ssh-agent as the keys are encrypted at rest.
$ ssh-add -l [10:03:13]
4096 SHA256:IIgRCJ84QIlEIoYJ1RiFYRwPlbxXVr3z/7jo+FTM6zg /Users/ssbarnea/.ssh/id_rsa (RSA)
2048 SHA256:oAGaCUURqEYWeDlI5OfD+lGUfTb8IYy0e79jLQojXM0 /Users/ssbarnea/.ssh/id_rsa.uploader (RSA)
4096 SHA256:ICr5NPxWA0AyFifvQt/n/N4fFiy/Y9dezPQl2FiklD0 sorin.sbarnea+bot@gmail.com (RSA)
The correct key is the first one but I really doubt that the macos podman cli is really trying to use the agent key.
@FreedomBen I added https://github.com/containers/podman/issues/8499#issuecomment-736639134 Could that be related here as well?
@jwhonce Interesting, it could be related. When I tried podman-remote without the key in my SSH agent I was prompted for my passphrase, but then after entering the passphrase it failed to authenticate in the same way. I can try some of these things a bit later, tomorrow for sure.
Hi, did you run this command? I have the same error on my macOS Big Sur. I did it with "https://github.com/containers/podman/blob/master/docs/tutorials/mac_win_client.md", then I found this error:
$ podman ps
Error: failed to create sshClient: dial unix /private/tmp/com.apple.launchd.zFwQB0vrnx/Listeners: connect: no such file or directory
FAIL: 125
I think it is an ssh-client or system config question; after I ran that command, it was solved.
eval "$(ssh-agent -s)"
A friendly reminder that this issue had no activity for 30 days.
@jwhonce @baude PTAL
@ssbarnea @Talbot3 @FreedomBen Is this still an issue? A lot of work has been happening in podman-remote for Mac.
Ah! Fedora by default rejects RSA keys; if you use an ed25519 key, this works properly. Closing now. If this is still an issue, please re-open.
I would like to confirm the above, saw the same issue (Fedora 34 host, Big Sur 11.3.1 Mac, podman 3.1.2 at both ends). By generating an ed25519 key this worked perfectly after a frustrating 30 minutes with my old rsa key.
Thanks @tonykay, I've run into the same issue on my macOS Big Sur.
I think this article https://www.redhat.com/sysadmin/podman-clients-macos-windows should be updated accordingly
@rhatdan @ashley-cui I think forcing people to regenerate keys here is a pretty poor user experience.
I'm also concerned that the actual issue is that podman/go are using SHA1 for the key exchange protocol for RSA keys and that's actually what is causing issues in some cases. When I tried using an RSA key on a CentOS Stream 9 machine to copy an image to a different CentOS 9 Stream machine, it keeps failing even though normal ssh between the machines with the same key works fine. If that's actually the case, then having podman use a different encryption for the key exchange should allow RSA keys to work.
@baude @jwhonce @mtrmac @vrothberg PTAL
Cc: @lsm5
I am still hitting this problem on an M1 Mac even after regenerating the ssh key.
$ ssh-keygen -t ed25519 -C "your_email@example.com"
$ eval "$(ssh-agent -s)"
# modify ~/.ssh/config
$ ssh-add -K ~/.ssh/id_ed25519
$ podman-remote system connection add myuser --identity ~/.ssh/id_ed25519 ssh://192.168.122.1/run/user/1000/podman/podman.sock
$ podman-remote system connection default myuser
$ podman-remote system connection list
Name Identity URI
myuser* /Users/myuser/.ssh/id_ed25519 ssh://myuser@192.168.122.1:22/run/user/1000/podman/podman.sock
$ podman machine init
$ podman machine start
$ podman info --log-level=debug
INFO[0000] podman filtering at log level debug
DEBU[0000] Called info.PersistentPreRunE(podman info --log-level=debug)
DEBU[0000] SSH Ident Key "/Users/myuser/.ssh/id_ed25519" SHA256:ubDEOIjZO+n01TviiUX8+4gICWwAlbO/6l/6SCNy/NY ssh-ed25519
DEBU[0000] Found SSH_AUTH_SOCK "/var/folders/n1/_q7tx11j5cl8pv3m3n2q38p40000gn/T//ssh-VlRRohsdSvuz/agent.24841", ssh-agent signer(s) enabled
Error: failed to create sshClient: Connection to bastion host (ssh://myuser@192.168.122.1:22/run/user/1000/podman/podman.sock) failed.: dial tcp 192.168.122.1:22: i/o timeout
macOS doesn't have the systemctl command which most of the docs use; are there any relevant launchctl commands Mac users need to run?
TBH, I find it very annoying that I need to run podman machine start every time after a reboot. I wish there was a way to either configure podman to start the machine on demand or automatically at login. Probably on demand would be a better approach as it would not drain the battery or hog the CPU when not really needed.
@jwboyer do you have a reproducer for this? I tried podman system connection add --identity $RSA_KEY $CONNECTION_NAME $REMOTE_HOST on both C9S and Fedora. Worked on C9S, didn't work on Fedora, I suspect because of Fedora getting rid of RSA. And of course, podman image scp $IMAGE $CONNECTION_NAME:: also worked fine on C9S. This was with podman-4.0.3-1.el9.x86_64
Yep, I tried this again today using a CentOS Stream 9 VM trying to podman image scp to a RHEL 9 Beta machine using a 2048 bit RSA key.
CentOS Stream 9 machine info
[jwboyer@localhost ~]$ cat /etc/os-release
NAME="CentOS Stream"
VERSION="9"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="9"
PLATFORM_ID="platform:el9"
PRETTY_NAME="CentOS Stream 9"
ANSI_COLOR="0;31"
LOGO="fedora-logo-icon"
CPE_NAME="cpe:/o:centos:centos:9"
HOME_URL="https://centos.org/"
BUG_REPORT_URL="https://bugzilla.redhat.com/"
REDHAT_SUPPORT_PRODUCT="Red Hat Enterprise Linux 9"
REDHAT_SUPPORT_PRODUCT_VERSION="CentOS Stream"
[jwboyer@localhost ~]$ rpm -q podman
podman-4.0.3-1.el9.x86_64
[jwboyer@localhost ~]$
SSH connection with the key working:
[jwboyer@localhost ~]$ ssh -A 192.168.122.170
Warning: Permanently added '192.168.122.170' (ED25519) to the list of known hosts.
Web console: https://localhost:9090/ or https://192.168.122.170:9090/
Last login: Mon Apr 25 13:02:35 2022 from 192.168.122.1
[jwboyer@localhost ~]$ exit
[jwboyer@localhost ~]$ update-crypto-policies --show
DEFAULT
[jwboyer@localhost ~]$
Podman connection add
[jwboyer@localhost ~]$
podman image scp failing with handshake issue
[jwboyer@localhost ~]$ podman pull ubi8
Resolved "ubi8" as an alias (/etc/containers/registries.conf.d/001-rhel-shortnames.conf)
Trying to pull registry.access.redhat.com/ubi8:latest...
Getting image source signatures
Checking if image destination supports signatures
Copying blob 4eef1fa1f1c1 done
Copying blob eb24191cef20 done
Copying config c54243b588 done
Writing manifest to image destination
Storing signatures
c54243b58814cd424740dfebb046f356ba3acc23f04e04ffba60004eb1e8b0ea
[jwboyer@localhost ~]$ podman image scp ubi8 CONNECTION::
Copying blob 30adffdbd388 done
Copying blob 0804b3644b85 done
Copying config c54243b588 done
Writing manifest to image destination
Storing signatures
Key Passphrase:
Error: failed to connect: ssh: handshake failed: ssh: unable to authenticate, attempted methods [none publickey], no supported methods remain
[jwboyer@localhost ~]$
RHEL 9 VM info
[jwboyer@localhost ~]$ cat /etc/os-release
NAME="Red Hat Enterprise Linux"
VERSION="9.0 (Plow)"
ID="rhel"
ID_LIKE="fedora"
VERSION_ID="9.0"
PLATFORM_ID="platform:el9"
PRETTY_NAME="Red Hat Enterprise Linux 9.0 Beta (Plow)"
ANSI_COLOR="0;31"
LOGO="fedora-logo-icon"
CPE_NAME="cpe:/o:redhat:enterprise_linux:9::baseos"
HOME_URL="https://www.redhat.com/"
DOCUMENTATION_URL="https://access.redhat.com/documentation/red_hat_enterprise_linux/9/"
BUG_REPORT_URL="https://bugzilla.redhat.com/"
REDHAT_BUGZILLA_PRODUCT="Red Hat Enterprise Linux 9"
REDHAT_BUGZILLA_PRODUCT_VERSION=9.0
REDHAT_SUPPORT_PRODUCT="Red Hat Enterprise Linux"
REDHAT_SUPPORT_PRODUCT_VERSION="9.0 Beta"
[jwboyer@localhost ~]$ rpm -q podman
podman-4.0.2-4.el9_0.x86_64
[jwboyer@localhost ~]$ update-crypto-policies --show
DEFAULT
[jwboyer@localhost ~]$
As you can see, SSH works fine between the machines with the same key, but podman image scp fails with the handshake issue. RSA keys aren't deprecated in CS9/RHEL9 and the regular ssh connection works fine.
I have also hit this issue, with RSA keys being rejected. I agree with @jwboyer that it would be far better for users to be able to use the same keys that are usable by the standard ssh client.
To be clear, I am able to ssh using the RSA key, but podman rejects it, so this is not simply the remote host rejecting the key. I have seen this sshing to Ubuntu 22.04 and CentOS 9. In general it would be preferable for podman to default to using the same ssh keys that the ssh client uses rather than having to specify CONTAINER_SSHKEY or --identity.
Could this be reopened as I think there's still an issue in podman here?
If the hypothesis is using SSH with RSA keys and SHA1 (where it should be using SHA2), please follow #14001, it contains more recent investigation, and in particular a supposed fix.
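A diagnostic for the SHA-1 hypothesis discussed in this thread, added here as an example and not code from podman or from anyone in the thread: it reads the server-sig-algs list that an OpenSSH client prints in ssh -vv debug output (the debug line format is assumed) and reports whether the server still accepts SHA-1 ssh-rsa signatures or only the rsa-sha2 variants; the sample debug line is constructed.

```shell
#!/bin/sh
# Added diagnostic, not podman's code. Reads OpenSSH "ssh -vv" debug output and
# classifies the server's RSA signature support from the server-sig-algs
# extension it advertises:
#   sha1-ok   - "ssh-rsa" (SHA-1 signatures) still accepted
#   sha2-only - only rsa-sha2-256 / rsa-sha2-512 accepted; a client library
#               that signs RSA keys only with SHA-1 fails publickey auth here
#               and ends with "attempted methods [none publickey]"
#   no-rsa    - no RSA signature algorithm offered at all
# Assumes the debug line contains "server-sig-algs=<alg1,alg2,...>".

# Extract the comma-separated algorithm list from debug output on stdin.
server_sig_algs() {
    sed -n 's/.*server-sig-algs=<\([^>]*\)>.*/\1/p' | head -n 1
}

# Exit 0 if the list (argument 1) contains exactly the algorithm name (argument 2).
has_alg() {
    printf '%s\n' "$1" | tr ',' '\n' | grep -qx "$2"
}

classify_rsa_support() {
    if has_alg "$1" ssh-rsa; then
        echo sha1-ok
    elif has_alg "$1" rsa-sha2-256 || has_alg "$1" rsa-sha2-512; then
        echo sha2-only
    else
        echo no-rsa
    fi
}

# Constructed sample resembling what a host whose crypto policy drops SHA-1
# signatures would advertise. Against a live host run instead:
#   ssh -vv user@host true 2>&1 | server_sig_algs
SAMPLE_LOG='debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ecdsa-sha2-nistp256,rsa-sha2-256,rsa-sha2-512>'

demo() {
    algs=$(printf '%s\n' "$SAMPLE_LOG" | server_sig_algs)
    classify_rsa_support "$algs"
}

demo
```

If the result is sha2-only while the RSA key works with a current OpenSSH client, the client library's signature algorithm rather than the key itself is the thing to check.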
Am I right to assume there won't be a fix/workaround in v3.x then? :(
That is a safe assumption.
I ran the eval "$(ssh-agent -s)" command.
Before running the command:
Cannot connect to Podman. Please verify your connection to the Linux system using `podman system connection list`, or try `podman machine init` and `podman machine start` to manage a new Linux VM
Error: unable to connect to Podman. failed to create sshClient: Connection to bastion host (ssh://core@localhost:59949/run/user/1000/podman/podman.sock) failed.: ssh: handshake failed: s
After running the command:
$ podman ps
Cannot connect to Podman. Please verify your connection to the Linux system using `podman system connection list`, or try `podman machine init` and `podman machine start` to manage a new Linux VM
Error: unable to connect to Podman. failed to create sshClient: dial unix C:/Users/yabdong/AppData/Local/Temp/ssh-WE7zhJvY7rSa/agent.1145: connect: No connection could be made because the target machine actively refused it.
Is this a BUG REPORT or FEATURE REQUEST? (leave only one on its own line)
/kind bug
Description
Trying to run Podman on a remote machine and use the podman-remote client to drive it.
Following instructions here: https://github.com/containers/podman/blob/master/docs/tutorials/mac_win_client.md
Podman on the remote machine seems to be working fine, but it cannot be driven by the local podman because the local Podman fails to authenticate properly over SSH.
Steps to reproduce the issue:
Describe the results you received:
Authentication error:
Error: Failed to create sshClient: Connection to bastion host (ssh://ben@192.168.2.186:22/run/user/1000/podman/podman.sock) failed.: ssh: handshake failed: ssh: unable to authenticate, attempted methods [none publickey], no supported methods remain
Describe the results you expected:
I expected podman-remote ps to behave normally, outputting something like this:
Additional information you deem important (e.g. issue happens only occasionally):
I also tried adding the connection with an explicit identity file instead of relying on the SSH agent:
podman system connection add test2 --identity /home/ben/.ssh/id_rsa ssh://192.168.122.1/run/user/1000/podman/podman.sock
When running podman-remote ps with that connection, I am prompted for the passphrase for the SSH key (as I would expect) but I get the same error message indicating that authentication failed, I think because podman didn't do the SSH handshake properly or something:
Error: Failed to create sshClient: Connection to bastion host (ssh://ben@192.168.2.186:22/run/user/1000/podman/podman.sock) failed.: ssh: handshake failed: ssh: unable to authenticate, attempted methods [none publickey], no supported methods remain
I also checked to make sure that /run/user/1000/podman/podman.sock existed on the remote machine, and it did. Remote user id is 1000 as expected.
Output of podman version:
Output of podman info --debug:
Package info (e.g. output of rpm -q podman or apt list podman):
Have you tested with the latest version of Podman and have you checked the Podman Troubleshooting Guide?
Yes
Additional environment details (AWS, VirtualBox, physical, etc.):
Remote podman is the same latest version (2.1.1), running on an F33 Server that is in a KVM VM on a Dell R620 host. Local podman version 2.1.1 is on an F32 Workstation with Gnome 3, and a nice photo of my family as the wallpaper background and screensaver.