hashicorp / packer

Packer is a tool for creating identical machine images for multiple platforms from a single source configuration.
http://www.packer.io

Error message about SSH key with passphrase misdirects you into believing it's invalid, when it's an ssh-agent not being found/able to supply one #11110

Open geoff-reason opened 3 years ago

geoff-reason commented 3 years ago

Overview of the Issue

It seems that when using a predefined ssh key with a passphrase, and that key already being pre-entered into an ssh-agent with passphrase submitted, packer refuses to build an image.

This was fixed for bastion/jumphosts in this issue https://github.com/hashicorp/packer/issues/4732 .

However, I note that `ssh_agent_auth` is also referred to in the documentation, but it does not seem to work.

I note also that there was an attempt to be able to specify passphrase in the config, but I want to use the agent one for the standard ssh access model and possible future agent forwarding functionality.

Reproduction Steps

use:

    communicator = "ssh"
    ssh_agent_auth = true
    ssh_private_key_file = "~/.ssh/some-passphrase-protected-key.pem"

Add this key to your ssh-agent

ssh-add ~/.ssh/some-passphrase-protected-key.pem

<enter passphrase>

Now try packering

Error: 1 error(s) occurred:

* ssh_private_key_file is invalid: Error setting up SSH config: ssh: this private key is passphrase protected

Packer version

Packer v1.7.3

Simplified Packer Buildfile

No need for this, the error happens straight away

Operating system and Environment details

Mac OS X Apple M1 Silicon running packer 1.7.3 for arm64 in a linux docker image.

Log Fragments and crash.log files

Already specified above

geoff-reason commented 3 years ago

Also referencing this - where it was only applied to bastion hosts, not build machines (I think??) https://github.com/hashicorp/packer/pull/4940

geoff-reason commented 3 years ago

Ok this will probably be a docker problem, not being able to access the ssh-agent from the host. Sorry for the issue.

I will research how to forward the agent into the container to see if it works, or start up an ssh-agent inside the container instead - and post back a solution if I get it working.

geoff-reason commented 3 years ago

I decided to reopen the issue, as the error message could be a bit more helpful. The error message might be that it can't find a suitable agent, not that the key is not valid, as the key IS valid according to known configurations. I will amend the title.

SwampDragons commented 3 years ago

Hi, thanks for reaching out. This seems like a valid desire -- I'll leave this open until the Packer team or a community member have a chance to update the error messaging.

rcousens commented 1 year ago

Just some notes from my own exploration of this issue:

golang/crypto throws this error when asked to parse a private key:

ParseRawPrivateKey: https://github.com/golang/crypto/blob/master/ssh/keys.go#L1087

However, if there is a passphrase, this function should be used:

ParseRawPrivateKeyWithPassphrase: https://github.com/golang/crypto/blob/master/ssh/keys.go#L1123
However, Packer uses the first function from above: https://github.com/hashicorp/packer-plugin-sdk/blob/9b87bcd755118d050b7481ca4d16f00aade700b2/communicator/ssh/ssh.go#L53

which is called from here: https://github.com/hashicorp/packer-plugin-sdk/blob/9b87bcd755118d050b7481ca4d16f00aade700b2/communicator/config.go#L555

What I'm trying to say is I think the error message is fine, until the point that Packer decides to support passphrases on ssh private keys.