jsiebens / hashi-up

bootstrap HashiCorp Consul, Nomad, or Vault over SSH < 1 minute
MIT License

Allow for host authentication #15

Closed brizzbuzz closed 3 years ago

brizzbuzz commented 3 years ago

Hey, awesome tool, I had previously abandoned a vault installation because it was a headache lol. This looks like it resolves a lot of that pain.

Was running through your digital ocean demo for vault and came across a small little issue.

When a new droplet is created, (at least on Mac) you need to actually ssh to the box ahead of running hashi-up. The reason being, for new SSH connections, you need to approve adding the host.

Reproduce

To recreate, create a new droplet

doctl compute droplet create --image ubuntu-18-04-x64 --size s-1vcpu-2gb --region nyc1 vault --tag-names vault --wait --ssh-keys $SSH_KEY 

try to run hashi-up

hashi-up vault install --ssh-target-addr 111.111.111.11 --version 1.7.1 --ssh-target-key ~/my/key

you should(?) get the following error

Error: TargetConnectError

There was an issue connecting to your target host. 
This could happen when hashi-up can not reach the target host or when the private key authentication is invalid.

The resolution here is super simple, you should just be able to run

ssh -i /my/key root@111.111.111.11

and manually approve the host

The authenticity of host '111.111.111.11' can't be established.
ECDSA key fingerprint is {{omitted}}.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes

at this point you can go ahead with hashi-up.

Since this isn't really a bug with hashi-up, I wonder if the best path forward is to pass the host authentication through to the user, if possible. Alternatively, perhaps just a warning in the error output to make sure users have checked their host authentication.

jsiebens commented 3 years ago

Hi @rgbrizzlehizzle,

I couldn't reproduce this issue myself (yet). At this moment, hashi-up ignores host keys, so I believe the issue is related to something else, e.g. the ssh server was not ready yet or something similar. With the latest release, some additional info is printed out when something went wrong. Perhaps you can give it a try?
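The prompt quoted in the first comment shows the host key fingerprint ssh asks the user to confirm, and the reply above notes that hashi-up itself ignores host keys, so the manual `ssh` step is the only point at which the target's identity is actually checked. The following is an added example, not hashi-up code, showing how a known_hosts entry (plain or hashed) is matched to a host and how the `SHA256:` fingerprint ssh prints is derived from the stored key, so the fingerprint in that prompt can be compared against an entry recorded beforehand instead of being accepted blindly. The key blob, the salt and the host name `vault.example.internal` are constructed sample values; `111.111.111.11` is the placeholder address used in the issue.

```python
"""Offline check of an SSH host key fingerprint against a known_hosts file.

Added example, not part of hashi-up. Standard library only.
"""
import base64
import hashlib
import hmac
import struct


def fingerprint_sha256(key_b64: str) -> str:
    """OpenSSH-style fingerprint: SHA256 over the raw key blob, base64 with
    the trailing '=' padding removed, exactly as ssh prints it in its prompt."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def hashed_hostname(host: str, salt: bytes) -> str:
    """Build the '|1|<salt>|<hmac>' host field that HashKnownHosts writes
    (HMAC-SHA1 of the host name keyed with a per-entry salt)."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|{}|{}".format(base64.b64encode(salt).decode(),
                             base64.b64encode(mac).decode())


def host_matches(host_field: str, host: str) -> bool:
    """The first known_hosts field is either a hashed entry or a
    comma-separated list of names/addresses (wildcards not handled here)."""
    if host_field.startswith("|1|"):
        parts = host_field.split("|")
        if len(parts) != 4:
            return False
        try:
            salt = base64.b64decode(parts[2])
            stored_mac = base64.b64decode(parts[3])
        except ValueError:
            return False
        expected = hmac.new(salt, host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(expected, stored_mac)
    return host in host_field.split(",")


def lookup_host_keys(known_hosts_text: str, host: str) -> list:
    """Return (marker, key_type, fingerprint) for every entry matching host.
    marker is '' for an ordinary entry, '@revoked' or '@cert-authority' otherwise."""
    found = []
    for raw in known_hosts_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        marker = ""
        if fields[0].startswith("@"):
            marker, fields = fields[0], fields[1:]
        if len(fields) < 3:
            continue
        host_field, key_type, key_b64 = fields[:3]
        if host_matches(host_field, host):
            found.append((marker, key_type, fingerprint_sha256(key_b64)))
    return found


def prompt_fingerprint_is_known(known_hosts_text: str, host: str,
                                key_type: str, shown_fp: str) -> bool:
    """True only if the (type, fingerprint) pair from the ssh prompt is recorded
    as an ordinary entry for host and is not listed as @revoked."""
    entries = lookup_host_keys(known_hosts_text, host)
    if ("@revoked", key_type, shown_fp) in entries:
        return False
    return ("", key_type, shown_fp) in entries


# --- constructed sample data (not a real key, not from the issue) ------------
# An ssh-ed25519 blob is: uint32 len + "ssh-ed25519" + uint32 32 + 32 key bytes.
_SAMPLE_BLOB = (struct.pack(">I", 11) + b"ssh-ed25519"
                + struct.pack(">I", 32) + bytes(range(32)))
SAMPLE_KEY_B64 = base64.b64encode(_SAMPLE_BLOB).decode()
SAMPLE_SALT = bytes(range(20))             # constructed; OpenSSH uses 20 random bytes
SAMPLE_HOST = "vault.example.internal"     # hypothetical name for the hashed entry

SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed known_hosts: one plain entry, one hashed entry, one revoked key",
    "111.111.111.11 ssh-ed25519 " + SAMPLE_KEY_B64,
    hashed_hostname(SAMPLE_HOST, SAMPLE_SALT) + " ssh-ed25519 " + SAMPLE_KEY_B64,
    "@revoked 10.0.0.9 ssh-ed25519 " + SAMPLE_KEY_B64,
])

if __name__ == "__main__":
    host = "111.111.111.11"
    for marker, key_type, fp in lookup_host_keys(SAMPLE_KNOWN_HOSTS, host):
        print(host, marker or "-", key_type, fp)
    # Compare against the value from the "key fingerprint is ..." prompt line:
    print(prompt_fingerprint_is_known(SAMPLE_KNOWN_HOSTS, host,
                                      "ssh-ed25519", "SHA256:not-the-real-one"))
```

In practice the known_hosts text would be read from `~/.ssh/known_hosts` (or a file populated out of band from the provider's console), and the `key_type`/fingerprint arguments are the two values ssh prints in the prompt quoted above; a `False` result means the prompt should not be answered `yes`.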

brizzbuzz commented 3 years ago

Hmm, it's possible that it was a transient server error, I'll close this.

coreycarvalho commented 2 years ago

This might still be an issue, I opened up a new issue here: https://github.com/jsiebens/hashi-up/issues/35