platformsh / legacy-cli

This is the legacy version of Platform.sh's command-line interface. The new version is at: https://github.com/platformsh/cli
https://docs.platform.sh/administration/cli.html
MIT License

Inconsistency between ssh:add key location and environment:ssh search path #796

Open royallthefourth opened 5 years ago

royallthefourth commented 5 years ago

A user reports that ssh:add does not always store a newly generated key in the same search path that's used by environment:ssh. This is particularly confusing in Lando environments that generate a key at /var/www/.ssh, then search for keys in /user/.ssh at connection time.

See the full example below from @gilzow:


Before doing anything:

$ ls -al /var/www/.ssh/
total 8
drwxr-xr-x 2 www-data dialout 4096 May 10 00:24 .
drwxr-xr-x 6 www-data dialout 4096 May 10 00:24 ..
lrwxrwxrwx 1 www-data dialout   22 May 10 00:24 known_hosts -> /user/.ssh/known_hosts

$ cat /etc/ssh/ssh_config
Host *
  User gilzowp
  StrictHostKeyChecking no
  UserKnownHostsFile=/dev/null
  LogLevel=ERROR
  IdentityFile /user/.ssh/id_rsa

$ ls -al /user/.ssh/
total 12
drwxr-xr-x  5 www-data dialout  160 May 10 00:17 .
drwxr-xr-x 41 www-data dialout 1312 May 10 00:24 ..
-rwx------  1 www-data dialout 3389 May 10 00:15 id_rsa
-rw-r--r--  1 www-data dialout  746 May 10 00:15 id_rsa.pub
-rw-r--r--  1 www-data dialout  578 May 10 00:20 known_hosts

$ platform ssh-keys
You do not yet have any SSH public keys in your Platform.sh account.

$ platform ssh-key:add
Generate a new key? [Y/n] y
Generated a new key: /var/www/.ssh/id_rsa.pub
Enter a name for the key [0a4833eccdec]: lando-inside
The SSH key id_rsa.pub has been successfully added to your Platform.sh account.

Redeployed master:

$ platform redeploy -e master
Are you sure you want to redeploy the environment master? [Y/n] y
Waiting for the activity ewy3vjevndzpi (Paul Gilzow-Mizzou redeployed environment Master):
Activity ewy3vjevndzpi succeeded

$ platform ssh
Permission denied (publickey)

$ platform ssh-keys
Your SSH keys are:
+--------+--------------+----------------------------------+
| ID     | Title        | Fingerprint                      |
+--------+--------------+----------------------------------+
| 117995 | lando-inside | 4b84697a780f180b794359ff04700faf |
+--------+--------------+----------------------------------+

$ platform ssh -vvv
DEBUG Finding the project root
DEBUG Project root found: /app
DEBUG Project hhjrrzu6xhki2 is mapped to the current directory
Running command: 'git' 'rev-parse' '--abbrev-ref' '--symbolic-full-name' '@{u}'
  Working directory: /app
DEBUG Selected environment Master (master), based on Git upstream: origin/master
DEBUG Found app(s): app
Running command: ssh '-o' 'SendEnv TERM' '-o' 'LogLevel DEBUG' -t 'hhjrrzu6xhki2-master-7rqtwti--app@ssh.us-2.platform.sh'
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 1: Applying options for *
debug1: Connecting to ssh.us-2.platform.sh [54.89.106.200] port 22.
debug1: Connection established.
debug1: identity file /user/.ssh/id_rsa type 1
debug1: key_load_public: No such file or directory
debug1: identity file /user/.ssh/id_rsa-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.4p1 Debian-10+deb9u6
debug1: Remote protocol version 2.0, remote software version Platform.sh
debug1: no match: Platform.sh
debug1: Authenticating to ssh.us-2.platform.sh:22 as 'hhjrrzu6xhki2-master-7rqtwti--app'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256@libssh.org
debug1: kex: host key algorithm: ssh-rsa
debug1: kex: server->client cipher: aes128-ctr MAC: hmac-sha2-256-etm@openssh.com compression: none
debug1: kex: client->server cipher: aes128-ctr MAC: hmac-sha2-256-etm@openssh.com compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ssh-rsa SHA256:OrF13kDxP+BXxR12c1xWnn3iTz0tmIWwNnWIZxk9h7g
Warning: Permanently added 'ssh.us-2.platform.sh,54.89.106.200' (RSA) to the list of known hosts.
debug1: rekey after 4294967296 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey after 4294967296 blocks
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /user/.ssh/id_rsa
debug1: Authentications that can continue: publickey
debug1: No more authentication methods to try.
Permission denied (publickey).

pjcdawkins commented 5 years ago

This was always intended to be separate: it would just create an SSH key via the normal ssh-keygen (which defaults to ~/.ssh/id_rsa), and then you'd proceed to use SSH via the normal ssh (which searches for keys in a handful of well-known paths like ~/.ssh/id_rsa).

If you have a key in a non-standard location then the usual solution is to add it to an SSH agent, hence the tip here: https://github.com/platformsh/platformsh-cli/blob/4803c7ca2b1afe47ea310aeb4e1a9e961ad0b8d4/src/Command/SshKey/SshKeyAddCommand.php#L53-L58

But here /var/www/.ssh/id_rsa is being used as a standard location for key generation (ssh-keygen) because /var/www is the home directory, and /user/.ssh is being used by the SSH client because suddenly /user is the home directory. It sounds like Lando is messing up $HOME.

I guess there's some potential of having CLI-specific keys that are searched and added via SSH config (that would be a feature request), but that would be confusing for users who want to use vanilla ssh or other SSH-based tools like rsync, Drush, etc.
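An added example, not code from the issue or from the Platform.sh CLI: a pure-shell check that reproduces the mismatch in the report by comparing where a key was generated with the IdentityFile paths ssh would actually offer. The sample config is a constructed copy of the /etc/ssh/ssh_config shown above; the function names are hypothetical, and the home directory each side used is passed in explicitly.

```shell
#!/bin/sh
# Added example (not from the issue or the CLI): detect a key generated under one
# home directory (/var/www in the report) that ssh, steered by ssh_config, never
# looks for because it only tries /user/.ssh/id_rsa.

# Constructed copy of the /etc/ssh/ssh_config from the report; no ssh binary is needed.
SAMPLE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
Host *
  User gilzowp
  StrictHostKeyChecking no
  UserKnownHostsFile=/dev/null
  LogLevel=ERROR
  IdentityFile /user/.ssh/id_rsa
EOF

# identity_files CONFIG HOME_DIR: print each IdentityFile path in CONFIG, accepting
# both "Keyword value" and "Keyword=value" forms and expanding a leading ~ against
# HOME_DIR. With no IdentityFile at all, fall back to OpenSSH's default key names.
identity_files() {
    found=$(awk 'tolower($1) ~ /^identityfile(=.*)?$/ {
                    line = $0
                    sub(/^[ \t]*[^ \t=]+[ \t=]*/, "", line)   # drop keyword and separator
                    print line
                 }' "$1")
    [ -n "$found" ] || found='~/.ssh/id_rsa ~/.ssh/id_ecdsa ~/.ssh/id_ed25519'
    for f in $found; do
        case $f in '~'*) f="$2${f#?}" ;; esac
        echo "$f"
    done
}

# keygen_default HOME_DIR: the ~/.ssh/id_rsa default, resolved against the home
# directory the key generator used (ssh-key:add wrote /var/www/.ssh/id_rsa above).
keygen_default() { echo "$1/.ssh/id_rsa"; }

# check_key_paths CONFIG KEYGEN_HOME SSH_HOME: print "ok" when the generated key is
# among the identities ssh will offer, otherwise "mismatch: <key>" with the list
# actually searched on stderr (exit 1). Paths containing spaces are not handled.
check_key_paths() {
    gen=$(keygen_default "$2")
    for id in $(identity_files "$1" "$3"); do
        [ "$id" = "$gen" ] && { echo ok; return 0; }
    done
    echo "mismatch: $gen"
    echo "ssh would only offer: $(identity_files "$1" "$3" | tr '\n' ' ')" >&2
    return 1
}

check_key_paths "$SAMPLE_CONF" /var/www /user || :   # the report's case: mismatch
```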