ployground / ploy

A tool to manage servers through a central configuration. Plugins allow provisioning, configuration and other management tasks.
http://ploy.readthedocs.org
BSD 3-Clause "New" or "Revised" License

paramiko ssh doesn't support proxying encrypted ssh keys #46

Open igalic opened 7 years ago

igalic commented 7 years ago

When trying to connect to a jail:

ERROR: Failed to connect to ez-instance:i_eena_me (10.0.0.2)
ERROR: username: 'root'
ERROR: port: 22
ERROR: sock: <paramiko.proxy.ProxyCommand object at 0x7f2a80a6bed0>
ERROR: Couldn't validate fingerprint for ssh connection.
ERROR: Private key file is encrypted
ERROR: Is the instance finished starting up?

or configure it:

PLAY [jailhost-i_eena_me] ***************************************************** 

GATHERING FACTS *************************************************************** 
ERROR: Failed to connect to ez-instance:i_eena_me (10.0.0.2)
ERROR: username: 'root'
ERROR: port: 22
ERROR: sock: <paramiko.proxy.ProxyCommand object at 0x7f46fb3ef6d0>
fatal: [jailhost-i_eena_me] => Couldn't validate fingerprint for 'ez-instance:i_eena_me': Private key file is encrypted

TASK: [infopro-digital.apache | APACHE | Include OS-specific variables] ******* 
FATAL: no hosts matched or all hosts have already failed -- aborting

paramiko fails with encrypted keys, because it doesn't forward the ssh agent settings.

This is something ansible considered, btw: https://github.com/ansible/ansible/pull/4100 but then declined, because their paramiko support is deprecated.

fschulze commented 7 years ago

The "Private key file is encrypted" error is often misleading. We don't rely on ssh-agent forwarding. We connect directly to the host and use a proxy command from there to the jail. My own key is encrypted and I only need my local ssh-agent with no forwarding.

Most of the time there is another issue causing the connection problems. Most likely authorized_keys in the jail doesn't have your key. Maybe the wrong username is used, or sshd isn't running in the jail. I also had that issue when I still used a DSA key and newer sshd disabled their use.

igalic commented 7 years ago

hrm… there is, indeed, no ssh daemon running

toor@meenix ~# ezjail-admin console i_eena_me
Last login: Mon Mar 13 16:02:54 on pts/0
FreeBSD 11.0-RELEASE-p8 (GENERIC) #0: Wed Feb 22 06:12:04 UTC 2017

Gehe nicht über Los.
root@i_eena_me:~ # ps awwuuxx
USER    PID %CPU %MEM   VSZ  RSS TT  STAT STARTED    TIME COMMAND
root  15901  0.2  0.6 19600 2904  0  SJ   16:03   0:00.01 -csh (csh)
root  15891  0.1  0.5 43732 2252  0  SJ   16:03   0:00.02 login [pam] (login)
root  15277  0.0  0.3 10464 1600  -  SsJ  15:03   0:00.03 /usr/sbin/syslogd -ss
root  15372  0.0  1.0 55676 5020  -  IsJ  15:04   0:00.01 /usr/sbin/sshd
root  15402  0.0  1.0 20592 4820  -  SsJ  15:05   0:00.11 sendmail: accepting connections (sendmail)
smmsp 15405  0.0  1.0 20592 4664  -  IsJ  15:05   0:00.01 sendmail: Queue runner@00:30:00 for /var/spool/clientmqueue (sendmail)
root  15409  0.0  0.4 12564 1816  -  IsJ  15:05   0:00.06 /usr/sbin/cron -J 15 -s
root  15903  0.0  0.4 21164 1972  0  R+J  16:03   0:00.01 ps awwuuxx
root@i_eena_me:~ #

fschulze commented 7 years ago

uhm, there is:

root  15372  0.0  1.0 55676 5020  -  IsJ  15:04   0:00.01 /usr/sbin/sshd

igalic commented 7 years ago

Yes! Thanks. My eyes are tired already… So, I found the issue: when I use user: toor, the $HOME is assumed to be in /usr/home/toor rather than in /root, so the authorized_keys file was copied to the wrong location (in the basejails already).
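The root cause above is a provisioning tool guessing a home directory instead of reading it from the jail's passwd database. As an added example (not ploy's own code), the check below derives the authorized_keys path sshd will actually consult from passwd(5)-formatted text and flags users for which a `/usr/home/<user>` guess would land the key in the wrong place. The passwd sample is constructed for the example.

```python
import os
from typing import Dict, Optional, Tuple

# Constructed sample of a jail's /etc/passwd (not taken from the issue).
# Note that the superuser aliases have their home in /root, not /usr/home.
SAMPLE_PASSWD = """\
root:*:0:0:Charlie &:/root:/bin/csh
toor:*:0:0:Bourne-again Superuser:/root:
daemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin
igalic:*:1001:1001:Igor Galic:/usr/home/igalic:/bin/sh
"""

# Hypothetical default a naive provisioner might assume for every user.
GUESSED_HOME_ROOT = "/usr/home"


def parse_passwd(text: str) -> Dict[str, str]:
    """Map user name -> home directory from passwd(5) formatted text."""
    homes: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # skip malformed entries rather than guessing a home
        homes[fields[0]] = fields[5]
    return homes


def authorized_keys_path(user: str, homes: Dict[str, str]) -> Optional[str]:
    """Path sshd reads for `user` (default AuthorizedKeysFile), or None if unknown."""
    home = homes.get(user)
    if home is None:
        return None
    return os.path.join(home, ".ssh", "authorized_keys")


def guessed_authorized_keys_path(user: str) -> str:
    """What a provisioner that assumes /usr/home/<user> would write to."""
    return os.path.join(GUESSED_HOME_ROOT, user, ".ssh", "authorized_keys")


def key_would_be_misplaced(user: str, homes: Dict[str, str]) -> Tuple[bool, str]:
    """Return (misplaced?, explanation) comparing the guess with the real path."""
    real = authorized_keys_path(user, homes)
    guess = guessed_authorized_keys_path(user)
    if real is None:
        return True, f"{user}: no passwd entry; sshd would reject the login anyway"
    if real != guess:
        return True, f"{user}: key written to {guess} but sshd reads {real}"
    return False, f"{user}: {real} is correct"
```

Run this against the jail's own passwd (or `pw usershow -n toor` output) before copying keys into a basejail, since sshd silently ignores a key in the wrong directory and the client only sees "Couldn't validate fingerprint".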