rancher / rke

Rancher Kubernetes Engine (RKE), an extremely simple, lightning fast Kubernetes distribution that runs entirely within containers.
Apache License 2.0

Regression with using passphrased SSH keys #734

Closed oskapt closed 6 years ago

oskapt commented 6 years ago

Please see #192 for comments that this has resurfaced in v0.1.7. I'm opening a new ticket because the other is closed and unlikely to see new comments. @galal-hussein @deniseschannon

galal-hussein commented 6 years ago

@oskapt I think what you need to do is to run rke up with the option --ssh-agent-auth to use the ssh-agent. Without this option, rke will attempt to use the normal method and just ssh to the hosts with the encrypted key, which will fail of course.

I tested with --ssh-agent-auth and it worked fine with the latest 0.1.8 rc.

galal-hussein commented 6 years ago

@oskapt can you retest the issue with the --ssh-agent-auth option and see if you can still see the issue?

bootc commented 6 years ago

SSH agent auth does work, however it bails out if a key file doesn't exist:

WARN[0000] Failed to set up SSH tunneling for host [elgyn1.boo.tc]: Can't establish dialer connection: Error while reading SSH key file: open /home/bootc/.ssh/id_rsa: no such file or directory

I can work around this by creating an empty file for the key:

$ touch /home/bootc/.ssh/id_rsa
$ rke up --config rke.yml
INFO[0000] Building Kubernetes cluster                  
INFO[0000] [dialer] Setup tunnel for host [stoppit.boo.tc] 
INFO[0004] [dialer] Setup tunnel for host [tidyup.boo.tc] 
INFO[0006] [dialer] Setup tunnel for host [elgyn1.boo.tc] 
INFO[0011] [state] Found local kube config file, trying to get state from cluster 
[...]

A key file shouldn't need to exist at all when using agent auth (my key is on a Yubikey), and an empty key file is particularly nonsensical IMO.

deniseschannon commented 6 years ago

@galal-hussein can you check out this?

oskapt commented 6 years ago

@galal-hussein sorry about not responding. I was having issues receiving notifications from GitHub.

I haven't tested with --ssh-agent-auth; I'd have to tear down and rebuild the environment.

At any rate, I'm not sure that passing a flag is the correct route. First, having a passphrase on a key is not the same as using ssh-agent. Second, I shouldn't have to remember to use some special flag when I'm using a key that has a passphrase. In both cases, it would be better if the thing that wants to use the key detects that there's a passphrase on it and asks for it, or detects (through env variables perhaps) that there's an agent it can talk to.
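The detection oskapt describes above, written out as an added shell example; this is not rke's code and not part of the thread. It inspects the configured key file to see whether it is passphrase-protected, checks SSH_AUTH_SOCK for a reachable agent, and only then decides whether the rke up command line needs --ssh-agent-auth. The function names, the cluster file name and the sample key written at the bottom are constructed for illustration; the two rke flags (--config, --ssh-agent-auth) are the ones used elsewhere in this thread.

```shell
#!/bin/sh
# Added example, not rke's own code: a pre-flight check for "rke up" that
# detects whether the configured key needs a passphrase and whether an
# ssh-agent is reachable, then picks the matching rke invocation.
# Function names, the cluster file name and the sample key below are
# constructed for illustration.

# key_state FILE: prints "missing", "encrypted" or "plain".
key_state() {
    if [ ! -f "$1" ]; then
        echo missing
        return 0
    fi
    # Legacy PEM keys announce a passphrase in their headers.
    if grep -q '^Proc-Type: 4,ENCRYPTED' "$1"; then
        echo encrypted
        return 0
    fi
    # New-format OpenSSH keys do not; ask ssh-keygen to load the key with an
    # empty passphrase, which fails when one is required.
    if grep -q 'BEGIN OPENSSH PRIVATE KEY' "$1" && command -v ssh-keygen >/dev/null 2>&1; then
        if ssh-keygen -y -P '' -f "$1" >/dev/null 2>&1; then
            echo plain
        else
            echo encrypted
        fi
        return 0
    fi
    echo plain
}

# agent_reachable: succeeds when SSH_AUTH_SOCK points at a live socket.
agent_reachable() {
    [ -n "${SSH_AUTH_SOCK:-}" ] && [ -S "$SSH_AUTH_SOCK" ]
}

# choose_auth KEYFILE: prints "agent", "key" or "none". An agent wins when
# present, so a passphrase-protected key, or a key that lives on a token
# and has no file on disk at all, never has to be read from a file.
choose_auth() {
    if agent_reachable; then
        echo agent
        return 0
    fi
    case "$(key_state "$1")" in
        plain)     echo key ;;
        encrypted) echo "key $1 is passphrase-protected and no agent is reachable; run ssh-add first" >&2
                   echo none ;;
        missing)   echo "key $1 does not exist and no agent is reachable" >&2
                   echo none ;;
    esac
}

# rke_command CONFIG KEYFILE: prints the rke command line to run, or fails
# (exit 1) when neither an agent nor a usable key file is available.
rke_command() {
    case "$(choose_auth "$2")" in
        agent) echo "rke up --config $1 --ssh-agent-auth" ;;
        key)   echo "rke up --config $1" ;;
        none)  return 1 ;;
    esac
}

# Constructed sample: the header block of a legacy PEM key protected by a
# passphrase (the ciphertext body is omitted; only the header is inspected).
write_sample_encrypted_key() {
    cat > "$1" <<'EOF'
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,0123456789ABCDEF0123456789ABCDEF

(ciphertext omitted)
-----END RSA PRIVATE KEY-----
EOF
}

tmp=$(mktemp)
write_sample_encrypted_key "$tmp"
echo "state of sample key: $(key_state "$tmp")"
echo "state of missing key: $(key_state /nonexistent/id_rsa)"
rm -f "$tmp"
```

With an agent running and the key loaded (ssh-add), choose_auth returns "agent" regardless of whether the key file exists, which is the behaviour bootc's Yubikey setup needs; without an agent, an encrypted or missing key file is reported before rke is invoked instead of surfacing as a tunnel error.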

galal-hussein commented 6 years ago

@soumyalj the issue can be tested by the following steps:

rke should run successfully without showing an error that the key doesn't exist

soumyalj commented 6 years ago

Tested with rke version v0.1.10-rc4.

  1. Created a new ssh key using ssh-keygen. Added the ssh key to the ssh-agent using:
     ssh-add testsshkeyfile(privatekey)
  2. In the cluster.yml file, provide a non-existent sshkeypath.
  3. Run rke up with the --ssh-agent-auth option. Example below:

     ./rke_darwin-amd64-latest up --config testabc.yml --ssh-agent-auth

Cluster got created successfully. Creation of pods was fine.