rstudio / fuzzbucket

a simplified means to CRUD ephemeral user-scoped EC2 instances
MIT License

improve visibility / diagnostics around SSH key use #76

Closed kevinushey closed 3 years ago

kevinushey commented 3 years ago

I spent some time with @MariaSemple trying to figure out why I couldn't ssh into my fuzzbucket instances:

$ fuzzbucket-client ssh ubuntu20
# fuzzbucket:INFO:2021-03-24T165831:: sshing into matching_box='fuzzbucket-kevinushey-ubuntu20' ssh_command=['ssh', 'ec2-54-202-41-139.us-west-2.compute.amazonaws.com', '-o', 'UserKnownHostsFile=/dev/null', '-o', 'StrictHostKeyChecking=no', '-l', 'ubuntu']
[fuzzbucket-kevinushey-ubuntu20]
age = 0d0h1m43s
created_at = 1616630208.2625258
image_alias = ubuntu20
image_id = ami-0c007ac192ba0744b
instance_id = i-0504242b6fca4af6a
instance_type = t3.small
name = fuzzbucket-kevinushey-ubuntu20
public_dns_name = ec2-54-202-41-139.us-west-2.compute.amazonaws.com
public_ip = 54.202.41.139
ttl = 14400
user = kevinushey

Warning: Permanently added 'ec2-54-202-41-139.us-west-2.compute.amazonaws.com,54.202.41.139' (ECDSA) to the list of known hosts.
ubuntu@ec2-54-202-41-139.us-west-2.compute.amazonaws.com: Permission denied (publickey).

If I understand correctly, this ultimately came down to the SSH key on my local machine not matching the one currently available as kevinushey-key at https://us-west-2.console.aws.amazon.com/ec2/v2/home?region=us-west-2#KeyPairs:.

Could the documentation and / or diagnostics around this be improved? (Or, is this already documented somewhere and I just happened to miss it?)

meatballhat commented 3 years ago

@kevinushey Thank you for the report! The AWS key pair in question should be exactly the same name as your github username, and it's not something that you need to manage out of band. Whatever set up kevinushey-key is not Fuzzbucket. If the RSA public key listed here is not the same as any of the RSA keys you have locally, then you will need to:

The creation of a new box after deleting your key will re-import the first RSA public key from github into AWS.

MariaSemple commented 3 years ago

The key that Kevin's referring to is not actually the one we had to delete to get this working. It was called kevinushey and it was in the subaccount. The issue was probably related to a mismatch between the first key in GitHub, the key in AWS, and the id_rsa.pub.

It is a bit fragile that only the first key in GitHub will be recognized, as people often have multiple keys for their different computers or OSes and the order is a bit difficult to control. Out of curiosity, why is the GitHub key used at all, instead of just the id_rsa? If the GitHub key is necessary, would it be possible to iterate through the listed keys and find the one that matches the current id_rsa.pub?

Another (potentially separate) feature request would be to allow the use of fuzzbucket from multiple computers. I know it would be necessary to create a different key pair for each computer for a given user, but it would be nice not to have to switch from my MacBook to my Ubuntu machine when I want to test a problem from a support ticket (if I were actively working on my MacBook).
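The "iterate through the listed keys and find the one that matches the current id_rsa.pub" idea above, together with the original report's "Permission denied (publickey)", maps onto a diagnostic that fuzzbucket-client could have printed. The following is an added example written for this thread, not code from the fuzzbucket project. It assumes the GitHub key list comes in the `ssh-rsa AAAA... comment` line format that `https://github.com/<user>.keys` returns (an assumption, the thread only says GitHub exposes the keys), that the AWS side is the `KeyFingerprint` string that `aws ec2 describe-key-pairs` reports for an imported RSA key (MD5 over the DER-encoded public key, colon separated), and it uses constructed keys whose moduli are made-up numbers rather than real RSA keys. It reports whether the local key is RSA, which GitHub key it matches, whether that key is the first RSA key GitHub lists (the one fuzzbucket imports), and whether it matches the AWS key pair.

```python
"""Diagnose local SSH public key vs. GitHub-listed keys vs. AWS key pair.

Added example for the fuzzbucket #76 discussion; not part of fuzzbucket.
Only the Python standard library is used, so it runs offline.
"""
import base64
import hashlib
import struct


def _ssh_string(data: bytes) -> bytes:
    """Encode an SSH wire 'string': 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def _mpint(value: int) -> bytes:
    """Encode a positive integer as an SSH mpint (minimal two's complement, big-endian)."""
    raw = value.to_bytes((value.bit_length() + 8) // 8, "big")  # extra 0x00 if high bit set
    return _ssh_string(raw)


def _read_ssh_strings(blob: bytes) -> list:
    """Split a decoded key blob into its SSH wire strings."""
    fields, off = [], 0
    while off < len(blob):
        (length,) = struct.unpack(">I", blob[off:off + 4])
        fields.append(blob[off + 4:off + 4 + length])
        off += 4 + length
    return fields


def encode_openssh_rsa(n: int, e: int, comment: str) -> str:
    """Build an authorized_keys style 'ssh-rsa AAAA... comment' line."""
    blob = _ssh_string(b"ssh-rsa") + _mpint(e) + _mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " " + comment


def parse_openssh(line: str):
    """Return (key type, decoded blob) for one OpenSSH public key line."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("not an OpenSSH public key line")
    blob = base64.b64decode(parts[1])
    ktype = _read_ssh_strings(blob)[0].decode()
    if ktype != parts[0]:
        raise ValueError("key type prefix %r does not match blob %r" % (parts[0], ktype))
    return ktype, blob


def openssh_sha256(blob: bytes) -> str:
    """Fingerprint in the 'SHA256:...' form printed by `ssh-keygen -lf`."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def _der(tag: int, content: bytes) -> bytes:
    """Minimal DER TLV encoder (short- and long-form lengths)."""
    length = len(content)
    if length < 0x80:
        header = bytes([tag, length])
    else:
        lbytes = length.to_bytes((length.bit_length() + 7) // 8, "big")
        header = bytes([tag, 0x80 | len(lbytes)]) + lbytes
    return header + content


def aws_import_fingerprint(blob: bytes) -> str:
    """MD5 over the DER SubjectPublicKeyInfo, colon separated.

    This is the fingerprint AWS shows for an *imported* RSA key pair (the value
    `openssl ... -pubout -outform DER | openssl md5 -c` produces).
    """
    ktype, e, n = _read_ssh_strings(blob)
    if ktype != b"ssh-rsa":
        raise ValueError("AWS key pairs here must be RSA; got %s" % ktype.decode())
    # SSH mpints are already minimal two's complement, so they serve as DER INTEGER contents
    rsa_public_key = _der(0x30, _der(0x02, n) + _der(0x02, e))
    rsa_encryption_oid = bytes.fromhex("06092a864886f70d010101")  # 1.2.840.113549.1.1.1
    algorithm = _der(0x30, rsa_encryption_oid + b"\x05\x00")      # OID + NULL parameters
    spki = _der(0x30, algorithm + _der(0x03, b"\x00" + rsa_public_key))
    digest = hashlib.md5(spki).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def diagnose(local_line: str, github_lines: list, aws_fingerprint: str) -> dict:
    """Compare the local public key with GitHub's listed keys and the AWS key pair."""
    ktype, local_blob = parse_openssh(local_line)
    local_fp = openssh_sha256(local_blob)
    github_fps = [openssh_sha256(parse_openssh(line)[1]) for line in github_lines]
    github_rsa = [i for i, line in enumerate(github_lines) if line.startswith("ssh-rsa ")]
    report = {
        "local_is_rsa": ktype == "ssh-rsa",
        "local_fingerprint": local_fp,
        "github_match_index": github_fps.index(local_fp) if local_fp in github_fps else None,
        "first_github_rsa_index": github_rsa[0] if github_rsa else None,
        "aws_match": None,
    }
    if report["local_is_rsa"]:
        report["aws_match"] = aws_import_fingerprint(local_blob) == aws_fingerprint
    # The failure mode from this thread: the local key is on GitHub, but it is
    # not the first RSA key listed, so it is not the one that gets imported.
    report["would_be_imported"] = (report["github_match_index"] is not None
                                   and report["github_match_index"] == report["first_github_rsa_index"])
    return report


def sample_keys() -> dict:
    """Constructed sample input: the moduli are made-up numbers, not real RSA keys."""
    laptop_n = (1 << 1023) + 2 ** 17 + 1
    desktop_n = (1 << 1023) + 2 ** 19 + 1
    laptop = encode_openssh_rsa(laptop_n, 65537, "maria@laptop")
    desktop = encode_openssh_rsa(desktop_n, 65537, "maria@desktop")
    ed25519_blob = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))
    ed25519 = "ssh-ed25519 " + base64.b64encode(ed25519_blob).decode() + " maria@phone"
    return {
        "local": laptop,
        # order mimics a GitHub key listing: the desktop RSA key comes first
        "github": [ed25519, desktop, laptop],
        # pretend describe-key-pairs reported the desktop key's fingerprint
        "aws_fingerprint": aws_import_fingerprint(parse_openssh(desktop)[1]),
    }


if __name__ == "__main__":
    keys = sample_keys()
    for field, value in diagnose(keys["local"], keys["github"], keys["aws_fingerprint"]).items():
        print("%-24s %s" % (field, value))
```

With real inputs, `local_line` would be the contents of `~/.ssh/id_rsa.pub`, `github_lines` the lines of the user's public key listing, and `aws_fingerprint` the `KeyFingerprint` field for the `<github-username>` key pair. A report with `github_match_index` set but `would_be_imported` false is exactly the "first key on GitHub is not my key" case described in the thread; `aws_match` false with `would_be_imported` true points at a stale key pair left over in AWS.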

meatballhat commented 3 years ago

I would love for the SSH everything to be a lot more flexible 😭

The current design is limited by what AWS understands with key pairs (must be RSA, must be imported before use). Assigning a key pair to an instance is a first-class feature, so it tends to be a lot more reliable than any solution that relies on userdata, which is where I'm assuming we're going to have to turn in order to improve the flexibility.

MariaSemple commented 3 years ago

Just an idea - not sure how feasible. What about something like a per-computer profile? As an example you could use hostname as part of the name of the key. So for my ubuntu machine, my key in AWS might be called MariaSemple-ubuntu and for my mac the key might be called MariaSemple-mac. Then the client can check the hostname before launching the AWS instance and put that together with the GitHub username to find the already created key pair.

I am still a bit confused at the purpose of the GitHub login. I'd be interested to know how GitHub is involved, besides looking up the top RSA key. If that's all we use it for, couldn't we just look for ~/.ssh/id_rsa.pub on the host machine and create the AWS key pair based on that? That's what you need it to match for SSH anyway, IIUC.

meatballhat commented 3 years ago

The primary purpose of the GitHub login is to authorize access to Fuzzbucket based on one's GitHub team membership. The SSH key use was mostly built out of convenience since GitHub publicly exposes the public keys for each user.

I can definitely see the niceness of a mode where you can tell fuzzbucket-client to use whatever keys you have locally. Given that AWS key pairs are created for each one, would it be OK to have that interaction require human action? For example:

⚠️ (this is all vaporware)

# explicitly add a key from filename
fuzzbucket-client add-key -f ~/.ssh/fancy_rsa.pub
# the AWS key pair would get an automatic name like `MariaSemple-fancy`
# and the fuzzbucket config cache would store `default_key = fancy`

# automatically add an RSA key with an explicit alias
fuzzbucket-client add-key --alias ubuntu
# ~/.ssh/id_rsa.pub is found and automatically selected
# the AWS key pair would be named `MariaSemple-ubuntu`
# and the fuzzbucket config cache would store `default_key = ubuntu`

.... then during create

fuzzbucket-client create ubuntu20
# the cached config value of `default_key = ubuntu` is used

# explicitly use the key with alias `fancy`
fuzzbucket-client create -k fancy ubuntu20

MariaSemple commented 3 years ago

That seems very useful! I don't have any objection to that method.

kevinushey commented 3 years ago

I agree that would be very useful :-)