Open ebarault opened 6 years ago
Hi, what error do you have?

`awless` uses the value you have for the `Keypair` property of the instance to select the key file. What is the value of the `Keypair` property when doing `awless list instances`? If it is not "rsa_id", `awless` will not find such a key.

For now, a solution is either to use the `-i` flag, or to create a symlink from `~/.ssh/my-instance-keypair-name` to `~/.ssh/rsa_id`.

What I usually do is use the command `awless create keypair -h`. Here is an example:
```
> awless create keypair name=testkey
[info] Dry running template ...
create keypair name=testkey
Confirm? (y/n): y
[info] Generating locally a RSA 4096 bits keypair...
[info] 4096 RSA keypair generated locally and stored in '/home/simon/.awless/keys/testkey.pem'
[info] create keypair 'testkey' done
OK keypair = testkey
[info] Revert this template with `awless revert 01BWQVV8RND4H21R66SXNKV5XG -r us-west-2 -p default`
[info] Resyncing infra ... (disable with --no-sync global flag)
```
The advantages are: the key is generated locally and stored in `~/.awless/keys`. Then to create or connect to instances using that key it will be easy:

```
> awless create instance name=redis-prod keypair=testkey .....
```

or

```
> awless ssh redis-prod
```
Hi @fxaguessy,

The error is:

```
[error] unable to authenticate to w.x.y.z:22 for users ["ebarault"]. Last error: ssh: handshake failed: ssh: unable to authenticate, attempted methods [none publickey], no supported methods remain
```

Indeed, when listing instances with `awless list instances`, the KEYPAIR property refers to the AWS key pair used when provisioning the EC2 instance.

What I don't get is that for one of my colleagues (on Ubuntu, FTR), `awless ssh him@my-instance` works out of the box, meaning that it manages to find his private key in `~/.ssh`.

Just to be clear: I do not do `awless ssh my-instance`, but I specify my username (my public key is in the EC2 instance's authorized hosts): `awless ssh ebarault@my-instance`.

Anyhow, copying the server pem key right in `~/.ssh` or `~/.awless/keys` does not change anything, I still have the same error.
You can get the name of keypairs by instance by listing instances (e.g. `awless list instances --columns id,name,keypair`). Are you sure that the name of the keypair attached to `my-instance` is `rsa_id`?

`awless ssh` will look up the key using the AWS name (see listing above) in the folders `~/.ssh` and `~/.awless/keys`.
@rgarrigue: could you chime in and confirm please?

--

@fxaguessy: it seems that for my colleague @rgarrigue, `awless ssh rgarrigue@bastion` works like a charm from the moment his public key is provisioned in the SSH authorized keys on host `bastion` for the user named `rgarrigue`. (His private key is contained in file `rsa_id`, which is not the AWS key used to create the instance.)

For me it's not working, although renaming my own `rsa_id` into `bastion.pem` (where `bastion` is the name of the AWS key) works with `awless ssh ebarault@bastion`. This is not convenient because on some hosts I have to log in as `ebarault`, and on some others as `ec2-user`, which I can't do without manually specifying the key with the `-i` option, as I can't have 2 different keys named `bastion.pem`.
Proposal: would it be possible to either:

- make `awless ssh` look for any key in the `.ssh/..` dir rather than only look for files with the same name as the AWS key pair?
- (`ebarault.pem`)?
- `id_rsa` by default?

Perhaps @rgarrigue uses `ssh-agent` to manage his private key (and you don't)?

I think that the last fallback of `awless ssh` to try to connect to an instance is to use (if available) the local ssh-agent.
I followed the usual procedure described here to load my SSH key with ssh-agent, and at first had no luck either... but I then tried removing any key named `bastion.pem` I had previously configured, and now it's working.

So yes, `awless ssh` uses the local ssh-agent as a last resort, so the problem is half solved: I still can't use both my personal key provisioned on some hosts and the AWS key pair for other hosts, because if a key exists named after the AWS key name and fails for a given user, `awless ssh` will fail without trying with ssh-agent.

🖐 Maybe it's doable to change this behavior and try with ssh-agent even if failing with a key named as the AWS key pair?

Also, a quick addition to the doc regarding the use of ssh-agent would prevent further questions of the like.
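A small diagnostic for the lookup order the maintainer describes above (a key file named after the AWS keypair, searched in `~/.ssh` then `~/.awless/keys`, with ssh-agent as the last resort) and for the failure mode reported in this comment (a `<keypair>.pem` file shadows the agent). This is an added example, not awless's own code; the function names are mine, and it assumes only the `<keypair>.pem` filename is matched, as the thread describes.

```shell
#!/bin/sh
# Added example, not part of awless. Models the key selection described in
# this issue thread so you can see which auth source awless ssh will use
# before running it.

# Which key file awless ssh will pick for an instance's AWS keypair name.
# Lookup order from the thread: ~/.ssh/<keypair>.pem, then
# ~/.awless/keys/<keypair>.pem. Prints the first match; returns 1 if none.
# Args: keypair name, optional ssh dir, optional awless keys dir.
awless_key_for_keypair() {
  keypair=$1
  ssh_dir=${2:-"$HOME/.ssh"}
  awless_dir=${3:-"$HOME/.awless/keys"}
  for f in "$ssh_dir/$keypair.pem" "$awless_dir/$keypair.pem"; do
    if [ -f "$f" ]; then
      printf '%s\n' "$f"
      return 0
    fi
  done
  return 1
}

# True when an ssh-agent is reachable and holds at least one identity,
# the last-resort method the thread observed awless ssh falling back to.
ssh_agent_has_keys() {
  [ -n "$SSH_AUTH_SOCK" ] || return 1
  command -v ssh-add >/dev/null 2>&1 || return 1
  ssh-add -l >/dev/null 2>&1
}

# Reports the auth source awless ssh will end up using: "file:<path>",
# "agent", or "none". A "file:" result with a key that is not authorized
# for the target user reproduces the failure in this thread, because the
# agent is never consulted once a matching file exists.
awless_ssh_auth_source() {
  keypair=$1
  if key=$(awless_key_for_keypair "$keypair" "$2" "$3"); then
    printf 'file:%s\n' "$key"
  elif ssh_agent_has_keys; then
    printf 'agent\n'
  else
    printf 'none\n'
  fi
}
```

Run `awless_ssh_auth_source <keypair>` with the name shown by `awless list instances --columns id,name,keypair`; a `file:` result for a host where you log in with a personal key means the agent will not be tried for that host.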
Hi

I believe Eric got this pinned down, but just in case, I'm not running ssh-agent. Here's a strace of what's happening on my machine.

```
➜ ~ echo $SSH_AGENT_PID
➜ ~ strace -e open,stat,openat awless ssh --through rgarrigue@prd-bastion prd-ha-sonarqube | grep -v '/etc/ssl/certs'
open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
open("/lib/x86_64-linux-gnu/libpthread.so.0", O_RDONLY|O_CLOEXEC) = 3
open("/lib/x86_64-linux-gnu/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/proc/sys/net/core/somaxconn", O_RDONLY|O_CLOEXEC) = 3
stat("/home/remy/.awless/awless.db", {st_mode=S_IFREG|0600, st_size=65536, ...}) = 0
stat("/home/remy/.awless/keys", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0
openat(AT_FDCWD, "/home/remy/.awless/awless.db", O_RDWR|O_CREAT|O_CLOEXEC, 0600) = 3
openat(AT_FDCWD, "/home/remy/.aws/config", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/home/remy/.aws/credentials", O_RDONLY|O_CLOEXEC) = 3
stat("/home/remy/.awless/cache/credentials", 0xc4203625e8) = -1 ENOENT (No such file or directory)
stat("/home/remy/.ssh/known_hosts", {st_mode=S_IFREG|0600, st_size=10538, ...}) = 0
stat("/home/remy/.awless/known_hosts", 0xc4203621d8) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/home/remy/.ssh/known_hosts", O_RDONLY|O_CLOEXEC) = 9
stat("/home/remy/bin/ssh", 0xc420362378) = -1 ENOENT (No such file or directory)
stat("/home/remy/.local/bin/ssh", 0xc420362448) = -1 ENOENT (No such file or directory)
stat("/usr/local/sbin/ssh", 0xc420362518) = -1 ENOENT (No such file or directory)
stat("/usr/local/bin/ssh", 0xc4203625e8) = -1 ENOENT (No such file or directory)
stat("/usr/sbin/ssh", 0xc4203626b8) = -1 ENOENT (No such file or directory)
stat("/usr/bin/ssh", {st_mode=S_IFREG|0755, st_size=707248, ...}) = 0
openat(AT_FDCWD, "/tmp/awless-ssh-proxycommand", O_RDWR|O_CREAT|O_TRUNC|O_CLOEXEC, 0700) = 9
open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
open("/lib/x86_64-linux-gnu/libtinfo.so.5", O_RDONLY|O_CLOEXEC) = 3
open("/lib/x86_64-linux-gnu/libdl.so.2", O_RDONLY|O_CLOEXEC) = 3
open("/lib/x86_64-linux-gnu/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
open("/dev/tty", O_RDWR|O_NONBLOCK) = 3
open("/usr/lib/locale/locale-archive", O_RDONLY|O_CLOEXEC) = 3
stat("/home/remy", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
stat(".", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
open("/usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache", O_RDONLY) = 3
open("/tmp/awless-ssh-proxycommand", O_RDONLY) = 3
Last login: Fri Oct 27 14:31:06 2017 from 10.0.1.63

       __|  __|_  )
       _|  (     /   Amazon Linux AMI
      ___|\___|___|
```
Thank you both for the feedback.
As a summary:
:+1:
Hi, I just installed awless using brew:

```
awless version=v0.1.5, commit=21a3a94174dfe7033ce760f050c187637100d22e, build-date=2017-10-18T10:04:20+02:00, build-arch=amd64, build-os=darwin, build-for=brew
```

and `awless ssh me@my-instance` does not work, although `awless ssh me@my-instance -i ~/.ssh/rsa_id` works, as well as `ssh me@w.x.y.z` (where `w.x.y.z` is the public IP of `my-instance`). Any idea?

Edit: tried with v0.1.6 compiled from source, not working either.