wallix / awless

A Mighty CLI for AWS
http://awless.io/
Apache License 2.0

mac: awless ssh fails finding keys in ~/.ssh and ~/.awless/keys #153

Open ebarault opened 6 years ago

ebarault commented 6 years ago

hi, I just installed awless using brew:

awless version=v0.1.5, commit=21a3a94174dfe7033ce760f050c187637100d22e, build-date=2017-10-18T10:04:20+02:00, build-arch=amd64, build-os=darwin, build-for=brew

and awless ssh me@my-instance does not work although
awless ssh me@my-instance -i ~/.ssh/rsa_id works
as well as ssh me@w.x.y.z (where w.x.y.z is the public ip of my-instance)

any idea?

edit: tried with v0.1.6 compiled from source, not working either

fxaguessy commented 6 years ago

Hi, what error do you have?

awless uses the value you have for the Keypair property for the instance, to select the key file. What is the value of the Keypair property when doing awless list instances ? If it is not "rsa_id", awless will not find such key.

For now, a solution is either to use the -i flag, or to create a symlink from ~/.ssh/my-instance-keypair-name to ~/.ssh/rsa_id

simcap commented 6 years ago

What I do usually is that I use the command awless create keypair -h. Here is an example:

> awless create keypair name=testkey
[info]    Dry running template ...
create keypair name=testkey

Confirm? (y/n): y
[info]    Generating locally a RSA 4096 bits keypair...
[info]    4096 RSA keypair generated locally and stored in '/home/simon/.awless/keys/testkey.pem'
[info]    create keypair 'testkey' done
    OK  keypair = testkey   

[info]    Revert this template with `awless revert 01BWQVV8RND4H21R66SXNKV5XG -r us-west-2 -p default`
[info]    Resyncing infra ... (disable with --no-sync global flag)

The advantages are:

Then to create or connect to instances using that key it will be easy:

> awless create instance name=redis-prod keypair=testkey .....

or 

> awless ssh redis-prod

ebarault commented 6 years ago

hi @fxaguessy,

the error is: [error] unable to authenticate to w.x.y.z:22 for users ["ebarault"]. Last error: ssh: handshake failed: ssh: unable to authenticate, attempted methods [none publickey], no supported methods remain

indeed when listing instance with awless list instances, KEYPAIR property refers to the aws key pair used when provisioning the ec2 instance.

what i don't get is that for one of my colleagues (on Ubuntu ftr), awless ssh him@my-instance works out of the box, meaning that it manages to find its private key in ~/.ssh.

just to be clear: I do not do awless ssh my-instance, but I specify my username (my public key is in the ec2 instance's authorized hosts) : awless ssh ebarault@my-instance

ebarault commented 6 years ago

anyhow, copying the server pem key right in ~/.ssh or ~/.awless/keys does not change anything, i still have the same error.

fxaguessy commented 6 years ago

You can get the name of keypairs by instance by listing instances (e.g. awless list instances --columns id,name,keypair). Are you sure that the name of the keypair attached to my-instance is rsa_id?

awless ssh will look up the key using the AWS name (see listing above) in the folders ~/.ssh and ~/.awless/keys.

ebarault commented 6 years ago

@rgarrigue : could you chime in and confirm please?

-- @fxaguessy : it seems that for my colleague @rgarrigue, awless ssh rgarrigue@bastion works like a charm from the moment his public key is provisioned in the ssh authorized keys on host bastion for the user named rgarrigue. (His private key is contained in file rsa_id, which is not the aws key used to create the instance)

for me it's not working

although: renaming my own rsa_id into bastion.pem, (where bastion is the name of the aws key) works with awless ssh ebarault@bastion, which is not convenient because on some hosts i have to log in as ebarault, and on some other as ec2-user which i can't without manually specifying the key with -i option as i can't have 2 different keys named bastion.pem

proposal: would it be possible to either:

fxaguessy commented 6 years ago

Perhaps @rgarrigue uses ssh-agent to manage his private key (and you don't)? I think that the last fallback of awless ssh to try to connect to an instance is to use (if available) the local ssh-agent.

ebarault commented 6 years ago

I followed the usual procedure described here to load my ssh key with ssh-agent, and at first had no luck either...

but, I then tried removing any key name bastion.pem I had previously configured and now it's working.

so yes, awless ssh uses the local ssh-agent as a last resort, so the problem is half solved : I still can't use both my personal key provisioned on some hosts and the aws key pair for other hosts because if a key exists named after the aws key name and fails for a given user, awless ssh will fail without trying with ssh-agent.

🖐 maybe it's doable to change this behavior and try with ssh-agent even if failing with a key named as the aws key pair?

also a quick addition to the doc regarding the use of ssh-agent would prevent further questions of the like.
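The ordering the comment above asks for, as an added example in Go (the project's language); this is not awless code and it talks to no server. It models what the thread describes: a key named after the AWS keypair is looked up in a list of directories, an explicit -i path overrides that lookup, and the agent (represented only by its SSH_AUTH_SOCK path) is always appended last, so a named key the server rejects for this user does not end the attempt. The lookup for both `<name>` and `<name>.pem` is an assumption drawn from the `testkey.pem` and `bastion.pem` observations in the thread, the owner-only permission check is added hardening rather than awless behaviour, and the "server" is a constructed callback that accepts only the agent.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

// AuthSource is one credential an ssh client could present, in attempt order.
type AuthSource struct {
	Kind string // "file" (private key on disk) or "agent" (SSH_AUTH_SOCK)
	Path string // key file path, or the agent socket path
}

// keyFileUsable reports whether path is a regular file that only its owner can
// read. A key readable by group or others is skipped on purpose: OpenSSH refuses
// such files, and silently accepting them here would only hide that problem.
// (Added hardening, not something the thread says awless does.)
func keyFileUsable(path string) bool {
	fi, err := os.Stat(path)
	if err != nil || !fi.Mode().IsRegular() {
		return false
	}
	return fi.Mode().Perm()&0o077 == 0
}

// ResolveAuthSources builds the ordered credential list for an instance whose
// AWS keypair name is keypairName. explicitKey is a -i style override ("" if
// absent). Each directory in keyDirs is searched for <name> and <name>.pem
// (hypothetical lookup rule, modelled on the ~/.ssh and ~/.awless/keys
// observations in the thread). agentSock is SSH_AUTH_SOCK, "" if no agent.
// The agent is always appended last, so a named key that the server rejects
// for this user does not end the attempt.
func ResolveAuthSources(keypairName, explicitKey string, keyDirs []string, agentSock string) []AuthSource {
	var out []AuthSource
	switch {
	case explicitKey != "":
		out = append(out, AuthSource{Kind: "file", Path: explicitKey})
	case keypairName != "":
		for _, dir := range keyDirs {
			for _, name := range []string{keypairName, keypairName + ".pem"} {
				if p := filepath.Join(dir, name); keyFileUsable(p) {
					out = append(out, AuthSource{Kind: "file", Path: p})
				}
			}
		}
	}
	if agentSock != "" {
		out = append(out, AuthSource{Kind: "agent", Path: agentSock})
	}
	return out
}

// tryFn stands in for one public-key authentication attempt against the server.
type tryFn func(AuthSource) error

// TryInOrder presents each source until one is accepted. It returns the
// winning source, or an error wrapping the last rejection, in the spirit of
// the "no supported methods remain" failure quoted in the thread.
func TryInOrder(sources []AuthSource, try tryFn) (AuthSource, error) {
	lastErr := errors.New("no credentials to try")
	for _, s := range sources {
		err := try(s)
		if err == nil {
			return s, nil
		}
		lastErr = fmt.Errorf("%s %s: %w", s.Kind, s.Path, err)
	}
	return AuthSource{}, fmt.Errorf("unable to authenticate, last error: %w", lastErr)
}

func main() {
	// Constructed scenario: a key named after the AWS keypair exists locally,
	// the server rejects it for this user, and an agent holds the right key.
	dir, err := os.MkdirTemp("", "awless-keys")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	keyPath := filepath.Join(dir, "bastion.pem")
	if err := os.WriteFile(keyPath, []byte("-- dummy key material --\n"), 0o600); err != nil {
		panic(err)
	}
	sources := ResolveAuthSources("bastion", "", []string{dir}, "/tmp/agent.sock")
	rejectFiles := func(s AuthSource) error { // constructed server: only the agent key is authorized
		if s.Kind == "agent" {
			return nil
		}
		return errors.New("ssh: unable to authenticate, attempted methods [none publickey]")
	}
	winner, err := TryInOrder(sources, rejectFiles)
	fmt.Printf("tried %d sources, winner=%+v err=%v\n", len(sources), winner, err)
}
```

Run stand-alone it reports two sources tried and the agent as the winner, which is exactly the case the thread says fails today: with the named key present, the agent is never reached. Removing the agent socket argument makes TryInOrder return the wrapped rejection instead.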

rgarrigue commented 6 years ago

Hi

I believe Eric got this pinned down, but just in case, I'm not running ssh-agent. Here's a strace of what's happening on my machine.

➜  ~ echo $SSH_AGENT_PID

➜  ~ strace -e open,stat,openat awless ssh --through rgarrigue@prd-bastion prd-ha-sonarqube | grep -v '/etc/ssl/certs'
open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
open("/lib/x86_64-linux-gnu/libpthread.so.0", O_RDONLY|O_CLOEXEC) = 3
open("/lib/x86_64-linux-gnu/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/proc/sys/net/core/somaxconn", O_RDONLY|O_CLOEXEC) = 3
stat("/home/remy/.awless/awless.db", {st_mode=S_IFREG|0600, st_size=65536, ...}) = 0
stat("/home/remy/.awless/keys", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0
openat(AT_FDCWD, "/home/remy/.awless/awless.db", O_RDWR|O_CREAT|O_CLOEXEC, 0600) = 3
openat(AT_FDCWD, "/home/remy/.aws/config", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/home/remy/.aws/credentials", O_RDONLY|O_CLOEXEC) = 3
stat("/home/remy/.awless/cache/credentials", 0xc4203625e8) = -1 ENOENT (No such file or directory)
stat("/home/remy/.ssh/known_hosts", {st_mode=S_IFREG|0600, st_size=10538, ...}) = 0
stat("/home/remy/.awless/known_hosts", 0xc4203621d8) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/home/remy/.ssh/known_hosts", O_RDONLY|O_CLOEXEC) = 9
stat("/home/remy/bin/ssh", 0xc420362378) = -1 ENOENT (No such file or directory)
stat("/home/remy/.local/bin/ssh", 0xc420362448) = -1 ENOENT (No such file or directory)
stat("/usr/local/sbin/ssh", 0xc420362518) = -1 ENOENT (No such file or directory)
stat("/usr/local/bin/ssh", 0xc4203625e8) = -1 ENOENT (No such file or directory)
stat("/usr/sbin/ssh", 0xc4203626b8)     = -1 ENOENT (No such file or directory)
stat("/usr/bin/ssh", {st_mode=S_IFREG|0755, st_size=707248, ...}) = 0
openat(AT_FDCWD, "/tmp/awless-ssh-proxycommand", O_RDWR|O_CREAT|O_TRUNC|O_CLOEXEC, 0700) = 9
open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
open("/lib/x86_64-linux-gnu/libtinfo.so.5", O_RDONLY|O_CLOEXEC) = 3
open("/lib/x86_64-linux-gnu/libdl.so.2", O_RDONLY|O_CLOEXEC) = 3
open("/lib/x86_64-linux-gnu/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
open("/dev/tty", O_RDWR|O_NONBLOCK)     = 3
open("/usr/lib/locale/locale-archive", O_RDONLY|O_CLOEXEC) = 3
stat("/home/remy", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
stat(".", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
open("/usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache", O_RDONLY) = 3
open("/tmp/awless-ssh-proxycommand", O_RDONLY) = 3
Last login: Fri Oct 27 14:31:06 2017 from 10.0.1.63

       __|  __|_  )
       _|  (     /   Amazon Linux AMI
      ___|\___|___|

fxaguessy commented 6 years ago

Thank you both for the feedback.

As a summary:

rgarrigue commented 6 years ago

:+1: