yokawasa / kubectl-plugin-ssh-jump

A kubectl plugin to access nodes or remote services using a SSH jump Pod
Apache License 2.0

user switches to root #13

Closed janbols closed 2 years ago

janbols commented 2 years ago

Hi,

I followed the instructions on https://github.com/yokawasa/kubectl-plugin-ssh-jump#case-2-access-remote-serivces-via-ssh-local-port-forwarding but receive the following error:

Setting destination name as 'jumphost' allows to ssh into SSH jump Pod as 'root' user
using: port=22
using: args=-L 5432:someserver:5432
Agent pid 350109
ssh-agent is already running
Creating SSH jump host (Pod)...
pod/sshjump created
Forwarding from 127.0.0.1:2222 -> 22
Forwarding from [::1]:2222 -> 22
Handling connection for 2222
root@127.0.0.1: Permission denied (publickey).

nippyin commented 2 years ago

Me too, in the same boat. It works from macOS; however, while trying on WSL2 I get the same error.

╚ $ k ssh-jump XX.XX.XX.XXX --clean-agent --clean-jump -i ~/.ssh/my_rsa -p ~/.ssh/my_rsa.pub -u azureuser
using: port=22
Agent pid 6022
ssh-agent is already running
Creating SSH jump host (Pod)...
pod/sshjump created
Forwarding from 127.0.0.1:2222 -> 22
Forwarding from [::1]:2222 -> 22
Handling connection for 2222
root@127.0.0.1: Permission denied (publickey).
kex_exchange_identification: Connection closed by remote host
Connection closed by UNKNOWN port 65535

yokawasa commented 2 years ago

@janbols @nippyin (I'm very sorry for the slow response) Thank you for reaching out!

First of all, please make sure you use the latest version of ssh-jump (0.7.0). If it's not the latest one, please upgrade:

kubectl krew upgrade ssh-jump

kubectl krew info ssh-jump

NAME: ssh-jump
INDEX: default
URI: https://github.com/yokawasa/kubectl-plugin-ssh-jump/archive/0.7.0.zip
SHA256: 86a4729d84810274bdd010e15b564f89840d9f67fdb0d7dd0fe35d588e9d6391
VERSION: v0.7.0
...

@janbols

I tried with the following options. It worked on both macOS and WSL2.

kubectl ssh-jump sshjump -i ./id_rsa -p ./id_rsa.pub -a "-L 1443:someserver:443"

@nippyin

I tried with the following options. It worked on both macOS and WSL2.

kubectl ssh-jump -u azureuser -i ./id_rsa -p ./id_rsa.pub --cleanup-jump --cleanup-agent aks-nodepool1-20050870-vmss000000

yokawasa commented 2 years ago

@nippyin @janbols

One more request from me 🙏

Can you please try this version directly like this and let me know how it works?

# download kubectl-ssh-jump
curl https://raw.githubusercontent.com/yokawasa/kubectl-plugin-ssh-jump/fix-permission-denied-issue/kubectl-ssh-jump -o kubectl-ssh-jump

# make it executable
chmod +x kubectl-ssh-jump

# use the script "kubectl-ssh-jump" directly instead of "kubectl ssh-jump" like this:
./kubectl-ssh-jump sshjump -i ./id_rsa -p ./id_rsa.pub -a "-L 1443:someserver:443"
./kubectl-ssh-jump -u azureuser -i ./id_rsa -p ./id_rsa.pub --cleanup-jump --cleanup-agent aks-nodepool1-20050870-vmss000000

nippyin commented 2 years ago

Was already using latest version. Same error message.

Note: did not use this command ./kubectl-ssh-jump sshjump -i ./id_rsa -p ./id_rsa.pub -a "-L 1443:someserver:443"

janbols commented 2 years ago

Hi @yokawasa ,

First, I upgraded the plugin to the latest 0.7.0. I deleted any running sshjump pod and executed kubectl ssh-jump sshjump -i ./id_rsa -p ./id_rsa.pub -a "-L 1443:someserver:443":

Setting destination name as 'jumphost' allows to ssh into SSH jump Pod as 'root' user
using: port=22
using: args=-L 1443:someserver:443
Agent pid 252025
ssh-agent is already running
Creating SSH jump host (Pod)...
pod/sshjump created
Forwarding from 127.0.0.1:2222 -> 22
Forwarding from [::1]:2222 -> 22
Handling connection for 2222
root@127.0.0.1: Permission denied (publickey).

Unfortunately, no improvement there.

Then, I deleted the sshjump pod again and executed the local program:


./kubectl-ssh-jump sshjump -i ./id_rsa -p ./id_rsa.pub -a "-L 1443:someserver:443"
Setting destination name as 'jumphost' allows to ssh into SSH jump Pod as 'root' user
using: port=22
using: args=-L 1443:someserver:443
Agent pid 252025
ssh-agent is already running
Creating SSH jump host (Pod)...
pod/sshjump created
Forwarding from 127.0.0.1:2222 -> 22
Forwarding from [::1]:2222 -> 22
Handling connection for 2222
Welcome to Ubuntu 14.04 LTS (GNU/Linux 3.2.0-77-generic x86_64)

 * Documentation:  https://help.ubuntu.com/

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

root@sshjump:~# 

So, yes, this looks much better!!!!

nippyin commented 2 years ago

But the objective here is to ssh to the node itself. I think it's WSL2 networking that does not allow the script to directly connect with K8s nodes.

yokawasa commented 2 years ago

@janbols thanks for your testing! Your reported issue can be resolved with this version. I'll release a new version shortly. I'll let you know once the new version becomes available via krew.

yokawasa commented 2 years ago

@nippyin your reported issue is due to a different cause. I opened another issue https://github.com/yokawasa/kubectl-plugin-ssh-jump/issues/16.

yokawasa commented 2 years ago

@janbols

Now ssh-jump-v0.7.1 is available. Please update it with krew:

# refresh the plugin index, then upgrade the plugin
kubectl krew update
kubectl krew upgrade ssh-jump

# show info
kubectl krew info ssh-jump

NAME: ssh-jump
INDEX: default
URI: https://github.com/yokawasa/kubectl-plugin-ssh-jump/archive/0.7.1.zip
SHA256: dd912bb5a0e5813d0b2be10c1297d82aecce46125df540b82958f1a4de70bb55
VERSION: v0.7.1
HOMEPAGE: https://github.com/yokawasa/kubectl-plugin-ssh-jump
DESCRIPTION:
A kubectl plugin to access Kubernetes nodes or remote services using a SSH jump Pod.
A jump Pod is an intermediary Pod or an SSH gateway to Kubernetes node machines or
remote services, through which a connection can be made.

CAVEATS:
\
 | This plugin needs the following programs:
 | * ssh(1)
 | * ssh-agent(1)
 |
 | Please follow the documentation: https://github.com/yokawasa/kubectl-plugin-ssh-jump
/

nippyin commented 2 years ago

╚ $ k ssh-jump aks-agentpool-159999996-vmss00000b -i ~/.ssh/id_rsa -u azureuser --cleanup-jump
using: pubkey=/home/star/.ssh/id_rsa.pub
using: port=22
Agent pid 1090
ssh-agent is already running
Creating SSH jump host (Pod)...
pod/sshjump created
Forwarding from 127.0.0.1:2222 -> 22
Forwarding from [::1]:2222 -> 22
Handling connection for 2222
root@127.0.0.1: Permission denied (publickey).
kex_exchange_identification: Connection closed by remote host
Connection closed by UNKNOWN port 65535
Clearning up SSH Jump host (Pod)...
pod "sshjump" deleted

Still the same result. Do I need to do anything differently?

yokawasa commented 2 years ago

@nippyin I believe your issue is due to a different cause, which is why I opened another issue. Let's discuss your issue here: https://github.com/yokawasa/kubectl-plugin-ssh-jump/issues/16