Best Practice: Passwordless Authentication

Hey guys,

I keep running into the same problem over and over for at least 4 months. Back then I figured out a weird workaround and set up my iMac for deployments. I believe the problem is Passwordless Authentication.

Today I started setting up my Macbook for deployments but ran into this issue with Remote Server Setup on TASK [setup]:

TASK [setup] *******************************************************************
fatal: [107.170.228.201]: UNREACHABLE! => {"changed": false, "msg": "ERROR! SSH encountered an unknown error during the connection. We recommend you re-run the command using -vvvv, which will enable SSH debugging output to help diagnose the issue", "unreachable": true}

PLAY RECAP *********************************************************************
107.170.228.201 : ok=3 changed=0 unreachable=1 failed=0
localhost : ok=0 changed=0 unreachable=0 failed=0

Here’s the massive verbose error log.

Here’s the closest issue I found on this discourse.

Where my problem differs is that if I run:
ssh -o PasswordAuthentication=no root@107.170.228.201 "echo can_connect" || echo cannot_connect

I get:
Permission denied (publickey,password). cannot_connect

Which is why I’m led to believe it has to do with my ssh root password settings.

I’m pretty sure I’ve edited my /etc/ssh/sshd_config correctly, but here it is just in case.

Key lines of code in my sshd_config:

  • PermitRootLogin without-password
  • RSAAuthentication yes
  • PubkeyAuthentication yes
  • PasswordAuthentication no
  • ChallengeResponseAuthentication no
  • UsePAM no

Another thing possibly worth pointing out is that I'm using Ansible 2.0.0.2 (as was the case in the thread I linked above, but I haven't downgraded because I don't think our issues are related).

Here’s my current repo.

Any pointers would be amazing. Thanks.

EDIT: Probably worth noting that if I do an ssh login with ssh [hostname] I get in perfectly with no password prompt. But if I use ssh root@ip.address it asks for a password. So I'm pretty sure the SSH keys are set up correctly. It just won't allow a passwordless root login.

This probably defaults to user masoninthesis whereas the deploy.yml playbook you’re running attempts to connect as the user named web. Notice how your verbose output shows ESTABLISH SSH CONNECTION FOR USER: web. Because web is the relevant user, connections as root are also less relevant to this specific failed connection.

I think there is still trouble with the keys. If a key were found, you’d probably see something like this in the verbose output:

debug1: Offering RSA public key: /Users/masoninthesis/.ssh/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply

However, you don’t see that. Instead, after looking for various keys of the expected types, the message is No such file or directory for each.

Try these steps:

  • Confirm that you indeed have keys on your local machine in /Users/masoninthesis/.ssh
  • Check whether your ssh agent has loaded the keys. You should see your key output after running ssh-add -l (lists keys known to agent)
  • Add your key(s) to ssh agent by running ssh-add -K (will probably prompt for password that normally protects each key file)
  • Be sure you’ve had a successful run of server.yml which will set up the web user on the remote, so it can be used with deploy.yml

I’d just use the defaults Trellis sets in the sshd role, i.e., leave any sshd settings as they are in Trellis and run server.yml which will apply those settings. Looking at your sshd_config file, it looks like maybe you haven’t run server.yml. Are you using Trellis to provision (server.yml) or just to deploy (deploy.yml)?
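The checklist above turns on what an `ssh -vvv` run shows: an "Offering ... public key" line versus "No such file or directory" for each key path. This is an added example (not code from the thread or from Trellis) that triages a captured transcript along those lines; the two sample transcripts are constructed, and `triage_ssh_debug` is my own name.

```python
import re

# Constructed sample fragments of `ssh -vvv` client output (not taken from the
# thread): the first shows a key being offered, the second the "no key" pattern.
SAMPLE_KEY_OFFERED = """\
<104.236.151.224> ESTABLISH SSH CONNECTION FOR USER: web
debug1: Offering RSA public key: /Users/masoninthesis/.ssh/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
"""

SAMPLE_NO_KEY = """\
<107.170.228.201> ESTABLISH SSH CONNECTION FOR USER: web
debug1: Trying private key: /Users/masoninthesis/.ssh/id_dsa
debug3: no such identity: /Users/masoninthesis/.ssh/id_dsa: No such file or directory
debug1: Trying private key: /Users/masoninthesis/.ssh/id_ecdsa
debug3: no such identity: /Users/masoninthesis/.ssh/id_ecdsa: No such file or directory
debug1: No more authentication methods to try.
Permission denied (publickey,password).
"""

USER_RE = re.compile(r"ESTABLISH SSH CONNECTION FOR USER: (\S+)")
OFFERED_RE = re.compile(r"Offering (?:\w+ )?public key: (\S+)")
MISSING_RE = re.compile(r"no such identity: (\S+): No such file or directory")
DENIED_RE = re.compile(r"Permission denied \(([^)]+)\)")

def triage_ssh_debug(output):
    """Classify an ssh -vvv transcript: which user was used, which key files
    were offered, which were looked for but absent, and the next step."""
    user = None
    offered, missing, methods = [], [], []
    for line in output.splitlines():
        if m := USER_RE.search(line):
            user = m.group(1)
        elif m := OFFERED_RE.search(line):
            offered.append(m.group(1))
        elif m := MISSING_RE.search(line):
            missing.append(m.group(1))
        elif m := DENIED_RE.search(line):
            methods = m.group(1).split(",")   # methods the server still accepts
    if offered:
        next_step = "key offered; check the remote user's authorized_keys"
    elif missing:
        next_step = "no usable key found; run ssh-add -l, then ssh-add -K"
    else:
        next_step = "inconclusive; re-run with -vvvv"
    return {"user": user, "offered": offered, "missing": missing,
            "server_methods": methods, "next_step": next_step}
```

Feed it the saved output of `ssh -vvv web@host` (or Ansible's `-vvvv` log) and the `user` field also confirms which account the connection actually used.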
Should be fine. Trellis minimum version is currently 2.0.0.2

1 Like

I was able to solve the server.yml issue above by respinning a server and trying again. Once I used my standard id_rsa (instead of creating a custom named key), the ssh root@ip.address worked.

I’m stumped on the next part though. When I deploy I get this.

For some reason it seems to be telling me that git@github.com/masoninthesis/snapfast-wp1.3.git isn’t valid. But it pulls up even in the browser for me.

I spent some time verifying that my agent forwarding is working. All those steps seem to check out.

My only current lead is that it could be my ~/.ssh/config file or possibly my trellis/group_vars/all/users.yml.

I’m stumped for the night/morning. :sleeping:

For troubleshooting:

  1. ssh web@ip.address
  2. ssh -T git@github.com

That should connect fine from the web user. If it doesn’t, deploys won’t work.

1 Like

Hey @swalkinshaw, that's the weird thing: it seems to work just fine.

MasonsMBP:/ masoninthesis$ ssh web@104.236.151.224
Welcome to Ubuntu 14.04.4 LTS (GNU/Linux 3.13.0-79-generic x86_64)

 * Documentation:  https://help.ubuntu.com/

  System information as of Thu Mar 17 12:37:51 UTC 2016

  System load:  0.02               Processes:           80
  Usage of /:   15.1% of 19.56GB   Users logged in:     0
  Memory usage: 26%                IP address for eth0: 104.236.151.224
  Swap usage:   3%

  Graph this data and manage this system at:
    https://landscape.canonical.com/

32 packages can be updated.
27 updates are security updates.

Last login: Thu Mar 17 12:35:49 2016 from c-98-202-143-111.hsd1.ut.comcast.net
web@Snapfast-wp1:~$
MasonsMBP:/ masoninthesis$ ssh -T git@github.com
Hi masoninthesis! You've successfully authenticated, but GitHub does not provide shell access.
MasonsMBP:/ masoninthesis$

And can you clone it while SSH’d in?

git clone git@github.com/masoninthesis/snapfast-wp1.3.git

Doesn’t appear so.

web@Snapfast-wp1:~$ git clone git@github.com/masoninthesis/snapfast-wp1.3.git
fatal: repository 'git@github.com/masoninthesis/snapfast-wp1.3.git' does not exist
web@Snapfast-wp1:~$

Use git@github.com:masoninthesis/snapfast-wp1.3.git. Remember to copy & paste the repo in SSH from GitHub to avoid formatting problems/typos.

1 Like

Glorious. Thanks so much @swalkinshaw and @fullyint!

Served and deployed: http://104.236.151.224/

Scott, that was a very effective way to troubleshoot it. I guess the confusion came in on that remote url. I read some docs (github + git) on it last night. Neither article gave me the exact url I was looking to place in group-vars//wordpress-sites.yml, so I tried a bunch of different combinations.

Obviously the format is pretty easy to get by just adding your <org-name>/<repo> to git@github.com:, but is there a place we can actually copy paste that exact url from in the future?

Edit: Ah I see, it’s the dropdown next to your project’s git clone url. Just select SSH

Also just did a PR so we enforce that format better: Improve Git repo format validation by swalkinshaw · Pull Request #516 · roots/trellis · GitHub

1 Like
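The failure earlier in the thread was a repo value with "/" after the host where the scp-like SSH form needs ":". As an added example (not Trellis code and not the PR above), this is the kind of check a deploy step could run on the configured repo before calling git, returning the corrected value for that specific mistake; the regexes and `validate_git_repo` are my own.

```python
import re

# Accepted forms: scp-like "user@host:path" and a full "ssh://user@host/path" URL.
SCP_LIKE = re.compile(r"^(?P<user>[\w.-]+)@(?P<host>[\w.-]+):(?P<path>[\w./-]+)$")
SSH_URL = re.compile(r"^ssh://(?:[\w.-]+@)?(?P<host>[\w.-]+)(?::\d+)?/(?P<path>[\w./-]+)$")
# The mistake from the thread: "/" where the scp-like form needs ":" after the host.
SLASH_AFTER_HOST = re.compile(r"^(?P<user>[\w.-]+)@(?P<host>[\w.-]+)/(?P<path>[\w./-]+)$")

ERR_SLASH = "scp-like SSH repo must use ':' between host and path, not '/'"
ERR_UNKNOWN = "unrecognised SSH repo format"

def validate_git_repo(repo):
    """Return a dict describing whether `repo` is a usable SSH remote.
    On the host/path slash mistake, `suggested` carries the corrected value."""
    repo = repo.strip()
    for pattern in (SCP_LIKE, SSH_URL):
        m = pattern.match(repo)
        if m:
            return {"ok": True, "host": m["host"], "path": m["path"],
                    "suggested": None, "error": None}
    m = SLASH_AFTER_HOST.match(repo)
    if m:
        fixed = f"{m['user']}@{m['host']}:{m['path']}"
        return {"ok": False, "host": m["host"], "path": m["path"],
                "suggested": fixed, "error": ERR_SLASH}
    # Anything else (https://, a bare path, a typo) is rejected without a guess.
    return {"ok": False, "host": None, "path": None,
            "suggested": None, "error": ERR_UNKNOWN}
```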

So I fixed this issue yesterday. Was able to provision and deploy to my ip address (104.236.151.224).

Just changed some theme/SCSS files working locally, went to deploy it today and I’m getting a similar error again.

Verbose error log

Git repo git@github.com:masoninthesis/snapfast-wp1.3.git cannot be accessed. Please verify the repository exists and you have SSH forwarding set up correctly.

I can still login to my SSH using ssh web@104.236.151.224

Here’s my repo.

It’s weird considering my Trellis hasn’t been updated/changed since my successful deploy yesterday.

Any thoughts?

My guess is that your ssh-agent has “forgotten” your key. The verbose output mentions:

More info:
> https://roots.io/trellis/docs/deploys/#ssh-keys
> https://roots.io/trellis/docs/ssh-keys/#cloning-remote-repo-using-ssh-agent-forwarding

The link about “cloning remote repo” mentions:

OSX users. Remember to import your SSH key password into Keychain by running ssh-add -K

It links to a troubleshooting page that explains:

On Mac OS X, ssh-agent will “forget” this key, once it gets restarted during reboots. But you can import your SSH keys into Keychain using this command:
ssh-add -K

Here’s a famous discourse post on the topic.

Hopefully that will solve the clone problem.

2 Likes

I’m going to close this thread as the original issue has been solved. We don’t like to keep adding separate issues to existing threads since it’s confusing and hard to search.