# Best Practice: Passwordless Authentication

**URL:** https://discourse.roots.io/t/best-practice-passwordless-authentication/6230
**Category:** trellis
**Created:** 2016-03-17T04:08:14Z
**Posts:** 14

## Post 1 by @masoninthesis — 2016-03-17T04:08:14Z

Hey guys,

I keep running into the same problem over and over for at least 4 months. Back then I figured out a weird workaround and set up my iMac for deployments. I _believe_ the problem is Passwordless Authentication.

Today I started setting up my Macbook for deployments but ran into this issue with Remote Server Setup on TASK [setup]:

```
TASK [setup] ******************************************************************
fatal: [107.170.228.201]: UNREACHABLE! => {"changed": false, "msg": "ERROR! SSH encountered an unknown error during the connection. We recommend you re-run the command using -vvvv, which will enable SSH debugging output to help diagnose the issue", "unreachable": true}

PLAY RECAP ********************************************************************
107.170.228.201 : ok=3 changed=0 unreachable=1 failed=0
localhost : ok=0 changed=0 unreachable=0 failed=0
```

[Here’s the **massive** verbose error log.](https://gist.github.com/masoninthesis/c1e597ed763587fd23e5)

[Here’s the closest issue I found on this discourse.](https://discourse.roots.io/t/why-root-cant-connect-to-remote-server/5702)

Where my problem differs is that if I run:  
`ssh -o PasswordAuthentication=no root@107.170.228.201 "echo can_connect" || echo cannot_connect`

I get:  
`Permission denied (publickey,password). cannot_connect`

Which is why I’m led to believe it has to do with my ssh root password settings.

I’m pretty sure I’ve edited my **/etc/ssh/sshd\_config** correctly, but [here it is just in case](https://gist.github.com/masoninthesis/161de501ad04b1ea9934).

Key lines of [code in my sshd\_config](https://gist.github.com/masoninthesis/161de501ad04b1ea9934):

- `PermitRootLogin without-password`
- `RSAAuthentication yes`
- `PubkeyAuthentication yes`
- `PasswordAuthentication no`
- `ChallengeResponseAuthentication no`
- `UsePAM no`

Another thing possibly worth pointing out is that I’m using Ansible 2.0.0.2 (as was the original problem in the thread I linked above. But I haven’t downgraded because I don’t think our issues are related.)

[Here’s my current repo.](https://github.com/masoninthesis/snapfast-wp1.3)

Any pointers would be amazing. Thanks.

**EDIT:** Probably worth noting that if I do an ssh login with `ssh [hostname]` I get in perfectly with no password prompt. But if I use `ssh root@ip.address` it asks for a password. So I’m pretty sure the SSH keys are set up correctly. It just won’t allow a passwordless root login.

---

## Post 2 by @fullyint — 2016-03-17T05:05:27Z

> [@masoninthesis](#):
>
> if I do an ssh login with ssh [hostname] I get in perfectly with no password prompt

This probably defaults to user `masoninthesis` whereas the `deploy.yml` playbook you’re running attempts to connect as the [user](https://github.com/roots/trellis/blob/4a972f2351532338ce6803107904eb62732f558d/deploy.yml#L8) named [`web`](https://github.com/roots/trellis/blob/4a972f2351532338ce6803107904eb62732f558d/group_vars/all/users.yml#L19). Notice how your verbose output shows `ESTABLISH SSH CONNECTION FOR USER: web`. Because `web` is the relevant user, connections as `root` are also less relevant to this specific failed connection.

> [@masoninthesis](#):
>
> I’m pretty sure the SSH keys are setup correctly.

I think there is still trouble with the keys. If a key were found, you’d probably see something like this in the verbose output:

```
debug1: Offering RSA public key: /Users/masoninthesis/.ssh/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
```

However, you don’t see that. Instead, after looking for various keys of the expected types, the message is `No such file or directory` for each.

Try these steps:

- Confirm that you indeed have keys on your local machine in `/Users/masoninthesis/.ssh`
- Check whether your ssh agent has loaded the keys. You should see your key output after running `ssh-add -l` (lists keys known to agent)
- Add your key(s) to ssh agent by running `ssh-add -K` (will probably prompt for password that normally protects each key file)
- Be sure you’ve had a successful run of `server.yml` which will set up the `web` user on the remote, so it can be used with `deploy.yml`

* * *

> [@masoninthesis](#):
>
> I’m pretty sure I’ve edited my /etc/ssh/sshd\_config correctly

I’d just use the defaults Trellis sets in the `sshd` role, i.e., leave any sshd settings as they are in Trellis and run `server.yml` which will apply those settings. Looking at your `sshd_config` file, it looks like maybe you haven’t run `server.yml`. Are you using Trellis to provision (`server.yml`) or just to deploy (`deploy.yml`)?

* * *

> [@masoninthesis](#):
>
> I’m using Ansible 2.0.0.2

Should be fine. Trellis minimum version is currently 2.0.0.2

---

## Post 3 by @masoninthesis — 2016-03-17T12:54:15Z

I was able to solve the server.yml issue above by respinning a server and trying again. Once I used my standard `id_rsa` (instead of creating a custom named key), the `ssh root@ip.address` worked.

I’m stumped on the next part though. When I deploy [I get this](https://gist.github.com/masoninthesis/b5368321a26b523aa7b0).

For some reason it seems to be telling me that [git@github.com/masoninthesis/snapfast-wp1.3.git](https://github.com/masoninthesis/snapfast-wp1.3/blob/master/trellis/group_vars/staging/wordpress_sites.yml#L7) isn’t valid. But it pulls up even in the browser for me.

I spent some time verifying that my [agent forwarding](https://developer.github.com/guides/using-ssh-agent-forwarding/) is working. All those steps seem to check out.

My only current lead is that it could be [my ~/.ssh/config file](https://gist.github.com/masoninthesis/fd48378a7dd616cb5eff) or possibly [my trellis/group_vars/all/users.yml](https://github.com/masoninthesis/snapfast-wp1.3/blob/master/trellis/group_vars/all/users.yml).

I’m stumped for the night/morning. :sleeping:

---

## Post 4 by @swalkinshaw — 2016-03-17T15:34:39Z

For troubleshooting:

1. `ssh web@ip.address`
2. `ssh -T git@github.com`

That should connect fine from the `web` user. If it doesn’t, deploys won’t work.

---

## Post 5 by @masoninthesis — 2016-03-17T15:55:51Z

Hey @swalkinshaw, that’s the weird thing: it seems to work just fine.

> [@swalkinshaw](#):
>
> ssh web@ip.address

```
MasonsMBP:/ masoninthesis$ ssh web@104.236.151.224
Welcome to Ubuntu 14.04.4 LTS (GNU/Linux 3.13.0-79-generic x86_64)

 * Documentation: https://help.ubuntu.com/

  System information as of Thu Mar 17 12:37:51 UTC 2016

  System load: 0.02 Processes: 80
  Usage of /: 15.1% of 19.56GB Users logged in: 0
  Memory usage: 26% IP address for eth0: 104.236.151.224
  Swap usage: 3%

  Graph this data and manage this system at:
    https://landscape.canonical.com/

32 packages can be updated.
27 updates are security updates.

Last login: Thu Mar 17 12:35:49 2016 from c-98-202-143-111.hsd1.ut.comcast.net
web@Snapfast-wp1:~$
```

> [@swalkinshaw](#):
>
> ssh -T git@github.com

```
MasonsMBP:/ masoninthesis$ ssh -T git@github.com
Hi masoninthesis! You've successfully authenticated, but GitHub does not provide shell access.
MasonsMBP:/ masoninthesis$
```

---

## Post 6 by @swalkinshaw — 2016-03-17T15:57:45Z

And can you clone it while SSH’d in?

`git clone git@github.com/masoninthesis/snapfast-wp1.3.git`

---

## Post 7 by @masoninthesis — 2016-03-17T15:58:39Z

> [@swalkinshaw](#):
>
> git clone git@github.com/masoninthesis/snapfast-wp1.3.git

Doesn’t appear so.

```
web@Snapfast-wp1:~$ git clone git@github.com/masoninthesis/snapfast-wp1.3.git
fatal: repository 'git@github.com/masoninthesis/snapfast-wp1.3.git' does not exist
web@Snapfast-wp1:~$
```

---

## Post 8 by @swalkinshaw — 2016-03-17T16:01:42Z

Use `git@github.com:masoninthesis/snapfast-wp1.3.git`. Remember to copy & paste the repo in SSH from GitHub to avoid formatting problems/typos.
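Why the slash form fails, as an added example (my own code, not Trellis's validation from PR #516): Git only parses a remote as the scp-like `user@host:path` form when no slash appears before the first colon, so `git@github.com/owner/repo.git` is read as a local directory and `clone` reports that the repository does not exist. The regexes and function names below are constructed for this example.

```python
import re

# Forms Git accepts for a remote reached over SSH (patterns constructed for
# this example, not Trellis's own validation):
#   scp-like : user@host:path          e.g. git@github.com:owner/repo.git
#   ssh URL  : ssh://[user@]host[:port]/path
SCP_LIKE = re.compile(r"^(?P<user>[^@/:]+)@(?P<host>[^/:]+):(?P<path>.+)$")
SSH_URL = re.compile(
    r"^ssh://(?:(?P<user>[^@/]+)@)?(?P<host>[^/:]+)(?::(?P<port>\d+))?/(?P<path>.+)$"
)
# The broken form from the thread: a slash where the colon must be.
SLASH_INSTEAD_OF_COLON = re.compile(r"^(?P<user>[^@/:]+)@(?P<host>[^/:]+)/(?P<path>.+)$")


def classify_git_remote(remote):
    """Return (kind, parts); kind is 'scp', 'ssh-url', 'https', 'local-path' or 'unknown'."""
    m = SCP_LIKE.match(remote)
    if m:
        return "scp", m.groupdict()
    m = SSH_URL.match(remote)
    if m:
        return "ssh-url", m.groupdict()
    if re.match(r"^https?://", remote):
        # Reachable, but SSH agent forwarding does nothing for it: a private
        # repo would prompt for HTTPS credentials on the server instead.
        return "https", {"url": remote}
    if "://" not in remote:
        # Git's rule: scp-like syntax is only recognised when no slash appears
        # before the first colon. 'git@github.com/owner/repo.git' has a slash
        # and no colon, so Git treats it as a local directory path.
        return "local-path", {"path": remote}
    return "unknown", {"value": remote}


def suggest_fix(remote):
    """Return the scp-like form for the slash-instead-of-colon mistake, else None."""
    if classify_git_remote(remote)[0] != "local-path":
        return None
    m = SLASH_INSTEAD_OF_COLON.match(remote)
    if not m:
        return None
    return f"{m['user']}@{m['host']}:{m['path']}"


if __name__ == "__main__":
    for r in ("git@github.com:masoninthesis/snapfast-wp1.3.git",
              "git@github.com/masoninthesis/snapfast-wp1.3.git"):
        kind, parts = classify_git_remote(r)
        print(r, "->", kind, parts, "fix:", suggest_fix(r))
```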

---

## Post 9 by @masoninthesis — 2016-03-17T16:19:29Z

Glorious. Thanks so much @swalkinshaw and @fullyint!

Served and deployed: [http://104.236.151.224/](http://104.236.151.224/)

Scott, that was a very effective way to troubleshoot it. I guess the confusion came in on that remote url. I read some docs ([github](https://help.github.com/articles/which-remote-url-should-i-use/) + [git](https://git-scm.com/book/en/v2/Git-Basics-Working-with-Remotes)) on it last night. Neither article gave me the exact url I was looking to place in group-vars//wordpress-sites.yml, so I tried a bunch of different combinations.

Obviously the format is pretty easy to get by just adding your `<org-name>/<repo>` to `git@github.com:`, but is there a place we can actually copy paste that exact url from in the future?

Edit: Ah I see, it’s the dropdown next to your project’s git clone url. Just select `SSH`

---

## Post 10 by @swalkinshaw — 2016-03-17T16:21:21Z

![](https://discourse.roots.io/uploads/default/original/2X/b/bdb445e99152f1ad5f6bf369315c940b1aa8bf89.png)

Also just did a PR so we enforce that format better: [Improve Git repo format validation by swalkinshaw · Pull Request #516 · roots/trellis · GitHub](https://github.com/roots/trellis/pull/516)

---

## Post 11 by @masoninthesis — 2016-03-18T21:55:16Z

So I fixed this issue yesterday. Was able to provision and deploy to my ip address (104.236.151.224).

Just changed some theme/SCSS files working locally, went to deploy it today and I’m getting a similar error again.

[Verbose error Log](https://gist.github.com/masoninthesis/165b46950e431384fb68)

`Git repo git@github.com:masoninthesis/snapfast-wp1.3.git cannot be accessed. Please verify the repository exists and you have SSH forwarding set up correctly.`

I can still login to my SSH using `ssh web@104.236.151.224`

[Here’s my repo.](https://github.com/masoninthesis/snapfast-wp1.3)

It’s weird considering my Trellis hasn’t been updated/changed since my successful deploy yesterday.

Any thoughts?

---

## Post 12 by @fullyint — 2016-03-18T23:52:03Z

My guess is that your ssh-agent has “forgotten” your key. The verbose output mentions:

> 

More info:

> [https://roots.io/trellis/docs/deploys/#ssh-keys](https://roots.io/trellis/docs/deploys/#ssh-keys)
> [https://roots.io/trellis/docs/ssh-keys/#cloning-remote-repo-using-ssh-agent-forwarding](https://roots.io/trellis/docs/ssh-keys/#cloning-remote-repo-using-ssh-agent-forwarding)

The link about “cloning remote repo” mentions:

> **OSX users.** Remember to import your SSH key password into Keychain by running **`ssh-add -K`**

It links to a [troubleshooting page](https://developer.github.com/guides/using-ssh-agent-forwarding/#troubleshooting-ssh-agent-forwarding) that explains:

> On Mac OS X, `ssh-agent` will “forget” this key, once it gets restarted during reboots. But you can import your SSH keys into Keychain using this command:  
> `ssh-add -K`

Here’s a famous discourse [post on the topic](https://discourse.roots.io/t/deploy-missing-keys-to-pull-from-github/3569/3).

Hopefully that will solve the clone problem.

---

## Post 13 by @swalkinshaw — 2016-03-20T20:26:55Z

I’m going to close this thread as the original issue has been solved. We don’t like to keep adding separate issues to existing threads since it’s confusing and hard to search.

---

## Post 14 by @swalkinshaw — 2016-03-20T20:26:58Z


