Failed to connect to the host via ssh: OpenSSH_6.2p2, OSSLShim 0.9.8r 8 Dec 2011 command-line line 0: Bad protocol 2 host key algorithms 'ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,ssh-rsa'

This is an attempt to provision a fresh DO Ubuntu 16.04.2 x64 droplet using the latest Trellis. I tried a version from back in February and it worked no problem, but the latest version won’t even install Python.

Connecting to the remote directly via SSH works.

I noticed that the “The authenticity of host…” msg/prompt that usually appears doesn’t prompt me in this latest version.

$ ansible-playbook server.yml -e env=staging -vvvv
Using /Users/cfx/Sites/patstrellis/trellis/ansible.cfg as config file
statically included: /Users/cfx/Sites/patstrellis/trellis/roles/common/tasks/disable_challenge_sites.yml
statically included: /Users/cfx/Sites/patstrellis/trellis/roles/common/tasks/reload_nginx.yml
statically included: /Users/cfx/Sites/patstrellis/trellis/roles/users/tasks/connection-warnings.yml
statically included: /Users/cfx/Sites/patstrellis/trellis/vendor/roles/composer/tasks/global-require.yml
statically included: /Users/cfx/Sites/patstrellis/trellis/roles/letsencrypt/tasks/setup.yml
statically included: /Users/cfx/Sites/patstrellis/trellis/roles/letsencrypt/tasks/nginx.yml
statically included: /Users/cfx/Sites/patstrellis/trellis/roles/letsencrypt/tasks/certificates.yml
statically included: /Users/cfx/Sites/patstrellis/trellis/roles/wordpress-setup/tasks/database.yml
statically included: /Users/cfx/Sites/patstrellis/trellis/roles/wordpress-setup/tasks/self-signed-certificate.yml
statically included: /Users/cfx/Sites/patstrellis/trellis/roles/wordpress-setup/tasks/nginx-includes.yml
statically included: /Users/cfx/Sites/patstrellis/trellis/roles/wordpress-setup/tasks/nginx.yml
Loading callback plugin output of type stdout, v2.0 from /usr/local/lib/python2.7/site-packages/ansible/plugins/callback/__init__.pyc

PLAYBOOK: server.yml ***********************************************************
4 plays in server.yml

PLAY [Ensure necessary variables are defined] **********************************

TASK [Ensure environment is defined] *******************************************
task path: /Users/cfx/Sites/patstrellis/trellis/variable-check.yml:8
skipping: [localhost] => {
    "changed": false,
    "skip_reason": "Conditional check failed",
    "skipped": true
}

PLAY [Test Connection and Determine Remote User] *******************************

TASK [connection : Require manual definition of remote-user] *******************
task path: /Users/cfx/Sites/patstrellis/trellis/roles/connection/tasks/main.yml:2
skipping: [67.205.186.228] => {
    "changed": false,
    "skip_reason": "Conditional check failed",
    "skipped": true
}

TASK [connection : Check whether Ansible can connect as root] ******************
task path: /Users/cfx/Sites/patstrellis/trellis/roles/connection/tasks/main.yml:9
Using module file /usr/local/lib/python2.7/site-packages/ansible/modules/core/commands/command.py
<localhost> ESTABLISH LOCAL CONNECTION FOR USER: cfx
<localhost> EXEC /bin/sh -c '/usr/local/opt/python/bin/python2.7 && sleep 0'
ok: [67.205.186.228 -> localhost] => {
    "changed": false,
    "cmd": [
        "ansible",
        "67.205.186.228",
        "-m",
        "raw",
        "-a",
        "whoami",
        "-u",
        "root",
        "--connection=smart",
        "--timeout=10",
        "--inventory-file=hosts",
        "-vvvv"
    ],
    "delta": "0:00:00.415232",
    "end": "2017-03-20 17:48:12.019668",
    "failed": false,
    "failed_when_result": false,
    "invocation": {
        "module_args": {
            "_raw_params": "ansible 67.205.186.228 -m raw -a whoami -u root --connection='smart' --timeout='10' --inventory-file='hosts' -vvvv",
            "_uses_shell": false,
            "chdir": null,
            "creates": null,
            "executable": null,
            "removes": null,
            "warn": true
        },
        "module_name": "command"
    },
    "rc": 4,
    "start": "2017-03-20 17:48:11.604436",
    "stderr": "",
    "stdout": "Using /Users/cfx/Sites/patstrellis/trellis/ansible.cfg as config file\n\u001b[0;34mLoading callback plugin minimal of type stdout, v2.0 from /usr/local/lib/python2.7/site-packages/ansible/plugins/callback/__init__.pyc\u001b[0m\n\u001b[0;34m<67.205.186.228> ESTABLISH SSH CONNECTION FOR USER: root\u001b[0m\n\u001b[0;34m<67.205.186.228> SSH: EXEC ssh -vvv -o ForwardAgent=yes -o ControlMaster=auto -o ControlPersist=60s -o HostKeyAlgorithms=ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,ssh-rsa -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o User=root -o ConnectTimeout=10 -o ControlPath=/Users/cfx/.ansible/cp/ansible-ssh-%h-%p-%r -tt 67.205.186.228 whoami\u001b[0m\n\u001b[1;31m67.205.186.228 | UNREACHABLE! => {\n    \"changed\": false, \n    \"msg\": \"Failed to connect to the host via ssh: OpenSSH_6.2p2, OSSLShim 0.9.8r 8 Dec 2011\\ncommand-line line 0: Bad protocol 2 host key algorithms 'ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,ssh-rsa'.\\r\\n\", \n    \"unreachable\": true\n}\u001b[0m",
    "stdout_lines": [
        "Using /Users/cfx/Sites/patstrellis/trellis/ansible.cfg as config file",
        "\u001b[0;34mLoading callback plugin minimal of type stdout, v2.0 from /usr/local/lib/python2.7/site-packages/ansible/plugins/callback/__init__.pyc\u001b[0m",
        "\u001b[0;34m<67.205.186.228> ESTABLISH SSH CONNECTION FOR USER: root\u001b[0m",
        "\u001b[0;34m<67.205.186.228> SSH: EXEC ssh -vvv -o ForwardAgent=yes -o ControlMaster=auto -o ControlPersist=60s -o HostKeyAlgorithms=ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,ssh-rsa -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o User=root -o ConnectTimeout=10 -o ControlPath=/Users/cfx/.ansible/cp/ansible-ssh-%h-%p-%r -tt 67.205.186.228 whoami\u001b[0m",
        "\u001b[1;31m67.205.186.228 | UNREACHABLE! => {",
        "    \"changed\": false, ",
        "    \"msg\": \"Failed to connect to the host via ssh: OpenSSH_6.2p2, OSSLShim 0.9.8r 8 Dec 2011\\ncommand-line line 0: Bad protocol 2 host key algorithms 'ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,ssh-rsa'.\\r\\n\", ",
        "    \"unreachable\": true",
        "}\u001b[0m"
    ],
    "warnings": []
}

TASK [connection : Warn about change in host keys] *****************************
task path: /Users/cfx/Sites/patstrellis/trellis/roles/connection/tasks/main.yml:17
skipping: [67.205.186.228] => {
    "changed": false,
    "skip_reason": "Conditional check failed",
    "skipped": true
}

TASK [connection : Set remote user for each host] ******************************
task path: /Users/cfx/Sites/patstrellis/trellis/roles/connection/tasks/main.yml:41
ok: [67.205.186.228] => {
    "ansible_facts": {
        "ansible_user": "admin"
    },
    "changed": false,
    "invocation": {
        "module_args": {
            "ansible_user": "admin"
        },
        "module_name": "set_fact"
    }
}

TASK [connection : Announce which user was selected] ***************************
task path: /Users/cfx/Sites/patstrellis/trellis/roles/connection/tasks/main.yml:46
Note: Ansible will attempt connections as user = admin
ok: [67.205.186.228] => {}

TASK [connection : Load become password] ***************************************
task path: /Users/cfx/Sites/patstrellis/trellis/roles/connection/tasks/main.yml:50
ok: [67.205.186.228] => {"censored": "the output has been hidden due to the fact that 'no_log: true' was specified for this result"}

PLAY [Install prerequisites] ***************************************************

TASK [Install Python 2.x] ******************************************************
task path: /Users/cfx/Sites/patstrellis/trellis/server.yml:17
<67.205.186.228> ESTABLISH SSH CONNECTION FOR USER: admin
<67.205.186.228> SSH: EXEC ssh -vvv -o ForwardAgent=yes -o ControlMaster=auto -o ControlPersist=60s -o HostKeyAlgorithms=ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,ssh-rsa -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o User=admin -o ConnectTimeout=10 -o ControlPath=/Users/cfx/.ansible/cp/ansible-ssh-%h-%p-%r -tt 67.205.186.228 'sudo -H -S  -p "[sudo via ansible, key=esbpbsdswirmbvhbaadpyweebleawjze] password: " -u root /bin/sh -c '"'"'echo BECOME-SUCCESS-esbpbsdswirmbvhbaadpyweebleawjze; which python || sudo apt-get update && sudo apt-get install -qq -y python-simplejson'"'"''
System info:
  Ansible 2.2.0.0; Darwin
  Trellis at "Change `remote-user` role to `connection` role: tests host key, user"
---------------------------------------------------
Failed to connect to the host via ssh: OpenSSH_6.2p2, OSSLShim 0.9.8r 8 Dec
2011
command-line line 0: Bad protocol 2 host key algorithms 'ssh-
ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,ssh-
rsa'.

fatal: [67.205.186.228]: UNREACHABLE! => {
    "changed": false,
    "unreachable": true
}
	to retry, use: --limit @/Users/cfx/Sites/patstrellis/trellis/server.retry

PLAY RECAP *********************************************************************
67.205.186.228             : ok=4    changed=0    unreachable=1    failed=0
localhost                  : ok=0    changed=0    unreachable=0    failed=0

I’m running OS X 10.10.5 for reference.

I opened trellis/ansible.cfg and removed -o HostKeyAlgorithms=ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,ssh-rsa for now.

Appears to work as expected.

Same problem on OS X 10.10.5. Same solution but after that mine fails at TASK [deploy : Add known_hosts]

I updated Trellis yesterday and it’s supposed to default back to old behavior but it seems to be breaking with the changes somewhere. I’ll post if I figure something out :slight_smile:

I had a similar issue, it was caused by explicitly set HostKey algorithms in ansible (SSH client) config.
See https://github.com/roots/trellis/issues/784
and https://github.com/ansible/ansible/issues/22289 .

You could try to comment out the explicit HostKey algorithms list for the initial provisioning.
After a successful Trellis provisioning the SSH server/config is in a well-known working state.


Figured out something… I ran old OSX 10.10.5 with an outdated ssh client which doesn’t include HostKeyAlgorithms.

The problem is solved by updating the ssh client. Now I run the latest OSX on a new Mac.

However, I ran into another problem when running deploy.yml. This is probably off topic in this thread, but I’ll ask it here anyway.

On task TASK [deploy : Add known_hosts]

I get this on all four known_hosts (github.com, bitbucket.org, gitlab.com, gitlab.com):

Failed to write to file /home/deploy/.ssh/known_hosts: [Errno 2] No such file
or directory: '/home/deploy/.ssh/tmpREfbNz'
failed: [example.com] (item={u'name': u'github.com', u'key': u'github.com ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ=='}) => {
    "failed": true,
    "invocation": {
        "module_args": {
            "key": "github.com ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==",
            "name": "github.com",
            "path": "/home/deploy/.ssh/known_hosts",
            "state": "present"
        },
        "module_name": "known_hosts"
    },
    "item": {
        "key": "github.com ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==",
        "name": "github.com"
    }
}

What looks weird to me is this line: '/home/deploy/.ssh/tmpREfbNz'. What is that hash at the end?

Any idea @fullyint ? :slight_smile:

HostKeyAlgorithms. I’ll create a Trellis update regarding HostKeyAlgorithms shortly. The problem should only occur on machines where ssh -V shows an OpenSSH version less than 6.5.

In the meantime, people may deal with this issue by removing -o HostKeyAlgorithms=... from ansible.cfg then just deal with the host key change that will probably appear on later connections.

known_hosts. tl;dr just try this:

# ensure web_user exists on server
ansible-playbook server.yml -e env=production --tags users

# try deploying again
./bin/deploy.sh production example.com

Now the long conceptual version…

Regarding the tmpREfbNz, I bet Ansible is just attempting to create a tmp file before modifying the actual known_hosts file expected to be in that directory.

What stands out to me is the /home/deploy/.ssh/ directory. This means that the ansible_user variable is resolving to deploy, which implies that the web_user making the connection is defined as web_user: deploy. Given that web_user is normally web by default, it looks like you have some customizations that you could double-check.

Ensure that your user running the deploy exists on the server (i.e., has a /home/username/.ssh directory). Check these:

  • users includes {{ web_user }}
  • you have run the users role from server.yml with your latest definition of web_user
  • you have the default definition of remote_user: "{{ web_user }}" in deploy.yml

The docs provide more conceptual info on users, for those interested.
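
The version condition from the post above (the option only breaks on OpenSSH clients older than 6.5), as an added example that is not from the thread or from Trellis: it parses an ssh -V banner and keeps only the host key algorithms that client can parse, instead of dropping the whole option. The function names are made up for this example.

```shell
#!/bin/sh
# Added example: trim a HostKeyAlgorithms list to what the local client parses.
# ed25519 key types were introduced in OpenSSH 6.5; older clients reject the
# whole option when the list names them.

# List copied from the ssh command line in the log in this thread.
WANTED="ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,ssh-rsa"

# openssh_version BANNER -> prints "MAJOR MINOR" parsed from `ssh -V` output.
openssh_version() {
    printf '%s\n' "$1" |
        sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p' |
        head -n 1
}

# supports_ed25519 BANNER -> status 0 only for OpenSSH 6.5 or newer.
supports_ed25519() {
    set -- $(openssh_version "$1")
    [ $# -eq 2 ] || return 1    # unparseable banner: treat as too old
    [ "$1" -gt 6 ] || { [ "$1" -eq 6 ] && [ "$2" -ge 5 ]; }
}

# host_key_algorithms BANNER -> prints the comma list that client accepts.
host_key_algorithms() {
    if supports_ed25519 "$1"; then
        printf '%s\n' "$WANTED"
        return 0
    fi
    out=""
    old_ifs=$IFS
    IFS=,
    for alg in $WANTED; do
        case "$alg" in
            *ed25519*) ;;                      # unknown before OpenSSH 6.5
            *) out="${out:+$out,}$alg" ;;
        esac
    done
    IFS=$old_ifs
    printf '%s\n' "$out"
}

# Banner copied from the error message in this thread; on a real machine pass
# "$(ssh -V 2>&1)" instead.
host_key_algorithms "OpenSSH_6.2p2, OSSLShim 0.9.8r 8 Dec 2011"
```

The printed list can stand in for the value after -o HostKeyAlgorithms= in ansible.cfg, so an old client still gets an explicit host key preference.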

Thanks for the great explanation. I should have been more detailed in my custom case.

You are correct that I deploy with a user called deploy. I’ve run the trellis box for a long time and at one point this was the deploy user. I’d like to keep it this way since it’s the same on a lot of websites I deploy.

The other issue is that these servers are not provisioned with trellis but run a similar stack, so I can’t really run server.yml.

I’ll try and figure it out. If you have any ideas please PM me :slight_smile: I’m sure you know a lot more what’s going on. I’d rather not pollute this thread because I think my problem is irrelevant.

Proposed fix for HostKeyAlgorithms on old OpenSSH: roots/trellis#798
Testing welcome!
