Fresh DO Staging Server Provisioning Issues Too many authentication failures

jasperfrumau · December 26, 2017, 6:36am

Just set up a new Digital Ocean 16.0.4 Ubuntu Droplet and I am trying to provision. It fails all the time:

TASK [Install Python 2.x] ****************************************************************************************************************
task path: /Users/jasper/webdesign/publiqly.com/trellis/server.yml:17
<xxx.xxx.xxx.xxx> ESTABLISH SSH CONNECTION FOR USER: admin
<xxx.xxx.xxx.xxx> SSH: EXEC ssh -o ForwardAgent=yes -o ControlMaster=auto -o ControlPersist=60s -o HostKeyAlgorithms=ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,ssh-rsa -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o User=admin -o ConnectTimeout=10 -o ControlPath=/Users/jasper/.ansible/cp/3fbaecdf22 -tt xxx.xxx.xxx.xxx 'sudo -H -S  -p "[sudo via ansible, key=wzzqdxmfjzyqkvombltcccrcgvlbfutw] password: " -u root /bin/sh -c '"'"'echo BECOME-SUCCESS-wzzqdxmfjzyqkvombltcccrcgvlbfutw; which python || sudo apt-get update && sudo apt-get install -qq -y python-simplejson'"'"''
<xxx.xxx.xxx.xxx> (255, '', 'Received disconnect from xxx.xxx.xxx.xxx port 22:2: Too many authentication failures\r\nDisconnected from xxx.xxx.xxx.xxx port 22\r\n')
System info:
  Ansible 2.3.2.0; Darwin
  Trellis at "Accommodate deploy hook vars formatted as lists of includes"
---------------------------------------------------
Failed to connect to the host via ssh: Received disconnect from
xxx.xxx.xxx.xxx port 22:2: Too many authentication failures
Disconnected from xxx.xxx.xxx.xxx port 22

fatal: [xxx.xxx.xxx.xxx]: UNREACHABLE! => {
    "changed": false, 
    "unreachable": true
}
	to retry, use: --limit @/Users/jasper/webdesign/publiqly.com/trellis/server.retry

PLAY RECAP *******************************************************************************************************************************
xxx.xxx.xxx.xxx            : ok=4    changed=0    unreachable=1    failed=0   
localhost                  : ok=0    changed=0    unreachable=0    failed=0

And I really do not understand why this is happening. Either I get the warning I cannot log on or that there were too many authentication failures like you see here above. Tried with a VPN just now to see if that would help, but that did not matter either.
Also, when I use the domain to ssh into the server as root I get:

Warning: Permanently added 'staging.publiqly.com' (ECDSA) to the list of known hosts.
Warning: the ECDSA host key for 'staging.domain.com' differs from the key for the IP address 'xxx.xxx.xxx.xxx'
Offending key for IP in /Users/jasper/.ssh/known_hosts:85

and when I do accept I can access the server as root…

jasperfrumau · December 26, 2017, 7:16am

When I do a ssh-add -l I seem too have added a lot of vagrant keys besides my standard id_rsa key. I was suggested here to remove them using ssh-add -d path/to/key but when I try to remove on I get:

ssh-add -d /Users/jasper/webdesign/sub.domain.com/trellis/.vagrant/machines/default/virtualbox/private_key
Bad key file /Users/jasper/webdesign/sub.domain.com/trellis/.vagrant/machines/default/virtualbox/private_key: No such file or directory

So I did a ssh-add -D and then ssh-add -K to add my main key only. Then I got:

TASK [Install Python 2.x] *************************************************************************************************************
task path: /Users/jasper/webdesign/domain.com/trellis/server.yml:17
<xxx.xxx.xxx.xxx> ESTABLISH SSH CONNECTION FOR USER: admin
<xxx.xxx.xxx.xxx> SSH: EXEC ssh -o ForwardAgent=yes -o ControlMaster=auto -o ControlPersist=60s -o HostKeyAlgorithms=ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,ssh-rsa -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o User=admin -o ConnectTimeout=10 -o ControlPath=/Users/jasper/.ansible/cp/3fbaecdf22 -tt xxx.xxx.xxx.xxx 'sudo -H -S  -p "[sudo via ansible, key=zpcsvynujdjxrfxrbefvolntnwlbdtep] password: " -u root /bin/sh -c '"'"'echo BECOME-SUCCESS-zpcsvynujdjxrfxrbefvolntnwlbdtep; which python || sudo apt-get update && sudo apt-get install -qq -y python-simplejson'"'"''
<xxx.xxx.xxx.xxx> (255, '', 'admin@xxx.xxx.xxx.xxx: Permission denied (publickey).\r\n')
System info:
  Ansible 2.3.2.0; Darwin
  Trellis at "Accommodate deploy hook vars formatted as lists of includes"
---------------------------------------------------
Failed to connect to the host via ssh: admin@xxx.xxx.xxx.xxx: Permission
denied (publickey).

fatal: [xxx.xxx.xxx.xxx]: UNREACHABLE! => {
    "changed": false, 
    "unreachable": true
}
	to retry, use: --limit @/Users/jasper/webdesign/domain.com/trellis/server.retry

PLAY RECAP ****************************************************************************************************************************
xxx.xxx.xxx.xxx            : ok=4    changed=0    unreachable=1    failed=0   
localhost                  : ok=0    changed=0    unreachable=0    failed=0

Tried something else and it seems to be an issue with the user Ansible grabbed. When I added:

# Add each host to the [staging] group and to a "type" group such as [web] or [db].
# List each machine only once per [group], even if it will host multiple sites.

[staging]
xxx.xxx.xxx.xxx ansible_user=root

[web]
xxx.xxx.xxx.xxx

it started working but when I replace admin_user by root I do not get the admin users installed anymore and that causes other issues. So the question is … why do I need to set the ansible_user this way…

jasperfrumau · December 28, 2017, 8:54am

Solved here: Failed to connect to the host via ssh: admin@xxx.xxx.xxx.xxx: Permission denied (publickey)