New Github SSH Keys - Deploy SSH Error

As of today github is changing SSH keys to a more secure type (article link)

The update about the key change:

Existing keys will continue to function through March 15, 2022. You cannot add new DSA keys to your user account on GitHub.com. RSA keys (ssh-rsa) with a valid_after before November 2, 2021 may continue to use any signature algorithm. RSA keys generated after that date must use a SHA-2 signature algorithm.

I had to generate a new key for myself and I believe the new key and ansible don’t work together. When deploying I see this error:

PLAY [Deploy WP site] ***************************************************************

TASK [Gathering Facts] **************************************************************
System info:
  Ansible 2.7.0; Darwin
  Trellis 1.0.3: April 30th, 2019
---------------------------------------------------
SSH Error: data could not be sent to remote host "xxx.xxx.xxx.xx". Make sure
this host can be reached over ssh
fatal: [staging_host]: UNREACHABLE! => {"changed": false, "unreachable": true}
        to retry, use: --limit @/Users/.../trellis/deploy.retry

PLAY RECAP **************************************************************************
localhost                  : ok=0    changed=0    unreachable=0    failed=0   
staging_host               : ok=1    changed=0    unreachable=1    failed=0  

I’ve tried the legacy SSH key option and the new option as well. Has anyone else experienced or found a solution for this? Any help is greatly appreciated. Thank you!

I’m assuming you created a new ed25519 key? Ansible works fine with that type with many of us using them for a while now.

I’ve tried the legacy SSH key option and the new option as well.

Can you confirm exactly how/what you’ve done to try that? You need both keys set in Trellis because you need to:

  1. define the new key in your users value (the default has both as an example)
  2. provision your server (this will connect using the existing key) and add the new one
  3. (optional) remove the old key from users

note: you need to provision before deploying
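Step 1 of the procedure above, as an added example (not Trellis's own file, though the layout follows the default `group_vars/all/users.yml` that ships with Trellis): both the existing RSA public key and the new Ed25519 public key are listed for each user, so the provision run can authenticate with the old key and install the new one. The two local key paths are assumptions about your own machine.

```yaml
# group_vars/all/users.yml (added example; the key file paths are assumptions)
users:
  - name: "{{ web_user }}"
    groups:
      - "{{ web_group }}"
    keys:
      # existing RSA key: the provision run connects with this one
      - "{{ lookup('file', '~/.ssh/id_rsa.pub') }}"
      # new Ed25519 key: the provision run installs this one on the server
      - "{{ lookup('file', '~/.ssh/id_ed25519.pub') }}"
  - name: "{{ admin_user }}"
    groups:
      - sudo
    keys:
      - "{{ lookup('file', '~/.ssh/id_rsa.pub') }}"
      - "{{ lookup('file', '~/.ssh/id_ed25519.pub') }}"
```

Provision with the usual `ansible-playbook server.yml -e env=staging`, confirm from a second terminal that `ssh -i ~/.ssh/id_ed25519 admin@<host>` logs in, and only then drop the `id_rsa.pub` lines and provision once more so the retired key is removed from `authorized_keys` rather than left behind.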

Yes, I meant the new ed25519 key, as well as their legacy RSA option, just to be safe.

Note: If you are using a legacy system that doesn’t support the Ed25519 algorithm, use:

$ ssh-keygen -t rsa -b 4096 -C "your_email@example.com"

Do you know if the ed25519 key has been used/tested in ansible version 2.7.0?

As for how/what I’ve tried:

  1. I’ve tried using either key type in users.yml, with no luck.

  2. I will have to confirm this tomorrow with my co-worker. I believe the server was provisioned when the keys were updated.

  3. I will check to see if the older keys were removed.

Thank you for the prompt and helpful reply. I’ll let you know how 2/3 go when I try them.

As far as I know, Ansible doesn’t really need to “support” different key algorithms. It just adds the key to the server without caring. And for SSH’ing, I assume Ansible just uses lower level OpenSSH libraries which would support it fine as well.

If you think it’s an Ansible key issue, you can set the ANSIBLE_HOST_KEY_CHECKING=False environment variable temporarily.
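A way to rule the client side in or out, as an added example that is not part of the original thread: pin the exact private key Ansible hands to OpenSSH with the standard inventory variables `ansible_ssh_private_key_file` and `ansible_ssh_common_args`. Trellis keeps its inventory in INI form under `hosts/`; the YAML inventory below is an assumption about layout, and the host name, address and user are placeholders. The same `key=value` pairs can be appended to the host line of an INI inventory.

```yaml
# hosts/staging as a YAML inventory (added example; names and address are placeholders)
all:
  hosts:
    staging_host:
      ansible_host: xxx.xxx.xxx.xx
      ansible_user: admin
      # offer exactly this key instead of whichever key the agent presents first
      ansible_ssh_private_key_file: ~/.ssh/id_ed25519
      # same effect as `ssh -o IdentitiesOnly=yes`: stale keys in the agent are
      # not tried ahead of this one, so the server's MaxAuthTries is not used up
      ansible_ssh_common_args: "-o IdentitiesOnly=yes"
```

`ansible staging_host -i hosts/staging -m ping` then either succeeds, which means the Ed25519 key is accepted and the problem lies in what the playbook connects with, or fails with the same `UNREACHABLE`, which points at the server's `authorized_keys` (the provision step above). Note that `ANSIBLE_HOST_KEY_CHECKING` only controls verification of the server's host key against `known_hosts`; it has no effect on which user key the client offers, so leaving it enabled costs nothing in this diagnosis.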