New SSH Keys not added on Renewed Provisioning

I upgraded to the latest Trellis and I also added https://github.com/jasperf.keys to add my Mac Mini's public SSH key to the mix so I can work on the site from it. But the key was not added to ~/.ssh/authorized_keys. This after successfully running an ansible-playbook server.yml -e env=production to re-provision the server.

I also saw:

    TASK [users : Setup users] *****************************************************

    changed: [domain.nl] => (item={u'keys': [u'ssh-rsa key== me@domain.com', u'https://github.com/jasperf.keys'], u'name': u'web', u'groups': [u'sudo']})

    TASK [users : Add web user sudoers items for services] *************************

    changed: [domain.nl]

    TASK [users : Add SSH keys] ****************************************************

    ok: [domain.nl] => (item=({u'name': u'web', u'groups': [u'sudo']}, u'ssh-rsa key== me@domain.com'))

    changed: [domain.nl] => (item=({u'name': u'web', u'groups': [u'sudo']}, u'https://github.com/jasperf.keys'))

So it looked like the GitHub keys were added…

In the end I added the keys manually from a box that did have access with its id_rsa so I can access now. Just don't understand why it wasn't added in the first place…

Your output suggests that you’ve added the new pub keys to this location for the web_user. I’m guessing you’ll find the keys are there on the server in /home/web/.ssh/authorized_keys. If you don’t see the key in the logged in user’s home directory ~/.ssh/authorized_keys, I’m guessing you are making the ssh connection as a user other than web. Are you perhaps connecting as ssh web@domain.nl?

Your output also shows that you’ve added the sudo group for the web_user. This is contrary to the intention for web to be a limited privilege user. Or perhaps you renamed the admin_user: web.

I’d recommend

  • use the default of admin_user: admin and web_user: web
  • remove the sudo group from web_user in the users list
  • add your new public keys to either admin or root
  • if admin, add keys to the users under admin_user, then reprovision and do your manual ssh connections as admin
  • if root, add a new user root to the users list, with the new keys and sudo in groups, then reprovision and do your manual ssh connections as root

Alternatively, you could add any new user name you want to users (e.g. jasperfrumau), with your new keys. See the SSH-keys docs to make sense of everything I’ve mentioned above.

2 Likes
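The diagnosis above comes down to one question: which of the keys you meant to deploy actually landed in which account's authorized_keys. As an added example (not from this thread and not Trellis code), here is a small Python checker that parses authorized_keys lines, fingerprints each key the same way ssh-keygen -lf does (SHA256 over the decoded blob), and reports the expected keys that are missing per file. All key material and paths are constructed for the demo; the second key stands in for whatever https://github.com/jasperf.keys would serve, and on a real server you would read the files instead of the inline strings.

```python
"""Audit which expected SSH public keys are present in each authorized_keys.

Added example for the Trellis users/keys discussion; not project code.
Key blobs and file contents below are constructed for the demo.
"""
import base64
import binascii
import hashlib
import struct


def _ssh_string(b: bytes) -> bytes:
    """Length-prefixed string as used in the OpenSSH public key wire format."""
    return struct.pack(">I", len(b)) + b


def make_demo_rsa_key(seed: bytes, comment: str) -> str:
    """Build a syntactically valid (not cryptographically usable) ssh-rsa line.

    A real ssh-rsa blob is "ssh-rsa", e, n; here n is just a hash of the seed.
    """
    blob = (_ssh_string(b"ssh-rsa")
            + _ssh_string(b"\x01\x00\x01")
            + _ssh_string(hashlib.sha256(seed).digest()))
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"


def fingerprint(b64_blob: str) -> str:
    """SHA256 fingerprint in the same form `ssh-keygen -lf` prints."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text: str):
    """Parse authorized_keys text into dicts of options/type/fingerprint/comment.

    Handles a leading options field (e.g. from="...",no-pty) by locating the
    first token that looks like a key type; blank, comment and malformed
    lines are skipped rather than raising.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        idx = next((i for i, f in enumerate(fields)
                    if f.startswith(("ssh-", "ecdsa-", "sk-"))), None)
        if idx is None or idx + 1 >= len(fields):
            continue
        try:
            fp = fingerprint(fields[idx + 1])
        except (binascii.Error, ValueError):
            continue  # base64 is not decodable; not a usable key line
        entries.append({
            "options": " ".join(fields[:idx]),
            "type": fields[idx],
            "fingerprint": fp,
            "comment": " ".join(fields[idx + 2:]),
        })
    return entries


def missing_keys(expected_lines, authorized_keys_text: str):
    """Return comments (or fingerprints) of expected keys absent from the file."""
    present = {e["fingerprint"] for e in parse_authorized_keys(authorized_keys_text)}
    missing = []
    for line in expected_lines:
        for e in parse_authorized_keys(line):
            if e["fingerprint"] not in present:
                missing.append(e["comment"] or e["fingerprint"])
    return missing


# Constructed demo keys: the laptop key and the Mac Mini key (the latter plays
# the role of the key that https://github.com/jasperf.keys would serve).
LAPTOP_KEY = make_demo_rsa_key(b"laptop", "me@domain.com")
MAC_MINI_KEY = make_demo_rsa_key(b"mac-mini", "jasper@mac-mini")

# Constructed authorized_keys contents mirroring the thread: the web user got
# both keys, the admin user (the one actually used for ssh) only the first.
AUTHORIZED = {
    "/home/web/.ssh/authorized_keys": LAPTOP_KEY + "\n" + MAC_MINI_KEY + "\n",
    "/home/dhc-user/.ssh/authorized_keys": LAPTOP_KEY + "\n",
}


def audit(expected, authorized=None):
    """Map each authorized_keys path to the list of expected keys it lacks."""
    authorized = AUTHORIZED if authorized is None else authorized
    return {path: missing_keys(expected, text) for path, text in authorized.items()}


if __name__ == "__main__":
    for path, missing in audit([LAPTOP_KEY, MAC_MINI_KEY]).items():
        print(path, "missing:", missing or "none")
```

Run it and the web account reports nothing missing while /home/dhc-user/.ssh/authorized_keys reports the Mac Mini key, which is exactly the situation where a playbook run shows "changed" for the key yet the login you actually use still rejects the new machine. Comparing by fingerprint rather than by raw line also catches keys that were re-added with a different comment or options field.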

Yes I added it to the location you suggested. I currently have this in users.yml:

    # Documentation: https://roots.io/trellis/docs/ssh-keys/
    admin_user: dhc-user

    # Also define 'vault_users' (`group_vars/staging/vault.yml`, `group_vars/production/vault.yml`)
    users:
      - name: "{{ web_user }}"
        groups:
          - "{{ web_group }}"
        keys:
          - "{{ lookup('file', '~/.ssh/id_rsa.pub') }}"
          - https://github.com/jasperf.keys
      - name: "{{ admin_user }}"
        groups:
          - sudo
        keys:
          - "{{ lookup('file', '~/.ssh/id_rsa.pub') }}"
          - https://github.com/jasperf.keys

    web_user: web
    web_group: www-data
    web_sudoers:
      - "/usr/sbin/service php7.0-fpm *"

It is similar to https://github.com/roots/roots-example-project.com/blob/master/trellis/group_vars/all/users.yml .

So I do not have the sudo group under web_user. I added my keys to both users. I am using admin (dhc-user) to access. I did not have the line - https://github.com/jasperf.keys in the previous version though, so that has changed.

As I am using a Dreamhost Cloud server I have to use the user dhc-user, which is my admin. When I did a cat ~/.ssh/authorized_keys I see the keys I added before. This I checked in the home directory of the dhc-user:

    id
    uid=1000(dhc-user) gid=27(sudo) groups=27(sudo)

So… Still not sure really what is going on. But still waking up… Might need more coffee.

1 Like

please add :coffee::coffee::coffee: :wink:

I think you’re all set, given that you’ve now added - https://github.com/jasperf.keys for the admin_user. Should work fine to use admin_user: dhc-user.

So, perhaps your keys are at /home/dhc-user/.ssh/authorized_keys because you added them manually, as per your initial post, but with the keys listed under admin_user, this users setup should automatically add the keys on any new server you provision.

Maybe before you added the keys manually, they were only at /home/web/.ssh/authorized_keys, but the server.yml playbook was trying to connect as dhc-user. Anyway, now both dhc-user can connect to run server.yml and web can connect to run deploy.yml.

1 Like

Yeah, should all be good to go. Will be doing a provisioning from my MBP now and later on again from my Mac Mini. Should all be OK now I guess. And using this future setup I should avoid having further issues with keys. Thanks for helping out!