Remote Provisioning

Hi, I’m having a very difficult time provisioning my DigitalOcean droplet with Trellis. Everything is working fine locally & I can SSH to DigitalOcean outside of the VM.

My droplet is setup using Ubuntu 16.04.4 with my SSH key added (No password).

The problem is when trying to SSH from my VM to my DigitalOcean droplet I receive a Permission denied (publickey) error.

I’ve set my production environment to the correct address and have set my admin_user to admin. Am I right to assume the VM is using my private SSH key under Users[User].ssh\id_rsa to connect with Digital Ocean?

When running the remote provisioning command ansible-playbook server.yml -e env=production I run into the following issue:
Permission denied (publickey).

fatal: [165.227.214.4]: UNREACHABLE! => {
"changed": false,
"unreachable": true
}

The full error is this:

System info:
  Ansible 2.5.3; Linux
  Trellis version (per changelog): "build-before: Checkout project source code to local temporary directory"
---------------------------------------------------
Failed to connect to the host via ssh: OpenSSH_7.2p2 Ubuntu-4ubuntu2.4, OpenSSL 1.0.2g  1 Mar 2016
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 3: Applying options for *
debug3: kex names ok: [curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256]
debug1: /etc/ssh/ssh_config line 20: Deprecated option "useroaming"
debug1: auto-mux: Trying existing master
debug1: Control socket "/home/vagrant/.ansible/cp/ab14fda457" does not exist
debug2: resolving "165.227.214.4" port 22
debug2: ssh_connect_direct: needpriv 0
debug1: Connecting to 165.227.214.4 [165.227.214.4] port 22.
debug2: fd 3 setting O_NONBLOCK
debug1: fd 3 clearing O_NONBLOCK
debug1: Connection established.
debug3: timeout: 9942 ms remain after connect
debug1: key_load_public: No such file or directory
debug1: identity file /home/vagrant/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/vagrant/.ssh/id_ed25519-cert type -1
debug1: identity file /home/vagrant/.ssh/id_rsa type 1
debug1: key_load_public: No such file or directory
debug1: identity file /home/vagrant/.ssh/id_rsa-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.4
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.2p2 Ubuntu-4ubuntu2.4
debug1: match: OpenSSH_7.2p2 Ubuntu-4ubuntu2.4 pat OpenSSH* compat 0x04000000
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to 165.227.214.4:22 as 'admin'
debug3: send packet: type 20
debug1: SSH2_MSG_KEXINIT sent
debug3: receive packet: type 20
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,ext-info-c
debug2: host key algorithms: ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,ssh-rsa
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
debug2: MACs ctos: hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160
debug2: MACs stoc: hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160
debug2: compression ctos: zlib@openssh.com,zlib,none
debug2: compression stoc: zlib@openssh.com,zlib,none
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1
debug2: host key algorithms: ssh-rsa,rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib@openssh.com
debug2: compression stoc: none,zlib@openssh.com
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug1: kex: algorithm: curve25519-sha256@libssh.org
debug1: kex: host key algorithm: ssh-ed25519
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: zlib@openssh.com
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: zlib@openssh.com
debug3: send packet: type 30
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug3: receive packet: type 31
debug1: Server host key: ssh-ed25519 SHA256:I29x/lzbEx1quUizibZmaumxoRFPeQP+/jUrW8Cz9Sw
debug3: hostkeys_foreach: reading file "/home/vagrant/.ssh/known_hosts"
debug3: record_hostkey: found key type ED25519 in file /home/vagrant/.ssh/known_hosts:8
debug3: load_hostkeys: loaded 1 keys from 165.227.214.4
debug1: Host '165.227.214.4' is known and matches the ED25519 host key.
debug1: Found key in /home/vagrant/.ssh/known_hosts:8
debug3: send packet: type 21
debug2: set_newkeys: mode 1
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug3: receive packet: type 21
debug2: set_newkeys: mode 0
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS received
debug2: key: /home/vagrant/.ssh/id_ed25519 ((nil))
debug2: key: /home/vagrant/.ssh/id_rsa (0x562ba0d12cb0)
debug3: send packet: type 5
debug3: receive packet: type 7
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<rsa-sha2-256,rsa-sha2-512>
debug3: receive packet: type 6
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug3: send packet: type 50
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey
debug3: start over, passed a different list publickey
debug3: preferred gssapi-with-mic,gssapi-keyex,hostbased,publickey
debug3: authmethod_lookup publickey
debug3: remaining preferred: ,gssapi-keyex,hostbased,publickey
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /home/vagrant/.ssh/id_ed25519
debug3: no such identity: /home/vagrant/.ssh/id_ed25519: No such file or directory
debug1: Offering RSA public key: /home/vagrant/.ssh/id_rsa
debug3: send_pubkey_test
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
Permission denied (publickey).

fatal: [165.227.214.4]: UNREACHABLE! => {
    "changed": false,
    "unreachable": true
}

Any help is greatly appreciated.

Is there a reason you want to SSH into your remote server from the VM?

We don’t explicitly say it in the docs, but it’s expected you’d only do that from your host local machine.

Thanks for the reply! I’m running Windows 10 on my local host machine so I’m not able to run ansible playbooks locally.

This leaves me with using vagrant ssh to connect to my VM & running ansible playbooks there. Am I wrong to assume the VM is using my local host machine’s SSH key when running the server.yml playbook to connect & provision the remote server?

I’m new to all of this so please correct me if I’m not understanding how this works.

Do you have your key in pageant? If you do, it should be forwarded into your VM so you can vagrant ssh and run your deployment command.

Thanks, I just tried this but I’m still getting the same error. I’ve added my private key to Pageant & used Putty to SSH into my VM to run the ansible-playbook server.yml -e env=production command.

PLAY [Ensure necessary variables are defined] **********************************

TASK [Ensure environment is defined] *******************************************
skipping: [localhost]

PLAY [Test Connection and Determine Remote User] *******************************

TASK [connection : Require manual definition of remote-user] *******************
skipping: [206.189.237.94]

TASK [connection : Specify preferred HostKeyAlgorithms for unknown hosts] ******
skipping: [206.189.237.94]

TASK [connection : Check whether Ansible can connect as root] ******************
ok: [206.189.237.94 -> localhost]

TASK [connection : Warn about change in host keys] *****************************
skipping: [206.189.237.94]

TASK [connection : Set remote user for each host] ******************************
ok: [206.189.237.94]

TASK [connection : Announce which user was selected] ***************************
Note: Ansible will attempt connections as user = admin
ok: [206.189.237.94]

TASK [connection : Load become password] ***************************************
ok: [206.189.237.94]

PLAY [Install prerequisites] ***************************************************

TASK [Install Python 2.x] ******************************************************
System info:
  Ansible 2.5.3; Linux
  Trellis version (per changelog): "build-before: Checkout project source code to local temporary directory"
---------------------------------------------------
Failed to connect to the host via ssh: Permission denied (publickey).

fatal: [206.189.237.94]: UNREACHABLE! => {"changed": false, "unreachable": true}
        to retry, use: --limit @/home/vagrant/trellis/server.retry

PLAY RECAP *********************************************************************
206.189.237.94             : ok=4    changed=0    unreachable=1    failed=0
localhost                  : ok=0    changed=0    unreachable=0    failed=0

If you have any other ideas please let me know, thanks!

It shouldn’t be necessary to use putty to SSH into your VM, and in fact that may not work (I haven’t tried it). Just the following steps:

  • Make sure key is added to pageant
  • Run vagrant ssh
  • From inside the VM, test your ssh (requires that you have added your key to your GitHub acct)
  • Attempt to SSH into your droplet

If all of these steps work, you should be able to run your deploy. If one of them fails, then you can look more closely at that step.

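The four checks in the steps above, written up as a small POSIX sh diagnostic to run from inside the VM (an added example, not code from the thread or from Trellis). It assumes ssh and ssh-add are installed in the VM, that vagrant ssh forwards the host's agent via SSH_AUTH_SOCK, and uses the admin user and droplet address quoted earlier in the thread only as the sample invocation.

```shell
# Diagnose the "Permission denied (publickey)" seen in this thread from inside the
# Trellis VM: Ansible can only reach the droplet if the host's agent (Pageant) is
# forwarded by "vagrant ssh"; otherwise the VM offers only its own
# /home/vagrant/.ssh/id_rsa, which the droplet has never been given.

# agent_state prints one of: no-agent, dead-socket, no-keys, agent-error, ok
# (an optional argument overrides SSH_AUTH_SOCK, mainly for testing).
agent_state() {
    sock="${1-$SSH_AUTH_SOCK}"
    [ -n "$sock" ] || { echo "no-agent"; return 1; }
    [ -S "$sock" ] || { echo "dead-socket"; return 1; }
    # ssh-add -l exits 0 with keys, 1 if the agent holds none, 2 if unreachable
    rc=0
    SSH_AUTH_SOCK="$sock" ssh-add -l >/dev/null 2>&1 || rc=$?
    case $rc in
        0) echo "ok"; return 0 ;;
        1) echo "no-keys"; return 1 ;;
        *) echo "agent-error"; return 1 ;;
    esac
}

# probe_host USER HOST: try key-only auth without ever prompting; exit 0 = accepted.
probe_host() {
    ssh -o BatchMode=yes -o ConnectTimeout=10 -o PreferredAuthentications=publickey \
        "$1@$2" true >/dev/null 2>&1
}

# diagnose USER HOST: walk the checks in order and report the first one that fails.
diagnose() {
    user="$1"; host="$2"
    state=$(agent_state) || true
    case $state in
        ok) ;;
        no-agent)    echo "SSH_AUTH_SOCK is unset: the host agent (Pageant) is not forwarded into this VM"; return 1 ;;
        dead-socket) echo "SSH_AUTH_SOCK points at a missing socket: reconnect with vagrant ssh"; return 1 ;;
        no-keys)     echo "agent is forwarded but holds no keys: add the droplet key to Pageant on the host"; return 1 ;;
        *)           echo "agent is unreachable from the VM"; return 1 ;;
    esac
    if probe_host "$user" "$host"; then
        echo "key auth to $user@$host accepted; ansible-playbook should now connect"
    else
        echo "agent is fine but $user@$host rejected the key: check that user's authorized_keys on the droplet"
        return 1
    fi
}

# Sample invocation with the values from this thread: diagnose admin 165.227.214.4
```

When the agent check passes but the probe fails, the forwarded key simply is not the one the droplet was built with, which is the same condition the verbose log above shows at "Offering RSA public key".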

(Alternatively, I think you can use WSL and avoid the whole “deploy from inside VM” thing, if you want.)