SSH Key Authentication Not Working

I typically SSH into my server using:

ssh -l root -p 34775 -i ~/.ssh/mysite.com mysite.com

This works just fine, but I can’t get Trellis to use the public key (~/.ssh/mysite.com). The contents of group_vars/all/users.yml is:

admin_user: root

users:
  - name: "{{ web_user }}"
    groups:
      - "{{ web_group }}"
    keys:
      - "{{ lookup('file', '~/.ssh/mysite.com') }}"
      # - https://github.com/username.keys
  - name: "{{ admin_user }}"
    groups:
      - sudo
    keys:
      - "{{ lookup('file', '~/.ssh/mysite.com') }}"
      # - https://github.com/username.keys

web_user: www
web_group: www-data
web_sudoers:
  - "/usr/sbin/service hhvm *"
  - "/usr/sbin/service php5-fpm *"

Any ideas why I can’t connect? It seems like my public key just gets ignored. Here’s what the console output looks like (actual hostnames and IP addresses are not disclosed):

$ ansible-playbook -i hosts/production deploy.yml -vvvv

PLAY [Deploy Bedrock] *********************************************************

GATHERING FACTS ***************************************************************
<mysite.com> ESTABLISH CONNECTION FOR USER: root
<mysite.com> REMOTE_MODULE setup
<mysite.com> EXEC ssh -C -tt -vvv -o ForwardAgent=yes -o ControlMaster=auto -o ControlPersist=60s -o ControlPath="/Users/Me/.ansible/cp/ansible-ssh-%h-%p-%r" -o Port=34775 -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o User=root -o ConnectTimeout=10 mysite.com /bin/sh -c 'mkdir -p $HOME/.ansible/tmp/ansible-tmp-1449438037.2-6438931786702 && echo $HOME/.ansible/tmp/ansible-tmp-1449438037.2-6438931786702'
fatal: [mysite.com] => SSH Error: Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
    while connecting to 55.55.555.555:34775
It is sometimes useful to re-run the command using -vvvv, which prints SSH debug output to help diagnose the issue.

TASK: [deploy | Initialize] ***************************************************
FATAL: no hosts matched or all hosts have already failed -- aborting


PLAY RECAP ********************************************************************
           to retry, use: --limit @/Users/Me/deploy.retry

mysite.com                    : ok=0    changed=0    unreachable=1    failed=0

Have you tried SSHing manually?

Yes, see the first part of my post. I can SSH in myself just fine manually.

Have you previously run the server.yml playbook to provision your server? You’re running deploy.yml which is just for deploying. That users variable only gets picked up during the users role which is part of provisioning (from server.yml).

I have a server that’s already pre-configured so I was hoping to just deploy to it. I’m wary about provisioning with Trellis because I like to run a number of different projects on this server and I wouldn’t want Trellis to overwrite my nginx configuration too badly. Does deploy only work if you’ve provisioned with Trellis first?

You can get it to work on a non-Trellis server, just takes a little more manual work to make sure you have the right settings and paths/permissions, etc. But any normal Trellis features don’t happen during deploys like SSH keys. You’ll need to manually add your keys to the server.

I believe the keys should already be installed on the server properly, since I can already SSH in manually, no?

Since you’re apparently using a specific key (you’re passing ~/.ssh/mysite.com in your SSH command), you probably should add that key to the server’s IP in your ssh config file.


Adding the key/IP to my SSH config file solved the issue. I’m still unclear as to why the keys in users.yml don’t get loaded.

The keys in users.yml are public ssh keys loaded on the server by the server.yml playbook, which you haven’t run. It may seem counterintuitive at first, but I don’t think users.yml is relevant to the connection issue you faced.

I think the problem was that Ansible didn’t know which private key (on your local machine) to use while authenticating to your server. When connecting manually, you specified this private key (identity file) using the -i option. Once you added the ssh config, Ansible knew which private key to use when connecting to the IP in question.

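For readers hitting the same error, here is the kind of ~/.ssh/config stanza the replies above recommend. It is an added example, not something posted in the thread; the hostname, port, user and key path are the ones from the original post, and the IdentitiesOnly line is an addition that the thread did not mention:

```text
# ~/.ssh/config  (added example, not from the thread)
# Ansible invokes "ssh ... -o Port=34775 -o User=root mysite.com", so the
# Host pattern must match the name (or IP) Ansible actually hands to ssh,
# i.e. whatever is in hosts/production (or ansible_ssh_host if you set it).
Host mysite.com
    HostName mysite.com
    Port 34775
    User root
    # The private key that the original poster passed with "-i"
    IdentityFile ~/.ssh/mysite.com
    # Offer only the key above. Without this, ssh also tries every default
    # identity and every key in your agent, which can exhaust sshd's
    # MaxAuthTries before the right key is ever offered.
    IdentitiesOnly yes
```

Two checks are worth doing before re-running the playbook. First, `ssh -G mysite.com` (OpenSSH 6.8 and later) prints the effective client configuration for that host, so you can confirm the resolved identityfile and port without connecting. Second, plain `ssh mysite.com` with no -i, -p or -l must now succeed, because that is exactly the situation Ansible is in: it never saw the -i flag you typed by hand, which is why the log above shows publickey being tried and then "Permission denied". If you would rather not touch your ssh config, the same effect comes from setting `ansible_ssh_private_key_file=~/.ssh/mysite.com` on the host line in hosts/production, or from passing `--private-key ~/.ssh/mysite.com` to ansible-playbook. None of this has anything to do with the keys in users.yml, which are public keys that server.yml installs on the remote side.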