SSH Key Authentication Not Working

I typically SSH into my server using:

ssh -l root -p 34775 -i ~/.ssh/

This works just fine, but I can’t get Trellis to use the public key (~/.ssh/ The contents of group_vars/all/users.yml is:

admin_user: root

  - name: "{{ web_user }}"
      - "{{ web_group }}"
      - "{{ lookup('file', '~/.ssh/') }}"
      # -
  - name: "{{ admin_user }}"
      - sudo
      - "{{ lookup('file', '~/.ssh/') }}"
      # -

web_user: www
web_group: www-data
  - "/usr/sbin/service hhvm *"
  - "/usr/sbin/service php5-fpm *"

Any ideas why I can’t connect? It seems like my public key just gets ignored. Here’s what the console output looks like (actual hostnames and IP addresses are not disclosed):

$ ansible-playbook -i hosts/production deploy.yml -vvvv

PLAY [Deploy Bedrock] *********************************************************

GATHERING FACTS ***************************************************************
<> EXEC ssh -C -tt -vvv -o ForwardAgent=yes -o ControlMaster=auto -o ControlPersist=60s -o ControlPath="/Users/Me/.ansible/cp/ansible-ssh-%h-%p-%r" -o Port=34775 -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o User=root -o ConnectTimeout=10 /bin/sh -c 'mkdir -p $HOME/.ansible/tmp/ansible-tmp-1449438037.2-6438931786702 && echo $HOME/.ansible/tmp/ansible-tmp-1449438037.2-6438931786702'
fatal: [] => SSH Error: Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
    while connecting to 55.55.555.555:34775
It is sometimes useful to re-run the command using -vvvv, which prints SSH debug output to help diagnose the issue.

TASK: [deploy | Initialize] ***************************************************
FATAL: no hosts matched or all hosts have already failed -- aborting

PLAY RECAP ********************************************************************
           to retry, use: --limit @/Users/Me/deploy.retry                    : ok=0    changed=0    unreachable=1    failed=0

Have you tried SSHing manually?

Yes, see the first part of my post. I can SSH in myself just fine manually.

Have you previously run the server.yml playbook to provision your server? You’re running deploy.yml which is just for deploying. That users variable only gets picked up during the users role which is part of provisioning (from server.yml).

I have a server that’s already pre-configured so I was hoping to just deploy to it. I’m wary about provisioning with Trellis because I like to a run a number of different projects on this server and I wouldn’t want Trellis to overwrite my nginx configuration too badly. Does deploy only work if you’ve provisioned with Trellis first?

You can get it to work on a non-Trellis server, just takes a little more manual work to make sure you have the right settings and paths/permissions, etc. But any normal Trellis features don’t happen during deploys like SSH keys. You’ll need to manually add your keys to the server.

I believe the keys should already be installed on the server properly, since I can already SSH in manually, no?

Since you’re apparently using a specific key since you’re calling ~/.ssh/ in your SSH command, you probably should add that key to the server’s IP in your ssh config file.

1 Like

Adding the key/IP to my SSH config file solved the issue. I’m still unclear as to why the keys in users.yml don’t get loaded.

The keys in users.yml are public ssh keys loaded on the server by the server.yml playbook, which you haven’t run. It may seem counterintuitive at first, but I don’t think users.yml is relevant to the connection issue you faced.

I think the problem was that Ansible didn’t know which private key (on your local machine) to use while authenticating to your server. When connecting manually, you specified this private key (identity file) using the -i option. Once you added the ssh config, Ansible knew which private key to use when connecting to the IP in question.

1 Like