SSH-Keygen for git repo access

So normally when I provision a server, I have to ssh in as admin, su into web then run ssh-keygen take that id_rsa.pub and put it into my bitbucket’s allowed user.

Is there a simpler way to do this?

Well yes, you can avoid that method entirely :smile:

Presumably your Bitbucket account has your own local SSH key added so you can clone via password-less SSH. You should take advantage of the built-in feature to add SSH keys to the web user through the users dict variable.

See the docs here: https://roots.io/trellis/docs/ssh-keys/

Either add your GitHub username (if that account has the key like Bitbucket does too) or just use a local path. It will add those SSH keys to the web user and via SSH forwarding you can skip what you’re currently doing.

See, I’ve thought I’ve already done that.

# Documentation: https://roots.io/trellis/docs/ssh-keys/
admin_user: admin

users:
  - name: "{{ web_user }}"
    groups:
      - "{{ web_group }}"
    keys:
      - "{{ lookup('file', '~/.ssh/id_rsa.pub') }}"
      - https://github.com/brandonshutter.keys
  - name: "{{ admin_user }}"
    groups:
      - sudo
      - "{{ web_group }}"
    keys:
      - "{{ lookup('file', '~/.ssh/id_rsa.pub') }}"
      - https://github.com/brandonshutter.keys

web_user: web
web_group: www-data
web_sudoers:
  - "/usr/sbin/service php5-fpm *"

And cloning doesn’t work? You can debug SSH forwarding: https://developer.github.com/guides/using-ssh-agent-forwarding/

Correct, it doesn’t.

web@brandonshutter:~$ git clone git@bitbucket.org:brandonshutter/brandon-shutter.git
Cloning into 'brandon-shutter'...
Permission denied (publickey).
fatal: Could not read from remote repository.

This is after me doing the above steps that I normally do except running ssh-keygen. I’ll look into SSH forwarding.

Edit: After running ssh-keygen as the web user, everything is good to go. The instructions for ssh-forwarding didn’t really seem to apply to my situation. I’ll just keep doing what I’ve been doing for a year or so now :smile:

@brandon when you type ssh-add -l on the computer you use to deploy, do you see your SSH key loaded? If not, that might be the problem. Add it using ssh-add.

1 Like

It was not loaded. So taking that into consideration, I went ahead and reprovisioned a server, with it loaded. Still got the same permission error. That being said, wouldn’t the fact that I included the github key act as the “same” as my local key, as they are one in the same?

What OS / SSH agent are you using?

OSX/openssh. 20 chars

How many keys do you have loaded up? I sometimes have a problem with github / bitbucket if I have more than one loaded at once.

ssh-add -L to see all the keys and ssh-add -D to dump them all

Wait are you talking about from the server or from your computer that you can’t connect?

I had the same issue as @brandon, and a manual ssh-keygen on the server works around the problem.

Hey Fellas,

I’m having the same issue with a SSH issue:

failed: [159.203.33.10] => {“cmd”: “/usr/bin/git ls-remote ‘’ -h refs/heads/master”, “failed”: true, “rc”: 128}
stderr: Permission denied (publickey).
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.

msg: Permission denied (publickey).
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.

I feel really stupid but I can’t seem to identify what steps I need to take to fix this. Can someone walk me through it like I’m a 5 year old? Please?

This is the error, so there’s at least two things you’ll want to check:

  1. Do you have the correct link to the git URL where your project is set up? Make sure it’s not still github.com/roots/bedrock.git, although I don’t know if that would necessarily give you this error
  2. Make sure that SSH key forwarding is working

Oh I’ve definitely determined that it has to do with ssh key forwarding but for for the life of me I can’t wrap my head around the steps I need to take to fix it. Was reading page after page and going crazy. How would I go about getting it to work?

Without knowing any of your setup, nobody can give specific instructions. Have you read “Cloning Remote Repo Using SSH Agent Forwarding” at https://roots.io/trellis/docs/ssh-keys/

That should work on both Linux and OS X, I’ve read people have more issues with it on Windows, so this might be helpful: How to SSH Forward on Windows

Is the problem here because you’re using Bitbucket but referencing your Github keys in users.yml?

I’m confused about this too as I don’t know what to put in as the link to my Bitbucket keys. Currently my users.yml file contains:

# Documentation: https://roots.io/trellis/docs/ssh-keys/
admin_user: admin

# Also define 'vault_sudoer_passwords' (`group_vars/staging/vault.yml`, `group_vars/production/vault.yml`)
users:
  - name: "{{ web_user }}"
    groups:
      - "{{ web_group }}"
    keys:
      - "{{ lookup('file', '~/.ssh/id_rsa.pub') }}"
      - https://bitbucket.org/api/1.0/users/<my bitbucket username>/ssh-keys
  - name: "{{ admin_user }}"
    groups:
      - sudo
    keys:
      - "{{ lookup('file', '~/.ssh/id_rsa.pub') }}"
      - https://github.com/efw.keys
      - https://bitbucket.org/api/1.0/users/<my bitbucket username>/ssh-keys

web_user: web
web_group: www-data
web_sudoers:
  - "/usr/sbin/service php7.0-fpm *"

When I try to provision my server it fails at:

TASK [users : Add SSH keys] ****************************************************
changed: [<DO IP address>] => (item=({u'name': u'web', u'groups': [u'www-data']}, u'<rsa key content>'))
failed: [<DO IP address>] (item=({u'name': u'web', u'groups': [u'www-data']}, u'https://bitbucket.org/api/1.0/users/<my bitbucket username>/ssh-keys')) => {"failed": true, "item": [{"groups": ["www-data"], "name": "web"}, "https://bitbucket.org/api/1.0/users/<my bitbucket username>/ssh-keys"], "msg": "Error getting key from: https://bitbucket.org/api/1.0/users/<my bitbucket username>/ssh-keys"}
changed: [<DO IP address>] => (item=({u'name': u'admin', u'groups': [u'sudo']}, u'<rsa key content>'))
failed: [<DO IP address>] (item=({u'name': u'admin', u'groups': [u'sudo']}, u'https://bitbucket.org/api/1.0/users/<my bitbucket username>/ssh-keys')) => {"failed": true, "item": [{"groups": ["sudo"], "name": "admin"}, "https://bitbucket.org/api/1.0/users/<my bitbucket username>/ssh-keys"], "msg": "Error getting key from: https://bitbucket.org/api/1.0/users/<my bitbucket username>/ssh-keys"}

Any ideas?

Several replies on this thread reference typing ssh-add -l, but on a Mac I believe the command to forward your key is ssh-add -K and then you need to add the remote host to ~/.ssh/config in the following format:

Host example.com
  ForwardAgent

See here for GitHub’s documentation on this.

I’ve done that many times. It all works fine with github but I can’t get it to work with bitbucket.

I believe you’re getting the error "msg": "Error getting key from: https://bitbucket.org/api/1.0/users/<my bitbucket username>/ssh-keys" because ansible sees that the content at that url is not a public ssh key. It looks like a json list containing an object with a few attributes, one of which the key. Compare my raw public key at a github url with the extra stuff added at the bitbucket url.

The point of the TASK [users : Add SSH keys] is to load your public key in your server’s authorized_keys for admin and web so that your local machine can establish an SSH connection to your server …

  • as admin to run server.yml to provision (if root is disabled) or
  • as web to run deploy.yml to deploy

In the simplest case, you are the only person provisioning and deploying, so you only need your one public key loaded for each user. It doesn’t matter where you tell Trellis to find the key (~/.ssh/id_rsa.pub, github, or elsewhere), so long as you specify a source that provides just the key, not the extra json like at the bitbucket url.

It is irrelevant if your repo happens to be at bitbucket or anywhere else. This is a connection between the local machine in front of you and your server (no repo or git host involved). If the github url works to load the key, great, you can use that. Or perhaps the local filepath works. No problem. There is no conceptual uncleanliness if your repo is elsewhere. The repo or git host is irrelevant.

With that background, and assuming you only need one key (your key), I’d suggest you list only one key source per user in users vs. your example above with with two key sources for web_user and three for admin_user. If you wish it were clearer, the ssh keys docs may help if you haven’t seen them already.

1 Like