Operating system: macOS Monterey 12.7.3
Ubuntu/Vagrant/Ansible:
vagrant_box: 'bento/ubuntu-20.04'
vagrant_box_version: '>= 202012.23.0'
vagrant_ansible_version: '2.10.7'
vagrant_ansible_python_interpreter: '/usr/bin/python3'
VM: Digital Ocean droplet
Repo: Azure DevOps
The project was set up with trellis-cli and has been working great up until two weeks ago.
When deploying to our staging and production server we receive an SSH error regarding deprecated ssh-rsa. This is on the step where we try to connect to the Azure DevOps repo. See the deploy steps and error below.
TASK [deploy : Clone project files] ********************************************
task path: /<user>/development/<site_name>/trellis/roles/deploy/tasks/update.yml:24
Using module file /<user>/development/<site_name>/trellis/.trellis/virtualenv/lib/python3.7/site-packages/ansible/modules/git.py
Pipelining is enabled.
<157.230.97.148> ESTABLISH SSH CONNECTION FOR USER: web
<157.230.97.148> SSH: EXEC ssh -vvv -o ForwardAgent=yes -o ControlMaster=auto -o ControlPersist=60s -o HostKeyAlgorithms=+ssh-rsa -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o 'User="web"' -o ConnectTimeout=10 -o ControlPath=/<user>/.ansible/cp/0805fbc1e6 157.230.97.148 '/bin/sh -c '"'"'/usr/bin/python && sleep 0'"'"''
<157.230.97.148> (1, b'\n{"msg": "Failed to download remote objects and refs: remote: Command git-upload-pack: You\\u2019re using ssh-rsa that is about to be deprecated and your request has been blocked intentionally. Any SSH session using SSH-RSA is subject to brown out (failure during random time periods). Please use rsa-sha2-256 or rsa-sha2-512 instead. For more details see https://aka.ms/ado-ssh-rsa-deprecation.\\nremote: ERROR_SSH_UNSUPPORTED_CIPHER (7)\\nfatal: Could not read from remote repository.\\n\\nPlease make sure you have the correct access rights\\nand the repository exists.\\n", "failed": true, "cmd": ["/usr/bin/git", "fetch", "--tags", "--force", "origin"], "invocation": {"module_args": {"archive_prefix": null, "force": true, "track_submodules": false, "reference": null, "verify_commit": false, "ssh_opts": null, "bare": false, "archive": null, "executable": null, "recursive": true, "umask": null, "version": "staging", "dest": "/srv/www/<site_name>/shared/source", "clone": true, "gpg_whitelist": [], "update": true, "repo": "git@ssh.dev.azure.com:v3/<azure_project>/<project_name>/<site_name>", "remote": "origin", "refspec": null, "separate_git_dir": null, "accept_hostkey": true, "depth": null, "key_file": null}}}\n', b"OpenSSH_8.6p1, LibreSSL 3.3.6\r\ndebug1: Reading configuration data /<user>/.ssh/config\r\ndebug1: Reading configuration data /etc/ssh/ssh_config\r\ndebug1: /etc/ssh/ssh_config line 21: include /etc/ssh/ssh_config.d/* matched no files\r\ndebug1: /etc/ssh/ssh_config line 54: Applying options for *\r\ndebug2: resolve_canonicalize: hostname 157.230.97.148 is address\r\ndebug3: expanded UserKnownHostsFile '~/.ssh/known_hosts' -> '/<user>/.ssh/known_hosts'\r\ndebug3: expanded UserKnownHostsFile '~/.ssh/known_hosts2' -> '/<user>/.ssh/known_hosts2'\r\ndebug1: Authenticator provider $SSH_SK_PROVIDER did not resolve; disabling\r\ndebug1: auto-mux: Trying existing master\r\ndebug2: fd 3 setting O_NONBLOCK\r\ndebug2: mux_client_hello_exchange: master version 4\r\ndebug3: mux_client_forwards: request forwardings: 0 local, 0 remote\r\ndebug3: mux_client_request_session: entering\r\ndebug3: mux_client_request_alive: entering\r\ndebug3: mux_client_request_alive: done pid = 13761\r\ndebug3: mux_client_request_session: session request sent\r\ndebug1: mux_client_request_session: master session id: 2\r\ndebug3: mux_client_read_packet: read header failed: Broken pipe\r\ndebug2: Received exit status from master 1\r\n")
<157.230.97.148> Failed to connect to the host via ssh: OpenSSH_8.6p1, LibreSSL 3.3.6
debug1: Reading configuration data /<user>/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 21: include /etc/ssh/ssh_config.d/* matched no files
debug1: /etc/ssh/ssh_config line 54: Applying options for *
debug2: resolve_canonicalize: hostname 157.230.97.148 is address
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts' -> '/<user>/.ssh/known_hosts'
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts2' -> '/<user>/.ssh/known_hosts2'
debug1: Authenticator provider $SSH_SK_PROVIDER did not resolve; disabling
debug1: auto-mux: Trying existing master
debug2: fd 3 setting O_NONBLOCK
debug2: mux_client_hello_exchange: master version 4
debug3: mux_client_forwards: request forwardings: 0 local, 0 remote
debug3: mux_client_request_session: entering
debug3: mux_client_request_alive: entering
debug3: mux_client_request_alive: done pid = 13761
debug3: mux_client_request_session: session request sent
debug1: mux_client_request_session: master session id: 2
debug3: mux_client_read_packet: read header failed: Broken pipe
debug2: Received exit status from master 1
System info:
Ansible 2.10.16; Darwin
Trellis 1.13.0: January 21st, 2022
---------------------------------------------------
Failed to download remote objects and refs: remote: Command git-upload-pack:
You’re using ssh-rsa that is about to be deprecated and your request has been
blocked intentionally. Any SSH session using SSH-RSA is subject to brown out
(failure during random time periods). Please use rsa-sha2-256 or rsa-sha2-512
instead. For more details see https://aka.ms/ado-ssh-rsa-deprecation.
remote: ERROR_SSH_UNSUPPORTED_CIPHER (7)
fatal: Could not read from remote repository.
Please make sure you have the correct access rights
and the repository exists.
fatal: [157.230.97.148]: FAILED! => {
"changed": false,
"cmd": [
"/usr/bin/git",
"fetch",
"--tags",
"--force",
"origin"
],
"invocation": {
"module_args": {
"accept_hostkey": true,
"archive": null,
"archive_prefix": null,
"bare": false,
"clone": true,
"depth": null,
"dest": "/srv/www/<site_name>/shared/source",
"executable": null,
"force": true,
"gpg_whitelist": [],
"key_file": null,
"recursive": true,
"reference": null,
"refspec": null,
"remote": "origin",
"repo": "git@ssh.dev.azure.com:v3/<azure_project>/<project_name>/<site_name>",
"separate_git_dir": null,
"ssh_opts": null,
"track_submodules": false,
"umask": null,
"update": true,
"verify_commit": false,
"version": "staging"
}
}
}
...ignoring
TASK [deploy : Failed connection to remote repo] *******************************
task path: /<local_project>/trellis/roles/deploy/tasks/update.yml:35
System info:
Ansible 2.10.16; Darwin
Trellis 1.13.0: January 21st, 2022
---------------------------------------------------
Git repo git@ssh.dev.azure.com:v3/<azure_project>/<project_name>/<site_name> on branch staging cannot be accessed. Please verify the
repository/branch are correct and you have SSH forwarding set up correctly.
More info:
> https://roots.io/trellis/docs/deploys/#ssh-keys
> https://roots.io/trellis/docs/ssh-keys/#cloning-remote-repo-using-ssh-agent-forwarding
Error:
Failed to download remote objects and refs: remote: Command git-upload-pack:
You’re using ssh-rsa that is about to be deprecated and your request has been
blocked intentionally. Any SSH session using SSH-RSA is subject to brown out
(failure during random time periods). Please use rsa-sha2-256 or rsa-sha2-512
instead. For more details see https://aka.ms/ado-ssh-rsa-deprecation.
remote: ERROR_SSH_UNSUPPORTED_CIPHER (7)
fatal: Could not read from remote repository.
Please make sure you have the correct access rights
and the repository exists.
fatal: [157.230.97.148]: FAILED! => {
"changed": false
}
I’ve read through this link (End of SSH-RSA support for Azure Repos - Azure DevOps Blog) shown in the error message and tried to update my SSH keys as they have instructed. Uploaded them to the DevOps repo but still get the same error message. Is there some option we need to change in the ansible.cfg file to force rsa-sha2-256 or rsa-sha2-512? I have tried to find a similar issue but it seems to be a pretty new change from Microsoft.
Is there a way to use the command trellis key generate to create the correct keys for Azure? I can only find options for GitHub.
Grateful for any help regarding this.
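As an added example for readers triaging this kind of deploy failure (editor-written code, not part of the original post and not Trellis, Ansible or Azure DevOps code), the script below parses the two lines Ansible prints with -vvv for the "Clone project files" task: the SSH: EXEC line carrying the ssh options Ansible builds, and the (rc, stdout, stderr) result tuple whose stdout is the git module's JSON reply. It extracts the Azure error code, the repo and branch, and whether the ssh command line says anything at all about user-key signature algorithms. The sample lines are constructed from the output quoted above (abridged, same placeholders); the function names and the finding categories are the example's own.

```python
"""Triage an Ansible -vvv deploy log for the Azure Repos ssh-rsa block.

Added example for this thread (not Trellis, Ansible or Azure code). It parses the
'<host> SSH: EXEC ssh ...' line and the '<host> (rc, b'stdout', b"stderr")' result
line that Ansible prints under -vvv, and reports whether git failed because Azure
DevOps refused an ssh-rsa (SHA-1) signature. All sample lines are constructed.
"""
import ast
import json
import re
import shlex

AZURE_MARKER = "ERROR_SSH_UNSUPPORTED_CIPHER"
# ssh_config options that choose user-key signature algorithms (the second name is
# the pre-OpenSSH-8.5 spelling). HostKeyAlgorithms is about host keys, not user keys.
SIGNATURE_OPTIONS = {"pubkeyacceptedalgorithms", "pubkeyacceptedkeytypes"}

EXEC_RE = re.compile(r"^<(?P<host>[^>]+)> SSH: EXEC (?P<cmd>ssh .*)$")
RESULT_RE = re.compile(r"^<(?P<host>[^>]+)> (?P<tuple>\(\d+, b.*\))$")

# Constructed sample, abridged from the post's -vvv output (same placeholders).
EXEC_LINE = (
    r'''<157.230.97.148> SSH: EXEC ssh -vvv -o ForwardAgent=yes -o ControlMaster=auto '''
    r'''-o ControlPersist=60s -o HostKeyAlgorithms=+ssh-rsa -o KbdInteractiveAuthentication=no '''
    r'''-o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey '''
    r'''-o PasswordAuthentication=no -o 'User="web"' -o ConnectTimeout=10 '''
    r'''-o ControlPath=/<user>/.ansible/cp/0805fbc1e6 157.230.97.148 '''
    r"""'/bin/sh -c '"'"'/usr/bin/python && sleep 0'"'"''"""
)
RESULT_LINE = (
    r'''<157.230.97.148> (1, b'\n{"msg": "Failed to download remote objects and refs: '''
    r'''remote: Command git-upload-pack: You\\u2019re using ssh-rsa that is about to be '''
    r'''deprecated and your request has been blocked intentionally. Please use '''
    r'''rsa-sha2-256 or rsa-sha2-512 instead.\\nremote: ERROR_SSH_UNSUPPORTED_CIPHER (7)'''
    r'''\\nfatal: Could not read from remote repository.\\n", "failed": true, '''
    r'''"cmd": ["/usr/bin/git", "fetch", "--tags", "--force", "origin"], '''
    r'''"invocation": {"module_args": {"repo": '''
    r'''"git@ssh.dev.azure.com:v3/<azure_project>/<project_name>/<site_name>", '''
    r'''"dest": "/srv/www/<site_name>/shared/source", "version": "staging"}}}\n', '''
    r'''b"OpenSSH_8.6p1, LibreSSL 3.3.6\r\ndebug1: auto-mux: Trying existing master\r\n'''
    r'''debug3: mux_client_read_packet: read header failed: Broken pipe\r\n'''
    r'''debug2: Received exit status from master 1\r\n")'''
)
SAMPLE_LOG = "\n".join([EXEC_LINE, "Pipelining is enabled.", RESULT_LINE])


def ssh_options(exec_line):
    """Return the -o Key=Value options of an EXEC line, keyed by lower-cased name."""
    m = EXEC_RE.match(exec_line.strip())
    if not m:
        return {}
    argv = shlex.split(m.group("cmd"))  # undoes Ansible's shell quoting
    opts = {}
    for flag, value in zip(argv, argv[1:]):
        if flag == "-o" and "=" in value:
            key, val = value.split("=", 1)
            opts[key.lower()] = val
    return opts


def parse_result_line(line):
    """Decode '<host> (rc, stdout, stderr)' into the host, rc and module JSON."""
    m = RESULT_RE.match(line.strip())
    if not m:
        return None
    try:
        rc, stdout, _stderr = ast.literal_eval(m.group("tuple"))  # tuple of bytes
    except (ValueError, SyntaxError):
        return None
    text = stdout.decode("utf-8", "replace").strip()
    try:
        result = json.loads(text)  # the module's JSON reply
    except json.JSONDecodeError:
        result = {"msg": text}  # crashed module: keep the raw text
    return {"host": m.group("host"), "rc": rc, "result": result}


def classify(result):
    """Map a git-module result to a coarse failure class."""
    msg = str(result.get("msg", ""))
    if AZURE_MARKER in msg or "ssh-rsa that is about to be deprecated" in msg:
        return "azure-ssh-rsa-blocked"  # server refused a SHA-1 RSA signature
    if "Permission denied (publickey)" in msg:
        return "publickey-rejected"  # wrong/missing key or no agent forwarding
    if result.get("failed"):
        return "failed-other"
    return "ok"


def triage(log_text):
    """Pair each module result with the ssh options of the preceding EXEC line."""
    exec_opts, findings = {}, []
    for line in log_text.splitlines():
        if EXEC_RE.match(line.strip()):
            exec_opts = ssh_options(line)
            continue
        parsed = parse_result_line(line)
        if parsed is None:
            continue
        args = parsed["result"].get("invocation", {}).get("module_args", {})
        findings.append({
            "host": parsed["host"],
            "rc": parsed["rc"],
            "category": classify(parsed["result"]),
            "repo": args.get("repo"),
            "branch": args.get("version"),
            "hostkey_algorithms": exec_opts.get("hostkeyalgorithms"),
            # True only if ssh was told which user-key signature algorithms to offer
            "signature_algorithms_pinned": bool(SIGNATURE_OPTIONS & set(exec_opts)),
        })
    return findings


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_LOG), indent=2))
```

Run as-is it prints one finding for the sample; pointed at a real -vvv log it reports every host. The signature_algorithms_pinned field is there to make one distinction visible: the only algorithm option in the quoted command line, HostKeyAlgorithms=+ssh-rsa, controls which host-key types the client accepts from the droplet, while the signature made with the user's RSA key (by the forwarded agent, in this setup) is governed by PubkeyAcceptedAlgorithms (PubkeyAcceptedKeyTypes before OpenSSH 8.5) and the rsa-sha2-* extension negotiation. Azure's complaint is about the latter, so the finding records that nothing in this command line pins it rather than claiming which component chose ssh-rsa.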