Docker: go get from a private GitHub repo - github

I'm trying to run a container that will expose a golang service from a package that I have on a private GitHub repo.
Since I am working with GCE, my starter image is google/debian:wheezy.
After installing all the required dependencies and tools, I am running
RUN go get github.com/<my_org>/<my_package>
where the package is a private repo.
I have added my GitHub SSH keys to allow the cloning from the private repo to the docker file:
ADD priv/id_rsa /root/.ssh/id_rsa
ADD priv/id_rsa.pub /root/.ssh/id_rsa.pub
Still, I am getting an error during the go get process when go tried to clone the repo:
# cd .; git clone https://github.com/<my_org>/<my_package> /gopath/src/github.com/<my_org>/<my_package>
Cloning into '/gopath/src/github.com/<my_org>/<my_package>'...
fatal: could not read Username for 'https://github.com': No such device or address
package github.com/<my_org>/<my_package>: exit status 128
To debug the problem, from the Dockerfile, I am running:
RUN ssh-keyscan -t rsa github.com 2>&1 >> /root/.ssh/known_hosts
And this tells me there are some problems. It looks like validating the private key is OK but something weird is going on with the public key. This is the complete ssh-keyscan result:
OpenSSH_6.0p1 Debian-4+deb7u2, OpenSSL 1.0.1e 11 Feb 2013
Pseudo-terminal will not be allocated because stdin is not a terminal.
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to github.com [192.30.252.129] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: identity file /root/.ssh/id_rsa type 1
debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-2048
debug1: Checking blacklist file /etc/ssh/blacklist.RSA-2048
debug1: identity file /root/.ssh/id_rsa-cert type -1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: identity file /root/.ssh/id_dsa-cert type -1
debug1: identity file /root/.ssh/id_ecdsa type -1
debug1: identity file /root/.ssh/id_ecdsa-cert type -1
debug1: Remote protocol version 2.0, remote software version libssh-0.6.0
debug1: no match: libssh-0.6.0
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.0p1 Debian-4+deb7u2
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-sha1 none
debug1: kex: client->server aes128-ctr hmac-sha1 none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: RSA 16:27:ac:a5:76:28:2d:36:63:1b:56:4d:eb:df:a6:48
debug1: Host 'github.com' is known and matches the RSA host key.
debug1: Found key in /root/.ssh/known_hosts:1
Warning: Permanently added the RSA host key for IP address '192.30.252.129' to the list of known hosts.
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /root/.ssh/id_rsa
debug1: Server accepts key: pkalg ssh-rsa blen 279
debug1: key_parse_private_pem: PEM_read_PrivateKey failed
debug1: read PEM private key done: type <unknown>
debug1: read_passphrase: can't open /dev/tty: No such device or address
debug1: Trying private key: /root/.ssh/id_dsa
debug1: Trying private key: /root/.ssh/id_ecdsa
debug1: No more authentication methods to try.
Permission denied (publickey).
I have tried chmod 600 and chmod 700 on the priv/public keys, this did not help.
Any clues? Has anyone succeeded in running go get that fetches from private repos on debian from docker?

I figured this out after a bit of hacking around. Not an ideal solution as it involves installing SSH, plus building a private key into the container. This example is based on the official Docker golang image (Debian Wheezy):
The main difference to your example is that you need a git config command to force ssh instead of the default https.
FROM golang
RUN apt-get update && apt-get install -y ca-certificates git-core ssh
ADD keys/my_key_rsa /root/.ssh/id_rsa
RUN chmod 700 /root/.ssh/id_rsa
RUN echo "Host github.com\n\tStrictHostKeyChecking no\n" >> /root/.ssh/config
RUN git config --global url.ssh://git@github.com/.insteadOf https://github.com/
ADD . /go/src/github.com/myaccount/myprivaterepo
RUN go get github.com/myaccount/myprivaterepo
RUN go install github.com/myaccount/myprivaterepo
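The same ssh-based build without baking a private key into any image layer, as an added example that is not part of the answer above: it uses BuildKit's `--mount=type=ssh`, so the key stays in the host's ssh-agent and the build step only sees a forwarded agent socket. It also goes beyond the answer by using Go modules (`go mod download` with `GOPRIVATE`) instead of GOPATH-style `go get`. `myaccount/myprivaterepo` is the answer's placeholder; the `golang:1.22` tag is an assumption.

```dockerfile
# syntax=docker/dockerfile:1
FROM golang:1.22

# git is already in the golang image; openssh-client is not.
RUN apt-get update && apt-get install -y --no-install-recommends openssh-client \
    && rm -rf /var/lib/apt/lists/*

# Pin GitHub's host key instead of setting StrictHostKeyChecking no, so the
# clone cannot be silently redirected to another host. ssh-keyscan trusts
# whatever it is told on first contact; for a production build, COPY in a
# known_hosts file whose fingerprints you have checked against GitHub's
# published ones instead of scanning at build time.
RUN mkdir -p -m 0700 /root/.ssh \
    && ssh-keyscan github.com > /root/.ssh/known_hosts

# Rewrite https module URLs to ssh, as in the answer above.
RUN git config --global url."ssh://git@github.com/".insteadOf "https://github.com/"

# Keep this org out of proxy.golang.org and sum.golang.org lookups.
ENV GOPRIVATE=github.com/myaccount/*

WORKDIR /go/src/github.com/myaccount/myprivaterepo
COPY go.mod go.sum ./

# The ssh mount sets SSH_AUTH_SOCK for this single RUN step only; no key
# material and no socket end up in the image.
RUN --mount=type=ssh go mod download

COPY . .
RUN go build -o /usr/local/bin/myprivaterepo .

ENTRYPOINT ["/usr/local/bin/myprivaterepo"]
```

Load the key into the agent on the host first (`ssh-add ~/.ssh/id_rsa`), then build with `docker build --ssh default -t myprivaterepo .` (BuildKit is the default builder in current Docker releases). `docker history` of the result shows no key, no agent socket and no credential, which is the property the answer's `ADD keys/my_key_rsa` approach cannot give.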

go get is trying to use https, completely ignoring ssh.
You will have to set up ~/.netrc:
ADD priv/.netrc /root/.netrc
Where netrc looks like:
machine github.com login github-username password github-password
ref:
https://stackoverflow.com/a/13724351/145587

In the newest version of golang (v1.11) there are now modules.
To quote the source:
A module is a collection of related Go packages that are versioned together as a single unit. Most often, a single version-control repository corresponds exactly to a single module.
Using the latest version of golang will allow you to have dependencies that are in private repositories. Essentially, running the $ go mod vendor command will create a vendor directory locally for all external dependencies. Now, making sure your docker image has Golang v1.11, you will update your Dockerfile with the following:
WORKDIR /<your repository>
COPY . ./

Elaborating on OneOfOne's ~/.netrc answer, this is what I am doing with Jenkins on linux:
FROM golang:1.6
ARG GITHUB_USER=$GITHUB_USER
ARG GITHUB_PASS=$GITHUB_PASS
# Copy local package files to the container's workspace.
ADD . /go/src/github.com/my-org/my-project
WORKDIR /go/src/github.com/my-org/my-project/
# Build application inside the container.
RUN echo "machine github.com\n\tlogin $GITHUB_USER\n\tpassword $GITHUB_PASS" >> ~/.netrc && \
go get github.com/tools/godep && \
go get github.com/onsi/ginkgo/ginkgo && \
godep restore && \
ginkgo -r --randomizeAllSpecs --randomizeSuites --failOnPending && \
godep go install && \
rm -f ~/.netrc
ENTRYPOINT /go/bin/my-project
EXPOSE 8080
The docker build command is:
docker build \
--build-arg GITHUB_USER=xxxxx \
--build-arg GITHUB_PASS=yyyyy \
-t my-project .
The two ARG directives map --build-args so docker can use them inside the Dockerfile.
The first and last lines of RUN create and remove the ~/.netrc.
In Jenkins, I use the same creds from git pull in the build command.
In this strategy, the password is not echoed during the docker build process and not saved on any layer of your docker image. Also note that the ginkgo test results are printed to the console during the build.

I had this problem with GitHub and I fixed it using a personal access token:
First of all, please use ARG for your Dockerfile vars (inputs):
After that, configure your git with the GitHub personal access token.
GITHUB_PAT -> GitHub personal access token
FROM golang:1.17 as builder
ARG GITHUB_PAT
WORKDIR /your-app
COPY go.mod .
COPY go.sum .
RUN git config --global url."https://${GITHUB_PAT}:x-oauth-basic@github.com/".insteadOf "https://github.com/"
RUN go mod download
COPY . .
RUN go build -ldflags '-w -s' -o ./out ./main.go
FROM golang:1.17
WORKDIR /app
COPY --from=builder /your-app/out ./
WORKDIR /app/
ENTRYPOINT [ "./out" ]
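For the https/token path used by the two answers above (the Jenkins `.netrc` build and the personal-access-token `insteadOf` rewrite), this added example, which is not from either answer, supplies the `.netrc` through a BuildKit secret mount instead of a build arg. Docker's own documentation warns that build-time variables are visible to anyone holding the image via `docker history`; a secret mount is visible only to the one `RUN` step and is never written to a layer. `my-org/my-project`, the `golang:1.22` tag and the distroless runtime image are placeholders chosen for the example.

```dockerfile
# syntax=docker/dockerfile:1
FROM golang:1.22 AS builder
WORKDIR /src

# Private modules under this org bypass proxy.golang.org and sum.golang.org.
ENV GOPRIVATE=github.com/my-org/*

COPY go.mod go.sum ./

# The secret is mounted at /root/.netrc only while this RUN step executes.
# Both the go tool and git (via curl) read it for https://github.com/, so no
# URL rewrite with the token embedded in it is needed. The file supplied from
# the host has the same shape as in the .netrc answer above:
#   machine github.com login <github-username> password <personal-access-token>
RUN --mount=type=secret,id=netrc,target=/root/.netrc \
    go mod download

COPY . .
RUN CGO_ENABLED=0 go build -ldflags '-w -s' -o /src/my-project .

# Runtime stage: no toolchain, no shell, no credentials, unprivileged user.
FROM gcr.io/distroless/static:nonroot
COPY --from=builder /src/my-project /my-project
ENTRYPOINT ["/my-project"]
```

Build with `docker build --secret id=netrc,src=$HOME/.netrc -t my-project .`; in Jenkins, point `src=` at the file produced by a credentials binding rather than a checked-in path. Because the token never appears in an `ARG`, `ENV` or `RUN` line, neither `docker history` nor `docker inspect` of the final image can reveal it.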

Related

SSH ask for a password in VSCode Dev Container even if ssh-agent seems correctly configured?

I've configured Windows 11 ssh-agent following the official documentation and then used ssh-add to add my SSH keys:
PS> Get-Service ssh-agent
Status Name DisplayName
------ ---- -----------
Running ssh-agent OpenSSH Authentication Agent
The command ssh-add -l shows the key (just 1):
PS > ssh-add -l
3072 SHA256:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx Marco@PC-MARCO (RSA)
I can successfully connect to a remote machine (i.e. ssh user@remote.mydomain.com) using the SSH key from the Windows machine.
From the documentation:
[...] the extension will automatically forward your local SSH agent if one is running
In fact, inside a Visual Studio Code WSL2 container, the ssh-add -l command shows the same output:
vscode ➜ /workspaces/test-ssh-agent $ ssh-add -l
3072 SHA256:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx Marco@PC-MARCO (RSA)
However, inside the container the same exact command ssh user@remote.mydomain.com asks for a password.
It seems that it doesn't know that for that user/domain the stored SSH key should be used. Any help is much appreciated!
EDIT: this is the debug log; it can't find the private key (of course), because it is inside the container. What's the point of ssh-agent then?
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /home/vscode/.ssh/id_rsa
debug3: no such identity: /home/vscode/.ssh/id_rsa: No such file or directory
debug1: Trying private key: /home/vscode/.ssh/id_ecdsa
debug3: no such identity: /home/vscode/.ssh/id_ecdsa: No such file or directory
debug1: Trying private key: /home/vscode/.ssh/id_ecdsa_sk
debug3: no such identity: /home/vscode/.ssh/id_ecdsa_sk: No such file or directory
debug1: Trying private key: /home/vscode/.ssh/id_ed25519
debug3: no such identity: /home/vscode/.ssh/id_ed25519: No such file or directory
debug1: Trying private key: /home/vscode/.ssh/id_ed25519_sk
debug3: no such identity: /home/vscode/.ssh/id_ed25519_sk: No such file or directory
debug1: Trying private key: /home/vscode/.ssh/id_xmss
debug3: no such identity: /home/vscode/.ssh/id_xmss: No such file or directory
debug1: Trying private key: /home/vscode/.ssh/id_dsa
debug3: no such identity: /home/vscode/.ssh/id_dsa: No such file or directory
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred: ,password
debug3: authmethod_is_enabled password
debug1: Next authentication method: password
I followed this guide and most importantly I updated OpenSSH to the latest version available here: https://github.com/PowerShell/Win32-OpenSSH/releases
Now works without any problem.

minio+KMS x509: certificate signed by unknown authority

I am trying to use minio as a local S3 server. I am following this article
I downloaded key and cert files.
I added the env parameters:
set MINIO_KMS_KES_ENDPOINT=https://play.min.io:7373
set MINIO_KMS_KES_KEY_FILE=D:\KMS\root.key
set MINIO_KMS_KES_CERT_FILE=D:\KMS\root.cert
set MINIO_KMS_KES_KEY_NAME=my-minio-key
I started minio server: D:\>minio.exe server D:\Photos
It logs after start up:
Endpoint: http://169.254.182.253:9000 http://169.254.47.198:9000 http://172.17.39.193:9000 http://192.168.0.191:9000 http://169.254.103.105:9000 http://169.254.209.102:9000 http://169.254.136.71:9000 http://127.0.0.1:9000
AccessKey: minioadmin
SecretKey: minioadmin
Browser Access:
http://169.254.182.253:9000 http://169.254.47.198:9000 http://172.17.39.193:9000 http://192.168.0.191:9000 http://169.254.103.105:9000 http://169.254.209.102:9000 http://169.254.136.71:9000 http://127.0.0.1:9000
Command-line Access: https://docs.min.io/docs/minio-client-quickstart-guide
$ mc.exe alias set myminio http://169.254.182.253:9000 minioadmin minioadmin
Object API (Amazon S3 compatible):
Go: https://docs.min.io/docs/golang-client-quickstart-guide
Java: https://docs.min.io/docs/java-client-quickstart-guide
Python: https://docs.min.io/docs/python-client-quickstart-guide
JavaScript: https://docs.min.io/docs/javascript-client-quickstart-guide
.NET: https://docs.min.io/docs/dotnet-client-quickstart-guide
Detected default credentials 'minioadmin:minioadmin', please change the credentials immediately using 'MINIO_ACCESS_KEY' and 'MINIO_SECRET_KEY'
I opened UI in browser: http://localhost:9000/minio/mybacket/
I tried to upload a jpg file and got an exception:
<?xml version="1.0" encoding="UTF-8"?> <Error><Code>InternalError</Code><Message>We encountered an internal error, please try again.</Message><Key>Completed.jpg</Key><BucketName>mybacket</BucketName><Resource>/minio/upload/mybacket/Completed.jpg</Resource><RequestId>1634A6E5663C9D70</RequestId><HostId>4a46a947-6473-4d53-bbb3-a4f908d444ce</HostId></Error>
And I got this exception in minio console:
Error: Post "https://play.min.io:7373/v1/key/generate/my-minio-key": x509: certificate signed by unknown authority
3: cmd\api-errors.go:1961:cmd.toAPIErrorCode()
2: cmd\api-errors.go:1986:cmd.toAPIError()
1: cmd\web-handlers.go:1116:cmd.(*webAPIHandlers).Upload()
Most probably your OS trust store (containing the Root CA certificates) does not trust Let's Encrypt (the Let's Encrypt Authority X3 CA certificate).
The server https://play.min.io:7373 serves a TLS certificate issued by Let's Encrypt.
See:
openssl s_client -showcerts -servername play.min.io -connect play.min.io:7373
Eventually, check the root CA store of your Windows machine.
See: https://security.stackexchange.com/questions/48437/how-can-you-check-the-installed-certificate-authority-in-windows-7-8

After setting Azure DevOps ssh key and git config - it is still asking for a password

Work started using Azure DevOps and I'm trying to clone a repo on my home computer. I created an SSH key, added it to the list of keys, and changed my git config to my work email. However, Azure is still asking for a password...
(base) Name-MacBook-Pro:Company Name$ git clone git@ssh.dev.azure.com:v3/Company/AI/Repo
Cloning into 'Repo'...
Enter passphrase for key '/Users/Name/.ssh/id_rsa':
git@ssh.dev.azure.com's password:
Permission denied, please try again.
git@ssh.dev.azure.com's password:
git@ssh.dev.azure.com: Permission denied (password,publickey).
EDIT
Tried to generate it again and I'm still having trouble.
Create new ssh key
ssh-keygen -t rsa -b 4096 -C "work@email.com" -f ~/.ssh/work_id_rsa
Copy
cat ~/.ssh/work_id_rsa | pbcopy
Add to org and try to clone
ssh-agent bash -c 'ssh-add ~/.ssh/work_id_rsa; git clone https://company@dev.azure.com/Repo'
Cloning into 'Repo'...
Password for 'https://company@dev.azure.com':
fatal: Authentication failed for 'https://comapny@dev.azure.com/Repo'
In case this issue was caused by our side (Microsoft), I tried again with an SSH clone and it succeeded:
This issue should be caused by your SSH key format. I cannot know clearly which method you are using to generate the key, but from your issue it should be because the public key authentication fails, so it then asks for the password of your account.
Ensure your private key has the following format:
-----BEGIN RSA PRIVATE KEY-----
*
*
*
-----END RSA PRIVATE KEY-----
If not, please re-generate with the following command:
ssh-keygen -t rsa
Then configure the public key in the org.
EDIT
I've been using more than one Azure DevOps account for some time now and I just wanted to point out 2 other ways you could use the right key:
using the -i flag
-i identity_file
Selects a file from which the identity (private key) for RSA or DSA authentication is read. The default is ~/.ssh/identity for protocol version 1, and ~/.ssh/id_rsa and ~/.ssh/id_dsa for protocol version 2. Identity files may also be specified on a per-host basis in the configuration file. It is possible to have multiple -i options (and multiple identities specified in configuration files).
ref.: https://linux.die.net/man/1/ssh
using a configuration file (~/.ssh/config) and changing the hostname (remote)
instead of git clone git@ssh.dev.azure.com:v3/Company/AI/Repo you'd git clone git@whatever_name_you_configured:v3/Company/AI/Repo
Microsoft has a post about it that may help:
https://learn.microsoft.com/en-us/azure/devops/repos/git/use-ssh-keys-to-authenticate?view=azure-devops#q-i-have-multiple-ssh-keys--how-do-i-use-different-ssh-keys-for-different-ssh-servers-or-repos
Original answer:
The method to generate the key is actually fine (OpenSSH), and I have more than one SSH Key on my .ssh, so I assume that does not matter as well. Probably you can't have more than one key using the same algorithm.
What I believe was the actual problem was the name of the key.
You used:
ssh-keygen -t rsa -b 4096 -C "work@email.com" -f ~/.ssh/work_id_rsa
which is great (big number of bytes :)
but that "work_id_rsa" will never be found when you test the connection, for example:
ssh -v git#ssh.dev.azure.com
Just to test I renamed and remove mine.
In short, here's the result:
pires@avell:~$ ssh -v git@ssh.dev.azure.com
OpenSSH_8.2p1 Ubuntu-4ubuntu0.1, OpenSSL 1.1.1f 31 Mar 2020
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: include /etc/ssh/ssh_config.d/*.conf matched no files
debug1: /etc/ssh/ssh_config line 21: Applying options for *
debug1: Connecting to ssh.dev.azure.com [51.144.61.32] port 22.
debug1: Connection established.
(removed for brevity)
debug1: Authenticating to ssh.dev.azure.com:22 as 'git'
(removed for brevity)
debug1: Host 'ssh.dev.azure.com' is known and matches the RSA host key.
debug1: Found key in /home/pires/.ssh/known_hosts:3
debug1: rekey out after 4294967296 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 4294967296 blocks
(((((important detail here:)))))
debug1: Will attempt key: /home/pires/.ssh/id_rsa
debug1: Will attempt key: /home/pires/.ssh/id_dsa
debug1: Will attempt key: /home/pires/.ssh/id_ecdsa
debug1: Will attempt key: /home/pires/.ssh/id_ecdsa_sk
debug1: Will attempt key: /home/pires/.ssh/id_ed25519 ED25519 SHA256: *************
debug1: Will attempt key: /home/pires/.ssh/id_ed25519_sk
debug1: Will attempt key: /home/pires/.ssh/id_xmss
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: password,publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /home/pires/.ssh/id_rsa
debug1: Trying private key: /home/pires/.ssh/id_dsa
debug1: Trying private key: /home/pires/.ssh/id_ecdsa
debug1: Trying private key: /home/pires/.ssh/id_ecdsa_sk
debug1: Offering public key: /home/pires/.ssh/id_ed25519 ED25519 SHA256:************
(((((and here:)))))
debug1: Authentications that can continue: password,publickey
debug1: Trying private key: /home/pires/.ssh/id_ed25519_sk
debug1: Trying private key: /home/pires/.ssh/id_xmss
debug1: Next authentication method: password
git@ssh.dev.azure.com's password:
So, actually OpenSSH will never find it. I mean, I didn't put a work_id_rsa there, but it doesn't matter because it does not look for everything inside the folder, in your case, it expects a /home/pires/.ssh/id_rsa to be exactly there. Or better, whatever ~ points to + /.ssh/id_encryptionmethod
Also, since it couldn't find the private key to authenticate, it falls back to password.

SFTP::Foreign (Perl Library) login issue using RSA key

I am facing a very strange problem with SFTP::Foreign while trying to log in to a remote machine from HP-UX. What is strange is that the issue is very hard to reproduce. The program which uses SFTP::Foreign to log in runs every work day at the same time, and once every week or two it fails. It uses an RSA key for authentication to the server.
I enabled -vvv for tracing and I was hoping that here I'll find some help. I captured logs when authentication is successful and when it failed. Below I will put the parts of the logs where the difference started.
This is a part of the log when logging in is successful:
debug1: Offering RSA public key: <intentionally hidden by me>
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Server accepts key: pkalg ssh-rsa blen 277
debug2: input_userauth_pk_ok: <intentionally hidden by me>
debug3: sign_and_send_pubkey: <intentionally hidden by me>
debug1: read PEM private key done: type RSA
debug1: Authentication succeeded (publickey).
This is the part when logging in fails:
debug1: Offering RSA public key: <intentionally hidden by me>
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,password
The error which I am getting is:
Permission denied, please try again.
Any ideas?

mkdir //.ssh: Permission denied at /usr/lib/perl5/site_perl/5.8.8/Net/SSH/Perl/Util/Hosts.pm line 92

I'm using "Net::SFTP" in perl cgi file to put files to a windows M/C from my dev box.
After adding below new directory manually (with 0777 permissions) everything works fine:
bash-4.1$ pwd
/.ssh
-bash-4.1$ cd ..
-bash-4.1$ ls -ltra | grep .ssh
drwxrwxrwx 2 root root 4096 Jan 23 23:57 .ssh
The problem (if I don't add the above directory manually), as per my understanding, is this:
Apache is running the cgi as user "nobody", which does not have permission to make the directory after the connection is established via sftp, and I'm getting the below error messages in the logs:
xxx.xxx.net: Reading configuration data /.ssh/config
xxx.xxx.net: Reading configuration data /etc/ssh_config
xxx.xxx.net: Connecting to xxx.xxx.xxx.com, port 22.
xxx.xxx.net: Remote protocol version 2.0, remote software version 5.17 FlowSsh: Bitvise SSH Server (WinSSHD) 5.58: free only for personal non-commercial use^M
Math::BigInt: couldn't load specified math lib(s), fallback to Math::BigInt::Calc at /usr/lib/perl5/site_perl/5.8.8/Crypt/DH.pm line 6
xxx.xxx.net: Net::SSH::Perl Version 1.34, protocol version 2.0.
xxx.xxx.net: No compat match: 5.17 FlowSsh: Bitvise SSH Server (WinSSHD) 5.58: free only for personal non-commercial use^M.
xxx.xxx.net: Connection established.
xxx.xxx.net: Sent key-exchange init (KEXINIT), wait response.
xxx.xxx.net: Algorithms, c->s: 3des-cbc hmac-sha1 none
xxx.xxx.net: Algorithms, s->c: 3des-cbc hmac-sha1 none
xxx.xxx.net: Entering Diffie-Hellman Group 1 key exchange.
xxx.xxx.net: Sent DH public key, waiting for reply.
xxx.xxx.net: Received host key, type 'ssh-dss'.
xxx.xxx.net: Permanently added 'xxx.xxx.xxx.com' to the list of known hosts.
**mkdir //.ssh: Permission denied at /usr/lib/perl5/site_perl/5.8.8/Net/SSH/Perl/Util/Hosts.pm line 92**
I tried to solve this problem with different methods given over internet but nothing is working for me.
Can anybody suggest possible solution?
Any help will be greatly appreciated.
I recently ran into the same problem myself and you are correct that it is a permissions issue. When your nobody process tries to connect to the remote server, it wants to write the remote host key to a file. This is the step that is failing in your error message (Hosts.pm line 92).
My solution was to create a nobody-writable location for Net::SFTP to write the known_hosts file, and to specify that location before you construct your Net::SFTP connection:
$ENV{HOME} = '/nobody/writable/location/';
You can find more information on this problem at http://www.perlmonks.org/?node_id=599078