SSH Agent Forwarding not working - github

I'm having a hard time trying to configure Capistrano 3.1 to deploy an app hosted on GitHub.
I'm following the Capistrano documentation and I have successfully completed the first step (SSH keys from workstation to servers), and on the second one (From our servers to the repository host) I'm able to successfully run ssh -A deploy@one-of-my-servers.com 'git ls-remote git@github.com:my_user/my_repo.git':
18f38afz261df35d462f7f4e2ca847d22f148a06 HEAD
18f38afz261df35d462f7f4e2ca847d22f148a06 refs/heads/master
however, ssh deploy@one-of-my-servers.com 'git ls-remote git@github.com:my_user/my_repo.git' fails:
Permission denied (publickey).
Capistrano docs suggest
If you get the error "host key verification failed." log in into your server and run as the deploy user the command ssh git@github.com to add github.com to the list of known hosts.
So I tried that, but I get
ssh git@github.com
Warning: Permanently added the RSA host key for IP address '192.30.252.131' to the list of known hosts.
Permission denied (publickey).
And I'm basically not able to successfully access the Github repo.
SSH documentation states:
-A Enables forwarding of the authentication agent connection. This
can also be specified on a per-host basis in a configuration
file.
How can I specify this on a per-host basis in a configuration file?
My local machine runs Mac OSX Mavericks.
The VPS runs Ubuntu 12.04
Thanks.

Do you have your ssh key added to the list of agent identities?
You can check with ssh-add -L; you should see the key you are using to connect to GitHub:
$ ssh-add -L
ssh-rsa AAAAB3N.....0VmSiRvTzBrbU0ww== /Users/youruser/.ssh/id_rsa
If you don't see the ssh key you use for github or a message like
The agent has no identities.
Then you should add your key with :
ssh-add ~/.ssh/id_rsa
(replace with the path to the key you use for github)
See the ssh-add doc for more info

Add following lines to .ssh/config file on your local computer
Host Server_Address
ForwardAgent yes
Check your local key whether listed in ssh-add list or not with
ssh-add -L
If not add key to SSH Agent
ssh-add -K
Connect to Remote Server
ssh -v username@Server_Address
Check SSH Agent forwarding is enabled by running following command. It should list a socket file
echo "$SSH_AUTH_SOCK"
Run connection test against GitHub
ssh -T git@github.com
Run ls remote test against targeted git repository
git ls-remote --heads git@github.com:account/repo.git
Finally logout and run following from your local machine
cap production git:check

Add the following to ~/.ssh/config
Host one-of-my-servers.com
ForwardAgent yes

Yet another cause: If the target host's fingerprint doesn't match with your ~/.ssh/known_hosts, SSH automatically disables Agent Forwarding.
The solution is:
$ ssh -A -o UserKnownHostsFile=/dev/null my-target-host

Related

GitHub using the wrong SSH key

I have two GitHub accounts setup with ssh keys, one personal and one enterprise.
I have an ssh config file as such:
# * GitHub CKO SSH Key
Host github-enterprise
HostName github.com
AddKeysToAgent yes
UseKeychain yes
User git
IdentityFile ~/.ssh/id_ed25519_github
# * GitHub Personal SSH Key
Host github-personal
HostName github.com
AddKeysToAgent yes
UseKeychain yes
User git
IdentityFile ~/.ssh/gh_mervinhemaraju_ed25519
Both keys were created separately and attached to the respective account.
The weird issue is that I was using this for like a month, and it was working. Today, when I logged in, I committed some work on my personal repo and when I tried to do a remote push (which was working for this repo previously), I got a user permission denied.
I then performed an ssh test on both ssh keys and the results were as such:
ssh -T git@github-personal
Hi mervin-hemaraju-enterprise! You've successfully authenticated, but GitHub does not provide shell access.
ssh -T git@github-enterprise
Hi mervin-hemaraju-cko! You've successfully authenticated, but GitHub does not provide shell access.
The personal key test is wrong. It should've been Hi mervinhemaraju! You've successfully authenticated, but GitHub does not provide shell access. since mervinhemaraju is my personal account, but is instead referring to the enterprise one.
I am on macOS. Can someone please help?
Add IdentitiesOnly yes for the entries in the ssh config. This will prevent the SSH Agent from trying all the keys it knows of and only use the ones specified in the config file.
Specifies that ssh should only use the identity keys configured in the ssh_config files, even if ssh-agent offers more identities.
https://www.ssh.com/academy/ssh/config
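The per-host ForwardAgent answers in the first thread and the IdentitiesOnly answer above both depend on how ssh resolves ~/.ssh/config: Host blocks are read top to bottom and the first value obtained for a keyword wins. The following is an added example, not code from any poster: a simplified resolver (no Match or Include, whitespace-separated keywords only) run over a constructed config, with hypothetical function names.

```python
import fnmatch

# Constructed sample: the per-host ForwardAgent stanza and GitHub aliases of
# the kind shown in the threads above, plus a catch-all block.
SAMPLE = """\
Host one-of-my-servers.com
  ForwardAgent yes
Host github-personal
  HostName github.com
  IdentityFile ~/.ssh/gh_mervinhemaraju_ed25519
  IdentitiesOnly yes
Host github-enterprise
  HostName github.com
  IdentityFile ~/.ssh/id_ed25519_github
Host *
  ForwardAgent no
"""

def host_matches(patterns, host):
    """A Host line applies if a positive pattern matches and no '!pattern' does."""
    pos = [p for p in patterns if not p.startswith("!")]
    neg = [p[1:] for p in patterns if p.startswith("!")]
    hit = lambda pats: any(fnmatch.fnmatchcase(host, p) for p in pats)
    return hit(pos) and not hit(neg)

def effective(config_text, host):
    """Resolve options for host; the first value obtained for a keyword wins."""
    opts, active = {}, True  # options before any Host line apply to every host
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, value = (line.split(None, 1) + [""])[:2]
        if key.lower() == "host":
            active = host_matches(value.split(), host)
        elif active:
            opts.setdefault(key.lower(), value.strip())
    return opts

def audit(config_text, hosts):
    """Return (host, finding) pairs for agent-related settings worth reviewing."""
    findings = []
    for h in hosts:
        o = effective(config_text, h)
        if o.get("forwardagent", "no") == "yes":
            findings.append((h, "agent is forwarded to this host"))
        if "identityfile" in o and o.get("identitiesonly", "no") != "yes":
            findings.append((h, "other agent keys may be offered"))
    return findings
```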
I have had a similar issue, and what I did was create a local git config that explicitly specifies which SSH key to use.
My ~/.ssh/config file specifies to use my "work" ssh key, since that's most common on my work computer.
I have something like this in my ~/.ssh/config:
Host *
PreferredAuthentications publickey
IdentityFile ~/.ssh/my-work-ssh-key
ServerAliveInterval 60
In my "personal" projects, I configure Git to ignore my ~/.ssh/config file, and I set the identity file to my "personal" SSH key.
Something like this:
git config --local core.sshCommand "ssh -i ~/.ssh/my-personal-ssh-key -F /dev/null"
That puts the following in .git/config:
[core]
sshCommand = ssh -i ~/.ssh/my-personal-key -F /dev/null

How to run multiple VS Code instances to use different identities for interacting with a remote git repository while working with Remote Containers?

Sorry for a long post
I have a VS Code Remote Development setup using containers. I have multiple user accounts for the same git server. I am using key-based authentication to interact with git-server. I am using Ubuntu 18.04 LTS in my host machine and Debian Buster in containers.
Git Server - git.server.com
Git urls
- git@git.server.com:repo1.git
- git@git.server.com:repo2.git
Repo1 is used by User1 account
Repo2 is used by User2 account
ssh-key for User1 - ~/.ssh/id_ed25519_user1
ssh-key for User2 - ~/.ssh/id_ed25519_user2
I have created an ssh config in ~/.ssh/config
Host user1.git.server.com
HostName git.server.com
User git
IdentityFile /home/user/.ssh/id_ed25519_user1
IdentitiesOnly yes
Host user2.git.server.com
HostName git.server.com
User git
IdentityFile /home/user/.ssh/id_ed25519_user2
IdentitiesOnly yes
From a terminal in host machine I can authenticate to server
as user1:
ssh git@user1.git.server.com
as user2:
ssh git@user2.git.server.com
I can launch multiple vs code instances and inside the vs code terminal (without opening the folder in remote container), I can use the above commands to authenticate.
Things get interesting once we use "Reopen in Containers".
I don't have the .ssh/config folder mounted inside containers so the above commands fail to execute by giving error:
Could not resolve hostname user1.git.server.com: Name or service not known
or
Could not resolve hostname user2.git.server.com: Name or service not known
I don't want to mount my .ssh folder to containers for obvious reasons. Also, mount=type=ssh is not possible as this is not building a container but working with a container as a dev environment.
Next thing I notice is that ssh-agent forwarding is working.
ssh-add -l
If I execute the above command in terminal in host, terminal in vs code (when folder is opened locally) and terminal in vs code (when folder is opened in remote container) all returns same output (the fingerprint for keys of identities for user1 and user2).
So I start a new ssh-agent in host terminal before launching the code.
~/repo1$ eval `ssh-agent -s`
~/repo1$ ssh-add ~/.ssh/id_ed25519_user1
~/repo1$ code .
and in another terminal
~/repo2$ eval `ssh-agent -s`
~/repo2$ ssh-add ~/id_ed25519_user2
~/repo2$ code .
In respective host terminal and vs code terminal (without opening folder in remote container) I get the desired result. I can use:
ssh git@git.server.com
So I don't need a ssh-config file anymore.
But this does not work when the folder is opened in Remote Container. VS Code only connects to the first ssh-agent started. That is (in this case) the repo1 opened in VS Code Remote Container works perfectly with all git support but repo2 opened in VS Code Remote Container does not work.
How can I direct VS Code to use which ssh-agent to forward to container when switching to remote container?
Workaround
The workaround which I am using currently is use the default ssh-agent (Ubuntu starts an ssh-agent at the time of logging in). This agent already contains both the identities. Verify by running
ssh-add -l
Launch multiple vs code instances as usual and switch to Remote Container.
When I want to perform a git operation I do the following in host terminal:
For repo1 (user1) operations
$ ssh-add -D
$ ssh-add ~/.ssh/id_ed25519_user1
For repo2 (user2) operations
$ ssh-add -D
$ ssh-add ~/.ssh/id_ed25519_user2
Is there any other suggested way? Is there any settings that can be added to devcontainer.json to achieve the proper forwarding of ssh-agent?
Thank you for your patience.

GIT pulling as i am connected to ssh remote server

Hi, I'm having trouble pulling in a remote endpoint.
Command to connect from remote Google Compute Engine:
ssh -i /path/.ssh/google_compute_engine NAME@REMOTEIP "cd /home/repo/; git pull origin dev"
Connection via ssh to remote endpoint is working.
When I do it manually my git pull works, but when I try to pass the commands as arguments it fails:
git@github.com: Permission denied (publickey).
fatal: Could not read from remote repository.
Please make sure you have the correct access rights
and the repository exists.
Also if I try to add my ssh:
ssh -i /path/.ssh/google_compute_engine NAME@IP "cd /home/repo; ssh-add ~/.ssh/rsa_pub"
it fails:
Could not open a connection to your authentication agent.
ssh -i /path/.ssh/google_compute_engine NAME@IP "ls /home; cd /home/repo; eval ssh-agent;"
returns:
SSH_AGENT_PID=311; export SSH_AGENT_PID;
echo Agent pid 311;
I have to use it like this to make a script for production.
I can't find a way to do it, and also avoid entering the passphrase, so it will automatically pull as I launch the command below.
Can I somehow pass the rsa_pub as a parameter?
Servers from some providers like AWS will not log you in as root but rather as a user with limited permissions (i.e. ubuntu@ip). Try adding sudo before git pull on the server.

Private Github Repositories with Envoy

Anybody has any problems deploying with Laravel's envoy when using private Github repos?
When manually cloning my repo from the production server, the ssh key seems to be accessible but when using Envoy, I always get a "Permission denied (publickey)" error.
Thanks
It is probably because the ssh key on your remote server requires a password.
If you change the Envoy.blade.php to perform some other task you should be able to establish whether you are connecting to your remote correctly.
@servers(['web' => 'user@domain.com'])
@task('deploy')
cd /path/to/site
git status
@endtask
Should return something like:
[user@domain.com]: On branch master
Your branch is up-to-date with 'origin/master'.
nothing to commit, working directory clean
If you are connecting using a Mac or Linux you probably don't have to enter your password because your terminal is using ssh-agent which silently handles your authentication.
Wikipedia article on ssh-agent
When connecting over ssh, ssh-agent isn't running and the script is being prompted for a password which is where it is failing.
To get around this you could generate a new key on the remote machine that doesn't use a password.
If you want to restrict the ssh key to a single repository on GitHub, have a look at deploy keys.
You need to pass -A (as per the man page, it "Enables forwarding of the authentication agent connection. This can also be specified on a per-host basis in a configuration file") in your ssh string.
You will also need to add your ssh key for agent forwarding (on the machine which can access the git remote, which I assume to be your localhost)
ssh-add -K ~/.ssh/your_private_key
Something like this
@servers(['web' => '-A user@domain.com'])
@task('deploy')
cd /path/to/site
git status
@endtask
Git remote commands should now work.

Permission denied (public key) during fetch from GitHub with Jenkins user on Ubuntu

Here is my setup:
Jenkins is running on my linux machine as 'jenkins' user.
I have generated a ssh key-pair as described in Linux - Setup Git, for the 'jenkins' user.
When I sudo su jenkins and try ssh -vT git@github.com, I am always asked my passphrase, but I am always eventually authenticated. (the verbose option shows which key is used, among others).
I could clone my repo from GitHub using jenkins:
Thusly:
jenkins@alpm:~/jobs/test git/workspace$ git pull
Enter passphrase for key '/var/lib/jenkins/.ssh/id*_rsa':
Already up-to-date.
Up to this point I have followed the instructions to the letter. The problem is that the Jenkins job fails with the following error:
status code 128:
stdout:
stderr: Permission denied (publickey).
fatal: The remote end hung up unexpectedly
This is same error as I get when I typo the passphrase (but of course, Jenkins does not ask me for the passphrase). The following pages:
GitHub - SSH Issues
Using SSH Agent Forwarding
indicate to me that ssh-agent could help remember the passphrase, which it does when I am using my own user, but not the jenkins id. Note that while running as my normal user yields:
echo "$SSH_AUTH_SOCK"
/tmp/keyring-nQlwf9/ssh
While running the same command as my 'jenkins' yields nothing (not even permission denied)
My understanding of the problem is that the passphrase is not remembered.
Do you have any idea?
Shall I start a ssh-agent or key ring manager for the jenkins user? How?
Or is ssh forwarding suitable when forwarding to the same machine?
Any brighter idea?
ps: I never sudo gitted, I always used jenkins or my user account (as mentioned in this SO post - Ubuntu/GitHub SSH Key Issue)
Since nobody wrote the answer from the comments for several months, I will quickly do so.
There are 2 possible problems/solutions:
id_rsa created with wrong user
Create id_rsa as the jenkins user (see hudson cannot fetch from git repository)
Leave passphrase empty
To summarise what must be done on the Jenkins server:
# 1. Create the folder containing the SSH keys if necessary
if [ ! -e ~jenkins/.ssh ]; then mkdir ~jenkins/.ssh; fi
cd ~jenkins/.ssh/
# 2. Create the SSH pair of keys
# The comment will help to identify the SSH key on target systems
ssh-keygen -C "jenkins" -f ~jenkins/.ssh/id_rsa -P ""
# 3. Assign the proper access rights
chown -R jenkins ~jenkins/.ssh/
chmod 700 ~jenkins/.ssh
chmod 600 ~jenkins/.ssh/*
Remember:
Please keep the default "id_rsa" name when generating the keys, as other such as "id_rsa_jenkins" won't work, even if correctly set up.
Do not use a passphrase for your key
Check that the public key (id_rsa.pub) has been uploaded on the git server (GitHub, Bitbucket, etc). Once done, test your SSH key by running: ssh -vvv git@github.com (change address according to your git server)
I got around this problem by simply leaving the passphrase empty when creating the keys.
I would add that if you created the keys by hand, they might still be owned by you and not readable by jenkins, try:
sudo chown jenkins -R /var/lib/jenkins/.ssh/*
The following should be checked:
if the right public key (id_rsa.pub) is uploaded to the git-server.
the jenkins user will access GitHub -> CHECK if the right private key (id_rsa) is copied to /var/lib/jenkins/.ssh/
if the known_hosts file is created inside ~/.ssh folder. Try ssh -vvv git@github.com to see debug logs. If things go well, github.com will be added to known_hosts.
if the permission of id_rsa is set to 755 (chmod 755 id_rsa)
After all checks -> try ssh -vvv git@github.com
Don't try to do config in jenkins until ssh works!
If you are running jenkins as a service in windows, you need to verify the user running the service. If you created the keys using the user "MACHINENAME\user", change the service so the user running it can match
For Mac users, the issue can be solved by removing the existing keys and creating new Private and Public Keys by following these steps:
1. Remove all Public and Private keys located at /Users/Username/.ssh
2. Remove all the credentials saved under the Credentials tab in Jenkins.
3. Remove the existing Public SSH keys defined in the Github Repository Settings.
4. Create new SSH keys (private and public: id_rsa and id_rsa.pub) by following the steps from https://confluence.atlassian.com/bitbucketserver/creating-ssh-keys-776639788.html#CreatingSSHkeys-CreatinganSSHkeyonLinux&MacOSX
5. Set the newly created public SSH key (id_rsa.pub) in Github or an equivalent Repository Settings.
6. In Jenkins, create new credentials by adding the private SSH key (id_rsa) for your Github username.
7. The Error should be removed now.
Keys need to be generated from the jenkins user.
sudo su jenkins
ssh-keygen
Once the key is generated, it should be added as an ssh key in Bitbucket or GitHub.