"git push" command from inside a docker container inside a pod fails with the command:
debug1: read_passphrase: can't open /dev/tty: No such device or
address Host key verification failed.
The groovy code that initiates git push:
sshagent (['my_deploy_key'])
{
sh "ls -la /dev/tty"
sh "ssh -Tv git#github.xx.xxx.com"
sh "git push origin ${branch}"
}
The log shows the /dev/tty exists with the right permissions:
[ssh-agent] Exec ssh-agent (binary ssh-agent on a remote machine)
Executing sh script inside container my-project of pod my-project-1611882622034-s6sj2-xnx40
Executing command: "ssh-agent"
exit
SSH_AUTH_SOCK=/tmp/ssh-Dm0jcALohFq6/agent.68; export SSH_AUTH_SOCK;
SSH_AGENT_PID=69; export SSH_AGENT_PID;
echo Agent pid 69;
SSH_AUTH_SOCK=/tmp/ssh-Dm0jcALohFq6/agent.68
SSH_AGENT_PID=69
Running ssh-add (command line suppressed)
Identity added: /home/jenkins/agent/workspace/Test_Dev/mydir#tmp/private_key_6404034659918914698.key (deploy-key)
[ssh-agent] Started.
[Pipeline] {
[Pipeline] sh
+ ls -la /dev/tty
crw-rw-rw- 1 root root 5, 0 Jan 29 01:10 /dev/tty
[Pipeline] sh
+ ssh -Tv git#github.xx.xxx.com
OpenSSH_7.4p1, OpenSSL 1.0.2k-fips 26 Jan 2017
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 58: Applying options for *
debug1: Connecting to github.xx.xxx.com [153.64.42.159] port 22.
debug1: Connection established.
debug1: SELinux support disabled
debug1: key_load_public: No such file or directory
debug1: identity file /home/jenkins/.ssh/id_rsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/jenkins/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/jenkins/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/jenkins/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/jenkins/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/jenkins/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/jenkins/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/jenkins/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.4
debug1: Remote protocol version 2.0, remote software version babeld-7fdd29b
debug1: no match: babeld-7fdd29b
debug1: Authenticating to github.xx.xxx.com:22 as 'git'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1305#openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305#openssh.com MAC: <implicit> compression: none
debug1: kex: curve25519-sha256 need=64 dh_need=64
debug1: kex: curve25519-sha256 need=64 dh_need=64
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:+VP3LqRsSmtwgQhOdiuCaRKG8wTCeNRdwTlOvrILZq8
debug1: read_passphrase: can't open /dev/tty: No such device or address
Host key verification fail
ed.
Please advice
The SSH protocol does not usually use traditional certificate authorities like TLS does. Instead, when you connect to a machine for the first time, you are prompted to verify its host key, which you typically do out of band. This way, you can verify the remote system is who they claim to be.
This message occurs because normally you are prompted on the terminal to verify the host key, but in this case, there is no terminal, so you cannot be prompted. The only safe thing to do is to fail to connect.
In this case, you will want to store your GitHub Enterprise instance's host key as part of your config. You can find these by running ssh-keyscan github.xx.xxx.com. You should take this output (minus the lines starting with #) and store it in /etc/ssh/ssh_known_hosts in your container or in the ~/.ssh/known_hosts file for the given user.
You can also verify that the fingerprint is correct by going to https://github.xx.xxx.com/api/v3/meta and verifying that SHA256:+VP3LqRsSmtwgQhOdiuCaRKG8wTCeNRdwTlOvrILZq8 is the right fingerprint for the key.
Note that some people will suggest disabling host key verification, but this is not secure and is equivalent to operating on an unencrypted connection, so you should not do this. You should also not run ssh-keyscan each time in your container, because that means you'll accept any host key that's presented, even if it belongs to an attacker, which is equally insecure.
I have 2 instance in AWS EC2. 1 is for Jenkins 1 is for Angular 6. I am trying to build the pipe line from Jenkins instance to Another EC2 instance where my Angular 6 application is hosting.
What Exactly I am trying to do here, if any push got happened in my Bitbucket repo, Jenkins will identify that login to another EC2 instance via ssh -i user#ip and pull the code from master branch and deploy it via pm2.
Currently I'm facing the problem -
Jenkins logs -
Started by user Atique Ahmed Running as SYSTEM Building in workspace /var/lib/jenkins/workspace/meanstack No credentials specified
git rev-parse --is-inside-work-tree # timeout=10 Fetching changes from
the remote Git repository git config remote.origin.url
https://bitbucket.org/atique12/mongocrud_application_frnt_end.git #
timeout=10 Fetching upstream changes from
https://bitbucket.org/atique12/mongocrud_application_frnt_end.git git
--version # timeout=10 git fetch --tags --progress -- https://bitbucket.org/atique12/mongocrud_application_frnt_end.git
+refs/heads/:refs/remotes/origin/ # timeout=10 git rev-parse refs/remotes/origin/master^{commit} # timeout=10 git rev-parse
refs/remotes/origin/origin/master^{commit} # timeout=10 Checking out
Revision a7df8023cebbbac998274628bc761ea68da62da0
(refs/remotes/origin/master) git config core.sparsecheckout #
timeout=10 git checkout -f a7df8023cebbbac998274628bc761ea68da62da0 #
timeout=10 Commit message: "form.component.html edited online with
Bitbucket" git rev-list --no-walk
a7df8023cebbbac998274628bc761ea68da62da0 # timeout=10 [meanstack] $
/bin/bash /tmp/jenkins6972607204969540608.sh jenkins is not in the
sudoers file. This incident will be reported. total 12 -r-------- 1
ubuntu ubuntu 1696 Jan 8 05:59 allinstancepair.pem -rwxrwxrwx 1 ubuntu
ubuntu 184 Jan 8 17:21 deploy.sh drw------- 2 ubuntu ubuntu 4096 Jan 8
16:00 mykey /home/ubuntu ./deploy.sh: line 4: cd: mykey: Permission
denied Warning: Identity file /allinstancepair.pem not accessible: No
such file or directory. OpenSSH_7.6p1 Ubuntu-4ubuntu0.3, OpenSSL
1.0.2n 7 Dec 2017 debug1: Reading configuration data /etc/ssh/ssh_config debug1: /etc/ssh/ssh_config line 19: Applying
options for * Pseudo-terminal will not be allocated because stdin is
not a terminal. debug1: Connecting to 13.233.183.227 [13.233.183.227]
port 22. debug1: Connection established. debug1: identity file
/var/lib/jenkins/.ssh/id_rsa type 0 debug1: key_load_public: No such
file or directory debug1: identity file
/var/lib/jenkins/.ssh/id_rsa-cert type -1 debug1: key_load_public: No
such file or directory debug1: identity file
/var/lib/jenkins/.ssh/id_dsa type -1 debug1: key_load_public: No such
file or directory debug1: identity file
/var/lib/jenkins/.ssh/id_dsa-cert type -1 debug1: key_load_public: No
such file or directory debug1: identity file
/var/lib/jenkins/.ssh/id_ecdsa type -1 debug1: key_load_public: No
such file or directory debug1: identity file
/var/lib/jenkins/.ssh/id_ecdsa-cert type -1 debug1: key_load_public:
No such file or directory debug1: identity file
/var/lib/jenkins/.ssh/id_ed25519 type -1 debug1: key_load_public: No
such file or directory debug1: identity file
/var/lib/jenkins/.ssh/id_ed25519-cert type -1 debug1: Local version
string SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3 debug1: Remote protocol
version 2.0, remote software version OpenSSH_7.6p1 Ubuntu-4ubuntu0.3
debug1: match: OpenSSH_7.6p1 Ubuntu-4ubuntu0.3 pat OpenSSH* compat
0x04000000 debug1: Authenticating to 13.233.183.227:22 as 'root'
debug1: SSH2_MSG_KEXINIT sent debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256 debug1: kex: host key
algorithm: ecdsa-sha2-nistp256 debug1: kex: server->client cipher:
chacha20-poly1305#openssh.com MAC: compression: none debug1: kex:
client->server cipher: chacha20-poly1305#openssh.com MAC: compression:
none debug1: expecting SSH2_MSG_KEX_ECDH_REPLY debug1: Server host
key: ecdsa-sha2-nistp256
SHA256:2t3A4VkLU7+iLWc7e/HKast+vY6I3dXnOxY9pVzL6+g debug1: Host
'13.233.183.227' is known and matches the ECDSA host key. debug1:
Found key in /var/lib/jenkins/.ssh/known_hosts:1 debug1: rekey after
134217728 blocks debug1: SSH2_MSG_NEWKEYS sent debug1: expecting
SSH2_MSG_NEWKEYS debug1: SSH2_MSG_NEWKEYS received debug1: rekey after
134217728 blocks debug1: SSH2_MSG_EXT_INFO received debug1:
kex_input_ext_info: server-sig-algs= debug1: SSH2_MSG_SERVICE_ACCEPT
received debug1: Authentications that can continue: publickey debug1:
Next authentication method: publickey debug1: Offering public key: RSA
SHA256:ZKnUTgYBL/OMjNHzEf3ATonaIBa5OfQs8htabRUA/Vo
/var/lib/jenkins/.ssh/id_rsa debug1: Authentications that can
continue: publickey debug1: Trying private key:
/var/lib/jenkins/.ssh/id_dsa debug1: Trying private key:
/var/lib/jenkins/.ssh/id_ecdsa debug1: Trying private key:
/var/lib/jenkins/.ssh/id_ed25519 debug1: No more authentication
methods to try. root#13.233.183.227: Permission denied (publickey).
allinstancepair.pem deploy.sh mykey ./deploy.sh: line 7: cd:
mongocrud_application_frnt_end: No such file or directory fatal: not a
git repository (or any of the parent directories): .git /home/ubuntu
./deploy.sh: line 10: npm: command not found ./deploy.sh: line 11:
pm2: command not found /home/ubuntu Finished: SUCCESS
My Jenkins is not able to read the pem key file
while I am trying to make the login using SSH and pem key to another instance.
I have tried -
chmod 400 - mypem.key chmod 600 - mypem.key chmod 777 - mypem.key
No help. Every time I am getting permission denied issue. Any help ?
Jenkins run the jobs under jenkins user. Jenkins user does not have the permission to read the files from other directories. Also you need to run chmod command with sudo. If you are trying to run commands from Jenkinsfile with sudo, then it won't work. For that you need to edit the sudoers file. It will give access to jenkins user to run sudo commands without password. How to change and what to change can be found here.
One more thing, if you are trying to run shh command from jenkinsfile to connect to other ec2 instance, then simple sh "ssh -i pem.key user#ip" won't work. You need to disable the verification by assigning StrictHostKeyChecking to no i.e. ssh -o "StrictHostKeyChecking no" -i pem.key user#ip
I am trying to scp some files and then ssh into a remote server. Works fine from localhost. However when I am trying the same through a shell script in Jenkins, the ssh session gets kinda stuck or closes. I tried running the scp command alone by hashing out the sab command and that works fine. I am receiving a debug1: Exit status 0 at the end of my Console Output.
The commands I'm trying to run are :
sshpass -p 0pen5ecret scp -v -o StrictHostKeyChecking=no
/home/jenkins/test_folder/${env}_test.properties
servername#${server}:/home/
and then,
sshpass -p password ssh -tt -o StrictHostKeyChecking=no
servername#${server} 'cd /home ; rm -f cachefolder ; sh test.sh'
Below is the error message I am getting in Console Output :
debug1: Host '172.21.83.215' is known and matches the RSA host key.
debug1: Found key in /var/lib/jenkins/.ssh/known_hosts:9
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password,keyboard-
interactive
debug1: Next authentication method: publickey
debug1: Trying private key: /var/lib/jenkins/.ssh/id_rsa
debug1: Trying private key: /var/lib/jenkins/.ssh/id_dsa
debug1: Trying private key: /var/lib/jenkins/.ssh/id_ecdsa
debug1: Trying private key: /var/lib/jenkins/.ssh/id_ed25519
debug1: Next authentication method: keyboard-interactive
debug1: Authentication succeeded (keyboard-interactive).
Authenticated to 172.21.83.244 ([172.21.83.210]:22).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions#openssh.com
debug1: Entering interactive session.
debug1: pledge: network
debug1: Sending environment.
debug1: Sending env LANG = en_US.UTF-8
debug1: Sending command: scp -v -t /data01/DS_Release
Sending file modes: C0777 123 TS2_DeploymentScore.properties
Sink: C0777 123 TS2_DeploymentScore.properties
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug1: channel 0: free: client-session, nchannels 1
debug1: fd 0 clearing O_NONBLOCK
debug1: fd 1 clearing O_NONBLOCK
debug1: fd 2 clearing O_NONBLOCK
Transferred: sent 3320, received 4596 bytes, in 0.1 seconds
Bytes per second: sent 54147.4, received 74958.3
debug1: Exit status 0
How can this be resolved ? Thanks in advance. Btw, this is my very first question here so be nice.
To SCP file remotely over the server, you can use either of the two options:
If you are using Jenkins file, you can use stash and unstash feature of Jenkins:
create two stages in pipeline, run the first one on the source server and stash your files in that.
run the second stage on destination server and unstash your files in that server.
(you need to install Jenkins agent on the server)
If you are using a freestyle job, you can use expect script to copy files remotely, you can use below syntax:
#!/usr/bin/expect -f
#Usage sshsudologin.expect <host> <ssh user> <ssh password> <foldername>
set timeout 20
spawn scp -r "/sourcefolder/[lindex $argv 3]" [lindex $argv 1]#[lindex $argv 0]:"/export/home/[lindex $argv 1]/"
expect "yes/no" {
send "yes\r"
expect "*?assword" { send "[lindex $argv 2]\r" }
} "*?assword" { send "[lindex $argv 2]\r" }
expect eof
I plan to write and run some integration tests using real SSH client and a SSH server. Since this requires server-level configuration, I am setting up the tests inside Docker, so a server can be built to the right spec, an OpenSSH server fired up, and the tests run.
Part of my system requires a non-root user (called nonpriv) to be able to ssh into a server on a passwordless basis. I have generated server certificates and non-root user certificates. I've set up localhost as a known host (so the server authenticity is already confirmed) but I am struggling to set up the cert as an authorised key. I want to be able to do ssh localhost as the nonpriv user and get a shell automatically. However it is skipping the key and going to password auth, which is not what I want.
The Docker ENTRYPOINT is this, so that server keys are different for every run:
#!/bin/sh
#
# With thanks to https://github.com/danielguerra69/alpine-sshd
if [ ! -f "/etc/ssh/ssh_host_rsa_key" ]; then
# generate fresh rsa key
ssh-keygen -f /etc/ssh/ssh_host_rsa_key -N '' -t rsa
fi
if [ ! -f "/etc/ssh/ssh_host_dsa_key" ]; then
# generate fresh dsa key
ssh-keygen -f /etc/ssh/ssh_host_dsa_key -N '' -t dsa
fi
# Prepare run dir
if [ ! -d "/var/run/sshd" ]; then
mkdir -p /var/run/sshd
fi
# Start the SSH daemon
/usr/sbin/sshd
# Generate an SSH key for the nonpriv user
su -c /tmp/install/generate-keys.sh nonpriv
# Sleep so we can debug the server while it is running
# Will be replaced by test runner when SSH client works!
sleep 10000
As is usual for Docker, this is all run as root, so I use su -c towards the end to generate the user keys:
#!/bin/sh
mkdir -p /home/nonpriv/.ssh
# Add the server to recognised hosts
ssh-keyscan localhost >> /home/nonpriv/.ssh/known_hosts
# Generate an SSH key with an empty passphrase
ssh-keygen \
-t rsa \
-b 4096 \
-f /home/nonpriv/.ssh/id_rsa \
-N ''
# Add it to the list of authorised keys for self
ln -s /home/nonpriv/.ssh/id_rsa.pub /home/nonpriv/.ssh/authorized_keys
As you can see I use a symlink to add the public key to the authorised keys list. I then run the Docker container and shell in thusly (where "silly_name" is the automatically generated container name):
docker exec -it silly_name sh
From the shell I do this:
/ # whoami
root
/ # su nonpriv
/ $ whoami
nonpriv
/ $ ssh -vvv localhost
OpenSSH_7.4p1, LibreSSL 2.4.4
debug1: Reading configuration data /etc/ssh/ssh_config
debug2: resolving "localhost" port 22
debug2: ssh_connect_direct: needpriv 0
debug1: Connecting to localhost [::1] port 22.
debug1: Connection established.
debug1: identity file /home/nonpriv/.ssh/id_rsa type 1
debug1: key_load_public: No such file or directory
debug1: identity file /home/nonpriv/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/nonpriv/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/nonpriv/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/nonpriv/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/nonpriv/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/nonpriv/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/nonpriv/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.4
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.4
debug1: match: OpenSSH_7.4 pat OpenSSH* compat 0x04000000
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to localhost:22 as 'nonpriv'
debug3: hostkeys_foreach: reading file "/home/nonpriv/.ssh/known_hosts"
debug3: record_hostkey: found key type RSA in file /home/nonpriv/.ssh/known_hosts:1
debug3: load_hostkeys: loaded 1 keys from localhost
debug3: order_hostkeyalgs: prefer hostkeyalgs: ssh-rsa-cert-v01#openssh.com,rsa-sha2-512,rsa-sha2-256,ssh-rsa
debug3: send packet: type 20
debug1: SSH2_MSG_KEXINIT sent
debug3: receive packet: type 20
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256#libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,ext-info-c
debug2: host key algorithms: ssh-rsa-cert-v01#openssh.com,rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256-cert-v01#openssh.com,ecdsa-sha2-nistp384-cert-v01#openssh.com,ecdsa-sha2-nistp521-cert-v01#openssh.com,ssh-ed25519-cert-v01#openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519
debug2: ciphers ctos: chacha20-poly1305#openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm#openssh.com,aes256-gcm#openssh.com,aes128-cbc,aes192-cbc,aes256-cbc
debug2: ciphers stoc: chacha20-poly1305#openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm#openssh.com,aes256-gcm#openssh.com,aes128-cbc,aes192-cbc,aes256-cbc
debug2: MACs ctos: umac-64-etm#openssh.com,umac-128-etm#openssh.com,hmac-sha2-256-etm#openssh.com,hmac-sha2-512-etm#openssh.com,hmac-sha1-etm#openssh.com,umac-64#openssh.com,umac-128#openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm#openssh.com,umac-128-etm#openssh.com,hmac-sha2-256-etm#openssh.com,hmac-sha2-512-etm#openssh.com,hmac-sha1-etm#openssh.com,umac-64#openssh.com,umac-128#openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib#openssh.com,zlib
debug2: compression stoc: none,zlib#openssh.com,zlib
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256#libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1
debug2: host key algorithms: ssh-rsa,rsa-sha2-512,rsa-sha2-256
debug2: ciphers ctos: chacha20-poly1305#openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm#openssh.com,aes256-gcm#openssh.com
debug2: ciphers stoc: chacha20-poly1305#openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm#openssh.com,aes256-gcm#openssh.com
debug2: MACs ctos: umac-64-etm#openssh.com,umac-128-etm#openssh.com,hmac-sha2-256-etm#openssh.com,hmac-sha2-512-etm#openssh.com,hmac-sha1-etm#openssh.com,umac-64#openssh.com,umac-128#openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm#openssh.com,umac-128-etm#openssh.com,hmac-sha2-256-etm#openssh.com,hmac-sha2-512-etm#openssh.com,hmac-sha1-etm#openssh.com,umac-64#openssh.com,umac-128#openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib#openssh.com
debug2: compression stoc: none,zlib#openssh.com
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: rsa-sha2-512
debug1: kex: server->client cipher: chacha20-poly1305#openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305#openssh.com MAC: <implicit> compression: none
debug3: send packet: type 30
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug3: receive packet: type 31
debug1: Server host key: ssh-rsa SHA256:ierfDQtTWiobxAGsyEf1PrjRcmsr5jQbZVOzcNCnBo4
debug3: hostkeys_foreach: reading file "/home/nonpriv/.ssh/known_hosts"
debug3: record_hostkey: found key type RSA in file /home/nonpriv/.ssh/known_hosts:1
debug3: load_hostkeys: loaded 1 keys from localhost
debug1: Host 'localhost' is known and matches the RSA host key.
debug1: Found key in /home/nonpriv/.ssh/known_hosts:1
debug3: send packet: type 21
debug2: set_newkeys: mode 1
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug3: receive packet: type 21
debug1: SSH2_MSG_NEWKEYS received
debug2: set_newkeys: mode 0
debug1: rekey after 134217728 blocks
debug2: key: /home/nonpriv/.ssh/id_rsa (0x5645c099ae80)
debug2: key: /home/nonpriv/.ssh/id_dsa (0)
debug2: key: /home/nonpriv/.ssh/id_ecdsa (0)
debug2: key: /home/nonpriv/.ssh/id_ed25519 (0)
debug3: send packet: type 5
debug3: receive packet: type 7
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>
debug3: receive packet: type 6
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug3: send packet: type 50
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug3: start over, passed a different list publickey,password,keyboard-interactive
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/nonpriv/.ssh/id_rsa
debug3: send_pubkey_test
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Trying private key: /home/nonpriv/.ssh/id_dsa
debug3: no such identity: /home/nonpriv/.ssh/id_dsa: No such file or directory
debug1: Trying private key: /home/nonpriv/.ssh/id_ecdsa
debug3: no such identity: /home/nonpriv/.ssh/id_ecdsa: No such file or directory
debug1: Trying private key: /home/nonpriv/.ssh/id_ed25519
debug3: no such identity: /home/nonpriv/.ssh/id_ed25519: No such file or directory
debug2: we did not send a packet, disable method
debug3: authmethod_lookup keyboard-interactive
debug3: remaining preferred: password
debug3: authmethod_is_enabled keyboard-interactive
debug1: Next authentication method: keyboard-interactive
debug2: userauth_kbdint
debug3: send packet: type 50
debug2: we sent a keyboard-interactive packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug3: userauth_kbdint: disable: no info_req_seen
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred:
debug3: authmethod_is_enabled password
debug1: Next authentication method: password
nonpriv#localhost's password:
From this it is clear that /home/nonpriv/.ssh/id_rsa is available, but it is not successful. I have tried a number of resources on the internet, often to do with permissions on the home directory, or the ~/.ssh folder, or the authorized_keys file, but to no avail. I will keep trying, but it would be useful to get some information from the system as to what the issue might be.
I think it is possible to set up keys to make ssh-ing into localhost, since I have done this in my development laptop (admittedly with Mint 18 as an OS rather than Alpine/BusyBox).
Unfortunately there are no logs at all in /var/log/, so there is not much info to go on here. Where could I look next?
Update
In case the sshd config could be important, I have the default one from Alpine:
$ less /etc/ssh/sshd_config
# $OpenBSD: sshd_config,v 1.100 2016/08/15 12:32:04 naddy Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/bin:/usr/bin:/sbin:/usr/sbin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key
# Ciphers and keying
#RekeyLimit default none
# Logging
#SyslogFacility AUTH
#LogLevel INFO
# Authentication:
#LoginGraceTime 2m
#PermitRootLogin prohibit-password
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
#PubkeyAuthentication yes
# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile .ssh/authorized_keys
#AuthorizedPrincipalsFile none
#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
#UsePAM no
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation sandbox
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none
# no default banner path
#Banner none
# override default of no subsystems
Subsystem sftp /usr/lib/ssh/sftp-server
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# PermitTTY no
# ForceCommand cvs server
I have solved this one, though I don't fully understand why this solves it. (I will accept any answers in preference to my own if anyone has an explanation).
In my Dockerfile I was setting up a user thus:
# -s specify a shell; -D = don't prompt for a password
RUN adduser -s /bin/sh -D nonpriv
As far as I know that is just a user with a home directory and a null password. However, it looks like I do in fact need to specify a password, so I now also do this:
# It looks like passwordless access does not work unless the user
# has a password!
RUN echo 'nonpriv:Password123' | chpasswd
That seems odd to me, since the PPK access system should not care what the password of the user is, or whether it has one.
I can now SSH into self:
/ $ whoami
nonpriv
/ $ ssh localhost
Welcome to Alpine!
The Alpine Wiki contains a large amount of how-to guides and general
information about administrating Alpine systems.
See <http://wiki.alpinelinux.org>.
You can setup the system with the command: setup-alpine
You may change this message by editing /etc/motd.
d4dded05c2d1:~$
In my case fully password-less ssh required also the following settings:
Host *
StrictHostKeyChecking no
UserKnownHostsFile=/dev/null
in the /etc/ssh/ssh_config file in the docker
ENV APPUSER=myuser
ENV UID=110
ENV GID=110
RUN set -x ; addgroup -g "$GID" -S "$APPUSER" && \
adduser \
-g "$GID" \
-D \
-s "/bin/bash" \
-h "/home/$APPUSER" \
-u "$UID" \
-G "$APPUSER" "$APPUSER" && exit 0 ; exit 1
RUN echo "$APPUSER:secret-pass" | chpasswd
RUN ssh-keygen -A
RUN apk add --no-cache procps su-exec sudo coreutils supervisor && \
apk add --no-cache openrc openssh && \
mkdir -p /run/openrc/ && touch /run/openrc/softlevel && rc-update add sshd
&& rc-status && \
rm -rf /tmp/* /var/cache/apk/* && \
apk del .build-dependencies
USER myuser
RUN ssh-keygen -q -t rsa -N '' -C '' -f ~/.ssh/id_rsa && \
cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys && \
chmod 644 ~/.ssh/authorized_keys