https://pulumi.com logo
#general
Title
# general
a

ancient-car-89914

05/25/2022, 9:45 AM
hey guys - how would I go about troubleshooting a failure in command.remote.Command where it fails to connect over ssh to a digitalocean droplet, while using the exported private key to manually connect works fine?
even with -v=9 I don’t see any more detailed information than:
Copy code
provider_plugin.go:1586] provider received rpc error `Unknown`: `ssh: handshake failed: ssh: unable to authenticate, attempted methods [none publickey], no supported methods remain
I’ve basically copied this example: https://www.pulumi.com/blog/executing-remote-commands/ (except for what seems to be a small typo, I had to change civoSshKey.id to doSsshkey.id, might be worth fixing this in the blog post @quiet-wolf-18467)
some progress - I have found this error in the auth.log of the droplet:
Copy code
no matching key exchange method found. Their offer: diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1 [preauth]
so somehow pulumi’s ssh client is offering only these legacy key exchange methods? which the droplet’s sshd (running on ubuntu 22.04) doesn’t support - I suppose I could get around this by using cloud-init to edit the sshd config on the droplet upon creation, but I would much rather get pulumi to use a key exchange method that isn’t open to logjam attacks…
q

quiet-wolf-18467

05/25/2022, 10:42 AM
Which
pulumi/command
uses
a

ancient-car-89914

05/25/2022, 11:50 AM
your highlight is for suppoertdHostKeyAlgos while I guess my error is related to suppoertedKexAlgos 25 lines higher up in the linked file
but there are 8 different key exchange algorithms in the array on line 46, most of which overlap with the ones accepted by the sshd in my droplet, but the sshd log seems to show pretty clearly that pulumi offered only three legacy sha1 methods
q

quiet-wolf-18467

05/25/2022, 1:47 PM
What code did you use to generate your key?
a

ancient-car-89914

05/25/2022, 2:13 PM
the code from the blog post:
Copy code
const sshKey = new tls.PrivateKey('sshKey', {
  algorithm: 'RSA',
  rsaBits: 4096
})

export const privateKey = sshKey.privateKeyPem

const doSshkey = new digitalocean.SshKey('sshKey', {
  publicKey: sshKey.publicKeyOpenssh
})
q

quiet-wolf-18467

05/25/2022, 2:15 PM
OK. I’ll try this with DigitalOcean and get back to you
a

ancient-car-89914

05/25/2022, 2:16 PM
thank you!
for completeness, here’s the droplet:
Copy code
new digitalocean.Droplet(
  'myDroplet',
  {
    size: 's-4vcpu-8gb',
    image: 'ubuntu-22-04-x64',
    region: 'fra1',
    sshKeys: [doSshkey.id]
  },
  {
    replaceOnChanges: ['diskImage', 'script']
  }
)
q

quiet-wolf-18467

05/25/2022, 2:37 PM
Reproduced
Fun. I found my example from that blog and it still runs 😄
Now to play spot the difference
a

ancient-car-89914

05/25/2022, 2:50 PM
ubuntu version perhaps?
q

quiet-wolf-18467

05/25/2022, 2:51 PM
Yeah, it seems that way. I tried swapping out the
package-lock.json
to identify a bug in our providers, but there isn’t one
a

ancient-car-89914

05/28/2022, 9:54 PM
update: I was able to get it working by switching to ED25519:
Copy code
const sshKey = new tls.PrivateKey('sshKey', {
  algorithm: 'ED25519'
})

export const privateKey = sshKey.privateKeyOpenssh
59 Views