ancient-car-89914

05/25/2022, 9:45 AM
hey guys - how would I go about troubleshooting a failure in command.remote.Command where it fails to connect over ssh to a digitalocean droplet, while using the exported private key to manually connect works fine?
even with -v=9 I don’t see any more detailed information than:
provider_plugin.go:1586] provider received rpc error `Unknown`: `ssh: handshake failed: ssh: unable to authenticate, attempted methods [none publickey], no supported methods remain
I’ve basically copied this example: https://www.pulumi.com/blog/executing-remote-commands/ (except for what seems to be a small typo, I had to change civoSshKey.id to doSshkey.id, might be worth fixing this in the blog post @quiet-wolf-18467)
some progress - I have found this error in the auth.log of the droplet:
no matching key exchange method found. Their offer: diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1 [preauth]
so somehow pulumi’s ssh client is offering only these legacy key exchange methods? which the droplet’s sshd (running on ubuntu 22.04) doesn’t support - I suppose I could get around this by using cloud-init to edit the sshd config on the droplet upon creation, but I would much rather get pulumi to use a key exchange method that isn’t open to logjam attacks…
quiet-wolf-18467

05/25/2022, 10:42 AM
Which pulumi/command uses
ancient-car-89914

05/25/2022, 11:50 AM
your highlight is for supportedHostKeyAlgos while I guess my error is related to supportedKexAlgos 25 lines higher up in the linked file
but there are 8 different key exchange algorithms in the array on line 46, most of which overlap with the ones accepted by the sshd in my droplet, but the sshd log seems to show pretty clearly that pulumi offered only three legacy sha1 methods
quiet-wolf-18467

05/25/2022, 1:47 PM
What code did you use to generate your key?
ancient-car-89914

05/25/2022, 2:13 PM
the code from the blog post:
import * as tls from '@pulumi/tls'
import * as digitalocean from '@pulumi/digitalocean'

// 4096-bit RSA key pair generated by the tls provider
const sshKey = new tls.PrivateKey('sshKey', {
  algorithm: 'RSA',
  rsaBits: 4096
})

// exported so the private key can be used for a manual ssh connection
export const privateKey = sshKey.privateKeyPem

// register the public half with DigitalOcean
const doSshkey = new digitalocean.SshKey('sshKey', {
  publicKey: sshKey.publicKeyOpenssh
})
quiet-wolf-18467

05/25/2022, 2:15 PM
OK. I’ll try this with DigitalOcean and get back to you
ancient-car-89914

05/25/2022, 2:16 PM
thank you!
for completeness, here’s the droplet:
import * as digitalocean from '@pulumi/digitalocean'

// droplet that trusts the DigitalOcean SSH key registered above (doSshkey)
new digitalocean.Droplet(
  'myDroplet',
  {
    size: 's-4vcpu-8gb',
    image: 'ubuntu-22-04-x64',
    region: 'fra1',
    sshKeys: [doSshkey.id]
  },
  {
    replaceOnChanges: ['diskImage', 'script']
  }
)
quiet-wolf-18467

05/25/2022, 2:37 PM
Reproduced
Fun. I found my example from that blog and it still runs 😄
Now to play spot the difference
ancient-car-89914

05/25/2022, 2:50 PM
ubuntu version perhaps?
quiet-wolf-18467

05/25/2022, 2:51 PM
Yeah, it seems that way. I tried swapping out the package-lock.json to identify a bug in our providers, but there isn’t one
ancient-car-89914

05/28/2022, 9:54 PM
update: I was able to get it working by switching to ED25519:
import * as tls from '@pulumi/tls'

// ED25519 key pair; no rsaBits setting applies
const sshKey = new tls.PrivateKey('sshKey', {
  algorithm: 'ED25519'
})

// OpenSSH-format private key (privateKeyOpenssh) instead of PEM
export const privateKey = sshKey.privateKeyOpenssh