hey guys - how would I go about troubleshooting a ...
# general
a
hey guys - how would I go about troubleshooting a failure in command.remote.Command where it fails to connect over ssh to a digitalocean droplet, while using the exported private key to manually connect works fine?
even with -v=9 I don’t see any more detailed information than:
provider_plugin.go:1586] provider received rpc error `Unknown`: `ssh: handshake failed: ssh: unable to authenticate, attempted methods [none publickey], no supported methods remain
I’ve basically copied this example: https://www.pulumi.com/blog/executing-remote-commands/ (except for what seems to be a small typo, I had to change civoSshKey.id to doSshkey.id, might be worth fixing this in the blog post @quiet-wolf-18467)
some progress - I have found this error in the auth.log of the droplet:
no matching key exchange method found. Their offer: diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1 [preauth]
so somehow pulumi’s ssh client is offering only these legacy key exchange methods? which the droplet’s sshd (running on ubuntu 22.04) doesn’t support - I suppose I could get around this by using cloud-init to edit the sshd config on the droplet upon creation, but I would much rather get pulumi to use a key exchange method that isn’t open to logjam attacks…
q
Which pulumi/command uses
a
your highlight is for supportedHostKeyAlgos while I guess my error is related to supportedKexAlgos 25 lines higher up in the linked file
but there are 8 different key exchange algorithms in the array on line 46, most of which overlap with the ones accepted by the sshd in my droplet, but the sshd log seems to show pretty clearly that pulumi offered only three legacy sha1 methods
q
What code did you use to generate your key?
a
the code from the blog post:
import * as tls from '@pulumi/tls'
import * as digitalocean from '@pulumi/digitalocean'

// 4096-bit RSA key pair, generated by the TLS provider
const sshKey = new tls.PrivateKey('sshKey', {
  algorithm: 'RSA',
  rsaBits: 4096
})

// PEM-encoded private key, exported so it can be used by command.remote.Command
export const privateKey = sshKey.privateKeyPem

// Register the public half with DigitalOcean so it can be attached to the droplet
const doSshkey = new digitalocean.SshKey('sshKey', {
  publicKey: sshKey.publicKeyOpenssh
})
q
OK. I’ll try this with DigitalOcean and get back to you
a
thank you!
for completeness, here’s the droplet:
import * as digitalocean from '@pulumi/digitalocean'

// Ubuntu 22.04 droplet with the DigitalOcean SSH key (doSshkey, defined above) attached
new digitalocean.Droplet(
  'myDroplet',
  {
    size: 's-4vcpu-8gb',
    image: 'ubuntu-22-04-x64',
    region: 'fra1',
    sshKeys: [doSshkey.id]
  },
  {
    replaceOnChanges: ['diskImage', 'script']
  }
)
q
Reproduced
Fun. I found my example from that blog and it still runs 😄
Now to play spot the difference
a
ubuntu version perhaps?
q
Yeah, it seems that way. I tried swapping out the package-lock.json to identify a bug in our providers, but there isn’t one
a
update: I was able to get it working by switching to ED25519:
import * as tls from '@pulumi/tls'

// ED25519 key pair instead of RSA; the private key is exported in OpenSSH format
const sshKey = new tls.PrivateKey('sshKey', {
  algorithm: 'ED25519'
})

export const privateKey = sshKey.privateKeyOpenssh