So I just upgraded my Mac mini (Late 2012) to macOS 10.12 (Sierra) and everything seems fine, but I’m running into one odd problem deploying code with Capistrano. I get the following error:
Permission denied (publickey).
Never had this problem before in Mac OS X 10.11 (El Capitan) or any version prior to it. Why is this suddenly happening now? Full output of the failed Capistrano deployment below:
jakes_mac:SomeCode jake$ cap staging deploy
INFO [hkdgad21] Running /usr/bin/env mkdir -p /tmp/somecode/ as jake#example.com
DEBUG [hkdgad21] Command: /usr/bin/env mkdir -p /tmp/somecode/
jake#example.com's password:
INFO [hkdgad21] Finished in 5.166 seconds with exit status 0 (successful).
DEBUG Uploading /tmp/somecode/git-ssh.sh 0.0%
INFO Uploading /tmp/somecode/git-ssh.sh 100.0%
INFO [xyz20312] Running /usr/bin/env chmod +x /tmp/somecode/git-ssh.sh as jake#example.com
DEBUG [xyz20312] Command: /usr/bin/env chmod +x /tmp/somecode/git-ssh.sh
INFO [xyz20312] Finished in 0.240 seconds with exit status 0 (successful).
INFO [abcdef01] Running /usr/bin/env git ls-remote --heads git#github.com:SomeUser/SomeCode.git as jake#example.com
DEBUG [abcdef01] Command: ( GIT_ASKPASS=/bin/echo GIT_SSH=/tmp/somecode/git-ssh.sh /usr/bin/env git ls-remote --heads git#github.com:SomeUser/SomeCode.git )
DEBUG [abcdef01] Permission denied (publickey).
DEBUG [abcdef01] fatal: Could not read from remote repository.
DEBUG [abcdef01]
DEBUG [abcdef01] Please make sure you have the correct access rights
DEBUG [abcdef01] and the repository exists.
(Backtrace restricted to imported tasks)
cap aborted!
SSHKit::Runner::ExecuteError: Exception while executing as jake#example.com: git exit status: 128
git stdout: Nothing written
git stderr: Permission denied (publickey).
fatal: Could not read from remote repository.
Please make sure you have the correct access rights
and the repository exists.
SSHKit::Command::Failed: git exit status: 128
git stdout: Nothing written
git stderr: Permission denied (publickey).
fatal: Could not read from remote repository.
Please make sure you have the correct access rights
and the repository exists.
Tasks: TOP => git:check
(See full trace by running task with --trace)
The deploy has failed with an error: Exception while executing as jake#example.com: git exit status: 128
git stdout: Nothing written
git stderr: Permission denied (publickey).
fatal: Could not read from remote repository.
Please make sure you have the correct access rights
and the repository exists.
Seems like it’s an issue with SSH keys not being automatically added as it used to be in Mac OS X 10.11 (El Capitan). Is this expected behavior from macOS Sierra or something connected to OpenSSH?
Method 1: Add all known keys to the SSH agent.
So one solution I found is to run ssh-add with the -A option—which adds all known identities to the SSH agent using any passphrases stored in your keychain—like this:
ssh-add -A
Now this works but it won’t persist across reboots. So if you want to never worry about this again, just open up your user’s ~/.bash_profile file like this:
nano ~/.bash_profile
And add this line to the bottom:
ssh-add -A 2>/dev/null;
Now when you open a new Terminal window, all should be good!
Method 2: Add only SSH keys that are in the keychain to the agent.
So while the ssh-add -A option should work for most basic cases, I ran into an issue recently where I had 6-7 Vagrant boxes (which uses SSH keys/identities for access) setup on a machine on top of the more common id_rsa.pub in place.
Long story short, I ended up being locked out of a remote server due to too many failed tries based on SSH keys/identities since the server access was based on a password and SSH keys/identities are SSH keys/identities. So the SSH agent tried all of my SSH keys, failed and I couldn’t even get to the password prompt.
The problem is that ssh-add -A will just arbitrarily add every single SSH key/identity you have to the agent even if it’s not necessary to do so; such as in the case of Vagrant boxes.
My solution after much testing was as follows.
First, if you have more SSH keys/identities added to your agent than you need—as shown with ssh-add -l then purge them all from the agent like so:
ssh-add -D
With that done, then start the SSH agent as a background process like so:
eval "$(ssh-agent -s)"
Now, it gets weird and I am not too sure why. In some cases you can specifically add the ~/.ssh/id_rsa.pub key/identity to the agent like so:
ssh-add ~/.ssh/id_rsa.pub
Type in your passphrase, hit Return and you should be good to go.
But in other cases simply running this is enough to get the key/identity added:
ssh-add -K
If that’s all worked, type in ssh-add -l and you should see one lone SSH key/identity listed.
All good? Now open up your .bash_profile:
nano ~/.bash_profile
And add this line to the bottom; comment or remove the -A version if you have that in place:
ssh-add -K
That will allow the SSH key/identity to be reloaded to the SSH agent on each startup/reboot.
UPDATE 1: Based on davidalger’s answer I discovered a nicer, global solution that can work for all user’s on a system. Just open up the global SSH config located here via sudo:
sudo nano /etc/ssh/ssh_config
And add this line to the bottom of the file:
AddKeysToAgent yes
Did that—after removing the .bash_profile fix and all is good as well.
UPDATE 2: Apple has now added a UseKeychain option to the open SSH config options and considers ssh-add -A a solution as well.
As of macOS Sierra 10.12.2, Apple (I assume) has added a UseKeychain config option for SSH configs. Checking the man page (via man ssh_config) shows the following info:
UseKeychain
On macOS, specifies whether the system should search for
passphrases in the user's keychain when attempting to use a par-
ticular key. When the passphrase is provided by the user, this
option also specifies whether the passphrase should be stored
into the keychain once it has been verified to be correct. The
argument must be ``yes'' or ``no''. The default is ``no''.
Which boils down to Apple seeing the solution as either adding ssh-add -A to your .bash_profile as explained in this Open Radar ticket or adding UseKeychain as one of the options in a per user ~/.ssh/config.
Is this expected behavior from macOS Sierra or something connected to OpenSSH?
This is due to a new feature in OpenSSH 7.2 causing a change in behavior on the part of the SSH client. From the release notes:
ssh(1): Add an AddKeysToAgent client option which can be set to
'yes', 'no', 'ask', or 'confirm', and defaults to 'no'. When
enabled, a private key that is used during authentication will be
added to ssh-agent if it is running (with confirmation enabled if
set to 'confirm').
There were other interesting (security related) features introduced as well, although the release was considered mainly a bug fix release. This particular feature resulted in a default behavior change on OS X since it's default value is 'no' and OS X (I don't know about other clients) previously added keys to the agent as they were used.
So if you add the following to your ~/.ssh/config file (or the global ssh_config that should be located in /etc/ssh/ssh_config), keys will again be added to your agent as they are used.
AddKeysToAgent yes
This one-liner makes it pretty easy:
echo "AddKeysToAgent yes" >> ~/.ssh/config
After doing this, I was able to achieve the expected behavior:
$ ssh-add -l
The agent has no identities.
$ ssh -T git#bitbucket.org
logged in as davidalger.
You can use git or hg to connect to Bitbucket. Shell access is disabled.
$ ssh-add -l
2048 SHA256:<snip> (RSA)
This help me to resolve the issue on MacOS Serra:
eval $(ssh-agent -s)
ssh-add ~/.ssh/id_rsa_file
Related
Recently I had to get my hard drive replaced on my work machine and thus had to reconfigure everything. As a result I had to reinstall git bash. Before I was able to ssh fine into wpengine and now I cannot.
I am able to connect via the regular windows terminal fine but when I try with git bash I am getting the "Permission denied (publickey)." error for the same exact command.
I have tried all the suggested options from wpengine and in the different questions related to this on other SE questions and nothing is working.
I am using a Windows machine on windows 10.
Here are the following things I have tried:
Regenerating the key and adding it to my user public keys again and
then waiting 24 hours.
Adding the config details to the ssh_config file in C:\Program
Files\Git\etc\ssh
Adding a config file to my /User/username/.ssh/ folder.
I have tried using the following link and adding the wpengine rsa file: https://gist.github.com/jherax/979d052ad5759845028e6742d4e2343b as well.
Any and all help would be appreciated.
My guess is there is some kind of permissions issue going on the local machine?
Why would the request from git bash terminal to wpengine look different from windows command terminal?
I did solve my issue. If it helps you please use it!
When I used the command to the ssh host with : ssh -v user#environment.wpengine.ssh.net info
I got back this among the debug errors:
debug1: Offering public key: /c/Users/USERNAME/.ssh/KEY_FILENAME RSA XXXXXXXXXXXXXXXXXXXXX explicit
debug1: send_pubkey_test: no mutual signature algorithm
debug1: No more authentication methods to try.
user#environment.ssh.wpengine.net: Permission denied (publickey).
After finding this page:
https://transang.me/ssh-handshake-is-rejected-with-no-mutual-signature-algorithm-error/
I was able to solve the issue by adding the line:
PubkeyAcceptedAlgorithms +ssh-rsa to my ssh config file.
Honestly I am not even 10% certain on WHY this worked, however, it solved my problem.
How To Connect with SSH In WPEngine
If you are having trouble connecting to SSH in WPEngine Following are the commands which I used:
ssh-keygen -t rsa -b 4096 -f c:/users//.ssh/wpengine_rsa
Add Fingerprint in WPEngine My Profile – SSH
Add Config file
Host *.ssh.wpengine.net
IdentityFile ~/.ssh/wpengine_rsa
IdentitiesOnly yes
Connect with your wordpress website (windows command prompt)
ssh environment#environment.ssh.wpengine.net
I do some development work for a friend, who runs his own Linux git server. Everything worked until he decided to harden his server. He decided 1024-bit keys weren't good enough, so I sent him a new 4096-bit public key.
Now I can no longer access the repository from Windows.
The repository url is ssh://git#1.2.3.4:2000/home/git/code.git (IP address changed to protect the innocent). Note that ssh runs on port 2000.
Trying to clone the repo from TortoiseGit gives "Server refused our key" in the git window, and "No supported authentication methods available (server sent: publickey, gssapi-keyex,gssapi-with-mic)" in an error dialog.
Trying from Git for Windows bash gives "fatal: Could not read from remote repository. Please make sure you have the correct access rights and the repository exists."
However, I can happily clone the same repo from a Linux VM running on the same machine, using the same key pair.
I have updated both Git for Windows and TortoiseGit with the latest version today.
[Later] I can actually log into the server from Putty and from Git bash:
$ ssh-agent bash
MINGW64 /e/folder
$ ssh-add rsa4096
Identity added: rsa4096 (rsa4096)
MINGW64 /e/folder
$ ssh -p 2000 git#1.2.3.4
Last login: Fri Jan 8 17:11:32 2021 from my.local.machine
(Ip addresses and machine names changed)
I can also login using "C:\Program Files\TortoiseGit\bin\TortoiseGitPlink.exe" -P 2000 (the GIT_SSH variable is set to C:\Program Files\TortoiseGit\bin\TortoiseGitPlink.exe)
Not sure what to try now - help!
I'm trying to pass from Putty/Pagent/plink to Windows OpenSSH native client.
I already managed to do this in TortoiseGit, but with the main problem with VSCode seem to be I can't set which ssh agent to use.
I enabled the OpenSSH agent service on Windows to start automatically and added my open ssh key with ssh-add.
Every time i try to push from VSCode all i got is an error message with
Git: FATAL ERROR: Disconnected: No supported authentication methods available (server sent: public key)
When trying to push from terminal I got also
Please make sure you have the correct access rights and the repository exists.
As already said, with TortoiseGit I have no problem at all, and the only differences are that in TortoiseGit I set the ssh-agent.
you might need to confirm your System environment variable GIT_SSH points to the ssh within Git: C:\Program Files\Git\usr\bin\ssh.exe
You may need to update your Windows OpenSSH. If you run ssh -V from a PowerShell window and see OpenSSH_for_Windows_7.7p1, this is probably the case. The instructions for upgrading are available in the Install Win32 OpenSSH Wiki.
General
VS Code uses the Windows version of OpenSSH.
The config file that you change in VS Code is located in /Users/<username>/.ssh/config
The default location/name of a key is at /Users/<username>/.ssh/id_rsa.
Example
Local: Windows 10 machine with VS Code and the very awesome Remote - SSH extension installed
Remote: Ubuntu, where I use git for development and need my private key available
Since the remote is shared, I want to use SSH agent forwarding and keep my private key(s) on my local machine
Config file:
Host mybox
HostName actual.ip.or.name.of.mybox.com
User myusername
IdentityFile ~/.ssh/id_rsa
ForwardAgent yes
PowerShell Commands (Run as Administrator)
Start-Service ssh-agent
ssh-add C:\Users\<username>\.ssh\id_rsa # private key to add
ssh-add -L # list keys added
Set-Service ssh-agent -StartupType Automatic # optional
I am trying to setup Ambari on single node cluster.
Ambari setup was done as root user
I tried all the post related to this , change the permission and did set up as permission
http://docs.hortonworks.com/HDPDocuments/Ambari-2.1.2.1/bk_Installing_HDP_AMB/content/_set_up_password-less_ssh.html
cd ~/.ssh
rm -rf /root/.ssh
ssh-keygen -t dsa
cat /root/.ssh/id_dsa.pub >> /root/.ssh/authorized_keys
cat /root/.ssh/authorized_keys
Copied the the Key from above line in Ambari while setting up cluster Step
ambari-server restart
When I try to Register and Confirm in lInstall Options I get below error
However I am able to do "ssh root#hadoop.maxsjohn.com without giving the password.
==========================
Creating target directory...
==========================
Command start time 2017-03-13 03:35:43
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
SSH command execution finished
host=hadoop.maxsjohn.com, exitcode=255
Command end time 2017-03-13 03:35:43
ERROR: Bootstrap of host hadoop.maxsjohn.com fails because previous action finished with non-zero exit code (255)
ERROR MESSAGE: Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
STDOUT:
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).[Error Message][1]
So, coming in a year later I got a very similar error but with a multiple host cluster. In case it helps, I found this error happens for the host running Ambari Server when the private key file chosen on the 'Install Options' page in the 'Cluster Install Wizard' is incorrect (in my case I re-created the keys but neglected to update Ambari). From the host OS perspective the passwordless SSH works just fine but Ambari fails to install the host until the corresponding SSH Private Key file is chosen.
I suspect the password cannot be blank. You need to set a password. If this is for your learning, i would suggest take a copy of VM from hortonworks site and use it. You don't have to go through the pain of installing and configuring. Here is the link
System: MacOS, standard Jenkins installation.
I can clone repository from my user. But Jenkins - can't neither from Git, not from GitHub (my key is added to Git and GitHub). I receive: "stderr: Host key verification failed."
I've copied my key into /Users/Shared/Jenkins/.ssh - but still no luck :( Maybe I've copied it to incorrect place?
Generate ssh key from Jenkins is not an option for me.
What am I doing wrong? Thanks in advance!
This is usually related to permissions, as Jenkins' process runs as user 'jenkins'.
See here: How to run jenkins as a different user -
especially the answers of Sagar and Peter Tran .
Cheers
Like the error says, the problem (at least first) is with host key verification. The first time you connect to an ssh server, ssh client will prompt you to check and accept the host key. (Of course no-one does that, so I don't know why it bothers...)
You could
sudo -u jenkins -i
and then
ssh git#github.com
and then reply to the prompt. Alternatively you can disable host key checking. Look up StrictHostKeyChecking in man ssh_config.