I have encrypted the AWS .pem file with ansible-vault to upload to GitHub. I'm running the playbook in Jenkins and it is failing with the error {"changed": false, "msg": "Failed to connect to the host via ssh: Permission denied (publickey).\r\n", "unreachable": true}. If I try to run the playbook manually it asks me to enter a passphrase which I haven't set. I'm running the playbook with --vault-password-file. I have set the permissions to 700 before running the playbook.
Any idea why ansible started asking for a passphrase after encrypting with ansible-vault and how to resolve this issue?
When ssh asks you to enter a passphrase and you know that the .pem file does not have an associated passphrase, it is normally an indication that ssh cannot interpret the file.
This might be because the format has been modified (eg strange linebreak characters) or it does not contain the expected header, key and footer.
Based upon your description, it would appear that ssh is trying to use the encrypted version of your file, which it cannot interpret. You will need to decrypt the file before using it with ssh.
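A pre-flight check for the situation described in this answer, added here as an example and not part of the original answer: it reads the first line of the key file and reports whether ssh can use it, whether it is still an ansible-vault ciphertext, or whether it is in some other unusable shape (a PuTTY .ppk, or CRLF line endings). The sample files are constructed and contain no real key material.

```shell
# Added example: classify a private-key file before handing it to ssh or
# ansible. Exit status:
#   0 = plain PEM/OpenSSH private key, usable by ssh
#   1 = still ansible-vault encrypted (run `ansible-vault decrypt` first)
#   2 = wrong format (PuTTY .ppk, CRLF line endings, or something else)
check_key_file() {
    f="$1"
    cr=$(printf '\r')
    raw=$(head -n 1 "$f")
    first=$(printf '%s' "$raw" | tr -d '\r')
    case "$first" in
        '$ANSIBLE_VAULT;'*)
            echo "$f: still encrypted with ansible-vault; ssh cannot parse it"
            return 1 ;;
        'PuTTY-User-Key-File-'*)
            echo "$f: PuTTY .ppk format; export an OpenSSH key with puttygen"
            return 2 ;;
        '-----BEGIN '*'PRIVATE KEY-----')
            case "$raw" in
                *"$cr"*)
                    echo "$f: PEM key with CRLF line endings; convert to LF"
                    return 2 ;;
            esac
            echo "$f: PEM private key"
            return 0 ;;
        *)
            echo "$f: unrecognised key format"
            return 2 ;;
    esac
}

# Constructed sample files (not real keys) so the check runs offline.
tmp=$(mktemp -d)
printf '%s\n' '$ANSIBLE_VAULT;1.1;AES256' '3632386264' > "$tmp/vaulted.pem"
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'MIIE' '-----END RSA PRIVATE KEY-----' > "$tmp/plain.pem"
printf '%s\r\n' '-----BEGIN RSA PRIVATE KEY-----' 'MIIE' '-----END RSA PRIVATE KEY-----' > "$tmp/crlf.pem"
for k in "$tmp"/*.pem; do check_key_file "$k" || true; done
```

Run it against the key file Jenkins actually passes to ssh; a return of 1 means the decrypt step is missing from the pipeline.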
I'm a bit confused.
I'm trying to use a github action to SSH into my ec2 instance and do a deploy. I have the key (from ec2 console) saved as a secret in github as such:
    - name: Install SSH key
      uses: shimataro/ssh-key-action@v2
      with:
        key: ${{ secrets.COBOTSSH }}
        name: id_rsa
        known_hosts: ${{ secrets.KNOWN_HOSTS }}
    - name: ssh
      run: ssh ${{ secrets.USERNAME }}@${{ secrets.KNOWN_HOSTS }}
Unfortunately I get:
Host key verification failed.
I've tried multiple SSH github action solutions, so I assume this is user error (shimataro is the gold standard). So I'm gonna be really specific as to what I did:
Went to keypairs
Created a new keypair and downloaded the pem file
Copied the entire text of the pem file into the secret COBOTSSH
Copied the DNS name of the EC2 instance into KNOWN_HOSTS (contrary to the variable name, it's just a single DNS entry)
Logged into the box using SSH on my putty terminal, and created a user called X and then put X into the USERNAME secret.
I assume this is erroring because it requires a password by default? But the error does not have any verbosity. How do I use the key from the EC2 console and still run commands like ssh-copy-id ?
Any line by line example of how to do this would be super appreciated - I am a linux noob.
As per the Q&A on the shimataro/ssh-key-action.
Host key verification failed.:
Set known_hosts parameter correctly (use ssh-keyscan command).
The KNOWN_HOSTS secret should reflect what a known_hosts file looks like. known_hosts files contain SSH fingerprints of remote servers you've connected to before. An entry in the known_hosts file for a remote server can look something like this on Windows (on Ubuntu Linux the IP looks like gibberish, perhaps it's encrypted too):
3.25.10.23 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNosdfwecYTItbmlzdHAyNAAAIbmlzdHAyNTYAAABBBAets0ZEyan6q5K1Z7fiMcqpLLjtSGaqn5kwec2vXCdLumKdtWmJexjc1Q8U43COnEiOyEI9HSHBYqm5E1Rog=
The error is because you copied the EC2 DNS into the KNOWN_HOSTS secret, which is not the correct format. The EC2 DNS looks something like:
ec2-3-5-30-213.ap-southeast-2.compute.amazonaws.com
To get the proper fingerprint you can open your known_hosts file in notepad. On Windows it's in C:\Users\{YourUserName}\.ssh and on Linux (Ubuntu) it's in \home\{YourUserName}\.ssh.
You might be able to identify the remote server entry by the IP address. It wasn't there on mine, so I opened a terminal (on windows or linux) and did ssh {YourRemoteServerUser}@{YourRemoteServerIP}. It shows a fingerprint in the prompt (ignore it) and asked if I wanted to connect to the host. Click 'Yes' and it will store the SSH fingerprint in the known_hosts file for your OS. Then I simply opened the file and copied the entry into KNOWN_HOSTS secret.
Note: shimataro outlines that using 'StrictHostKeyChecking=no' is not secure in most cases. See here.
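A check for the mistake this answer diagnoses, added here as an example and not part of the original answer: it confirms that a line destined for the KNOWN_HOSTS secret has the "host keytype base64key" shape of a real known_hosts entry, rather than being a bare EC2 DNS name. The gibberish-looking entries on Ubuntu are hashed hostnames (HashKnownHosts yes), not encryption, and the check accepts those too. The sample lines are constructed.

```shell
# Added example: validate one known_hosts line. Returns 0 if it looks like a
# genuine entry, 1 otherwise, and prints the reason.
validate_known_hosts_line() {
    line=$(printf '%s' "$1" | tr -d '\r')
    set -- $line   # split on whitespace: host, keytype, base64 key
    if [ "$#" -lt 3 ]; then
        echo "not a known_hosts entry: expected 'host keytype base64key', got $# field(s)"
        return 1
    fi
    host=$1; keytype=$2; key=$3
    case "$host" in
        '|1|'*) kind="hashed host (HashKnownHosts yes, the Ubuntu default)" ;;
        *)      kind="plain host" ;;
    esac
    case "$keytype" in
        ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) echo "unknown key type: $keytype"; return 1 ;;
    esac
    case "$key" in
        *[!A-Za-z0-9+/=]*) echo "key field is not base64: $key"; return 1 ;;
    esac
    echo "ok: $kind, $keytype key"
    return 0
}

# Constructed samples: the mistake from the question, then two valid shapes.
for sample in \
    'ec2-3-5-30-213.ap-southeast-2.compute.amazonaws.com' \
    '3.25.10.23 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNzaC1tbmlzdHAyNTY=' \
    '|1|c2FsdA==|aGFzaA== ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI'; do
    validate_known_hosts_line "$sample" || true
done
```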
I am very new to ansible.
I have managed to install it and set up the ec2.py file via the git and set up the IAM root user. But my question is I already have an ec2 instance online that uses a .pem file that Amazon has created. I use Windows and have created the relative .ppk file. When I try to ssh into that ec2 instance from another ec2 instance I see that via
cd ~/.ssh/ the files authorized_keys and known_hosts are created
but when I run ssh ubuntu@ec2-xx-xxx-xx-xxx.us-west-2....
I get a permission denied (publickey)
I examined the contents of the authorized_keys file and the ppk and pem file and it seems that the public key is stored in the authorized_keys file correctly and the user is correct.
Am I correct in thinking that I need to copy the private key into this file? (although I don't really want to) Or is it because I need a passphrase?
and in relation to ansible
How do I utilise this key to manage the host in the same VPC?
Edit (extra): I found out that the authorized_keys file is the file that contains the public key and fingerprint. When I edited the file I was no longer able to access the EC2 instance and it kept asking for a password and saying that the fingerprint had changed. So I guess that's why it's best practice to create an ssh-key on the ansible system and then import it into AWS.
If you can ssh to the host in question via putty with key.ppk file, then:
convert key.ppk back into key.pem
place key.pem somewhere onto the control host (where Ansible is installed)
define inventory (hosts file) for Ansible:
myserver ansible_host=ip-or-dns-of-your-server ansible_user=your-user ansible_ssh_private_key_file=path/to/key.pem
run ansible myserver -m ping to confirm connectivity
This way Ansible will try to connect to your server aliased myserver at ip-or-dns-of-your-server with your-user account using path/to/key.pem private key.
I'm trying to run a Spark cluster on AWS using https://github.com/amplab/spark-ec2.
I've generated a key and login credentials, and I'm using this command:
./spark-ec2 --key-pair=octavianKey4 --identity-file=credentials3.csv --region=eu-west-1 --zone=eu-west-1c launch my-instance-name
However, I keep getting this:
Warning: SSH connection error. (This could be temporary.)
Host: mec2-myHostNumber.eu-west-1.compute.amazonaws.com
SSH return code: 255
SSH output: Warning: Permanently added 'ec2-myHostNumber.eu-west-1.compute.amazonaws.com,myHostNumber' (ECDSA) to the list of known hosts.
Permission denied (publickey).
If I quit the console and then try to start the cluster again, I get this:
Setting up security groups...
Searching for existing cluster my-instance-name in region eu-west-1...
Found 1 master, 1 slave.
ERROR: There are already instances running in group my-instance-name-master or my-instance-name-slaves
The command is incorrect. Key pair name should be the one you mention in AWS. Identity file is .pem file associated. You can't ssh into a machine with AWS credentials (your csv file is credentials).
./spark-ec2 --key-pair=octavianKey4 --identity-file=octavianKey4.pem --region=eu-west-1 --zone=eu-west-1c launch my-instance-name
Can you add --resume to your spark-ec2 command and try? Your slave may not have the key. --resume will make sure it is transferred to the slave.
Running Spark on EC2
If one of your launches fails due to e.g. not having the right
permissions on your private key file, you can run launch with the
--resume option to restart the setup process on an existing cluster.
I'm trying to connect to my AWS Elastic Beanstalk EC2 instance using OpenSSH, which I have downloaded because I'm using Windows.
When running eb ssh I am greeted with the message: "Warning: Unprotected Key File! Permissions 0444 for '(key name)' are too open."
This is frustrating because I went into the .ssh folder and used chmod to set it to 0400, not 0444.
The key I am using was generated using the ssh tool, and I uploaded it to AWS and set it as the key pair so I know it's OpenSSH at fault here, rather than AWS.
I am then prompted to enter the key's passphrase, but doing so just displays the message again.
As a result of this, I cannot connect to the instance.
Does anybody know how I can fix this?
You can use Putty to connect to your server, here is the documentation instructing how to do this -
http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/putty.html
I have been trying to use Ansible over AWS.
I am using a ppk file to login to AWS. I want to use the same with Ansible.
This ppk file was extracted from the pem file which I got from AWS.
This is the command I am using.
ansible all -m ping -u ubuntu --private-key /opt/keys/privateKey.ppk
I get the following
Enter passphrase for key '/opt/keys/privateKey.ppk'
172.31.50.XX | FAILED => SSH Error: Permission denied (publickey).
while connecting to 172.31.50.XX:22
It is sometimes useful to re-run the command using -vvvv, which prints SSH debug output to help diagnose the issue.
I did not create the keys with a passphrase so I'm not sure why I am getting this error.
Ansible uses OpenSSH under the covers so you'll need to use the original pem file that AWS generated for you.