cf ssh error message for insufficient rights

[mcelep]

Hi,

The CF CLI is generating a misleading error message for users with an AUDITOR role, when trying to connect via ssh to a diego app.

$ cf ssh someapp
FAILED
Error opening SSH connection: ssh: handshake failed: ssh: unable to authenticate, attempted methods [none password], no supported methods remain

I would expect to see a more meaningful message, e.g. "not authorized".

BR,
Murat

[cf-gitbot]

We have created an issue in Pivotal Tracker to manage this. You can view the current status of your issue at: https://www.pivotaltracker.com/story/show/112506119.

[dkoper]

Hi Murat,

Thank you for reporting this. I have handed over the linked tracker story to the Diego team, who will first take a look at it and see if they can return a better message for the CLI to display.

Cheers,
Dies Koper
CF CLI PM

[mcelep]

Hey Dies,

I see from the pivotal tracker that there was no progress on this issue. Can you please ask the Diego team again?

Cheers,
Murat Celep

[dkoper]

Hi @mcelep

Thanks for following up. Diego team investigated and concluded they are not able to improve the message that is returned to the CLI. So we will look at catching that message and improving it on the CLI side.
Rather than replacing the error message, how would you feel about an added tip (as done in e.g. https://www.pivotaltracker.com/story/show/86356180) so the original message details remain available?

$ cf ssh someapp
FAILED
Error opening SSH connection: ssh: handshake failed: ssh: unable to authenticate, attempted methods [none password], no supported methods remain
TIP: You may encounter this error if you lack the SpaceManager role for the space of this app.

Regards,
Dies Koper
CF CLI PM

[prakash1991]

Hi,
I am trying to deploy to AWS and everything goes fine until the " Waiting for the agent on VM.." step has to happen.
I am able to ssh into the instance using ssh -i bosh.pem vcap@ip
But i am getting an error similar to the one above.
=======My Output======
Command 'deploy' failed:
Deploying:
Creating instance 'bosh/0':
Waiting until instance is ready:
Starting SSH tunnel:
Failed to connect to remote server:
ssh: handshake failed: ssh: unable to authenticate, attempted methods [none publickey], no supported methods remain

Any help would be appreciated.Thanks in advance.

Regards,
Prakash

[cloudlena]

Thanks for your suggestion, @dkoper! I replaced @mcelep in his role and am therefore taking over from our side. The tip sounds like a good idea! However, it should say You may encounter this error if you lack the SpaceDeveloper role for the space of this app. (instead of SpaceManager).

[cloudlena]

@dkoper, can we therefore take

$ cf ssh someapp
FAILED
Error opening SSH connection: ssh: handshake failed: ssh: unable to authenticate, attempted methods [none password], no supported methods remain
TIP: You may encounter this error if you lack the SpaceDeveloper role for the space of this app.

as the solution to go for?

[dkoper]

@mastertinner We addressed this in v3-ssh by changing the output to:

Error opening SSH connection: You are not authorized to perform the requested action

This message (not authorized...) is the message you get with most commands when you do not have the right role. The issue with the (more user friendly) approach of mentioning the required role in the output is that there is currently a Fine-grained Permissions project working on breaking down the roles so the rolename may actually confuse users soon.
Once we refactor ssh (on our to do list, but many higher priority stories above it), I'd like to port the message improvements we've applied in v3-ssh.

[skarian92]

Try restarting the app, if u have just enabled ssh for the app

[abbyachau]

Hi everyone, thank you for your feedback and comments. We no longer plan on refactoring cf ssh on V6 CLI. We plan on devoting resources to building out the V3 CAPI/V7 CLI instead and so no longer plan on doing any major rewrites on V6. We can look into how feasible it would be for us to add a TIP to V6 cf ssh but are advising users to use v3-ssh instead if possible. Thanks and please let us know if you have any feedback.

[NagaTheDon]

Try restarting the app, if u have just enabled ssh for the app

Thanks! It worked after

• Making sure you have the SpaceManager role: cf set-space-role <username> <org_name> <space_name> SpaceManager
• Enabling the ssh on the app using cf enable-ssh APP_NAME
• Restart the app using cf restart APP_NAME