
Cannot use public key authentication #265

Closed
bitprophet opened this Issue August 18, 2011 · 12 comments

2 participants

Jeff Forcier fzx
Jeff Forcier
Owner

Description

Machine Fabric runs on: Windows 7

Machine I try to connect to: Ubuntu 10.04.1

I'm trying to use public key authentication with a freshly generated keypair.

This is my fabfile:

from fabric.api import *          # provides env, run, sudo and friends
from fabric.operations import *   # redundant with fabric.api, but harmless

env.hosts = ['user@host']                  # env.hosts is the host list (env.host is the current single host)
env.key_filename = r'S:\server.priv.ppk'   # private key handed to Paramiko; can also be given with -i

def ver():
    run('uname -a')

And this is what I see when I run it:

S:\Fabric>fab --show=debug ver
Using fabfile 'S:\Fabric\fabfile.py'
Commands to run: ver
[user@host] Executing task 'ver'
[user@host] run: /bin/bash -l -c "uname -a"
Please enter passphrase for private key:
Password for user@host [Enter for previous]:
Stopped.

I aborted when I was asked for the password.

When I point PuTTY to this private key and connect, typing my passphrase once incorrectly and once correctly, it looks like this:
Using username "user".
Authenticating with public key "rsa-key-20101205"
Passphrase for key "rsa-key-20101205":
Wrong passphrase
Authenticating with public key "rsa-key-20101205"
Passphrase for key "rsa-key-20101205":
Linux MyHostName 2.6.32-25-server #45-Ubuntu SMP Sat Oct 16 20:06:58 UTC 2010 x86_64 GNU/Linux
Ubuntu 10.04.1 LTS

Welcome to the Ubuntu Server!
* Documentation:  http://www.ubuntu.com/server/doc

Note that:

  • I cannot tell if it has picked up the right private key, because the path to the key is not displayed (PuTTY doesn't either), not even on debug. Can I turn this on?
  • I cannot tell if it has picked up the right private key, because the name of the key is not displayed (PuTTY does), not even on debug. Can I turn this on?
  • It doesn't say that my passphrase is invalid when I enter the wrong one intentionally (PuTTY does).
  • What it does is complain if the private key file is not accessible.

I tried to pass the path to the private key...

  • ... as a command line argument (-i)
  • ... in my code (env.key_filename = r'S:\server.priv.ppk')
  • ... in an rcfile (key_filename = S:\server.priv.ppk)

All have exactly the same effect, as described above.

I'm not really sure where to go from here. Is there any way to tell Fabric to display what it is trying to do and why it fails?


Originally submitted by Henrik Heimbuerger (hheimbuerger) on 2010-12-05 at 02:33pm EST

Relations

  • Related to #269: Improve display/debugging of key authentication mechanisms

Closed as Worksforme on 2010-12-30 at 02:25pm EST

Jeff Forcier
Owner

Jason R. Coombs (jaraco) posted:


I see your private key ends with .ppk. I think that's a PuTTY Private Key, and not an OpenSSH private key (probably what fabric/paramiko supports). You might try using PuTTYGen to export that key as an OpenSSH key, and see if that doesn't work for you.

I agree it would be a nice feature if fabric could indicate that a keyfile is invalid. It would be even better if it would automatically detect the key and convert it, or utilize plink on Windows clients.


on 2010-12-07 at 08:23pm EST

Jeff Forcier
Owner

Henrik Heimbuerger (hheimbuerger) posted:


Thanks for the tip. That key was indeed generated with PuTTYGen and I wasn't aware that there are different private key formats around. I'll give converting a try in the next days and get back to you.


on 2010-12-08 at 03:21am EST

Jeff Forcier
Owner

Jeff Forcier (bitprophet) posted:


I had the same thought as Jason (thanks!) -- typically when this comes up it's due to Paramiko simply skipping over key files it cannot understand/load. At some point we may try to see if Fabric can force Paramiko to be more explicit about that sort of thing (so that we can at least have debug output about such skips), but since it's mostly out of our control it hasn't been a high priority.

Please do report back with your findings!


on 2010-12-08 at 01:27pm EST
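Jason's guess (a PuTTY .ppk rather than an OpenSSH key) and Jeff's remark that Paramiko silently skips key files it cannot load suggest a pre-flight check. The following is an added example, not Fabric's or Paramiko's own code: it looks at the first line of each file named in env.key_filename and reports PuTTY-format, missing or unrecognised files instead of letting them be skipped. The sample file contents are constructed, and the advice strings are the editor's wording.

```python
import os, tempfile

PUTTY_MAGIC = "PuTTY-User-Key-File-"   # first line of every PuTTYgen .ppk (v2 and v3)
OPENSSH_MARKERS = (                     # first line of OpenSSH / PEM private keys
    "-----BEGIN RSA PRIVATE KEY-----",
    "-----BEGIN EC PRIVATE KEY-----",
    "-----BEGIN OPENSSH PRIVATE KEY-----",
)
ADVICE = {
    "putty": "PuTTY format: export it as an OpenSSH key with PuTTYgen",
    "missing": "file not found: check the path given to -i / env.key_filename",
    "unknown": "not a recognised private key header",
    "openssh": "OpenSSH format: Paramiko should be able to load it",
}

def classify_key_header(first_line):
    """Classify a key file from its first line only."""
    first_line = first_line.strip()
    if first_line.startswith(PUTTY_MAGIC):
        return "putty"
    if first_line in OPENSSH_MARKERS:
        return "openssh"
    return "unknown"

def check_key_filenames(key_filename):
    """Accept a str or list, like env.key_filename; return {path: (kind, advice)}."""
    paths = [key_filename] if isinstance(key_filename, str) else list(key_filename)
    report = {}
    for path in paths:
        if not os.path.isfile(path):
            kind = "missing"
        else:
            with open(path, "r", errors="replace") as fh:
                kind = classify_key_header(fh.readline())
        report[path] = (kind, ADVICE[kind])
    return report

def demo():
    """Write constructed sample headers to a temp dir and check them."""
    samples = {
        "server.priv.ppk": "PuTTY-User-Key-File-2: ssh-rsa\nEncryption: aes256-cbc\n",
        "server.priv.openssh": "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n",
        "notes.txt": "not a key at all\n",
    }
    tmp = tempfile.mkdtemp()
    for name, body in samples.items():
        with open(os.path.join(tmp, name), "w") as fh:
            fh.write(body)
    paths = [os.path.join(tmp, n) for n in samples] + [os.path.join(tmp, "missing.ppk")]
    return [kind for kind, _ in check_key_filenames(paths).values()]
```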

Jeff Forcier
Owner

Henrik Heimbuerger (hheimbuerger) posted:


You're right, it's the NOPASSWD not working properly, sorry.

I'll be away for a few days but I'll report back next week whether it has worked after fixing the sudo configuration issue.


on 2010-12-09 at 08:05pm EST

Jeff Forcier
Owner

Jeff Forcier (bitprophet) posted:


Hm, if you have NOPASSWD and you're 100% positive your key is working now, not sure why it's prompting. Try giving fab --debug <whatever> and it should print out exactly what sudo command it is running, which usually includes a specific prompt phrase flag, and a shell wrapper. Then you can try running that exact command by hand and see what it does, which may provide a clue.

I am guessing that either A) the sudo prompt detection is misfiring, or B) something in how Fab wraps/escapes/calls the command is invalidating your sudoers config and causing an actual sudo prompt to appear.


on 2010-12-09 at 07:14pm EST

Jeff Forcier
Owner

Henrik Heimbuerger (hheimbuerger) posted:


Indeed, that did it! Any chance I could convince you to add this to the docs? :) Preferably here: http://docs.fabfile.org/1.0a/usage/ssh.html

It even uses Pageant btw., so if I have that running, Fabric/Paramiko will not ask me for the private key passphrase either.

Thinking about it, I'm most worried about the name of the key not being displayed when the user is challenged. I'm new to all this stuff, but isn't it an important security feature to make sure the user enters the passphrase to that key, and not some (MitM supplied?) key?


I'm now stuck trying to replace the above run() with sudo().

def apt_get_update():
    sudo('apt-get update')

I have NOPASSWD in my sudoers file. On the shell:

Using username "user".
Authenticating with public key "rsa-key-20101205" from agent
Linux MyHostName 2.6.32-25-server #45-Ubuntu SMP Sat Oct 16 20:06:58 UTC 2010 x86_64 GNU/Linux
Ubuntu 10.04.1 LTS

Welcome to the Ubuntu Server!
* Documentation:  http://www.ubuntu.com/server/doc

Last login: Thu Dec  9 23:35:18 2010 from XXXXX
user@MyHostName:~$ sudo apt-get update
Hit http://security.ubuntu.com lucid-s
Ign http://security.ubuntu.com/ubuntu/ lucid-security/main Translation-en_US
[...]

No password required (and no passphrase, because Pageant ran in the background). However, Fabric asks for one. Without saying why, for what and who needs it.

S:\Fabric>fab apt_get_update
[user@host] Executing task 'apt_get_update'
[user@host] sudo: apt-get update
Password for user@host:

And again, I don't really have anything I could troubleshoot this with. Can you do some clairvoyant debugging again? :)


on 2010-12-09 at 06:34pm EST

Jeff Forcier
Owner

Henrik Heimbuerger (hheimbuerger) posted:


Seems like the NOPASSWD statement has to be at the end and it doesn't work for me for groups either. Anyway, I fixed it and I can sudo() now! Thanks for your help.

Up to you if you close this ticket now. I still think the key handling needs better display and documentation.


on 2010-12-18 at 08:56am EST
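Two things in this thread explain the unexpected sudo prompt: Henrik's finding that the NOPASSWD rule only works when it comes last, and Jeff's guess B that the shell wrapper Fabric puts around the command can stop a command-specific rule from matching. The block below is an added example, not Fabric's or sudo's code: a deliberately minimal model of sudoers matching (user/%group, ALL, NOPASSWD/PASSWD tags, last match wins) run over two constructed sudoers fragments. The exact wrapper string for sudo() is assumed to have the same /bin/bash -l -c shape the thread's debug output shows for run().

```python
import re

# One user-spec line:  who  host=(runas) [NOPASSWD:|PASSWD:] command
RULE_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?:(?P<tag>NOPASSWD|PASSWD):\s*)?(?P<cmd>.+)$"
)

def parse_sudoers(text):
    """Keep only user-spec lines; skip comments, blanks and Defaults."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line and not line.startswith("Defaults"):
            if m := RULE_RE.match(line):
                rules.append(m.groupdict())
    return rules

def password_required(rules, user, groups, command):
    """sudoers evaluates every matching rule in file order and the LAST match
    decides; an untagged rule means the default, PASSWD.  Returns True (prompt),
    False (no prompt) or None (no rule matched at all)."""
    decision = None
    for r in rules:
        who = r["who"]
        who_ok = who in (user, "ALL") or (who.startswith("%") and who[1:] in groups)
        cmd = r["cmd"].strip()
        cmd_ok = cmd == "ALL" or command.split()[0] == cmd   # match on the program only
        if who_ok and cmd_ok:
            decision = r["tag"] != "NOPASSWD"
    return decision

# Constructed sudoers fragments: identical rules, only the order differs.
NOPASSWD_FIRST = """\
user   ALL=(ALL) NOPASSWD: /usr/bin/apt-get
%admin ALL=(ALL) ALL
"""
NOPASSWD_LAST = """\
%admin ALL=(ALL) ALL
user   ALL=(ALL) NOPASSWD: /usr/bin/apt-get
"""

def demo():
    """Same user (member of admin) and same intent; only order and wrapping differ."""
    plain = "/usr/bin/apt-get update"
    # Assumed shape of what Fabric's sudo() hands to sudo: the /bin/bash -l -c
    # wrapper, so the program sudo matches against is bash, not apt-get.
    wrapped = '/bin/bash -l -c "apt-get update"'
    first, last = parse_sudoers(NOPASSWD_FIRST), parse_sudoers(NOPASSWD_LAST)
    return (password_required(first, "user", ["admin"], plain),
            password_required(last, "user", ["admin"], plain),
            password_required(last, "user", ["admin"], wrapped))
```

The result is (True, False, True): the NOPASSWD rule is overridden by a later %admin rule, works when placed last, and is bypassed again once the command arrives wrapped in a shell, which is why a blanket rule or one written for the wrapper is what Fabric's sudo() actually exercises.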

Jeff Forcier
Owner

Jeff Forcier (bitprophet) posted:


Closing this as worksforme, but I did make a new ticket for the 'try to make key usage more visible' issue: #269.


on 2010-12-29 at 03:04pm EST

Jeff Forcier
Owner

Henrik Heimbuerger (hheimbuerger) posted:


That literally worksforme. ;) I'm now watching that other issue, thanks.


on 2010-12-30 at 02:25pm EST

Jeff Forcier bitprophet closed this August 18, 2011
fzx

I still have this problem, and the problems are:
(1) The error says this:
Fatal error: Timed out trying to connect to 61.147.69.91
Aborting

(2) When the key file name is invalid, fab does not complain!

Jeff Forcier
Owner

Timeouts are a totally separate problem and are usually not Fabric's fault. If you can SSH to the IP in question, perhaps check to see if the problem is IPv6 vs IPv4.

Invalid key filenames are an ongoing issue, see #269 and related tickets :)

fzx

@bitprophet, thank you for your help. I can SSH to the IP; after disabling its IPv6 protocol, the problem still exists. I want to use fabric, but this problem is very annoying.
