BUG: Passphrase protected ssh key not being loaded #1143

Closed
becizzz opened this Issue Aug 20, 2018 · 10 comments


becizzz commented Aug 20, 2018

Bug Report

Tell us about your setup

v3.0.0-beta17 on macOS High Sierra 10.13.6

Tell us about your .lando.yml

name: multisite
recipe: drupal8

compose:
  - compose.yml

config:
  webroot: web
  via: nginx
  php: '7.1'
  xdebug: true

tooling:
  build.sh:
    service: appserver
    description: Execute build.sh
    cmd:
      - ./build.sh
  codeception:
    service: appserver
    description: Run codeception
    cmd:
      - ./vendor/bin/codecept
  phpcs:
    service: appserver
    description: Run phpcs
    cmd:
      - ./vendor/bin/phpcs
  codesniff:
    service: appserver
    description: Run code sniffer with default config
    cmd:
      - ./vendor/bin/phpcs
      - "--standard=phpcs.xml"
  phpcbf:
    service: appserver
    description: Run phpcbf
    cmd:
      - ./vendor/bin/phpcbf
  codefix:
    service: appserver
    description: Run code autofix
    cmd:
      - ./vendor/bin/phpcbf
      - "--standard=phpcs.xml"
  theme-build:
    service: node
    description: Builds themes css files
    cmd: true
  sync.sh:
    service: appserver
    description: Execute sync.sh
    cmd:
      - ./sync.sh

services:  
  mailhog:
    type: mailhog
    hogfrom:
      - appserver
  
  appserver:
    ssl: true
    extras:
      - "/app/extras.sh"
    overrides:
      services:
        environment:
          WKV_SITE_ENV: lando

  elasticsearch:
    type: compose
    services:
      image: blacktop/elasticsearch:6.3
      command: /elastic-entrypoint.sh elasticsearch
      ports:
        - "9200:9200"

  kibana:
    type: compose
    services:
      image: blacktop/kibana:6.3
      environment:
        KIBANA_ELASTICSEARCH_URL: http://elasticsearch:9200
      ports:
      - "5601:5601"
      command: /docker-entrypoint.sh kibana

  node:
    type: node
    run:
      - cd $LANDO_MOUNT/web/themes/custom/defender/ && yarn install

  db_1:
    type: mariadb:10.1
    portforward: 32001
  db_2:
    type: mariadb:10.1
    portforward: 32002
  db_3:
    type: mariadb:10.1
    portforward: 32003
  db_4:
    type: mariadb:10.1
    portforward: 32004
  db_5:
    type: mariadb:10.1
    portforward: 32005
  db_6:
    type: mariadb:10.1
    portforward: 32006
  db_7:
    type: mariadb:10.1
    portforward: 32007

proxy:
  mailhog:
    - mail.lndo.site
  elasticsearch:
    - search.lndo.site:9200
  nginx:
    - site1.lndo.site
    - site2.lndo.site
    - site3.lndo.site
    - site4.lndo.site
    - site5.lndo.site
    - site6.lndo.site
    - site7.lndo.site
  kibana:
    - kibana.lndo.site:5601


events:
  post-start:
    appserver: cd $LANDO_MOUNT && composer install && ./vendor/bin/phpcs --config-set installed_paths /app/vendor/drupal/coder/coder_sniffer/
  post-theme-build:
    node: cd $LANDO_MOUNT/web/themes/custom/defender/ && npm run build

Tell us about the command you were running

# Edit the config
echo "loadPassphraseProtectedKeys: true" >> ~/.lando/config.yml

# Poweroff lando
lando poweroff

# Reboot an app
lando start

Tell us generally about your bug

I tried to use passphrase protected ssh keys. Set the global config according to documentation https://docs.devwithlando.io/config/ssh.html, but the ssh key in question is still not loaded.

Tell us more

My guess is that something from this old commit has been lost. Looks like the variable LANDO_LOAD_PP_KEYS is always false.

becizzz changed the title from "Passphrase protected ssh key not being loaded" to "BUG: Passphrase protected ssh key not being loaded" Aug 31, 2018

Contributor

tanc commented Sep 6, 2018

Thanks for reporting this, it is a problem I've come across as well. The documentation incorrectly states you need to set loadPassphraseProtectedKeys: true which does nothing at all and is never checked for in the codebase.

Instead the solution seems to be to set the LANDO_LOAD_PP_KEYS environment variable directly. You can do this in your global config (~/.lando/config.yml):

containerGlobalEnv:
  LANDO_LOAD_PP_KEYS: "true"

As there is no ssh agent you'll be asked for your passphrase every time you do something with that key.


kevinquillen commented Sep 21, 2018

Can confirm. The documented variable had no effect, my no-passphrase keys were loaded while the others are not.

When I add the above suggestion to my lando config.yml, I get this:

error: Looks like one of your build steps failed with [object Object]
warn: This **MAY** prevent your app from working
warn: Check for errors above, fix them, and try again

bwood commented Oct 23, 2018

$ lando version
v3.0.0-rc.1

This bug prevents me from using lando init github (unless I want to remove the passphrase from my key).

https://docs.devwithlando.io/config/config.html makes it sound like you can simply use

export LANDO_LOAD_PP_KEYS=true

but I also tried editing config.yml per tanc's comment.

Do you have to run lando poweroff after changing an env variable? Did that.

The variable is set:

$ lando config |grep PP
    "LANDO_LOAD_PP_KEYS": "true"

However my passphrased key still does not appear in the 'Using the following keys:' output when I run lando init github

I suspect the issue is this line in load-keys.sh:

   if ! grep -L ENCRYPTED $SSH_CANDIDATE &> /dev/null || [ "$LANDO_LOAD_PP_KEYS" == "true" ]; then

Perhaps another set of [] are needed on the left side of the ||...

I'm on MacOS 10.13.6 running bash 4.4.19(1)-release.


bwood commented Oct 29, 2018

I debugged the above further and found that load-keys.sh is working correctly. The problem is simply that $LANDO_LOAD_PP_KEYS is not set (despite setting it as described above) when that script runs.

> Do you have to run lando poweroff after changing an env variable? Did that.

I learned that this is not necessary.
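
The decision made by the load-keys.sh line quoted in the comments above, as an added example that is not code from the Lando project: it uses `grep -q` in place of `grep -L`, the function names are hypothetical, and the key files are constructed headers with no real key material. It shows that a key carrying the ENCRYPTED marker is skipped whenever LANDO_LOAD_PP_KEYS is not exactly "true" in the environment where the check runs.

```shell
#!/usr/bin/env bash
# Added example; should_load_key, make_sample_keys and selected_keys are
# hypothetical names, not functions from Lando's load-keys.sh.

# Return 0 when the key should be loaded, 1 when it should be skipped.
should_load_key() {
  candidate="$1"
  # Keys without the ENCRYPTED marker are always loaded.
  if ! grep -q ENCRYPTED "$candidate" 2>/dev/null; then
    return 0
  fi
  # Passphrase-protected keys are loaded only on explicit opt-in.
  [ "${LANDO_LOAD_PP_KEYS:-}" = "true" ]
}

# Constructed sample files: PEM-style headers only, no real key material.
make_sample_keys() {
  dir="$1"
  printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' \
    'Proc-Type: 4,ENCRYPTED' \
    'DEK-Info: AES-128-CBC,00000000000000000000000000000000' \
    '' 'Y29uc3RydWN0ZWQ=' '-----END RSA PRIVATE KEY-----' > "$dir/id_rsa_pp"
  printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' \
    'Y29uc3RydWN0ZWQ=' '-----END RSA PRIVATE KEY-----' > "$dir/id_rsa_plain"
}

# Print the sample keys that would be used for a given value of the variable.
selected_keys() {
  dir="$1"
  value="$2"
  out=""
  for key in "$dir/id_rsa_plain" "$dir/id_rsa_pp"; do
    # Subshell keeps the assignment from leaking into the caller.
    if ( LANDO_LOAD_PP_KEYS="$value"; should_load_key "$key" ); then
      out="$out${out:+ }$(basename "$key")"
    fi
  done
  printf '%s' "$out"
}

demo_dir="$(mktemp -d)"
make_sample_keys "$demo_dir"
echo "variable empty: $(selected_keys "$demo_dir" "")"
echo "variable true:  $(selected_keys "$demo_dir" "true")"
rm -rf "$demo_dir"
```

The text marker appears in legacy PEM and PKCS#8 encrypted keys; keys in the newer OpenSSH format record their cipher inside the base64 body, so a plain-text search for ENCRYPTED does not flag them.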

Contributor

tanc commented Oct 30, 2018

@bwood did you do a lando rebuild? Maybe even lando destroy and lando start. I think a rebuild is needed for the keys bit to re-run. I don't have a passphrase key myself and my colleague hasn't used Lando since I last tried this with success. Maybe things have changed, I'll try and test again.


bwood commented Oct 30, 2018

Hi @tanc. I am hitting this bug when I run lando init, the goal of which is to get a lando.yml file. I think I can’t use rebuild unless I already have a lando.yml file. Let me know if I’m missing something.

Contributor

tanc commented Oct 31, 2018

I've just been trying this out, here are my steps:

  1. Create a passphrase protected key
  2. Edit ~/.ssh/config.yml and add LANDO_LOAD_PP_KEYS = "true" as an additional global env var.
  3. Bring up a new Lando site
  4. Look at the logs for appserver (lando logs -s appserver) and confirm my passphrase protected key is used. This will look something like:
appserver_1       | Checking whether /user/.ssh/id_rsa_test is a private key...
appserver_1       | Checking whether /user/.ssh/id_rsa_test is formatted correctly...
...
appserver_1       | Ensuring permissions for /user/.ssh/id_rsa_test...
...
appserver_1       | Using the following keys: /user/.ssh/id_rsa_test ...

I was then able to specify that key when using ssh from inside a container with something like:

ssh -i /user/.ssh/id_rsa_test username@server.com

If this was my default key I wouldn't need the -i switch to specify the private key location.

I haven't tried using lando init github so I can't comment on that. I would imagine you could set up a LEMP server or whatever you need with lando init and a specific recipe or create your own .lando.yml file as you need.


trepmag commented Nov 27, 2018

I set up the LANDO_LOAD_PP_KEYS in ~/.lando/config.yml as follows:

containerGlobalEnv:
    LANDO_LOAD_PP_KEYS: "true"

Did a lando poweroff;build;start and now lando config returns the following:

{
  ...
  "loadPassphraseProtectedKeys": false,
  ...
  "containerGlobalEnv": {
    "LANDO_LOAD_PP_KEYS": "true"
  },
  ...
}

Now, within the container the /var/www/.ssh/ directory still doesn't hold my protected ssh keys...


trepmag commented Nov 28, 2018

In the meantime, and as an alternative, the following can be done in .lando to copy current host user specific key(s):

...
services:
  appserver:
    run:
      - "cp /user/.ssh/id_rsa ~/.ssh/"
...

pirog added this to the RC1 milestone Nov 28, 2018

pirog self-assigned this Nov 28, 2018

pirog modified the milestones: 3.0.0-rc.2, 3.0.0-rc.3 Jan 31, 2019

pirog added a commit that referenced this issue Feb 2, 2019

Member

pirog commented Feb 2, 2019

We are going to be loading passphrase protected keys by default now!

pirog closed this Feb 2, 2019