Avoid the codeserver.drush.in password prompt?

[jodriscoll]

Not necessarily a bug report?

Issue description
I'm unable to figure out why one of my machines require the codeserver drush passphrase and the other does not. I've tracked down that both machines are using the same terminus machine token and both sshkeys that are defined in the lando config are added to Pantheon as valid keys.

Am I missing something in the configuration process in understanding why one is machine behaves differently than the other?

Tell us about your setup
OSx 10.13.3
v3.0.0-beta.37

Tell us about your .lando.yml

Not applicable?

Tell us about the command you were running

lando pull & lando push

Tell us about the error you got

Being prompted multiple times for a passphase at each step of a pull/push; codeserver.dev.xxxxxxx.drush.in's password:

Tell us generally about your bug
Same configuration on two machines, but one requires a password and the other doesn't.

Additional findings
Part 1: Verify the sshkey does not require a passphrase
Findings: Based on the following link, the key referenced for lando does not have a passkey required

---

Part 2: Viewing lando logs for an app

> lando logs -s appserver

# non-passphrase prompt machine
Attaching to [redacted]_appserver_1
appserver_1  | Making sure correct user exists...
appserver_1  | 33
appserver_1  | Scanning /user/.ssh for keys...
appserver_1  | Scanning /lando/keys for keys...
appserver_1  | Checking whether /user/.ssh/known_hosts2 is a private key...
appserver_1  | Checking whether /user/.ssh/id_rsa is a private key...
appserver_1  | Checking whether /user/.ssh/id_rsa is formatted correctly...
appserver_1  | Checking whether /user/.ssh/github_rsa is a private key...
appserver_1  | Checking whether /lando/keys/pantheon.lando.id_rsa is a private key...
appserver_1  | Checking whether /lando/keys/pantheon.lando.id_rsa is formatted correctly...
appserver_1  | Ensuring permissions for /user/.ssh/id_rsa...
appserver_1  | Ensuring permissions for /lando/keys/pantheon.lando.id_rsa...
appserver_1  | Using the following keys: /user/.ssh/id_rsa /lando/keys/pantheon.lando.id_rsa
appserver_1  | Running command docker-php-entrypoint php-fpm
appserver_1  | [23-Mar-2018 15:10:02] NOTICE: fpm is running, pid 78
appserver_1  | [23-Mar-2018 15:10:02] NOTICE: ready to handle connections
appserver_1  | 172.23.0.6 -  23/Mar/2018:15:11:11 +0000 "GET /index.php" 200
appserver_1  | 172.23.0.6 -  23/Mar/2018:15:11:11 +0000 "GET /index.php" 200
appserver_1  | 172.23.0.6 -  23/Mar/2018:15:11:11 +0000 "GET /index.php" 200
appserver_1  | 172.23.0.6 -  23/Mar/2018:15:11:12 +0000 "GET /index.php" 200
appserver_1  | 172.23.0.6 -  23/Mar/2018:15:12:37 +0000 "GET /index.php" 200
appserver_1  | 172.23.0.6 -  23/Mar/2018:15:12:37 +0000 "GET /index.php" 200
appserver_1  | 172.23.0.6 -  23/Mar/2018:15:12:37 +0000 "GET /index.php" 200
appserver_1  | 172.23.0.6 -  23/Mar/2018:15:12:37 +0000 "GET /index.php" 200
appserver_1  | Making sure correct user exists...
appserver_1  | 33
appserver_1  | Scanning /user/.ssh for keys...
appserver_1  | Scanning /lando/keys for keys...
appserver_1  | Checking whether /user/.ssh/known_hosts2 is a private key...
appserver_1  | Checking whether /user/.ssh/id_rsa is a private key...
appserver_1  | Checking whether /user/.ssh/id_rsa is formatted correctly...
appserver_1  | Checking whether /user/.ssh/github_rsa is a private key...
appserver_1  | Checking whether /lando/keys/pantheon.lando.id_rsa is a private key...
appserver_1  | Checking whether /lando/keys/pantheon.lando.id_rsa is formatted correctly...
appserver_1  | Ensuring permissions for /user/.ssh/id_rsa...
appserver_1  | Ensuring permissions for /lando/keys/pantheon.lando.id_rsa...
appserver_1  | Using the following keys: /user/.ssh/id_rsa /lando/keys/pantheon.lando.id_rsa
appserver_1  | Running command docker-php-entrypoint php-fpm
appserver_1  | [23-Mar-2018 15:25:09] NOTICE: fpm is running, pid 78
appserver_1  | [23-Mar-2018 15:25:09] NOTICE: ready to handle connections
appserver_1  | 172.23.0.6 -  23/Mar/2018:15:25:18 +0000 "GET /index.php" 200
appserver_1  | 172.23.0.6 -  23/Mar/2018:15:25:33 +0000 "GET /index.php" 200
appserver_1  | 172.23.0.6 -  23/Mar/2018:15:25:33 +0000 "GET /index.php" 200
appserver_1  | 172.23.0.6 -  23/Mar/2018:15:25:18 +0000 "GET /index.php" 200

# passphrase prompt machine
Attaching to [redacted]_appserver_1
appserver_1  | Making sure correct user exists...
appserver_1  | 33
appserver_1  | chown: changing ownership of '/user/.ssh/config': Operation not permitted
appserver_1  | Scanning /user/.ssh for keys...
appserver_1  | chown: changing ownership of '/user/.ssh/config': Operation not permitted
appserver_1  | Running command docker-php-entrypoint php-fpm
appserver_1  | [23-Mar-2018 16:05:47] NOTICE: fpm is running, pid 57
appserver_1  | [23-Mar-2018 16:05:47] NOTICE: ready to handle connections

Findings: Permissions for the ~/.ssh/config were not permitted

---

Part 3: Viewing the permission of the ~/.ssh/ contents

> lando ssh -c "ls -lsa /user/.ssh"
total 28
 0 drwxrwxr-x  6 www-data www-data   192 Mar 12 14:25 .
 0 drwxrwxr-x 70 root     root      2240 Mar 23 16:04 ..
 4 -rwx------  1 www-data www-data   171 Mar 12 14:26 config
 4 -rwx------  1 www-data www-data  3243 Sep  1  2017 id_rsa
 4 -rwxrwxr-x  1 www-data www-data   750 Sep  1  2017 id_rsa.pub
16 -rwxrwxr-x  1 www-data www-data 15314 Mar 22 15:58 known_hosts

Findings: Permissions appear correct for the app container.

---

Part 4: List all the files in the /var/www/.ssh/ directory of the appserver

> lando ssh -c "ls -lsa /var/www/.ssh"
total 8
4 drwxr-xr-x 2 www-data www-data 4096 Mar 23 16:05 .
4 drwxr-xr-x 1 www-data www-data 4096 Mar 23 16:05 ..
0 lrwxrwxrwx 1 www-data www-data   22 Mar 23 16:05 known_hosts -> /user/.ssh/known_hosts

Findings: Symlink appears to be correct on the appserver

---

Part 5: Listing the contents of ~/.ssh/ with user permissions shown

> ls -lsa ~/.ssh

# non-passphrase prompt machine
total 32
0 drwx------@  6 user1  staff   192 Mar 23 11:30 .
0 drwxr-xr-x+ 51 user1  staff  1632 Mar  4 16:17 ..
8 -rw-------@  1 user1  staff  1766 May 26  2014 github_rsa
8 -rw-r--r--@  1 user1  staff   403 May 26  2014 github_rsa.pub
8 -rwx------@  1 user1  staff  1679 Nov  5  2016 id_rsa
8 -rw-r--r--@  1 user1  staff   392 Nov  5  2016 id_rsa.pub

# passphrase prompt machine
total 56
 0 drwxrwxr-x@  6 user2  staff    192 Mar 12 10:25 .
 0 drwxrwxr-x+ 70 user2  staff   2240 Mar 23 12:04 ..
 8 -rwx------   1 700    staff    171 Mar 12 10:26 config
 8 -rwx------@  1 user2  staff   3243 Sep  1  2017 id_rsa
 8 -rwxrwxr-x@  1 user2  staff    750 Sep  1  2017 id_rsa.pub
32 -rwxrwxr-x@  1 user2  staff  15314 Mar 22 11:58 known_hosts

Findings: The machine that is persistently prompting for a passphrase has a config document, whereas the machine that is not, does not contain one.

[jodriscoll]

I'm going to close this as @pirog is helping through slack and it technically isn't an "issue" :)

[jodriscoll]

Contents of the ~/.ssh/config document from the machine with the password prompt.

Host *
  AddKeysToAgent yes
  UseKeychain yes

Host github.com
  HostName github.com
  User [redacted]
  AddKeysToAgent yes
  UseKeychain yes
  IdentityFile ~/.ssh/id_rsa

[twfahey1]

I was running into this issue, and for my case, I finally found a solution - The issue for me was my SSH key was password protected. I had to enable the global "Load PP protected ssh keys" config in my config.yml per the instructions here. Once I did that, and rebuild my app, my container properly forwarded the PP ssh key, and unfortunately still have to type my PW every time I pull since there is no SSH agent, but at least the pull is now possible.

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions and please check out this if you are wondering why we auto close issues.

[beto-aveiga]

Sometimes it is a thing of permissions. I was running lando pull which, in my Lando config pulls only the DB from live, and I was getting the password prompt.

Then I tried to pull from dev environment and it worked.

It took me hours to figure it out because I have permissions to access DB backups from Live environment, but I don't have access to the Live database, which is odd at least.

So, check with the Administrator of the hosting account (Pantheon in my particular case) what permissions you have on your account, what is your role, and also try pulling from different environments, that might give you a hint of what is happening.