Avoid the codeserver.drush.in password prompt? #808

Closed
jodriscoll opened this Issue Mar 23, 2018 · 4 comments


jodriscoll commented Mar 23, 2018

Not necessarily a bug report?

Issue description
I'm unable to figure out why one of my machines requires the codeserver drush passphrase and the other does not. I've tracked down that both machines are using the same terminus machine token and both sshkeys that are defined in the lando config are added to Pantheon as valid keys.

Am I missing something in the configuration process in understanding why one machine behaves differently than the other?

Tell us about your setup
OSx 10.13.3
v3.0.0-beta.37

Tell us about your .lando.yml

Not applicable?

Tell us about the command you were running

lando pull & lando push

Tell us about the error you got

Being prompted multiple times for a passphrase at each step of a pull/push; codeserver.dev.xxxxxxx.drush.in's password:

Tell us generally about your bug
Same configuration on two machines, but one requires a password and the other doesn't.

Additional findings
Part 1: Verify the sshkey does not require a passphrase
Findings: Based on the following link, the key referenced for lando does not have a passkey required


Part 2: Viewing lando logs for an app

> lando logs -s appserver

# non-passphrase prompt machine
Attaching to [redacted]_appserver_1
appserver_1  | Making sure correct user exists...
appserver_1  | 33
appserver_1  | Scanning /user/.ssh for keys...
appserver_1  | Scanning /lando/keys for keys...
appserver_1  | Checking whether /user/.ssh/known_hosts2 is a private key...
appserver_1  | Checking whether /user/.ssh/id_rsa is a private key...
appserver_1  | Checking whether /user/.ssh/id_rsa is formatted correctly...
appserver_1  | Checking whether /user/.ssh/github_rsa is a private key...
appserver_1  | Checking whether /lando/keys/pantheon.lando.id_rsa is a private key...
appserver_1  | Checking whether /lando/keys/pantheon.lando.id_rsa is formatted correctly...
appserver_1  | Ensuring permissions for /user/.ssh/id_rsa...
appserver_1  | Ensuring permissions for /lando/keys/pantheon.lando.id_rsa...
appserver_1  | Using the following keys: /user/.ssh/id_rsa /lando/keys/pantheon.lando.id_rsa
appserver_1  | Running command docker-php-entrypoint php-fpm
appserver_1  | [23-Mar-2018 15:10:02] NOTICE: fpm is running, pid 78
appserver_1  | [23-Mar-2018 15:10:02] NOTICE: ready to handle connections
appserver_1  | 172.23.0.6 -  23/Mar/2018:15:11:11 +0000 "GET /index.php" 200
appserver_1  | 172.23.0.6 -  23/Mar/2018:15:11:11 +0000 "GET /index.php" 200
appserver_1  | 172.23.0.6 -  23/Mar/2018:15:11:11 +0000 "GET /index.php" 200
appserver_1  | 172.23.0.6 -  23/Mar/2018:15:11:12 +0000 "GET /index.php" 200
appserver_1  | 172.23.0.6 -  23/Mar/2018:15:12:37 +0000 "GET /index.php" 200
appserver_1  | 172.23.0.6 -  23/Mar/2018:15:12:37 +0000 "GET /index.php" 200
appserver_1  | 172.23.0.6 -  23/Mar/2018:15:12:37 +0000 "GET /index.php" 200
appserver_1  | 172.23.0.6 -  23/Mar/2018:15:12:37 +0000 "GET /index.php" 200
appserver_1  | Making sure correct user exists...
appserver_1  | 33
appserver_1  | Scanning /user/.ssh for keys...
appserver_1  | Scanning /lando/keys for keys...
appserver_1  | Checking whether /user/.ssh/known_hosts2 is a private key...
appserver_1  | Checking whether /user/.ssh/id_rsa is a private key...
appserver_1  | Checking whether /user/.ssh/id_rsa is formatted correctly...
appserver_1  | Checking whether /user/.ssh/github_rsa is a private key...
appserver_1  | Checking whether /lando/keys/pantheon.lando.id_rsa is a private key...
appserver_1  | Checking whether /lando/keys/pantheon.lando.id_rsa is formatted correctly...
appserver_1  | Ensuring permissions for /user/.ssh/id_rsa...
appserver_1  | Ensuring permissions for /lando/keys/pantheon.lando.id_rsa...
appserver_1  | Using the following keys: /user/.ssh/id_rsa /lando/keys/pantheon.lando.id_rsa
appserver_1  | Running command docker-php-entrypoint php-fpm
appserver_1  | [23-Mar-2018 15:25:09] NOTICE: fpm is running, pid 78
appserver_1  | [23-Mar-2018 15:25:09] NOTICE: ready to handle connections
appserver_1  | 172.23.0.6 -  23/Mar/2018:15:25:18 +0000 "GET /index.php" 200
appserver_1  | 172.23.0.6 -  23/Mar/2018:15:25:33 +0000 "GET /index.php" 200
appserver_1  | 172.23.0.6 -  23/Mar/2018:15:25:33 +0000 "GET /index.php" 200
appserver_1  | 172.23.0.6 -  23/Mar/2018:15:25:18 +0000 "GET /index.php" 200

# passphrase prompt machine
Attaching to [redacted]_appserver_1
appserver_1  | Making sure correct user exists...
appserver_1  | 33
appserver_1  | chown: changing ownership of '/user/.ssh/config': Operation not permitted
appserver_1  | Scanning /user/.ssh for keys...
appserver_1  | chown: changing ownership of '/user/.ssh/config': Operation not permitted
appserver_1  | Running command docker-php-entrypoint php-fpm
appserver_1  | [23-Mar-2018 16:05:47] NOTICE: fpm is running, pid 57
appserver_1  | [23-Mar-2018 16:05:47] NOTICE: ready to handle connections

Findings: Permissions for the ~/.ssh/config were not permitted


Part 3: Viewing the permission of the ~/.ssh/ contents

> lando ssh -c "ls -lsa /user/.ssh"
total 28
 0 drwxrwxr-x  6 www-data www-data   192 Mar 12 14:25 .
 0 drwxrwxr-x 70 root     root      2240 Mar 23 16:04 ..
 4 -rwx------  1 www-data www-data   171 Mar 12 14:26 config
 4 -rwx------  1 www-data www-data  3243 Sep  1  2017 id_rsa
 4 -rwxrwxr-x  1 www-data www-data   750 Sep  1  2017 id_rsa.pub
16 -rwxrwxr-x  1 www-data www-data 15314 Mar 22 15:58 known_hosts

Findings: Permissions appear correct for the app container.


Part 4: List all the files in the /var/www/.ssh/ directory of the appserver

> lando ssh -c "ls -lsa /var/www/.ssh"
total 8
4 drwxr-xr-x 2 www-data www-data 4096 Mar 23 16:05 .
4 drwxr-xr-x 1 www-data www-data 4096 Mar 23 16:05 ..
0 lrwxrwxrwx 1 www-data www-data   22 Mar 23 16:05 known_hosts -> /user/.ssh/known_hosts

Findings: Symlink appears to be correct on the appserver


Part 5: Listing the contents of ~/.ssh/ with user permissions shown

> ls -lsa ~/.ssh

# non-passphrase prompt machine
total 32
0 drwx------@  6 user1  staff   192 Mar 23 11:30 .
0 drwxr-xr-x+ 51 user1  staff  1632 Mar  4 16:17 ..
8 -rw-------@  1 user1  staff  1766 May 26  2014 github_rsa
8 -rw-r--r--@  1 user1  staff   403 May 26  2014 github_rsa.pub
8 -rwx------@  1 user1  staff  1679 Nov  5  2016 id_rsa
8 -rw-r--r--@  1 user1  staff   392 Nov  5  2016 id_rsa.pub

# passphrase prompt machine
total 56
 0 drwxrwxr-x@  6 user2  staff    192 Mar 12 10:25 .
 0 drwxrwxr-x+ 70 user2  staff   2240 Mar 23 12:04 ..
 8 -rwx------   1 700    staff    171 Mar 12 10:26 config
 8 -rwx------@  1 user2  staff   3243 Sep  1  2017 id_rsa
 8 -rwxrwxr-x@  1 user2  staff    750 Sep  1  2017 id_rsa.pub
32 -rwxrwxr-x@  1 user2  staff  15314 Mar 22 11:58 known_hosts

Findings: The machine that is persistently prompting for a passphrase has a config document, whereas the machine that is not, does not contain one.

jodriscoll commented Mar 23, 2018

I'm going to close this as @pirog is helping through slack and it technically isn't an "issue" :)

@jodriscoll jodriscoll closed this Mar 23, 2018

jodriscoll commented Mar 23, 2018

Contents of the ~/.ssh/config document from the machine with the password prompt.

Host *
  AddKeysToAgent yes
  UseKeychain yes

Host github.com
  HostName github.com
  User [redacted]
  AddKeysToAgent yes
  UseKeychain yes
  IdentityFile ~/.ssh/id_rsa

@pirog pirog reopened this Mar 23, 2018

twfahey1 commented Nov 14, 2018

I was running into this issue, and for my case, I finally found a solution - The issue for me was my SSH key was password protected. I had to enable the global "Load PP protected ssh keys" config in my config.yml per the instructions here. Once I did that, and rebuilt my app, my container properly forwarded the PP ssh key, and unfortunately I still have to type my PW every time I pull since there is no SSH agent, but at least the pull is now possible.
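
Added example (not part of the original thread and not Lando's own code): a host-side check for the two things examined above, whether a private key is passphrase-protected and whether any file in the SSH directory has an unexpected owner (as `config` does in Part 5). Keys are classified by their header only; the function names and the tab-separated output are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit an SSH directory without loading any key material.

# Print "encrypted", "unencrypted" or "not-a-key" for one file.
key_status() {
  first=$(sed -n '1p' "$1" 2>/dev/null | tr -d '\r')
  case "$first" in
    "-----BEGIN ENCRYPTED PRIVATE KEY-----")   # PKCS#8, always encrypted
      echo encrypted ;;
    "-----BEGIN OPENSSH PRIVATE KEY-----")
      # The body starts with base64("openssh-key-v1\0" + cipher name);
      # the prefix below encodes the cipher name "none".
      case "$(sed -n '2p' "$1")" in
        b3BlbnNzaC1rZXktdjEAAAAABG5vbmUA*) echo unencrypted ;;
        *) echo encrypted ;;
      esac ;;
    "-----BEGIN "*"PRIVATE KEY-----")
      # Legacy PEM (RSA/DSA/EC) marks encryption with a Proc-Type header.
      if sed -n '2,3p' "$1" | grep -q '^Proc-Type: 4,ENCRYPTED'; then
        echo encrypted
      else
        echo unencrypted
      fi ;;
    *) echo not-a-key ;;
  esac
}

# List regular files directly inside "$1" that the current uid does not own.
foreign_owned() {
  find "$1" -maxdepth 1 -type f ! -user "$(id -u)" 2>/dev/null
}

# Report on every file in an SSH directory (default: ~/.ssh).
audit_ssh_dir() {
  dir=${1:-$HOME/.ssh}
  for f in "$dir"/*; do
    [ -f "$f" ] || continue
    s=$(key_status "$f")
    [ "$s" = not-a-key ] || printf '%s\t%s\n' "$s" "$f"
  done
  foreign_owned "$dir" | while IFS= read -r f; do
    printf 'foreign-owner\t%s\n' "$f"
  done
}

# Usage: audit_ssh_dir ~/.ssh
```

Running `audit_ssh_dir` on both machines and comparing the output shows whether they differ in key encryption or file ownership.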

stale bot commented Jan 31, 2019

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions and please check out this if you are wondering why we auto close issues.

@stale stale bot added the wontfix label Jan 31, 2019

@pirog pirog added this to the 3.0.0-rc.3 milestone Feb 1, 2019

@stale stale bot removed the wontfix label Feb 1, 2019

@pirog pirog self-assigned this Feb 2, 2019

pirog added a commit that referenced this issue Feb 2, 2019

@pirog pirog closed this Feb 2, 2019
