recipe repository ssh authentication error #477
Labels
No Label
abra
abra-gandi
awaiting-feedback
backups
bug
build
ci/cd
community organising
contributing
coopcloud.tech
democracy
design
documentation
duplicate
enhancement
finance
funding
good first issue
help wanted
installer
kadabra
performance
proposal
question
recipes.coopcloud.tech
security
test
wontfix
No Milestone
No project
No Assignees
2 Participants
Notifications
Due Date
No due date set.
Dependencies
No dependencies set.
Reference: coop-cloud/organising#477
Loading…
Reference in New Issue
No description provided.
Delete Branch "%!s(<nil>)"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
When I run
./abra app new authentik
I got the following error:FATA[0000] unable to fetch tags in ~/.abra/recipes/authentik: ssh: handshake failed: ssh: unable to authenticate, attempted methods [none publickey], no supported methods remain
This is only the case for recipe repositories that have a ssh remote origin. But this had never been a problem before. Inside
~/.abra/recipes/authentik
I can rungit pull
without any problems.The error appears since
949510d4c3
This commit only adds the functionality to fetch the repository tags before creating the app. The ssh authentication bug hides anywhere else.
Edit:
A workaround is to use the https repository url as main origin and add the ssh url as second origin.
But then I discovered another problem. If I want to create a new app from an unstaged repository I got this error:
FATA[0000] authentik has locally unstaged changes
and if I create a commit but don't push it I get this error:FATA[0000] unable to fetch tags in /home/user/.abra/recipes/authentik: some refs were not updated
This makes it impossible at the moment to test the app creation for recipe changes/updates.
Oh shiet, will try to get to this today 👍 Thanks for the report!
(EDIT: asking fedi friends if this can be moved to the critical fixes budget)
@moritz
I was able to reproduce this when I 1. had an
ssh://
remote origin 2. did not configure myssh-agent
correctly (killed it and didn't runssh-add
for the key I needed to access gitea). The error of "unable to fetch tags" is turning up because it is the first timeabra
tries to make a remote connection via SSH and runs into the authentication issue. If youssh-add
your key, it works or? I don't think it's a bug since you wouldn't be able to make an SSH connection anyway?coop-cloud/abra#336 fixes this
After
63d419caae
this issue doesn't appear anymore, because the tags are note pulled automatically. But it does not really solve the ssh issue.Using
179b66d65c
the ssh issue can still be reproduced.I can access the authentik ssh repository with git and I can
ssh git@git.coopcloud.tech -p 2222
, both withoutssh-agent
. So I wonder why abra can't access it. Even when I runssh-agent
I get the same error. I assume that abra is not recognizing/accessing my publickey.I think this is fixed by coop-cloud/abra#343 😬
@moritz thanks for checking! maybe
60c0e55e3d/pkg/ssh/ssh.go (L30-L66)
is broken? Doesssh -G <hostname>
have a<hostname>
which matches a Hostin your
~/.ssh/config? And is there an
IdentityFile` there?It's not easy to reproduce it anymore. In
179b66d65c
I runabra app new authentik
and it executesEnsureUpToDate
so I run into this error but63d419caae (diff-94c1e19451212ceecf657163bdb4ddee2f17bb30)
disables the execution ofEnsureUpToDate
. This fix doesn't make sense for me. Why it deactivatesEnsureUpToDate
completely? Something like a cli flag is missing here I think.With this patch I can reproduce the error:
The hostname
git.coopcloud.tech
is not in my~/.ssh/config
. SSH uses my default ssh key for this. Maybe this is the problem. Can abra handle default public keys?Update: running
ssh-add
resolves this issue. But this seems more like a workaround, because I have to run this command after each reboot and normally ssh doesn't need it to make an ssh connection.@moritz
abra
just invokesssh -G <hostname>
which when it doesn't find a match it generates defaults 🙃 I think we take the first default... sossh -G DoesntExist | grep identity
givesidentityfile ~/.ssh/id_rsa
. I usually setIdentityFile
myself for each host...The recipe validation logic does too much... but basically when you do
recipe new <recipe>
, you don't want to check that<recipe>
is up to date because you haven't uploaded it togit.coopcloud.tech
yet.I run
ssh-add
each time I turn on my machine (have a script to do it). I can'tgit clone
repos with assh://
without it. Can you explain more what "ssh doesn't need it to make an ssh connection." means? If you have ideas for a fix here, I'll do my best to implement them.Doing some issue gardening. I'm going to close this off but please re-open if there is more to do. Thanks!