recipe repository ssh authentication error #477

Closed
opened 2023-07-31 21:48:46 +00:00 by moritz · 8 comments
Member

When I run `./abra app new authentik` I got the following error:
`FATA[0000] unable to fetch tags in ~/.abra/recipes/authentik: ssh: handshake failed: ssh: unable to authenticate, attempted methods [none publickey], no supported methods remain`

This is only the case for recipe repositories that have an ssh remote origin. But this had never been a problem before. Inside `~/.abra/recipes/authentik` I can run `git pull` without any problems.

The error appears since https://git.coopcloud.tech/coop-cloud/abra/commit/949510d4c39114fe698ecfc5d3e76870ae1e3224
This commit only adds the functionality to fetch the repository tags before creating the app. The ssh authentication bug hides somewhere else.

Edit:
A workaround is to use the https repository url as main origin and add the ssh url as second origin.
But then I discovered another problem. If I want to create a new app from an unstaged repository I got this error:
`FATA[0000] authentik has locally unstaged changes`
and if I create a commit but don't push it I get this error:
`FATA[0000] unable to fetch tags in /home/user/.abra/recipes/authentik: some refs were not updated`

This makes it impossible at the moment to test the app creation for recipe changes/updates.

moritz added the bug label 2023-07-31 21:48:46 +00:00
Owner

Oh shiet, will try to get to this today 👍 Thanks for the report!

(EDIT: asking fedi friends if this can be moved to the [critical fixes budget](https://git.coopcloud.tech/coop-cloud/organising/projects/24))

decentral1se added the abra label 2023-08-01 17:45:50 +00:00
Owner

@moritz

> FATA[0000] unable to fetch tags in <...cut...>

I was able to reproduce this when I 1. had an `ssh://` remote origin 2. did not configure my `ssh-agent` correctly (killed it and didn't run `ssh-add` for the key I needed to access gitea). The error of "unable to fetch tags" is turning up because it is the first time `abra` tries to make a remote connection via SSH and runs into the authentication issue. If you `ssh-add` your key, it works or? I don't think it's a bug since you wouldn't be able to make an SSH connection anyway?

> A workaround is to use the https repository url as main origin and add the ssh url as second origin.
> But then I discovered another problem. If I want to create a new app from an unstaged repository I got this error:
> `FATA[0000] authentik has locally unstaged changes`
> and if I create a commit but don't push it I get this error:
> `FATA[0000] unable to fetch tags in /home/user/.abra/recipes/authentik: some refs were not updated`

https://git.coopcloud.tech/coop-cloud/abra/pulls/336 fixes this

decentral1se added this to the Critical fixes project 2023-08-02 15:57:24 +00:00
Author
Member

After https://git.coopcloud.tech/coop-cloud/abra/commit/63d419caae51ddc314f4db93dfd5c82499b1e89a this issue doesn't appear anymore, because the tags are not pulled automatically. But it does not really solve the ssh issue.

Using https://git.coopcloud.tech/coop-cloud/abra/commit/179b66d65c2694fbf29a47b5f37d12022cee7bc9 the ssh issue can still be reproduced.
I can access the authentik ssh repository with git and I can `ssh git@git.coopcloud.tech -p 2222`, both without `ssh-agent`. So I wonder why abra can't access it. Even when I run `ssh-agent` I get the same error. I assume that abra is not recognizing/accessing my publickey.

Owner

> FATA[0000] unable to fetch tags in /home/user/.abra/recipes/authentik: some refs were not updated

I think this is fixed by https://git.coopcloud.tech/coop-cloud/abra/pulls/343 😬

> I can access the authentik ssh repository with git and I can ssh git@git.coopcloud.tech -p 2222, both without ssh-agent. So I wonder why abra can't access it. Even when I run ssh-agent I get the same error. I assume that abra is not recognizing/accessing my publickey.

@moritz thanks for checking! maybe https://git.coopcloud.tech/coop-cloud/abra/src/commit/60c0e55e3d1feb7dc4231066fcdbf755b61e70e8/pkg/ssh/ssh.go#L30-L66 is broken? Does `ssh -G <hostname>` have a `<hostname>` which matches a `Host <hostname>` in your `~/.ssh/config`? And is there an `IdentityFile` there?

Author
Member

It's not easy to reproduce it anymore. In https://git.coopcloud.tech/coop-cloud/abra/commit/179b66d65c2694fbf29a47b5f37d12022cee7bc9 I run `abra app new authentik` and it executes `EnsureUpToDate` so I run into this error, but https://git.coopcloud.tech/coop-cloud/abra/commit/63d419caae51ddc314f4db93dfd5c82499b1e89a#diff-94c1e19451212ceecf657163bdb4ddee2f17bb30 disables the execution of `EnsureUpToDate`. This fix doesn't make sense to me. Why does it deactivate `EnsureUpToDate` completely? Something like a cli flag is missing here I think.

With this patch I can reproduce the error:

diff --git a/cli/app/new.go b/cli/app/new.go
index ac8e194..e53b0ca 100644
--- a/cli/app/new.go
+++ b/cli/app/new.go
@@ -60,7 +60,7 @@ var appNewCommand = cli.Command{
        Action: func(c *cli.Context) error {
                conf := runtime.New(
                        runtime.WithOffline(internal.Offline),
-                       runtime.WithEnsureRecipeUpToDate(false),
+                       runtime.WithEnsureRecipeUpToDate(true),
                )
 
                recipe := internal.ValidateRecipeWithPrompt(c, conf)
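Review bot: The literal `true` passed to `runtime.WithEnsureRecipeUpToDate` in the `Action` of `appNewCommand` turns the up-to-date check on for every invocation, with no way to skip it short of editing the source again. Take the value from a flag or package-level setting instead, the way the line above passes `internal.Offline` to `runtime.WithOffline`, so the check can be enabled for testing and left off otherwise. It is also worth documenting how this option is meant to behave when `internal.Offline` is set, since both options are configured in the same `runtime.New` call.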

> @moritz thanks for checking! maybe https://git.coopcloud.tech/coop-cloud/abra/src/commit/60c0e55e3d1feb7dc4231066fcdbf755b61e70e8/pkg/ssh/ssh.go#L30-L66 is broken? Does `ssh -G <hostname>` have a `<hostname>` which matches a `Host <hostname>` in your `~/.ssh/config`? And is there an `IdentityFile` there?

The hostname `git.coopcloud.tech` is not in my `~/.ssh/config`. SSH uses my default ssh key for this. Maybe this is the problem. Can abra handle default public keys?

Author
Member

> I was able to reproduce this when I 1. had an `ssh://` remote origin 2. did not configure my `ssh-agent` correctly (killed it and didn't run `ssh-add` for the key I needed to access gitea). The error of "unable to fetch tags" is turning up because it is the first time `abra` tries to make a remote connection via SSH and runs into the authentication issue. If you `ssh-add` your key, it works or? I don't think it's a bug since you wouldn't be able to make an SSH connection anyway?

Update: running `ssh-add` resolves this issue. But this seems more like a workaround, because I have to run this command after each reboot and normally ssh doesn't need it to make an ssh connection.

Owner

@moritz

> Can abra handle default public keys?

`abra` just invokes `ssh -G <hostname>` which when it doesn't find a match it generates defaults 🙃 I think we take the first default... so `ssh -G DoesntExist | grep identity` gives `identityfile ~/.ssh/id_rsa`. I usually set `IdentityFile` myself for each host...

> This fix doesn't make sense for me. Why it deactivates EnsureUpToDate completely? Something like a cli flag is missing here I think.

The recipe validation logic does too much... but basically when you do `recipe new <recipe>`, you don't want to check that `<recipe>` is up to date because you haven't uploaded it to `git.coopcloud.tech` yet.

> Update: running ssh-add resolves this issue. But this seems more like a workaround, because I have to run this command after each reboot and normally ssh doesn't need it to make an ssh connection.

I run `ssh-add` each time I turn on my machine (have a script to do it). I can't `git clone` repos with a `ssh://` without it. Can you explain more what "ssh doesn't need it to make an ssh connection." means? If you have ideas for a fix here, I'll do my best to implement them.

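The key-selection question raised in the comments above, as an added Go example (not abra's code): it parses `ssh -G` output, keeps every `identityfile` candidate, and picks the first one that exists on disk instead of the first one listed. The sample output and the hostname `git.example.org` are constructed, and `IdentityFiles` and `FirstExisting` are hypothetical names.

```go
package main

import (
	"bufio"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// Constructed sample of `ssh -G <hostname>` output for a host with no Host block.
const sampleSSHG = `hostname git.example.org
identityfile ~/.ssh/id_rsa
identityfile ~/.ssh/id_ecdsa
identityfile ~/.ssh/id_ed25519
`

// IdentityFiles returns every identityfile value in order, expanding "~/".
func IdentityFiles(sshG, home string) []string {
	var files []string
	sc := bufio.NewScanner(strings.NewReader(sshG))
	for sc.Scan() {
		fields := strings.Fields(sc.Text())
		if len(fields) < 2 || !strings.EqualFold(fields[0], "identityfile") {
			continue
		}
		path := strings.Join(fields[1:], " ")
		if strings.HasPrefix(path, "~/") {
			path = filepath.Join(home, path[2:])
		}
		files = append(files, path)
	}
	return files
}

// FirstExisting returns the first candidate that is a regular file, or "".
func FirstExisting(candidates []string) string {
	for _, p := range candidates {
		if fi, err := os.Stat(p); err == nil && fi.Mode().IsRegular() {
			return p
		}
	}
	return ""
}

func main() {
	all := IdentityFiles(sampleSSHG, os.Getenv("HOME"))
	fmt.Println("first listed:", all[0], "first existing:", FirstExisting(all))
}
```

On a machine whose only key is `~/.ssh/id_ed25519`, the first listed candidate does not exist while the first existing one does, which is the gap between taking the first default and trying each default in turn.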
Owner

Doing some issue gardening. I'm going to close this off but please re-open if there is more to do. Thanks!

Reference: coop-cloud/organising#477