
ssh-dss (DSA) keys fail for Labs instances with "debian-9.0-stretch (experimental)" image
Closed, Declined · Public

Description

I created an instance "petscan-dev" in the "petscan" project on Labs, using the "debian-9.0-stretch (experimental)" image.
ssh'ing into the instance fails with "Permission denied (publickey)."
My old instance "petscan2", in the same project, works fine.
I then created a new machine identical to the "stretch" one, but using the "ubuntu-14.04-trusty" image.
That one works fine as well.
Maybe keys don't get copied to the "stretch"-based VM?
I will use the Ubuntu VM.
I left the "stretch" VM running for your debugging pleasure. You can nuke it when you are done with it.

Event Timeline

Restricted Application added a subscriber: Aklapper.

@Magnus can you try ssh'ing to this machine again just to see if you can still reproduce the ssh auth failure? The instance seems to be up to date with puppet runs and I can query the needed LDAP information from a root shell there.

I do see old log messages like:

Jun  7 08:04:48 petscan-dev sshd[10814]: Failed publickey for magnus from 10.68.17.232 port 42586 ssh2: RSA SHA256:F3OMj/3VUzAI5hsDeVnGY322PJ1nx/GPVJCoNkMm5Bs
Jun  7 08:15:27 petscan-dev sshd[11682]: Failed publickey for magnus from 10.68.17.232 port 44336 ssh2: RSA SHA256:F3OMj/3VUzAI5hsDeVnGY322PJ1nx/GPVJCoNkMm5Bs
Jun  7 08:15:34 petscan-dev sshd[11685]: Failed publickey for magnus from 10.68.17.232 port 44378 ssh2: RSA SHA256:F3OMj/3VUzAI5hsDeVnGY322PJ1nx/GPVJCoNkMm5Bs
Jun  7 08:28:34 petscan-dev sshd[11751]: Failed publickey for magnus from 10.68.17.232 port 46872 ssh2: RSA SHA256:F3OMj/3VUzAI5hsDeVnGY322PJ1nx/GPVJCoNkMm5Bs
Jun  7 08:32:18 petscan-dev sshd[11770]: Failed publickey for magnus from 10.68.17.232 port 47366 ssh2: RSA SHA256:F3OMj/3VUzAI5hsDeVnGY322PJ1nx/GPVJCoNkMm5Bs

ssh magnus@petscan-dev.petscan.eqiad.wmflabs
Permission denied (publickey).
Killed by signal 1.

Logs from the last attempt by @Magnus:

Jun 19 08:04:44 petscan-dev sshd[1268]: Connection from 10.68.17.232 port 39748 on 10.68.20.123 port 22
Jun 19 08:04:45 petscan-dev sshd[1268]: reprocess config line 44: Deprecated option RSAAuthentication
Jun 19 08:04:45 petscan-dev sshd[1268]: reprocess config line 54: Deprecated option RhostsRSAAuthentication
Jun 19 08:04:45 petscan-dev sshd[1268]: userauth_pubkey: key type ssh-dss not in PubkeyAcceptedKeyTypes [preauth]
Jun 19 08:04:45 petscan-dev sshd[1268]: Failed publickey for magnus from 10.68.17.232 port 39748 ssh2: RSA SHA256:F3OMj/3VUzAI5hsDeVnGY322PJ1nx/GPVJCoNkMm5Bs
Jun 19 08:04:46 petscan-dev sshd[1268]: Connection closed by 10.68.17.232 port 39748 [preauth]

I think this is telling us that the SSH key @Magnus is using is a DSA SSH key ('dss' is the standard that DSA is from) and the stretch ssh server is not configured to accept it.

The stretch VM has openssh 7.4 installed vs the openssh 6.9 that is used on our trusty boxes (and 6.7 on jessie apparently?). Openssh 7.0 has stopped accepting DSA keys by default. So either @Magnus and other users who are still using DSA keys need to generate and upload new keys or we need to add the PubkeyAcceptedKeyTypes=+ssh-dss configuration for jessie ssh servers to allow the deprecated key type.
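As an added example (not code from this task or from the Cloud VPS tooling), the Python below does the two things the diagnosis above calls for: it joins sshd's "key type ssh-dss not in PubkeyAcceptedKeyTypes" line to the following "Failed publickey for <user>" line by sshd pid, so an operator can list which users are locked out by the OpenSSH 7.0 DSA default rather than by a simply wrong key, and it scans authorized_keys content for ssh-dss entries so owners can be asked to upload a replacement before an upgrade. The log and authorized_keys samples are constructed; only the pid 1268 session mirrors the task's quoted log, and the alice/bob sessions and all key material are invented placeholders.

```python
import re
from collections import defaultdict

# Constructed sshd sample modelled on the task's log: pid 1268 is the task's session, alice/bob are invented.
SAMPLE_LOG = """\
Jun 19 08:04:45 petscan-dev sshd[1268]: userauth_pubkey: key type ssh-dss not in PubkeyAcceptedKeyTypes [preauth]
Jun 19 08:04:45 petscan-dev sshd[1268]: Failed publickey for magnus from 10.68.17.232 port 39748 ssh2: RSA SHA256:F3OMj/3VUzAI5hsDeVnGY322PJ1nx/GPVJCoNkMm5Bs
Jun 19 08:10:02 petscan-dev sshd[1301]: Failed publickey for alice from 10.68.17.5 port 40001 ssh2: RSA SHA256:AAAA
Jun 19 08:11:00 petscan-dev sshd[1310]: userauth_pubkey: key type ssh-dss not in PubkeyAcceptedKeyTypes [preauth]
Jun 19 08:11:00 petscan-dev sshd[1310]: Failed publickey for bob from 10.68.17.9 port 40100 ssh2: DSA SHA256:BBBB
"""
# Constructed authorized_keys content; the key material is placeholder text, not real keys.
SAMPLE_AUTHORIZED_KEYS = """\
ssh-rsa AAAAB3NzaC1yc2E...PLACEHOLDER magnus@laptop
from="10.68.0.0/16" ssh-dss AAAAB3NzaC1kc3M...PLACEHOLDER magnus@old-desktop
# comment lines are skipped
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5...PLACEHOLDER bob@work
"""
SSHD_RE = re.compile(r"sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$", re.M)
REJECT_RE = re.compile(r"key type (?P<ktype>\S+) not in PubkeyAcceptedKeyTypes")
FAILED_RE = re.compile(r"Failed publickey for (?P<user>\S+) from ")
DEPRECATED_TYPES = {"ssh-dss"}  # dropped from OpenSSH 7.0's default PubkeyAcceptedKeyTypes

def users_with_rejected_key_types(log_text):
    """Map user -> key types sshd refused before that user's login failed. The rejection
    line carries no username, so it is joined to the next 'Failed publickey for <user>' by pid."""
    pending = defaultdict(set)   # pid -> key types rejected in that session
    affected = defaultdict(set)  # user -> key types they need to replace
    for m in SSHD_RE.finditer(log_text):
        pid, msg = m.group("pid"), m.group("msg")
        rejected, failed = REJECT_RE.search(msg), FAILED_RE.search(msg)
        if rejected:
            pending[pid].add(rejected.group("ktype"))
        elif failed and pid in pending:  # a failure with no prior rejection (alice) is a different problem
            affected[failed.group("user")] |= pending.pop(pid)
    return dict(affected)

def deprecated_authorized_keys(authorized_keys_text):
    """Return (line_number, key_type, comment) for each key of a deprecated type."""
    hits = []
    for lineno, line in enumerate(authorized_keys_text.splitlines(), 1):
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        # Lines may begin with options such as from="..."; the key type is the first ssh-*/ecdsa-*/sk-* field.
        idx = next((i for i, f in enumerate(fields) if f.startswith(("ssh-", "ecdsa-", "sk-"))), None)
        if idx is not None and fields[idx] in DEPRECATED_TYPES:
            hits.append((lineno, fields[idx], " ".join(fields[idx + 2:])))
    return hits
```

Run against a real auth.log and the users' uploaded keys, the first function tells you who has already been bitten and the second who will be once their instance moves to a 7.x sshd.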

bd808 renamed this task from ssh fails for Labs instance with "debian-9.0-stretch (experimental)" image to ssh-dss (DSA) keys fail for Labs instances with "debian-9.0-stretch (experimental)" image. Jun 19 2017, 4:16 PM
bd808 added a subscriber: faidon.

Closing in favor of T168433: Deprecate DSA (ssh-dss) SSH keys for Cloud VPS and Toolforge users after a short discussion with @faidon on irc. Affected users should generate new ssh keys, upload them in wikitech or toolsadmin, and stop using their old DSA keys.