Can't ssh from a Powershell deploy script
Hello,
I'm trying to use ssh from a Powershell deploy script, and I'm encountering 2 issues.
- Without doing anything out of the ordinary, just trying to ssh to a server I control using this script:
echo "Before ssh"
ssh [email blocked]
echo "After ssh"
Build logs: https://ci.appveyor.com/project/brliron/thcrap-dev/builds/50066316
Trying the same command from a Powershell shell on my local machine gives the expected result:
[email blocked]: Permission denied (publickey).
For the sake of testing, I tried to print the content of the known_hosts file, and it doesn't help me understand this issue: https://ci.appveyor.com/project/brliron/thcrap-dev/builds/50063440
- After that, I tried to remove the known_hosts file using this deploy script:
rm ~\.ssh\known_hosts
echo "Before ssh"
ssh [email blocked]
echo "After ssh"
1 Posted by brliron on 21 Jun, 2024 11:43 AM
I forgot to say that I'm using the "Visual Studio 2019" build worker image.
Support Staff 2 Posted by Owen McDonnell on 21 Jun, 2024 10:28 PM
Is this a new issue, by which I mean was your configuration with an ssh call working before?
I'm far from an SSH guru, but have you tried to add the host with an ssh-keyscan command?
3 Posted by brliron on 23 Jun, 2024 08:50 AM
I've never tried using ssh from AppVeyor before so I can't comment on whether it's a new issue or not.
I tried adding the host by running ssh-keyscan on my local machine and adding the output to the known_hosts file with an echo command, it didn't change anything: https://ci.appveyor.com/project/brliron/thcrap-dev/builds/50063512 .
On the other hand, I didn't try running the ssh-keyscan command directly from the deploy script because it should have the same output, but just to be sure, I'm going to try it anyway.
After trying, it didn't help. Here is a build with ssh-keyscan kosuzu.thpatch.net >> ~\.ssh\known_hosts being run before the ssh command: https://ci.appveyor.com/project/brliron/thcrap-dev/builds/50073307
And another one where I tried to remove the known_hosts file and then to add our server key with ssh-keyscan: https://ci.appveyor.com/project/brliron/thcrap-dev/builds/50073397 . In the same scenario, I also got a timeout from ssh instead of it being stuck: https://ci.appveyor.com/project/brliron/thcrap-dev/builds/50073383
In both cases, the behavior is the same as without the ssh-keyscan command.
Support Staff 4 Posted by Owen McDonnell on 25 Jun, 2024 06:12 PM
When you ssh to this server from your local machine, you are being prompted for credentials or you are using ssh keys?
5 Posted by brliron on 25 Jun, 2024 10:20 PM
The server is configured to use ssh keys for authentication. On the machine I use for local testing, I don't have any ssh key in ~/.ssh, so I'm getting this error (which is expected):
And specifying the key on the command line with ssh [email blocked] -i .\id_ed25519 results in this:
(the SSH server is configured to execute a script when connecting with this user instead of opening a shell, which for now only displays "Hello world!" but will take care of the deployment at some point).
I tried to use the ssh key from the deploy script on AppVeyor, without success. The behavior on AppVeyor is the same with or without specifying the ssh key (for example, this job https://ci.appveyor.com/project/brliron/thcrap-dev/builds/50063512 uses an ssh key and this job https://ci.appveyor.com/project/brliron/thcrap-dev/builds/50073307 doesn't).
Support Staff 6 Posted by Owen McDonnell on 26 Jun, 2024 10:49 PM
Regarding your first example that uses the ssh key - when I run that locally I get the same Pseudo-terminal will not be allocated.. message. If I add the -T flag (i.e. ssh -T [email blocked] -i .\id_ed25519) then the command runs without that error, instead returning a bash error about the echo command.
You also mentioned a timeout on some build. That may be due to the ssh server attempting to detect an interactive terminal.
7 Posted by brliron on 01 Jul, 2024 03:32 PM
After a lot more testing and remembering that ssh -vvv is a thing, I think I found a way to fix the 2 problems I encountered - one of them would be on my end, and one of them would be on your end.
The timeout
That one is the one I need to fix on my end (if you're curious, you can read, if you don't care, you can skip to the next section "wrong host key"). This one seems to happen when I don't have a known_hosts file. I guess that it tries to display this message:
And then it gets stuck waiting for an answer. The weird thing is that this message isn't displayed in the AppVeyor build logs, but that's my only guess.
But, you suggested that I add the server key to the file, which I tried, so why didn't it fix this problem? Because the command I used for that, ssh-keyscan kosuzu.thpatch.net > ~\.ssh\known_hosts , saves the file in UTF-16, while ssh expects UTF-8. Because of that, the file gets ignored and it's as if it wasn't there.
The fix is for me to use this command instead:
ssh-keyscan kosuzu.thpatch.net | Set-Content -Encoding utf8 ~\.ssh\known_hosts
Wrong key host
The timeout issue happens after I remove the known_hosts file pre-installed on the instance. With the default known_hosts file, I had another error:
I believe that this one is caused by an error in the pre-installed known_hosts file. A normal line in this file can look like these:
But the 3 last lines are this:
These lines were written assuming that the 1st field of each line was in the format "hostname,ip", using * to say "match any IP from gitlab.com". But the documentation (the section "SSH_KNOWN_HOSTS FILE FORMAT" in the sshd man page https://linux.die.net/man/8/sshd ) says this about this field:
The fix would be to change the pre-installed file on the AppVeyor instance, to either replace the 3 * wildcards with a pattern unique to Gitlab's IP addresses, or just to remove the wildcard and keep only gitlab.com in the Hostnames field.
In the meantime, I can work around this issue on my end by removing the pre-installed known_hosts file.
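A pre-flight check for both findings in the post above (a known_hosts file saved as UTF-16, and a host field containing a bare * pattern), as an added example that is not part of the original thread or of AppVeyor's tooling. The function name Test-KnownHostsFile, the sample path and the placeholder entries are assumptions made for this illustration.

```powershell
# Added example, not from the thread. Test-KnownHostsFile is a hypothetical helper name.
function Test-KnownHostsFile {
    param([Parameter(Mandatory)][string]$Path)

    $findings = @()
    $full  = (Resolve-Path -LiteralPath $Path).ProviderPath
    $bytes = [System.IO.File]::ReadAllBytes($full)

    # 1. Encoding. Windows PowerShell's ">" writes UTF-16LE: a FF FE byte-order mark,
    #    then a NUL byte after every ASCII character. The post reports ssh ignoring such a file.
    $hasBom = $bytes.Length -ge 2 -and $bytes[0] -eq 0xFF -and $bytes[1] -eq 0xFE
    if ($hasBom -or ($bytes -contains 0)) {
        $findings += 'encoding: file looks like UTF-16, rewrite it as UTF-8'
        $text = [System.Text.Encoding]::Unicode.GetString($bytes)
    } else {
        $text = [System.Text.Encoding]::UTF8.GetString($bytes)
    }
    $text = $text.TrimStart([char]0xFEFF)   # drop a decoded byte-order mark

    # 2. Host field. It is a comma-separated list of patterns matched against the
    #    host name, so a bare "*" makes the entry apply to every server.
    $lineNo = 0
    foreach ($line in ($text -split '\r?\n')) {
        $lineNo++
        $line = $line.Trim()
        if ($line -eq '' -or $line.StartsWith('#')) { continue }
        $fields = $line -split '\s+'
        if ($fields.Count -lt 3) { continue }          # not a host / key type / key entry
        # An optional marker (@cert-authority, @revoked) comes before the host field.
        $hostField = if ($fields[0].StartsWith('@')) { $fields[1] } else { $fields[0] }
        if ($hostField.StartsWith('|')) { continue }   # hashed host name, no patterns
        if (($hostField -split ',') -contains '*') {
            $findings += "line ${lineNo}: host field '$hostField' matches every host"
        }
    }
    return ,$findings
}

# Constructed sample (placeholder key material), written as UTF-16LE on purpose.
$sample = Join-Path ([System.IO.Path]::GetTempPath()) 'known_hosts.sample'
@('example.org ssh-ed25519 AAAAC3-PLACEHOLDER',
  'gitlab.com,* ssh-ed25519 AAAAC3-PLACEHOLDER') | Out-File -Encoding unicode $sample
$problems = Test-KnownHostsFile $sample
$problems
if ($problems.Count -gt 0) { Write-Warning 'known_hosts needs fixing before ssh runs' }
```

Running the function against ~\.ssh\known_hosts before the ssh call turns either problem into a visible message in the build log rather than a hang or a host key error.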
Support Staff 8 Posted by Owen McDonnell on 04 Jul, 2024 08:44 PM
Thanks for all the clarifications and glad to hear you've been able to work around it. This is not an area of expertise for me ; )
I've added modification of the known_hosts file to our next image update. You can watch it here
Feodor Fitsner closed this discussion on 03 Sep, 2024 09:03 PM.