Expected behavior:
Streisand should not need a public key for an existing server if the connection via private key succeeds.
It should rather check the remote server's ~/.ssh/authorized_keys and pull the public keys from there.
Actual Behavior:
Existing server connection fails.
Steps to Reproduce:
Set up an existing server.
Set up certificate authentication for SSH logon.
Run server provisioning.
Installation fails because id_rsa.pub is missing.
[ contents of streisand-diagnostics.md here ]
Additional Details:
Log output from Ansible or other relevant services (link to Gist for longer output):
PLAY [Perform global variables validation] *************************
TASK [validation : Stat the Streisand SSH private key] *********************
ok: [localhost]
TASK [validation : Fail if the Streisand SSH private key file doesn't exist] *************
skipping: [localhost]
TASK [validation : Stat the Streisand SSH public key] **********************
ok: [localhost]
TASK [validation : Fail if the Streisand SSH public key file doesn't exist] **************
fatal: [localhost]: FAILED! => {"changed": false, "msg": "The Streisand SSH public key \"~/.ssh/id_rsa.pub\" does not exist."}
TASK [validation : fail] *******************************
fatal: [localhost]: FAILED! => {"changed": false, "msg": "Ensure you specified an existing SSH private key file (not public).\n Try using `ssh-keygen -f ~/.ssh/id_rsa to generate your key if it does not exist\n"}
to retry, use: --limit @/home/lexy/streisand/playbooks/validate.retry
PLAY RECAP ***********************************
localhost : ok=2 changed=0 unreachable=0 failed=2
Target Cloud Provider:
custom
Operating System of target host:
Ubuntu 16.04
Operating System of client:
Linux Mint 18.3
Version of Ansible, using ansible --version :
ansible 2.5.1
config file = /home/lexy/streisand/ansible.cfg
configured module search path = [u'/home/lexy/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
ansible python module location = /usr/local/lib/python2.7/dist-packages/ansible-2.5.1-py2.7.egg/ansible
executable location = /usr/local/bin/ansible
python version = 2.7.12 (default, Dec 4 2017, 14:50:18) [GCC 5.4.0 20160609]
Output from git rev-parse HEAD in your Streisand directory :
0ab3ab9248e3903205e8d2f04527af3defb57778
Hi @lexy2,
Streisand's SSH key handling code needs the private key filepath in order to set the https://github.com/StreisandEffect/streisand/blob/ca22ac975017ec697816faf1bf852e7c25c4f62c/playbooks/ssh-setup.yml#L7 to instruct Ansible to use the right private key when connecting to the instance.
If you're aware of another way to accomplish this that works with both your existing server configuration and all of the supported cloud providers please submit a PR.
Thank you!
Hi @cpu,
I am specifying the SSH private key to Ansible and it is able to use it. The issue is that Ansible asks for the public key which is not really required for it to connect to the instance.
Thank you!
Hi @Lexy2,
I apologize, I misread your original issue and thought you were talking about the private key.
> The issue is that Ansible asks for the public key which is not really required for it to connect to the instance.
Agreed, in this case it isn't needed. It is needed for the cloud providers where Streisand uses an API to create a cloud instance. In this case it needs to know the SSH public key in order to register it with the API during provisioning.
I suspect that there is probably some engineering work that could be done to avoid needing the public key for an existing/localhost server deploy. Are you interested in submitting a PR for that? If it isn't a significant complication of the existing code we could merge it.
I'll reopen and retitle this issue now that I understand better. Thanks for explaining!
Thank you, @cpu, I'll work on a PR for this.
This was fixed by https://github.com/StreisandEffect/streisand/pull/1306.
Thanks again @Lexy2!
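A client-side workaround for the validation failure reported in this thread, as an added example that is not part of the original issue or Streisand's own code: the public key can be derived from the private key with `ssh-keygen -y`, so the missing `id_rsa.pub` can be recreated before running the playbook. The function name `ensure_pubkey` is hypothetical, and the sketch assumes OpenSSH's `ssh-keygen` is installed on the client.

```shell
#!/bin/sh
# ensure_pubkey PRIVATE_KEY   (hypothetical helper, not part of Streisand)
# Make sure PRIVATE_KEY.pub exists, deriving it from the private key if needed.
# Prints the public key path on success; returns non-zero on failure.
ensure_pubkey() {
    priv=$1
    pub="${priv}.pub"

    if [ ! -f "$priv" ]; then
        echo "private key not found: $priv" >&2
        return 1
    fi

    # Nothing to do if a non-empty public key file is already present.
    if [ -s "$pub" ]; then
        printf '%s\n' "$pub"
        return 0
    fi

    # ssh-keygen -y reads a private key and prints the matching public key.
    # Write to a temp file first so a failure (wrong passphrase, unreadable
    # key) never leaves an empty or partial .pub file behind.
    tmp="${pub}.tmp.$$"
    if ssh-keygen -y -f "$priv" > "$tmp"; then
        chmod 644 "$tmp"
        mv "$tmp" "$pub"
        printf '%s\n' "$pub"
        return 0
    fi

    rm -f "$tmp"
    echo "could not derive public key from: $priv" >&2
    return 1
}

# Stand-alone use: sh ensure_pubkey.sh ~/.ssh/id_rsa
if [ "$#" -gt 0 ]; then
    ensure_pubkey "$1"
fi
```

The derived file contains only public material, so creating it does not weaken the key pair; a passphrase-protected private key will prompt for its passphrase.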