I'm using the org/x/crypto/ssh package to build a CLI application that SSHes through a bastion to a server using SSH certs. The basic workflow is: the CLI tool takes the user's public key and gets it signed by the Vault SSH CA, and the resulting cert is used to authenticate the user to the servers. It worked fine.
```go
import (
	"log"
	"net"
	"os"

	"golang.org/x/crypto/ssh"
)

// certSigner is the ssh.Signer built earlier from the user's private key and the
// certificate returned by the Vault SSH CA; config holds the bastion's address.
configure := &ssh.ClientConfig{
	User: "ec2-user",
	Auth: []ssh.AuthMethod{
		// Use the PublicKeys method for remote authentication.
		ssh.PublicKeys(certSigner),
	},
	// Host key checking is disabled here; ssh.FixedHostKey or knownhosts.New
	// would verify the bastion's host key instead.
	HostKeyCallback: ssh.InsecureIgnoreHostKey(),
}
//log.Println(config.bastionserver.publicIP)
// Connect to the remote server and perform the SSH handshake.
proxyClient, err := ssh.Dial("tcp", net.JoinHostPort(config.bastion.publicIP, "22"), configure)
if err != nil {
	log.Fatalln(err)
}
session, err := proxyClient.NewSession()
if err != nil {
	log.Fatalln(err)
}
defer session.Close()
// Wire the local terminal to the remote shell; without this the shell
// started below has no input or output.
session.Stdin, session.Stdout, session.Stderr = os.Stdin, os.Stdout, os.Stderr
if err = session.Shell(); err != nil {
	log.Fatalln(err)
}
session.Wait()
```
I made some changes and reverted back to the code, and I started getting the following error. I used git to revert.

```
ssh: handshake failed: ssh: unable to authenticate, attempted methods [publickey none], no supported methods remain
```

So I reduced the complexity and tried the following block to connect just to the bastion through the CLI app I'm building.
```go
import (
	"fmt"
	"log"
	"os"
	"os/exec"
)

// signedKeyPath and privateKeyPath are set earlier to the certificate and
// private key files; both are passed to ssh with -i.
cmd := exec.Command("ssh", "-i", signedKeyPath, "-i", privateKeyPath, "ec2-user@host")
fmt.Println(cmd.String())
// Pass the terminal through so ssh can prompt and show output.
cmd.Stdin = os.Stdin
cmd.Stdout = os.Stdout
cmd.Stderr = os.Stderr
err := cmd.Run()
if err != nil {
	log.Fatalln(err)
}
```
Still it exits with:

```
/usr/bin/ssh -i /home/rochana/.ssh/id_rsa-cert.pub -i /home/rochana/.ssh/id_rsa ec2-user@host
ec2-user@host: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
2020-02-17 11:01:25.168548 I | exit status 255.
```
I tried compiling and running it on a different PC and got the same results. I also tried saving the cert to disk and giving the path.

But if I run the same command in the terminal, it works fine and connects to the instance:

```sh
ssh -i ~/.ssh/id_rsa-cert.pub -i ~/.ssh/id_rsa ec2-user@host
```

or just copy and paste the `cmd.String()` output:

```sh
/usr/bin/ssh -i /home/rochana/.ssh/id_rsa-cert.pub -i /home/rochana/.ssh/id_rsa ec2-user@host
```

Everything works fine when I run it directly in the terminal, but not with `exec.Command`.
`signedKeyPath` - are you sure it is the same file name that you pass to ssh directly? (It should really have a file extension of .key or something.) You could try changing the perms +rx on all the files. Also you could try using absolute path names to make sure you are finding the right files. – Andrew W. Phillips

`err = ioutil.WriteFile(expandPath("~/.ssh/id_rsa-cert.pub"), []byte(signedKey), 0644)` This is how I save the signed cert file. I even tried 0777. – Rochana Atapattu

`cmd := exec.Command("ssh", "-i", privateKeyPath, "-vv", "user@address")`. Note I added `-vv` to provide some diagnostic info because my first attempt failed. The issue turned out to be a space in front of the username; this got me thinking, so I added a space to the start of the certificate filename and got `Permission denied (publickey)` (copying that command to the console would have worked). So check for any stray spaces and see if the info provided by `-v` helps. – Brits