SSH Communicator fails when using signed key for bastion connection #136

Open
cfmw3 opened this issue Oct 24, 2022 · 0 comments
Labels: bug (Something isn't working)

Comments


cfmw3 commented Oct 24, 2022

Overview of the Issue

When using a key signing strategy via Vault (https://developer.hashicorp.com/vault/docs/secrets/ssh/signed-ssh-certificates#client-key-signing), Packer is unable to connect to bastion hosts.

Reproduction Steps

Assume bastion username bastion-user and bastion host bastion-host.

Sign key with Vault CA:

  ssh-keygen -t rsa -b 2048 -f id_rsa -q -N ""
  vault write -field=signed_key ssh/sign/{role_in_vault} public_key=@./id_rsa.pub > id_rsa-cert.pub

Configure Packer HCL:

  source "amazon-ebs" "test" {
    ssh_bastion_username = "bastion-user"
    ssh_bastion_host = "bastion-host"
    ssh_bastion_private_key_file = "id_rsa"
    ssh_bastion_certificate_file = "id_rsa-cert.pub"
  // ..... rest of code
  }

Execute Packer:

  packer build -debug rhel_base.pkr.hcl

Note that I have tried these other configurations:

No certificate:

  source "amazon-ebs" "test" {
    ssh_bastion_username = "bastion-user"
    ssh_bastion_host = "bastion-host"
    ssh_bastion_private_key_file = "id_rsa"
  // ..... rest of code
  }

Agent configuration:

  ❯ ssh-add id_rsa
  Identity added: id_rsa ([redacted])
  Certificate added: id_rsa-cert.pub (vault-[redacted])

  source "amazon-ebs" "test" {
    ssh_bastion_username = "bastion-user"
    ssh_bastion_host = "bastion-host"
    ssh_bastion_agent_auth = true
  // ..... rest of code
  }

Note also that with -debug set I can auth as normal with the ephemeral SSH key that Packer spits out (ec2_test):

  ❯ ssh -J bastion-user@bastion-host -i ec2_test.pem ec2-user@{packer-instance-ip} 
  // works normally...

Packer Plugin SDK version

0.3.2
Packer 1.8.4 (compiled from source at hashicorp/packer@35496e5)

Operating system and Environment details

Assume reasonably up-to-date utilities (ssh, etc.) per Ubuntu 20 LTS.

Log Fragments and crash.log files

With PACKER_LOG=1 and -debug set.

  2022/10/20 17:32:54 ui: ==> siem-rhel.amazon-ebs.siem-rhel: Using SSH communicator to connect: 172.35.4.231
  2022/10/20 17:32:54 packer-plugin-amazon_v1.1.5_x5.0_linux_amd64 plugin: 2022/10/20 17:32:54 [INFO] Waiting for SSH, up to timeout: 5m0s
  2022/10/20 17:32:54 ui: ==> siem-rhel.amazon-ebs.siem-rhel: Waiting for SSH to become available...
  2022/10/20 17:32:54 packer-plugin-amazon_v1.1.5_x5.0_linux_amd64 plugin: 2022/10/20 17:32:54 Using host value: 172.35.4.231
  2022/10/20 17:32:56 packer-plugin-amazon_v1.1.5_x5.0_linux_amd64 plugin: 2022/10/20 17:32:56 [DEBUG] TCP connection to SSH ip/port failed: Error connecting to bastion: ssh: handshake failed: ssh: unable to authenticate, attempted methods [none publickey], no supported methods remain
  2022/10/20 17:33:10 packer-provisioner-shell plugin: Received interrupt signal (count: 1). Ignoring.
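The "no supported methods remain" line above only says that the bastion's sshd rejected every public key it was offered; it does not say whether the certificate itself was acceptable. Before attributing the failure to the communicator, it is worth confirming that the signed certificate actually names the bastion login user and is inside its validity window. The following is an added diagnostic, not code from this issue, from Packer, or from Vault: a dependency-free parser for an OpenSSH RSA user certificate line (the id_rsa-cert.pub format, field order per OpenSSH's PROTOCOL.certkeys) plus a check for the three fields that most often cause a silent rejection. It does not verify the CA signature (ssh-keygen -L and the bastion's sshd log remain the authoritative view). The sample certificate it builds is constructed here with dummy key and signature bytes, because no real Vault-signed certificate appears on the page; the function names are this example's own.

```python
# Added diagnostic (not Packer/Vault code): parse an OpenSSH RSA user certificate
# and report why a bastion sshd would refuse it for a given login name.
import base64
import struct
import time

CERT_TYPE_USER = 1
CERT_TYPE_HOST = 2
RSA_CERT_TYPE = "ssh-rsa-cert-v01@openssh.com"


def _read_string(buf, off):
    """RFC 4251 'string': uint32 big-endian length followed by that many bytes."""
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated string field")
    return buf[off:off + n], off + n


def _read_u32(buf, off):
    return struct.unpack_from(">I", buf, off)[0], off + 4


def _read_u64(buf, off):
    return struct.unpack_from(">Q", buf, off)[0], off + 8


def parse_rsa_cert(cert_line):
    """Parse one line of an id_rsa-cert.pub file into a dict of certificate fields."""
    parts = cert_line.split()
    if len(parts) < 2 or parts[0] != RSA_CERT_TYPE:
        raise ValueError("expected an %s line" % RSA_CERT_TYPE)
    blob = base64.b64decode(parts[1])
    ktype, off = _read_string(blob, 0)
    if ktype.decode() != RSA_CERT_TYPE:
        raise ValueError("key type inside blob does not match line prefix")
    _nonce, off = _read_string(blob, off)
    _e, off = _read_string(blob, off)            # RSA public exponent (mpint)
    _n, off = _read_string(blob, off)            # RSA modulus (mpint)
    serial, off = _read_u64(blob, off)
    ctype, off = _read_u32(blob, off)
    key_id, off = _read_string(blob, off)
    principals_blob, off = _read_string(blob, off)
    valid_after, off = _read_u64(blob, off)
    valid_before, off = _read_u64(blob, off)
    _crit, off = _read_string(blob, off)         # critical options (not checked here)
    _ext, off = _read_string(blob, off)          # extensions (not checked here)
    _reserved, off = _read_string(blob, off)
    _sig_key, off = _read_string(blob, off)      # CA public key
    _sig, off = _read_string(blob, off)          # CA signature: NOT verified here
    if off != len(blob):
        raise ValueError("trailing bytes after certificate")
    principals, p = [], 0
    while p < len(principals_blob):              # nested list of 'string' values
        name, p = _read_string(principals_blob, p)
        principals.append(name.decode())
    return {"serial": serial, "type": ctype, "key_id": key_id.decode(),
            "principals": principals, "valid_after": valid_after,
            "valid_before": valid_before}


def check_cert_for_login(cert, username, now=None):
    """Return the reasons sshd would refuse this certificate for `username`."""
    now = int(time.time()) if now is None else now
    problems = []
    if cert["type"] != CERT_TYPE_USER:
        problems.append("certificate type %d is not a user certificate" % cert["type"])
    # An empty principal list means "any principal" per PROTOCOL.certkeys, so only
    # a non-empty list that omits the login name is a problem.
    if cert["principals"] and username not in cert["principals"]:
        problems.append("principals %r do not include %r" % (cert["principals"], username))
    if not (cert["valid_after"] <= now < cert["valid_before"]):
        problems.append("validity window [%d, %d) does not cover %d"
                        % (cert["valid_after"], cert["valid_before"], now))
    return problems


# Constructed sample: a syntactically valid certificate with dummy key and
# signature material, standing in for a real Vault-signed id_rsa-cert.pub.
def _s(b):
    return struct.pack(">I", len(b)) + b


def build_sample_cert(principals, valid_after, valid_before, ctype=CERT_TYPE_USER):
    body = _s(RSA_CERT_TYPE.encode()) + _s(b"\x00" * 32)           # type, nonce
    body += _s(b"\x01\x00\x01") + _s(b"\x00" + b"\xaa" * 256)      # e, n (dummy)
    body += struct.pack(">Q", 7) + struct.pack(">I", ctype)        # serial, type
    body += _s(b"vault-example") + _s(b"".join(_s(p.encode()) for p in principals))
    body += struct.pack(">QQ", valid_after, valid_before)
    body += _s(b"") + _s(b"") + _s(b"")                            # crit, ext, reserved
    body += _s(b"dummy-ca-key") + _s(b"dummy-signature")
    return "%s %s vault-example" % (RSA_CERT_TYPE, base64.b64encode(body).decode())


if __name__ == "__main__":
    line = build_sample_cert(["bastion-user"], 1_000, 2_000)
    cert = parse_rsa_cert(line)
    print(cert["key_id"], cert["principals"])
    print(check_cert_for_login(cert, "bastion-user", now=1_500))
    print(check_cert_for_login(cert, "ec2-user", now=2_500))
```

Run it against a real certificate by passing the single line of id_rsa-cert.pub to parse_rsa_cert and the bastion login name to check_cert_for_login; an empty list means the certificate itself is not the reason for the rejection, and the next place to look is the bastion's sshd log, which records whether the CA is trusted (TrustedUserCAKeys) and which principal it matched.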