Failed to connect: ssh: handshake failed: ssh: unable to authenticate, attempted methods [none], no supported methods remain
System Information
Linux distribution
Client System: Linux gitlab 5.15.0-105-generic #115-Ubuntu SMP Mon Apr 15 09:52:04 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux
Server: Linux qub4rt 6.1.0-18-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.76-1 (2024-02-01) x86_64 GNU/Linux
Terraform version
Terraform v1.8.2 on linux_amd64
Provider and libvirt versions
+ provider registry.terraform.io/dmacvicar/libvirt v0.7.6
Issue: When attempting to use an SSH URI connector to a remote Linux system, I am authenticating successfully (based on OpenSSH logs), however I am receiving the following error:
│ Error: failed to connect: ssh: handshake failed: ssh: unable to authenticate, attempted methods [none], no supported methods remain
│
│   with provider["registry.terraform.io/dmacvicar/libvirt"],
│   on test.tf line 9, in provider "libvirt":
│    9: provider "libvirt" {
│
The SSH key in use will allow me to successfully authenticate outside of Terraform. I have tried both RSA and ECDSA key types in my Terraform URI statement; neither works.
In SSH logs, it appears the client is issuing a close request at preauth:
May 10 15:46:27 qub4rt sshd[209057]: debug1: /etc/ssh/gitlab-libvirt-authorized_keys:1: matching key found: RSA SHA256:5OJzx6mZZirtqdrTp/0SpUSbPAzy1I70DIOSnvCiIS0
May 10 15:46:27 qub4rt sshd[209057]: debug1: /etc/ssh/gitlab-libvirt-authorized_keys:1: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
May 10 15:46:27 qub4rt sshd[209057]: Accepted key RSA SHA256:5OJzx6mZZirtqdrTp/0SpUSbPAzy1I70DIOSnvCiIS0 found at /etc/ssh/gitlab-libvirt-authorized_keys:1
May 10 15:46:27 qub4rt sshd[209057]: debug1: restore_uid: 0/0
May 10 15:46:27 qub4rt sshd[209057]: debug1: auth_activate_options: setting new authentication options
May 10 15:46:27 qub4rt sshd[209057]: Partial publickey for gitlab-libvirt from 192.168.32.81 port 34246 ssh2: RSA SHA256:5OJzx6mZZirtqdrTp/0SpUSbPAzy1I70DIOSnvCiIS0
May 10 15:46:27 qub4rt sshd[209057]: debug1: auth_activate_options: setting new authentication options [preauth]
May 10 15:46:27 qub4rt sshd[209057]: Connection closed by authenticating user gitlab-libvirt 192.168.32.81 port 34246 [preauth]
May 10 15:46:27 qub4rt sshd[209057]: debug1: do_cleanup [preauth]
I have tested enabling the following features in OpenSSH, to no avail:
PermitTunnel yes
AllowAgentForwarding yes
AllowTcpForwarding yes
X11Forwarding yes
AllowStreamLocalForwarding yes
PermitOpen any
If I use the same URI connect string from the command line, I am able to successfully connect and perform actions.
So this appears to be something in the Terraform provider, but I'm unable to determine what.
Example test case:
terraform {
  required_providers {
    libvirt = {
      source = "dmacvicar/libvirt"
    }
  }
}

provider "libvirt" {
  uri = "qemu+ssh://gitlab-libvirt@qub4rt:26/system?sshauth=privkey&keyfile=/home/myuser/.ssh/gitlab-libvirt&no_verify=1"
}

resource "libvirt_pool" "test_pool" {
  name = "test_pool"
  type = "dir"
  path = "/tmp/testpool"
}
Enabling TF_LOG=debug, the only item that stands out is:
2024-05-10T19:56:27.997Z [INFO] provider.terraform-provider-libvirt_v0.7.6: 2024/05/10 19:56:27 [DEBUG] Configuring provider for 'qemu+ssh://gitlab-libvirt@qub4rt:26/system?sshauth=privkey&keyfile=/home/madsara/.ssh/gitlab-libvirt&no_verify=1': &{map[uri:0xc000261cc0]
Hello, did you find a solution?
For auth you need to use a key that is not an RSA key. Try to use an ecdsa-sha2-nistp256 key. And for test purposes, put it first or, even better, keep only a single key in authorized_keys.
I was able to resolve this by using an ecdsa-sha2-nistp521 key and adding the following to my sshd configuration for my user "gitlab-libvirt":
Match User gitlab-libvirt
    AuthorizedKeysFile /etc/ssh/gitlab-libvirt-authorized_keys
    AuthenticationMethods publickey
    PasswordAuthentication no
    PermitTunnel yes
    AllowAgentForwarding yes
    AllowTcpForwarding yes
    X11Forwarding yes
    AllowStreamLocalForwarding yes
    PermitOpen any
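Added example, not part of the thread or of the provider's code: sshd logs "Partial <method>" when a method succeeded but its AuthenticationMethods policy still requires another, so a "Partial publickey" line followed by a "[preauth]" close (as in the log quoted in the report) is worth telling apart from a plain failed login. This Python script classifies sshd sessions by PID on that basis; the host, user, address and fingerprint values in the sample are constructed.

```python
import re

# Constructed sample lines in the syslog format quoted in the thread (not real logs).
SAMPLE_LOG = """\
May 10 15:46:27 host1 sshd[1001]: Accepted key RSA SHA256:CONSTRUCTED found at /etc/ssh/example-authorized_keys:1
May 10 15:46:27 host1 sshd[1001]: Partial publickey for svc from 192.0.2.10 port 40000 ssh2: RSA SHA256:CONSTRUCTED
May 10 15:46:27 host1 sshd[1001]: Connection closed by authenticating user svc 192.0.2.10 port 40000 [preauth]
May 10 15:47:02 host1 sshd[1002]: Accepted publickey for svc from 192.0.2.10 port 40001 ssh2: ECDSA SHA256:CONSTRUCTED
May 10 15:48:10 host1 sshd[1003]: Connection closed by authenticating user svc 192.0.2.10 port 40002 [preauth]
"""

LINE = re.compile(r"sshd\[(\d+)\]: (.*)$")
# "Accepted key ... found at" is only an authorized_keys match; the final
# verdict line has the form "<Accepted|Partial> <method> for <user> from <ip>".
VERDICT = re.compile(r"^(Accepted|Partial) (\S+) for (\S+) from (\S+)")
CLOSED = re.compile(r"^Connection closed by authenticating user (\S+) (\S+) port \d+ \[preauth\]")


def classify_sessions(log_text):
    """Return {pid: {"user", "partial", "outcome"}} for each sshd session seen."""
    sessions = {}
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        pid, msg = int(m.group(1)), m.group(2)
        s = sessions.setdefault(pid, {"user": None, "partial": [], "outcome": "incomplete"})
        v = VERDICT.match(msg)
        c = CLOSED.match(msg)
        if v and v.group(1) == "Partial":
            s["user"] = v.group(3)
            s["partial"].append(v.group(2))
        elif v:
            s["user"] = v.group(3)
            s["outcome"] = "authenticated"
        elif c and s["outcome"] != "authenticated":
            s["user"] = c.group(1)
            # A partial success followed by a pre-auth close means sshd asked
            # for a further method and the client disconnected instead.
            s["outcome"] = "more_methods_required" if s["partial"] else "closed_preauth"
    return sessions


def needs_config_review(sessions):
    """PIDs where the server wanted more methods than the client offered."""
    return sorted(p for p, s in sessions.items() if s["outcome"] == "more_methods_required")


if __name__ == "__main__":
    for pid, s in classify_sessions(SAMPLE_LOG).items():
        print(pid, s["user"], s["outcome"], s["partial"])
```

For sessions it flags, `sshd -T -C user=<name>` prints the effective `authenticationmethods` value for that user, which can be compared with what the client is able to offer.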