fix: Failed to create ssh client to the server #16

Open
pythoninthegrass opened this issue Sep 23, 2024 · 15 comments
Labels: bug (Something isn't working), enhancement (New feature or request), planned (Feature requests that I plan to implement soon)

Comments

@pythoninthegrass
Contributor

Hi @MightyMoud !

Having some difficulties getting this running on both Ubuntu 24.04.1 directly and from my laptop running macOS 12.7.4 (21H1123).

On both I'm getting this error:

```
Please enter the IPv4 Address of your VPS: 192.168.8.75
Please enter an email for use with TLS certs: 4097471+pythoninthegrass@users.noreply.github.com
Please enter your docker registery: ghcr.io
Please enter your docker username for the registery: pythoninthegrass
Are you logged in to the docker registery? [Yes/no]: yes

2024/09/23 06:59:58 Failed to create ssh client to the server: ssh: handshake failed: ssh: unable to authenticate, attempted methods [none publickey], no supported methods remain
```

On Ubuntu I had to set up the ssh-agent and add a key manually to get SSH_AUTH_SOCK working as expected.

Didn't do anything special on macOS and got the same result when connecting to the same box.

Reading your summary, it says sidekick logs in as root. Not a fan of this approach from a security perspective; would prefer to log in as a non-root user with sudo privileges to create the sidekick user.

Sidenote: it would be nice to read an .env or toml file to fill in the same info. If you're interested, I can open an issue and/or PR for that.

@MightyMoud
Owner

Hi @pythoninthegrass

I like the idea of reading information directly from a file. Currently, Sidekick will create a global config file ~/.config/sidekick/default.yaml and put the stuff in after you complete the setup. I think also with next release we will require far less info, IP address and an email; assuming root user too.

I get your point about not logging in as root even on first connection. I think in all my testing, I have been setting up out of the box VPS from DO; so I always log in as root to start with. I also made Sidekick with the vision of taking care of everything for you. So it will set up your VPS from the ground up, including making the new sidekick user and disabling the login for root user. I think it makes sense. Might be an overkill to make a new user, give it sudo privileges first, then try to run Sidekick. What do you think?

Back to the error, I can't tell if it's because you disabled login with root or is it because of another issue?

@MightyMoud MightyMoud added the question Further information is requested label Sep 23, 2024
@pythoninthegrass
Contributor Author

Appreciate the quick response @MightyMoud!

Those are good points all around. I'll see if I can spin up a brand new VM with the absolute bare minimum including root login and get back to you.

Re: the .env file, I refactored the init.go file last night and it would be fairly trivial to remove required input when the amount of info is pared down to just the IP address and email.

I'll open a direct issue and PR with the latter being a dialogue where I'm happy to make changes based on your feedback.

@pythoninthegrass
Contributor Author

Related #20

@adampresley

adampresley commented Sep 24, 2024

I am having the same issue. The hosting provider is IONOS. It is a Ubuntu 24 VPS, has a root user, and my default key (id_rsa) is set up on the server. I can confirm that I can run ssh root@<my IP here> without issue. I can also confirm that I see the IP to my server in the known hosts file, which, based on your code, it looks like you are reading.

[Screenshot: CleanShot 2024-09-24 at 15 14 16]

Sidekick was installed via Homebrew. I don't see any version information or a flag to display, so I don't know if that is relevant. I also set up my ~/.ssh/config for an entry with my host both by name and IP to point to the correct SSH key.

@adampresley

After pulling down your code, and much debugging, it turns out that even though I could run ssh root@<myip> successfully, I needed to run ssh-add --apple-use-keychain ~/.ssh/id_rsa. This resolved my issue. Perhaps a small blurb in your README for MacOS folks can help mitigate this issue.

@MightyMoud
Owner

@adampresley Thanks for reporting this. I think I need to improve this. We don't use the default key; Sidekick will query the agent and try the keys we get from there instead. We should try the default key first. I'll add that to my list.
Meanwhile an addition to the README will do.

Funny enough I am on a mac too and I did run the ssh-add command but like it was a month ago, so I forgot to add it as part of the setup.

Also that looks like an outdated version on brew. I'll work on updating that today
Cheers

@MightyMoud MightyMoud added enhancement New feature or request planned Feature requests that I plan to implement soon bug Something isn't working and removed question Further information is requested labels Sep 25, 2024
@adampresley

No problem @MightyMoud. I also noticed on line 36 of cmd/utils/stages.go that you are disabling root SSH access. It might be worth calling that out in the README as well as a side effect. I didn't know that was going to happen and I thought I messed something up on my VPS, so I re-imaged it. Then it happened again so I decided to look over the code and found that line.

@semics-tech

@MightyMoud just to let you know, I tried running sidekick init on a brand new DigitalOcean Ubuntu 24.04 server, before I created another user other than root, and I hit this error. It locked me out of the server (couldn't access via the DigitalOcean console either). I had to recreate the server.

[image]

@TLINDEN

TLINDEN commented Sep 30, 2024

btw - I had the same issue under Linux (Ubuntu as well). After adding the default ssh key to the agent, sidekick init worked.

@mrwyndham

Not working for me. Where am I going wrong?

MacOS Client: Generate a new key under the ~/.ssh/y
MacOS Client: Add a ~/.ssh/config file with IdentityFile ~/.ssh/y
MacOS Client: restart ssh-agent
MacOS Client: connect via ssh@{IP_ADDRESS} it works and asks for SSH key
MacOS Client: sidekick init -> Failed to create ssh client to the server: ssh: handshake failed: ssh: unable to authenticate, attempted methods [none publickey], no supported methods remain

also got the same issue running on linux except it said SSH_SOCK

@dirad

dirad commented Oct 2, 2024

Not sure if to tack on here or create a separate issue.

After adding key with ssh-add, I was able to log in and start kickstart init process. -- [+1 to be able to pass this key as an argument, like -i mykeyfile]
But the process fails on traefik

```
[STDERR]  traefik-service Pulling
panic: error running command - cd sidekick-traefik && sudo docker compose -p sidekick -f docker-compose.traefik.yml up -d: -  traefik-service Pulling

goroutine 1 [running]:
github.com/mightymoud/sidekick/cmd.init.func4(0xc0001a8900?, {0x85bb3d?, 0x4?, 0x85bb41?})
        /home/user/go/pkg/mod/github.com/mightymoud/sidekick@v0.6.0/cmd/init.go:144 +0x1cb9
```

Now I am left with a machine that won't let me log in as root [it was open before]
and sidekick init also fails to start - since it cannot log in as root either...

@MightyMoud
Owner

@dirad Try to ssh using sidekick as user. You should be able to login with the new user named sidekick instead of root. I'll plan to add the flag to tell which key to use as well. It's a good improvement.

@MightyMoud
Owner

Hey guys,

The issue with `attempted methods [none publickey], no supported methods remain` is a problem with the key lookup priority Sidekick goes through. I'll fix that in next release and let you guys know.

I love working on Sidekick. But I work on it after my full-time job. So progress will be slow. So bear with me guys.

Thanks for reporting those issues nonetheless.
There is still a ton of work to do till Sidekick is where I envision it. We will get there. Slowly.

Cheers.
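A pre-flight check for the agent-only key lookup described in this thread, as an added example that is not Sidekick's code: it speaks the ssh-agent protocol over `SSH_AUTH_SOCK` with only the Go standard library and reports whether the agent is missing, unreachable or empty, the three states that lead to `attempted methods [none publickey]`. `Preflight` and `CountIdentities` are hypothetical names.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"io"
	"net"
	"os"
	"time"
)

// CountIdentities reads a framed reply (uint32 length, type, uint32 nkeys, ...).
func CountIdentities(reply []byte) (int, error) {
	if len(reply) < 9 || reply[4] != 12 { // 12 = SSH_AGENT_IDENTITIES_ANSWER
		return 0, errors.New("agent did not return an identities answer")
	}
	return int(binary.BigEndian.Uint32(reply[5:9])), nil
}

// Preflight (hypothetical helper) returns nil if the agent holds at least one key.
func Preflight(sock string) error {
	if sock == "" {
		return errors.New("SSH_AUTH_SOCK is unset: no agent to query")
	}
	conn, err := net.DialTimeout("unix", sock, 2*time.Second)
	if err != nil {
		return fmt.Errorf("agent socket unreachable: %w", err)
	}
	defer conn.Close()
	conn.SetDeadline(time.Now().Add(2 * time.Second))
	// SSH_AGENTC_REQUEST_IDENTITIES (length 1, type 11); failures show as a short reply.
	conn.Write([]byte{0, 0, 0, 1, 11})
	reply := make([]byte, 9)
	n, _ := io.ReadFull(conn, reply)
	count, err := CountIdentities(reply[:n])
	if err == nil && count == 0 {
		err = errors.New("agent is running but holds no keys: add one with ssh-add")
	}
	return err
}

func main() {
	if err := Preflight(os.Getenv("SSH_AUTH_SOCK")); err != nil {
		fmt.Fprintln(os.Stderr, "ssh-agent preflight:", err)
		os.Exit(1)
	}
	fmt.Println("ssh-agent preflight: the agent has at least one key to offer")
}
```

A non-empty agent only shows that some key can be offered; the server must still list that key in the target user's `authorized_keys`.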

@MightyMoud
Owner

@adampresley Thanks for pointing this out. I have added it on the readme

* Disable login with `root` user - security best practice

@dirad

dirad commented Oct 3, 2024

> @dirad Try to ssh using sidekick as user. You should be able to login with the new user named sidekick instead of root. I'll plan to add the flag to tell which key to use as well. It's a good improvement.

Sure, I tried that; I can log in using sidekick, but sidekick itself fails.
It would be best if there was a way for sidekick to get back to what it was about to do, and failed; resuming the init process.
But for sure, you need some way to run it again after it failed, at least from the beginning, otherwise we're left with kind of one leg.
