EBS builder - ssh only authenticating with 1 key


notmyrealname

Feb 22, 2017, 2:11:16 PM
to Packer

Packer v0.12.2
Mac OS X 10.11.6

As suggested, I've moved this from the Github issues page to here as this is probably the best place for it.

Here are my 2 AWS key pairs on the host machine with sensible permissions:

ls -l ~/.ssh | grep key
-rw-------@ server_key.pem
-rw-r--r--  server_key.pub
-rw-------@ aws-key.pem
-rw-r--r--  aws-key.pub

Here they are existing in AWS:

aws ec2 describe-key-pairs
{
    "KeyPairs": [
        {
            "KeyName": "server_key", 
            "KeyFingerprint": "xxxxxxxxxx"
        }, 
        {
            "KeyName": "aws-key", 
            "KeyFingerprint": "xxxxxxxxxx"
        }
    ]
}

The build part of my packer.json. The ami is stock ubuntu.

{
  "variables": {
    "env": null
  },
  "builders": [{
    "type": "amazon-ebs",
    "region": "eu-west-1",
    "source_ami": "ami-98ecb7fe",
    "instance_type": "t2.micro",
    "ssh_username": "ubuntu",
    "ssh_agent_auth": true,
    "ssh_keypair_name": "aws-key",
    "ami_name": "{{user `env`}}-server-{{isotime \"2006-01-02_15-04-05\"}}",
    "run_tags": {"Name": "{{user `env`}}-server"},
    "run_volume_tags": {"Name": "{{user `env`}}-server"}
  }]
}

Everything runs fine when I set "ssh_keypair_name": "aws-key" (full log)

2017/02/21 19:54:04 ui: ==> amazon-ebs: Using SSH Agent for existing key pair aws-key
==> amazon-ebs: Using SSH Agent for existing key pair aws-key
2017/02/21 19:54:04 ui: ==> amazon-ebs: Creating temporary security group for this instance...
...
...
2017/02/21 19:54:21 ui: ==> amazon-ebs: Waiting for SSH to become available...
==> amazon-ebs: Waiting for SSH to become available...
2017/02/21 19:54:36 packer: 2017/02/21 19:54:36 [DEBUG] TCP connection to SSH ip/port failed: dial tcp 34.249.20.107:22: i/o timeout
2017/02/21 19:54:41 packer: 2017/02/21 19:54:41 [DEBUG] TCP connection to SSH ip/port failed: dial tcp 34.249.20.107:22: getsockopt: connection refused
2017/02/21 19:54:46 packer: 2017/02/21 19:54:46 [INFO] Attempting SSH connection...
2017/02/21 19:54:46 packer: 2017/02/21 19:54:46 reconnecting to TCP connection for SSH
2017/02/21 19:54:46 packer: 2017/02/21 19:54:46 handshaking with SSH
2017/02/21 19:54:46 packer: 2017/02/21 19:54:46 handshake complete!
2017/02/21 19:54:46 packer: 2017/02/21 19:54:46 opening new ssh session
2017/02/21 19:54:47 packer: 2017/02/21 19:54:47 [INFO] agent forwarding enabled
2017/02/21 19:54:47 ui: ==> amazon-ebs: Connected to SSH!

However, for any new keys that I create and then set as my "ssh_keypair_name" (in this case "server_key"), I get the following ssh authentication error: (full log)

2017/02/21 19:50:59 ui: ==> amazon-ebs: Using SSH Agent for existing key pair server_key
2017/02/21 19:50:59 ui: ==> amazon-ebs: Creating temporary security group for this instance...
==> amazon-ebs: Using SSH Agent for existing key pair server_key
...
...
2017/02/21 19:51:16 ui: ==> amazon-ebs: Waiting for SSH to become available...
==> amazon-ebs: Waiting for SSH to become available...
2017/02/21 19:51:31 packer: 2017/02/21 19:51:31 [DEBUG] TCP connection to SSH ip/port failed: dial tcp 34.251.38.229:22: i/o timeout
2017/02/21 19:51:39 packer: 2017/02/21 19:51:39 [DEBUG] TCP connection to SSH ip/port failed: dial tcp 34.251.38.229:22: getsockopt: connection refused
2017/02/21 19:51:44 packer: 2017/02/21 19:51:44 [DEBUG] TCP connection to SSH ip/port failed: dial tcp 34.251.38.229:22: getsockopt: connection refused
2017/02/21 19:51:49 packer: 2017/02/21 19:51:49 [INFO] Attempting SSH connection...
2017/02/21 19:51:49 packer: 2017/02/21 19:51:49 reconnecting to TCP connection for SSH
2017/02/21 19:51:49 packer: 2017/02/21 19:51:49 handshaking with SSH
2017/02/21 19:51:50 packer: 2017/02/21 19:51:50 handshake error: ssh: handshake failed: ssh: unable to authenticate, attempted methods [publickey none], no supported methods remain
2017/02/21 19:51:50 packer: 2017/02/21 19:51:50 [DEBUG] SSH handshake err: ssh: handshake failed: ssh: unable to authenticate, attempted methods [publickey none], no supported methods remain
2017/02/21 19:51:50 packer: 2017/02/21 19:51:50 [DEBUG] Detected authentication error. Increasing handshake attempts.
2017/02/21 19:51:57 packer: 2017/02/21 19:51:57 [INFO] Attempting SSH connection...
2017/02/21 19:51:57 packer: 2017/02/21 19:51:57 reconnecting to TCP connection for SSH
2017/02/21 19:51:57 packer: 2017/02/21 19:51:57 handshaking with SSH
2017/02/21 19:51:57 packer: 2017/02/21 19:51:57 handshake error: ssh: handshake failed: ssh: unable to authenticate, attempted methods [none publickey], no supported methods remain
2017/02/21 19:51:57 packer: 2017/02/21 19:51:57 [DEBUG] SSH handshake err: ssh: handshake failed: ssh: unable to authenticate, attempted methods [none publickey], no supported methods remain
2017/02/21 19:51:57 packer: 2017/02/21 19:51:57 [DEBUG] Detected authentication error. Increasing handshake attempts.


Also, whilst the instance is up, I am able to SSH into it (note that the IP address is different to the above failed log as it was a different failed build):


ssh ubu...@34.250.136.97 -i ~/.ssh/server_key.pem
The authenticity of host '34.250.136.97 (34.250.136.97)' can't be established.
ECDSA key fingerprint is xxxxxx.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '34.250.136.97' (ECDSA) to the list of known hosts.
Welcome to Ubuntu 16.04.1 LTS (GNU/Linux 4.4.0-62-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  Get cloud support with Ubuntu Advantage Cloud Guest:
    http://www.ubuntu.com/business/services/cloud

0 packages can be updated.
0 updates are security updates.

Any idea what's going on here or what I could try? 

Thanks.

Rickard von Essen

Feb 22, 2017, 3:25:48 PM
to packe...@googlegroups.com
When you set ssh_keypair_name to server_key you also have to update ssh_private_key_file. But from the logs it looks like you haven't done that.

--
This mailing list is governed under the HashiCorp Community Guidelines - https://www.hashicorp.com/community-guidelines.html. Behavior in violation of those guidelines may result in your removal from this mailing list.
 
GitHub Issues: https://github.com/mitchellh/packer/issues
IRC: #packer-tool on Freenode
---
You received this message because you are subscribed to the Google Groups "Packer" group.
To unsubscribe from this group and stop receiving emails from it, send an email to packer-tool+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/packer-tool/fec75b8a-4223-4275-adb7-38dfc22b057a%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

notmyrealname

Feb 22, 2017, 4:04:49 PM
to Packer
Hi Rickard. I just ran the build again, this time with ssh_private_key_file set to the location of the key and unfortunately it still failed (see log file). Note that the build works for aws-key even if I don't set ssh_private_key_file.

Rickard von Essen

Feb 23, 2017, 3:52:16 AM
to packe...@googlegroups.com
Most likely it's because you have the first key loaded in your ssh agent. What's the printout of:

ssh-add -l
aws ec2 describe-key-pairs --output text
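
A pre-flight check for the mismatch diagnosed above, as an added example that is not part of the original thread: it compares the fingerprint of the key file for the key pair named in ssh_keypair_name against what `ssh-add -l` reports. The function names, the script name and the key path passed as an argument are assumptions.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): confirm that the key behind the key pair
# named in "ssh_keypair_name" is loaded in ssh-agent before running a build
# with "ssh_agent_auth": true.

# Print the fingerprint field of a public or private key file.
fingerprint_of() {
  ssh-keygen -l -f "$1" | awk '{ print $2 }'
}

# agent_has_key <fingerprint> <ssh-add -l output>
# Succeeds only if the fingerprint is the second field of some listing line.
agent_has_key() {
  printf '%s\n' "$2" | awk -v fp="$1" '$2 == fp { found = 1 } END { exit !found }'
}

# check_keypair <key file>: 0 = loaded, 1 = not loaded, 2 = key file unreadable.
check_keypair() {
  local fp listing
  fp=$(fingerprint_of "$1")
  [ -n "$fp" ] || return 2
  # ssh-add -l exits non-zero when the agent is empty or unreachable.
  listing=$(ssh-add -l 2>/dev/null) || true
  if agent_has_key "$fp" "$listing"; then
    echo "OK: $1 ($fp) is loaded in ssh-agent"
  else
    echo "MISSING: $1 ($fp) is not in ssh-agent; load it with ssh-add" >&2
    return 1
  fi
}

# Run only when a key file is given, e.g.:
#   ./check_agent_key.sh ~/.ssh/server_key.pub
if [ "$#" -gt 0 ]; then
  check_keypair "$1"
fi
```

For RSA key pairs, the KeyFingerprint shown by `aws ec2 describe-key-pairs` is not in the format `ssh-add -l` prints, which is why the check compares against the local key file instead.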


notmyrealname

Feb 23, 2017, 5:09:53 PM
to Packer
Wow! I knew it would be something dumb :-)

Thanks a lot.

notmyrealname

Feb 23, 2017, 5:13:06 PM
to Packer
Quick question, why does it not seem to matter whether I set ssh_private_key_file or not?

rakes...@gmail.com

Mar 23, 2017, 3:11:04 PM
to Packer
I am getting the below error. Can you please suggest what to do to fix this issue?

amazon-ebs output will be in this color.

==> amazon-ebs: Prevalidating AMI Name...
    amazon-ebs: Found Image ID: ami-6d1c2007
==> amazon-ebs: Using SSH Agent with key pair in Source AMI
==> amazon-ebs: Launching a source AWS instance...
    amazon-ebs: Instance ID: i-0ba9189303f694c4f
==> amazon-ebs: Waiting for instance (i-0ba9189303f694c4f) to become ready...
==> amazon-ebs: Adding tags to source instance
==> amazon-ebs: Waiting for SSH to become available...
==> amazon-ebs: Timeout waiting for SSH.
==> amazon-ebs: Terminating the source AWS instance...
==> amazon-ebs: Cleaning up any extra volumes...
==> amazon-ebs: Destroying volume (vol-0548b24c3295c3acd)...
Build 'amazon-ebs' errored: Timeout waiting for SSH.

==> Some builds didn't complete successfully and had errors:
--> amazon-ebs: Timeout waiting for SSH.

==> Builds finished but no artifacts were created.
sh-3.2#

Thanks,
Rakesh

Rickard von Essen

Mar 23, 2017, 4:53:12 PM
to packe...@googlegroups.com
You couldn't connect to the instance, but without more details it's hard to say why. Could you provide your template? 
