Bazaar

Can't commit as my ssh key seems to be not recognized

Asked by Didier Roche-Tolomelli

Hi,

I try to follow the launchpad guide with gnuhello project test.
When i try to push the code, I received this error;

$ bzr push bzr+ssh://<email address hidden>/~didrocks/gnuhello/mine
Permission denied (publickey).
bzr: ERROR: Connection closed: please check connectivity and permissions (and try -Dhpss if further diagnosis is required)

But my public ssh key (stored in ~/.ssh/id_dsa.pub) is the right one, corresponding to the one registered on launchpad (The passphrase as already been unlock as I use also it to authentificate to others servers).

I tried also to connect directly to launchpad ssh server:
$ ssh -vvv <email address hidden>/
OpenSSH_4.7p1 Debian-8ubuntu1.2, OpenSSL 0.9.8g 19 Oct 2007
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
ssh: bazaar.launchpad.net/: Name or service not known

Do you have any idea about this issue ?
Thanks

Question information

Language:
English Edit question
Status:
Solved
For:
Bazaar Edit question
Assignee:
No assignee Edit question
Solved by:
Didier Roche-Tolomelli
Solved:
Last query:
Last reply:
Revision history for this message
John A Meinel (jameinel) said : 		#1

To test direct connections, you need to use:
ssh -vvv <email address hidden>

(no trailing slash)

Because this is a DSA key, it is possible that LP no longer accepts that key. There was a recent vulnerability for ssh keys generated with certain versions of openssh (mostly debian based ones.)

Also, LP probably won't let you ssh in directly, but you could try "sftp <email address hidden>".

My guess is that you need to generate an 'rsa' key (using ssh-keygen), and add that to your ssh keys

I *do* see a key listed here:
https://edge.launchpad.net/%7Edidrocks/+sshkeys

So it might be something else.

Revision history for this message
Didier Roche-Tolomelli (didrocks) said : 		#2

Hi, and thank for your answer.

My dsa key has been regenerated after the debian OpenSSL vulnerability and corresponds to the one you show in the link, so I think my key is not backlisted.
Do you thing that LP doesn't take DSA key, even it is not specified?

I tried a direct test connection again:
$ ssh -vvv <email address hidden>
OpenSSH_4.7p1 Debian-8ubuntu1.2, OpenSSL 0.9.8g 19 Oct 2007
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to bazaar.launchpad.net [91.189.94.254] port 22.
debug1: Connection established.
debug1: identity file /home/didrocks/.ssh/identity type -1
debug1: identity file /home/didrocks/.ssh/id_rsa type -1
debug3: Not a RSA1 key file /home/didrocks/.ssh/id_dsa.
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug3: key_read: missing keytype
debug2: key_type_from_name: unknown key type 'Proc-Type:'
debug3: key_read: missing keytype
debug2: key_type_from_name: unknown key type 'DEK-Info:'
debug3: key_read: missing keytype
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug2: key_type_from_name: unknown key type '-----END'
debug3: key_read: missing keytype
debug1: identity file /home/didrocks/.ssh/id_dsa type 2
debug1: Remote protocol version 2.0, remote software version Twisted
debug1: no match: Twisted
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1.2
debug2: fd 3 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,<email address hidden>,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,<email address hidden>,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,<email address hidden>,hmac-ripemd160,<email address hidden>,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,<email address hidden>,hmac-ripemd160,<email address hidden>,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,<email address hidden>,zlib
debug2: kex_parse_kexinit: none,<email address hidden>,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa
debug2: kex_parse_kexinit: aes256-ctr,aes256-cbc,aes192-ctr,aes192-cbc,aes128-ctr,aes128-cbc,cast128-ctr,cast128-cbc,blowfish-ctr,blowfish-cbc,3des-ctr,3des-cbc
debug2: kex_parse_kexinit: aes256-ctr,aes256-cbc,aes192-ctr,aes192-cbc,aes128-ctr,aes128-cbc,cast128-ctr,cast128-cbc,blowfish-ctr,blowfish-cbc,3des-ctr,3des-cbc
debug2: kex_parse_kexinit: hmac-sha1,hmac-md5
debug2: kex_parse_kexinit: hmac-sha1,hmac-md5
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 none
debug2: mac_setup: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 none
debug2: dh_gen_key: priv key bits set: 129/256
debug2: bits set: 502/1024
debug1: sending SSH2_MSG_KEXDH_INIT
debug1: expecting SSH2_MSG_KEXDH_REPLY
debug3: check_host_in_hostfile: filename /home/didrocks/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 6
debug3: check_host_in_hostfile: filename /home/didrocks/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 7
debug1: Host 'bazaar.launchpad.net' is known and matches the RSA host key.
debug1: Found key in /home/didrocks/.ssh/known_hosts:6
debug2: bits set: 531/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /home/didrocks/.ssh/id_dsa (0xb7fbb320)
debug2: key: /home/didrocks/.ssh/identity ((nil))
debug2: key: /home/didrocks/.ssh/id_rsa ((nil))
debug1: Authentications that can continue: publickey
debug3: start over, passed a different list publickey
debug3: preferred gssapi-keyex,gssapi-with-mic,gssapi,publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering public key: /home/didrocks/.ssh/id_dsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey
debug1: Trying private key: /home/didrocks/.ssh/identity
debug3: no such identity: /home/didrocks/.ssh/identity
debug1: Trying private key: /home/didrocks/.ssh/id_rsa
debug3: no such identity: /home/didrocks/.ssh/id_rsa
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
Permission denied (publickey).

So, it seems to find the dsa key...

Another test :
$ sftp <email address hidden>
Connecting to bazaar.launchpad.net...
Permission denied (publickey).
Couldn't read packet: Connection reset by peer

Same error... Do you have an idea of what's going wrong?

Revision history for this message
John A Meinel (jameinel) said : 		#3

I know that Canonical's other machines have chosen to deny all DSA keys. They may have done the same for Launchpad. My understanding is that they cannot tell whether a DSA key is vulnerable or not, and that if you connected to a vulnerable host with a DSA key, then your key could be compromised.

Looking at the verbose connection, I can see that it is *not* trying your DSA key. It tries:

debug1: Next authentication method: publickey
debug1: Offering public key: /home/didrocks/.ssh/id_dsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey
debug1: Trying private key: /home/didrocks/.ssh/identity
debug3: no such identity: /home/didrocks/.ssh/identity
debug1: Trying private key: /home/didrocks/.ssh/id_rsa
debug3: no such identity: /home/didrocks/.ssh/id_rsa

but it is not accepted.

So it looks like you need to create an RSA key, after all.

Revision history for this message
Didier Roche-Tolomelli (didrocks) said : 		#4

That's right, the RSA key finally work :)

Revision history for this message
Antoine Pairet (b-ly) said : 		#5

Hi !
I have a similar problem. Here's the output of "ssh -vvv <email address hidden>"

OpenSSH_5.1p1 Debian-3ubuntu1, OpenSSL 0.9.8g 19 Oct 2007
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to bazaar.launchpad.net [91.189.90.11] port 22.
debug1: Connection established.
debug1: identity file /home/antoine/.ssh/identity type -1
debug1: identity file /home/antoine/.ssh/id_rsa type -1
debug1: identity file /home/antoine/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version Twisted
debug1: no match: Twisted
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.1p1 Debian-3ubuntu1
debug2: fd 3 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,<email address hidden>,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,<email address hidden>,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,<email address hidden>,hmac-ripemd160,<email address hidden>,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,<email address hidden>,hmac-ripemd160,<email address hidden>,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,<email address hidden>,zlib
debug2: kex_parse_kexinit: none,<email address hidden>,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa
debug2: kex_parse_kexinit: aes256-ctr,aes256-cbc,aes192-ctr,aes192-cbc,aes128-ctr,aes128-cbc,cast128-ctr,cast128-cbc,blowfish-ctr,blowfish-cbc,3des-ctr,3des-cbc
debug2: kex_parse_kexinit: aes256-ctr,aes256-cbc,aes192-ctr,aes192-cbc,aes128-ctr,aes128-cbc,cast128-ctr,cast128-cbc,blowfish-ctr,blowfish-cbc,3des-ctr,3des-cbc
debug2: kex_parse_kexinit: hmac-sha1,hmac-md5
debug2: kex_parse_kexinit: hmac-sha1,hmac-md5
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 none
debug2: mac_setup: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 none
debug2: dh_gen_key: priv key bits set: 131/256
debug2: bits set: 501/1024
debug1: sending SSH2_MSG_KEXDH_INIT
debug1: expecting SSH2_MSG_KEXDH_REPLY
debug3: check_host_in_hostfile: filename /home/antoine/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 2
debug3: check_host_in_hostfile: filename /home/antoine/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 3
debug1: Host 'bazaar.launchpad.net' is known and matches the RSA host key.
debug1: Found key in /home/antoine/.ssh/known_hosts:2
debug2: bits set: 523/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /home/antoine/.ssh/identity ((nil))
debug2: key: /home/antoine/.ssh/id_rsa ((nil))
debug2: key: /home/antoine/.ssh/id_dsa ((nil))
debug1: Authentications that can continue: publickey
debug3: start over, passed a different list publickey
debug3: preferred gssapi-keyex,gssapi-with-mic,gssapi,publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /home/antoine/.ssh/identity
debug3: no such identity: /home/antoine/.ssh/identity
debug1: Trying private key: /home/antoine/.ssh/id_rsa
debug3: no such identity: /home/antoine/.ssh/id_rsa
debug1: Trying private key: /home/antoine/.ssh/id_dsa
debug3: no such identity: /home/antoine/.ssh/id_dsa
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
Permission denied (publickey).

Is it a problem of email address? I have two registred emails on launchpad antoine AT pairet DOT be and lists AT pairet DOT be.

Revision history for this message
John A Meinel (jameinel) said : 		#6

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Antoine Pairet wrote:
> Question #36322 on Bazaar changed:
> https://answers.launchpad.net/bzr/+question/36322
>
> Antoine Pairet posted a new comment:
> Hi !
> I have a similar problem. Here's the output of "ssh -vvv <email address hidden>"

You seem to have one key registered here:
https://edge.launchpad.net/~b-ly/+sshkeys

...

> debug1: identity file /home/antoine/.ssh/identity type -1
> debug1: identity file /home/antoine/.ssh/id_rsa type -1
> debug1: identity file /home/antoine/.ssh/id_dsa type -1

^- Does this mean that these files don't exist?

> debug2: key: /home/antoine/.ssh/identity ((nil))
> debug2: key: /home/antoine/.ssh/id_rsa ((nil))
> debug2: key: /home/antoine/.ssh/id_dsa ((nil))
> debug1: Authentications that can continue: publickey
> debug3: start over, passed a different list publickey
> debug3: preferred gssapi-keyex,gssapi-with-mic,gssapi,publickey,keyboard-interactive,password
> debug3: authmethod_lookup publickey
> debug3: remaining preferred: keyboard-interactive,password
> debug3: authmethod_is_enabled publickey
> debug1: Next authentication method: publickey
> debug1: Trying private key: /home/antoine/.ssh/identity
> debug3: no such identity: /home/antoine/.ssh/identity
> debug1: Trying private key: /home/antoine/.ssh/id_rsa
> debug3: no such identity: /home/antoine/.ssh/id_rsa
> debug1: Trying private key: /home/antoine/.ssh/id_dsa
> debug3: no such identity: /home/antoine/.ssh/id_dsa
> debug2: we did not send a packet, disable method
> debug1: No more authentication methods to try.
> Permission denied (publickey).
>
> Is it a problem of email address? I have two registred emails on
> launchpad antoine AT pairet DOT be and lists AT pairet DOT be.
>

If I read that correctly, you don't have any ssh private keys locally. I
don't know what ssh-key you *do* have registered.

Perhaps you should use "ssh-keygen" to generate a new key, and then
upload the corresponding ~/.ssh/id_rsa.pub file, so that the new key is
also authorized to access your launchpad account.

John
=:->

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Cygwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkmR/qcACgkQJdeBCYSNAAOywwCfUeYvVsrQZqR777VigpdhakZY
Tv8An169VvBJk7bkPG9nGH+Os5e8j6wg
=5QEx
-----END PGP SIGNATURE-----

Revision history for this message
Antoine Pairet (b-ly) said : 		#7

Great! Thank you, you solved my problem.

Here's the content of my .ssh folder before creating a new ssh key:

-rw------- 1 antoine antoine 0 2009-02-10 23:03 authorized_keys
-rw------- 1 antoine antoine 1743 2008-11-05 02:00 key
-rw-r--r-- 1 antoine antoine 397 2008-11-05 02:00 key.pub
-rw-r--r-- 1 antoine antoine 1793 2008-11-08 11:21 known_hosts
-rw------- 1 antoine antoine 396 2009-02-10 23:03 other_keys.seahorse

After running ssh-keygen, two new files are created. I uploaded ~/.ssh/id_rsa.pub on Launchpad and I now able use its bazaar infrastructure.

Thanks a lot!