
For context, I am trying to create a deploy script on my local machine (A) to deploy my code to a remote server (B). I don't have root access on B.

Here are the contents of my bash script pertaining to this:

```bash
# Unquoted EOF: $PROJECT is expanded on A, while ~ is expanded on B.
ssh "$SSH_ENDPOINT" /bin/bash << EOF
cd ~/$PROJECT
git pull
EOF
```

I can ssh in successfully, then cd into the directory. However, git pull fails with:

```
Permission denied (publickey).
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.
```

On both A and B, I have set up SSH with GitHub and it works fine, I can push and pull without having to enter any passphrase or anything of the sort.

I'm not completely sure why this error is being thrown as both public keys should work.

EDIT: Doing -vv with ssh gives:

```
debug2: channel 0: rcvd ext data 32
Permission denied (publickey).
debug2: channel 0: written 32 to efd 6
debug2: channel 0: rcvd ext data 126
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.
```

Not quite sure how to proceed from here.

torek
Ajay Pillay
  • One difference is that your `ssh` command starts a *noninteractive* shell, which means that your ordinary configuration files (`.bash_profile` or `.bashrc`, e.g.) won't be sourced. That might affect ... something. – chepner Jun 17 '22 at 13:30
  • And with ssh-issues the usual recommendation is to run the failing command with `-vv` (add more v's depending on the needed level of detail). – tink Jun 17 '22 at 17:53
  • Sorry I'm not entirely sure I follow here. I'm not sure what publickey I'm missing, and I'm not sure where it's being read from. I added `-vv` to `ssh` and the only thing extra printed is as per my edited post. – Ajay Pillay Jun 17 '22 at 20:49
  • There should be lines in the `ssh -vv` output about which public key is being offered to the remote ssh daemon, like this: `debug1: Offering public key: <...>` – Erwin Jun 18 '22 at 03:11
  • To avoid putting a passphrase-less key on the remote server you could consider adding the key on server A to your ssh-agent (with `ssh-add ~/.ssh/yourkey`) and then using `ssh -A` to forward the authentication agent to server B. – Erwin Jun 18 '22 at 23:00

2 Answers


> I can ssh in successfully, then cd into the directory

But with which user?
If you ssh in and try the failed git pull again, first run this (in your interactive SSH testing session):

```bash
export GIT_SSH_COMMAND='ssh -Tv'
```

That way, you will see which user/keys are considered for any Git operation involving SSH.

VonC
  • With this, now I see that the public key being offered is from my remote server but I get the following error: `debug1: read_passphrase: can't open /dev/tty: No such device or address`. I don't have root access, I am logged in as a regular user. This is a containerized system so I don't have root access. – Ajay Pillay Jun 18 '22 at 08:54
  • As a bandaid fix, I just removed the passphrase for the key. Then it works perfectly fine. I'm not sure how else to do it, I tried the solutions in this thread https://stackoverflow.com/questions/21095054/ssh-key-still-asking-for-password-and-passphrase but none of them persist having the passphrase stored across logins when done manually. – Ajay Pillay Jun 18 '22 at 09:51
  • @AjayPillay Any chance to run the [ssh-agent service](https://stackoverflow.com/a/68386656/6309)? – VonC Jun 18 '22 at 16:37

Based on your comments under VonC's answer, the issue occurs once you're running commands on machine $SSH_ENDPOINT. The Git command run there, which uses the ssh program installed there, needs to read a passphrase to decrypt the keys on machine $SSH_ENDPOINT.

There are two methods to handle that issue:

  • don't use a passphrase-encrypted key; or
  • do use an ssh agent, and have the agent do a pass-through (see `-A` agent forwarding in the ssh manual).

In the latter case, you don't need to store the private key on machine $SSH_ENDPOINT at all. Just create the `.ssh` directory with the proper public key, if you need to select a particular public key with `Identity` and/or `IdentitiesOnly` lines. (If there's only one key to use you may not need any of this, but in the setups I've used in the past, I always had multiple public keys and needed ssh to select the right one from them.)

Note that the agent will be running on your local machine ("machine A" in your question). There will be a pass-through running on machine B that obtains the private key from machine A on demand. If the key on machine A needs a passphrase, you may have to supply it at that time.

torek
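
The agent-forwarding approach from the answer above, written out as a deploy script run on machine A. This is an added example, not code from the question or from either answer; `SSH_ENDPOINT` and `PROJECT` are the question's variables, while the function names and the `SSH_BIN` / `SSH_ADD_BIN` overrides are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example, runs on machine A. SSH_ENDPOINT and PROJECT are the question's
# variables; function names and the SSH_BIN / SSH_ADD_BIN overrides are assumed.
SSH_BIN=${SSH_BIN:-ssh}
SSH_ADD_BIN=${SSH_ADD_BIN:-ssh-add}

# `ssh-add -l` exits 0 when the agent holds keys, 1 when it holds none,
# and 2 when no agent can be contacted.
agent_state() {
    rc=0
    "$SSH_ADD_BIN" -l >/dev/null 2>&1 || rc=$?
    case $rc in
        0) echo loaded ;;
        1) echo empty ;;
        *) echo unreachable ;;
    esac
}

# Emit the commands that run on B. The project name is spliced into a remote
# shell, so anything outside a conservative path alphabet is refused.
remote_script() {
    case $1 in
        ''|*[!A-Za-z0-9._/-]*) echo "unsafe project path: $1" >&2; return 1 ;;
    esac
    # Single-quoted lines are expanded on B, not on A.
    printf '%s\n' \
        'set -e' \
        '[ -n "$SSH_AUTH_SOCK" ] || { echo "no forwarded agent on B" >&2; exit 1; }' \
        "cd ~/$1" \
        "GIT_SSH_COMMAND='ssh -o BatchMode=yes' git pull"
}

# deploy ENDPOINT PROJECT
deploy() {
    if [ "$(agent_state)" != loaded ]; then
        echo "agent on A is $(agent_state); run ssh-add on A first" >&2
        return 1
    fi
    script=$(remote_script "$2") || return 1
    # -A forwards A's agent for this connection only; the private key stays on A.
    # BatchMode on B makes git fail immediately instead of trying to prompt
    # on a /dev/tty that a non-interactive session does not have.
    printf '%s\n' "$script" | "$SSH_BIN" -A -T "$1" /bin/bash
}

if [ -n "${SSH_ENDPOINT:-}" ] && [ -n "${PROJECT:-}" ]; then
    deploy "$SSH_ENDPOINT" "$PROJECT"
fi
```

While the forwarded connection is open, any account on B that can reach the agent socket (the same user, or root) can ask A's agent to sign with the loaded keys, so forward only to hosts you trust.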