ssh-deploy icon indicating copy to clipboard operation
ssh-deploy copied to clipboard
verified publisher icon easingthemes

Deployment Failed, Permission denied (publickey,password).

Open ItsYasser opened this issue 2 years ago • 16 comments

while doing GitHub actions to link with my digital ocean server im getting this error

Run easingthemes/[email protected] [general] GITHUB_WORKSPACE: /home/runner/work/laravelTest/laravelTest [SSH] Creating /home/runner/.ssh dir in /home/runner/work/laravelTest/laravelTest ✅ [SSH] dir created. [SSH] Creating /home/runner/.ssh/known_hosts file in /home/runner/work/laravelTest/laravelTest ✅ [SSH] file created. ✅ Ssh key added to .ssh` dir /home/runner/.ssh/deploy_key [Rsync] Starting Rsync Action: /home/runner/work/laravelTest/laravelTest/ to @:*** [Rsync] exluding folders ⚠️ [Rsync] error: rsync exited with code 255 ⚠️ [Rsync] stderr: Warning: Permanently added '***' (ED25519) to the list of known hosts. Load key "/home/runner/.ssh/deploy_key": error in libcrypto Permission denied, please try again. Permission denied, please try again. @: Permission denied (publickey,password). rsync: connection unexpectedly closed (0 bytes received so far) [sender] rsync error: unexplained error (code 255) at io.c(231) [sender=3.2.7]

⚠️ [Rsync] stdout:
⚠️ [Rsync] cmd: rsync /home/runner/work/laravelTest/laravelTest/ @:*** --rsh "ssh -p 22 -i /home/runner/.ssh/deploy_key -o StrictHostKeyChecking=no" --recursive --exclude= -rltgoDzvO 1: 0xb090e0 node::Abort() [/home/runner/runners/2.311.0/externals/node16/bin/node] 2: 0xb79379 [/home/runner/runners/2.311.0/externals/node16/bin/node] 3: 0xd3df8e [/home/runner/runners/2.311.0/externals/node16/bin/node] 4: 0xd3f3af v8::internal::Builtin_HandleApiCall(int, unsigned long*, v8::internal::Isolate*) [/home/runner/runners/2.311.0/externals/node16/bin/node]`

  1. I verified my private ssh key
  2. I added the public key to the authorized keys
  3. I added the key identity to the config file (IdentityFile)
  4. I gave the permissions to the target dir file
  5. I installed and upgraded the rsync
  6. I verified the username and the host ip
  7. Ssh key is in RSA format
  8. I Enabled Password Authentication
  9. tried to add space at the end of the private key

ItsYasser avatar Nov 05 '23 14:11 ItsYasser

same issue :( PLEASE HELP

AmineZeroual avatar Nov 05 '23 14:11 AmineZeroual

we are having the same problem

QwiriTech avatar Nov 05 '23 14:11 QwiriTech

Same issue, solved it by adding a new line at the end of private key.

davyxx3 avatar Nov 22 '23 21:11 davyxx3

Same issue, solved it by adding a new line at the end of private key.

me too

lzm0x219 avatar Nov 24 '23 07:11 lzm0x219

Same issue, solved it by adding a new line at the end of private key.

it works for me

heavenmei avatar Dec 02 '23 09:12 heavenmei

This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.

github-actions[bot] avatar Jan 02 '24 01:01 github-actions[bot]

Reopened, since it still require manual workaround.

easingthemes avatar Jan 18 '24 20:01 easingthemes

in my webhost hetzner is working but in 1&1 webhost getting error

Should we consider making some adjustments to our server?

premisson denied to change sshd_config however ...

1&1 ( ionos ) cat /etc/ssh/sshd_config 

# Package generated configuration file
# See the sshd_config(5) manpage for details

# What ports, IPs and protocols we listen for
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0

# 2007-11-05 cg: kein SSHv1 mehr (HOST.342)
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key

Compression yes

# 2015-12-09  TECCM-11090 :: 2 ssh client alive options
ClientAliveInterval 600
ClientAliveCountMax 3

# This NEEDS to be LOCAL0
SyslogFacility LOCAL0

LogLevel VERBOSE

# Authentication:
LoginGraceTime 30
PermitRootLogin no
StrictModes yes
AllowGroups ftpusers

PubkeyAuthentication yes
#AuthorizedKeysFile     %h/.ssh/authorized_keys

# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes

# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no

# Change to no to disable tunnelled clear text passwords
PasswordAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

AllowTcpForwarding no
GatewayPorts no
X11Forwarding no
X11DisplayOffset 10
PrintMotd no
PrintLastLog no
TCPKeepAlive yes
PermitUserEnvironment no

#MaxStartups 10:30:60
#Banner /etc/issue.net

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

# Notes for subsystem sftp: We need to fulfill the constraint given by
#   rssh that the executable MUST READ /usr/lib/openssh/sftp-server
#   exactly, and therefore cannot be prepended with fakechroot
#   directly.  Therefore, we do all the details (fakechroot, ...) in a
#   wrapper script.  See package ui-infong-openssh-fakechroot-wrapper
#   for details.
#
Subsystem sftp /usr/lib/openssh/sftp-server

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes

# Hide comment part of the version string: show `SSH-2.0-OpenSSH_7.9p1'
# instead of `SSH-2.0-OpenSSH_7.9p1 Debian-10+deb10u1~ui10+2`.
DebianBanner no

in 1&1 (ionos) : cd ~/.ssh -bash: cd: /kunden/homepages/8/xxxx/htdocs/.ssh: Permission denied

in hetzner : going to /ssh if you need more info let me please know

javidnikoo avatar Jan 21 '24 23:01 javidnikoo

Same issue, solved it by adding a new line at the end of private key.

Is this a bug? Why we need an extra line after -----END OPENSSH PRIVATE KEY----- ? Could this be maybe mentioned at the docs? I struggled 1 week because of this anomaly. Thanks for the right hint @davyxx3 👍

vajda-media avatar Jan 29 '24 19:01 vajda-media

Can you try SCRIPT_BEFORE param, eg SCRIPT_BEFORE: ls. This will force known_hosts update, adding your host via ssh-keyscan.

Added info into REDME. Screenshot 2024-01-31 at 02 03 13.

Probably the same issue: https://github.com/easingthemes/ssh-deploy/issues/143

easingthemes avatar Jan 31 '24 01:01 easingthemes

i got the same error Deployment Failed, Permission denied (publickey). All of the solutions presented above have failed. i tried "ssh-keygen -t rsa -b 4096" to generate a key pair and it worked out. but "ssh-keygen -m PEM -t rsa -b 4096" still not works for me.

chungyeong avatar Feb 22 '24 07:02 chungyeong

@chungyeong in my case none of the solutions worked and also changing the key from PEM to RSA also didn't work :( My host: Ubuntu 22

tecnologiaflashcardsconcursos avatar Apr 22 '24 01:04 tecnologiaflashcardsconcursos

I solved the authorisation failure problem by first adding a new line at the end of the private key, after which I also needed to run cat id_rsa.pub >> authorized_keys on the server.

The reason why this is needed, I thought ssh-deploy must be going password free login with the help of a private key, I tried to log in to the server on my computer via the private key as well, and expected this error, so I checked the relevant error messages, and finally I found out that I need to copy the public key paired with the private key to authorized_keys to open up the authorisation.

supuwoerc avatar May 24 '24 08:05 supuwoerc

I solved the authorisation failure problem by first adding a new line at the end of the private key, after which I also needed to run cat id_rsa.pub >> authorized_keys on the server.我首先在私钥末尾添加了一个新行,然后还需要在服务器上运行 cat id_rsa.pub >> authorized_keys ,从而解决了授权失败问题。

The reason why this is needed, I thought ssh-deploy must be going password free login with the help of a private key, I tried to log in to the server on my computer via the private key as well, and expected this error, so I checked the relevant error messages, and finally I found out that I need to copy the public key paired with the private key to authorized_keys to open up the authorisation.之所以需要这个,我以为ssh-deploy一定是在私钥的帮助下去免密码登录,我也尝试通过私钥登录到我电脑上的服务器,并预料到这个错误,所以我检查了相关的错误信息,最后我发现我需要复制与私钥配对的公钥才能authorized_keys打开授权。

@easingthemes @chungyeong @tecnologiaflashcardsconcursos

supuwoerc avatar May 24 '24 08:05 supuwoerc

This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.

github-actions[bot] avatar Aug 23 '24 01:08 github-actions[bot]