#2854 Unable to scp to fedorahosted.org using FAS pubkey
Closed: Fixed None Opened 12 years ago by jcwillia.

= phenomenon =

Unable to upload mock tarballs using FAQ method:

{{{
$ scp mock-1.1.11.tar.gz jcwillia@fedorahosted.org:mock
Permission denied (publickey).
lost connection
}}}

First few attempts were done with incorrect login (my RH account: williams) but after clearing that up and making sure to use my FAS account (jcwillia) I'm still seeing Permission denied messages. I even generated a new ssh keypair and uploaded the new RSA pub info to my FAS account, but saw no change in behavior.

{{{
$ ssh-add -l
1024 c3:38:81:75:37:89:1f:d3:8d:a1:b4:83:4b:85:45:38 Public Key (RSA1)
2048 d9:ea:1f:21:e3:46:e8:e8:1d:13:82:b6:54:40:7f:67 williams@redhat.com (DSA)
2048 b7:7f:93:8d:c2:eb:bc:ca:b8:fd:53:53:c5:1d:a6:68 williams@riff (RSA)
2048 3b:bf:6f:cb:0f:3a:6e:59:f2:f3:2a:68:cb:0e:1d:04 williams@torg (RSA)
2048 43:49:4c:3f:3d:71:b1:c3:69:68:8e:f0:88:8c:af:30 /home/williams/.ssh/id_rsa (RSA)
2048 d9:ea:1f:21:e3:46:e8:e8:1d:13:82:b6:54:40:7f:67 /home/williams/.ssh/id_dsa (DSA)
2048 b7:7f:93:8d:c2:eb:bc:ca:b8:fd:53:53:c5:1d:a6:68 /home/williams/.ssh/fedora_fas (RSA)
2048 43:49:4c:3f:3d:71:b1:c3:69:68:8e:f0:88:8c:af:30 williams@redhat.com (RSA)
}}}

Note the fedora_fas entry.


I think we narrowed this down to an issue on the client end... and you found at least a workaround?

Please re-open/let us know if there is anything more we can do from here.

The problem here is that the FAS publickey is the seventh one on the list in his SSH agent. The SSH server on fedorahosted has MaxAuthTries = 6, which means that it disconnects the user after they send six incorrect keys.

This is one of the less-intelligent things that openssh does, but it doesn't have a way to challenge you with the correct pubkey.

As a client-side workaround, you can do:
{{{
SSH_AUTH_SOCK= scp -i /home/williams/.ssh/fedora_fas <file> fedorahosted.org:
}}}

This temporarily disables the access to your SSH agent and tells it to use a specific key instead.

They can use the .ssh/config option IdentityFile as well, to not have to enter it on the command line all the time.

{{{
Host fedorahosted.org
    IdentityFile /home/mdomsch/.ssh/id_dsa
}}}
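
The MaxAuthTries counting described in the comments above, as an added example that is not part of the ticket: it reports where an identity sits in `ssh-add -l` output and whether it would be reached before the server's limit. The function names, the sample listing and its placeholder fingerprints are constructed for illustration, and the script assumes every listed identity is offered in listing order.

```shell
#!/bin/sh
# Added example, not code from the ticket. Reads `ssh-add -l` output on stdin.
# Assumption: every listed identity is offered in listing order and each
# rejected one counts against the server's MaxAuthTries (the counting used in
# the ticket); a real client may skip or reorder entries.

# Print the 1-based position of the first line containing $1, or 0 if absent.
key_position() {
    awk -v pat="$1" '
        index($0, pat) { print NR; found = 1; exit }
        END { if (!found) print 0 }'
}

# Succeed only if the identity matching $1 is reached within $2 attempts.
offered_in_time() {
    pos=$(key_position "$1")
    [ "$pos" -ge 1 ] && [ "$pos" -le "$2" ]
}

# Constructed listing: placeholder fingerprints, hypothetical comments/paths.
sample_listing() {
    cat <<'EOF'
2048 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:01 key1@example (RSA)
2048 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:02 key2@example (RSA)
2048 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:03 key3@example (RSA)
2048 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:04 key4@example (RSA)
2048 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:05 key5@example (RSA)
2048 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:06 key6@example (RSA)
2048 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:07 /home/user/.ssh/fedora_fas (RSA)
EOF
}

max_auth_tries=6   # value quoted in the ticket for fedorahosted
pos=$(sample_listing | key_position fedora_fas)
if sample_listing | offered_in_time fedora_fas "$max_auth_tries"; then
    echo "fedora_fas is identity #$pos: reached within $max_auth_tries tries"
else
    echo "fedora_fas is identity #$pos: not reached within $max_auth_tries tries;"
    echo "pin it with -i or IdentityFile instead of relying on the agent order"
fi
```

Against a live agent, pipe `ssh-add -l` into `key_position` in place of `sample_listing`; matching on a fingerprint rather than a comment shows the first position at which that key appears.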

This was not in fact the issue here. ;)

I thought so at first too, but it was not printing the error it does when hitting this in secure, and trying JUST that one key with IdentitiesOnly yes, etc didn't help any either. ;)
