Https://github.com/hashicorp/terraform/issues/32754

salecharohit · March 6, 2023, 11:18am

Terraform Version

Terraform v1.3.7
on darwin_arm64
+ provider registry.terraform.io/hashicorp/aws v4.54.0
+ provider registry.terraform.io/hashicorp/local v2.1.0
+ provider registry.terraform.io/hashicorp/random v3.1.0
+ provider registry.terraform.io/hashicorp/tls v4.0.4

Terraform Configuration Files

variable "key_name" {
  description = "SSH Key Name For Authentication"
  type        = string
  default     = "ubuntu"
}

resource "tls_private_key" "ubuntu" {
  algorithm = "RSA"
  rsa_bits  = 4096
}

resource "aws_key_pair" "generated_key" {
  key_name   = var.key_name
  public_key = tls_private_key.ubuntu.public_key_openssh

}

data "aws_ami" "ubuntu" {
  most_recent = true

  filter {
    name   = "name"
    values = ["ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-*"]
  }

  filter {
    name   = "virtualization-type"
    values = ["hvm"]
  }

  owners = ["099720109477"] # Canonical
}


resource "aws_instance" "ubuntu" {
  ami           = data.aws_ami.ubuntu.id
  instance_type = var.instance_type
  key_name      = aws_key_pair.generated_key.key_name

  network_interface {
    network_interface_id = aws_network_interface.ubuntu.id
    device_index         = 0
  }

  metadata_options {
    http_endpoint = "disabled"
  }

  connection {
    user        = "ubuntu"
    type        = "ssh"
    host        = self.public_ip
    private_key = tls_private_key.ubuntu.private_key_pem
    timeout     = "1m"
  }

  provisioner "remote-exec" {
    inline = [
      "apt get update -y"
    ]
  }

  depends_on = [
    aws_key_pair.generated_key
  ]
}

Debug Output

gist.github.com

https://gist.github.com/salecharohit/c3c7dfb5d024bcdb950b2858c639e555

gistfile1.txt

[0m[1mdata.aws_availability_zones.availability_zones: Reading...[0m[0m
[0m[1mdata.aws_ami.ubuntu: Reading...[0m[0m
[0m[1mdata.aws_availability_zones.availability_zones: Read complete after 1s [id=us-east-1][0m
[0m[1mdata.aws_ami.ubuntu: Read complete after 1s [id=ami-07dc2dd8e0efbc46a][0m

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  [32m+[0m create
[0m
Terraform will perform the following actions:

This file has been truncated. show original

Expected Behavior

Terraform Apply should work through fine and remote_exec should connect and execute

Actual Behavior

Throws an error as shown which is an SSH error when remote_exec tries to connect.

╷
│ Error: file provisioner error
│
│   with aws_instance.web-template,
│   on ec2.tf line 51, in resource "aws_instance" "web-template":
│   51:   provisioner "file" {
│
│ timeout - last error: SSH authentication failed (ubuntu@35.175.205.156:22): ssh: handshake failed: ssh: unable to authenticate, attempted methods [none publickey], no supported
│ methods remain
╵

However, If I disable the following lines , it all works smoothly, terraform apply works and remote_exec connects and executes the script.

  metadata_options {
    http_endpoint = "disabled"
  }

Additonally, the SSH key generated is unable to connect and throws the same error.

Steps to Reproduce

terraform init
terraform apply

Additional Context

I need to build a bastion host with IMDS disabled by default as a security requirement and hence I need to use the following metadata configuration in the aws_instance resource

metadata_options {
   http_endpoint = "disabled"
 }

What I fail to understand is why or rather how is this step/feature interfering with SSH communications ? Why does remote_exec need to contact IMDS service when all it really needs is an SSH private key which is being provided.

References

Other similar issues I looked at prior to filing this error

github.com/hashicorp/terraform

aws instance remote-exec ssh handshake failed

opened 05:46PM - 29 May 22 UTC

closed 08:04AM - 31 May 22 UTC

gray380

bug new

### Terraform Version ``` Terraform v1.1.2 on linux_amd64 + provider reg…istry.terraform.io/hashicorp/aws v4.16.0 ``` ### Terraform Configuration Files ```terraform resource "aws_instance" "swarm-manager" { count = "${var.swarm_managers}" ami = "${var.swarm_ami_id}" instance_type = "${var.swarm_instance_type}" tags = { Name = "swarm-manager" } vpc_security_group_ids = [ "${aws_security_group.docker.id}" ] key_name = "devops21" connection { type = "ssh" user = "ubuntu" private_key = file(var.privatekeypath) host = self.public_ip timeout = "2m" } provisioner "remote-exec" { inline = [ "if ${var.swarm_init}; then docker swarm init --advertise-addr ${self.private_ip}; fi", "if ! ${var.swarm_init}; then docker swarm join --token ${var.swarm_manager_token} --advertise-addr ${self.private_ip} ${var.swarm_manager_ip}:2377; fi" ] } } ``` ### Debug Output IP is differ, because I've collected `debug` output from the next try to apply. ``` [INFO] using private key for authentication [DEBUG] Connecting to 3.69.156.72:22 for SSH [ERROR] connection error: dial tcp 3.69.156.72:22: connect: connection refused [WARN] retryable error: dial tcp 3.69.156.72:22: connect: connection refused [DEBUG] Connecting to 3.69.156.72:22 for SSH [DEBUG] Connection established. Handshaking for user ubuntu [WARN] SSH authentication failed (ubuntu@3.69.156.72:22): ssh: handshake failed: ssh: unable to authenticate, attempted methods [none publickey], no supported methods remain [WARN] retryable error: SSH authentication failed (ubuntu@3.69.156.72:22): ssh: handshake failed: ssh: unable to authenticate, attempted methods [none publickey], no supported methods remain [WARN] Errors while provisioning aws_instance.swarm-manager[0] with "remote-exec", so aborting [ERROR] vertex "aws_instance.swarm-manager[0]" error: remote-exec provisioner error [DEBUG] provider.stdio: received EOF, stopping recv loop: err="rpc error: code = Unavailable desc = transport is closing" [DEBUG] provider: plugin process exited: path=.terraform/providers/registry.terraform.io/hashicorp/aws/4.16.0/linux_amd64/terraform-provider-aws_v4.16.0_x5 pid=486858 2022-05-30T09:49:52.758+0300 [DEBUG] provider: plugin exited ``` ### Expected Behavior ec2 instance with docker swarm ### Actual Behavior While appling: ``` aws_instance.swarm-manager[0] (remote-exec): Connecting to remote host via SSH... aws_instance.swarm-manager[0] (remote-exec): Host: 18.184.14.73 aws_instance.swarm-manager[0] (remote-exec): User: ubuntu aws_instance.swarm-manager[0] (remote-exec): Password: false aws_instance.swarm-manager[0] (remote-exec): Private key: true aws_instance.swarm-manager[0] (remote-exec): Certificate: false aws_instance.swarm-manager[0] (remote-exec): SSH Agent: true aws_instance.swarm-manager[0] (remote-exec): Checking Host Key: false aws_instance.swarm-manager[0] (remote-exec): Target Platform: unix ``` At the end: ``` Error: remote-exec provisioner error with aws_instance.swarm-manager[0], on swarm.tf line 21, in resource "aws_instance" "swarm-manager": 21: provisioner "remote-exec" { timeout - last error: SSH authentication failed (ubuntu@18.184.14.73:22): ssh: handshake failed: ssh: unable to authenticate, attempted methods [none publickey], no supported methods remain ``` But I can successfully open ssh-session to the instance: ``` $ ssh -i ~/.ssh/devops21.pem ubuntu@18.184.14.73 The authenticity of host '18.184.14.73 (18.184.14.73)' can't be established. ED25519 key fingerprint is SHA256:+ECy1hKKPM9neykXBHCkHZ5p5ceqohVxc1h8BvW2GLw. This key is not known by any other names Are you sure you want to continue connecting (yes/no/[fingerprint])? yes Warning: Permanently added '18.184.14.73' (ED25519) to the list of known hosts. Welcome to Ubuntu 22.04 LTS (GNU/Linux 5.15.0-1008-aws x86_64) * Documentation: https://help.ubuntu.com * Management: https://landscape.canonical.com * Support: https://ubuntu.com/advantage System information as of Sun May 29 17:42:16 UTC 2022 System load: 0.080078125 Processes: 104 Usage of /: 27.7% of 7.58GB Users logged in: 0 Memory usage: 28% IPv4 address for docker0: 172.17.0.1 Swap usage: 0% IPv4 address for eth0: 172.31.44.233 0 updates can be applied immediately. ubuntu@ip-172-31-44-233:~$ ``` The `key_name` name is correct: ``` $ aws ec2 describe-key-pairs --key-names devops21 { "KeyPairs": [ { "KeyPairId": "key-0c9ae318a43621a13", "KeyFingerprint": "e7:31:85:fb:ba:e6:09:dc:56:30:31:52:9f:7b:25:77:68:2f:7f:cf", "KeyName": "devops21", "KeyType": "rsa", "Tags": [], "CreateTime": "2022-05-29T15:57:30+00:00" } ] } ``` ### Steps to Reproduce 1. `terraform init` 2. `terraform apply -target aws_instance.swarm-manager -var swarm_init=true -var swarm_managers=1` ### Additional Context ### References

github.com/hashicorp/terraform

SSH communicator does not send SHA2 signatures

opened 04:28PM - 13 Feb 21 UTC

closed 03:33PM - 13 Dec 21 UTC

ecky-l

bug upstream provisioner/file provisioner/remote-exec

Hello, with the most recent version of CoreOS, 33.20210117.3.2, I cannot use …the terraform ssh connection provisioner anymore. It used to work in prior versions. Problem is that a SSH connection cannot be established by means of the tf connector, but it works with a simple “ssh core@”. Here are two log entries from the hosts syslog, acquired with journalctl while trying to login with either method: When trying with terraform connector (failure): ``` Feb 13 14:27:10 k1.local.vlan audit[18899]: USER_LOGIN pid=18899 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login acct="core" exe="/usr/sbin/sshd" hostname=? addr=192.168.56.1 terminal=ssh res=failed' ``` When trying with “ssh core@…” (success): ``` Feb 13 14:29:00 k1.local.vlan audit[20006]: USER_LOGIN pid=20006 uid=0 auid=1000 ses=12 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=? addr=192.168.56.1 terminal=/dev/pts/1 res=success' ``` The user is in both cases the same (core) and authentication is to be performed via RSA pub key from ssh-agent. Here is a simple terraform module to reproduce the case: ``` resource "null_resource" "copy" { connection { type = "ssh" host = "<some coreos host>" user = "core" timeout = "10m" agent = true } provisioner "file" { content = "blabla" destination = "ttt" } } ``` when running “terraform init” and “terraform apply”, the apply hangs and dies. It works for any other host, which is not CoreOS. When setting the TF_LOG to TRACE, there is a related message: ``` SSH authentication failed (core@k1.local.vlan:22): ssh: handshake failed: ssh: unable to authenticate, attempted methods [none publickey], no supported methods remain ``` Some more context is below under "debug output". There is some more info on the host's syslog, when I try to connect via the terraform connector: ``` userauth_pubkey: key type ssh-rsa not in PubkeyAcceptedKeyTypes [preauth] USER_ERR pid=4191 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:bad_ident grantors=? acct="?" exe="/usr/sbin/sshd" hostname=192.168.56.1 addr=192.168.56.1 terminal=ssh res=failed' ``` But I suspect that this is not fully relevant, since the simple ssh command works with the same key on that host, while the terraform connector doesn't. I suspect it is related to the concrete invocation of ssh from terraform in combination with the particular sshd configuration on this fedora coreos version... ### Terraform Version ``` 0.14 ``` ### Debug Output (relevant parts only) ``` 2021-02-13T16:44:20.301+0100 [DEBUG] plugin.terraform: file-provisioner (internal) 2021/02/13 16:44:20 [INFO] sleeping for 1s 2021-02-13T16:44:21.305+0100 [DEBUG] plugin.terraform: file-provisioner (internal) 2021/02/13 16:44:21 [DEBUG] Connecting to k1.local.vlan:22 for SSH 2021-02-13T16:44:21.305+0100 [DEBUG] plugin.terraform: file-provisioner (internal) 2021/02/13 16:44:21 [DEBUG] Connection established. Handshaking for user core 2021-02-13T16:44:21.346+0100 [DEBUG] plugin.terraform: file-provisioner (internal) 2021/02/13 16:44:21 [WARN] SSH authentication failed (core@k1.local.vlan:22): ssh: handshake failed: s sh: unable to authenticate, attempted methods [none publickey], no supported methods remain 2021-02-13T16:44:21.346+0100 [DEBUG] plugin.terraform: file-provisioner (internal) 2021/02/13 16:44:21 [WARN] retryable error: SSH authentication failed (core@k1.local.vlan:22): ssh: ha ndshake failed: ssh: unable to authenticate, attempted methods [none publickey], no supported methods remain 2021-02-13T16:44:21.346+0100 [DEBUG] plugin.terraform: file-provisioner (internal) 2021/02/13 16:44:21 [INFO] sleeping for 2s 2021-02-13T16:44:23.350+0100 [DEBUG] plugin.terraform: file-provisioner (internal) 2021/02/13 16:44:23 [DEBUG] Connecting to k1.local.vlan:22 for SSH 2021-02-13T16:44:23.351+0100 [DEBUG] plugin.terraform: file-provisioner (internal) 2021/02/13 16:44:23 [DEBUG] Connection established. Handshaking for user core 2021-02-13T16:44:23.394+0100 [DEBUG] plugin.terraform: file-provisioner (internal) 2021/02/13 16:44:23 [WARN] SSH authentication failed (core@k1.local.vlan:22): ssh: handshake failed: s sh: unable to authenticate, attempted methods [none publickey], no supported methods remain ``` ### Expected Behavior It should be possible to connect to coreos hosts with terraform ssh connection and file provisioner (or any other provisioner respectively) ### Actual Behavior ssh connection is not possible with terraform connector, while it is possible by simple ssh command. ### Steps to Reproduce copy the code above into a main.tf, setup a simple coreos VM somewhere, then run 1. `terraform init` 2. `terraform apply` ### References See also my [related forum post at Fedora Discussions](https://discussion.fedoraproject.org/t/cannot-login-per-ssh-via-terraform-connection/26976).

Topic		Replies	Views
Terraform remote-exec provisioner not working Terraform	1	2413	March 9, 2022
TCP SSH timeout while running remote_exec on AWS instance Terraform	3	3143	June 20, 2025
Terraform apply fails in remote-exec failed to read ssh private key, no key found Terraform	1	662	January 17, 2024
File provisioner error Terraform	1	1020	September 26, 2023
How to do remote-exec operation if i am using terraform cloud HCP Terraform	7	3949	March 19, 2022