podman: Unable to authenticate with podman-remote over ssh to drive remote podman.sock

Is this a BUG REPORT or FEATURE REQUEST? (leave only one on its own line)

/kind bug

Description

Trying to run Podman on a remote machine and use the podman-remote client to drive it.

Following instructions here: https://github.com/containers/podman/blob/master/docs/tutorials/mac_win_client.md

Podman on the remote machine seems to be working fine, but it cannot be driven by the local podman because the local Podman fails to authenticate properly over SSH.

Steps to reproduce the issue:

  1. Setup podman on remote machine per: https://github.com/containers/podman/blob/master/docs/tutorials/mac_win_client.md
  2. Ensure correct SSH key is in ssh agent
  3. Add remote connection to podman: podman system connection add test ssh://192.168.122.1/run/user/1000/podman/podman.sock
  4. Attempt to drive remote podman from local machine: podman-remote ps

Describe the results you received:

Authentication error:

Error: Failed to create sshClient: Connection to bastion host (ssh://ben@192.168.2.186:22/run/user/1000/podman/podman.sock) failed.: ssh: handshake failed: ssh: unable to authenticate, attempted methods [none publickey], no supported methods remain

Describe the results you expected:

I expected podman-remote ps to behave normally, outputting something like this:

[ben@benssystem76 ~]$ podman ps
CONTAINER ID  IMAGE   COMMAND  CREATED  STATUS  PORTS   NAMES

Additional information you deem important (e.g. issue happens only occasionally):

I also tried adding the connection with an explicit identity file instead of relying on the SSH agent:

podman system connection add test2 --identity /home/ben/.ssh/id_rsa ssh://192.168.122.1/run/user/1000/podman/podman.sock

When running podman-remote ps with that connection, I am prompted for the passphrase for the SSH key (as I would expect) but I get the same error message indicating that authentication failed, I think because podman didn’t do the SSH handshake properly or something:

Error: Failed to create sshClient: Connection to bastion host (ssh://ben@192.168.2.186:22/run/user/1000/podman/podman.sock) failed.: ssh: handshake failed: ssh: unable to authenticate, attempted methods [none publickey], no supported methods remain

I also checked to make sure that /run/user/1000/podman/podman.sock existed on the remote machine, and it did. Remote user id is 1000 as expected.

Output of podman version:

[ben@benssystem76 config-files]$ podman version
Version:      2.1.1
API Version:  2.0.0
Go Version:   go1.14.9
Built:        Wed Sep 30 13:31:11 2020
OS/Arch:      linux/amd64

Output of podman info --debug:

host:
  arch: amd64
  buildahVersion: 1.16.1
  cgroupManager: systemd
  cgroupVersion: v2
  conmon:
    package: conmon-2.0.21-2.fc32.x86_64
    path: /usr/bin/conmon
    version: 'conmon version 2.0.21, commit: 81d18b6c3ffc266abdef7ca94c1450e669a6a388'
  cpus: 8
  distribution:
    distribution: fedora
    version: "32"
  eventLogger: journald
  hostname: benssystem76
  idMappings:
    gidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
    uidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
  kernel: 5.8.18-200.fc32.x86_64
  linkmode: dynamic
  memFree: 1297784832
  memTotal: 33637113856
  ociRuntime:
    name: crun
    package: crun-0.15-5.fc32.x86_64
    path: /usr/bin/crun
    version: |-
      crun version 0.15
      commit: 56ca95e61639510c7dbd39ff512f80f626404969
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +YAJL
  os: linux
  remoteSocket:
    path: /run/user/1000/podman/podman.sock
  rootless: true
  slirp4netns:
    executable: /usr/bin/slirp4netns
    package: slirp4netns-1.1.4-1.fc32.x86_64
    version: |-
      slirp4netns version 1.1.4
      commit: b66ffa8e262507e37fca689822d23430f3357fe8
      libslirp: 4.3.1
      SLIRP_CONFIG_VERSION_MAX: 2
  swapFree: 16869486592
  swapTotal: 16869486592
  uptime: 30h 0m 31.03s (Approximately 1.25 days)
registries:
  search:
  - registry.fedoraproject.org
  - registry.access.redhat.com
  - registry.centos.org
  - docker.io
store:
  configFile: /home/ben/.config/containers/storage.conf
  containerStore:
    number: 5
    paused: 0
    running: 0
    stopped: 5
  graphDriverName: overlay
  graphOptions:
    overlay.mount_program:
      Executable: /usr/bin/fuse-overlayfs
      Package: fuse-overlayfs-1.2.0-1.fc32.x86_64
      Version: |-
        fusermount3 version: 3.9.1
        fuse-overlayfs: version 1.1.0
        FUSE library version 3.9.1
        using FUSE kernel interface version 7.31
  graphRoot: /home/ben/.local/share/containers/storage
  graphStatus:
    Backing Filesystem: extfs
    Native Overlay Diff: "false"
    Supports d_type: "true"
    Using metacopy: "false"
  imageStore:
    number: 601
  runRoot: /run/user/1000/containers
  volumePath: /home/ben/.local/share/containers/storage/volumes
version:
  APIVersion: 2.0.0
  Built: 1601494271
  BuiltTime: Wed Sep 30 13:31:11 2020
  GitCommit: ""
  GoVersion: go1.14.9
  OsArch: linux/amd64
  Version: 2.1.1

Package info (e.g. output of rpm -q podman or apt list podman):

podman-2.1.1-7.fc32.x86_64

Have you tested with the latest version of Podman and have you checked the Podman Troubleshooting Guide?

Yes

Additional environment details (AWS, VirtualBox, physical, etc.):

Remote podman is the same latest version (2.1.1), running on an F33 Server that is in a KVM VM on a Dell R620 host. Local podman version 2.1.1 is on an F32 Workstation with Gnome 3, and a nice photo of my family as the wallpaper background and screensaver.

About this issue

  • State: closed
  • Created 4 years ago
  • Reactions: 11
  • Comments: 30 (14 by maintainers)

Most upvoted comments

I would like to confirm the above, saw the same issue (Fedora 34 host, Big Sur 11.3.1 Mac, podman 3.1.2 at both ends). By generating an ed25519 key this worked perfectly after a frustrating 30 minutes with my old rsa key.

Hi, did you run this command? I have the same error on my macOS Big Sur. I did it with “https://github.com/containers/podman/blob/master/docs/tutorials/mac_win_client.md”, then I found this error:

$ podman ps
Error: failed to create sshClient: dial unix /private/tmp/com.apple.launchd.zFwQB0vrnx/Listeners: connect: no such file or directory
FAIL: 125

I think it is an ssh-client or system config question; after I ran that command, it was solved.

eval "$(ssh-agent -s)"

Ah! Fedora by default rejects rsa keys; if you use an ed25519 key, this works properly. Closing now. If this is still an issue, please re-open.

@rhatdan @ashley-cui I think forcing people to regenerate keys here is a pretty poor user experience.

I’m also concerned that the actual issue is that podman/go are using SHA1 for the key exchange protocol for RSA keys and that’s actually what is causing issues in some cases. When I tried using an RSA key on a CentOS Stream 9 machine to copy an image to a different CentOS 9 Stream machine, it keeps failing even though normal ssh between the machines with the same key works fine. If that’s actually the case, then having podman use a different encryption for the key exchange should allow RSA keys to work.
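A small diagnostic script, added here and not part of podman or of any comment in this thread, that separates the pieces the handshake in the report depends on: it splits a podman connection URI of the form used above, reports the identity file's key type, and, for RSA keys, uses OpenSSH (assumed installed locally) to ask the server whether it accepts an ssh-rsa (SHA-1) signature versus rsa-sha2-256, which is the distinction the comment above suspects; finally it tests that the remote socket path exists. The addresses and key path in the usage line are the ones from the report, reused for illustration.

```shell
#!/bin/sh
# Added diagnostic for the failure in this thread; not podman's own code.
# Assumes OpenSSH's ssh/ssh-keygen locally; a passphrase-protected key must
# already be in ssh-agent, since BatchMode never prompts.

# parse_podman_uri URI -> "user host port sockpath" ("-" when no user given)
parse_podman_uri() {
    rest="${1#ssh://}"
    case "$rest" in
        */*) hostpart="${rest%%/*}"; sockpath="/${rest#*/}" ;;
        *)   hostpart="$rest";       sockpath="" ;;
    esac
    case "$hostpart" in
        *@*) user="${hostpart%%@*}"; hostpart="${hostpart#*@}" ;;
        *)   user="-" ;;
    esac
    case "$hostpart" in
        *:*) host="${hostpart%%:*}"; port="${hostpart##*:}" ;;
        *)   host="$hostpart";       port=22 ;;
    esac
    printf '%s %s %s %s\n' "$user" "$host" "$port" "$sockpath"
}

# key_type FILE -> algorithm as ssh-keygen reports it, e.g. RSA or ED25519
key_type() { ssh-keygen -l -f "$1" | sed 's/.*(\(.*\))$/\1/'; }

# try_sig ALG USER HOST PORT KEY -> does the server accept this signature
# algorithm? Offering only ssh-rsa mimics a client that signs RSA with SHA-1.
try_sig() {
    if ssh -o BatchMode=yes -o PubkeyAcceptedKeyTypes="$1" -i "$5" \
           -p "$4" "$2@$3" true 2>/dev/null
    then echo "server accepts $1"; else echo "server rejects $1"; fi
}

# check_connection URI KEY: key type, RSA signature algorithms, socket path
check_connection() {
    set -- $(parse_podman_uri "$1") "$2"        # user host port sockpath key
    if [ "$1" = "-" ]; then set -- "$(id -un)" "$2" "$3" "$4" "$5"; fi
    kt=$(key_type "$5")
    echo "identity $5 is $kt"
    if [ "$kt" = "RSA" ]; then
        try_sig ssh-rsa "$1" "$2" "$3" "$5"
        try_sig rsa-sha2-256 "$1" "$2" "$3" "$5"
    fi
    if ssh -o BatchMode=yes -i "$5" -p "$3" "$1@$2" test -S "$4"
    then echo "remote socket $4 exists"
    else echo "remote socket $4 missing, or ssh itself failed"; fi
}

if [ $# -eq 2 ]; then check_connection "$1" "$2"; fi   # ./check.sh ssh://ben@192.168.2.186:22/run/user/1000/podman/podman.sock /home/ben/.ssh/id_rsa
```

If the RSA key is accepted with rsa-sha2-256 but rejected with ssh-rsa, the server policy rather than the key is what the older client trips over.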

TBH, I find it very annoying that I need to run podman machine start every time after a reboot. I wish there was a way to either configure podman to start the machine on demand or automatically at login. Probably on demand would be a better approach, as it would not drain the battery or hog the CPU when not really needed.

@jwhonce Interesting, it could be related. When I tried podman-remote without the key in my SSH agent I was prompted for my passphrase, but then after entering the passphrase it failed to authenticate in the same way. I can try some of these things a bit later, tomorrow for sure.