
cmd := exec.Command("ssh", "ec2-user@publicip") exits with Permission denied (publickey,gssapi-keyex,gssapi-with-mic)

I'm using the golang.org/x/crypto/ssh package to build a CLI application that connects through a bastion to a server using SSH certs. The basic workflow is: the CLI tool gets the user's public key and gets it signed by the Vault SSH CA, and the resulting cert is used to authenticate the user to the servers. It worked fine.

    configure := &ssh.ClientConfig{
        User: "ec2-user",
        Auth: []ssh.AuthMethod{
            // Use the PublicKeys method for remote authentication.
            ssh.PublicKeys(certSigner),
        },
        // InsecureIgnoreHostKey accepts any host key, so the bastion's identity is not verified.
        HostKeyCallback: ssh.InsecureIgnoreHostKey(),
    }
    //log.Println(config.bastionserver.publicIP)

    // Connect to the remote server and perform the SSH handshake.
    proxyClient, err := ssh.Dial("tcp", net.JoinHostPort(config.bastion.publicIP, "22"), configure)
    if err != nil {
        log.Fatalln(err)
    }

    // Open a session on the bastion connection.
    session, err := proxyClient.NewSession()
    if err != nil {
        log.Fatalln(err)
    }
    defer session.Close()

    // Start a login shell and block until it exits.
    if err = session.Shell(); err != nil {
        log.Fatalln(err)
    }

    session.Wait()

I made some changes and reverted back to the code and I started getting the following error. I used git to revert.

ssh: handshake failed: ssh: unable to authenticate, attempted methods [publickey none], no supported methods remain

So I reduced the complexity and tried the following block to try to connect just to the bastion through the cli app I'm building.

    cmd := exec.Command("ssh", "-i", signedKeyPath, "-i", privateKeyPath, "ec2-user@host")

    fmt.Println(cmd.String())
    cmd.Stdin = os.Stdin
    cmd.Stdout = os.Stdout
    cmd.Stderr = os.Stderr
    err = cmd.Run()
    if err != nil {
        log.Fatalln(err)
    }

Still, it exits with:

    /usr/bin/ssh -i /home/rochana/.ssh/id_rsa-cert.pub -i /home/rochana/.ssh/id_rsa ec2-user@host
    ec2-user@host: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
    2020-02-17 11:01:25.168548 I | exit status 255.

I tried compiling and running it on a different PC and I get the same results. I tried saving the cert to disk and giving the path.

But if I run the same command in the terminal, it works fine and connects to the instance.

ssh -i ~/.ssh/id_rsa-cert.pub -i ~/.ssh/id_rsa ec2-user@host

Or I just copy and paste the cmd.String() output:

/usr/bin/ssh -i /home/rochana/.ssh/id_rsa-cert.pub -i /home/rochana/.ssh/id_rsa ec2-user@host

Everything works fine when I run it directly in the terminal, but not with the exec command.

The error was caused by the Vault server being unable to sync its time.
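
A CA whose clock is wrong stamps a wrong validity window into the certificates it signs, so the server can see a freshly issued certificate as not yet valid or already expired. The following is an added example, not code from the original post: it reads that window out of a certificate blob using only the standard library. The names `certStatus` and `sampleCert` are hypothetical, and the sample certificate is constructed and unsigned.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"time"
)

// certStatus decodes a certificate blob and applies ValidAfter <= now < ValidBefore (no signature check).
func certStatus(b []byte, now time.Time) (string, error) {
	bad := false
	take := func(n uint64) []byte { // consume n bytes; on underrun mark the blob bad
		if bad || uint64(len(b)) < n {
			bad = true
			return make([]byte, 8)
		}
		out := b[:n]
		b = b[n:]
		return out
	}
	u64 := func() uint64 { return binary.BigEndian.Uint64(take(8)) }
	str := func() string { return string(take(uint64(binary.BigEndian.Uint32(take(4))))) }
	keyFields, ok := map[string]int{"ssh-rsa-cert-v01@openssh.com": 2, "ssh-ed25519-cert-v01@openssh.com": 1}[str()]
	for i := 0; i <= keyFields; i++ { // nonce, then the key fields (RSA: e, n; ed25519: pk)
		str()
	}
	take(12) // uint64 serial + uint32 certificate type
	str()    // key id
	str()    // valid principals
	after, before, t := u64(), u64(), uint64(now.Unix())
	if bad || !ok {
		return "", fmt.Errorf("truncated or unsupported certificate")
	} else if t < after {
		return fmt.Sprintf("not yet valid for another %ds", after-t), nil
	} else if t >= before {
		return "expired", nil
	}
	return "valid", nil
}

// sampleCert: constructed, unsigned ed25519 body (empty nonce, zero key, empty id and principals).
func sampleCert(after, before uint64) []byte {
	b := append([]byte("\x00\x00\x00\x20ssh-ed25519-cert-v01@openssh.com\x00\x00\x00\x00\x00\x00\x00\x20"), make([]byte, 52)...)
	return binary.BigEndian.AppendUint64(binary.BigEndian.AppendUint64(b, after), before)
}

func main() {
	now := time.Now() // constructed case: certificate stamped by a CA clock 10 minutes fast
	fmt.Println(certStatus(sampleCert(uint64(now.Unix())+600, uint64(now.Unix())+2400), now))
}
```

For a real certificate, pass the base64-decoded second field of the `*-cert.pub` line. With golang.org/x/crypto/ssh the same two values are the `ValidAfter` and `ValidBefore` fields of `ssh.Certificate`, and `ssh-keygen -L -f` on the certificate file prints the window on its `Valid:` line.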
