1

For context, I am trying to create a deploy script on my local machine (A) to deploy my code to a remote server (B). I don't have root access on B.

Here are the contents of my bash script pertaining to this:

ssh $SSH_ENDPOINT /bin/bash << EOF
cd ~/$PROJECT
git pull
EOF

I can ssh in successfully, then cd into the directory. However, git pull fails with:

Permission denied (publickey).
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.

On both A and B, I have set up SSH with GitHub and it works fine, I can push and pull without having to enter any passphrase or anything of the sort.

I'm not completely sure why this error is being thrown as both public keys should work.

EDIT: Doing -vv with ssh gives:

debug2: channel 0: rcvd ext data 32
Permission denied (publickey).
debug2: channel 0: written 32 to efd 6
debug2: channel 0: rcvd ext data 126
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.

Not quite sure how to proceed from here.

5 Comments

  • One difference is that your ssh command starts a noninteractive shell, which means that your ordinary configuration files (.bash_profile or .bashrc, e.g.) won't be sourced. That might affect ... something. Commented Jun 17, 2022 at 13:30
  • And with ssh-issues the usual recommendation is to run the failing command with -vv (add more v's depending on the needed level of detail). Commented Jun 17, 2022 at 17:53
  • Sorry I'm not entirely sure I follow here. I'm not sure what publickey I'm missing, and I'm not sure where it's being read from. I added -vv to ssh and the only thing extra printed is as per my edited post. Commented Jun 17, 2022 at 20:49
  • There should be lines in the ssh -vv output about which public key is being offered to the remote ssh daemon, like this: debug1: Offering public key: <...> Commented Jun 18, 2022 at 3:11
  • To avoid putting a passphrase-less key on the remote server you could consider adding the key on server A to your ssh-agent (with ssh-add ~/.ssh/yourkey) and then using ssh -A to forward the authentication agent to server B. Commented Jun 18, 2022 at 23:00

2 Answers

1

I can ssh in successfully, then cd into the directory

But with which user?
If you ssh, and try the failed git pull, try it after (in your interactive SSH testing session) a

export GIT_SSH_COMMAND='ssh -Tv'

That way, you will see which user/keys are considered for any Git operation involving SSH.


3 Comments

With this, now I see that the public key being offered is from my remote server but I get the following error: debug1: read_passphrase: can't open /dev/tty: No such device or address. I don't have root access, I am logged in as a regular user. This is a containerized system so I don't have root access.
As a bandaid fix, I just removed the passphrase for the key. Then it works perfectly fine. I'm not sure how else to do it, I tried the solutions in this thread stackoverflow.com/questions/21095054/… but none of them persist having the passphrase stored across logins when done manually.
@AjayPillay Any chance to run the ssh-agent service?
0

Based on your comments under VonC's answer, the issue occurs once you're running commands on machine $SSH_ENDPOINT. The Git command run there, which uses the ssh program installed there, needs to read a passphrase to decrypt the keys on machine $SSH_ENDPOINT.

There are two methods to handle that issue:

  • don't use a passphrase-encrypted key; or
  • do use an ssh agent, and have the agent do a pass-through (see -A agent forwarding in the ssh manual).

In the latter case, you don't need to store the private key on machine $SSH_ENDPOINT at all. Just create the .ssh directory with the proper public key, if you need to select a particular public key with Identity and/or IdentitiesOnly lines. (If there's only one key to use you may not need any of this, but in the setups I've used in the past, I always had multiple public keys and needed ssh to select the right one from them.)

Note that the agent will be running on your local machine ("machine A" in your question). There will be a pass-through running on machine B that obtains the private key from machine A on demand. If the key on machine A needs a passphrase, you may have to supply it at that time.
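The agent-forwarding option described in this answer, written out as a deploy script. This is an added example, not part of the original posts: the function names agent_state, remote_script and deploy are hypothetical, SSH_ENDPOINT and PROJECT are the question's variables, and the key is assumed to be loaded on machine A with ssh-add beforehand.

```bash
#!/usr/bin/env bash
# Added example: deploy from A to B with agent forwarding, so B stores no private key.

# Map the exit status of `ssh-add -l` on A to a state:
# 0 = identities loaded, 1 = agent has no identities, anything else = no agent reachable.
agent_state() {
  case "$1" in
    0) echo ready ;;
    1) echo empty ;;
    *) echo unreachable ;;
  esac
}

# Print the script to run on B. The heredoc is expanded locally, so the project
# name is checked first: anything outside [A-Za-z0-9._/-] is refused.
remote_script() {
  project=$1
  case "$project" in
    ''|*[!A-Za-z0-9._/-]*) return 1 ;;
  esac
  cat <<EOF
set -eu
# Stop early if sshd on B did not provide the forwarded agent socket.
[ -S "\${SSH_AUTH_SOCK:-}" ] || { echo "no forwarded agent on B" >&2; exit 3; }
cd ~/"$project"
# BatchMode: ssh fails instead of trying to prompt for a passphrase (no tty here).
GIT_SSH_COMMAND='ssh -o BatchMode=yes' git pull
EOF
}

deploy() {
  endpoint=$1
  project=$2
  rc=0
  ssh-add -l >/dev/null 2>&1 || rc=$?
  state=$(agent_state "$rc")
  if [ "$state" != ready ]; then
    echo "local ssh-agent is $state; load the key with ssh-add first" >&2
    return 1
  fi
  script=$(remote_script "$project") || { echo "unsafe project name" >&2; return 1; }
  # -A forwards A's agent; the socket on B is usable only while this session is open.
  printf '%s\n' "$script" | ssh -A "$endpoint" /bin/bash
}

# Runs only when invoked as: ./deploy.sh deploy
if [ "${1:-}" = deploy ]; then deploy "$SSH_ENDPOINT" "$PROJECT"; fi
```

If B reports "no forwarded agent on B", the sshd on B is not accepting agent forwarding for that login, and the script exits before Git runs.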
