The command rke up --ssh-agent-auth doesn't work on Windows with encrypted private keys #2136

Closed
braninl opened this issue Jun 19, 2020 · 6 comments

Comments

@braninl

braninl commented Jun 19, 2020

RKE version:
1.1.2

Docker version: (docker version,docker info preferred)
19.03.11, but I don't think this actually matters for this issue

Operating system and kernel: (cat /etc/os-release, uname -r preferred)
Windows 10 (10.0.19041.329)

Type/provider of hosts: (VirtualBox/Bare-metal/AWS/GCE/DO)
Ubuntu 18.04 VMs on Hyper-V

cluster.yml file:
nodes:
- address: 192.168.20.21
  port: "22"
  internal_address: ""
  role:
  - controlplane
  - worker
  - etcd
  hostname_override: ""
  user: branin
  docker_socket: /var/run/docker.sock
  ssh_key: ""
  ssh_key_path: c:\users\brani.ssh\id_rsa
  ssh_cert: ""
  ssh_cert_path: ""
  labels: {}
  taints: []
services:
  etcd:
    image: ""
    extra_args: {}
    extra_binds: []
    extra_env: []
    external_urls: []
    ca_cert: ""
    cert: ""
    key: ""
    path: ""
    uid: 0
    gid: 0
    snapshot: null
    retention: ""
    creation: ""
    backup_config: null
  kube-api:
    image: ""
    extra_args: {}
    extra_binds: []
    extra_env: []
    service_cluster_ip_range: 10.43.0.0/16
    service_node_port_range: ""
    pod_security_policy: false
    always_pull_images: false
    secrets_encryption_config: null
    audit_log: null
    admission_configuration: null
    event_rate_limit: null
  kube-controller:
    image: ""
    extra_args: {}
    extra_binds: []
    extra_env: []
    cluster_cidr: 10.42.0.0/16
    service_cluster_ip_range: 10.43.0.0/16
  scheduler:
    image: ""
    extra_args: {}
    extra_binds: []
    extra_env: []
  kubelet:
    image: ""
    extra_args: {}
    extra_binds: []
    extra_env: []
    cluster_domain: cluster.local
    infra_container_image: ""
    cluster_dns_server: 10.43.0.10
    fail_swap_on: false
    generate_serving_certificate: false
  kubeproxy:
    image: ""
    extra_args: {}
    extra_binds: []
    extra_env: []
network:
  plugin: canal
  options: {}
  mtu: 0
  node_selector: {}
  update_strategy: null
authentication:
  strategy: x509
  sans: []
  webhook: null
addons: ""
addons_include: []
ssh_key_path: c:\users\brani.ssh\id_rsa
ssh_cert_path: ""
ssh_agent_auth: false
authorization:
  mode: rbac
  options: {}
ignore_docker_version: false
kubernetes_version: "v1.16.10-rancher2-1"
private_registries: []
ingress:
  provider: ""
  options: {}
  node_selector: {}
  extra_args: {}
  dns_policy: ""
  extra_envs: []
  extra_volumes: []
  extra_volume_mounts: []
  update_strategy: null
cluster_name: ""
cloud_provider:
  name: ""
prefix_path: ""
addon_job_timeout: 90
bastion_host:
  address: ""
  port: ""
  user: ""
  ssh_key: ""
  ssh_key_path: ""
  ssh_cert: ""
  ssh_cert_path: ""
monitoring:
  provider: ""
  options: {}
  node_selector: {}
  update_strategy: null
  replicas: null
restore:
  restore: false
  snapshot_name: ""
dns: null

Steps to Reproduce:

  1. Use an OpenSSH private key encrypted with a passphrase in Windows.
  2. Run ssh-agent and add the key via ssh-add.
  3. Test directly connecting to the host using ssh branin@192.168.20.21 successfully without having to enter the passphrase or password.
  4. Run rke up --ssh-agent-auth

Results:
rke doesn't connect to the host, outputting the following error message.

time="2020-06-18T20:12:47-07:00" level=warning msg="Failed to set up SSH tunneling for host [192.168.20.21]: Can't retrieve Docker Info: error during connect: Get http://%2F%2F.%2Fpipe%2Fdocker_engine/v1.24/info: Unable to access node with address [192.168.20.21:22] using SSH. Using encrypted private keys is only supported using ssh-agent. Please configure the option ssh_agent_auth: true in the configuration file or use --ssh-agent-auth as a parameter when running RKE. This will use the SSH_AUTH_SOCK environment variable. Error: Error configuring SSH: ssh: cannot decode encrypted private keys"

Since this is Windows, the SSH_AUTH_SOCK environment variable doesn't exist. Is there another command that can be used with rke? (My workaround currently was to remove the passphrase from my private key, but I'd like to not have that be my long-term solution.)

@petr-motejlek

BUMP!

@petr-motejlek

On Windows, I am also seeing a problem where my private key is in the OpenSSH format. All the command line tools (ssh-keygen, ssh, ...) I use on Windows use this format.

rke (I think) does not actually use the command line tools, but instead opts for its own implementation of SSH, and that one seemingly only works with so-called SSH2 keys.

So ... to get this working, I had to basically generate a new key pair, ensuring it's in the SSH2 format, for rke to be able to connect to my RancherOS machine(s) :)

@stale

stale bot commented Nov 18, 2020

This issue/PR has been automatically marked as stale because it has not had activity (commit/comment/label) for 60 days. It will be closed in 14 days if no further activity occurs. Thank you for your contributions.

@stale stale bot added the status/stale label Nov 18, 2020
@Mentat420

This is still an issue.

@stale stale bot removed the status/stale label Nov 18, 2020
@superseb
Contributor

@Mentat420 Please provide steps to reproduce (how was the key created/what type of key are you using) so we can use that to reproduce and validate a fix.
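
A triage helper for the question above of what type of key is in use, added here as an example (not part of the thread and not RKE's code): it reads only the unencrypted header fields of a private key file to report its container format and whether it is passphrase-protected. The names `DescribeKey` and `sampleKey` are hypothetical, and the sample input is a constructed header-only blob rather than a real key.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"encoding/pem"
	"errors"
	"fmt"
	"strings"
)

const opensshMagic = "openssh-key-v1\x00" // starts every new-format OpenSSH key body

// DescribeKey reports a key file's container format and whether it is passphrase-protected.
func DescribeKey(data []byte) (format string, encrypted bool, err error) {
	block, _ := pem.Decode(data)
	if block == nil {
		return "", false, errors.New("no PEM block found")
	}
	if block.Type != "OPENSSH PRIVATE KEY" {
		// Legacy PEM keys flag encryption in a Proc-Type header; PKCS#8 in the block type.
		enc := strings.Contains(block.Headers["Proc-Type"], "ENCRYPTED") ||
			block.Type == "ENCRYPTED PRIVATE KEY"
		return "PEM (" + block.Type + ")", enc, nil
	}
	if !bytes.HasPrefix(block.Bytes, []byte(opensshMagic)) || len(block.Bytes) < len(opensshMagic)+4 {
		return "", false, errors.New("truncated or malformed openssh-key-v1 body")
	}
	body := block.Bytes[len(opensshMagic):]
	// First field: cipher name as a uint32 length-prefixed string; "none" means no passphrase.
	n := binary.BigEndian.Uint32(body)
	if uint64(n) > uint64(len(body)-4) {
		return "", false, errors.New("cipher name length exceeds key body")
	}
	return "openssh-key-v1", string(body[4:4+n]) != "none", nil
}

// sampleKey builds a CONSTRUCTED header-only blob (not a usable key) for the demo.
func sampleKey(cipher string) []byte {
	var b bytes.Buffer
	b.WriteString(opensshMagic)
	binary.Write(&b, binary.BigEndian, uint32(len(cipher)))
	b.WriteString(cipher)
	return pem.EncodeToMemory(&pem.Block{Type: "OPENSSH PRIVATE KEY", Bytes: b.Bytes()})
}

func main() {
	fmt.Println(DescribeKey(sampleKey("aes256-ctr")))
}
```

Passing the contents of the file named in `ssh_key_path` to `DescribeKey` gives the format and encryption status to include in a reproduction report without disclosing the key or its passphrase.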

@stale

stale bot commented Jan 17, 2021

This issue/PR has been automatically marked as stale because it has not had activity (commit/comment/label) for 60 days. It will be closed in 14 days if no further activity occurs. Thank you for your contributions.
