RFE: support ssh-agent with ssh communications #3602

Closed
mblakele opened this issue Jun 7, 2016 · 5 comments

@mblakele

mblakele commented Jun 7, 2016

When using the null builder, especially for test cases, it's inconvenient and insecure to supply a password-less private key file or password for ssh communication. Most devops or sysops users should already be using ssh-agent to securely manage their ssh keys, and many environments won't allow ssh passwords at all.

If the environment variable SSH_AUTH_SOCK is defined, it's safe to assume that an ssh-agent is available. In that case it should be sufficient to supply a username.

@rickard-von-essen
Collaborator

Duplicates #2782. This should work.

@mblakele
Author

mblakele commented Jun 8, 2016

Here are more details: the first two commands show that I have ssh keys loaded and that they admit me to localhost.

$ ssh-add -l | wc -l
       3
$ ssh localhost uname
Darwin
$ packer --version
0.10.1

Simple test json:

{
  "variables": {
    "ssh_username": "{{env `USER`}}"
  },
  "builders": [{
    "type": "null",
    "ssh_host": "localhost",
    "ssh_username": "{{user `ssh_username`}}"
  }]
}
$ packer build 3602.json 
null output will be in this color.

1 error(s) occurred:

* one of ssh_password and ssh_private_key_file must be specified

Password auth is turned off in the sshd_config, but let's provide a password anyway and see if it'll use the agent keys.

{
  "variables": {
    "ssh_username": "{{env `USER`}}"
  },
  "builders": [{
    "type": "null",
    "ssh_host": "localhost",
    "ssh_password": "{{user `ssh_password`}}",
    "ssh_username": "{{user `ssh_username`}}"
  }]
}
$ PACKER_LOG=1 packer build -var ssh_password=fubar 3602.json
2016/06/08 13:56:34 [INFO] Packer version: 0.10.1
2016/06/08 13:56:34 Packer Target OS/Arch: darwin amd64
2016/06/08 13:56:34 Built with Go Version: go1.6.2
[...]
2016/06/08 13:56:34 Waiting on builds to complete...
2016/06/08 13:56:34 Starting build run: null
2016/06/08 13:56:34 Running builder: null
2016/06/08 13:56:34 packer: 2016/06/08 13:56:34 [INFO] Waiting for SSH, up to timeout: 5m0s
2016/06/08 13:56:34 ui: ==> null: Waiting for SSH to become available...
==> null: Waiting for SSH to become available...
2016/06/08 13:56:34 packer: 2016/06/08 13:56:34 [INFO] Attempting SSH connection...
2016/06/08 13:56:34 packer: 2016/06/08 13:56:34 reconnecting to TCP connection for SSH
2016/06/08 13:56:34 packer: 2016/06/08 13:56:34 handshaking with SSH
2016/06/08 13:56:34 packer: 2016/06/08 13:56:34 Keyboard interactive challenge:
2016/06/08 13:56:34 packer: 2016/06/08 13:56:34 -- User:
2016/06/08 13:56:34 packer: 2016/06/08 13:56:34 -- Instructions:
2016/06/08 13:56:34 packer: 2016/06/08 13:56:34 -- Question 1: Password:
2016/06/08 13:56:35 packer: 2016/06/08 13:56:35 handshake error: ssh: handshake failed: ssh: unable to authenticate, attempted methods [none keyboard-interactive], no supported methods remain
2016/06/08 13:56:35 packer: 2016/06/08 13:56:35 [DEBUG] SSH handshake err: ssh: handshake failed: ssh: unable to authenticate, attempted methods [none keyboard-interactive], no supported methods remain
2016/06/08 13:56:35 packer: 2016/06/08 13:56:35 [DEBUG] Detected authentication error. Increasing handshake attempts.
[...]

It just goes on like that until I cancel it. As far as I can see it doesn't attempt to use the keys that should be available through my ssh-agent.

@defn

defn commented Jun 29, 2016

This does not duplicate #2782 because #2782 deals with forwarding the ssh-agent to the guest. You can forward the ssh-agent without using it to authenticate.

This issue is about using the ssh-agent on the packer host for authentication to the guest, to avoid using passwords or plain-text ssh keys.

@SwampDragons
Contributor

This issue has been resolved. Example config:

{
    "builders": [
        {
            "ami_name": "packer-whee",
            "force_deregister": true,
            "instance_type": "t2.micro",
            "source_ami_filter": {
              "filters": {
                "virtualization-type": "hvm",
                "name": "ubuntu/images/*ubuntu-xenial-16.04-amd64-server-*",
                "root-device-type": "ebs"
              },
              "owners": ["099720109477"],
              "most_recent": true
            },
            "region": "us-west-2",
            "ssh_username": "ubuntu",
            "ssh_keypair_name": "example_keypair",
            "ssh_agent_auth": true,
            "type": "amazon-ebs"
        }
    ],
  "provisioners": [
    {
        "type": "shell-local",
        "inline": ["echo successfully connected using agent"]
    }
  ]
}

If the private key file from example_keypair is loaded into your ssh agent, you can connect. You will need to set the template option ssh_agent_auth to make this work.
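A pre-build check for the setup discussed in this thread, added here as an example (it is not part of the thread and not Packer's code): it asks the agent behind `SSH_AUTH_SOCK` how many identities it holds, using the agent protocol's request-identities message, and flags template builders that still carry `ssh_password` or `ssh_private_key_file`. The function names `agent_key_count` and `audit_template` are hypothetical, and the sample template is constructed from the one posted above.

```python
import json, os, socket, struct

SSH_AGENTC_REQUEST_IDENTITIES = 11  # ssh-agent protocol message numbers
SSH_AGENT_IDENTITIES_ANSWER = 12

# Constructed sample input: the second template from this thread, compacted.
TEMPLATE = r'''{"builders": [{"type": "null", "ssh_host": "localhost",
  "ssh_password": "{{user `ssh_password`}}",
  "ssh_username": "{{user `ssh_username`}}"}]}'''

def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise OSError("agent closed the connection")
        buf += chunk
    return buf

def agent_key_count(sock_path):
    """Number of identities the agent at sock_path reports; None if unreachable."""
    if not sock_path:
        return None
    try:
        with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
            s.settimeout(2)
            s.connect(sock_path)
            s.sendall(struct.pack(">IB", 1, SSH_AGENTC_REQUEST_IDENTITIES))
            (length,) = struct.unpack(">I", _recv_exact(s, 4))
            body = _recv_exact(s, length)
    except OSError:
        return None
    if len(body) < 5 or body[0] != SSH_AGENT_IDENTITIES_ANSWER:
        return None
    return struct.unpack(">I", body[1:5])[0]  # uint32 key count follows the type byte

def audit_template(text, sock_path):
    """Return (builder type, finding) pairs for SSH auth settings in a template."""
    findings, keys = [], agent_key_count(sock_path)
    for b in json.loads(text).get("builders", []):
        for opt in ("ssh_password", "ssh_private_key_file"):
            if opt in b:
                findings.append((b.get("type"), f"{opt} is set; agent auth avoids it"))
        if b.get("ssh_agent_auth") is True and not keys:
            findings.append((b.get("type"), "ssh_agent_auth set, no agent identities"))
    return findings

if __name__ == "__main__":
    print(audit_template(TEMPLATE, os.environ.get("SSH_AUTH_SOCK")))
```

A key count of zero or `None` means a build with `ssh_agent_auth` has nothing to authenticate with, which is the same condition `ssh-add -l` reports from the shell.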

@ghost

ghost commented Aug 1, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@ghost ghost locked and limited conversation to collaborators Aug 1, 2020