bzr dies with unhelpful error message instead of showing prompt for ssh key pass phrase

Bug #806094 reported by Florian Rathgeber
This bug affects 1 person
Affects: Bazaar | Status: Incomplete | Importance: Undecided | Assigned to: Unassigned

Bug Description

Tested on various bzr versions (2.2.1 to latest) on Ubuntu Maverick and Natty.

bzr cannot handle unlocking ssh keys protected by a pass phrase for connections via bzr+ssh://.

Instead of showing a prompt to enter the pass phrase it dies with an unhelpful error message in 2 flavors (backtraces attached):

1) for lp:* urls:
Permission denied (publickey).
bzr: ERROR: bzrlib.errors.ConnectionReset: Connection closed: Unexpected end of message. Please check connectivity and permissions, and report a bug if problems persist.

2) for bzr+ssh:// urls not pointing to launchpad (even worse, since the server *does* support the protocol):
Server does not understand Bazaar network protocol 3, reconnecting. (Upgrade the server to avoid this.)
bzr: ERROR: bzrlib.errors.ConnectionReset: Connection closed: Unexpected end of message. Please check connectivity and permissions, and report a bug if problems persist.

Reproducible: always

Steps to reproduce:
1) create an ssh key pair protected with a pass phrase
2) set up ~/.ssh/config to use *this* ssh key for launchpad
3) do *not* add the key to ssh-agent (or do anything else which makes it unnecessary to unlock the key with the pass phrase)
4) any bzr command with a lp url will die with the error message above
Similar steps for your own bzr remote server will produce the other error message above

Expected result: prompt for the pass phrase

Workaround: add the key to ssh-agent (or anything else which allows ssh to use the key without authentication)

I think this is a real show stopper since this error is really hard to debug. It has the potential to make even experienced users turn away from bzr.

Related bugs:
https://bugs.launchpad.net/bzr/+bug/436745
https://bugs.launchpad.net/bzr/+bug/607969

Martin Pool (mbp) wrote :

I can't reproduce this: when I run 'bzr pull lp:bzr' with no ssh agent, I'm prompted to enter the passphrase for the key, and when I do, things work normally.

Does 'ssh bazaar.launchpad.net' ask you to enter the passphrase? Do you perhaps have ssh configured not to prompt, or perhaps you have a broken ssh-agent?

Martin Pool (mbp)
Changed in bzr:
status: New → Incomplete
Florian Rathgeber (florian-rathgeber) wrote :

Indeed the problem seems to be related to a (very complex) SSH configuration issue in combination with ssh-agent. My configuration (with SSH key and launchpad user name) wasn't picked up by bzr for lp urls as I now found out.

The following 3 factors play a role as to whether the error occurs:
=======================================================
1) whether you configured bzr launchpad-login (a) or not (b)
2) whether you configured ssh which key to use for bazaar.launchpad.net (provided it is not id_dsa or id_rsa) (a) or not (b)
3) whether that key is on your keychain (a) or not (b)

Their combination leads to very different behaviour:
============================================
* for 1b the error never occurs since lp urls are translated to http urls and no authentication is necessary (of course any write operation will fail)
in the following we assume 1a
* 2a+3a -> no problem (as expected)
* 2b+3a -> no problem either (since SSH tries all the keys on its key chain and only the key registered on launchpad is accepted)
* 2a+3b -> there is a prompt for the pass phrase as you describe (since SSH knows which key to use and it's not on the key chain)
* 2b+3b -> the error I described (since SSH tries all the keys on its key chain and the launchpad key isn't one of them)

In summary, the error message is probably accurate (if not very helpful) and probably I was running in a fringe case which few users might see.

---

The other case with our own server was even more peculiar:

Our VCS server is set up for different VCSes and access is via locked-down authorized_keys (for bzr via bzr_ssh_path_limiter, for svn via svnserve -t etc.) i.e. a separate key is needed for each VCS.

Now the problem I saw was due to ssh not having the key I had configured for bzr access on the key chain. Instead of prompting for a pass phrase for that key now, SSH offered the first key on the key chain which happened to be the one that was locked down for SVN access. The key was accepted and now bzr tried to communicate with svnserve, which of course didn't work and led to the error message I described.

To summarise: I was bitten by SSH and ssh-agent not acting as expected in our very particular setup. It seems there is little bzr could do about that.
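
The key-selection behaviour described in the comment above, as an added example that is not part of the original report or of bzr. It is a simplified model of the order in which the OpenSSH client offers keys (certificates and hardware keys are left out); the key names `lp_key`, `svn_key`, `bzr_key` and `other` and the `launchpad` command label are constructed, and the model also shows the effect of the `IdentitiesOnly` option, which the report does not mention.

```python
# Simplified model of OpenSSH client public-key ordering.
# All key names are constructed for illustration.
DEFAULT_IDENTITIES = ["id_rsa", "id_dsa"]

def offer_order(agent_keys, identity_files=(), identities_only=False):
    """Return [(key, needs_passphrase)] in the order the client offers keys."""
    configured = list(identity_files) or DEFAULT_IDENTITIES
    if identities_only:
        # IdentitiesOnly yes: agent keys that are not configured are never offered.
        agent_keys = [k for k in agent_keys if k in configured]
    # 1. agent keys that are also configured, 2. remaining agent keys,
    # 3. configured key files not in the agent (using one needs the pass phrase).
    in_agent = [k for k in agent_keys if k in configured]
    in_agent += [k for k in agent_keys if k not in configured]
    on_disk = [k for k in configured if k not in agent_keys]
    return [(k, False) for k in in_agent] + [(k, True) for k in on_disk]

def connect(authorized_keys, agent_keys, identity_files=(), identities_only=False):
    """authorized_keys maps key -> forced command, as in a locked-down
    authorized_keys file. The first offered key the server accepts wins.
    Returns (accepted_key, forced_command, prompted_for_passphrase)."""
    for key, needs_passphrase in offer_order(agent_keys, identity_files, identities_only):
        if key in authorized_keys:
            return key, authorized_keys[key], needs_passphrase
    return None, None, False  # "Permission denied (publickey)."

if __name__ == "__main__":
    # The multi-VCS server from the report: one locked-down key per VCS.
    server = {"svn_key": "svnserve -t", "bzr_key": "bzr_ssh_path_limiter"}
    for only in (False, True):
        print("IdentitiesOnly", only, connect(server, ["svn_key"], ["bzr_key"], only))
```

In `~/.ssh/config` the second case corresponds to an `IdentityFile` line plus `IdentitiesOnly yes` in the `Host` block for the server, so a key held by the agent for another service is not offered first.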
