So I was setting up Spring Cloud Config for our project. Access your config through a public Git repo seems quite straight forward. And then it wasn’t. This post is about solving the “Auth fail” error when using a public/private keypair.
A basic (server) setup
So the Spring Cloud Config (SCC from here on) server has to have access to your Git repo. If you don’t want to or can’t supply a username password, a public/private keypair is possible.
The promise is simple: generate a public/private keypair, put the public key in Git and the private key with your SCC server. There are several posts around the internet that tell you where to put the private key, but in the end (we’re running it in Kubernetes, so it’s in a Docker image) it’s in
/root/.ssh/id_rsa. Set up the SCC config file to use local ssh settings and you’re good to go:
spring: cloud: config: server: git: uri: email@example.com:awesomecompany/excellentrepo.git ignoreLocalSshSettings: false strictHostKeyChecking: false
Run it and it should work. It did, when my colleague drafted the first version. Then we moved (Kubernetes) clusters and had to regenerate the keypair, because we didn’t save it back then. No biggy.
So when I regenreated the keypair and put it in place and ran it…
Caused by: com.jcraft.jsch.JSchException: Auth fail at com.jcraft.jsch.Session.connect(Session.java:519) ~[jsch-0.1.54.jar:na] at org.eclipse.jgit.transport.JschConfigSessionFactory.getSession(JschConfigSessionFactory.java:136) ~[org.eclipse.jgit-22.214.171.124803080745-r.jar:126.96.36.199803080745-r]
This exception with the sole message “Auth fail”. Could mean anything. So I tried everything. Finally, after some forceful pointing SCC to my private key, it suddenly found my private key to be “invalid”. A lot of debugging into the JSch library (the ssh part of SCC) I found out why JSch would label it invalid.
It seems, last time my colleague who ran the
ssh-keygen to generate the public/private keypair did this on his Windows machine. This time around, I ran the same command line on macOS.
ssh-keygen -f ./id_rsa
And this resulted in an
id_rsa file starting like this:
-----BEGIN OPENSSH PRIVATE KEY----- b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABFwAAAAdzc2gtcn
And the debugging showed, that JSch didn’t like the header “BEGIN OPENSSH PRIVATE KEY”. It expects it to read “BEGIN RSA PRIVATE KEY”. Nice going, “Auth fail”! About as helpful as the average person calling a helpdesk.
So the fix is to specify the correct key format (PEM) when generating your keys. You set the PEM format for your keys with
ssh-keygen -m PEM -f ./id_rsa
And then Spring Cloud Config reads it just fine and gets your config from Git.