Dear all, in order to get my ssh remotes to work I got on a dvc deep dive I didn't ask for. My setup is such that I have the work-horse system which I want to keep in sync with my local installation behind a ssh proxy. Something like this in the ssh config:
Host workhorse
HostName something.somewhere
User itsame
ProxyCommand ssh -W %h:%p myproxyhost
IdentityFile ~/.ssh/workhorse-key
Host myproxyhost
HostName somethingelse.somewhereelse
User itsameagain
IdentityFile ~/.ssh/myproxyhost-key
In dvc.config I have then something like this:
['remote "workhorse"']
url = ssh://workhorse/path/to/a/dvc-cache/someproject
Nothing exotic I assume and I can ssh and scp to the workhorse without problems, so I was a bit surprised when I got Too many authentication failures from dvc status -r workhorse.
As hinted by the error message I figured that the ssh agent might be involved, and after fiddling with asyncssh for a while I figured that it is indeed the case. The script below reproduces the error if the agent_path=None is removed.
import asyncio, asyncssh, sys
async def run_client() -> None:
async with asyncssh.connect('workhorse', agent_path=None) as conn:
result = await conn.run('hostname', check=True)
print(result.stdout, end='')
try:
asyncio.get_event_loop().run_until_complete(run_client())
except (OSError, asyncssh.Error) as exc:
sys.exit('SSH connection failed: ' + str(exc))Great, so now how do we make dvc-ssh to forget about the agent? Well, there comes the actual bug IMHO. The allow_agent = false in the dvc config is not passed to the asyncssh in any capacity as far as I can tell. Verified by running dvc status --pdb -r workhorse. The only mention of allow_agent I found is in the dvc config schema, no traces in either dvc-ssh, sshfs, or asynssh codebases.
The good news is, that I was able to work around this for now with the help of the SSH_AUTH_SOCK environment variable:
$ SSH_AUTH_SOCK='' dvc status -r daint
Dear all, in order to get my ssh remotes to work I got on a dvc deep dive I didn't ask for. My setup is such that I have the work-horse system which I want to keep in sync with my local installation behind a ssh proxy. Something like this in the ssh config:
In dvc.config I have then something like this:
Nothing exotic I assume and I can
sshandscpto the workhorse without problems, so I was a bit surprised when I gotToo many authentication failuresfromdvc status -r workhorse.As hinted by the error message I figured that the ssh agent might be involved, and after fiddling with
asyncsshfor a while I figured that it is indeed the case. The script below reproduces the error if theagent_path=Noneis removed.Great, so now how do we make dvc-ssh to forget about the agent? Well, there comes the actual bug IMHO. The
allow_agent = falsein the dvc config is not passed to the asyncssh in any capacity as far as I can tell. Verified by runningdvc status --pdb -r workhorse. The only mention ofallow_agentI found is in the dvc config schema, no traces in eitherdvc-ssh,sshfs, orasynsshcodebases.The good news is, that I was able to work around this for now with the help of the
SSH_AUTH_SOCKenvironment variable:$ SSH_AUTH_SOCK='' dvc status -r daint