To verify scap behavior and error messaging when it cannot find the specified keyholder key, and to confirm if scap retries all available keys in the keyholder.d, I tested the scenarios regarding the scap keyholder. Here are the results:

Tested with no ssh key in the keyfolder.d and the output is:

{"name": "deploy", "msg": "Unable to find keyholder key for %s", "args": ["scap_deploy"], "levelno": 10, "filename": "cli.py", "exc_text": null, "lineno": 152, "funcName": "get_keyholder_key", "created": 1715803062.4578805, "msecs": 457.88049697875977, "relativeCreated": 1282.752513885498, "host": "deploy"}

Description: scap fails to find the keyholder key and attempts SSH without a key.

Tested with different key in keyholder.d

{"name": "deploy", "msg": "Unable to find keyholder key for %s", "args": ["scap_deploy"], "levelno": 10, "filename": "cli.py", "exc_text": null, "lineno": 152, "funcName": "get_keyholder_key", "created": 1715809119.1792183, "msecs": 179.21829223632812, "relativeCreated": 1296.0443496704102, "host": "deploy"}

Description: Even with a different key, scap searches for the specified key in scap.cfg, fails, and attempts SSH without a key.

Deleted keyholder_key Parameter from /etc/scap.cfg:

• Output: Same as above.
• Description: scap looks for the key specified in the project’s scap.cfg (e.g., phabricator), fails to find it, and attempts SSH without a key.

Removed keyholder_key Parameter from project/scap.cfg:

• Output: Same as above.
• Description: scap defaults to key_safe_name based on ssh_user, fails to find it, and attempts SSH without a key.

@brennen In all scenarios, scap did not retry all available keys, It Looks like it performs as expected. Please confirm if this is the correct behavior. If so, can we close the story?

Mentioned in SAL (#wikimedia-releng) [2024-05-16T17:52:12Z] <brennen> running a no-op test deployment to phab2002 to reproduce errors for T313624

Mentioned in SAL (#wikimedia-operations) [2024-05-16T17:52:47Z] <brennen@deploy1002> Started deploy [phabricator/deployment@7d858df]: test scap deployment with keyholder key misconfigured for T313624

Mentioned in SAL (#wikimedia-operations) [2024-05-16T17:53:25Z] <brennen@deploy1002> Finished deploy [phabricator/deployment@7d858df]: test scap deployment with keyholder key misconfigured for T313624 (duration: 00m 38s)

A full log of the discussion that led to this task is here:

https://wm-bot.wmcloud.org/browser/index.php?start=07%2F22%2F2022&end=07%2F22%2F2022&display=%23wikimedia-releng

See also: 8a7d4bf15d900d47da6dea78d59171f83ab33a3f

The original problem was that if scap doesn't find a key, you wind up with Too many authentication failures, which is confusing to the deployer.

This still happens - I just reproduced on deploy1002:

Received disconnect from [host] port 22:2: Too many authentication failures                                                                                            
Disconnected from [host] port 22

See P62533 for a detailed log.

@hashar's idea was that scap should abort on not finding a key:

<hasharAway> if we can't find a keyholder key using the ssh_user  or the keyholder_key config value if it is set
<hasharAway> then I think scap should abort entirely

I still think that seems reasonable.

One additional question: Are there any deployment repos currently where scap does not find a key, but the deployment succeeds because a key in keyholder works before MaxAuthTries is reached? If so, those might need fixed.

@brennen In my case on Scap3-dev env if Scap doesn't find a key it tries to do ssh without a key, and yes it succeeding the deployment. Do you think we need a code change for this behavior?

sandeeps opened https://gitlab.wikimedia.org/repos/releng/scap/-/merge_requests/328

deploy.py: Handle missing keyholder key with clear error logging