Develop Reference

Cannot push Vue CLI app to github.io after build - Permission denied (publickey)

I've troubleshooted https://help.github.com/en/github/authenticating-to-github/error-permission-denied-publickey
Should the sudo command be used with Git?
I'm not using sudo together with my git commands
Check that you are connecting to the correct server
Running $ ssh -vT git#github.com makes the connection on port 22 and returns You've successfully authenticated
Always use the "git" user
I've used the set-url command to change the repo to use the SSH protocol and ssh -T git#github.com returns:
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to github.com [140.82.118.4] port 22.
debug1: Connection established.
debug1: identity file /home/warwick/.ssh/id_rsa type 0
debug1: identity file /home/warwick/.ssh/id_rsa-cert type -1
debug1: identity file /home/warwick/.ssh/id_dsa type -1
debug1: identity file /home/warwick/.ssh/id_dsa-cert type -1
debug1: identity file /home/warwick/.ssh/id_ecdsa type -1
debug1: identity file /home/warwick/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/warwick/.ssh/id_ed25519 type -1
debug1: identity file /home/warwick/.ssh/id_ed25519-cert type -1
debug1: identity file /home/warwick/.ssh/id_xmss type -1
debug1: identity file /home/warwick/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.0p1 Ubuntu-6build1
debug1: Remote protocol version 2.0, remote software version babeld-17f81433
debug1: no match: babeld-17f81433
debug1: Authenticating to github.com:22 as 'git'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: rsa-sha2-512
debug1: kex: server->client cipher: chacha20-poly1305#openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305#openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ssh-rsa SHA256:nThbg6kXUpJWGl7E1IGOCspRomTxdCARLviKw6E5SY8
debug1: Host 'github.com' is known and matches the RSA host key.
debug1: Found key in /home/warwick/.ssh/known_hosts:3
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 134217728 blocks
debug1: Will attempt key: /home/warwick/.ssh/id_rsa RSA SHA256:XUyMmE8J489MaD9Ix/1xJdilSU4aH/F27hdhQubMQL4
debug1: Will attempt key: /home/warwick/.ssh/id_dsa
debug1: Will attempt key: /home/warwick/.ssh/id_ecdsa
debug1: Will attempt key: /home/warwick/.ssh/id_ed25519
debug1: Will attempt key: /home/warwick/.ssh/id_xmss
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-rsa,rsa-sha2-512,rsa-sha2-256,ssh-dss>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering public key: /home/warwick/.ssh/id_rsa RSA SHA256:XUyMmE8J489MaD9Ix/1xJdilSU4aH/F27hdhQubMQL4
debug1: Server accepts key: /home/warwick/.ssh/id_rsa RSA SHA256:XUyMmE8J489MaD9Ix/1xJdilSU4aH/F27hdhQubMQL4
Enter passphrase for key '/home/warwick/.ssh/id_rsa':
debug1: Authentication succeeded (publickey).
Authenticated to github.com ([140.82.118.4]:22).
debug1: channel 0: new [client-session]
debug1: Entering interactive session.
debug1: pledge: network
debug1: Sending environment.
debug1: Sending env LANG = en_ZA.UTF-8
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
Hi WNortier! You've successfully authenticated, but GitHub does not provide shell access.
debug1: channel 0: free: client-session, nchannels 1
Transferred: sent 3452, received 2484 bytes, in 0.5 seconds
Bytes per second: sent 6930.1, received 4986.7
debug1: Exit status 1
Make sure you have a key that is being used
I've created a new public/private key combination as per https://help.github.com/en/github/authenticating-to-github/adding-a-new-ssh-key-to-your-github-account
Identity added: /home/warwick/.ssh/id_rsa (myemail#gmail.com)
There is a problem here:
Starting eval "$(ssh-agent -s)" in the terminal and running ssh-add -l is returning The agent has no identities. even though I just added it?
Pushing changes made to the project src files to github does not prompt me for my password and when I check my github settings I see the key is used. So the key appears to be working
I run into Permission denied (publickey) every time I try to run build and push. I created a .deploy.sh file as per this guide on the Vue documentation and uncommented and added my username on the line intended for a github.io push https://cli.vuejs.org/guide/deployment.html#github-pages
set -e
npm run build
cd dist
git init
git add -A
git commit -m "deploy"
git push -f git#github.com:wnortier/wnortier.github.io.git master
cd -
but when I run it with sh .deploy.sh it returns
DONE Compiled successfully in 2175ms 15:40:48
File Size Gzipped
dist/js/chunk-vendors.c4d3d4de.js 114.27 KiB 40.31 KiB
dist/js/app.8b5fd9c9.js 6.99 KiB 2.90 KiB
dist/css/app.35dcd38a.css 0.27 KiB 0.21 KiB
Images and other types of assets omitted.
DONE Build complete. The dist directory is ready to be deployed.
INFO Check out deployment instructions at https://cli.vuejs.org/guide/deployment.html
Initialized empty Git repository in /home/warwick/Projects/wnortier.github.io/dist/.git/
[master (root-commit) 74551eb] deploy
8 files changed, 14 insertions(+)
create mode 100644 css/app.35dcd38a.css
create mode 100644 favicon.ico
create mode 100644 img/logo.82b9c7a5.png
create mode 100644 index.html
create mode 100644 js/app.8b5fd9c9.js
create mode 100644 js/app.8b5fd9c9.js.map
create mode 100644 js/chunk-vendors.c4d3d4de.js
create mode 100644 js/chunk-vendors.c4d3d4de.js.map
git#github.com: Permission denied (publickey).
fatal: Could not read from remote repository.
Please make sure you have the correct access rights
and the repository exists.
git config is as follows:
user.email=warwick.nortier#gmail.com
user.name=warwick
core.repositoryformatversion=0
core.filemode=true
core.bare=false
core.logallrefupdates=true
remote.origin.url=https://github.com/WNortier/wnortier.github.io.git
remote.origin.fetch=+refs/heads/*:refs/remotes/origin/*
branch.master.remote=origin
branch.master.merge=refs/heads/master
user.name=warwick
user.email=warwick.nortier#gmail.com
Please could anyone assist me?

It turns out my ssh key was setup correctly all along.
I've managed to solve the problem by running the following command: sudo chown -R $USERNAME /home/<myusername>
It allowed me to run the deploy script without [sudo].

Set the GIT_SSH_COMMAND in your session (as you, not root)
export GIT_SSH_COMMAND='ssh -Tv'
And run your script.
You will see the same kind of debug log you have in your question.
If not, that means the script is not running with your profile environment settings, which could explain why it works in command-line when done manually, and not through said script.

Can't clone on windows but can clone on linux from Gitlab server

I am trying to clone a repository from a remote Gitlab server over SSH. I am using Gitlab CE version 9.3.9 755bb71 and TortoiseGIT version 2.5.0 and git (for windows) version 2.14.0
SSH Keys are installed correctly as I have tested the authentication using
ssh -vT git#192.168.100.100 -i /path/to/.ssh/key
I get the following message for authentication success using the above key
OpenSSH_7.5p1, OpenSSL 1.0.2k 26 Jan 2017
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Connecting to 192.168.100.100 [192.168.100.100] port 22.
debug1: Connection established.
debug1: identity file /path/to/.ssh/key type 1
debug1: key_load_public: No such file or directory
debug1: identity file /path/to/.ssh/key-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.5
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.6.1
debug1: match: OpenSSH_6.6.1 pat OpenSSH_6.6.1* compat 0x04000000
debug1: Authenticating to 192.168.100.100:22 as 'git'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256#libssh.org
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1305#openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305#openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:fEztD+bNxKRs24poXJMlP0GBAP6Q1dZT80OhQAtDQJE
debug1: Host '192.168.100.100' is known and matches the ECDSA host key.
debug1: Found key in /path/to/.ssh/known_hosts:1
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /path/to/.ssh/key
debug1: Server accepts key: pkalg ssh-rsa blen 535
Enter passphrase for key '/path/to/.ssh/key':
debug1: Authentication succeeded (publickey).
Authenticated to 192.168.100.100 ([192.168.100.100]:22).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions#openssh.com
debug1: Entering interactive session.
debug1: pledge: network
debug1: Remote: Forced command.
debug1: Remote: Port forwarding disabled.
debug1: Remote: X11 forwarding disabled.
debug1: Remote: Agent forwarding disabled.
debug1: Remote: Pty allocation disabled.
debug1: Remote: Forced command.
debug1: Remote: Port forwarding disabled.
debug1: Remote: X11 forwarding disabled.
debug1: Remote: Agent forwarding disabled.
debug1: Remote: Pty allocation disabled.
Welcome to GitLab, John Doe!
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug1: client_input_channel_req: channel 0 rtype eow#openssh.com reply 0
debug1: channel 0: free: client-session, nchannels 1
Transferred: sent 3476, received 3264 bytes, in 2.2 seconds
Bytes per second: sent 1574.0, received 1478.0
debug1: Exit status 0
When I use TortoiseGit on windows to clone a repository I get the following error on the client
Cloning into 'C:\path\folder'...
GitLab: Disallowed command
fatal: Could not read from remote repository.
Please make sure you have the correct access rights
and the repository exists.
On the gitlab server, in the gitlab-shell.log I get the following warning message
WARN -- : gitlab-shell: Attempt to execute disallowed command <git upload-pack '/path/to/repo.git'> by user with key key-1.
But when I try git clone from another linux machine with a different SSH key it's successfull and I get the following info message in gitlab-shell.logon the gitlab server
INFO -- : gitlab-shell: executing git command <gitaly-upload-pack {"repository":{"path":"/very/long/path/to/repo.git"},"gl_id":"key-2"}> for user with key key-2.
I have spent more than 10 hours trying to debug everything and I am not sure what's the difference or where exactly is the problem. I have also tried adding the following in my local .gitconfig file for TortoiseGit but that doesn't change anything.
[remote "origin"]
uploadpack = git-upload-pack
Finally, cloning the same repository over HTTPS works fine, without any problem using a username / password.

Note: I just upgrade to Git 2.14.0 for Windows... and none of the ssh url are working:
> git ls-remote
GitLab: Disallowed command
fatal: Could not read from remote repository.
(with origin being an ssh url)
Another side effect: git-for-windows/git issue 1258
fatal: protocol error: bad line length character: Not
It looks as if BitBucket looks at argv[0] (typically git-upload-pack, with the regression git) to determine whether it is a permitted command.
So I think it is by design that git is rejected while git-upload-pack is not.
Same kind on error on GitLab: gitlab-ce issue 36028.
The pending merge request explicitly restore git-xxx when it detects a git xxx command.
See gitlab_shell.rb#parse_cmd(args)
def parse_cmd(args)
# Handle Git for Windows 2.14 using "git upload-pack" instead of git-upload-pack
if args.length == 3 && args.first == 'git'
#command = "git-#{args[1]}"
args = [#command, args.last]
else
#command = args.first
end
At the Git for Windows side, a fix is in progress: see commit 0f33428
Revert "git_connect: prefer Git's builtins over dashed form"
It would appear that this change (which was intended to fix tests
interacting with local repositories when git-upload-pack was not in the
PATH) regresses on SSH access.
A Git for Windows 2.14.0(2) is in the work and was just released (2017-08-07T11:05:34Z UTC) 30 minutes ago at the time of this edit.
Original answer
If key1 is the same as your /path/to/.ssh/key and does identify John Doe, that should mean John Doe does not have access to that repo (as in here).
Check that key2 is associated with a different user.
If both keys reference the same user, then it is more a local configuration issue (as in this answer).
Check also that your TortoiseGit does use the same key as in your test:
set "GIT_COMMAND_SSH=ssh -v"
# launch TortoiseGit from that CMD session
You will then see what TortoiseGit is using when cloning the repo with an ssh url. You might need to define an .ssh/config file.

Both Bitbucket Server and Gogs are seeing similar problems.
It appears that something changed in git 2.14.0 (possibly only on Windows) that requires either an update to the products or a fix to git.

Cant ssh to a cygwin server

Its getting stuck as you can see.
Below is what verbose connection shows.
[ftpuser#eu9sacovn48 ~]$ ssh -v gmrsops#uscasaciccx82
OpenSSH_4.3p2, OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to uscasaciccx82 [113.130.154.54] port 22.
debug1: Connection established.
debug1: identity file /cpmapps/ftpuser/.ssh/identity type -1
debug1: identity file /cpmapps/ftpuser/.ssh/id_rsa type 1
debug1: identity file /cpmapps/ftpuser/.ssh/id_dsa type -1
debug1: loaded 3 keys
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.6.1
debug1: match: OpenSSH_6.6.1 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.3
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'uscasaciccx82' is known and matches the RSA host key.
debug1: Found key in /cpmapps/ftpuser/.ssh/known_hosts:7
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Trying private key: /cpmapps/ftpuser/.ssh/identity
debug1: Offering public key: /cpmapps/ftpuser/.ssh/id_rsa
debug1: Server accepts key: pkalg ssh-rsa blen 277
debug1: read PEM private key done: type RSA
debug1: Authentication succeeded (publickey).
debug1: channel 0: new [client-session]
debug1: Entering interactive session.
debug1: Sending environment.
debug1: Sending env LANG = en_US.UTF-8
I tried connecting to the server without a key but its still not working.
[ftpuser#eu9sacovn48 ~]$ ssh -o PreferredAuthentications=keyboard-interactive,password -o PubkeyAuthentication=no gmrsops#USCASACICCX82
gmrsops#uscasaciccx82's password:
I can login to cygwin just fine while on local server.

Here's what fixed the issue for me.
Run sshd in debug mode using below command
/usr/sbin/sshd.exe -D -dd
This gave me the below warnings
$ /usr/sbin/sshd.exe -D -dd debug2: load_server_config: filename
/etc/sshd_config debug2: load_server_config: done config len = 285
debug2: parse_server_config: config /etc/sshd_config len 285 debug1:
sshd version OpenSSH_7.5, OpenSSL 1.0.2k 26 Jan 2017
########################################################### #
WARNING: UNPROTECTED PRIVATE KEY FILE! #
###########################################################
Permissions 0770 for '/etc/ssh_host_rsa_key' are too open. It is
required that your private key files are NOT accessible by others.
This private key will be ignored. key_load_private: bad permissions
Could not load host key: /etc/ssh_host_rsa_key
########################################################### #
WARNING: UNPROTECTED PRIVATE KEY FILE! #
###########################################################
Permissions 0770 for '/etc/ssh_host_dsa_key' are too open. It is
required that your private key files are NOT accessible by others.
This private key will be ignored. key_load_private: bad permissions
Could not load host key: /etc/ssh_host_dsa_key
########################################################### #
WARNING: UNPROTECTED PRIVATE KEY FILE! #
###########################################################
Permissions 0770 for '/etc/ssh_host_ecdsa_key' are too open. It is
required that your private key files are NOT accessible by others.
This private key will be ignored. key_load_private: bad permissions
Could not load host key: /etc/ssh_host_ecdsa_key
########################################################### #
WARNING: UNPROTECTED PRIVATE KEY FILE! #
###########################################################
Permissions 0770 for '/etc/ssh_host_ed25519_key' are too open. It is
required that your private key files are NOT accessible by others.
This private key will be ignored. key_load_private: bad permissions
Could not load host key: /etc/ssh_host_ed25519_key sshd: no hostkeys
available -- exiting.
So I changed the permissions of the above files to 600
$ chmod 0600 /etc/ssh_host*
Then the debug command again.
SHA256:4yqAb/GiMfMJPmIXfKz+Zw4fWOCVN7E6vUDHEtokdHk /var/empty must be owned by root and not group or world-writable.
Then change the permission of this folder to 600.
$ chmod 600 /var/empty
This fixed the issue.

Since you're trying to connect to a Windows machine, you may not have an SSH server installed/enabled. Check to make sure SSH is installed and properly configured in your cygwin environment. It is part of the OpenSSH package. More info here.
Edit: See this post where someone had the exact same error.

Git clone via SSH issue

I want to clone a git repository to my ubuntu through ssh, but I'm getting the following error:
Permission denied (publickey). fatal: Could not read from remote
repository.
My public key is added in the agent and I have used it already on Windows but when I tried it on Linux it didn't work.

Every remote git repo is associated with some login that will be performed on the remote system in order to gain access to the repo directory. This login attempt is failing, because (a) your SSH key is not being recognized (or, is not being correctly served by an SSH-agent on your computer), and (b) password-login is not an alternative.
To help diagnose the problem, remove git from the picture. Use git remote -v to find the user/host that is being attempted, and try a direct ssh login to that account. (It will fail.) Diagnose the problem as you would for any similar ssh-only issue. Once you are able to log-in, you will be able to clone.

Git does it's thing over ssh (in your case) or https. It's generally better to debug connection problems using the underlying command and not through Git, you'll get better diagnostics and can use normal ssh debugging techniques.
Try connecting to the same remote just using ssh -v (ssh in verbose mode). If it's git clone git#github.com:schwern/dotfiles.git then try ssh -v git#github.com. Just the user and host. And yes, the user should be git, Github identifies you by your ssh key.
You should get something like this...
$ ssh -v git#github.com
OpenSSH_7.2p1, OpenSSL 1.0.2h 3 May 2016
debug1: Reading configuration data /Users/schwern/.ssh/config
debug1: Reading configuration data /opt/local/etc/ssh/ssh_config
debug1: Connecting to github.com [192.30.253.113] port 22.
debug1: Connection established.
debug1: key_load_public: No such file or directory
debug1: identity file /Users/schwern/.ssh/id_rsa type -1
...a whole lot of ssh looking for your ssh keys...
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /Users/schwern/.ssh/github
debug1: Authentications that can continue: publickey
debug1: Trying private key: /Users/schwern/.ssh/id_rsa
debug1: Trying private key: /Users/schwern/.ssh/id_dsa
...a whole lot of trying ssh keys...
debug1: No more authentication methods to try.
Permission denied (publickey).
The important parts are where it looks for and offers keys. If you don't see your Github key in there, then you need to figure out why. If you do see your Github key in there, then you should check that it is what Github thinks is your key.
What you want to see is this.
$ ssh -v git#github.com
OpenSSH_7.2p1, OpenSSL 1.0.2h 3 May 2016
debug1: Reading configuration data /Users/schwern/.ssh/config
debug1: Reading configuration data /opt/local/etc/ssh/ssh_config
debug1: Connecting to github.com [192.30.253.113] port 22.
debug1: Connection established.
debug1: key_load_public: No such file or directory
debug1: identity file /Users/schwern/.ssh/id_rsa type -1
...ssh finding your keys...
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /Users/schwern/.ssh/github
debug1: Server accepts key: pkalg ssh-rsa blen 279
debug1: Authentication succeeded (publickey).
Authenticated to github.com ([192.30.253.113]:22).
...Yay! You're in!...
debug1: channel 0: new [client-session]
debug1: Entering interactive session.
debug1: pledge: network
debug1: Requesting authentication agent forwarding.
PTY allocation request failed on channel 0
Hi schwern! You've successfully authenticated, but GitHub does not provide shell access.
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug1: channel 0: free: client-session, nchannels 1
Connection to github.com closed.
Transferred: sent 2936, received 1796 bytes, in 0.2 seconds
Bytes per second: sent 13380.7, received 8185.2
debug1: Exit status 1

SSH from Docker image using Drone

I've been trying for far too long to get an SSH command working from Drone, which runs in a Docker container called bb. I've added RUN echo " IdentityFile /root/.ssh/id_rsa" >> /etc/ssh/ssh_config in my Dockerfile per some recommendations in other threads.
I've used docker run -it bb /bin/bash to check that SSH keys are there, and I can successfully SSH into a remote host using that interactive terminal.
However, when I try to do the same command using the .drone.yml build script like this:
image: bb
script:
- whoami
- ssh -vvv -t -t 192.0.2.1 "whoami"
...I get "Permission denied" errors after being bumped down to password-based identification. (The whoami runs inside the container, outputs root, and continues to the ssh command.)
I've boiled down the verbose output to this relevant piece:
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /root/.ssh/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Server accepts key: pkalg ssh-rsa blen 279
debug2: input_userauth_pk_ok: fp f2:...
debug3: sign_and_send_pubkey: RSA f2:...
debug1: key_parse_private2: missing begin marker
debug1: read PEM private key done: type RSA
debug1: Authentications that can continue: publickey,password
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred: ,password
debug3: authmethod_is_enabled password
debug1: Next authentication method: password
...where it clearly says "we did not send a packet, disable method". I've checked the key's fingerprint with ssh-keygen -lf /root/.ssh/id_rsa and it matches the one in the output.
I then watched the auth logs (/var/log/auth.log) on the remote host and I can see my successful tests, but when Drone runs its container the logs report that `RSA_public_decrypt failed'. Here are the logs.
Successful (interactive container) login:
Accepted publickey for root from 192.0.2.1 port 59472 ssh2: RSA f2:...
pam_unix(sshd:session): session opened for user root by (uid=0)
Received disconnect from 192.0.2.1: 11: disconnected by user
pam_unix(sshd:session): session closed for user root
Failed (Drone container) login:
error: RSA_public_decrypt failed: error:04067084:lib(4):func(103):reason(132)
Failed password for root from 192.0.2.1 port 54172 ssh2
Failed password for root from 192.0.2.1 port 54172 ssh2
Connection closed by 192.0.2.1 [preauth]
So it looks like my key is not sent by the Drone container. I've run whoami in the build script, and it reports that it's running as root, which is what I expect.
How can I get this to work?

GOT IT. While digging around in the settings for that repository, I noticed a "Public Key" field:
I tried adding that to the authorized_keys file, and running my .drone.yml, and what do you know - it worked. Went back and checked the docs - it's nowhere to be found. Undocumented super secret field FTW.