/claim #7724

Summary

This PR fixes the sporadic SSH ‘Permission denied (publickey,password)’ errors that occur when Coolify sends the wrong SSH key.

Root Causes Identified

  1. SSH key file validation was inadequate: The validateSshKey method only checked if the key file existed, not whether its content matched the database. If a key was updated in the database but the file was not refreshed, stale/wrong keys would be used.

  2. Server key change did not invalidate multiplexing: When a server's private_key_id was changed to point to a different key, the existing SSH multiplexed connection was not closed. The old connection would continue using the old (now invalid) key.

  3. No key tracking in mux metadata: The multiplexing metadata only tracked connection age, not which SSH key was used. This made it impossible to detect when a connection should be refreshed due to key changes.

Changes Made

app/Helpers/SshMultiplexingHelper.php

  • validateSshKey: Now compares file content with database content and refreshes the key file if there is a mismatch
  • storeConnectionMetadata: Now also stores the SSH key fingerprint used for the connection
  • clearConnectionMetadata: Now also clears the key fingerprint cache
  • isKeyMismatch: New method to detect when the server's current key differs from the one used to establish the multiplexed connection
  • ensureMultiplexedConnection: Now checks for key mismatches before reusing an existing connection

app/Models/Server.php

  • saved event: Now also invalidates the SSH mux connection when private_key_id changes (not just when key content changes)

How This Fixes the Bug

  1. When a user changes a server's SSH key, the multiplexed connection is immediately invalidated
  2. Before reusing any multiplexed connection, we verify the key fingerprint matches
  3. Before using any SSH key file, we verify its content matches the database
  4. Added logging to help diagnose any future SSH key issues

Testing

  • Test changing a server's SSH key and verify connections work immediately
  • Test updating a private key's content and verify all servers using it get fresh connections
  • Test concurrent SSH operations during key changes

Fixes #7724
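
The two checks described in this PR (key file content compared against the database, and a key fingerprint stored with the mux metadata) can be illustrated with the following added example, which is not code from this PR or from Coolify. All function names, the array-based metadata store, the temp-file path and the use of SHA-256 over the key content as the fingerprint are assumptions made for illustration.

```php
<?php
// Added illustration; names, paths and the array-based cache are hypothetical.

/** Fingerprint of key material (assumption: SHA-256 of the stored content). */
function keyFingerprint(string $keyContent): string
{
    return hash('sha256', $keyContent);
}

/** Rewrite the on-disk key file when it is missing or differs from the database copy. */
function refreshKeyFileIfStale(string $path, string $dbKey): bool
{
    $onDisk = is_file($path) ? file_get_contents($path) : false;
    if ($onDisk !== false && hash_equals(keyFingerprint($dbKey), keyFingerprint($onDisk))) {
        return false; // file already matches the database
    }
    // Create the temp file with 0600 before writing, then rename over the target,
    // so ssh never reads a partial or world-readable key.
    $tmp = $path . '.' . bin2hex(random_bytes(4));
    touch($tmp);
    chmod($tmp, 0600);
    file_put_contents($tmp, $dbKey);
    rename($tmp, $path);
    return true;
}

/** A mux connection is reusable only if it was opened with the server's current key. */
function isMuxReusable(array $muxMeta, string $serverId, string $dbKey): bool
{
    $stored = $muxMeta[$serverId]['key_fingerprint'] ?? null;
    return $stored !== null && hash_equals($stored, keyFingerprint($dbKey));
}

// Constructed sample data: placeholder strings, not real key material.
$oldKey = "constructed-key-A\n";
$newKey = "constructed-key-B\n";
$path = sys_get_temp_dir() . '/example_ssh_key_' . getmypid();
file_put_contents($path, $oldKey);
$muxMeta = ['server-1' => ['established_at' => time(), 'key_fingerprint' => keyFingerprint($oldKey)]];

// The database now holds $newKey: the stale file is detected and rewritten,
// and the connection opened with $oldKey is rejected for reuse.
var_dump(refreshKeyFileIfStale($path, $newKey));
var_dump(isMuxReusable($muxMeta, 'server-1', $newKey));
// A second call finds the file already in sync with the database.
var_dump(refreshKeyFileIfStale($path, $newKey));
unlink($path);
```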

Claim

Total prize pool $250
Total paid $0
Status Pending
Submitted February 02, 2026
Last updated February 02, 2026

Contributors

Erdogan Kervanli

@erdogan98

100%

Sponsors

Zach Latta

@zachlatta

$250