[one-users] SSH key exchange failing for InM
Olivier Sallou
olivier.sallou at irisa.fr
Mon Aug 5 03:59:58 PDT 2013
On 08/05/2013 12:40 PM, Pierre Naude wrote:
> Hi Olivier,
>
> No - as per the docs the key is not password protected.
>
> Also neither of the systems are configured to use ssh-agent
> (ForwardAgent is set to no and SSH_AUTH_SOCK never gets set).
>
> From the command line it works whether I force the key or not:
>
> [oneadmin at rtfwops1 ~]$ ssh -v -i /var/lib/one/.ssh/id_dsa
> oneadmin at rtfwops2
> OpenSSH_5.3p1, OpenSSL 1.0.0-fips 29 Mar 2010
> debug1: Reading configuration data /etc/ssh/ssh_config
> debug1: Applying options for *
> debug1: Connecting to rtfwops2 [xxx.xxx.xxx.138] port 22.
> debug1: Connection established.
> debug1: identity file /var/lib/one/.ssh/id_dsa type 2
> debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
> debug1: match: OpenSSH_5.3 pat OpenSSH*
> debug1: Enabling compatibility mode for protocol 2.0
> debug1: Local version string SSH-2.0-OpenSSH_5.3
> debug1: SSH2_MSG_KEXINIT sent
> debug1: SSH2_MSG_KEXINIT received
> debug1: kex: server->client aes128-ctr hmac-md5 none
> debug1: kex: client->server aes128-ctr hmac-md5 none
> debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
> debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
> debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
> debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
> debug1: Host 'rtfwops2' is known and matches the RSA host key.
> debug1: Found key in /var/lib/one/.ssh/known_hosts:1
> debug1: ssh_rsa_verify: signature correct
> debug1: SSH2_MSG_NEWKEYS sent
> debug1: expecting SSH2_MSG_NEWKEYS
> debug1: SSH2_MSG_NEWKEYS received
> debug1: SSH2_MSG_SERVICE_REQUEST sent
> debug1: SSH2_MSG_SERVICE_ACCEPT received
> debug1: Authentications that can continue:
> publickey,gssapi-keyex,gssapi-with-mic,password
> debug1: Next authentication method: publickey
> debug1: Offering public key: /var/lib/one/.ssh/id_dsa
> debug1: Server accepts key: pkalg ssh-dss blen 434
> debug1: read PEM private key done: type DSA
> debug1: Authentication succeeded (publickey).
> debug1: channel 0: new [client-session]
> debug1: Requesting no-more-sessions at openssh.com
> debug1: Entering interactive session.
> debug1: Sending environment.
> debug1: Sending env LANG = en_US.UTF-8
> Last login: Mon Aug 5 11:37:43 2013 from xxx.xxx.xxx.138
> [oneadmin at rtfwops2 ~]$ debug1: client_input_channel_req: channel 0
> rtype exit-status reply 0
> debug1: client_input_channel_req: channel 0 rtype eow at openssh.com
> reply 0
> debug1: channel 0: forcing write
> logout
> debug1: channel 0: free: client-session, nchannels 1
> Connection to rtfwops2 closed.
> Transferred: sent 2992, received 3064 bytes, in 25.6 seconds
> Bytes per second: sent 116.7, received 119.5
> debug1: Exit status 0
>
> [oneadmin at rtfwops1 ~]$ ssh -v oneadmin at rtfwops2
> OpenSSH_5.3p1, OpenSSL 1.0.0-fips 29 Mar 2010
> debug1: Reading configuration data /etc/ssh/ssh_config
> debug1: Applying options for *
> debug1: Connecting to rtfwops2 [xxx.xxx.xxx.138] port 22.
> debug1: Connection established.
> debug1: identity file /var/lib/one/.ssh/identity type -1
> debug1: identity file /var/lib/one/.ssh/id_rsa type -1
> debug1: identity file /var/lib/one/.ssh/id_dsa type 2
> debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
> debug1: match: OpenSSH_5.3 pat OpenSSH*
> debug1: Enabling compatibility mode for protocol 2.0
> debug1: Local version string SSH-2.0-OpenSSH_5.3
> debug1: SSH2_MSG_KEXINIT sent
> debug1: SSH2_MSG_KEXINIT received
> debug1: kex: server->client aes128-ctr hmac-md5 none
> debug1: kex: client->server aes128-ctr hmac-md5 none
> debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
> debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
> debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
> debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
> debug1: Host 'rtfwops2' is known and matches the RSA host key.
This is fine for host match here, but not in your previous log:
"Mon Aug 5 11:48:10 2013 [InM][I]: Host key verification failed."
Could be known_host issue but it should fail via command line too.
> debug1: Found key in /var/lib/one/.ssh/known_hosts:1
> debug1: ssh_rsa_verify: signature correct
> debug1: SSH2_MSG_NEWKEYS sent
> debug1: expecting SSH2_MSG_NEWKEYS
> debug1: SSH2_MSG_NEWKEYS received
> debug1: SSH2_MSG_SERVICE_REQUEST sent
> debug1: SSH2_MSG_SERVICE_ACCEPT received
> debug1: Authentications that can continue:
> publickey,gssapi-keyex,gssapi-with-mic,password
> debug1: Next authentication method: publickey
> debug1: Trying private key: /var/lib/one/.ssh/identity
> debug1: Trying private key: /var/lib/one/.ssh/id_rsa
> debug1: Offering public key: /var/lib/one/.ssh/id_dsa
> debug1: Server accepts key: pkalg ssh-dss blen 434
> debug1: read PEM private key done: type DSA
> debug1: Authentication succeeded (publickey).
> debug1: channel 0: new [client-session]
> debug1: Requesting no-more-sessions at openssh.com
> debug1: Entering interactive session.
> debug1: Sending environment.
> debug1: Sending env LANG = en_US.UTF-8
> Last login: Mon Aug 5 12:21:57 2013 from xxx.xxx.xxx.137
> [oneadmin at rtfwops2 ~]$
>
> HTH
>
> Pierre
>
>
>
>
> On 5 August 2013 12:19, Olivier Sallou <olivier.sallou at irisa.fr> wrote:
>
>
> On 08/05/2013 11:59 AM, Pierre Naude wrote:
>> Good Morning,
>>
>> I'm busy setting up a proof-of-concept using ONE and have run
>> into a problem adding hosts to the server.
>>
>> My ONE server is a Centos 6.4 installation, and so is the host
>> I'm adding to the server.
>>
>> I am able to ssh successfully without password from the server to
>> the host as root and oneadmin and vice versa (I have also made
>> sure the servers can connect to themselves without password).
>>
>> The problem is that the one server monitoring process is failing
>> to ssh passwordlessly from the server to the host:
>>
>> Debug from the server:
>>
>> Mon Aug 5 11:48:10 2013 [InM][I]: Monitoring host
>> rtfwops2.rorotika (7)
>> Mon Aug 5 11:48:10 2013 [InM][I]: Command execution fail: 'if [
>> -x "/var/tmp/one/im/run_probes" ]; then
>> /var/tmp/one/im/run_probes kvm 7 rtfwops2.rorotika;
>> else exit 42; fi'
>> Mon Aug 5 11:48:10 2013 [InM][I]: debug1: Connecting to
>> rtfwops2.rorotika [xxx.xxx.xxx.138] port 22.
>> Mon Aug 5 11:48:10 2013 [InM][I]: debug1: Connection established.
>> Mon Aug 5 11:48:10 2013 [InM][I]: debug1: identity file
>> /var/lib/one/.ssh/identity type -1
>> Mon Aug 5 11:48:10 2013 [InM][I]: debug1: identity file
>> /var/lib/one/.ssh/id_rsa type -1
>> Mon Aug 5 11:48:10 2013 [InM][I]: debug1: identity file
>> /var/lib/one/.ssh/id_dsa type 2
>> Mon Aug 5 11:48:10 2013 [InM][I]: debug1: Remote protocol
>> version 2.0, remote software version OpenSSH_5.3
>> Mon Aug 5 11:48:10 2013 [InM][I]: debug1: match: OpenSSH_5.3 pat
>> OpenSSH*
>> Mon Aug 5 11:48:10 2013 [InM][I]: debug1: Enabling compatibility
>> mode for protocol 2.0
>> Mon Aug 5 11:48:10 2013 [InM][I]: debug1: Local version string
>> SSH-2.0-OpenSSH_5.3
>> Mon Aug 5 11:48:10 2013 [InM][I]: debug1: SSH2_MSG_KEXINIT sent
>> Mon Aug 5 11:48:10 2013 [InM][I]: debug1: SSH2_MSG_KEXINIT received
>> Mon Aug 5 11:48:10 2013 [InM][I]: debug1: kex: server->client
>> aes128-ctr hmac-md5 none
>> Mon Aug 5 11:48:10 2013 [InM][I]: debug1: kex: client->server
>> aes128-ctr hmac-md5 none
>> Mon Aug 5 11:48:10 2013 [InM][I]: debug1:
>> SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
>> Mon Aug 5 11:48:10 2013 [InM][I]: debug1: expecting
>> SSH2_MSG_KEX_DH_GEX_GROUP
>> Mon Aug 5 11:48:10 2013 [InM][I]: debug1:
>> SSH2_MSG_KEX_DH_GEX_INIT sent
>> Mon Aug 5 11:48:10 2013 [InM][I]: debug1: expecting
>> SSH2_MSG_KEX_DH_GEX_REPLY
>> Mon Aug 5 11:48:10 2013 [InM][I]: debug1: read_passphrase: can't
>> open /dev/tty: No such device or address
> It seems it expects to get your passphrase here. I think your key
> is password protected (and this is fine).
> When you made your connection tests, are you sure you used the
> oneadmin user key (and not one loaded via ssh-agent or something
> like that)?
>
> Olivier
>
>> Mon Aug 5 11:48:10 2013 [InM][I]: Host key verification failed.
>> Mon Aug 5 11:48:10 2013 [InM][I]: ExitCode: 255
>> Mon Aug 5 11:48:10 2013 [ONE][E]: Error monitoring Host
>> rtfwops2.rorotika (7): -
>>
>> Debug from the host:
>>
>> Aug 5 11:48:10 rtfwops2 sshd[2301]: debug1: Forked child 11777.
>> Aug 5 11:48:10 rtfwops2 sshd[11777]: Set
>> /proc/self/oom_score_adj to 0
>> Aug 5 11:48:10 rtfwops2 sshd[11777]: debug1: rexec start in 5
>> out 5 newsock 5 pipe 7 sock 8
>> Aug 5 11:48:10 rtfwops2 sshd[11777]: debug1: inetd sockets after
>> dupping: 3, 3
>> Aug 5 11:48:10 rtfwops2 sshd[11777]: Connection from
>> 172.28.200.137 port 52989
>> Aug 5 11:48:10 rtfwops2 sshd[11777]: debug1: Client protocol
>> version 2.0; client software version Open
>> SSH_5.3
>> Aug 5 11:48:10 rtfwops2 sshd[11777]: debug1: match: OpenSSH_5.3
>> pat OpenSSH*
>> Aug 5 11:48:10 rtfwops2 sshd[11777]: debug1: Enabling
>> compatibility mode for protocol 2.0
>> Aug 5 11:48:10 rtfwops2 sshd[11777]: debug1: Local version
>> string SSH-2.0-OpenSSH_5.3
>> Aug 5 11:48:10 rtfwops2 sshd[11778]: debug1:
>> permanently_set_uid: 74/74
>> Aug 5 11:48:10 rtfwops2 sshd[11778]: debug1: list_hostkey_types:
>> ssh-rsa,ssh-dss
>> Aug 5 11:48:10 rtfwops2 sshd[11778]: debug1: SSH2_MSG_KEXINIT sent
>> Aug 5 11:48:10 rtfwops2 sshd[11778]: debug1: SSH2_MSG_KEXINIT
>> received
>> Aug 5 11:48:10 rtfwops2 sshd[11778]: debug1: kex: client->server
>> aes128-ctr hmac-md5 none
>> Aug 5 11:48:10 rtfwops2 sshd[11778]: debug1: kex: server->client
>> aes128-ctr hmac-md5 none
>> Aug 5 11:48:10 rtfwops2 sshd[11778]: debug1:
>> SSH2_MSG_KEX_DH_GEX_REQUEST received
>> Aug 5 11:48:10 rtfwops2 sshd[11778]: debug1:
>> SSH2_MSG_KEX_DH_GEX_GROUP sent
>> Aug 5 11:48:10 rtfwops2 sshd[11778]: debug1: expecting
>> SSH2_MSG_KEX_DH_GEX_INIT
>> Aug 5 11:48:10 rtfwops2 sshd[11778]: debug1:
>> SSH2_MSG_KEX_DH_GEX_REPLY sent
>> Aug 5 11:48:10 rtfwops2 sshd[11778]: debug1: SSH2_MSG_NEWKEYS sent
>> Aug 5 11:48:10 rtfwops2 sshd[11778]: debug1: expecting
>> SSH2_MSG_NEWKEYS
>> Aug 5 11:48:10 rtfwops2 sshd[11778]: Connection closed by
>> xxx.xxx.xxx.137
>> Aug 5 11:48:10 rtfwops2 sshd[11778]: debug1: do_cleanup
>> Aug 5 11:48:10 rtfwops2 sshd[11777]: debug1: do_cleanup
>>
>> When I run a script from oneadmin's cron on the server it can also
>> ssh successfully without password - I don't think this is a key
>> issue.
>>
>> Any suggestions?
>>
>> Thanks
>>
>> Pierre
>>
>> --
>> Pierre Naude
>> Rorotika Technologies
>>
>> e-mail: pierre.naude at rorotika.com
>> Tel.: +27-11-568-0805
>> Cell.: +27-82-901-9609
>> Skype: pierre_naude
>> Google Hangouts: pierre.naude at rorotika.com
>>
>>
>> _______________________________________________
>> Users mailing list
>> Users at lists.opennebula.org
>> http://lists.opennebula.org/listinfo.cgi/users-opennebula.org
>
> --
> Olivier Sallou
> IRISA / University of Rennes 1
> Campus de Beaulieu, 35000 RENNES - FRANCE
> Tel: 02.99.84.71.95
>
> gpg key id: 4096R/326D8438 (keyring.debian.org)
> Key fingerprint = 5FB4 6F83 D3B9 5204 6335 D26D 78DC 68DB 326D 8438
>
>
>
>
> --
> Pierre Naude
> Rorotika Technologies
>
> e-mail: pierre.naude at rorotika.com
> Tel.: +27-11-568-0805
> Cell.: +27-82-901-9609
> Skype: pierre_naude
> Google Hangouts: pierre.naude at rorotika.com
--
Olivier Sallou
IRISA / University of Rennes 1
Campus de Beaulieu, 35000 RENNES - FRANCE
Tel: 02.99.84.71.95
gpg key id: 4096R/326D8438 (keyring.debian.org)
Key fingerprint = 5FB4 6F83 D3B9 5204 6335 D26D 78DC 68DB 326D 8438
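
In the logs quoted above, the InM probe connects to rtfwops2.rorotika while both command-line tests connect to rtfwops2. The following is an added example, not part of the thread or of OpenNebula: it checks which host names a known_hosts file covers, including hashed (HashKnownHosts) entries; a name with no entry makes ssh ask for confirmation, which a daemon without a terminal cannot answer. The sample file and its key blobs are constructed, and the function names are hypothetical.

```python
import base64, fnmatch, hashlib, hmac

def _hashed(salt: bytes, host: str) -> str:
    """Build a hashed host field: |1|b64(salt)|b64(HMAC-SHA1(salt, host))."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(),
                         base64.b64encode(mac).decode())

def host_field_matches(field: str, host: str) -> bool:
    """True if one known_hosts host field covers `host` (already lowercased)."""
    if field.startswith("|1|"):
        _, _, salt_b64, mac_b64 = field.split("|")
        mac = hmac.new(base64.b64decode(salt_b64), host.encode(),
                       hashlib.sha1).digest()
        return hmac.compare_digest(mac, base64.b64decode(mac_b64))
    matched = False
    for pat in field.split(","):          # plain entries: comma-separated patterns
        if pat.startswith("!"):
            if fnmatch.fnmatchcase(host, pat[1:]):
                return False              # a negated pattern vetoes the whole line
        elif fnmatch.fnmatchcase(host, pat):
            matched = True
    return matched                        # "[host]:port" entries are not handled here

def known_hosts_lookup(text: str, host: str):
    """Return (line_no, key_type) for every entry covering `host`."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        parts = line.split()
        # Skip blanks, comments and @cert-authority/@revoked marker lines.
        if not parts or parts[0][0] in "#@":
            continue
        if len(parts) >= 2 and host_field_matches(parts[0], host.lower()):
            hits.append((n, parts[1]))
    return hits

# Constructed sample: only the short name has an entry, as in known_hosts:1 above.
SAMPLE = "\n".join([
    "# constructed sample; key blobs are placeholders",
    "rtfwops2 ssh-rsa AAAAB3NzaC1yc2EAAAAconstructed",
    _hashed(b"constructed-salt-001", "rtfwops1") + " ssh-rsa AAAAB3NzaC1yc2EAAAAconstructed",
])

if __name__ == "__main__":
    for name in ("rtfwops2", "rtfwops2.rorotika", "rtfwops1"):
        hits = known_hosts_lookup(SAMPLE, name)
        print(name, "->", hits or "no entry: ssh would prompt for confirmation")
```

To run it against a real file, pass the contents of /var/lib/one/.ssh/known_hosts as `text` and use the exact host name registered in OpenNebula as `host`.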