[one-users] ssh password less login not function

Amier Anis mymabma at gmail.com
Wed Oct 2 02:02:10 PDT 2013


I don't think that selinux is the issue, as I can ssh password-less
without issue if opennebula is not installed.
I have also tried using "setenforce 0" and still have the same issue. (I tried a
different machine)

[oneadmin@mnode lib]$ /usr/sbin/sestatus
SELinux status:                 disabled


I have tried both letting opennebula-common create the user and creating it
manually. Same issue.
This is how I install opennebula and the components:

yum -y install opennebula-server opennebula-sunstone opennebula-ozones opennebula-gate opennebula-flow opennebula-node-kvm


Yes, I have all the files in ~/.ssh

[oneadmin@mnode .ssh]$ ls -l
total 16
-rw------- 1 oneadmin oneadmin  406 Oct  2 10:19 authorized_keys
-rw------- 1 oneadmin oneadmin   61 Oct  2 03:08 config
-rw------- 1 oneadmin oneadmin 1675 Oct  2 10:19 id_rsa
-rw------- 1 oneadmin oneadmin  406 Oct  2 10:19 id_rsa.pub

I tried ssh -v node01 ... and this error came out. However, this error did not
appear in the first place.

-bash-4.1$ ssh -v 10.86.3.101
OpenSSH_5.3p1, OpenSSL 1.0.0-fips 29 Mar 2010
debug1: Reading configuration data /var/lib/one/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to 10.86.3.101 [10.86.3.101] port 22.
debug1: Connection established.
debug1: identity file /var/lib/one/.ssh/identity type -1
debug1: identity file /var/lib/one/.ssh/id_rsa type 1
debug1: identity file /var/lib/one/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
debug1: match: OpenSSH_5.3 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.3
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host '10.86.3.101' is known and matches the RSA host key.
debug1: Found key in /var/lib/one/.ssh/known_hosts:1
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure.  Minor code may provide more information
Bad format in credentials cache
debug1: Unspecified GSS failure.  Minor code may provide more information
Bad format in credentials cache
debug1: Unspecified GSS failure.  Minor code may provide more information
debug1: Unspecified GSS failure.  Minor code may provide more information
Bad format in credentials cache
debug1: Next authentication method: publickey
debug1: Trying private key: /var/lib/one/.ssh/identity
debug1: Offering public key: /var/lib/one/.ssh/id_rsa
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Trying private key: /var/lib/one/.ssh/id_dsa
debug1: Next authentication method: password


Which is better: should I export /var/lib/one to every worker node, or manually
export to each worker?

Thank you.

Regards & Best Wishes,


*.: Amier Anis :.*
Mobile: +6012-260-0819
On Wed, Oct 2, 2013 at 3:40 PM, Valentin Bud <valentin.bud at gmail.com> wrote:

> Hello Amier,
>
>
> On Wed, Oct 2, 2013 at 10:27 AM, Amier Anis <mymabma at gmail.com> wrote:
>
>> Hi valentin,
>>
>> Yes, I'm using the packages from the opennebula repo and there is no error
>> during install, whether I create oneadmin first before the install or it is
>> automatically created by the installer.
>>
>> yum -y install opennebula-server opennebula-sunstone opennebula-ozones opennebula-gate opennebula-flow opennebula-node-kvm
>>
>>
> The opennebula-common package provides the user oneadmin so no need to
> create it manually. The opennebula-common is required by
> opennebula-server so no need to install it manually.
>
>
>>
>> I have also removed selinux from the system.
>>
>> yum -y remove selinux-policy
>>
>>
> Have you rebooted your system afterwards?
>
>
>>
>> Yes, I have already configured
>> ~/.ssh/config
>>
>> [oneadmin@mnode]$ vi ~/.ssh/config
>> Host *
>>         StrictHostKeyChecking no
>>         UserKnownHostsFile /dev/null
>>         ControlMaster auto
>>         ControlPath /tmp/%r@%h:%p
>>
>
> This looks OK.
>
> I suggest you remove the packages yum -y remove opennebula-\* and remove
> the oneadmin user, rm -rf /var/lib/one, reboot the machine and start
> from scratch. Let the packages deal with user creation. After that on
> mnode you should have the oneadmin public/private keys in
> ~/.ssh and the public key in ~/.ssh/authorized_keys. You can config ssh
> and try to ssh localhost.
>
> WARNING: don't remove the /var/lib/one directory if you have precious data
> in there.
>
> If that doesn't work config sshd to LogLevel DEBUG3 and watch what the
> logs say. Also take a look at /var/log/audit/audit.log.
> It might shed some light.
>
> Good Will,
>
>
>>
>> Thank you.
>>
>> *.: Amier Anis :.*
>> Mobile: +6012-260-0819
>>
>> On Wed, Oct 2, 2013 at 2:58 PM, Valentin Bud <valentin.bud at gmail.com> wrote:
>>
>>> Hello Amier,
>>>
>>>
>>> On Wed, Oct 2, 2013 at 9:16 AM, Amier Anis <mymabma at gmail.com> wrote:
>>>
>>>> *Hi Guys,*
>>>>
>>>> I'm having an issue with ssh password-less login not functioning correctly.
>>>> It works with a fresh install of CentOS 6.4 before installing opennebula. Once
>>>> opennebula is started, it doesn't work any more. The worker nodes can log in
>>>> password-less without any issue, but the management node can't log in to
>>>> the worker nodes.
>>>>
>>>
>>> I see you're using CentOS as OS. Have you installed OpenNebula from
>>> packages [1]? Have you configured SSH as
>>> pointed out in [1]? I mean the
>>> ~/.ssh/config part.
>>>
>>> Another important aspect is SELINUX. Is it on or off? If it is on, check the
>>> /var/lib/one/.ssh context; it should have ssh_home_t as label.
>>> You can accomplish that using
>>> chcon -R -t ssh_home_t /var/lib/one/.ssh as either oneadmin or root.
>>>
>>>
>>>>
>>>> At the first attempt, I installed opennebula and then set up ssh-keygen for
>>>> oneadmin (created during installation), and I have also tried to create
>>>> oneadmin first and then install opennebula, but both failed.
>>>>
>>>
>>>> If the mgmt server can ssh password-less to the workers, then the mgmt
>>>> server can't ssh to itself, as the mgmt server also has the VM.
>>>>
>>>
>>> I suggest you install OpenNebula from packages and work your way up from
>>> there. Don't forget to check the SELINUX context of oneadmin's ~/.ssh and
>>> either SSH to
>>> hosts in advance or configure SSH via ~/.ssh/config to allow connections
>>> without StrictHostKeyChecking.
>>>
>>>
>>>>
>>>> *My Setup*
>>>>
>>>>    1. I only export and share /var/lib/one/datastores to every worker
>>>>    2. authorized_keys has been exported to every worker and vice versa.
>>>>    3. declared every hostname in /etc/hosts
>>>>
>>>> Is there any issue or thing that I need to look into?
>>>>
>>>> Thank you.
>>>>
>>> If you need more help in the future be sure to come back and ask for it
>>> :). Enjoy.
>>>
>>>
>>>>
>>>>
>>>>
>>>> *.: Amier Anis :.*
>>>> Mobile: +6012-260-0819
>>>>
>>>
>>> [1]:
>>> http://opennebula.org/documentation:rel4.2:ignc#centos_platform_notes
>>>
>>>
>>> Good Will,
>>> --
>>> Valentin Bud
>>> http://databus.pro | valentin at databus.pro
>>>
>>
>>
>
>
> --
> Valentin Bud
> http://databus.pro | valentin at databus.pro
>
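
Reading the `ssh -v` trace in the message above: the sketch below is an added example, not code from the thread or from OpenNebula, that classifies each identity file by what the client log says happened to it. The function names are hypothetical and the sample is the authentication part of the posted trace, abridged, with wrapped lines rejoined.

```python
import re

# Authentication part of the client trace from the message above (abridged).
SAMPLE_TRACE = """\
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug1: Next authentication method: publickey
debug1: Trying private key: /var/lib/one/.ssh/identity
debug1: Offering public key: /var/lib/one/.ssh/id_rsa
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Trying private key: /var/lib/one/.ssh/id_dsa
debug1: Next authentication method: password
"""

# Tolerates an algorithm word before "public key".
ATTEMPT = re.compile(r"debug1: (?:Offering (?:\w+ )?public key|Trying private key): (\S+)")
ACCEPTED = ("debug1: Server accepts key", "debug1: Authentication succeeded")
REFUSED = "debug1: Authentications that can continue"

def classify_key_attempts(trace):
    """Map each identity file named in an `ssh -v` trace to what happened to it."""
    outcome, pending = {}, None
    for line in (raw.strip() for raw in trace.splitlines()):
        attempt = ATTEMPT.match(line)
        if attempt or line.startswith("debug1: Next authentication method"):
            # The client moved on without a server reply: nothing was sent for this key.
            if pending:
                outcome[pending] = "not sent"
            pending = attempt.group(1) if attempt else None
        elif pending and line.startswith(ACCEPTED):
            outcome[pending], pending = "accepted", None
        elif pending and line.startswith(REFUSED):
            outcome[pending], pending = "rejected by server", None
    if pending:
        outcome[pending] = "not sent"
    return outcome

def diagnose(outcome):
    """Say which side of the connection to investigate."""
    results = set(outcome.values())
    if "accepted" in results:
        return "ok: a key was accepted"
    if "rejected by server" in results:
        return "server: key offered but refused; check the remote authorized_keys and sshd log"
    return "client: no key was sent; check that the identity files exist and are readable"

if __name__ == "__main__":
    for path, result in classify_key_attempts(SAMPLE_TRACE).items():
        print(f"{result:20} {path}")
    print(diagnose(classify_key_attempts(SAMPLE_TRACE)))
```

On the posted trace only id_rsa reaches the server and it is refused, which is why the sshd-side log at LogLevel DEBUG3 suggested in the quoted reply is the next place to look.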