I have 15 instances running with same security group, however I can SSH into some of them but not the others. I received "Permission denied (publickey)" message for those instances. I also confirm that all instances are using the same public key and I try to ssh into all of them with the same private key.
What do I miss?
Thank you for helping out!
If you are getting "Permission denied (publickey)", it is not a security group issue. It is most likely one of the following:
You didn't specify the public key to use when launching some of the instances.
There was a problem with the metadata service on some of the instances which meant that cloud-init was unable to retrieve the public key.
You are using the wrong credentials; e.g. the admin account name is different on the different instances. (The default is OS dependent.)
You have multiple keys in your ~/.ssh directory and they are being tried in the wrong order. If you have fail2ban set up on the server side, each time that the client supplies a key counts as a login attempt. You can hit the limit before you tried the key that is going to work.
If you look at the respective instance's console log from their first boot, you can see which public keys were actually used. This can be used to diagnose 1 and 2.
For 3, check the OS documentation.
For 4, try using the ssh command's -i option to specify the path to the private key file.
There are other possibilities; e.g. if you launched instances from a non-pristine image / snaphot.
Reference:
Troubleshooting SSH access to a NeCTAR instance
Related
When I am using paramiko 2.4.0, I continue to receive errors like this:
SSHException: not a valid OPENSSH private key file
While I can use the key to ssh to the machine, and the remote is reachable.
The key is generated by:
ssh-keygen -t rsa
Then I copy the public key to the remote machine:(the path can be private key, too, it is the same)
ssh-copy-id -i /path/to/public/key root#remote_host
Why?
It turns out that the mechanism of detecting key errors in paramiko is... too simple, sometimes naive. As indicated by #340 and #387, there are some known issues.
At last it turned out that it is not the problem of the key; the message is confusing. It is problem of username/permission/duplication.
paramiko will try to login with the user you use in the key, because it assumes that user also exists on the remote machine. But I think this logic is wrong, because basically when you use cryptography login, you don't need a username; you have the private key and the server has the public key, and that's all what it requires.
Imagine this scenario: you generate a key with Windows, and you are john here, your public key will have john#myhost in the authorized_keys file. When you connect() without username, you actually are login with john in another Linux machine, which may not have this user. If you are on a Linux, it is better, because if you generate the key with root, in another machine it has root, too, and root may have the correct permission on the public key file.
So, at last, I was able to solve the problem by:
in the remote machine, examine authorized_keys file to eliminate any duplicated lines of same user#host.
after generating the public key, change it so that user in it is a valid user on remote machine. Yes it seems strange, but it is how paramiko works. Then copy it to remote.
when calling connect(), pass in the username arg to be the same username you put in the public key.
make sure the user you used in public key has right permission on the authorized_keys file, and its parent .ssh folder. At least r permission.
During vm creation in openstack, one can specify a keypair name, so that the specified public key get injected to the newly created vm.
I would like to know in which state of machine the key injection is done, completely? Given the machine is in ACTIVE state, does that guarantee that the key injection is completed?
Details:
I have a limited quota for the key pairs and I would like to delete each keypair from openstack immediately after they get injected to the target machine. I have only access to openstack ReST API and NOT to the target vm.
UPDATE
Looking at nova instances table, I can see that "key name" and "key data" are existing there too. I think the key is copied to this table and then the original key is not referenced any more. So deleting the key shouldn't cause any issue. am I wrong?
What you can do is try a ssh connection and once that succeeds, proceed to delete the keypair.
To answer your question directly, the key is added via the cloud-init. You can grep for ssh in /var/log/cloud-init.log to see when exactly it happens. (It happens pretty early in the cloud-init process).
I don't think there is any API way of figuring out when exactly the key injection happens. Machine in ACTIVE state is not a guarantee that cloud-init part of key injection is done (though for practical purposes, it does happen pretty early).
You could try checking it via nova console-log. Though the output of console-log has limited buffer, so it may overshoot the key addition part and hence you may not see it in console log.
So, I think checking via actual ssh connection is the only sure shot way.
i have a Cloudstack 4.2.1 here and would like my VMs to boot from time and shutdown at a scheduled time.
Hence i was thinking if i could integrate Cloudmonkey with CronTab together.
Firstly by creating a Cloudmonkey Script or API call then using crontab to run it at a specific time.
However i have problems creating a Cloudmonkey script/API call...
i haved googled and found this link
http://dlafferty.blogspot.sg/2013/07/using-cloudmonkey-to-automate.html
and had a result of
apiresult=cloudmonkey api stop virtualmachine id="'e10bdf21-2d5c-4277-9d8d-791b82b9e3be'"
unfortunately when i entered this command, nothing happened. If anyone could have an alternative suggestion or rather my API call command is wrong, please correct me and help
Thank you.
CloudMonkey requires some setup before it works (e.g. setting your API key).
Check [1] for the documentation for CloudMoney and follow through the Usage section to setup your environment.
Once your setup is complete and you can interact with CloudStack via CloudMonkey, you should take into account that the VM ids might change, so before you issue a command for a VM, you should first find the correct id, by listing the VMs and picking the right one.
Also, if you run into trouble, post the relevant log from CLoudStack management server (typically in /var/log/cloudstack/management/management-server.log).
[1] - https://cwiki.apache.org/confluence/display/CLOUDSTACK/CloudStack+cloudmonkey+CLI
Edit: If you have a working connection via CloudMonkey to CloudStack, you need to configure CloudMonkey in the same way in your shell script. For instance when you configured CloudMonkey you probably set a host, a port and your api and secret keys. So for your scrip to work you need to provide the same configuration to CloudMonkey prior to issuing the commands. My best guess is to use the -c option and provide a config file to set all the relevant parameters (e.g. api an secret key). cloudmonkey -c CONFIG_FILE ....
Edit2: You don't actually need to re-configure cloudmonkey in your script because it will remember your config from the interactive session. I would still advise you to do it, because your script gets more reliable. I've just made an example script like this:
#! /bin/bash
result=$(cloudmonkey list users)
echo $result
Result:
> ./tmp.sh
count = 1 user: id = 678e3a24-082c-11e4-86de-acbdb2423647 account = admin accountid = 678dffe6-082c-11e4-86de-acbdb2423647 accounttype = 1 apikey = T6sDBIpytyJ4_PMgNXYi8YgjMtwTiiDjijbXNB1J78EAZq2foKhCoGKjgJnej5tMaHM0LUvejgTddkhVU63wdw created = 2014-07-10T16:19:13+0200 domain = ROOT domainid = 678dd7b4-082c-11e4-86de-acbdb2423647 email = admin#mailprovider.com firstname = Admin iscallerchilddomain = False isdefault = True lastname = User secretkey = dzOPRecI5vvEVK7Vie2D0tDsQGXunUnpIAczbXnPI3sfMwQ-upWL_bPOisEYg4C-nXi-ldQno2KVZbVR-5NmVw state = enabled username = admin
Maybe you forgot to echothe result?
I'm trying to add a new user to my Ubuntu system and give them SSH access, using public/private key to log in. But I can't seem to get it to work.
Used putty gen to generate a public / private key pair. Then copied the public key into their homedir/.ssh/authorized_keys. But when I load the private key into Pageant in my windows session and try to use putty to get in, I am getting "Disconnected: No supported authentication methods available".
The funny thing is, If i put the same public key in the existing user's ./.ssh/authorized_keys file, I can log on using that user. This was set up by someone before me who I can't contact now though, so I don't know what the difference is.
If I check the etc/ssh/sshd_config file, the AuthorizedKeysFile line is commented out.
#AuthorizedKeysFile %h/.ssh/authorized_keys
BUt even if I put it back in and restart ssh service it still doesn't work (though I didn't think would solve it because why would the current user work)
Is there anything I can do?
Read the sshd daemon's error messages in your system log (auth.log or security.log or some such).
My guess would be that the directory and/or file permissions on .ssh or .ssh/authorized_keys are too permissive (insecure) in the new user's home. This should fix it if this is the problem:
chmod 700 .ssh
chmod 644 .ssh/authorized_keys
I am getting this error while connecting to IBM MQ. I know that this is because of privileges, but is there any way just to check the connection with IBM MQ?
Please suggest.
The 2035 suggests that your connection is getting to the QMgr. If you had the wrong channel name, host or port you would get back a 2059. The 2035 means that the connection made it to the listener, found a channel of the name that was requested and attempted a connection.
If you want to test past this point it will be necessary to either authorize the ID that you are using to connect or to put an authorized ID in the MCAUSER attribute of the channel.
For a detailed explanation of how the WMQ security works on client channels, see the WMQ Base Hardening presentation at http://t-rob.net/links.
If you enable authorization messages then the 2035 will show up in the event queue. Then you can look at the message and see what ID was used to connect and what options were used too. The 2035 might be because you asked for set authority on the queue manager or something else you aren't supposed to have. The authorization messages wil show you that.
You can also resolve this By setting mcauser('mqm') .. i was able to overcome 2035 error.
Define channel (channel1) chltype (svrconn) trptype (tcp) mcauser(‘mqm’)
Esp thanx to my SENIOR Bilal Ahmad (PSE)
You have to check the privileges with an MQ administrator.
You can use dspmqaut to check the grant.
Below is the sample to give user poc access to Queue Manager QM1 and Queue LQ1
# check the access right of user POC to QM1
dspmqaut -m QM1 -n LQ1 -t q -p poc
# if you want to give access, you should use
setmqaut -m QM1 -n LQ1 -t q -p poc <access Types>
# eg (put everything - in the real live scenario, choose only what you want to grant) :
setmqaut -m QM1 -n LQ1 -t q -p poc +put +get +browse +inq +set +crt +dlt +chg +dsp +passid +setid +setall +clr
Then dont forget to restart QM1 with
endmqm -i QM1
strmqm QM1
Finally, you should be able to proceed without error 2035.
I have been struggling with this for ages too. Eventually I found this solution. (If you can call turning off authentication a solution.)
I am using version
- IBM Websphere 9.1.0.201807091223
From IBM's website they advise turning connection authentication off!!!
Resolving the problem Disable channel authentication
You will need to disable connection authentication, at least
temporarily. There are known issues in FTM for Check with regard to
using MQ connection authorization. These problems are actively being
addressed and fixes will appear in a future fix pack. The target is
fixpack 3.0.0.8.
Steps to disable connection authentication: Open MQ command console
and type runmqsc ALTER
AUTHINFO(SYSTEM.DEFAULT.AUTHINFO.IDPWOS) AUTHTYPE(IDPWOS)
CHCKCLNT(NONE) CHCKLOCL(NONE) Restart the queue manager for this
change to take effect.
Source http://www-01.ibm.com/support/docview.wss?uid=swg21962081
On this topic if you are using MQSeries 9.1 in a test or development environment you can disable channel authentication with the following approach :
. Launch MQ command line utility with the following :
runmqsc (for example runmqsc QM1)
. Disable authentication for all channels with the following command
ALTER QMGR CHLAUTH (DISABLED)
For a Q/Q-manager running on Windows, you may have to create the user on the Q/Q-manager machine [i.e. create a user on the Q-machine to match the user on the Q-client machine], and then add that user to the 'mqm' group on that machine.
Steps:
Ensure that the domain user that is being used to create the Q CLIENT [i.e. the user that the Q-client app is running under] also exists on the box with the Q/Q-manager. You may be able to just create a local user on the Q/Q-manager box [, or you may have to do some more complicated creation of an Active Directory user - I can't help you there].
On the Q/Q-manager box, add the user you have just created [or the existing one, if it already exists] to the mqm group. [On a Windows server box you will need to use the Microsoft Management Console (1. 'mmc' from the command line, 2. File > Add/Remove SnapOn > Local Users & Groups, 3. add user to group)]. The 'mqm' group should already exist on the Q/Q-manager machine.
Error MQRC 2035 basically means that your application has been able to connect to the queue manager, however due to certain absence of permissions/authorizations, it was unable to put/get/publish/subscribe messages.
To resolve this, at first, try these steps in order to disable the authorizations from queue manager and channel. Use this only if it isn't a production queue manager.
Always check the queue manager logs. It tells you exactly where you need to look into, and resolve the issue.
In this case, generally, you can issue the following commands after doing a runmqsc on the queue manager :
ALTER QMGR CHLAUTH(DISABLED)
Then set the chckclnt object(under authinfo) to optional
DISPLAY QMGR CONNAUTH
DISPLAY AUTHINFO(name-from-above) ALL //name from the first commands
ALTER AUTHINFO(name-from-above) AUTHTYPE(IDPWOS) ADOPTCTX(YES)
ALTER AUTHINFO(name-from-above) AUTHTYPE(IDPWOS) CHCKCLNT(OPTIONAL)
REFRESH SECURITY TYPE(CONNAUTH)
SET CHLAUTH('*') TYPE(BLOCKUSER) ACTION(REMOVEALL)
This helps remove any blocks that the channel is creating against any user.
SET CHLAUTH(your channel name) TYPE(ADDRESSMAP) ADDRESS('*') USERSRC(CHANNEL)
This should resolve your issue, since we have disabled every authorization that an application has to pass in order to do anything on a queue manager.
Now, in case you are using a production queue manager, NEVER remove authorizations.
Go, and right click on any QM that you have configured in your MQ explorer. Go to the QM authority, and authority records. Click on create new user, and give the same name as the username your application is using. Select all the checkboxes, then copy from the space below all the commands that are given. Namely, setmqaut. Edit with your queue manager name, and issue them!
----Never give up, the answer is where you have not looked yet--------