Unable to ssh into Satellite server from SAM server using SSH key

Latest response

Hi,

I am following the steps outlined on https://access.redhat.com/site/documentation/en-US/Red_Hat_Subscription_Management/1/html/Using_Subscription_Asset_Manager/sam-splice.html and I am at stuck at the part where I ssh into the sat server from the SAM server.

I have created the RSA key on my SAM sever, added the swreport user to the sat server, created the authorized keys file in the .ssh dir of the swreport and set the required file permissions.

The contents of the of the auth key file:
command="/usr/bin/spacewalk-report $SSH_ORIGINAL_COMMAND" \
ssh-rsa (contents of /var/lib/splice/id_rsa-sat from SAM server) swreport@satserver

Any suggestions on what I can do to get this to authenticate with the SSH key and not prompt for a password?

Thanks.

Responses

PREFACE: I have not used SAM.

If you are using SElinux, I would do the following:

# ON Satellite
restorecon -RFvv ~swreport/.ssh
chmod 0600 ~swreport/authorized_keys
# ON SAM
restorecon -Fvv /var/lib/splice/id_rsa-sat

If that does not work, temporarily disable SElinux

setenforce 0

have you tried a simple ssh connection from SAM to Satellite s the swreport user?

ssh -i /var/lib/splice/id_rsa-sat swreport@satserver
# OR
ssh -v -i /var/lib/splice/id_rsa-sat swreport@satserver
# OR
ssh -v -v -i /var/lib/splice/id_rsa-sat swreport@satserver

Hi - thanks for the reply.

I am not using SELinux and I am able to SSH into the Sat frm the SAM server but it still asks me for a password.

I would make one recommendation, which is in line with the Doc you linked with a slight difference.
On your SAM server:

su - splice
echo | ssh-keygen -t rsa -f /var/lib/splice/id_rsa-sat -N ''
ssh-copy-id -i /var/lib/splice/id_rsa-sat swreport@satserver
ssh -i /var/lib/splice/id_rsa-sat swreport@satserver

NOTE: The ssh-keygen will overwrite the old ssh-key you created on your SAM box for the splice user
The ssh-copy-id will then push the key (identified by -i) to the satserver for the swreport user.
The final step just confirms that it worked.

Please let us know how those steps go.

Gary,

Certainly see the other good tips from James above... another thing to keep in mind for ssh...

I have seen ssh keys not work if a user's permissions for their drive are more open than 755 (home drives typically ought to be 700). I've seen where a user had their home drive set to 777 (that is a bad practice if it exists) and their ssh keys would not work until their home drive was at minimum 755 (I'd recommend 700 because it is their home drive and no one else's).
- The .ssh directory permissions can cause consternation (I've seen in some environments) if they are too wide open This documentation at Red Hat recommends 700 for the .ssh directory, and 600 for ~/.ssh/authorized_keys

I was banging my head at this very same issue. In my case the permissions on the /home/swreport/.ssh directory were not 700. Things worked like a charm after I changed permissions using:

 [root@sat-server ~]# chmod 700 /home/swreport/.ssh

Gary,

Have you checked the sshd_config on the satellite server, does it allow empty passwords and Key authentication?

Kind regards,

Jan Gerrit Kootstra

Hi,

I was able to get it to ssh in to my sat server after I ran the rsa copy. Still not sure why it wasn't working previously but it is working now.
Thanks for the help all!

Great to hear it Gary. Using ssh-keys becomes one of those things that you don't really think about after you use them for a while... and you might lose track of all the minor details that is required to make them work (permissions, SElinux, format of the key file, default locations, etc...)

Glad to hear you are up and running with this Gary!

Close

Welcome! Check out the Getting Started with Red Hat page for quick tours and guides for common tasks.