Unable to ssh into Satellite server from SAM server using SSH key
Hi,
I am following the steps outlined on https://access.redhat.com/site/documentation/en-US/Red_Hat_Subscription_Management/1/html/Using_Subscription_Asset_Manager/sam-splice.html and I am stuck at the part where I ssh into the sat server from the SAM server.
I have created the RSA key on my SAM server, added the swreport user to the sat server, created the authorized keys file in the .ssh dir of the swreport user and set the required file permissions.
The contents of the auth key file:
command="/usr/bin/spacewalk-report $SSH_ORIGINAL_COMMAND" \
ssh-rsa (contents of /var/lib/splice/id_rsa-sat from SAM server) swreport@satserver
Any suggestions on what I can do to get this to authenticate with the SSH key and not prompt for a password?
Thanks.
Responses
PREFACE: I have not used SAM.
If you are using SELinux, I would do the following:
# ON Satellite
restorecon -RFvv ~swreport/.ssh
chmod 0600 ~swreport/.ssh/authorized_keys
# ON SAM
restorecon -Fvv /var/lib/splice/id_rsa-sat
If that does not work, temporarily disable SELinux:
setenforce 0
Have you tried a simple ssh connection from SAM to Satellite as the swreport user?
ssh -i /var/lib/splice/id_rsa-sat swreport@satserver
# OR
ssh -v -i /var/lib/splice/id_rsa-sat swreport@satserver
# OR
ssh -v -v -i /var/lib/splice/id_rsa-sat swreport@satserver
I would make one recommendation, which is in line with the Doc you linked with a slight difference.
On your SAM server:
su - splice
echo | ssh-keygen -t rsa -f /var/lib/splice/id_rsa-sat -N ''
ssh-copy-id -i /var/lib/splice/id_rsa-sat swreport@satserver
ssh -i /var/lib/splice/id_rsa-sat swreport@satserver
NOTE: The ssh-keygen will overwrite the old ssh-key you created on your SAM box for the splice user
The ssh-copy-id will then push the key (identified by -i) to the satserver for the swreport user.
The final step just confirms that it worked.
Please let us know how those steps go.
Gary,
Certainly see the other good tips from James above... another thing to keep in mind for ssh...
I have seen ssh keys not work if a user's permissions for their drive are more open than 755 (home drives typically ought to be 700). I've seen where a user had their home drive set to 777 (that is a bad practice if it exists) and their ssh keys would not work until their home drive was at minimum 755 (I'd recommend 700 because it is their home drive and no one else's).
- The .ssh directory permissions can cause consternation (I've seen in some environments) if they are too wide open. This documentation at Red Hat recommends 700 for the .ssh directory, and 600 for ~/.ssh/authorized_keys
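
A check of the permissions the replies above point at, as an added example that is not part of the original thread: it reports a home directory that is group/other writable, and a .ssh directory or authorized_keys file that is more open than 700/600. The function names and the example path in the comment are assumptions.

```shell
#!/bin/sh
# Added example: audit the permissions discussed in the thread for one account.
# Usage: check_ssh_perms /home/swreport   (path is an assumption; pass the real home)

# True if the path is writable by group or others (mode more open than 755).
is_loose() {
    [ -n "$(find "$1" -prune \( -perm -020 -o -perm -002 \) 2>/dev/null)" ]
}

# True if group or others have any access at all (anything beyond 700/600).
is_shared() {
    [ -n "$(find "$1" -prune \( -perm -040 -o -perm -020 -o -perm -010 \
        -o -perm -004 -o -perm -002 -o -perm -001 \) 2>/dev/null)" ]
}

# Prints one line per finding; exit status is the number of findings.
check_ssh_perms() {
    home=$1
    problems=0
    if [ ! -d "$home" ]; then
        echo "MISSING $home"; return 1
    fi
    if is_loose "$home"; then
        echo "LOOSE $home: group/other writable, fix with chmod 700 (755 at most)"
        problems=$((problems + 1))
    fi
    if [ ! -d "$home/.ssh" ]; then
        echo "MISSING $home/.ssh"; problems=$((problems + 1))
    elif is_shared "$home/.ssh"; then
        echo "LOOSE $home/.ssh: fix with chmod 700"
        problems=$((problems + 1))
    fi
    if [ ! -f "$home/.ssh/authorized_keys" ]; then
        echo "MISSING $home/.ssh/authorized_keys"; problems=$((problems + 1))
    elif is_shared "$home/.ssh/authorized_keys"; then
        echo "LOOSE $home/.ssh/authorized_keys: fix with chmod 600"
        problems=$((problems + 1))
    fi
    return "$problems"
}
```

Run it on the Satellite server as root or as swreport; an exit status of 0 means none of the three paths is more open than the thread recommends.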
