Configure Satellite remote execution to use an SSH key other than the foreman-proxy SSH key


Environment

  • Red Hat Satellite 6

Issue

  • After creating a separate user for remote execution, the foreman-proxy's SSH key is still used for remote execution.

Resolution

  • Setup Remote Execution using non-root user on RHEL systems connected to Red Hat Satellite 6.

  • Create an SSH key pair and choose the desired location for it, or use an existing one:

    # ssh-keygen
    
  • Run the following command on both the Satellite and the Capsules to set the directory where the SSH keys are stored and the name of the private SSH key:

    #### For Red Hat Satellite/Capsule 6.11 or below:
    
    # satellite-installer --foreman-proxy-plugin-remote-execution-ssh-ssh-identity-dir [Directory where SSH keys are stored]  \
     --foreman-proxy-plugin-remote-execution-ssh-ssh-identity-file [Private SSH key filename]
    
    #### For Red Hat Satellite/Capsule 6.12 and later:
    
    # satellite-installer --foreman-proxy-plugin-remote-execution-script-ssh-identity-dir [Directory where SSH keys are stored]  \
     --foreman-proxy-plugin-remote-execution-script-ssh-identity-file [Private SSH key filename]
    

    Note: Pass only the filename, not a path, to the argument foreman-proxy-plugin-remote-execution-(script/ssh)-ssh-identity-file, e.g. --foreman-proxy-plugin-remote-execution-(script/ssh)-ssh-identity-file id_rsa

  • Ensure that the foreman-proxy user can access and read the new SSH keypair without any issues.

    # su - foreman-proxy -s /bin/bash -c "ls -l /PATH/TO/NEW/SSH/KEYPAIR/DIRECTORY/"
    
    # curl -vvv https://<satellite or capsule fqdn>:9090/ssh/pubkey
    
    • If either or both of the commands return Access Denied or Permission Denied, set the appropriate permissions or an ACL on the directory where the SSH keys are stored.

    • The easiest way to do that would be to set an ACL for the foreman-proxy user as displayed below.

      # setfacl -R -m u:foreman-proxy:rwx /PATH/TO/NEW/SSH/KEYPAIR/DIRECTORY/
      
  • Navigate to the WebUI --> Infrastructure --> Capsules page and refresh the features of the Satellite/Capsule server where the SSH keys were replaced.
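
The checks in the steps above can be gathered into one preflight, shown here as an added example that is not part of the Red Hat article. The function name `check_rex_identity` is hypothetical; it assumes GNU `stat` (as on RHEL) and the `<name>.pub` naming that `ssh-keygen` produces, and it is meant to be run as the foreman-proxy user so that the readability test reflects what the proxy will see.

```shell
#!/bin/sh
# Added example (not from the Red Hat article): preflight for the key pair
# that the identity-dir / identity-file installer options will point at.
# Usage: check_rex_identity <identity-dir> <identity-file>
# Returns 0 when clean, 1 on a key or permission finding, 2 on bad arguments.
check_rex_identity() {
    dir=$1 file=$2 rc=0
    # The identity-file option takes a bare filename, never a path.
    case $file in
        ''|*/*) echo "identity-file must be a bare filename: '$file'"; return 2 ;;
    esac
    [ -d "$dir" ] || { echo "identity-dir not found: $dir"; return 2; }
    key=$dir/$file
    # Both halves of the pair must exist and be readable by the calling user.
    for f in "$key" "$key.pub"; do
        if [ ! -f "$f" ]; then
            echo "missing: $f"; rc=1
        elif [ ! -r "$f" ]; then
            echo "not readable by $(id -un): $f"; rc=1
        fi
    done
    # With an ACL set, the group bits reported by stat are the ACL mask, so
    # only the "other" bits are tested here: users outside the owner and the
    # ACL entries must have no access to the private key.
    if [ -f "$key" ]; then
        mode=$(stat -c '%a' "$key")
        if [ $(( 0$mode & 07 )) -ne 0 ]; then
            echo "private key accessible to other users (mode $mode): $key"; rc=1
        fi
    fi
    # A world-writable directory lets any local user swap the key pair.
    dmode=$(stat -c '%a' "$dir")
    if [ $(( 0$dmode & 02 )) -ne 0 ]; then
        echo "identity-dir is world-writable (mode $dmode): $dir"; rc=1
    fi
    return $rc
}

# When invoked with two arguments, run the check directly.
if [ $# -eq 2 ]; then check_rex_identity "$1" "$2"; fi
```
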

For more KB articles/solutions related to Red Hat Satellite 6.x Remote Execution Issues, please refer to the Red Hat Satellite Consolidated Troubleshooting Article for Red Hat Satellite 6.x Remote Execution Issues

Root Cause

  • By default, Satellite is configured to use the foreman-proxy SSH key for remote execution.
