Direct SSH to Compute Node not working
Environment
- Red Hat OpenStack Platform 10.0
Issue
- Zenoss is used to monitor overcloud servers. The Zenoss SSH library currently does not support agent forwarding, so direct SSH is required. After adding the public key to all control and compute nodes, direct SSH to the control nodes works, but SSH to a compute node always reports that the connection was closed by the peer compute node.

    [root@master]# ssh -v heat-admin@10.10.20.51
    OpenSSH_7.4p1, OpenSSL 1.0.2k-fips 26 Jan 2017
    debug1: Reading configuration data /root/.ssh/config
    debug1: Reading configuration data /etc/ssh/ssh_config
    debug1: /etc/ssh/ssh_config line 58: Applying options for *
    debug1: Connecting to 10.10.20.51 [10.10.20.51] port 22.
    debug1: Connection established.
    debug1: permanently_set_uid: 0/0
    debug1: identity file /root/.ssh/id_rsa type 1
    debug1: key_load_public: No such file or directory
    debug1: identity file /root/.ssh/id_rsa-cert type -1
    debug1: key_load_public: No such file or directory
    debug1: identity file /root/.ssh/id_dsa type -1
    debug1: key_load_public: No such file or directory
    debug1: identity file /root/.ssh/id_dsa-cert type -1
    debug1: key_load_public: No such file or directory
    debug1: identity file /root/.ssh/id_ecdsa type -1
    debug1: key_load_public: No such file or directory
    debug1: identity file /root/.ssh/id_ecdsa-cert type -1
    debug1: key_load_public: No such file or directory
    debug1: identity file /root/.ssh/id_ed25519 type -1
    debug1: key_load_public: No such file or directory
    debug1: identity file /root/.ssh/id_ed25519-cert type -1
    debug1: Enabling compatibility mode for protocol 2.0
    debug1: Local version string SSH-2.0-OpenSSH_7.4
    ssh_exchange_identification: read: Connection reset by peer

- Debug message:

    debug1: key_load_public: No such file or directory

- The connection is reset for SSH:

    ssh_exchange_identification: read: Connection reset by peer
Resolution
- Several things can prevent SSH access. For this issue, consider the following scenarios:
  - openssh is looking for a key but is not able to locate it, or the key is corrupt and may need to be regenerated.
  - The IP has been blacklisted in /etc/hosts.deny due to exceeding the allowed number of failed login attempts.
Diagnostic Steps
- The following are also possible causes of SSH into a compute node being refused:
  - Check that the parameters below are set correctly in /etc/ssh/sshd_config:

        PermitRootLogin yes
        . . . . .
        PasswordAuthentication yes
        . .
        UsePAM yes

  - Check whether the IP is blacklisted in /etc/hosts.deny.
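The two checks above as a script, added here as an example and not part of the original solution: it prints the value sshd reads for each listed keyword and any /etc/hosts.deny line that matches a client address. The script name and the `<client-ip>` argument are assumptions; run it on the compute node.

```shell
#!/bin/sh
# Added example (not from the article). Run on the compute node as root.

# Print the value sshd will use for a keyword: the first occurrence wins and
# keywords are case-insensitive. Stops at the first Match block (conditional).
# "(unset)" means no line was found, so sshd falls back to its default.
sshd_param() {  # usage: sshd_param <keyword> [config-file]
    awk -v key="$1" '
        /^[ \t]*#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { print $2; found = 1; exit }
        END { if (!found) print "(unset)" }
    ' "${2:-/etc/ssh/sshd_config}"
}

# Print hosts.deny lines that deny an IPv4 client for sshd; exit 0 on a hit.
# Evaluates exact IPs, trailing-dot prefixes ("10.10.20.") and ALL.
# Not evaluated: net/mask, hostnames, EXCEPT, or overrides in hosts.allow.
hosts_deny_hits() {  # usage: hosts_deny_hits <client-ip> [hosts.deny-file]
    awk -v ip="$1" '
        /^[ \t]*#/ || !/:/ { next }
        {
            split($0, part, ":")
            d = " " tolower(part[1]) " "; gsub(/[,\t]/, " ", d)
            if (d !~ / (sshd|all) /) next
            n = split(part[2], pat, /[ \t,]+/)
            for (i = 1; i <= n; i++) {
                p = pat[i]
                if (p == "") continue
                if (p == ip || toupper(p) == "ALL" || (p ~ /\.$/ && index(ip, p) == 1)) {
                    print FILENAME ":" FNR ": " $0; hit = 1; break
                }
            }
        }
        END { exit !hit }
    ' "${2:-/etc/hosts.deny}"
}

# Report only when given the monitoring host's address (hypothetical name):
#   sh check_compute_ssh.sh <client-ip>
if [ -n "${1:-}" ]; then
    for k in PermitRootLogin PasswordAuthentication UsePAM; do
        printf '%s = %s\n' "$k" "$(sshd_param "$k")"
    done
    hosts_deny_hits "$1" || echo "no hosts.deny entry matches $1"
fi
```

A matching hosts.deny line is printed with its file name and line number, so the entry can be reviewed before it is removed.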
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.