Configure Satellite remote execution to use an SSH key other than the foreman-proxy SSH key

Solution Verified - Updated -

Environment

  • Red Hat Satellite 6

Issue

  • After creating a separate user for remote execution, the foreman-proxy SSH key is still used for remote execution.

Resolution

  • Set up remote execution using a non-root user on RHEL systems connected to Red Hat Satellite 6.

  • Create an SSH key pair in the desired location, or use an existing one:

    # ssh-keygen
    
  • Run the following command on both the Satellite and the Capsules to set the directory where the SSH keys are stored and the name of the private SSH key:

    # satellite-installer --foreman-proxy-plugin-remote-execution-ssh-ssh-identity-dir [Directory where SSH keys are stored]  \
     --foreman-proxy-plugin-remote-execution-ssh-ssh-identity-file [Private SSH key name]
    
  • Ensure that the foreman-proxy user can access and read the new SSH key pair without any issues:

    # su - foreman-proxy -s /bin/bash -c "ls -l /PATH/TO/NEW/SSH/KEYPAIR/DIRECTORY/"
    
    # curl -vvv https://<satellite or capsule fqdn>:9090/ssh/pubkey
    
    • If either or both of the commands return Access Denied or Permission Denied, set the appropriate permissions or ACL on the directory where the SSH keys are stored.

    • The easiest way to do that is to set an ACL for the foreman-proxy user, as shown below.

      # setfacl -R -m u:foreman-proxy:rwx /PATH/TO/NEW/SSH/KEYPAIR/DIRECTORY/
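
The access check above can be scripted. The following is an added example, not part of the original Red Hat solution: the function name `check_rex_identity` and its return codes are assumptions made for this illustration, and it assumes the public key is stored next to the private key as `<name>.pub` and that GNU `stat` is available.

```shell
#!/bin/bash
# Added example: audit the directory configured as the remote execution
# SSH identity directory. Run it as the foreman-proxy user so that the
# access tests reflect that account, for example:
#   su - foreman-proxy -s /bin/bash -c "bash /PATH/TO/THIS/SCRIPT DIR KEYNAME"
# Return codes (chosen for this example):
#   0 = usable, 1 = file or directory missing,
#   2 = not readable by the calling user, 3 = private key open to "other"

check_rex_identity() {
    dir=$1
    key="$dir/$2"
    pub="$key.pub"

    [ -d "$dir" ] || { echo "missing directory: $dir"; return 1; }
    [ -f "$key" ] || { echo "missing private key: $key"; return 1; }
    [ -f "$pub" ] || { echo "missing public key: $pub"; return 1; }

    # The calling user needs search (x) on the directory and read on both files.
    if ! { [ -x "$dir" ] && [ -r "$key" ] && [ -r "$pub" ]; }; then
        echo "key pair in $dir is not readable by $(id -un)"
        return 2
    fi

    # The last octal digit of the mode is the permission set for "other".
    # A private key should never be accessible to unrelated local accounts.
    mode=$(stat -c '%a' "$key")
    case "$mode" in
        *0) ;;
        *)  echo "private key $key is accessible to other users (mode $mode)"
            return 3 ;;
    esac

    echo "ok: $key (mode $mode) is usable by $(id -un)"
    return 0
}

# When called with DIR and KEYNAME, run the check and exit with its result.
if [ "$#" -eq 2 ]; then
    check_rex_identity "$1" "$2"
    exit $?
fi
```

A return code of 3 after granting access means the permissions were opened further than the foreman-proxy user requires.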
      

Root Cause

  • By default, Satellite is configured to use the foreman-proxy SSH key for remote execution.

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
