Opened 3 years ago

Closed 3 years ago

#2663 closed task (fixed)

Get access to osgeo7-*

Reported by: jsanz Owned by: sac@…
Priority: normal Milestone: Unplanned
Component: SysAdmin Keywords:
Cc:

Description

Following up from #2660, I'd like to get access to osgeo7-* servers. At this moment, after adding the configuration to .ssh/config, I get this output:

$ ssh jsanz@osgeo7-old-webextra
jsanz@hop.osgeo7.osgeo.org: Permission denied (publickey).
kex_exchange_identification: Connection closed by remote host

My current public key is the second entry in osgeo6:/home/jsanz/.ssh/authorized_keys finishing with jorge.sanz@elastic.co.

Thanks!

Change History (8)

comment:1 by robe, 3 years ago

jsanz -- I don't see your key in your ldap profile, did you try adding it?

Go to https://id.osgeo.org/ldap/edit

Login and put your public key there.

in reply to:  1 ; comment:2 by jsanz, 3 years ago

Replying to robe:

> jsanz -- I don't see your key in your ldap profile, did you try adding it?
>
> Go to https://id.osgeo.org/ldap/edit
>
> Login and put your public key there.

Done, I've added my public key on that form. I waited a day but I still get a permission denied error.

in reply to:  2 comment:3 by robe, 3 years ago

Replying to jsanz:

> Done, I've added my public key on that form. I waited a day but I still get a permission denied error.

The change takes effect immediately, so you don't need to wait. I do see the key now on your ldap account and confirmed it matches what you have in osgeo6 second key, aside from linebreaks and spaces, which shouldn't matter, as the ldap one is chunked on mine too, and I don't have an authorized_keys in my hop home drive and can get in with my account.

I've manually added the key to your home drive on hop.osgeo7.osgeo.org to rule out any weird whitespace issues.

If that still doesn't work perhaps your issue is the one described below.

https://dev.to/bowmanjd/upgrade-ssh-client-keys-and-remote-servers-after-fedora-33-s-new-crypto-policy-47ag

Here: https://wiki.osgeo.org/wiki/SAC_Service_Status#Accessing_osgeo7_containers_via_ssh

Troubleshooting: In case of "Permission denied (publickey)." after an update to a modern OpenSSH version, it might well be that your ssh key (RSA key) is disabled in your client in favour of more modern ciphers.

Ugly workaround: add one line `PubkeyAcceptedKeyTypes ...` in `.ssh/config`, to re-enable RSA keys for now (consider generating a new key):

 vim .ssh/config
 ...
 Host *
    ...
    PubkeyAcceptedKeyTypes +ssh-rsa
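
Added example, not part of the ticket or of OSGeo's tooling: one way to confirm that the key stored in an LDAP profile and an `authorized_keys` entry are the same key regardless of line breaks and spaces (the check comment 3 describes), and to see whether it is an RSA key, the type the troubleshooting note concerns. The sample key is constructed, the function names are hypothetical, and each input is assumed to start with the key type (no `authorized_keys` options prefix).

```python
import base64, hashlib

def wire_fields(blob):
    """Split an SSH wire-format blob into length-prefixed fields; None if truncated."""
    fields, i = [], 0
    while i < len(blob):
        if i + 4 > len(blob):
            return None
        n = int.from_bytes(blob[i:i + 4], "big")
        i += 4 + n
        if i > len(blob):
            return None
        fields.append(blob[i - n:i])
    return fields

def parse_pubkey(text):
    """Return (key_type, blob); the base64 may be chunked by spaces or newlines."""
    tokens = text.split()
    key_type, b64, best = tokens[0], "", None
    for tok in tokens[1:]:
        b64 += tok
        if len(b64) % 4:
            continue                      # not a whole base64 quantum yet
        try:
            blob = base64.b64decode(b64, validate=True)
        except ValueError:                # ran into the trailing comment
            break
        fields = wire_fields(blob)
        if fields and fields[0] == key_type.encode():
            best = blob                   # longest prefix that parses as a complete key
    if best is None:
        raise ValueError("no complete public key found")
    return key_type, best

def fingerprint(blob):  # same form that `ssh-keygen -l` prints
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def compare(ldap_value, authorized_keys_line):
    t1, b1 = parse_pubkey(ldap_value)
    _, b2 = parse_pubkey(authorized_keys_line)
    return {"same_key": b1 == b2, "fingerprint": fingerprint(b1), "is_rsa": t1 == "ssh-rsa"}

# Constructed sample (not a real key): RSA-shaped blob, e=65537, dummy 2048-bit modulus.
def ssh_string(b):
    return len(b).to_bytes(4, "big") + b
SAMPLE_BLOB = ssh_string(b"ssh-rsa") + ssh_string(b"\x01\x00\x01") + ssh_string(b"\x00" + b"\xc3" * 256)
B64 = base64.b64encode(SAMPLE_BLOB).decode()
ONE_LINE = "ssh-rsa " + B64 + " user@example.org"
CHUNKED = "ssh-rsa " + "\n ".join(B64[i:i + 64] for i in range(0, len(B64), 64)) + " user@example.org"
print(compare(CHUNKED, ONE_LINE))
```

Comparing the decoded blobs (or their fingerprints) rather than the text avoids false mismatches caused by how a directory or web form wraps the value.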

comment:4 by jsanz, 3 years ago

Thanks for the support Regina.

Now I can access hop.osgeo.org without issues but I still can't get into the lxd container with the ProxyCommand setup.

I'm fine with having to log first into the download server but ssh jsanz@old-webextra.lxd server is asking for a password for my handle and the OSGeo ldap password is not working.

The PubkeyAcceptedKeyTypes is not working for me 😥

... few minutes later ...

I've realized I can get into other containers like osgeo7-web, osgeo7-download, or osgeo7-pycsw so there's something different with old-webextra. Hope this helps.

comment:5 by Jeff McKenna, 3 years ago

Odd timing but I'm in the exact same situation now as @jsanz: cannot ProxyJump into old-webextra, but can jump into the other containers.


comment:6 by robe, 3 years ago

Try now. Was same issue with letsencrypt and old-webextra being so old it didn't trust the new authority.

Feel free to close if all set. Jsanz, can you by chance also try removing your key on hop server to see if the ssh still works? I want to make sure your key registered in ldap works, so if you need to access other servers on other hosts you'll be able to.

comment:7 by Jeff McKenna, 3 years ago

Confirmed fix here, thanks again @robe !!!

comment:8 by jsanz, 3 years ago

Resolution: fixed
Status: new → closed

Confirmed here as well. I renamed the .ssh/authorized_keys file in the hop server just in case it is needed again, but I could get into the old-webextra server with my LDAP password and check the status of the planet, etc.

Thanks again 👏👏
