----- Original Message -----
> From: "John H. Thompson (GSFC-606.2)[Computer Sciences Corporation]" <[email protected]>
> To: "Yair Zaslavsky" <[email protected]>, "Alon Bar-Lev" <[email protected]>
> Cc: [email protected]
> Sent: Thursday, October 23, 2014 5:28:23 AM
> Subject: Re: [ovirt-users] [Fwd: options for root and password]
>
> So in trying to use keys instead of root/password, per the ovirt GUI I
> enter the address of the host, specify port 2222 (sshd listening here
> will allow ssh into root via keys), check the "SSH Public Key" button,
> copy the contents of the key provided in the UI to the
> /root/.ssh/authorized_keys
> file on the node being added, and get:
>
> Error while executing action: Cannot install Host with empty password.
>

please make sure:
1. /root/.ssh is owned by root and its mode is 0700
2. /root/.ssh/authorized_keys is owned by root and its mode is 0600
3. you run restorecon -r /root/.ssh to set correct selinux properties.

>
> The logs show:
>
> WARN [org.ovirt.engine.core.bll.AddVdsCommand] (ajp--127.0.0.1-8702-6)
> [750e08ac] CanDoAction of action AddVds failed.
> Reasons:VAR__ACTION__ADD,VAR__TYPE__HOST,$server
> *our_server's_hostname*,VDS_CANNOT_INSTALL_EMPTY_PASSWORD
>
> On 10/21/14 4:00 AM, "Yair Zaslavsky" <[email protected]> wrote:
>
> >----- Original Message -----
> >> From: "Alon Bar-Lev" <[email protected]>
> >> To: "Sven Kieske" <[email protected]>
> >> Cc: [email protected]
> >> Sent: Tuesday, October 21, 2014 10:49:02 AM
> >> Subject: Re: [ovirt-users] [Fwd: options for root and password]
> >>
> >> ----- Original Message -----
> >> > From: "Sven Kieske" <[email protected]>
> >> > To: [email protected]
> >> > Sent: Tuesday, October 21, 2014 10:40:39 AM
> >> > Subject: Re: [ovirt-users] [Fwd: options for root and password]
> >> >
> >> > On 21/10/14 09:21, Sven Kieske wrote:
> >> > > I don't know if this is still valid, I don't find any
> >> > > options regarding public/private keys in ovirt 3.3. but
> >> > > I would be very interested in this topic to tighten security.
> >> >
> >> > It just turns out this already works in ovirt 3.3.2
> >> > maybe even earlier, but I would like to know
> >> > if the point about host key validation on the mentioned wiki
> >> > page is still true, as I think this would be cve-worthy.
> >>
> >> When host is added its ssh fingerprint is recorded in database, and is
> >> enforced from this point on.
> >> Only at Edit Host dialog it can be modified.
> >> You can also pre-fetch the fingerprint before adding the host at Add Host
> >> dialog in order to confirm that it is the correct host, it will add this
> >> fingerprint to database and enforce it when adding the host too.
> >
> >CC'ing Yaniv Bronheim who was the feature owner for ssh fingerprint usage
> >during host addition.
> >I guess Yaniv can confirm exactly which version it was added.
> >

_______________________________________________
Users mailing list
[email protected]
http://lists.ovirt.org/mailman/listinfo/users
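
The three-item checklist in the reply above can be audited on the node before retrying Add Host. The script below is an added example, not part of the thread or of oVirt; the function names are hypothetical, and it assumes a `stat` that supports `-c` (GNU coreutils or busybox) and, for the SELinux item, the `selinuxenabled` and `restorecon` utilities.

```shell
#!/bin/sh
# Added example (not from the thread): audit the three items in the reply.
# Assumes GNU/busybox `stat -c`; function names are hypothetical.

# check_one PATH OWNER MODE: report and fail if owner or octal mode differ.
check_one() {
    c_path=$1; c_owner=$2; c_mode=$3; c_bad=0
    if [ ! -e "$c_path" ]; then
        echo "MISSING $c_path"
        return 1
    fi
    got_owner=$(stat -c '%U' "$c_path") || return 1
    got_mode=$(stat -c '%a' "$c_path") || return 1
    if [ "$got_owner" != "$c_owner" ]; then
        echo "OWNER $c_path: $got_owner (want $c_owner)"
        c_bad=1
    fi
    if [ "$got_mode" != "$c_mode" ]; then
        echo "MODE $c_path: $got_mode (want $c_mode)"
        c_bad=1
    fi
    return $c_bad
}

# check_ssh_key_perms [DIR] [OWNER]: defaults are /root/.ssh and root.
check_ssh_key_perms() {
    k_dir=${1:-/root/.ssh}; k_owner=${2:-root}; k_failed=0
    check_one "$k_dir" "$k_owner" 700 || k_failed=1
    check_one "$k_dir/authorized_keys" "$k_owner" 600 || k_failed=1
    # Item 3: only meaningful when SELinux is enabled. `restorecon -n -v`
    # is a dry run that lists files whose label would be changed.
    if command -v selinuxenabled >/dev/null 2>&1 && selinuxenabled; then
        k_relabel=$(restorecon -n -v -r "$k_dir" 2>/dev/null) || true
        if [ -n "$k_relabel" ]; then
            echo "SELINUX $k_relabel"
            k_failed=1
        fi
    fi
    return $k_failed
}

# Run only when a directory is passed, e.g.: sh check.sh /root/.ssh root
[ $# -eq 0 ] || check_ssh_key_perms "$@"
```

Each failed item is printed as a `MISSING`, `OWNER`, `MODE` or `SELINUX` line and the exit status is non-zero, so the script can gate an automated host enrollment step.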

