Yes, I just verified. It is present, but that alone is not sufficient for
that node to be able to SSH to other nodes itself. It allows other nodes
which have the correct private key to SSH to it, but not the other way
around.
For example, on one compute node I'm having trouble with /root/.ssh has
these three files:
-rw-------. 1 root root 408 Mar 7 14:28 authorized_keys
-rw-------. 1 root root 411 Mar 7 14:28 copy.sh
-rw------- 1 root root 402 Mar 3 16:20 known_hosts
And authorized_keys has the correct ssh-rsa public key entry, but I cannot
go from this node to any other node in my cluster via passwordless ssh. But
as soon as I run updatenode -k, and type in the password that it prompts
for to complete the command, the id_rsa key is added as the fourth file to
the /root/.ssh directory, and then after that I can ssh to other nodes from
it without supplying a password. That is the issue.
In the past simply running the remoteshell postscript (or so I assumed) was
sufficient for adding the id_rsa file, and it was all automated from a
fresh deploy by specifying remoteshell as one of the default postscripts to
run. But now it doesn't look like remoteshell is placing the id_rsa file on
the node (unless some other script or command is responsible for that), but
remoteshell looks like it creates everything else in /root/.ssh/ (and
/etc/ssh/).
Is remoteshell the correct postscript for that, or was the id_rsa key most
likely being pushed to the nodes some other way (like by some code that
called updatenode -k upon initial deployment)? Either way, all I can say
for sure is that id_rsa used to appear in /root/.ssh on the compute node
automatically and now it does not.
Regards,
Josh
On Tue, Mar 8, 2016 at 4:19 AM, Xiao Peng Wang <[email protected]> wrote:
> To enable the login without password, the rsa public key should be copied
> to /root/.ssh/authorized_keys in the compute node. Could you check whether
> the key has been added in to
> /root/.ssh/authorized_keys?
>
>
>
> Thanks
> Best Regards
> ----------------------------------------------------------------------
> Wang Xiaopeng (王晓朋)
> IBM China System Technology Laboratory
> Tel: 86-10-82453455
> Email: [email protected]
> Address: 28,ZhongGuanCun Software Park,No.8 Dong Bei Wang West Road,
> Haidian District Beijing P.R.China 100193
>
>
>
> ----- Original message -----
> From: Josh Nielsen <[email protected]>
> To: xCAT Users Mailing list <[email protected]>
> Cc:
> Subject: Re: [xcat-user] Updatenode -k won't create id_rsa key without
> prompting for password
> Date: Tue, Mar 8, 2016 5:26 AM
>
> Also if remoteshell is invoked directly as a postscript ('updatenode
> node0086c -V -P remoteshell') it produces the same result, but does not
> prompt for a password (like invoking xdsh -K directly doesn't), and copies
> everything over except id_rsa. So actually the prompting for a password is
> specific to updatenode -k, not xdsh -K or the remoteshell postscript (which
> run that). So I'm not sure if that is relevant to the underlying problem or
> not, but if I do invoke updatenode -k and supply it the password it copies
> the id_rsa to the node.
>
> On Mon, Mar 7, 2016 at 2:12 PM, Josh Nielsen <[email protected]>
> wrote:
>
> Hello,
>
> When we freshly deploy a node from the kickstart and run our postscripts
> we noticed that for some reason the /root/.ssh/id_rsa file which allows
> passwordless login from that node to other nodes is missing, though this
> was not the case just a few months ago. When I try to generate the key
> manually it prompts for a password, after which it will copy/create that
> file successfully (see below), but there are a few odd things connected to
> this.
>
> The error is:
> updatenode node0087c -k
> Enter the password for the userid: root on the node where the ssh keys
> will be updated:
>
> The first oddity is that even after supplying the password once for a
> particular node it will prompt for the password every time if I run it
> again, as well as the related problem that this never used to happen before
> and the key used to be created without issue or prompting for a password.
> The 'passwd' xCAT table has the password for root (if that is where it
> looks for this command).
>
> Secondly I have done several manual debugging steps (and poking around
> source code to see what is happening) and I have run the actual xdsh
> command that is called, shown from the -V verbose output (which it prints
> two of, the first apparently to prep the SNs and run the 'remoteshell'
> postscript on them, and the second to actually do the same to the node
> specified).
>
> xdsh sn1,sn2 --nodestatus -s -v -e /install/postscripts/xcatdsklspost 5 -m
> [MN_IP] 'remoteshell,servicenode' --tftp /tftpboot --installdir /install
> --nfsv4 no -c -V
>
> xdsh node0086c --nodestatus -s -v -e /install/postscripts/xcatdsklspost 5
> -m [SN1_IP] 'remoteshell' --tftp /tftpboot --installdir /install --nfsv4 no
> -c -V
>
> This did not reveal anything useful, except that when invoked directly
> like this no password is prompted for and it runs, but still leaves out the
> id_rsa file. I followed also the suggestion by Wang Xaiopeng in this thread
> (*http://tinyurl.com/jz2jzmb <http://tinyurl.com/jz2jzmb>)* to test the
> getcredentials call with:
>
> 1. Enable mini server
> /xcatpost/allowcred.awk &
>
> 2.Try to get rsa hostkey
> USEOPENSSLFORXCAT=yes XCATSERVER=<MNIP>:3001 /xcatpost/getcredentials.awk
> ssh_rsa_hostkey
> This returned ssh_rsa_hostkey sucessfully. When remoteshell is run
> (whether with updatenode -k or xdsh -K) it actually does copy over the key
> files into /etc/ssh/ and it copies known_hosts, copy.sh, and
> authorized_keys into /root/.ssh on the compute node but omits id_rsa. What
> could be going wrong here?
>
> Regards,
> Josh Nielsen
>
>
>
>
> ------------------------------------------------------------------------------
> Transform Data into Opportunity.
> Accelerate data analysis in your applications with
> Intel Data Analytics Acceleration Library.
> Click to learn more.
> http://makebettercode.com/inteldaal-eval
> _______________________________________________
> xCAT-user mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/xcat-user
>
>
>
>
> ------------------------------------------------------------------------------
> Transform Data into Opportunity.
> Accelerate data analysis in your applications with
> Intel Data Analytics Acceleration Library.
> Click to learn more.
> http://makebettercode.com/inteldaal-eval
> _______________________________________________
> xCAT-user mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/xcat-user
>
>
------------------------------------------------------------------------------
Transform Data into Opportunity.
Accelerate data analysis in your applications with
Intel Data Analytics Acceleration Library.
Click to learn more.
http://makebettercode.com/inteldaal-eval
_______________________________________________
xCAT-user mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/xcat-user
