Can you check the site table to see if sshbetweennodes is set up? The default
for sshbetweennodes is ALLGROUPS, and it will enable passwordless ssh between
nodes. This attribute will be ignored if the zone table is set up, so please
check the zone table also.

If it is enabled, the remoteshell postscript will copy id_rsa and id_rsa.pub
over to the compute node; otherwise, it only copies id_rsa.pub.

From the source code, updatenode -k always requires a password.


Thanks,
Casandra
...................................................................
Casandra Hong Qiu
Phone: (845) 433-9291, t/l 293-9291
Office: B/002, Floor 3, Z13
[email protected]
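
The check asked for above, as an added example that is not part of the original message or of xCAT itself: it reads `tabdump site` and `tabdump zone` output and reports which table governs node-to-node ssh setup and whether id_rsa should appear on compute nodes. The sample dumps are constructed; the tabdump column layout and the NOGROUPS value are assumptions not stated in this thread.

```sh
#!/bin/sh
# Constructed sample dumps (assumed tabdump CSV layout; not taken from the thread).
SAMPLE_SITE_NOATTR='#key,value,comments,disable
"master","10.0.0.1",,'
SAMPLE_SITE_GROUPS='#key,value,comments,disable
"master","10.0.0.1",,
"sshbetweennodes","compute,storage",,'
SAMPLE_ZONE_EMPTY='#zonename,sshkeydir,sshbetweennodes,defaultzone,comments,disable'
SAMPLE_ZONE_SET='#zonename,sshkeydir,sshbetweennodes,defaultzone,comments,disable
"zone1","/etc/xcat/sshkeys/zone1/.ssh","yes","yes",,'

# stdin: `tabdump site` text. Splitting on the quote character keeps a
# comma-separated group list intact. Falls back to ALLGROUPS, the default
# named in the message above, when the attribute is not set.
site_sshbetweennodes() {
    awk -F'"' '!/^#/ && $2 == "sshbetweennodes" { v = $4 }
               END { print (v == "" ? "ALLGROUPS" : v) }'
}

# stdin: `tabdump zone` text. Prints the number of defined zones.
zone_rows() {
    awk '!/^#/ && NF { n++ } END { print n + 0 }'
}

# $1 = site dump, $2 = zone dump. Prints "zone" when the zone table is set up
# (site.sshbetweennodes is then ignored), otherwise "site:<value>".
governing_setting() {
    if [ "$(printf '%s\n' "$2" | zone_rows)" -gt 0 ]; then
        echo "zone"
    else
        echo "site:$(printf '%s\n' "$1" | site_sshbetweennodes)"
    fi
}

# Should remoteshell leave /root/.ssh/id_rsa on a compute node?
expect_id_rsa() {
    case "$1" in
        site:ALLGROUPS) echo "yes" ;;
        site:NOGROUPS)  echo "no" ;;   # assumption: NOGROUPS is the "off" value
        site:*)         echo "only-for-groups:${1#site:}" ;;
        zone)           echo "see-zone-table" ;;
    esac
}

# Live use on the management node; skipped where tabdump is not installed.
if command -v tabdump >/dev/null 2>&1; then
    g=$(governing_setting "$(tabdump site)" "$(tabdump zone 2>/dev/null)")
    echo "governed by: $g; id_rsa expected on nodes: $(expect_id_rsa "$g")"
fi
```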





From:   Josh Nielsen <[email protected]>
To:     xCAT Users Mailing list <[email protected]>
Date:   03/08/2016 12:51 PM
Subject:        Re: [xcat-user] Updatenode -k won't create id_rsa key without
            prompting for password



Yes, I just verified. It is present, but that alone is not sufficient for
that node to be able to SSH to other nodes itself. It allows other nodes
which have the correct private key to SSH to it, but not the other way
around.

For example, on one compute node I'm having trouble with /root/.ssh has
these three files:

-rw-------. 1 root root  408 Mar  7 14:28 authorized_keys
-rw-------. 1 root root  411 Mar  7 14:28 copy.sh
-rw-------  1 root root  402 Mar  3 16:20 known_hosts

And authorized_keys has the correct ssh-rsa public key entry, but I cannot
go from this node to any other node in my cluster via passwordless ssh. But
as soon as I run updatenode -k, and type in the password that it prompts
for to complete the command, the id_rsa key is added as the fourth file to
the /root/.ssh directory, and then after that I can ssh to other nodes from
it without supplying a password. That is the issue.

In the past simply running the remoteshell postscript (or so I assumed) was
sufficient for adding the id_rsa file, and it was all automated from a
fresh deploy by specifying remoteshell as one of the default postscripts to
run. But now it doesn't look like remoteshell is placing the id_rsa file on
the node (unless some other script or command is responsible for that), but
remoteshell looks like it creates everything else in /root/.ssh/
(and /etc/ssh/).

Is remoteshell the correct postscript for that, or was the id_rsa key most
likely being pushed to the nodes some other way (like by some code that
called updatenode -k upon initial deployment)? Either way, all I can say
for sure is that id_rsa used to appear in /root/.ssh on the compute node
automatically and now it does not.

Regards,
Josh

On Tue, Mar 8, 2016 at 4:19 AM, Xiao Peng Wang <[email protected]> wrote:
  To enable login without a password, the rsa public key should be copied
  to /root/.ssh/authorized_keys on the compute node. Could you check
  whether the key has been added to /root/.ssh/authorized_keys?



  Thanks
  Best Regards
  ----------------------------------------------------------------------
  Wang Xiaopeng (王晓朋)
  IBM China System Technology Laboratory
  Tel: 86-10-82453455
  Email: [email protected]
  Address: 28,ZhongGuanCun Software Park,No.8 Dong Bei Wang West Road,
  Haidian District Beijing P.R.China 100193


  ----- Original message -----
  From: Josh Nielsen <[email protected]>
  To: xCAT Users Mailing list <[email protected]>
  Cc:
  Subject: Re: [xcat-user] Updatenode -k won't create id_rsa key without
  prompting for password
  Date: Tue, Mar 8, 2016 5:26 AM

  Also if remoteshell is invoked directly as a postscript ('updatenode
  node0086c -V -P remoteshell') it produces the same result, but does not
  prompt for a password (like invoking xdsh -K directly doesn't), and
  copies everything over except id_rsa. So actually the prompting for a
  password is specific to updatenode -k, not xdsh -K or the remoteshell
  postscript (which run that). So I'm not sure if that is relevant to the
  underlying problem or not, but if I do invoke updatenode -k and supply it
  the password it copies the id_rsa to the node.

  On Mon, Mar 7, 2016 at 2:12 PM, Josh Nielsen <[email protected]>
  wrote:
    Hello,

    When we freshly deploy a node from the kickstart and run our
    postscripts we noticed that for some reason the /root/.ssh/id_rsa file
    which allows passwordless login from that node to other nodes is
    missing, though this was not the case just a few months ago. When I try
    to generate the key manually it prompts for a password, after which it
    will copy/create that file successfully (see below), but there are a
    few odd things connected to this.

    The error is:
    updatenode node0087c -k
    Enter the password for the userid: root on the node where the ssh keys
    will be updated:

    The first oddity is that even after supplying the password once for a
    particular node it will prompt for the password every time if I run it
    again, as well as the related problem that this never used to happen
    before and the key used to be created without issue or prompting for a
    password. The 'passwd' xCAT table has the password for root (if that is
    where it looks for this command).

    Secondly I have done several manual debugging steps (and poking around
    source code to see what is happening) and I have run the actual xdsh
    command that is called, shown from the -V verbose output (which it
    prints two of, the first apparently to prep the SNs and run the
    'remoteshell' postscript on them, and the second to actually do the
    same to the node specified).

    xdsh sn1,sn2 --nodestatus -s -v -e /install/postscripts/xcatdsklspost 5
    -m [MN_IP] 'remoteshell,servicenode' --tftp /tftpboot
    --installdir /install --nfsv4 no -c -V

    xdsh node0086c --nodestatus -s -v -e /install/postscripts/xcatdsklspost
    5 -m [SN1_IP] 'remoteshell' --tftp /tftpboot --installdir /install
    --nfsv4 no -c -V

    This did not reveal anything useful, except that when invoked directly
    like this no password is prompted for and it runs, but still leaves out
    the id_rsa file. I also followed the suggestion by Wang Xiaopeng in
    this thread (http://tinyurl.com/jz2jzmb) to test the getcredentials
    call with:

    1. Enable mini server
    /xcatpost/allowcred.awk &


    2. Try to get rsa hostkey
    USEOPENSSLFORXCAT=yes
    XCATSERVER=<MNIP>:3001 /xcatpost/getcredentials.awk ssh_rsa_hostkey


    This returned ssh_rsa_hostkey successfully. When remoteshell is run
    (whether with updatenode -k or xdsh -K) it actually does copy over the
    key files into /etc/ssh/ and it copies known_hosts, copy.sh, and
    authorized_keys into /root/.ssh on the compute node but omits id_rsa.
    What could be going wrong here?

    Regards,
    Josh Nielsen


  ------------------------------------------------------------------------------

  Transform Data into Opportunity.
  Accelerate data analysis in your applications with
  Intel Data Analytics Acceleration Library.
  Click to learn more.
  http://makebettercode.com/inteldaal-eval
  _______________________________________________
  xCAT-user mailing list
  [email protected]
  https://lists.sourceforge.net/lists/listinfo/xcat-user

