Hi,

I can't still connect to my vms with vmconsole proxy on my production engine (other test and dev engine are OK).

the ssh key for the wanted user is available in the the API:

<ssh_public_keys>
<ssh_public_key href="/ovirt-engine/api/users/64b7f3bf-9d43-4508-af93-63ad77652be3/sshpublickeys/aaace8d4-08d3-4452-ac91-df4b491bd899" id="aaace8d4-08d3-4452-ac91-df4b491bd899">
<content>
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAyfrDI84RWtSvFOUvpb9DkbnIuEfZEQAt4ZCXDHNXcmRwa9iXfPbj69gkOJyj7Jhj9RinJn9at4NgJtrO/rRRgT+SzYUWpdO2KWHgRM5v1rpYcw820ZDdAZk+yxCjQsy6kd49q/q6B+Uzg8Kpth+CAV1ubRrBYqFiuT/qQe9y+0N1TkNdASWL38oZH9K0rzbDb4WlU2Er2BCXzoLF2NBk7iyaS3+Y65DqWPPHHdh89nilC6k5N7SCUkSOayrjh7NnErkBAKZ6PPaarZqZhZPrCbHZnu0oqA0XQXKLcYpwuhNwcK8e4ZWsDwMmArnNcmS6JFxnPIrGYxxmv01K6VXVvw==
</content>
<user href="/ovirt-engine/api/users/64b7f3bf-9d43-4508-af93-63ad77652be3" id="64b7f3bf-9d43-4508-af93-63ad77652be3"/>
</ssh_public_key>
</ssh_public_keys>

But /usr/libexec/ovirt-vmconsole-proxy-helper/ovirt-vmconsole-list.py  --version "1" keys still returns nothing.

On the engine:

[root@air ~]# systemctl status ovirt-vmconsole-proxy-sshd.service
● ovirt-vmconsole-proxy-sshd.service - oVirt VM Console SSH server daemon
   Loaded: loaded (/usr/lib/systemd/system/ovirt-vmconsole-proxy-sshd.service; enabled; vendor preset: disabled)
   Active: active (running) since Mon 2021-05-10 14:16:55 CEST; 22min ago
 Main PID: 3649210 (sshd)
    Tasks: 1 (limit: 204594)
   Memory: 2.7M
   CGroup: /system.slice/ovirt-vmconsole-proxy-sshd.service
           └─3649210 /usr/sbin/sshd -f /usr/share/ovirt-vmconsole/ovirt-vmconsole-proxy/ovirt-vmconsole-proxy-sshd/sshd_config -D

mai 10 14:16:55 air.v100.abes.fr systemd[1]: Started oVirt VM Console SSH server daemon.
mai 10 14:16:55 air.v100.abes.fr sshd[3649210]: Server listening on 0.0.0.0 port 2222.
mai 10 14:16:55 air.v100.abes.fr sshd[3649210]: Server listening on :: port 2222.
mai 10 14:17:01 air.v100.abes.fr ovirt-vmconsole-proxy-keys[3649214]: ERROR '"keys"'
mai 10 14:17:01 air.v100.abes.fr sshd[3649212]: AuthorizedKeysCommand /usr/libexec/ovirt-vmconsole-proxy-keys ovirt-vmconsole failed, status 1
mai 10 14:17:02 air.v100.abes.fr ovirt-vmconsole-proxy-keys[3649218]: ERROR '"keys"'
mai 10 14:17:02 air.v100.abes.fr sshd[3649212]: AuthorizedKeysCommand /usr/libexec/ovirt-vmconsole-proxy-keys ovirt-vmconsole failed, status 1
mai 10 14:17:02 air.v100.abes.fr sshd[3649212]: Connection closed by authenticating user ovirt-vmconsole 10.34.100.131 port 46874 [preauth]

I tried to execute /usr/libexec/ovirt-vmconsole-proxy-keys ovirt-vmconsole but it gives an internal ERROR (as on the other working engine, so it may be not relevant)

What can I test more?

Le 18/04/2021 à 15:59, Sharon Gratch a écrit :
Hi,

Please follow the instructions mentioned here:

It seems that something is wrong with the user permissions/keys.
Is the 4.4.5 oVirt installation an upgraded or a new installation? 
You mentioned that it's working with your other engines? Do they all use the 4.4.5 version?

Thanks,
Sharon


On Fri, Apr 16, 2021 at 1:31 PM Nathanaël Blanchet <blanchet@abes.fr> wrote:
I removed the user and created an other time. Now, I have this

The key seems to be present in the DB

engine=# SELECT users.username, user_profiles.property_content::text
FROM user_profiles
JOIN users ON users.user_id = user_profiles.user_id
WHERE user_profiles.property_type= 'SSH_PUBLIC_KEY';
          username |
property_content

--------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-------------------------------
  sblanchet@levant.abes.fr | "ssh-rsa
AAAAB3NzaC1yc2EAAAABIwAAAQEAyfrDI84RWtSvFOUvpb9DkbnIuEfZEQAt4ZCXDHNXcmRwa9iXfPbj69gkOJyj7Jhj9RinJn9at4NgJtrO/rRRgT+SzYUWpdO2KWHgRM5v1rpYcw820ZDdAZk+yxCjQ
sy6kd49q/q6B+Uzg8Kpth+CAV1ubRrBYqFiuT/qQe9y+0N1TkNdASWL38oZH9K0rzbDb4WlU2Er2BCXzoLF2NBk7iyaS3+Y65DqWPPHHdh89nilC6k5N7SCUkSOayrjh7NnErkBAKZ6PPaarZqZhZPrCbHZnu0oqA0XQXKLcYpwuhNwcK8e4ZWsDwMmArn
NcmS6JFxnPIrGYxxmv01K6VXVvw=="
(1 row)

and now in the api

<ssh_public_keys>
<ssh_public_key
href="/ovirt-engine/api/users/64b7f3bf-9d43-4508-af93-63ad77652be3/sshpublickeys/70850a0e-1b20-4dd5-9fcd-4f64303509d1"
id="70850a0e-1b20-4dd5-9fcd-4f64303509d1">
<content>
ssh-rsa
AAAAB3NzaC1yc2EAAAABIwAAAQEAyfrDI84RWtSvFOUvpb9DkbnIuEfZEQAt4ZCXDHNXcmRwa9iXfPbj69gkOJyj7Jhj9RinJn9at4NgJtrO/rRRgT+SzYUWpdO2KWHgRM5v1rpYcw820ZDdAZk+yxCjQsy6kd49q/q6B+Uzg8Kpth+CAV1ubRrBYqFiuT/qQe9y+0N1TkNdASWL38oZH9K0rzbDb4WlU2Er2BCXzoLF2NBk7iyaS3+Y65DqWPPHHdh89nilC6k5N7SCUkSOayrjh7NnErkBAKZ6PPaarZqZhZPrCbHZnu0oqA0XQXKLcYpwuhNwcK8e4ZWsDwMmArnNcmS6JFxnPIrGYxxmv01K6VXVvw==
</content>
<user
href="/ovirt-engine/api/users/64b7f3bf-9d43-4508-af93-63ad77652be3"
id="64b7f3bf-9d43-4508-af93-63ad77652be3"/>
</ssh_public_key>
</ssh_public_keys>

but I still can't connect

$ ssh -t -p 2222  ovirt-vmconsole@air.v100.abes.fr connect
ovirt-vmconsole@air.v100.abes.fr: Permission denied (publickey).

and

[root@air ~]#
/usr/libexec/ovirt-vmconsole-proxy-helper/ovirt-vmconsole-list.py
--version "1" keys

still returns empty string...


Le 16/04/2021 à 11:07, Nathanaël Blanchet a écrit :
>
> Le 16/04/2021 à 10:31, Radoslaw Szwajkowski a écrit :
>>> [root@air-dev ~]#
>>> /usr/libexec/ovirt-vmconsole-proxy-helper/ovirt-vmconsole-list.py
>>> --version "1" keys
>>> {"keys": [{"entityid": "d5e69fa0-96a0-4aae-952d-18fe36940248",
>>> "entity":
>>> "sblanchet@levant.abes.fr@abes.fr-authz", "key": "ssh-rsa
>>> AAAAB3NzaC1yc2EAAAABIwAAAQEAyfrDI84RWtSvFOUvpb9DkbnIuEfZEQAt4ZCXDHNXcmRwa9iXfPbj69gkOJyj7Jhj9RinJn9at4NgJtrO/rRRgT+SzYUWpdO2KWHgRM5v1rpYcw820ZDdAZk+yxCjQsy6kd49q/q6B+Uzg8Kpth+CAV1ubRrBYqFiuT/qQe9y+0N1TkNdASWL38oZH9K0rzbDb4WlU2Er2BCXzoLF2NBk7iyaS3+Y65DqWPPHHdh89nilC6k5N7SCUkSOayrjh7NnErkBAKZ6PPaarZqZhZPrCbHZnu0oqA0XQXKLcYpwuhNwcK8e4ZWsDwMmArnNcmS6JFxnPIrGYxxmv01K6VXVvw=="}],
>>>
>>> "version": 1, "content": "key_list"}
>>>
>>> but the same command on the main  engine returns empty
>>>
>>> [root@air ~]#
>>> /usr/libexec/ovirt-vmconsole-proxy-helper/ovirt-vmconsole-list.py
>>> --version "1" keys
>>>
>> Empty list (no keys) should look similar to: {"keys": [], "version":
>> 1, "content": "key_list"}
>> In your case it seems that VMConsoleProxyServlet is not responding
>> i.e. on my dev env I get a similar result (empty output,error code 1)
>> when server is down.
>
> it is up
>
>
> ● ovirt-vmconsole-proxy-sshd.service - oVirt VM Console SSH server daemon
>    Loaded: loaded
> (/usr/lib/systemd/system/ovirt-vmconsole-proxy-sshd.service; enabled;
> vendor preset: disabled)
>    Active: active (running) since Fri 2021-04-16 10:50:41 CEST; 1min
> 27s ago
>  Main PID: 1914370 (sshd)
>     Tasks: 1 (limit: 204594)
>    Memory: 3.5M
>    CGroup: /system.slice/ovirt-vmconsole-proxy-sshd.service
>            └─1914370 /usr/sbin/sshd -f
> /usr/share/ovirt-vmconsole/ovirt-vmconsole-proxy/ovirt-vmconsole-proxy-sshd/sshd_config
> -D
>
> avril 16 10:50:41 air.v100.abes.fr systemd[1]: Started oVirt VM
> Console SSH server daemon.
> avril 16 10:50:41 air.v100.abes.fr sshd[1914370]: Server listening on
> 0.0.0.0 port 2222.
> avril 16 10:50:41 air.v100.abes.fr sshd[1914370]: Server listening on
> :: port 2222.
> avril 16 10:52:02 air.v100.abes.fr ovirt-vmconsole[1914540]:
> 2021-04-16 10:52:02,241+0200 ovirt-vmconsole-list: ERROR main:265
> Error: HTTP Error 403: Forbidden
> avril 16 10:52:02 air.v100.abes.fr
> ovirt-vmconsole-proxy-keys[1914536]: ERROR Key list execution failed rc=1
> avril 16 10:52:02 air.v100.abes.fr sshd[1914534]:
> AuthorizedKeysCommand /usr/libexec/ovirt-vmconsole-proxy-keys
> ovirt-vmconsole failed, status 1
> avril 16 10:52:02 air.v100.abes.fr ovirt-vmconsole[1914547]:
> 2021-04-16 10:52:02,806+0200 ovirt-vmconsole-list: ERROR main:265
> Error: HTTP Error 403: Forbidden
> avril 16 10:52:02 air.v100.abes.fr
> ovirt-vmconsole-proxy-keys[1914543]: ERROR Key list execution failed rc=1
> avril 16 10:52:02 air.v100.abes.fr sshd[1914534]:
> AuthorizedKeysCommand /usr/libexec/ovirt-vmconsole-proxy-keys
> ovirt-vmconsole failed, status 1
> avril 16 10:52:03 air.v100.abes.fr sshd[1914534]: Connection closed by
> authenticating user ovirt-vmconsole 10.34.100.131 port 53674 [preauth]
>
>>
>> However you can check if DB contains the right data (key is encoded as
>> JSON string - enclosed in double quotes):
>> SELECT users.username, user_profiles.property_content::text
>> FROM user_profiles
>> JOIN users ON users.user_id = user_profiles.user_id
>> WHERE user_profiles.property_type= 'SSH_PUBLIC_KEY';
>
> https://air.v100.abes.fr//ovirt-engine/api/users/1bb90486-d431-4554-a6a1-37631d8c16d4/sshpublickeys
>
>
> <ssh_public_keys/>
>
> is empty
>
> while
>
> https://air-dev.v100.abes.fr/ovirt-engine/api/users/d5e69fa0-96a0-4aae-952d-18fe36940248/sshpublickeys
>
>
> returns
>
> <ssh_public_keys>
> <ssh_public_key
> href="/ovirt-engine/api/users/d5e69fa0-96a0-4aae-952d-18fe36940248/sshpublickeys/1fa3fcaf-7475-4c72-9565-b32425d3c8fd"
> id="1fa3fcaf-7475-4c72-9565-b32425d3c8fd">
> <content>
> ssh-rsa
> AAAAB3NzaC1yc2EAAAABIwAAAQEAyfrDI84RWtSvFOUvpb9DkbnIuEfZEQAt4ZCXDHNXcmRwa9iXfPbj69gkOJyj7Jhj9RinJn9at4NgJtrO/rRRgT+SzYUWpdO2KWHgRM5v1rpYcw820ZDdAZk+yxCjQsy6kd49q/q6B+Uzg8Kpth+CAV1ubRrBYqFiuT/qQe9y+0N1TkNdASWL38oZH9K0rzbDb4WlU2Er2BCXzoLF2NBk7iyaS3+Y65DqWPPHHdh89nilC6k5N7SCUkSOayrjh7NnErkBAKZ6PPaarZqZhZPrCbHZnu0oqA0XQXKLcYpwuhNwcK8e4ZWsDwMmArnNcmS6JFxnPIrGYxxmv01K6VXVvw==
> </content>
> <user
> href="/ovirt-engine/api/users/d5e69fa0-96a0-4aae-952d-18fe36940248"
> id="d5e69fa0-96a0-4aae-952d-18fe36940248"/>
> </ssh_public_key>
> </ssh_public_keys>
>
>>
>> best regards,
>> Radek
>>
--
Nathanaël Blanchet

Supervision réseau
SIRE
227 avenue Professeur-Jean-Louis-Viala
34193 MONTPELLIER CEDEX 5       
Tél. 33 (0)4 67 54 84 55
Fax  33 (0)4 67 54 84 14
blanchet@abes.fr
_______________________________________________
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-leave@ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/
List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/TUHJA7C32NPJ5K5ITX4YGXEKNOZCXVHF/
-- 
Nathanaël Blanchet

Supervision réseau
SIRE
227 avenue Professeur-Jean-Louis-Viala
34193 MONTPELLIER CEDEX 5 	
Tél. 33 (0)4 67 54 84 55
Fax  33 (0)4 67 54 84 14
blanchet@abes.fr