Hi Michal,

Thanks for your reply!

Log from my node:

[root@dl360g9-1 ~]# tail -f -n0 /var/log/messages | grep sshd
Jun 21 10:15:50 dl360g9-1 sshd[35907]: rexec line 25: Deprecated option RSAAuthentication
Jun 21 10:15:50 dl360g9-1 sshd[35907]: Connection from 10.194.16.160 port 40858 on 10.194.16.150 port 2223
Jun 21 10:15:50 dl360g9-1 sshd[35907]: reprocess config line 25: Deprecated option RSAAuthentication
Jun 21 10:15:50 dl360g9-1 sshd[35907]: User ovirt-vmconsole not allowed because account is locked
Jun 21 10:15:50 dl360g9-1 sshd[35907]: input_userauth_request: invalid user ovirt-vmconsole [preauth]
Jun 21 10:15:50 dl360g9-1 sshd[35907]: Connection closed by 10.194.16.160 port 40858 [preauth]

Then I tried to unlock the ovirt-vmconsole account:

[root@dl360g9-1 ~]# passwd -u ovirt-vmconsole -f
Unlocking password for user ovirt-vmconsole.
passwd: Success
[root@dl360g9-1 ~]#

I gave it another try and got this log:

[root@dl360g9-1 ~]# tail -f -n0 /var/log/messages | grep sshd
Jun 21 10:22:44 dl360g9-1 sshd[36199]: rexec line 25: Deprecated option RSAAuthentication
Jun 21 10:22:44 dl360g9-1 sshd[36199]: Connection from 10.194.16.160 port 40954 on 10.194.16.150 port 2223
Jun 21 10:22:44 dl360g9-1 sshd[36199]: reprocess config line 25: Deprecated option RSAAuthentication
Jun 21 10:22:44 dl360g9-1 sshd[36199]: User ovirt-vmconsole authorized keys /dev/null is not a regular file
Jun 21 10:22:44 dl360g9-1 sshd[36199]: Failed publickey for ovirt-vmconsole from 10.194.16.160 port 40954 ssh2: RSA SHA256:FWlv2d+MlM43y0QQvnZUAMHgvLh+rQ8jYtZsWh6KId4
Jun 21 10:22:44 dl360g9-1 sshd[36199]: Accepted certificate ID "vmconsole-proxy-user" (serial 0) signed by RSA CA SHA256:vmH4XmKfgYJBpJym9T+WK2y2abk9aniCh6TiuJcB1+U via /etc/pki/ovirt-vmconsole/ca.pub
Jun 21 10:22:44 dl360g9-1 sshd[36199]: Postponed publickey for ovirt-vmconsole from 10.194.16.160 port 40954 ssh2: RSA SHA256:FWlv2d+MlM43y0QQvnZUAMHgvLh+rQ8jYtZsWh6KId4 [preauth]
Jun 21 10:22:44 dl360g9-1 sshd[36199]: Accepted certificate ID "vmconsole-proxy-user" (serial 0) signed by RSA CA SHA256:vmH4XmKfgYJBpJym9T+WK2y2abk9aniCh6TiuJcB1+U via /etc/pki/ovirt-vmconsole/ca.pub
Jun 21 10:22:44 dl360g9-1 sshd[36199]: error: key_verify: error in libcrypto
Jun 21 10:22:44 dl360g9-1 sshd[36199]: Failed publickey for ovirt-vmconsole from 10.194.16.160 port 40954 ssh2: RSA-CERT ID vmconsole-proxy-user (serial 0) CA RSA SHA256:vmH4XmKfgYJBpJym9T+WK2y2abk9aniCh6TiuJcB1+U
Jun 21 10:22:44 dl360g9-1 sshd[36199]: Connection closed by 10.194.16.160 port 40954 [preauth]

So it looks like something is wrong with my cert referred to in /usr/share/ovirt-vmconsole/ovirt-vmconsole-host/ovirt-vmconsole-host-sshd/sshd_config on my nodes. How do I retrieve the good certificate and the Hostkey?

HostCertificate /etc/pki/ovirt-vmconsole/host-ssh_host_rsa-cert.pub
HostKey /etc/pki/ovirt-vmconsole/host-ssh_host_rsa



Jonathan Gregoire


From: Michal Skrivanek <michal.skrivanek@redhat.com>
Sent: 21 June 2019 08:26
To: Jonathan Greg
Cc: users@ovirt.org
Subject: Re: [ovirt-users] Re: ovirt-vmconsole: Pemission denied (publickey) when I select VM id
 


> On 20 Jun 2019, at 15:25, Jonathan Greg <jonathan763@hotmail.com> wrote:
>
> Here is the log I get from the engine node when I do "ssh -t -p 2222 ovirt-vmconsole@ovirt-engine01.int.cloche.ca -i .ssh/serialconsolekey connect and I enter a console id":
>
> [root@ovirt-engine01 ~]# tail -f /var/log/messages
> Jun 20 09:22:13 ovirt-engine01 sshd[8836]: rexec line 24: Deprecated option RSAAuthentication
> Jun 20 09:22:13 ovirt-engine01 sshd[8836]: reprocess config line 24: Deprecated option RSAAuthentication
> Jun 20 09:22:14 ovirt-engine01 sshd[8836]: Accepted publickey for ovirt-vmconsole from 192.168.30.217 port 55849 ssh2: RSA SHA256:rYFIGj3UaNY28ocnmWqK3UZpznU0bzo6tPR+NpnR6Hw
> Jun 20 09:22:14 ovirt-engine01 sshd[8836]: Attempt to write login records by non-root user (aborting)
> Jun 20 09:22:20 ovirt-engine01 ovirt-vmconsole-proxy-shell[8849]: INFO Opening console '7e2c5638-f97c-45c4-8487-153764db2fc7.sock@c200m2-1.int.cloche.ca' on behalf of 'admin_internal-authz'[4907b7e8-dbda-11e8-9a2e-00163e1b3a71]
> Jun 20 09:22:20 ovirt-engine01 sshd[8836]: Attempt to write login records by non-root user (aborting)
> Jun 20 09:22:21 ovirt-engine01 sshd[8848]: Received disconnect from 192.168.30.217 port 55849:11: disconnected by user
> Jun 20 09:22:21 ovirt-engine01 sshd[8848]: Disconnected from 192.168.30.217 port 55849

The problem seems to be between the proxy and the target host; you’d need to get logs from there.
Check out logs/issues of the sshd process handling the incoming requests (/usr/sbin/sshd -f /usr/share/ovirt-vmconsole/ovirt-vmconsole-host/ovirt-vmconsole-host-sshd/sshd_config -D).
It could be a certificates issue. Is this an older setup, or has anything regarding host certificates changed recently/ever?

Thanks,
michal
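
The two failed attempts in the node log above, grouped by sshd PID and reduced to the stage at which each was rejected. This is an added example, not part of the original thread or of oVirt; the stage labels and the `triage`/`verdict` helpers are names made up for illustration.

```python
import re

# sshd lines copied from the node log in the post above (two sessions, by PID).
SAMPLE = [
    'Jun 21 10:15:50 dl360g9-1 sshd[35907]: User ovirt-vmconsole not allowed because account is locked',
    'Jun 21 10:22:44 dl360g9-1 sshd[36199]: User ovirt-vmconsole authorized keys /dev/null is not a regular file',
    'Jun 21 10:22:44 dl360g9-1 sshd[36199]: Accepted certificate ID "vmconsole-proxy-user" (serial 0) signed by RSA CA SHA256:vmH4XmKfgYJBpJym9T+WK2y2abk9aniCh6TiuJcB1+U via /etc/pki/ovirt-vmconsole/ca.pub',
    'Jun 21 10:22:44 dl360g9-1 sshd[36199]: error: key_verify: error in libcrypto',
    'Jun 21 10:22:44 dl360g9-1 sshd[36199]: Failed publickey for ovirt-vmconsole from 10.194.16.160 port 40954 ssh2: RSA-CERT ID vmconsole-proxy-user (serial 0) CA RSA SHA256:vmH4XmKfgYJBpJym9T+WK2y2abk9aniCh6TiuJcB1+U',
]

LINE = re.compile(r"sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")

# (label, pattern): the labels are this example's own naming, not sshd's.
STAGES = [
    ("account_locked", re.compile(r"not allowed because account is locked")),
    ("authorized_keys_not_regular_file", re.compile(r"authorized keys \S+ is not a regular file")),
    ("cert_ca_trusted", re.compile(r'Accepted certificate ID "[^"]+" .* via \S+')),
    ("signature_verify_error", re.compile(r"error: key_verify:")),
    ("publickey_failed", re.compile(r"Failed publickey for \S+ from \S+")),
    ("publickey_accepted", re.compile(r"Accepted publickey for \S+ from \S+")),
]

def triage(lines):
    """Return {pid: [stage labels in first-seen order]} for sshd log lines."""
    sessions = {}
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue  # not an sshd line
        for label, pattern in STAGES:
            if pattern.search(m["msg"]):
                stages = sessions.setdefault(m["pid"], [])
                if label not in stages:  # sshd repeats some messages
                    stages.append(label)
                break
    return sessions

def verdict(stages):
    """Summarise where in the authentication sequence a session stopped."""
    if "publickey_accepted" in stages:
        return "authenticated"
    if "account_locked" in stages:
        return "rejected before any key check: account locked"
    if "cert_ca_trusted" in stages and "signature_verify_error" in stages:
        return "certificate CA accepted, signature verification failed"
    if "publickey_failed" in stages:
        return "key or certificate rejected"
    return "no authentication outcome logged"

if __name__ == "__main__":
    for pid, stages in triage(SAMPLE).items():
        print(pid, stages, "->", verdict(stages))
```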