Re: ovirt-vmconsole: Permission denied (publickey) when I select VM id

Here is the log I get from the engine node when I do "ssh -t -p 2222 ovirt-vmconsole@ovirt-engine01.int.cloche.ca -i .ssh/serialconsolekey connect and I enter a console id":

[root@ovirt-engine01 ~]# tail -f /var/log/messages
Jun 20 09:22:13 ovirt-engine01 sshd[8836]: rexec line 24: Deprecated option RSAAuthentication
Jun 20 09:22:13 ovirt-engine01 sshd[8836]: reprocess config line 24: Deprecated option RSAAuthentication
Jun 20 09:22:14 ovirt-engine01 sshd[8836]: Accepted publickey for ovirt-vmconsole from 192.168.30.217 port 55849 ssh2: RSA SHA256:rYFIGj3UaNY28ocnmWqK3UZpznU0bzo6tPR+NpnR6Hw
Jun 20 09:22:14 ovirt-engine01 sshd[8836]: Attempt to write login records by non-root user (aborting)
Jun 20 09:22:20 ovirt-engine01 ovirt-vmconsole-proxy-shell[8849]: INFO Opening console '7e2c5638-f97c-45c4-8487-153764db2fc7.sock@c200m2-1.int.cloche.ca' on behalf of 'admin_internal-authz'[4907b7e8-dbda-11e8-9a2e-00163e1b3a71]
Jun 20 09:22:20 ovirt-engine01 sshd[8836]: Attempt to write login records by non-root user (aborting)
Jun 20 09:22:21 ovirt-engine01 sshd[8848]: Received disconnect from 192.168.30.217 port 55849:11: disconnected by user
Jun 20 09:22:21 ovirt-engine01 sshd[8848]: Disconnected from 192.168.30.217 port 55849

On 20 Jun 2019, at 15:25, Jonathan Greg <jonathan763@hotmail.com> wrote:
Here is the log I get from the engine node when I do "ssh -t -p 2222 ovirt-vmconsole@ovirt-engine01.int.cloche.ca -i .ssh/serialconsolekey connect and I enter a console id":

[root@ovirt-engine01 ~]# tail -f /var/log/messages
Jun 20 09:22:13 ovirt-engine01 sshd[8836]: rexec line 24: Deprecated option RSAAuthentication
Jun 20 09:22:13 ovirt-engine01 sshd[8836]: reprocess config line 24: Deprecated option RSAAuthentication
Jun 20 09:22:14 ovirt-engine01 sshd[8836]: Accepted publickey for ovirt-vmconsole from 192.168.30.217 port 55849 ssh2: RSA SHA256:rYFIGj3UaNY28ocnmWqK3UZpznU0bzo6tPR+NpnR6Hw
Jun 20 09:22:14 ovirt-engine01 sshd[8836]: Attempt to write login records by non-root user (aborting)
Jun 20 09:22:20 ovirt-engine01 ovirt-vmconsole-proxy-shell[8849]: INFO Opening console '7e2c5638-f97c-45c4-8487-153764db2fc7.sock@c200m2-1.int.cloche.ca' on behalf of 'admin_internal-authz'[4907b7e8-dbda-11e8-9a2e-00163e1b3a71]
Jun 20 09:22:20 ovirt-engine01 sshd[8836]: Attempt to write login records by non-root user (aborting)
Jun 20 09:22:21 ovirt-engine01 sshd[8848]: Received disconnect from 192.168.30.217 port 55849:11: disconnected by user
Jun 20 09:22:21 ovirt-engine01 sshd[8848]: Disconnected from 192.168.30.217 port 55849

The problem seems to be between the proxy and the target host, you’d need to get logs from there. Check out logs/issues of the sshd process handling the incoming requests (/usr/sbin/sshd -f /usr/share/ovirt-vmconsole/ovirt-vmconsole-host/ovirt-vmconsole-host-sshd/sshd_config -D).
It could be a certificates issue. Is this an older setup or anything regarding host certificates changed recently/ever?

Thanks,
michal
_______________________________________________
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-leave@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/
List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/PHQIKZZPHPJ4XX...

Hi Michal,

Thanks for your reply!

Log from my node:

[root@dl360g9-1 ~]# tail -f -n0 /var/log/messages | grep sshd
Jun 21 10:15:50 dl360g9-1 sshd[35907]: rexec line 25: Deprecated option RSAAuthentication
Jun 21 10:15:50 dl360g9-1 sshd[35907]: Connection from 10.194.16.160 port 40858 on 10.194.16.150 port 2223
Jun 21 10:15:50 dl360g9-1 sshd[35907]: reprocess config line 25: Deprecated option RSAAuthentication
Jun 21 10:15:50 dl360g9-1 sshd[35907]: User ovirt-vmconsole not allowed because account is locked
Jun 21 10:15:50 dl360g9-1 sshd[35907]: input_userauth_request: invalid user ovirt-vmconsole [preauth]
Jun 21 10:15:50 dl360g9-1 sshd[35907]: Connection closed by 10.194.16.160 port 40858 [preauth]

Then I’ve tried to unlock the ovirt-vmconsole account:

[root@dl360g9-1 ~]# passwd -u ovirt-vmconsole -f
Unlocking password for user ovirt-vmconsole.
passwd: Success
[root@dl360g9-1 ~]#

Gave it another try and got this log:

[root@dl360g9-1 ~]# tail -f -n0 /var/log/messages | grep sshd
Jun 21 10:22:44 dl360g9-1 sshd[36199]: rexec line 25: Deprecated option RSAAuthentication
Jun 21 10:22:44 dl360g9-1 sshd[36199]: Connection from 10.194.16.160 port 40954 on 10.194.16.150 port 2223
Jun 21 10:22:44 dl360g9-1 sshd[36199]: reprocess config line 25: Deprecated option RSAAuthentication
Jun 21 10:22:44 dl360g9-1 sshd[36199]: User ovirt-vmconsole authorized keys /dev/null is not a regular file
Jun 21 10:22:44 dl360g9-1 sshd[36199]: Failed publickey for ovirt-vmconsole from 10.194.16.160 port 40954 ssh2: RSA SHA256:FWlv2d+MlM43y0QQvnZUAMHgvLh+rQ8jYtZsWh6KId4
Jun 21 10:22:44 dl360g9-1 sshd[36199]: Accepted certificate ID "vmconsole-proxy-user" (serial 0) signed by RSA CA SHA256:vmH4XmKfgYJBpJym9T+WK2y2abk9aniCh6TiuJcB1+U via /etc/pki/ovirt-vmconsole/ca.pub
Jun 21 10:22:44 dl360g9-1 sshd[36199]: Postponed publickey for ovirt-vmconsole from 10.194.16.160 port 40954 ssh2: RSA SHA256:FWlv2d+MlM43y0QQvnZUAMHgvLh+rQ8jYtZsWh6KId4 [preauth]
Jun 21 10:22:44 dl360g9-1 sshd[36199]: Accepted certificate ID "vmconsole-proxy-user" (serial 0) signed by RSA CA SHA256:vmH4XmKfgYJBpJym9T+WK2y2abk9aniCh6TiuJcB1+U via /etc/pki/ovirt-vmconsole/ca.pub
Jun 21 10:22:44 dl360g9-1 sshd[36199]: error: key_verify: error in libcrypto
Jun 21 10:22:44 dl360g9-1 sshd[36199]: Failed publickey for ovirt-vmconsole from 10.194.16.160 port 40954 ssh2: RSA-CERT ID vmconsole-proxy-user (serial 0) CA RSA SHA256:vmH4XmKfgYJBpJym9T+WK2y2abk9aniCh6TiuJcB1+U
Jun 21 10:22:44 dl360g9-1 sshd[36199]: Connection closed by 10.194.16.160 port 40954 [preauth]

So it looks like something is wrong with my cert referred to in /usr/share/ovirt-vmconsole/ovirt-vmconsole-host/ovirt-vmconsole-host-sshd/sshd_config on my nodes. How to retrieve the good certificate and the Hostkey?

HostCertificate /etc/pki/ovirt-vmconsole/host-ssh_host_rsa-cert.pub
HostKey /etc/pki/ovirt-vmconsole/host-ssh_host_rsa

Jonathan Gregoire
________________________________
From: Michal Skrivanek <michal.skrivanek@redhat.com>
Sent: 21 June 2019 08:26
To: Jonathan Greg
Cc: users@ovirt.org
Subject: Re: [ovirt-users] Re: ovirt-vmconsole: Permission denied (publickey) when I select VM id
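The two host-side rejections in the node log quoted in this thread can be told apart mechanically. The following is an added example, not part of the original messages and not oVirt code: it groups sshd lines by process ID and labels each connection. The event names and verdict strings are this example's own labels, and the sample lines are copied from the log in the thread.

```python
import re

# Sample input: a subset of the host-side sshd lines quoted in the thread.
SAMPLE = """\
Jun 21 10:15:50 dl360g9-1 sshd[35907]: Connection from 10.194.16.160 port 40858 on 10.194.16.150 port 2223
Jun 21 10:15:50 dl360g9-1 sshd[35907]: User ovirt-vmconsole not allowed because account is locked
Jun 21 10:22:44 dl360g9-1 sshd[36199]: User ovirt-vmconsole authorized keys /dev/null is not a regular file
Jun 21 10:22:44 dl360g9-1 sshd[36199]: Accepted certificate ID "vmconsole-proxy-user" (serial 0) signed by RSA CA SHA256:vmH4XmKfgYJBpJym9T+WK2y2abk9aniCh6TiuJcB1+U via /etc/pki/ovirt-vmconsole/ca.pub
Jun 21 10:22:44 dl360g9-1 sshd[36199]: error: key_verify: error in libcrypto
Jun 21 10:22:44 dl360g9-1 sshd[36199]: Failed publickey for ovirt-vmconsole from 10.194.16.160 port 40954 ssh2: RSA-CERT ID vmconsole-proxy-user (serial 0) CA RSA SHA256:vmH4XmKfgYJBpJym9T+WK2y2abk9aniCh6TiuJcB1+U
"""

LINE = re.compile(r"sshd\[(\d+)\]: (.*)$")
# (label, pattern) pairs; the labels are hypothetical names chosen for this example.
EVENTS = [
    ("account_locked", re.compile(r"not allowed because account is locked")),
    ("cert_ca_trusted", re.compile(r'Accepted certificate ID "([^"]+)" .* via (\S+)')),
    ("signature_verify_error", re.compile(r"key_verify: error in libcrypto")),
    ("cert_auth_failed", re.compile(r"Failed publickey .* RSA-CERT ID")),
    ("auth_ok", re.compile(r"Accepted publickey for")),
]

def verdict(ev):
    """Map the set of events seen for one sshd process to a single label."""
    if "auth_ok" in ev:
        return "authenticated"
    if "account_locked" in ev:
        return "rejected: account locked"
    if {"cert_ca_trusted", "signature_verify_error"} <= ev:
        return "rejected: CA trusted, signature verification failed"
    if "cert_auth_failed" in ev:
        return "rejected: certificate refused"
    return "no verdict"

def triage(log_text):
    """Return {pid: verdict} for every sshd process that appears in log_text."""
    seen = {}
    for raw in log_text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue  # not an sshd line
        pid, msg = m.groups()
        events = seen.setdefault(pid, set())
        events.update(name for name, pat in EVENTS if pat.search(msg))
    return {pid: verdict(ev) for pid, ev in seen.items()}

if __name__ == "__main__":
    for pid, result in triage(SAMPLE).items():
        print(pid, result)
```
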
participants (3)
- Jonathan Greg
- Jonathan Gregoire
- Michal Skrivanek