How to generate new ssh cluster keys for an existing user


Blake Fitch

Nov 10, 2021, 11:49:53 AM
to Warewulf
Hello All,

How can new Warewulf cluster keys be generated for an existing user?

Best,
Blake

Ian Kaufman

Nov 10, 2021, 11:55:21 AM
to ware...@lbl.gov
ssh-keygen should work just fine.

--
Ian Kaufman
Research Systems Administrator
UC San Diego, Jacobs School of Engineering ikaufman AT ucsd DOT edu

Blake Fitch

Nov 10, 2021, 12:23:54 PM
to Warewulf, Ian Kaufman
Hi Ian,

Thanks for the quick response!

I had the idea that Warewulf managed these keys in some special way. But if not, that would be great.

I tried just ssh-keygen after moving my own warewulf configured .ssh dir out of the way. The result was not viable to ssh to the compute nodes.  Any suggestion on what could be wrong would be most appreciated.

Best,
Blake

Ian Kaufman

Nov 10, 2021, 12:31:03 PM
to Blake Fitch, Warewulf
I would copy the .ssh directory back, rename the Warewulf keys (actually, they may have a different name anyway), and put your new key pair in the original .ssh directory.

If the homedir is NFS mounted, the new keys should be visible to all nodes.

What are the permissions on the new .ssh directory and the files below?

Ian

Blake Fitch

Nov 10, 2021, 12:51:08 PM
to Warewulf, Ian Kaufman, Warewulf, Blake Fitch
So, to be clear, I'm trying to help someone else who did something bad with their keys. That's why I'm moving my .ssh to the side for experiments and returning it afterwards.

What I just did is:
* move my .ssh  to dot.ssh
* ssh-keygen # followed by three returns
* ssh compute-1  # wants a password which isn't what we're after
* cp .ssh/id_rsa .ssh/cluster
* cp .ssh/id_rsa.pub .ssh/cluster.pub
* chmod go-rwx .ssh/*
* ssh compute-1  # still wants a password
* rm -rf .ssh
* mv dot.ssh .ssh
* ssh compute-1 # logs in fine without a password




Ian Kaufman

Nov 10, 2021, 1:05:12 PM
to Blake Fitch, Warewulf
Is cluster 600?

.ssh needs to be 700, and the private key has to be 600. cluster.pub needs to be 644.

Does it work if you leave the files as id_rsa and id_rsa.pub?

Have you tried verbose logging with SSH, i.e. "ssh -vvvv", to see if it is trying to read the key?

Blake Fitch

Nov 10, 2021, 3:03:26 PM
to Warewulf, Ian Kaufman, Warewulf, Blake Fitch
I just repeated the process outlined. The permissions followed your outline. The *.pubs are -rw-r--r--. which is exactly how ssh-keygen makes them. The id_rsa and cluster are just -rw-------, read write owner. And that's consistent with all other users on the cluster.

So perms were OK, but what was missing after all that was the authorized_keys file.

What works soup to nuts:
* mv .ssh old.ssh
* ssh-keygen # followed by three empty returns
* cp .ssh/id_rsa .ssh/cluster
* cp .ssh/id_rsa.pub  .ssh/cluster.pub
* cp .ssh/cluster.pub .ssh/authorized_keys
* ssh compute-1  # accept authenticity of new host and you're in w/o a password

The user might want to add back other keys.

It all seems obvious now. Thanks very much for your help!

Best,
Blake


Ian Kaufman

Nov 10, 2021, 3:19:16 PM
to Blake Fitch, Warewulf
Ah, I didn't catch the lack of authorized_keys file

Ian

Blake Fitch

Nov 10, 2021, 3:50:02 PM
to Warewulf, Ian Kaufman, Warewulf, Blake Fitch
.... that wasn't quite the end of it either. There's also an important .ssh/config file which should contain at least:

# Added by Warewulf  2020-12-08
Host *
   IdentityFile ~/.ssh/cluster
   StrictHostKeyChecking=no


This file should also be 0600

At the end perms are so:
$ ls -ltr .ssh
total 6

-rw-------. 1 ch ky  128 Jan 18  2021 config
-rw-------. 1 ch ky 1675 Nov 10 21:24 cluster
-rw-r--r--. 1 ch ky  413 Nov 10 21:24 cluster.pub
-rw-------. 1 ch ky  413 Nov 10 21:26 authorized_keys
-rw-------. 1 ch ky 1675 Nov 10 21:27 id_rsa
-rw-r--r--. 1 ch ky  376 Nov 10 21:32 known_hosts


Finally, the end user had granted write permissions to his whole home dir. The final step was chmod go-w /home/ch

I think this finally settles it.

Thanks again!!

Best,
Blake
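
A read-only check for the conditions this thread turned up (home directory not group/world writable, .ssh at 700, private key and config at 600, the public key listed in authorized_keys, an IdentityFile entry in config), as an added example that is not from any poster or from Warewulf. The function names audit_ssh_dir and bits_set are hypothetical, and it assumes GNU stat on Linux.

```shell
#!/bin/sh
# Added example (not from the thread): read-only audit of the pieces the
# thread found necessary. Assumes GNU stat (Linux); function names are made up.

# bits_set PATH OCTAL_MASK: true if any permission bit in the mask is set
bits_set() {
    mode=$(stat -c %a "$1") || return 1
    [ $(( 0$mode & 0$2 )) -ne 0 ]
}

# audit_ssh_dir HOME_DIR [KEY_NAME]: prints findings, returns 1 if any
audit_ssh_dir() {
    home=$1; key=${2:-cluster}; d=$home/.ssh; bad=0
    fail() { echo "FAIL: $*"; bad=1; }

    bits_set "$home" 022 && fail "$home is group/world writable (chmod go-w)"
    [ -d "$d" ] || { fail "$d is missing"; return 1; }
    bits_set "$d" 077 && fail "$d should be 700"

    if [ -f "$d/$key" ]; then
        bits_set "$d/$key" 077 && fail "$d/$key should be 600"
    else
        fail "private key $d/$key is missing"
    fi

    if [ ! -f "$d/authorized_keys" ]; then
        fail "$d/authorized_keys is missing"
    elif [ ! -f "$d/$key.pub" ]; then
        fail "$d/$key.pub is missing"
    else
        bits_set "$d/authorized_keys" 022 && fail "authorized_keys is group/world writable"
        # Match on the key blob (field 2) so a different comment does not matter
        blob=$(awk '{print $2; exit}' "$d/$key.pub")
        [ -n "$blob" ] && grep -qF -- "$blob" "$d/authorized_keys" ||
            fail "$key.pub is not listed in authorized_keys"
    fi

    if [ -f "$d/config" ]; then
        bits_set "$d/config" 077 && fail "$d/config should be 600"
        grep -Eq "^[[:space:]]*IdentityFile[[:space:]=]+.*/$key[[:space:]]*\$" "$d/config" ||
            fail "config has no IdentityFile entry for $key"
    else
        fail "$d/config is missing"
    fi
    return "$bad"
}

# Run only when a home directory is given, e.g.: sh audit.sh /home/ch
if [ "$#" -gt 0 ]; then audit_ssh_dir "$@"; fi
```

The script changes nothing on disk; each FAIL line names the file to fix with chmod or cp as described in the posts above.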