Koozali.org: home of the SME Server

[Resolved] AFFA - Sending public key fails

TTown
« on: August 25, 2011, 02:07:47 PM »
Hello,

I am trying to move from a dedicated server HW (192.168.178.50, name: "sme") to a VM (192.168.178.54, name: "affa1" on VMware Server). The idea is to use Affa (http://wiki.contribs.org/Moving_SME_to_new_Hardware).
 
I did the updates on both boxes and got affa installed on the "newIP" PC ok.

Pinging is OK in both directions:
Code: [Select]
[root@affa1 ~]# ping 192.168.178.50
PING 192.168.178.50 (192.168.178.50) 56(84) bytes of data.
64 bytes from 192.168.178.50: icmp_seq=0 ttl=64 time=5.97 ms
64 bytes from 192.168.178.50: icmp_seq=1 ttl=64 time=0.557 ms
--
Code: [Select]
[root@sme ~]# ping 192.168.178.54
PING 192.168.178.54 (192.168.178.54) 56(84) bytes of data.
64 bytes from 192.168.178.54: icmp_seq=0 ttl=64 time=0.468 ms
64 bytes from 192.168.178.54: icmp_seq=1 ttl=64 time=0.537 ms
Using a shell I can ssh from each box into the other.
SSH settings are according to the guide.

Contents of the affa db:
Code: [Select]
[root@affa1 ~]# db affa show
AffaGlobalDisable=yes
DefaultAffaConfig=default
    sendStatus=weekly
    status=enabled
prodbox=job
    Description=My Production Server
    TimeSchedule=0030,0730,1130,1330,1730,2030
    remoteHostName=192.168.178.50
    status=disabled
prodserv=job
    RPMCheck=yes
    remoteHostName=192.168.178.50
    sshPort=22
[root@affa1 ~]#
but
Code: [Select]
affa --send-key prodserv
is giving me problems:

Code: [Select]
[root@affa1 ~]# affa --send-key prodserv
Job prodserv: Sending public key to 192.168.178.50 failed.

the production server's ssh log shows:
Code: [Select]
[root@sme ~]# cat /var/log/sshd/current
[...]
@400000004e5630e6085d55a4 Connection closed by 192.168.178.54

The affa log for the connection trial shows:
Code: [Select]
[root@affa1 ~]# cat /var/log/affa/prodserv.log
[...]
Thu Aug 25 13:24:10[START.5321]: Affa 1.0.0-3: Running /sbin/e-smith/affa --send-key prodserv
Thu Aug 25 13:24:10[send keys.5321]: Sending public key to 192.168.178.50 failed.
Thu Aug 25 13:24:10[send keys.5321]: Done.
Thu Aug 25 13:24:10[send keys.5321]: Exiting.

affa recognizes the connection problem:
Code: [Select]
[root@affa1 ~]# affa --check-connections
prodserv         : SSH connection FAILED.
prodbox          : SSH connection FAILED.

Before setting the primary domain name of the "newIP" box to the same as the production box, the ssh log also showed something else:
Code: [Select]
[root@sme ~]# cat /var/log/sshd/current
@400000004e555f5c2df08d2c reverse mapping checking getaddrinfo for pc-00054.stefandaheim.getmyip.com failed - POSSIBLE BREAKIN ATTEMPT!
@400000004e555f5c2e2eaf6c Connection closed by 192.168.178.54

but that (reverse mapping line) has gone away now.

Please advise.
Stefan
« Last Edit: August 31, 2011, 05:30:40 AM by TTown »
(fnord)

janet
Re: AFFA - Sending public key fails
« Reply #1 on: August 25, 2011, 02:20:37 PM »
TTown

As per the main wiki Affa article, did you temporarily enable ssh access correctly, i.e.

"Note:
   When initially doing this step, you will need to temporarily enable "Allow secure shell access using standard passwords" on the production server"
Please search before asking, an answer may already exist.
The Search & other links to useful information are at top of Forum.

TTown
Re: AFFA - Sending public key fails
« Reply #2 on: August 25, 2011, 02:28:03 PM »
Yes, I did. The machine is 'wide open'.
I actually got a shell open right now while being away at work and on a very different network.
(fnord)

janet
Re: AFFA - Sending public key fails
« Reply #3 on: August 25, 2011, 02:48:15 PM »
TTown

Quote
Contents of the affa db:
db affa show
AffaGlobalDisable=yes
DefaultAffaConfig=default
    sendStatus=weekly
    status=enabled
prodbox=job
    Description=My Production Server
    TimeSchedule=0030,0730,1130,1330,1730,2030
    remoteHostName=192.168.178.50
    status=disabled
prodserv=job
    RPMCheck=yes
    remoteHostName=192.168.178.50
    sshPort=22

It seems you may have entered the db command incorrectly, as you have both prodbox and prodserv db entries, whereas the wiki says
db affa set AffaGlobalDisable yes
db affa set prodserv job
db affa setprop prodserv remoteHostName prodIP
db affa setprop prodserv RPMCheck yes
affa --make-cronjobs

TTown
Re: AFFA - Sending public key fails
« Reply #4 on: August 25, 2011, 03:01:30 PM »
I tried that right away ...
Code: [Select]
[root@affa1 ~]# affa --delete-job prodbox

WARNING: All configuration data of job 'prodbox' will be deleted!
Type 'proceed' to continue or <ENTER> to cancel: proceed
deleting report database 'prodbox' ... Done.
deleting affa record 'prodbox'... Done.
[root@affa1 ~]# db affa show
AffaGlobalDisable=yes
DefaultAffaConfig=default
    sendStatus=weekly
    status=enabled
prodserv=job
    RPMCheck=yes
    remoteHostName=192.168.178.50
    sshPort=22
to no avail, though
Code: [Select]
[root@affa1 ~]# affa --send-key prodserv
Job prodserv: Sending public key to 192.168.178.50 failed.
Regenerating the cronjobs didn't make a difference
Code: [Select]
[root@affa1 ~]# affa --make-cronjobs
[root@affa1 ~]# affa --send-key prodserv
Job prodserv: Sending public key to 192.168.178.50 failed.

thank you for your quick response
Stefan
(fnord)

janet
Re: AFFA - Sending public key fails
« Reply #5 on: August 25, 2011, 03:27:56 PM »
TTown

It looks to me like you inadvertently used prodbox & prodserv to enter the db commands.

I suggest you also do

affa --delete-job prodserv

and then carefully create ALL the db entries again as per wiki

TTown
Re: AFFA - Sending public key fails
« Reply #6 on: August 25, 2011, 03:49:55 PM »
Hi Mary,

I tried that just now.
Code: [Select]
[root@affa1 ~]# affa --delete-job prodserv

WARNING: All 1 archives and configuration data of job 'prodserv' will be deleted!
Type 'proceed' to continue or <ENTER> to cancel: proceed
deleting archive scheduled.0 ...  Done.
deleting /var/affa/prodserv ... Done.
deleting report database 'prodserv' ... Done.
deleting affa record 'prodserv'... Done.
[root@affa1 ~]# db affa set AffaGlobalDisable yes
[root@affa1 ~]# db affa show
AffaGlobalDisable=yes
DefaultAffaConfig=default
    sendStatus=weekly
    status=enabled
[root@affa1 ~]# db affa set prodserv job
[root@affa1 ~]# db affa setprop prodserv remoteHostName 192.168.178.50
[root@affa1 ~]# db affa setprop prodserv RPMCheck yes
[root@affa1 ~]# affa --make-cronjobs
[root@affa1 ~]# db affa show
AffaGlobalDisable=yes
DefaultAffaConfig=default
    sendStatus=weekly
    status=enabled
prodserv=job
    RPMCheck=yes
    remoteHostName=192.168.178.50
[root@affa1 ~]# affa --send-key prodserv
Job prodserv: Sending public key to 192.168.178.50 failed.

The production server's ssh log shows again:
Code: [Select]
[root@sme ~]# cat /var/log/sshd/current
...
@400000004e564ee408ec996c Connection closed by 192.168.178.54

I don't know where to look for relevant debug messages on this ssh issue.


I am tempted to uninstall affa, reconfig/reboot and reinstall affa.


Stefan

(fnord)

mmccarn
Re: AFFA - Sending public key fails
« Reply #7 on: August 26, 2011, 12:36:18 PM »
If you're able to manually connect to the other server, have you tried manually 'sending' the ssh key to it?

affa --send-key... is simply trying to automate the generation and delivery of a keyfile as described here: http://wiki.contribs.org/SSH_Public-Private_Keys


TTown
Re: AFFA - Sending public key fails
« Reply #8 on: August 27, 2011, 07:18:42 PM »
Hello mmccarn

Quote
If you're able to manually connect to the other server, have you tried manually 'sending' the ssh key to it?

How would I do that? By successfully ssh-ing from each box into the other I'd think this would be accomplished.

Quote
affa --send-key... is simply trying to automate the generation and delivery of a keyfile as described here: http://wiki.contribs.org/SSH_Public-Private_Keys

I don't think I understand how to tweak the delivery mechanism on this page. root does not have /home/e-smith/files/users/root/.ssh/authorized_keys. Should I create it?
I am confused :-/


Where would affa put the key on the server?
If I ssh into my machines as root and run
Code: [Select]
ssh-keygen -t rsa
it stores the key in /root/.ssh/id_rsa.pub
How (and where to) should I transfer this file?

Also I think I noticed affa using DSA keys, not RSA. Does that matter?

Best regards
Stefan
(fnord)

TTown
Re: AFFA - Sending public key fails
« Reply #9 on: August 29, 2011, 06:58:52 AM »
Quote
[...]
I am tempted to uninstall affa, reconfig/reboot and reinstall affa.
[...]

Did that.
Didn't help.

My Perl knowledge is basically non-existent, but I tried looking at the code producing the error message:
Code: [Select]
[...]
{
my $ak="/root/.ssh/authorized_keys2";
$cmd="/bin/cat $kf | /usr/bin/ssh $sshQuiet $HostKeyAliasOption -o StrictHostKeyChecking=no -p $port $remotehost '/bin/cat - > $ak.$LocalIP.\$\$ && /bin/touch $ak && /bin/grep -v \"$pubk\" < $ak >> $ak.$LocalIP.\$\$ ; /bin/mv -f $ak.$LocalIP.\$\$ $ak'";
}
dbg( "Exec Cmd: $cmd" );
my $err=system($cmd);
$s = $err ? "Sending public key to $remotehost failed." : "Public key sent to $remotehost";
[...]


This file, "/root/.ssh/authorized_keys2", does for some reason not exist on the production box.

But since I really don't understand
Code: [Select]
$cmd="/bin/cat $kf | /usr/bin/ssh $sshQuiet $HostKeyAliasOption -o StrictHostKeyChecking=no -p $port $remotehost '/bin/cat - > $ak.$LocalIP.\$\$ && /bin/touch $ak && /bin/grep -v \"$pubk\" < $ak >> $ak.$LocalIP.\$\$ ; /bin/mv -f $ak.$LocalIP.\$\$ $ak'";
this might just be describing the source (the file exists on the affa box).

What can I do?

Stefan
(fnord)

mmccarn
Re: AFFA - Sending public key fails
« Reply #10 on: August 29, 2011, 12:56:01 PM »
For AFFA to work, it needs to be able to connect to the target server without requiring an interactive password or passphrase. The specific type of encryption in the ssh key doesn't matter (rsa vs dsa).

Generate an rsa key on the affa server that does *not* use a passphrase (press <enter> when prompted for the passphrase):
http://wiki.contribs.org/SSH_Public-Private_Keys#On_SME_Server

Install the public keyfile on the target server in /root/.ssh/authorized_keys2:
http://wiki.contribs.org/SSH_Public-Private_Keys#Installing_the_Public_Key_onto_the_Server

Test that ssh will connect without asking for a password from the Affa server to the server being backed up:
ssh 192.168.178.50


****
The public key is a simple one-line text file - you can transfer it from the affa server to the target server using scp, or you can copy/paste it from one putty window to another:
on the AFFA server:
cat id_rsa.pub

on the target server:
mkdir -p /root/.ssh
cd /root/.ssh
vi authorized_keys2
(now copy and paste the contents of id_rsa.pub into authorized_keys2).
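
The manual install described in the reply above, done the way the Affa command quoted earlier in the thread does it on the remote side (new key first, every other existing line carried over, result moved into place), as an added example that is not part of the thread or of Affa's code. The function name `install_pubkey` and the demo paths are assumptions, and the `chmod` calls are an addition based on sshd's default StrictModes check.

```shell
#!/bin/sh
# Added example, not from the thread or from Affa. install_pubkey and the
# demo paths are hypothetical; the function is meant to run on the target server.

install_pubkey() {
    pub=$1    # public key file copied over from the Affa box, e.g. id_rsa.pub
    ak=$2     # key file on the target, e.g. /root/.ssh/authorized_keys2
    # Take one line only and strip any CR picked up by a Windows copy/paste.
    key=$(tr -d '\r' < "$pub" | head -n 1)
    case $key in
        ssh-rsa\ *|ssh-dss\ *|ssh-ed25519\ *|ecdsa-sha2-*) ;;
        *) echo "not an OpenSSH public key: $pub" >&2; return 1 ;;
    esac
    dir=$(dirname "$ak")
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    touch "$ak"                 # a missing file is fine; it is created here
    tmp="$ak.$$"
    {
        printf '%s\n' "$key"
        # keep every existing line except an earlier copy of this same key
        grep -vxF -- "$key" "$ak" || true
    } > "$tmp"
    chmod 600 "$tmp" && mv -f "$tmp" "$ak"
}

# Demo on constructed data in a scratch directory (no real keys involved).
demo=$(mktemp -d)
printf 'ssh-rsa AAAAconstructedRSAkey= root@affa1\r\n' > "$demo/id_rsa.pub"
install_pubkey "$demo/id_rsa.pub" "$demo/.ssh/authorized_keys2"
install_pubkey "$demo/id_rsa.pub" "$demo/.ssh/authorized_keys2"   # second run adds nothing
cat "$demo/.ssh/authorized_keys2"
```

From the Affa box, `ssh -o BatchMode=yes 192.168.178.50 true` then shows whether the login works with no password, passphrase or host-key prompt, which an interactive `ssh 192.168.178.50` test cannot show.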





TTown
Re: AFFA - Sending public key fails
« Reply #11 on: August 30, 2011, 01:35:28 PM »
Quote
[...]
****
The public key is a simple one-line text file - you can transfer it from the affa server to the target server using scp, or you can copy/paste it from one putty window to another:
on the AFFA server:
cat id_rsa.pub

on the target server:
mkdir -p /root/.ssh
cd /root/.ssh
vi authorized_keys2
(now copy and paste the contents of id_rsa.pub into authorized_keys2).

Did that.

Code: [Select]

[root@affa1 ~]# cd /root/.ssh/
[root@affa1 .ssh]# ls
authorized_keys2  id_dsa  id_dsa.pub  id_rsa  id_rsa.pub  known_hosts
[root@affa1 .ssh]# cat id_rsa.pub
ssh-rsa AA[snip][/snip]BVQUU= root@affa1
[root@affa1 .ssh]#
[root@affa1 .ssh]# ssh 192.168.178.50
Last login: Tue Aug 30 12:44:11 2011 from 217.110.68.82
[root@sme ~]# exit
logout
Connection to 192.168.178.50 closed.
[root@affa1 .ssh]# affa --send-key prodserv
Job prodserv: Public key sent to 192.168.178.50
[root@affa1 .ssh]# db affa show
AffaGlobalDisable=yes
DefaultAffaConfig=default
    sendStatus=weekly
    status=enabled
prodserv=job
    RPMCheck=yes
    remoteHostName=192.168.178.50
[root@affa1 .ssh]# affa --run prodserv
[root@affa1 .ssh]# affa --check-connection
prodserv         : SSH connection FAILED.
[root@affa1 .ssh]#

I was really impressed when the
Code: [Select]
affa --send-key prodserv
didn't return with an error and I (prematurely) thought everything was good now.
Without further verification I did
Code: [Select]
affa --run prodserv
which completed basically instantly.
So I started looking into the logs:
affa.log:
Code: [Select]
Tue Aug 30 12:50:19[START.5647]: Affa 1.0.0-3: Running /sbin/e-smith/affa --send-key prodserv
Tue Aug 30 12:50:19[send keys.5647]: Public key sent to 192.168.178.50
Tue Aug 30 12:50:19[send keys.5647]: Done.
Tue Aug 30 12:50:19[send keys.5647]: Exiting.
Tue Aug 30 12:53:33[START.5654]: Affa 1.0.0-3: Running /sbin/e-smith/affa --run prodserv
Tue Aug 30 12:57:43[START.5689]: Affa 1.0.0-3: Running /sbin/e-smith/affa --check-connection
Tue Aug 30 12:57:43[check-connections.5689]: Done.
Tue Aug 30 12:57:43[check-connections.5689]: Exiting.
prodserv.log:
Code: [Select]
Tue Aug 30 12:53:33[5654]: Affa 1.0.0-3: Starting job prodserv scheduled (192.168.178.50)
Tue Aug 30 12:53:33[5654]: Description:
Tue Aug 30 12:53:33[5654]: Checking SSH connection to 192.168.178.50
Tue Aug 30 12:53:33[5654]: Error 789: SSH connection to 192.168.178.50 failed. Did you send the public key?
Tue Aug 30 12:53:33[5654]: Email sent to admin
Tue Aug 30 12:53:33[5654]: Exiting.

Manually SSHing (from affa box) into the production box works ok (without passphrase).

Why can't affa ssh into the prod box?



Stefan
(fnord)

TTown
Re: AFFA - Sending public key fails
« Reply #12 on: August 30, 2011, 09:17:50 PM »
Seems fixed (backup running now)

Code: [Select]
Tue Aug 30 20:32:34[5859]: Affa 1.0.0-3: Starting job prodserv scheduled (192.168.178.50)
Tue Aug 30 20:32:34[5859]: Description:
Tue Aug 30 20:32:34[5859]: Checking SSH connection to 192.168.178.50
Tue Aug 30 20:32:35[5859]: Installing watchdog on 192.168.178.50
Tue Aug 30 20:32:35[5859]: signaling pre-backup event on 192.168.178.50
Tue Aug 30 20:32:48[5859]: writing list of installed RPMs on 192.168.178.50 (/home/e-smith/db/affa-rpmlist)
Tue Aug 30 20:32:49[5859]: Running rsync...

What helped?
I suppose removing corresponding entries from /root/.sshd/known_hosts. (--> http://forums.contribs.org/index.php/topic,45544.msg221463.html#msg221463)
In reality I deleted all entries from the new affa server's known_hosts file (the server was new anyway) and removed all possibly relevant entries from the production server's /root/.sshd/authorized_key2 file (really only the affa box's 2 (!) keys). I also made sure there were no remaining cr/lf in this ...key2 file.


I got confirmation!!! I just got to log into the 'new' server and all my mails were there! Whoa!



Thank you for your support.

Stefan
(fnord)
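
A check for the conditions cleaned up by hand in the last post (stray CR characters and leftover or doubled keys in the production server's authorized keys file), as an added example that is not part of the thread. `audit_authorized_keys` is a hypothetical name, the sample file is constructed, the comment-based duplicate check is a heuristic, and the permission test is an addition based on sshd's default StrictModes behaviour.

```shell
#!/bin/sh
# Added example, not from the thread. audit_authorized_keys is a hypothetical
# helper: it prints findings and returns 1 if there are any, 0 otherwise.

audit_authorized_keys() {
    rc=0
    awk '
        /\r$/      { printf "line %d: carriage return at end of line\n", NR; n++; sub(/\r$/, "") }
        /^[ \t]*$/ { printf "line %d: blank line\n", NR; n++; next }
        /^#/       { next }
        $0 !~ "(^| )(ssh-(rsa|dss|ed25519)|ecdsa-sha2-[a-z0-9-]+) [A-Za-z0-9+/]+=*( |$)" {
                     printf "line %d: not a recognisable key entry\n", NR; n++; next }
        seen[$0]++ { printf "line %d: exact duplicate of an earlier entry\n", NR; n++ }
                   { label[$NF]++ }   # last field is normally the user@host comment
        END {
            for (c in label) if (label[c] > 1) {
                printf "%d keys carry the comment %s\n", label[c], c; n++
            }
            exit (n > 0)
        }
    ' "$1" || rc=1
    # With StrictModes (the default) sshd refuses a key file others can write to.
    if [ -n "$(find "$1" \( -perm -020 -o -perm -002 \))" ]; then
        echo "$1: writable by group or others"
        rc=1
    fi
    return $rc
}

# Constructed sample: CRLF on line 1, two keys for one host, a trailing blank line.
sample=$(mktemp)
printf 'ssh-rsa AAAAconstructedRSA= root@affa1\r\nssh-dss AAAAconstructedDSA= root@affa1\n\n' > "$sample"
chmod 600 "$sample"
audit_authorized_keys "$sample" || echo "review $sample before testing Affa again"
```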