This repository has been archived by the owner on Dec 9, 2020. It is now read-only.

AWS - ssh key login issue #61

Closed
alberttwong opened this issue Oct 20, 2016 · 11 comments

@alberttwong
Contributor

[root@localhost ~]# ssh ec2-user@bastion.ocp.alberttwong.com
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ECDSA key sent by the remote host is
06:35:3b:37:90:8e:50:32:4c:c0:67:d2:0e:54:79:0c.
Please contact your system administrator.
Add correct host key in /root/.ssh/known_hosts to get rid of this message.
Offending ECDSA key in /root/.ssh/known_hosts:2
Password authentication is disabled to avoid man-in-the-middle attacks.
Keyboard-interactive authentication is disabled to avoid man-in-the-middle attacks.
Agent forwarding is disabled to avoid man-in-the-middle attacks.
Error: forwarding disabled due to host key check failure
ssh_exchange_identification: Connection closed by remote host
[root@localhost ~]# ssh ec2-user@35.160.172.216
Last login: Wed Oct 19 23:25:31 2016 from cpe-75-83-58-118.socal.res.rr.com

related to #58

@alberttwong
Contributor Author

[root@localhost ~]# ssh ec2-user@bastion.ocp.alberttwong.com
Warning: Permanently added 'bastion.ocp.alberttwong.com' (ECDSA) to the list of known hosts.
channel 0: open failed: administratively prohibited: open failed
ssh_exchange_identification: Connection closed by remote host
[root@localhost ~]# ssh ec2-user@35.160.172.216
The authenticity of host '35.160.172.216 (35.160.172.216)' can't be established.
ECDSA key fingerprint is 06:35:3b:37:90:8e:50:32:4c:c0:67:d2:0e:54:79:0c.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '35.160.172.216' (ECDSA) to the list of known hosts.
Last login: Wed Oct 19 23:26:20 2016 from cpe-75-83-58-118.socal.res.rr.com
[ec2-user@ip-10-20-1-145 ~]$ exit
logout
Connection to 35.160.172.216 closed.
[root@localhost ~]# ssh ec2-user@bastion.ocp.alberttwong.com
channel 0: open failed: administratively prohibited: open failed
ssh_exchange_identification: Connection closed by remote host

@cooktheryan
Contributor

This is an expected result as you have logged into the bastion on your previous install. Remove the entries in ~/.ssh/known_hosts.

If you want to pick up where you left off fill in your vars and run the following

ansible-playbook -i inventory/aws/hosts -e 'public_hosted_zone=ocp.alberttwong.com wildcard_zone=apps.ocp.alberttwong.com console_port=443 deployment_type=openshift-enterprise rhsm_user= rhsm_password= rhsm_pool="Employee SKU" region=us-east-1 s3_username=openshift-s3-docker-registry byo_bastion=no' playbooks/openshift-install.yaml
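An added example, not code from this thread or from the project: the Python below inspects a known_hosts file the way the warning in the first comment does. It computes both the legacy colon-separated MD5 fingerprint that the 2016 ssh client printed (06:35:3b:...) and the SHA256 form newer clients print, finds the line number of the entry that disagrees with the key the host at the public IP presents, and checks whether the DNS name and the IP have the same key on record. The known_hosts content and key blobs are constructed, and the function names are mine. The check worth doing before deleting the "offending" line is the comparison: removing the entry silently accepts whatever key the next connection offers, so confirm the IP's fingerprint against what the name presented (or against the instance's console output) first.

```python
import base64
import hashlib
from typing import List, Set, Tuple


def _blob(key_type: str, payload: bytes) -> str:
    """Base64 SSH wire blob: 4-byte length, key type string, then key data.
    The key data used below is constructed filler, not a real public key."""
    raw = len(key_type).to_bytes(4, "big") + key_type.encode() + payload
    return base64.b64encode(raw).decode()


# Constructed known_hosts, not the reporter's real file. Line 2 stands in for
# the stale bastion entry ssh called "Offending ECDSA key in known_hosts:2";
# line 3 is the key the host at the public IP presents now.
SAMPLE_KNOWN_HOSTS = "\n".join([
    "github.example ssh-ed25519 " + _blob("ssh-ed25519", b"\x00\x00\x00\x20" + b"\x11" * 32),
    "bastion.ocp.alberttwong.com ecdsa-sha2-nistp256 "
    + _blob("ecdsa-sha2-nistp256", b"\x00\x00\x00\x08nistp256" + b"\x00\x00\x00\x41" + b"\xaa" * 65),
    "35.160.172.216 ecdsa-sha2-nistp256 "
    + _blob("ecdsa-sha2-nistp256", b"\x00\x00\x00\x08nistp256" + b"\x00\x00\x00\x41" + b"\xbb" * 65),
]) + "\n"


def parse_known_hosts(text: str) -> List[Tuple[int, List[str], str, str]]:
    """Return (line_no, hostnames, key_type, blob) per entry, keeping the file's
    1-based line numbers because that is how ssh reports the offending line.
    Hashed entries (HashKnownHosts yes, '|1|...') keep the hash as the host
    field; they can only be looked up with ssh-keygen -F, not by name here."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if fields[0].startswith("@"):        # @cert-authority / @revoked marker
            fields = fields[1:]
        if len(fields) < 3:
            continue
        entries.append((line_no, fields[0].split(","), fields[1], fields[2]))
    return entries


def md5_fingerprint(blob: str) -> str:
    """Legacy OpenSSH fingerprint (colon-separated MD5), the format in the warning."""
    digest = hashlib.md5(base64.b64decode(blob)).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def sha256_fingerprint(blob: str) -> str:
    """Current OpenSSH fingerprint: 'SHA256:' plus unpadded base64 (ssh-keygen -l -E sha256)."""
    digest = hashlib.sha256(base64.b64decode(blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def find_offending_lines(text: str, host: str, key_type: str, presented_md5: str) -> List[int]:
    """Line numbers whose stored key for host/key_type differs from the fingerprint
    the server just presented. An empty list means known_hosts already agrees."""
    wanted = presented_md5.lower()
    return [ln for ln, hosts, kt, blob in parse_known_hosts(text)
            if host in hosts and kt == key_type and md5_fingerprint(blob) != wanted]


def keys_for(text: str, host: str, key_type: str) -> Set[str]:
    """Distinct key blobs recorded for one host name or IP."""
    return {blob for _, hosts, kt, blob in parse_known_hosts(text) if host in hosts and kt == key_type}


if __name__ == "__main__":
    name, ip, kt = "bastion.ocp.alberttwong.com", "35.160.172.216", "ecdsa-sha2-nistp256"
    presented = md5_fingerprint(next(iter(keys_for(SAMPLE_KNOWN_HOSTS, ip, kt))))
    print("key presented by", ip, "=", presented)
    for ln in find_offending_lines(SAMPLE_KNOWN_HOSTS, name, kt, presented):
        print(f"{name}: stale entry on known_hosts line {ln}; remove with: ssh-keygen -R {name}")
    if keys_for(SAMPLE_KNOWN_HOSTS, name, kt) == keys_for(SAMPLE_KNOWN_HOSTS, ip, kt):
        print("name and IP share one host key")
    else:
        print("name and IP have different keys: verify out of band before trusting either")
```

ssh-keygen -R removes only the entries for the name given, which is safer than emptying the whole file, and it leaves a known_hosts.old copy to diff against.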

@alberttwong
Contributor Author

I actually deleted all my known_hosts entries... so I don't know why this issue appears.

@alberttwong
Contributor Author

alberttwong commented Oct 20, 2016

I can reprovision again... but I don't think that's the issue. I'm going to take a time out. I'll try this again tomorrow.

@detiber
Contributor

detiber commented Oct 20, 2016

@cooktheryan probably want to use an ansible.cfg file that sets host_key_checking=no

@cooktheryan
Contributor

@detiber we have that param but it seems like it still hangs up on the whole known_hosts file. The param definitely stops you from having to answer yes/no in regards to first login.
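host_key_checking=no in ansible.cfg removes the prompt by telling Ansible to accept whatever key each host presents, which is exactly the man-in-the-middle case the warning in the first comment describes. The alternative that keeps checking on is to pre-seed known_hosts from a source the attacker on the network path cannot influence. An added example, not part of the thread or of the project's playbooks: on EC2, cloud-init prints the instance's host public keys to the serial console at first boot, readable out of band with `aws ec2 get-console-output --instance-id <id> --output text`; the Python below parses that block and emits known_hosts lines covering both the DNS name and the public IP, so neither `ssh bastion.ocp.alberttwong.com` nor `ssh 35.160.172.216` prompts. The console text is constructed and the key material is filler; the function names are mine.

```python
import re
from typing import List, Tuple

BEGIN_MARK = "-----BEGIN SSH HOST KEY KEYS-----"
END_MARK = "-----END SSH HOST KEY KEYS-----"
B64 = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-")

# Constructed console output in the shape cloud-init writes at first boot.
# The base64 key material is filler, not a real host key.
SAMPLE_CONSOLE_OUTPUT = """\
[    3.101] cloud-init[1234]: Cloud-init v. 0.7.6 running 'modules:final'
ci-info: no authorized ssh keys fingerprints found for user ec2-user.
-----BEGIN SSH HOST KEY KEYS-----
ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA= root@ip-10-20-1-145
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA root@ip-10-20-1-145
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA root@ip-10-20-1-145
-----END SSH HOST KEY KEYS-----
Cloud-init v. 0.7.6 finished at Thu, 20 Oct 2016 06:25:31 +0000.
"""


def extract_host_keys(console_text: str) -> List[Tuple[str, str]]:
    """(key_type, base64_blob) pairs from the cloud-init host key block.
    Raises ValueError when the block is absent (instance still booting, or the
    console buffer has rolled over) so a caller never silently falls back to
    trusting the first key a connection happens to present."""
    lines = [ln.strip() for ln in console_text.splitlines()]

    def find(marker: str, start: int = 0) -> int:
        # endswith tolerates a console prefix such as a timestamp before the marker
        for i in range(start, len(lines)):
            if lines[i].endswith(marker):
                return i
        raise ValueError(f"console output has no '{marker}' line")

    start = find(BEGIN_MARK) + 1
    end = find(END_MARK, start)
    keys = []
    for line in lines[start:end]:
        fields = line.split()
        for i, field in enumerate(fields[:-1]):
            if field.startswith(KEY_TYPE_PREFIXES) and B64.match(fields[i + 1]):
                keys.append((field, fields[i + 1]))
                break
    if not keys:
        raise ValueError("SSH HOST KEY KEYS block is empty")
    return keys


def known_hosts_lines(console_text: str, *names: str) -> List[str]:
    """One known_hosts line per key type, listing every name the instance is
    reached by (DNS name and public IP). With the IP on the line, ssh's default
    CheckHostIP passes instead of having to be disabled."""
    if not names:
        raise ValueError("at least one host name or IP is required")
    host_field = ",".join(names)
    return [f"{host_field} {key_type} {blob}" for key_type, blob in extract_host_keys(console_text)]


def write_known_hosts(path: str, lines: List[str]) -> None:
    """Append entries to a known_hosts file, e.g. ~/.ssh/known_hosts."""
    with open(path, "a", encoding="ascii") as fh:
        for line in lines:
            fh.write(line + "\n")


if __name__ == "__main__":
    for line in known_hosts_lines(SAMPLE_CONSOLE_OUTPUT, "bastion.ocp.alberttwong.com", "35.160.172.216"):
        print(line)
```

Run it against the real console output right after the instance boots, before the first Ansible run, and host_key_checking can stay at its default. Console output is only guaranteed for the first boot and is buffered, so a missing block is an error to stop on, not a reason to fall back to trust-on-first-use.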

@cooktheryan
Contributor

@alberttwong feel free to shoot me your ~/.ssh/config before you kick off. I'd be happy to take a look.

@alberttwong
Contributor Author

[root@localhost ~]# cat ~/.ssh/config
Host bastion
     Hostname                 bastion.ocp.alberttwong.com
     user                       ec2-user
     StrictHostKeyChecking      no
     ProxyCommand               none
     CheckHostIP                no
     ForwardAgent               yes
     IdentityFile               /root/.ssh/id_rsa

Host *.ocp.alberttwong.com
     ProxyCommand               ssh ec2-user@bastion -W %h:%p
     user                       ec2-user
     IdentityFile               /root/.ssh/id_rsa
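An added example, not code from the thread: the config above is fed through a small ssh_config matcher of my own (Host stanzas only, with * and ? wildcards and ! negation, first value obtained wins as in ssh(1)) to show which options each command line actually gets. ssh matches Host patterns against the name typed on the command line, before Hostname substitution, so `ssh bastion` selects the alias stanza (StrictHostKeyChecking no, no ProxyCommand), while `ssh ec2-user@bastion.ocp.alberttwong.com` matches only the `*.ocp.alberttwong.com` stanza: it is proxied through the bastion to its own name and keeps full host key checking. Two hardening notes visible in the same config: the alias stanza disables CheckHostIP, and it enables ForwardAgent, which lets a compromised bastion use your agent's keys for as long as you are connected.

```python
import fnmatch
import re
from typing import Dict, List, Tuple

# The reporter's ~/.ssh/config, embedded as posted.
SAMPLE_CONFIG = """\
Host bastion
     Hostname                 bastion.ocp.alberttwong.com
     user                       ec2-user
     StrictHostKeyChecking      no
     ProxyCommand               none
     CheckHostIP                no
     ForwardAgent               yes
     IdentityFile               /root/.ssh/id_rsa

Host *.ocp.alberttwong.com
     ProxyCommand               ssh ec2-user@bastion -W %h:%p
     user                       ec2-user
     IdentityFile               /root/.ssh/id_rsa
"""

Stanza = Tuple[List[str], Dict[str, str]]


def parse_ssh_config(text: str) -> List[Stanza]:
    """Return [(host_patterns, {option_lowercase: value}), ...] in file order.
    Options before the first Host line go into a '*' stanza. Keywords are
    case-insensitive in ssh_config, hence the lowercasing ('user' == 'User').
    Match and Include directives are not handled."""
    stanzas: List[Stanza] = []
    current: Stanza = (["*"], {})
    stanzas.append(current)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[ \t=]+", line, maxsplit=1)   # "Key value" or "Key=value"
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "host":
            current = (value.split(), {})
            stanzas.append(current)
        else:
            current[1].setdefault(key, value)              # first value in a stanza wins
    return stanzas


def host_matches(patterns: List[str], host: str) -> bool:
    """ssh_config Host matching: * and ? wildcards, a leading ! negates, and a
    negated match defeats the whole stanza. fnmatch also treats [..] as a class,
    which ssh does not; none of the patterns here use it."""
    matched = False
    for pattern in patterns:
        if pattern.startswith("!"):
            if fnmatch.fnmatchcase(host, pattern[1:]):
                return False
        elif fnmatch.fnmatchcase(host, pattern):
            matched = True
    return matched


def effective_options(text: str, host: str) -> Dict[str, str]:
    """Merge matching stanzas the way ssh(1) does: for each option the first
    value obtained is kept, later stanzas only fill in options not yet set."""
    options: Dict[str, str] = {}
    for patterns, values in parse_ssh_config(text):
        if host_matches(patterns, host):
            for key, value in values.items():
                options.setdefault(key, value)
    return options


if __name__ == "__main__":
    for target in ("bastion", "bastion.ocp.alberttwong.com", "master1.ocp.alberttwong.com"):
        print(target)
        for key, value in sorted(effective_options(SAMPLE_CONFIG, target).items()):
            print(f"    {key} = {value}")
```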

@alberttwong
Contributor Author

I'd say this is not as high priority as the other ticket. This is more of an interesting case if I want to log into the instances (hopefully I'll never have to do this).

@cooktheryan
Contributor

cooktheryan commented Oct 24, 2016

@alberttwong if you have time today/this week I'd love to set up a BlueJeans session to work this out. It would help to allow me to see if there is a large issue in the installation scripts.

Reach out to me at rcook@redhat.com.

@alberttwong
Contributor Author

This looks to be related to DNS entry setup in Route53. The new subdomain DNS NS entry needs to be copied to the main domain.
