
Re: Application SSH Keys



On Tue, Jan 13, 2015 at 04:46:43PM +0000, Braswell, Stephen wrote:
> Hello everyone,
>
> I’m troubleshooting an issue for a customer in my OpenShift Enterprise 2.2 install.  The customer can ssh into his gear without any problems but when he does a ‘git push’ he is prompted for an ssh key passphrase but his regular passphrase doesn’t work.  Looking at the raw output of his app with ‘oo-app-info’, I see he has an ‘ApplicationSshKey’ tied to his application, which doesn’t match his user ssh key.  I’ve never seen that before and was wondering what the application ssh key is used for and how it gets set.

Are you saying that you do *not* see any UserSshKey entries in the
output of oo-app-info? In that case, perhaps the customer needs to use
`rhc sshkey add` to configure a key.  However, you say that the customer
can SSH in, so there presumably is a user key configured.

The ApplicationSshKey is added by the OpenShift platform to gears of
scalable applications so that platform code running in one gear has SSH
access to the other gears.  For example, if the customer does a git push, the
OpenShift platform performs a build on one gear and then uses the
application SSH key to push the build artifacts thence to the other
gears.  This key isn't used for user access, so you can ignore it as far
as the problem that this customer is experiencing is concerned.

What OS is the customer using? Most often when I see the problem you
describe, it is on MS Windows systems where the SSH client and Git (with
its own SSH client) are coming from different distributions and so must
each be configured separately.

In case the problem is on the node end, have you run oo-diagnostics yet?
Running oo-diagnostics generally should be the first step in diagnosing
problems in OpenShift.

Is PUBLIC_HOSTNAME in /etc/openshift/node.conf set correctly? See
<https://access.redhat.com/documentation/en-US/OpenShift_Enterprise/2/html-single/Troubleshooting_Guide/#Password_Prompt>.
(oo-diagnostics does some verification of this setting for you.)

Otherwise, perhaps /var/log/secure on the node host would have some
clues.  This log file may show the difference in how the SSH client
authenticates and how Git authenticates.  It may also show if there is
some issue with PAM configuration that is interfering with Git.

It is also worth checking /var/log/audit/audit.log in case SELinux is
blocking access.

I hope that helps!

> Thanks,
>
> -Stephen

--
Miciah Dashiel Butler Masters <mmasters redhat com>
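
An added example, not part of the original message: one way to compare how the SSH client and Git authenticate, by summarizing sshd results in /var/log/secure for a single gear login. The log lines are constructed in the usual sshd format, and the gear login names, host name and addresses are placeholders.

```shell
#!/bin/sh
# Constructed sample of /var/log/secure lines (not taken from a real host).
sample_log() {
cat <<'EOF'
Jan 13 16:40:01 node1 sshd[2101]: Accepted publickey for 54b5487ae0b8cd0b4c000001 from 192.0.2.10 port 51234 ssh2
Jan 13 16:41:10 node1 sshd[2140]: Failed publickey for 54b5487ae0b8cd0b4c000001 from 192.0.2.10 port 51301 ssh2
Jan 13 16:41:15 node1 sshd[2140]: Failed password for 54b5487ae0b8cd0b4c000001 from 192.0.2.10 port 51301 ssh2
Jan 13 16:41:15 node1 sshd[2140]: Connection closed by 192.0.2.10
Jan 13 16:45:00 node1 sshd[2200]: Accepted publickey for 54b5487ae0b8cd0b4c000002 from 192.0.2.44 port 40000 ssh2
EOF
}

# auth_summary GEAR_LOGIN: read log lines on stdin and print
# "<count> <result> <method> <source address>" for that login.
auth_summary() {
  awk -v user="$1" '
    $5 ~ /^sshd\[/ && ($6 == "Accepted" || $6 == "Failed") &&
    $8 == "for" && $9 == user {
      count[$6 " " $7 " " $11]++
    }
    END { for (k in count) print count[k], k }
  ' | LC_ALL=C sort
}

# mixed_results GEAR_LOGIN: print source addresses that have both accepted
# and failed attempts for the login, which is what one machine with two
# differently configured SSH clients looks like from the node side.
mixed_results() {
  auth_summary "$1" | awk '
    $2 == "Accepted" { ok[$4] = 1 }
    $2 == "Failed"   { bad[$4] = 1 }
    END { for (ip in ok) if (ip in bad) print ip }
  ' | LC_ALL=C sort
}

# Demo on the constructed sample. On a node host, feed the real log instead:
#   auth_summary <gear login> < /var/log/secure
sample_log | auth_summary 54b5487ae0b8cd0b4c000001
sample_log | mixed_results 54b5487ae0b8cd0b4c000001
```

Comparing the timestamps of the accepted and failed entries against the times of the customer's `ssh` and `git push` attempts shows which client produced which result.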

