Access denied remote execution

btecpostmaster · March 31, 2022, 1:14pm

I am recieving the below error when trying to perform a command on a remote server. this is a fresh install of foreman

Error initializing command: RuntimeError - Unable to create directory on remote system /var/tmp/foreman-ssh-cmd-xxxxx: exit code: 255
2:
root@{redacted}: Permission denied (publickey,password).

this is running the latest build of katello running on centos streams.
I have confirmed the /var/tmp directory is accessible and performed a verbose scp from the foreman server to the remote server using the svc account that i have created on the client side. the scp test was successful

I have these plugins
foreman-tasks foreman_ansible foreman_discovery Foreman_host_reports foreman_monitoring foreman_puppet foreman_remote_execution Foreman_snapshot_management foreman_templates katello

Has anyone come across this issue before?

gvde · March 31, 2022, 1:21pm

You are writing that you have a “svc account” on client side, but the log says you do a ssh to user root…

btecpostmaster · March 31, 2022, 1:32pm

yes that is also perplexing to me as the task is set up with the effective user as the svc account

gvde · March 31, 2022, 1:36pm

So there is your problem. Read the tooltip on the “Effective user” when setting up the job invocation:

A user to be used for executing the script. If it differs from the SSH user, su or sudo is used to switch the accounts.

Unless you change the ssh user in Administer - Settings - Remote Execution the default SSH user is root, i.e. it uses root to connect to the remote host and then does sudo or su do change to the effective user.

btecpostmaster · March 31, 2022, 1:42pm

Ok i just updated that setting however its now got the same fault different username

1:
Error initializing command: RuntimeError - Unable to create directory on remote system /var/tmp/foreman-ssh-cmd-xxxx: exit code: 255
2:
svc_foreman@{redacted}: Permission denied (publickey,password).
3:
Exit status: EXCEPTION

gvde · March 31, 2022, 1:50pm

It still looks as if the remote host doesn’t accept the ssh key for svc_foreman. Check the log on the remote host for details.

You should be able to check this on the main server (or from the smart proxy in case the connection comes from a proxy and not the main server):

[root@foreman ~]# sudo -u foreman-proxy ssh svc_foreman@remote.example.com -i /usr/share/foreman-proxy/.ssh/id_rsa_foreman_proxy.pub -v

That should work. If not and you are using IPA or otherwise the sss_ssh_knownhosts_proxy or other ProxyCommand settings, the topic All remote execution jobs fail immediately with exception may help.

btecpostmaster · March 31, 2022, 1:58pm

Thanks that put me onto where the issue was. It was another field in the settings that needed correcting.

gvde · March 31, 2022, 2:02pm

Can you elaborate? For those who have the same problem?

btecpostmaster · March 31, 2022, 2:22pm

There was a field that had set effective user Method. the options where sudo, su, and dzdu
I set this to sudo, i also found there was two fields for passwords. effective user and ssh user.
I had set one but not the other.

upon setting these options and removing the sudo from my command i was executing it was able to complete successfully