Problem:
I would like to execute a command on a remote host using the ‘Run Command - Script Default’ template but I need to use my own ssh keys for that purpose and other username (not foreman-proxy).
So I copied my keys to: /usr/share/foreman-proxy/.ssh on my foreman server and replaced existing keys:
id_rsa_foreman_proxy
id_rsa_foreman_proxy.pub
And it doesn’t work. I can’t execute a command on that host because It fails immediately with:
Error initializing command: RuntimeError - Could not establish connection to remote host using any available authentication method, tried password
2:
Exit status: EXCEPTION
3:
StandardError: Job execution failed
Is it possible? If yes, what I am doing wrong?
Expected outcome:
Foreman should execute commands on a remote hosts using ssh keys and provided username
I don’t recommend swapping the ssh keys out from under the foreman-proxy users feet. I don’t think those are used for just remote execution.
You should really create a completely separate remote execution user (e.g. rex-user) with the keys you want, and then configure remote execution to use that user by setting the remote_execution_ssh_user parameter to (type String, value rex-user) for any relevant hosts. Of course the rex user you create needs to own the ssh keys you want to use, etc.
Just to rule out common issues, which are not remote execution related:
Using the key you placed inside your foreman, can you open a ssh-connection to your target host on the terminal? Did you add the pub-key to the authorized_keys on the target host?
On the foreman the key has to be readable by foreman-proxy (only → private key shouldn’t be readable for other users)
On the foreman the ssh-connection is always opened by the foreman-proxy-user but you can specify which user should be used to login at the targetsystem (default: root) but you can specify the username.
might also need to look at the foreman-installer settings depending on how “custom” you want to make it:
–foreman-proxy-plugin-remote-execution-script-local-working-dir
–foreman-proxy-plugin-remote-execution-script-ssh-identity-dir
–foreman-proxy-plugin-remote-execution-script-ssh-identity-file
Any wrong moves here though and you will start to break things so be careful and snapshot before
Hi,
did you correctly set permissions when you placed the keys into ~foreman-proxy/.ssh? Is your key passphrase protected?
Yes, permissions are correct.
No, it is not password protected.
You should really create a completely separate remote execution user (e.g. rex-user) with the keys you want, and then configure remote execution to use that user by setting the remote_execution_ssh_user parameter to (type String, value rex-user) for any relevant hosts. Of course the rex user you create needs to own the ssh keys you want to use, etc.
Okay, I reverted my changes, so original foreman-proxy generated keys and restarted foreman. I can change the username in remote_execution_ssh_user field, but how foreman will find ssh key for that user?
Using the key you placed inside your foreman, can you open a ssh-connection to your target host on the terminal? Did you add the pub-key to the authorized_keys on the target host?
Yes, I was able to ssh by providing the ssh key as an argument e.g. ssh hostname -i key
might also need to look at the foreman-installer settings depending on how “custom” you want to make it:
–foreman-proxy-plugin-remote-execution-script-local-working-dir
–foreman-proxy-plugin-remote-execution-script-ssh-identity-dir
–foreman-proxy-plugin-remote-execution-script-ssh-identity-file
I decided to leave original foreman-proxy user name as it is. I want to use foreman-proxy one.
I wanted to use another key, not foreman-proxy key as well as other user.
Fortunately, I managed to do this by changing the ssh config for foreman-proxy user. This is how you can do it:
