Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[crmsh-4.6] Fix: bootstrap: ssh public key should be copied to qnetd node when ssh-agent feature is not enabled (bsc#1228950) #1515

Merged
merged 3 commits into from
Aug 15, 2024
Merged

[crmsh-4.6] Fix: bootstrap: ssh public key should be copied to qnetd node when ssh-agent feature is not enabled (bsc#1228950) #1515

merged 3 commits into from
Aug 15, 2024

Conversation

nicholasyang2022
Copy link
Collaborator

Problems

When running crm cluster init qdevice --qnetd-hostame <qnetd-node> with an environ SSH_AUTH_SOCK, even if --enable-ssh-agent is not specified, crmsh will use that ssh-agent for check_ssh_passwd_need. If the ssh-agent provides a key enabling passwordless ssh authentication to the <qnetd-node>, the ssh public key of the <init-node> will not be added to the authorized_keys of <qnetd-node>.

This makes the ssh authentication between <init-node> and <qnetd-node> to depend on ssh-agent. It is unexpected and causes problems. For example, when a new node joins without ssh-agent, the new node needs the help of <init-node> to copy its ssh public key to <qnetd-node> (by running crm cluster init qnetd-remote <new-node> on <init-node>). This will fail as the <init-node> cannot get ssh access to <qnetd-node> without ssh-agent.

Fixes

When ssh-agent support is not enabled, drop environ SSH_AUTH_SOCK before checking whether passwordless ssh is available.

@nicholasyang2022
Fix: bootstrap: should check if sudo is available when running `clust…
b582c22 
…er init -N` with a non-root destination user (bsc#1228950)
@nicholasyang2022
Fix: bootstrap: should check if sudo is available when running `clust…
25983c5 
…er join -c` with a non-root destination user (bsc#1228950)
@nicholasyang2022
Fix: bootstrap: drop environ SSH_AUTH_SOCK before checking passwordle…
69d0d63 
…ss ssh when it is not enabled (bsc#1228950)

Or local generated keys will not be added to authorized_keys, and future
operations will fail when ssh-agent is not provided any longer.
@nicholasyang2022 nicholasyang2022 marked this pull request as ready for review August 14, 2024 06:48
@nicholasyang2022 nicholasyang2022 changed the title Fix: bootstrap: ssh public key should be copied to qnetd node when ssh-agent feature is not enabled (bsc#1228950) [crmsh-4.6] Fix: bootstrap: ssh public key should be copied to qnetd node when ssh-agent feature is not enabled (bsc#1228950) Aug 14, 2024
liangxin1300
liangxin1300 approved these changes Aug 15, 2024
View reviewed changes
Copy link
Collaborator

@liangxin1300 liangxin1300 left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, thanks!

Please port to master

@liangxin1300 liangxin1300 merged commit 5a3c45a into ClusterLabs:crmsh-4.6 Aug 15, 2024
29 checks passed
@nicholasyang2022 nicholasyang2022 mentioned this pull request Aug 15, 2024
Merged
@nicholasyang2022 nicholasyang2022 deleted the bsc_1228950_20240814 branch August 29, 2024 06:33
liangxin1300 added a commit that referenced this pull request Aug 30, 2024
@liangxin1300
Fix: bootstrap: ssh public key should be copied to qnetd node when ss…
951595d 
…h-agent feature is not enabled (bsc#1228950) (#1516)

port:

* #1515
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@liangxin1300 liangxin1300 liangxin1300 approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@nicholasyang2022 @liangxin1300