Bug 1333604 - [RFE] AWS Compute Resource Enhancement: Add ability to get private keys or use existing key pairs when provisioning on EC2
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: Compute Resources - EC2
Version: 6.1.8
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: medium
Target Milestone: Unspecified
Assignee: satellite6-bugs
QA Contact: Kedar Bidarkar
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2016-05-06 00:16 UTC by Calvin Hartwell
Modified: 2019-09-26 14:37 UTC
CC: 4 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-02-21 16:54:17 UTC
Target Upstream Version:
Embargoed:


Links
System ID | Private | Priority | Status | Summary | Last Updated
Foreman Issue Tracker 17015 | 0 | Normal | Closed | Add ability to get private keys or use existing key pairs when provisioning on EC2 | 2020-10-02 12:31:18 UTC

Description Calvin Hartwell 2016-05-06 00:16:33 UTC
Description of problem:

After configuring AWS EC2 as a compute resource and provisioning a virtual machine, the user cannot SSH onto the virtual machine because foreman has generated an SSH key pair itself used to provision the machine. 

These can be seen inside AWS (see screenshot 1) - note the key pair name: foreman-55905d889-6bee-4c9b-85a7-0204bcfc888c

The user should be able to view and download these keys through the Foreman web gui (as a minimum). They should also be able to use existing pairs already configured in AWS or should be given the option to generate their own. 

This entails a potential security risk as it is not obvious if a keypair is generated per virtual machine OR per compute resource. 

Here is the work around to get the key to SSH to the machine: 

1) Run the command hammer compute-resources list

2) Take note of the compute resource ID (it can vary depending on how many you have or have had; the number increments even after they have been deleted). 

3) Now su to the postgres user, cd to /tmp and run the following command: 

     # -A prints the multi-line secret raw (no leading blanks or trailing '+' continuation markers to strip);
     # umask 077 keeps the key file from being world-readable, which ssh would otherwise refuse
     (umask 077; psql -d foreman -At -c 'select secret from key_pairs where compute_resource_id = <Compute Resource ID>;' > /tmp/<Key Pair Name>.pem)

    * Where the Compute Resource ID and Key Pair Name have been replaced. 

    * You can verify the integrity of the key using this command: openssl rsa -in /tmp/<Key Pair Name>.pem -check
        If the key is not displayed, or it asks you for a pass phrase, there is an issue with the key. 

4) You should have a pem file which can now be used to log into your EC2 machine. Depending on your AMI, try the following command: 

ssh -i <Key Pair Name>.pem ec2-user@<EC2 VM Hostname or IP>

For regular RHEL AMI, the initial user is ec2-user, it may be different depending on the AMI used. 


Version-Release number of selected component (if applicable):

6.1.7 (probably affects 6.1.8 and maybe 6.2)

How reproducible:

Very easy to reproduce. 

Steps to Reproduce:
1. Setup AWS Compute Resource and users, provision a VM.
2. Try to connect to the machine via SSH, not possible without key.
3. Run work around to get key, but it should be easier! 

Also cannot use custom key pairs. 

Actual results:

Key pairs are not visible to user unless they run database queries.

Expected results:

User should be able to get their key pair easily or use custom key pairs for AWS EC2 instances. 

Additional info:

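The database workaround in the report above, written as a script that does not leave the private key world-readable and that checks the result before it is handed to ssh. This is an added example, not the reporter's commands and not Satellite or Foreman code. It assumes the key_pairs(secret, compute_resource_id) table the workaround queries, psql access as the postgres user, and that openssl is on PATH (the openssl check is skipped otherwise); the function names are mine.

```shell
#!/bin/sh
# Added example (not Satellite/Foreman code): extract the Foreman-generated EC2
# private key from the Satellite database without leaving it world-readable, and
# sanity-check it before use. Assumes the key_pairs(secret, compute_resource_id)
# table queried in the workaround above and psql access as the postgres user.
set -eu

# psql's default aligned output renders a multi-line value with a leading blank
# and a trailing '+' continuation marker on every line. Undo that so the result
# is the raw PEM (harmless on output produced with psql -A, which has no markers).
psql_to_pem() {
  sed -e 's/^[[:space:]]*//' \
      -e 's/[[:space:]]*$//' \
      -e 's/+$//' \
      -e 's/[[:space:]]*$//' \
      -e '/^$/d'
}

# Write stdin to a file that only the owner can read. The original workaround
# redirects into /tmp under the default umask, which leaves the private key
# world-readable and makes ssh refuse it ("UNPROTECTED PRIVATE KEY FILE").
write_pem() {
  dest=$1
  rm -f "$dest"
  ( umask 077; cat > "$dest" )
}

# Check that the file is a PEM private key that openssl can parse without a
# passphrase (Foreman generates an unencrypted RSA key; anything else means the
# extraction mangled it). stdin is /dev/null so a passphrase prompt fails fast.
check_pem() {
  pem=$1
  head -n 1 "$pem" | grep -q '^-----BEGIN .*PRIVATE KEY-----$' || return 1
  if command -v openssl >/dev/null 2>&1; then
    openssl rsa -in "$pem" -check -noout </dev/null >/dev/null 2>&1 || return 1
  fi
  return 0
}

# End to end: the key for one compute resource (ID from the hammer listing in
# the workaround). Each compute resource owns exactly one key pair (key_pairs is
# keyed by compute_resource_id), so every host provisioned through it shares
# this key. The ID is required to be numeric before it is interpolated into SQL,
# and a failed psql call yields an empty file that check_pem rejects.
extract_key() {
  cr_id=$1
  dest=$2
  case $cr_id in
    ''|*[!0-9]*) echo "compute resource id must be numeric" >&2; return 2 ;;
  esac
  psql -d foreman -At \
       -c "select secret from key_pairs where compute_resource_id = ${cr_id};" \
    | psql_to_pem | write_pem "$dest"
  check_pem "$dest"
}

# Usage (as postgres, then copy the file to your own account):
#   extract_key 1 /tmp/foreman-ec2.pem && ssh -i /tmp/foreman-ec2.pem ec2-user@<host>
```

Because the file is created under umask 077 it is readable only by the user running the script (the postgres user here), so it has to be copied to the account that will run ssh rather than read directly out of /tmp by everyone on the box.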
Comment 2 Ondřej Pražák 2016-10-19 13:41:58 UTC
Created redmine issue http://projects.theforeman.org/issues/17015 from this bug

Comment 3 Bryan Kearney 2016-11-06 17:20:23 UTC
Upstream bug assigned to szadok

Comment 4 Bryan Kearney 2016-12-25 11:20:45 UTC
Moving this bug to POST for triage into Satellite 6 since the upstream issue http://projects.theforeman.org/issues/17015 has been resolved.

Comment 5 Kedar Bidarkar 2017-11-18 01:38:00 UTC
1) Added Ec2 Compute Resource and downloaded the ssh private key, at the time of creation.
2) Added  Ec2 image and mentioned user as ec2-user.
3) Created a new host.
4) Logged in to the new Host via the ssh private key downloaded during step 1)

 kbidarka  ~  Downloads  ssh -i ./foreman-useast1_ec2-sat63.pem ec2-user.amazonaws.com
[ec2-user@ip-172-25-0-111 ~]$ 


VERIFIED With sat6.3-snap24

Comment 6 Kedar Bidarkar 2017-11-21 17:04:08 UTC
More information around this is available here, https://github.com/theforeman/foreman/pull/4024#issuecomment-262164402

Comment 8 Satellite Program 2018-02-21 16:54:17 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:0336

