Bug 1343414 - Failed SSH to conversion server by ssh identity http url at p2v client
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: libguestfs
7.3
x86_64 Unspecified
medium Severity medium
: rc
: ---
Assigned To: Richard W.M. Jones
Virtualization Bugs
P2V
Reported: 2016-06-07 05:47 EDT by mxie@redhat.com
Modified: 2016-11-03 14:01 EDT (History)

Fixed In Version: libguestfs-1.32.5-4.el7
Last Closed: 2016-11-03 14:01:27 EDT
Type: Bug

Attachments
id_rsa http url (39.16 KB, image/png)
2016-06-07 05:47 EDT, mxie@redhat.com
curl error 22 (112.63 KB, image/png)
2016-06-07 06:03 EDT, mxie@redhat.com


External Trackers
Tracker: Red Hat Product Errata
ID: RHSA-2016:2576
Priority: normal
Status: SHIPPED_LIVE
Summary: Moderate: libguestfs and virt-p2v security, bug fix, and enhancement update
Last Updated: 2016-11-03 08:06:51 EDT

Description mxie@redhat.com 2016-06-07 05:47:10 EDT
Created attachment 1165562 [details]
id_rsa http url

Description of problem:
Failed SSH to conversion server by ssh identity http url at p2v client


Version-Release number of selected component (if applicable):
virt-p2v-1.32.5-2.el7.iso
virt-v2v-1.32.5-2.el7.x86_64
libguestfs-1.32.5-2.el7.x86_64



How reproducible:
100%

Steps to Reproduce:
1. Check the ssh identity info in the virt-p2v manual page
# man virt-p2v
SSH IDENTITIES

SSH identity downloaded from a website. In the GUI, use:

 │          Password: [    <leave this field blank>       ] │
 │                                                          │
 │  SSH Identity URL: [https://internal.example.com/id_rsa] │

or on the kernel command line:

 p2v.identity=https://internal.example.com/id_rsa

Anyone could still download the private key and use it to log in to the virt-v2v conversion server, but you could provide some extra security by configuring the web server to only allow connections from P2V machines.

3. Create a key pair, which must have an empty passphrase, and append the public key to the authorized_keys file on the conversion server

3.1 # ssh-keygen -t rsa -N '' -f id_rsa

3.2 # scp id_rsa.pub /root/.ssh/authorized_keys

4. Put the id_rsa on an available website, such as http://pan.baidu.com/s/1qXFPzZm; please refer to screenshot 'id_rsa http url'

5. Boot the machine into the p2v client via the ISO

6. At the conversion server info input interface, input the conversion server IP and username and then input the id_rsa http url as the ssh identity url, but the ssh connection failed with error: curl error 22; please refer to screenshot 'curl error 22'
 


Actual results:
As described above

Expected results:
SSH to conversion server by ssh identity http url at p2v client successfully
 

Additional info:
Comment 1 mxie@redhat.com 2016-06-07 06:03 EDT
Created attachment 1165566 [details]
curl error 22
Comment 3 Richard W.M. Jones 2016-06-07 09:28:51 EDT
So the reason for the failure in this case is that the remote
URL is not available.  It fails with 403 Forbidden:

$ wget 'http://pan.baidu.com/s/1qXFPzZm'
--2016-06-07 14:25:50--  http://pan.baidu.com/s/1qXFPzZm
Resolving cache.home.annexia.org (cache.home.annexia.org)... 192.168.0.254
Connecting to cache.home.annexia.org (cache.home.annexia.org)|192.168.0.254|:3128... connected.
Proxy request sent, awaiting response... 403 Forbidden
2016-06-07 14:25:53 ERROR 403: Forbidden.

When I tried to reproduce the bug I actually hit the same problem
myself.  ssh-keygen creates the id_rsa file (private key) with mode
0600 (-rw-------), which means if you just copy the file over to a
web server, it will not be accessible.  The web server will send
403 Forbidden errors.

The solution for me was to change the mode of the file to make it
publicly readable, e.g. 0644.  I don't know if that is the case for you,
but you'll have to fix the 403 Forbidden error somehow.

I'm also going to update the manual page to make this clear.
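
Added example (not part of the original bug report or of virt-p2v): a shell check for the cause of the 403 described in comment 3, reporting whether a published key file and the directories above it are readable by a web server account. The helper name check_published_key, its DOCROOT argument and the assumption that the server runs as an unrelated user are this example's own.

```shell
#!/bin/sh
# Added example: would a web server be able to serve this key file?
# Reads ls -ld mode strings, so it does not depend on a particular stat(1).

# perm_char PATH N: Nth character of the mode string, e.g. "-rw-------".
perm_char() { ls -ld "$1" | cut -c"$2"; }

# Assumption: the web server runs as an unrelated user, so "other" bits apply.
other_can_read() { [ "$(perm_char "$1" 8)" = "r" ]; }
other_can_traverse() {
    case "$(perm_char "$1" 10)" in x|t) return 0 ;; *) return 1 ;; esac
}

# check_published_key FILE DOCROOT (hypothetical helper)
# Returns 0 when FILE is readable and each directory from its parent up to
# DOCROOT is traversable by "other"; otherwise prints the likely 403 cause.
check_published_key() {
    key=$1
    root=$(cd "$2" && pwd) || return 2
    [ -f "$key" ] || { echo "missing: $key"; return 2; }
    if ! other_can_read "$key"; then
        echo "403 likely: $key is not world-readable (ssh-keygen writes 0600)"
        return 1
    fi
    dir=$(cd "$(dirname "$key")" && pwd)
    while :; do
        if ! other_can_traverse "$dir"; then
            echo "403 likely: directory $dir is not traversable"
            return 1
        fi
        if [ "$dir" = "$root" ] || [ "$dir" = "/" ]; then break; fi
        dir=$(dirname "$dir")
    done
    echo "servable: $key"
}

# Constructed demo: a stand-in file given the mode ssh-keygen gives id_rsa.
demo_root=$(mktemp -d) && chmod 0755 "$demo_root"
printf 'constructed stand-in, not a real key\n' > "$demo_root/id_rsa"
chmod 0600 "$demo_root/id_rsa"
check_published_key "$demo_root/id_rsa" "$demo_root" || true
chmod 0644 "$demo_root/id_rsa"
check_published_key "$demo_root/id_rsa" "$demo_root"
rm -rf "$demo_root"
```

Mode 0644 also makes the private key readable by every local account on the web host, so it belongs together with the web server access restriction that the manual page suggests.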
Comment 4 Richard W.M. Jones 2016-06-07 09:33:24 EDT
Assuming it turns out to be the mode problem, I added this
documentation fix:
https://github.com/libguestfs/libguestfs/commit/3064c853726d2904f73b45b5d35140b5a54a5859
Comment 5 mxie@redhat.com 2016-06-08 02:49:56 EDT
Hi rjones,

Yes, you are right. After giving permission 0644 to id_rsa on the web server, p2v could ssh to the conversion server via the ssh identity http url successfully. Thanks for your help.
Comment 7 mxie@redhat.com 2016-06-23 04:20:22 EDT
There is no description about changing the mode of id_rsa to 0644 in the virt-p2v manual page with version virt-v2v-1.32.5-2.el7


After updating virt-v2v to virt-v2v-1.32.5-5.el7.x86_64, there is a note about changing the mode of id_rsa in the virt-p2v manual page, as below
# man virt-p2v
 Note that ssh-keygen(1) creates the "id_rsa" (private key) file with mode 0600.
 If you simply copy the file to a webserver, the webserver will not serve it.
 It will reply with "403 Forbidden" errors.  You will need to change the mode of
 the file to make it publicly readable, for example by using:

 chmod 0644 id_rsa


Try to verify ssh identity url function with http url on builds
virt-p2v-1.32.5-5.el7
virt-v2v-1.32.5-5.el7.x86_64
libguestfs-1.32.5-5.el7.x86_64

Steps:
1. Create a key pair, which must have an empty passphrase, and append the public key to the authorized_keys file on the conversion server
1.1 # ssh-keygen -t rsa -N '' -f id_rsa
1.2 # scp id_rsa.pub /root/.ssh/authorized_keys

2. Mount the website locally
mount 10.73.194.27:/vol/S3/libvirtmanual/mxie /mnt

3. Copy the key to the website
# cp id_rsa /mnt

4. Change the mode of the key
# chmod 0644 id_rsa

5. Boot the machine into the p2v client via the ISO

6. At the conversion server info input interface, input the conversion server IP and username and then input the id_rsa http url as the ssh identity url, such as http://fileshare.englab.nay.redhat.com/pub/section3/libvirtmanual/mxie/id_rsa

Result now
The conversion server could be connected successfully via ssh identity http url on p2v client


So move the bug from ON_QA to VERIFIED
Comment 9 errata-xmlrpc 2016-11-03 14:01:27 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2016-2576.html
