Description of problem:
The Ruby library we use reads ~foreman-proxy/.ssh/config, and supports a number of options[1] including ForwardAgent; however, unlike the SSH CLI, it does not start an agent if one's not started. So we would need to actually start an agent.

Version-Release number of selected component (if applicable):
6.2 GA

How reproducible:
Always

Steps to Reproduce:
1. Configure ~foreman-proxy/.ssh/config as such:

   Host *
     ForwardAgent yes
     StrictHostKeyChecking no # just for testing

2. Create a job in Satellite that SSHes to another host that is configured to allow foreman-proxy keys, e.g. the satellite itself:

   ssh localhost hostname -f

Actual results:
Job fails, agent is not used. If you look at SSH logs (see ), you'll see this:

I, [2016-08-02T13:04:47.697219 #1422] INFO -- net.ssh.service.forward[253c094]: opening auth-agent channel
D, [2016-08-02T13:04:47.697262 #1422] DEBUG -- net.ssh.authentication.agent[14d9af8]: connecting to ssh-agent
E, [2016-08-02T13:04:47.697305 #1422] ERROR -- net.ssh.authentication.agent[14d9af8]: could not connect to ssh-agent
E, [2016-08-02T13:04:47.697340 #1422] ERROR -- net.ssh.service.forward[253c094]: attempted to connect to agent but failed: Net::SSH::Authentication::AgentNotAvailable (no implicit conversion of nil into String)
E, [2016-08-02T13:04:47.697378 #1422] ERROR -- net.ssh.connection.session[255524c]: [2, "could not connect to authentication agent"]

Expected results:
Job succeeds

Additional info:
You can make it work by editing connector.rb and starting an agent before we do Net::SSH.start. Of course this should be refactored, and a single agent should be used for the life of the dynflow process, but this works:

   vars = `ssh-agent`
   # keep only the NAME=value fragments of the agent's shell output
   vars = vars.split(';').reject { |r| !r.strip.include?('=') }
   vars.each do |var|
     name, value = var.split('=', 2)  # split once; the socket path could contain '='
     ENV[name.strip] = value.strip     # SSH_AUTH_SOCK / SSH_AGENT_PID for Net::SSH
   end
   `ssh-add ~/.ssh/id_rsa_foreman_proxy` # add our identity to the agent
To view the logs I pasted in 'Actual results', you'll need BZ1362630 to be solved.
Customer was able to work around this issue via the following steps:
1) Set up pam_ssh_agent_auth for sudo
2) Put the foreman_proxy's pub key in the appropriate location
3) Copy the foreman_proxy's private key to the remote user's .ssh directory
4) Preface remote jobs with starting ssh-agent and a line to add the key to the agent
5) Use sudo as needed
6) Kill the agent on exit

Example Job (confirmed works for cu):

   eval $(ssh-agent)
   ssh-add /home/satellite/.ssh/id_rsa_foreman_proxy
   sudo -i bash -c 'whoami; sleep 1; df -h'
   ssh-agent -k
Here is a template version of the workaround above; I am using this in place of the default SSH remote execution template.

#####################################################
eval $(ssh-agent) >/dev/null 2>&1
ssh-add /home/satellite/.ssh/id_rsa_foreman_proxy >/dev/null 2>&1
sudo -i bash << "EOF"
<%= input("command") %>
EOF
ssh-agent -k >/dev/null 2>&1
#####################################################
Created redmine issue http://projects.theforeman.org/issues/21850 from this bug
Thank you for your interest in Satellite 6. We have evaluated this request, and we do not expect this to be implemented in the product in the foreseeable future. We are therefore closing this out as WONTFIX. If you have any concerns about this, please feel free to contact Rich Jerrido or Bryan Kearney. Thank you.