Description of problem:
Fetching keys via appliance_console_cli is not working with error about missing gems.
Version-Release number of selected component (if applicable):
CFME 5.11.X
How reproducible:
always
Steps to Reproduce:
1. run appliance_console_cli --fetch-key={{ ip }} from ansible script
Actual results:
"TERM environment variable not set.",
" /opt/rh/cfme-gemset/gems/net-ssh-4.2.0/lib/net/ssh/authentication/ed25519_loader.rb:19:in `raiseUnlessLoaded': OpenSSH keys only supported if ED25519 is available (NotImplementedError)",
"net-ssh requires the following gems for ed25519 support:",
" * rbnacl (>= 3.2, < 5.0)",
" * rbnacl-libsodium, if your system doesn't have libsodium installed.",
" * bcrypt_pbkdf (>= 1.0, < 2.0)",
"See https://github.com/net-ssh/net-ssh/issues/478 for more information",
"Gem::LoadError : \"rbnacl is not part of the bundle. Add it to your Gemfile.\"",
"\tfrom /opt/rh/cfme-gemset/gems/net-ssh-4.2.0/lib/net/ssh/key_factory.rb:112:in `classify_key'",
"\tfrom /opt/rh/cfme-gemset/gems/net-ssh-4.2.0/lib/net/ssh/key_factory.rb:52:in `load_data_private_key'",
"\tfrom /opt/rh/cfme-gemset/gems/net-ssh-4.2.0/lib/net/ssh/key_factory.rb:43:in `load_private_key'",
"\tfrom /opt/rh/cfme-gemset/gems/net-ssh-4.2.0/lib/net/ssh/authentication/key_manager.rb:142:in `sign'",
"\tfrom /opt/rh/cfme-gemset/gems/net-ssh-4.2.0/lib/net/ssh/authentication/methods/publickey.rb:62:in `authenticate_with'",
"\tfrom /opt/rh/cfme-gemset/gems/net-ssh-4.2.0/lib/net/ssh/authentication/methods/publickey.rb:20:in `block in authenticate'",
"\tfrom /opt/rh/cfme-gemset/gems/net-ssh-4.2.0/lib/net/ssh/authentication/key_manager.rb:122:in `block in each_identity'",
"\tfrom /opt/rh/cfme-gemset/gems/net-ssh-4.2.0/lib/net/ssh/authentication/key_manager.rb:119:in `each'",
"\tfrom /opt/rh/cfme-gemset/gems/net-ssh-4.2.0/lib/net/ssh/authentication/key_manager.rb:119:in `each_identity'",
"\tfrom /opt/rh/cfme-gemset/gems/net-ssh-4.2.0/lib/net/ssh/authentication/methods/publickey.rb:19:in `authenticate'",
"\tfrom /opt/rh/cfme-gemset/gems/net-ssh-4.2.0/lib/net/ssh/authentication/session.rb:80:in `block in authenticate'",
"\tfrom /opt/rh/cfme-gemset/gems/net-ssh-4.2.0/lib/net/ssh/authentication/session.rt in `each'",
"\tfrom /opt/rh/cfme-gemset/gems/net-ssh-4.2.0/lib/net/ssh/authentication/session.rb:66:in `authenticate'",
"\tfrom /opt/rh/cfme-gemset/gems/net-ssh-4.2.0/lib/net/ssh.rb:241:in `start'",
"\tfrom /opt/rh/cfme-gemset/gems/net-scp-1.2.1/lib/net/scp.rb:202:in `start'",
"\tfrom /opt/rh/cfme-gemset/gems/manageiq-appliance_console-5.1.0/lib/manageiq/appliance_console/key_configuration.rb:97:in `fetch_key'",
"\tfrom /opt/rh/cfme-gemset/gems/manageiq-appliance_console-5.1.0/lib/manageiq/appliance_console/key_configuration.rb:114:in `get_new_key'",
"\tfrom /opt/rh/cfme-gemset/gems/manageiq-appliance_console-5.1.0/lib/manageiq/appliance_console/key_configuration.rb:51:in `activate'",
"\tfrom /opt/rh/cfme-gemset/gems/manageiq-appliance_console-5.1.0/lib/manageiq/appliance_console/cli.rb:327:in `create_key'",
"\tfrom /opt/rh/cfme-gemset/gems/manageiq-appliance_console-5.1.0/lib/manageiq/appliance_console/cli.rb:183:in `run'",
"\tfrom /opt/rh/cfme-gemset/gems/manageiq-appliance_console-5.1.0/lib/manageiq/appliance_console/cli.rb:431:in `parse'",
"\tfrom /opt/rh/cfme-gemset/gems/manageiq-appliance_console-5.1.0/bin/appliance_console_cli:7:in `<top (required)>'",
"\tfrom /opt/rh/cfme-gemset/bin/appliance_console_cli:23:in `load'"
"\tfrom /opt/rh/cfme-gemset/bin/appliance_console_cli:23:in `<main>'"
Expected results:
obtain SSH key.
Additional info:
more info about SSH keys will be added later.
From above:
> "net-ssh requires the following gems for ed25519 support:",
> " * rbnacl (>= 3.2, < 5.0)",
> " * rbnacl-libsodium, if your system doesn't have libsodium installed.",
> " * bcrypt_pbkdf (>= 1.0, < 2.0)",
> "See https://github.com/net-ssh/net-ssh/issues/478 for more information",
https://github.com/net-ssh/net-ssh/issues/478 states the required dependencies for ed25519. It seems we need to include additional gems in our build.
It seems you are doing private key authentication to fetch the ssh key, instead of user/pass. How is the private key being used generated? Using username/password works fine. You should be able to use scp directly as a work-around. Will that work for you?
An additional note: I've tried this with RSA cipher SSH keys and it worked fine.
I'm canceling the NEEDINFO. I've been able to reproduce the issue using an ED25519 cipher.
Hi, thank you for working on this bug. And a few yeses here: yes, it is missing gems in the build, as in the linked issue. Yes, it is working with RSA. And yes, there is a problem with the ED25519 cipher... --mheppler
https://github.com/ManageIQ/manageiq-appliance_console/pull/113
New commit detected on ManageIQ/manageiq-appliance_console/master: https://github.com/ManageIQ/manageiq-appliance_console/commit/67653544afebe7bdbfedeed9c9161cac38592aeb commit 67653544afebe7bdbfedeed9c9161cac38592aeb Author: Joe VLcek <jvlcek> AuthorDate: Tue Mar 24 19:08:45 2020 +0000 Commit: Joe VLcek <jvlcek> CommitDate: Tue Mar 24 19:08:45 2020 +0000 Add net-ssh gems needed to support ed25519 cipher Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1815568 manageiq-appliance_console.gemspec | 3 + 1 file changed, 3 insertions(+)
https://github.com/ManageIQ/manageiq-appliance/pull/278
New commit detected on ManageIQ/manageiq-appliance/master: https://github.com/ManageIQ/manageiq-appliance/commit/d2d9d9200d121109e26c3b494bed7b3be315ff08 commit d2d9d9200d121109e26c3b494bed7b3be315ff08 Author: Joe VLcek <jvlcek> AuthorDate: Thu Apr 2 20:00:02 2020 +0000 Commit: Joe VLcek <jvlcek> CommitDate: Thu Apr 2 20:00:02 2020 +0000 Update dependency on manageiq-appliance_console https://bugzilla.redhat.com/show_bug.cgi?id=1815568 manageiq-appliance-dependencies.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
New commit detected on ManageIQ/manageiq-appliance/ivanchuk: https://github.com/ManageIQ/manageiq-appliance/commit/c9996b455b55f2c59cbc6ea9ad20778af810dd44 commit c9996b455b55f2c59cbc6ea9ad20778af810dd44 Author: Brandon Dunne <bdunne> AuthorDate: Thu Apr 2 20:46:56 2020 +0000 Commit: Brandon Dunne <bdunne> CommitDate: Thu Apr 2 20:46:56 2020 +0000 Merge pull request #278 from jvlcek/bz_1815568_update_ap Update dependency on manageiq-appliance_console (cherry picked from commit 61904a1c5fad2cea5ba4c4685d8f0bda84cfd4b8) https://bugzilla.redhat.com/show_bug.cgi?id=1815568 manageiq-appliance-dependencies.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
New commit detected on ManageIQ/manageiq-appliance/jansa: https://github.com/ManageIQ/manageiq-appliance/commit/20c96408b63b6dfe3083c371133c21896bcbe51e commit 20c96408b63b6dfe3083c371133c21896bcbe51e Author: Brandon Dunne <bdunne> AuthorDate: Thu Apr 2 20:46:56 2020 +0000 Commit: Brandon Dunne <bdunne> CommitDate: Thu Apr 2 20:46:56 2020 +0000 Merge pull request #278 from jvlcek/bz_1815568_update_ap Update dependency on manageiq-appliance_console (cherry picked from commit 61904a1c5fad2cea5ba4c4685d8f0bda84cfd4b8) https://bugzilla.redhat.com/show_bug.cgi?id=1815568 manageiq-appliance-dependencies.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
This is reproducible without the ansible part. Only the shell command
# appliance_console_cli --fetch-key=OTHER_APPLIANCE_IP
But it seems the Public key authentication needs to be in use (one needs to have a keypair and have the public key distributed for example with ssh-copy-id) to get the error message about the ed25519. On the cfme-5.11.5.0-1.el8cf.x86_64, I didn't get the message about ed25519, but there is another problem though. The command fails:
# appliance_console_cli --fetch-key=OTHER_APPLIANCE_IP
fetch encryption key
Failed to fetch key: key was 385 bytes (Expected 32)
Could not create encryption key (v2_key)
When the PK auth is not in use, it works fine on both -- the affected and thought-to-be fixed CFME. Conclusion: Fails QE
*** Bug 1824306 has been marked as a duplicate of this bug. ***
[root@somewhere ~]# rpm -q cfme
cfme-5.11.5.1-1.el8cf.x86_64
[root@somewhere ~]# appliance_console_cli --sshpassword smartvm --fetch-key x.x.x.236
fetch encryption key
# Without Public-key auth it worked! Let's try with PK auth.
[root@somewhere ~]# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:85WPT2oOJBB7nwMej+RIXVxqhtFZrIdJN1zNPw1mGZk root.com
The key's randomart image is:
+---[RSA 3072]----+
| . .o.*o.oB |
| + +=.= E o|
| + B.+= + .o|
| . B O+... .o|
| . S *.o .|
| = o o |
| o . o |
| ..+ |
| oo . |
+----[SHA256]-----+
[root@somewhere ~]# ssh-copy-id x.x.x.236
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root.x.236's password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh 'x.x.x.236'" and check to make sure that only the key(s) you wanted were added.
[root@somewhere ~]# appliance_console_cli --sshpassword smartvm --fetch-key x.x.x.236
fetch encryption key
Failed to fetch key: key was 385 bytes (Expected 32)
Could not create encryption key (v2_key)
I think we figured this out together with Joe. The problem is that some part of the encryption tools is not supporting RSA for the SSH Public key authentication. Gems coming with cfme <= 5.11.4.2-1.el8cf.x86_64 seem to handle neither the RSA nor the ed25519:
# Before the fix:
## case when we have only the RSA-key:
/opt/rh/cfme-gemset/gems/net-ssh-4.2.0/lib/net/ssh/authentication/ed25519_loader.rb:19:in `raiseUnlessLoaded': OpenSSH keys only supported if ED25519 is available (NotImplementedError)
net-ssh requires the following gems for ed25519 support:
 * rbnacl (>= 3.2, < 5.0)
 * rbnacl-libsodium, if your system doesn't have libsodium installed.
 * bcrypt_pbkdf (>= 1.0, < 2.0)
See https://github.com/net-ssh/net-ssh/issues/478 for more information
Gem::LoadError : "rbnacl is not part of the bundle. Add it to your Gemfile."
## When ed25519 is available, there is a slight difference in what is said:
/opt/rh/cfme-gemset/gems/net-ssh-4.2.0/lib/net/ssh/authentication/ed25519_loader.rb:19:in `raiseUnlessLoaded': unsupported key type `ssh-ed25519' (NotImplementedError)
net-ssh requires the following gems for ed25519 support:
 * rbnacl (>= 3.2, < 5.0)
 * rbnacl-libsodium, if your system doesn't have libsodium installed.
 * bcrypt_pbkdf (>= 1.0, < 2.0)
See https://github.com/net-ssh/net-ssh/issues/478 for more information
Gem::LoadError : "rbnacl is not part of the bundle. Add it to your Gemfile."
# After the fix
Gems coming with cfme-5.11.5.1-1.el8cf.x86_64 seem to not handle the RSA, but are ok with the ed25519. In my verification, I didn't create the ed25519 key, the RSA was used and failed, thus I thought this wasn't fixed.
[root.Y ~]# appliance_console_cli --fetch-key X.X.X
fetch encryption key
Failed to fetch key: key was 385 bytes (Expected 32)
Could not create encryption key (v2_key)
In this case I would expect and appreciate an error message saying that the key is not of the type the tooling can handle (ed25519).
When both (ed25519 and RSA) or just ed25519 Private and Public keys are present, the ed25519 is used and all goes fine. Note that it is a good idea to NOT use the `--sshpassword` param of the command `appliance_console_cli`, so as not to run into the wrong conclusion that the key has worked while only passphrase auth was used.
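Added example, not part of the original comments or of the project's code: a Ruby helper that reads only the armor line and the unencrypted header of a private key file and reports its container format and key type, which is what separates the RSA and ed25519 cases compared above. It assumes (not stated on the page) that net-ssh 4.2.0 takes the `raiseUnlessLoaded` branch seen in the trace for any `BEGIN OPENSSH PRIVATE KEY` file; the function names are hypothetical and the sample keys are constructed, with zero bytes in place of key material.

```ruby
require "base64"

MAGIC = "openssh-key-v1\0".b
ARMOR = /-----BEGIN ([A-Z0-9 ]*)PRIVATE KEY-----\n(.*?)-----END \1PRIVATE KEY-----/m

# Read one SSH wire string (uint32 big-endian length, then that many bytes).
def read_string(buf, pos)
  len = buf.byteslice(pos, 4)&.unpack1("N")
  raise ArgumentError, "truncated key blob" if len.nil? || pos + 4 + len > buf.bytesize
  [buf.byteslice(pos + 4, len), pos + 4 + len]
end

# Classify the text of one private key file without touching the secret part.
def classify_private_key(pem)
  m = ARMOR.match(pem)
  return { container: :unknown, type: nil, encrypted: nil } unless m
  label = m[1].strip
  if label != "OPENSSH"
    # Legacy PEM: the armor label names the algorithm; an empty label is PKCS#8.
    enc = label.start_with?("ENCRYPTED") || m[2].include?("Proc-Type: 4,ENCRYPTED")
    alg = label.delete_prefix("ENCRYPTED").strip
    return { container: :pem, type: alg.empty? ? "pkcs8" : alg.downcase, encrypted: enc }
  end
  blob = Base64.decode64(m[2])
  raise ArgumentError, "bad openssh-key-v1 magic" unless blob.start_with?(MAGIC)
  cipher, pos = read_string(blob, MAGIC.bytesize)
  _kdf, pos = read_string(blob, pos)
  _kdf_opts, pos = read_string(blob, pos)
  pubkey, = read_string(blob, pos + 4) # skip the uint32 key count
  type, = read_string(pubkey, 0)
  { container: :openssh_v1, type: type, encrypted: cipher != "none" }
end

# Assumption: net-ssh 4.2.0 routes every openssh_v1 container through its ed25519 loader.
def needs_ed25519_gems?(info)
  info[:container] == :openssh_v1
end

def ssh_str(s)
  [s.bytesize].pack("N") + s.b
end

# Constructed sample: real header layout, dummy zero bytes instead of key material.
def sample_openssh_key(type)
  pub = ssh_str(type) + ssh_str("\0" * 8)
  blob = MAGIC + ssh_str("none") + ssh_str("none") + ssh_str("") + [1].pack("N") + ssh_str(pub)
  "-----BEGIN OPENSSH PRIVATE KEY-----\n#{Base64.encode64(blob)}-----END OPENSSH PRIVATE KEY-----\n"
end

%w[ssh-rsa ssh-ed25519].each { |t| puts "#{t}: #{classify_private_key(sample_openssh_key(t))}" }
```

On an appliance, pass `File.read` of each identity file under `~/.ssh` to `classify_private_key` to see which container and key type public key authentication will pick up before running `appliance_console_cli --fetch-key`.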
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2020:2020