Description of problem:
When creating a new VM out of RHEL 8 template with ssh service enabled, but without providing a public key - password authentication is disabled and a user cannot connect to the VM via ssh (unless a workaround is performed via console).
Version-Release number of selected component (if applicable):
How reproducible:
Steps to Reproduce:
1. Create a new VM from RHEL 8 template using the wizard
2. Checkbox "Expose SSH access to this machine" should be checked (don't provide a public key).
3. A note is displayed "Missing authorized key - An authorized key is not detected. SSH access is enabled with the password."
4. Connect via ssh to the VM - ssh password authentication is disabled.
Actual results:
Inside the VM: /etc/ssh/sshd_config
    PasswordAuthentication no
Expected results:
Inside the VM: /etc/ssh/sshd_config
    PasswordAuthentication yes
Additional info:
I think "Expose SSH access to this machine" is just exposing the k8s ssh service for the VM, not to change the sshd configuration inside the VM. The issue seems to be a configuration issue of the VM image which is beyond the UI scope. @Kobi, what do you think?
Orel hi, thank you for the issue.
Can you attach the YAML files of:
- the template you use
- the VM that got created when ssh is not exposed
- the VM that got created when ssh is exposed
As Guohua mentioned, the UI only "exposes" e.g. creates a service to an ssh server that should already be running on the guest. But since the UI also overrides the user/password settings in the guest, we need to look at the created YAMLs to see if these fields are changed in a wrong way.
Created attachment 1841164
Screenshot of ssh part from "Create Virtual Machine from template" screen
The message displayed to the user says "An authorized key is not detected. SSH access is enabled with the password." But password authentication is disabled on sshd config.
Created attachment 1841165
YAML file of VM with exposed ssh access
Hi Yaacov, thanks for your response. The template being used is "Red Hat Enterprise Linux 8.0 or higher". The yaml file of the VM with exposed ssh access is attached.
Orel hi,
Can you try creating the VM using the "oc" CLI tool? It looks like a back-end issue.
Note I: I want to make sure it's a back-end issue before moving it to SSP component.
Note II: The YAML created looks ok, it has a user name and password created:
    - disk:
        bus: virtio
      name: cloudinitdisk
    ...
    - cloudInitNoCloud:
        userData: |-
          #cloud-config
          user: cloud-user
          password: rrfv-3j64-eah5
          chpasswd: { expire: False }
      name: cloudinitdisk
It doesn't look like a UI creating wrong VM.
Moving to SSP, looks like it's by design (security reasons) and not UI specific
---
Notes:
a - I created a VM using CLI and using UI and both had: PasswordAuthentication no
b - in both cases I was able to connect via ssh using username+password without needing to edit the config (!?)
    ssh cloud-user.test.metalkube.org -p 31021
    The authenticity of host '[api.ostest.test.metalkube.org]:31021 ([10.46.26.12]:31021)' can't be established.
    ED25519 key fingerprint is SHA256:FKDZxYoAi3S4hQ4n/uWWznJQ+bgRp9qT1nouSikjIik.
    This key is not known by any other names
    Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
    Warning: Permanently added '[api.ostest.test.metalkube.org]:31021' (ED25519) to the list of known hosts.
    cloud-user.test.metalkube.org's password:
    Last login: Mon Nov 15 09:01:51 2021
    [cloud-user@rhel8-circular-silkworm ~]$ sudo cat /etc/ssh/sshd_config | grep PasswordAuthenticatio
    #PasswordAuthentication yes
    # PasswordAuthentication. Depending on your PAM configuration,
    # PAM authentication, then enable this but set PasswordAuthentication
    PasswordAuthentication no
Yaacov, can you please share more details how you created the VM, especially which disk image you used?
(In reply to Yaacov Zamir from comment #6)
> b - in both cases I was able to connect via ssh using username+password
> without needing to edit the config (!?)
> Yaacov, can you please share more details how you created the VM, especially which disk image you used?
I used: quay.io/kubevirt/fedora-cloud-container-disk-demo with the VM yaml Orel provided in the bug report.
Orel, can you add more details about the VM that you created?
Thanks Yaacov. Fedora differs from RHEL in this regard. The "PasswordAuthentication no" is the default behavior of RHEL. I just wonder if we should modify the RHEL inside the VM, which might be unexpected, or change the user's expectation, e.g. by changing the note in the UI to something like "Missing authorized key - An authorized key is not detected. A password is configured for the user. Please ensure that is configured to accept password authentication."
Thanks, moving back to UI.
So a fix can be to update the error msg:
From: "Missing authorized key - An authorized key is not detected. SSH access is enabled with the password."
To: "Missing authorized key - An authorized key is not detected. Please ensure that the virtual machine is configured to accept password authentication."
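Added example, not part of the original thread or of any project's code: one way to check what the new UI note asks the user to ensure, by comparing the cloud-init user-data with the guest's sshd_config. It assumes cloud-init runs in the guest and honours its ssh_pwauth key (a key that does not appear in this thread); the function names and sample inputs are constructed for illustration.

```python
import re

def effective_password_auth(sshd_config):
    """Global PasswordAuthentication value as sshd would resolve it.

    sshd keeps the first value it obtains for a keyword, keywords are
    case-insensitive, and lines after a Match header are conditional,
    so scanning stops there. The OpenSSH default is 'yes'.
    """
    for raw in sshd_config.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        keyword = parts[0].lower()
        if keyword == "match":
            break
        if keyword == "passwordauthentication" and len(parts) == 2 and parts[1]:
            return parts[1].split()[0].strip('"').lower()
    return "yes"

def cloud_config_keys(user_data):
    """Top-level keys of a #cloud-config document (no YAML library needed)."""
    pairs = (re.match(r"([A-Za-z_]+):\s*(.*)$", l) for l in user_data.splitlines())
    return {m.group(1): m.group(2).strip() for m in pairs if m}

def password_login_expected(user_data, sshd_config):
    """True if a password set via cloud-init can actually be used over SSH."""
    keys = cloud_config_keys(user_data)
    if "password" not in keys:
        return False
    pwauth = keys.get("ssh_pwauth", "").lower()
    if pwauth in ("true", "yes", "1"):    # assumption: cloud-init enables it in sshd
        return True
    if pwauth in ("false", "no", "0"):
        return False
    return effective_password_auth(sshd_config) == "yes"  # image default decides

# Constructed samples: user-data shaped like the one in this report (placeholder
# password) and the sshd_config lines reported for the RHEL 8 guest.
USER_DATA = """#cloud-config
user: cloud-user
password: example-password
chpasswd: { expire: False }
"""
RHEL8_SSHD = "#PasswordAuthentication yes\nPasswordAuthentication no\n"

if __name__ == "__main__":
    print(password_login_expected(USER_DATA, RHEL8_SSHD))
    print(password_login_expected(USER_DATA + "ssh_pwauth: true\n", RHEL8_SSHD))
```

Inside a running guest, `sshd -T` prints the configuration sshd actually resolved, including any included drop-in files that a grep of /etc/ssh/sshd_config alone does not show.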
verified on master
*** Bug 2039664 has been marked as a duplicate of this bug. ***
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: OpenShift Container Platform 4.10.3 security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2022:0056