cloudstack-dev mailing list archives

From Wido den Hollander <w...@widodh.nl>
Subject Re: ssh key process
Date Mon, 27 Aug 2012 21:36:54 GMT


On 08/27/2012 11:26 PM, Marcus Sorensen wrote:
> Guys,
>    In development/testing, I occasionally run into issues with the ssh
> keys on the system VMs.  Today specifically, I've been trying to hunt
> down issues most of the day and still only have a hunch about the
> process.  Most of what I'm finding are the default authorized_keys
> (anthony@mobl-ant), but I've got a variety; one generated on a test
> management server that has long been decommissioned, one that was
> generated on the current management server. I've got keys in the VMs
> on /root/.ssh/authorized_keys, /var/cache/cloud/authorized_keys, in
> the systemvm.iso, in the systemvm template qcow2, in the systemvm
> template copied to local storage, in the patch disk, I have an
> id_rsa.pub.cloud on some of my hosts. I'm not quite sure how to
> recover, short of hunting down absolutely every one of these
> authorized_keys files and changing them to a known good keypair. I've
> found the injectkeys.sh script that seems to be intended to update the
> systemvm.iso, but even in working clusters the systemvm.iso just has
> the default anthony auth key.
>
> If someone could even briefly describe how the private keys end up on
> the host and how the public key ends up on the system VM it would help
> me dramatically. As it is I think some of this stuff I've been digging
> through is either unused or unnecessary, which just confuses things.
>

The management server has a private key stored in the home directory of
the user "cloud"; this is also stored in the MySQL table "configuration"
with the names "ssh.privatekey" and "ssh.publickey".

Whenever the Agent starts up it receives the public and private
id_rsa.cloud and id_rsa.cloud.pub files through the ModifySshKeysCommand
command. It stores these keys in /root/.ssh.

Now, when you deploy a System VM the injectkeys.sh script will be used 
to inject this key prior to deploying the System VM.

So, this key is not inserted in systemvm.iso, but it is injected into 
the SystemVM when it is created.

The default anthony key should be there, that should have been removed 
already.

Does this help?

Wido
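
Added example, not part of the original message and not CloudStack code: a small audit that fingerprints every key in a set of authorized_keys files and reports the ones that differ from the management server's current public key (the "ssh.publickey" value described above). The key material and the comments other than anthony@mobl-ant are constructed, and the files are an in-memory dict so the script runs offline; for a real check, read the two paths from a system VM instead.

```python
import base64
import hashlib

KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-")

def fingerprint(blob_b64):
    """OpenSSH-style SHA256 fingerprint of a base64 public-key blob."""
    digest = hashlib.sha256(base64.b64decode(blob_b64, validate=True)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_keys(text):
    """Yield (fingerprint, comment) per key line, skipping blanks and comments.
    A leading options field is tolerated by searching for the key-type token."""
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        for i, tok in enumerate(fields[:-1]):
            if tok.startswith(KEY_TYPES):
                try:
                    fp = fingerprint(fields[i + 1])
                except ValueError:  # malformed base64: skip the line
                    break
                yield fp, " ".join(fields[i + 2:])
                break

def audit(expected_pub, files):
    """Return (path, fingerprint, comment) for every key not in expected_pub."""
    expected = {fp for fp, _ in parse_keys(expected_pub)}
    return [(path, fp, comment)
            for path, text in files.items()
            for fp, comment in parse_keys(text)
            if fp not in expected]

def _fake_key(seed, comment):
    """Constructed stand-in for a public key line (not a usable RSA key)."""
    blob = b"\x00\x00\x00\x07ssh-rsa" + hashlib.sha256(seed).digest()
    return "ssh-rsa %s %s" % (base64.b64encode(blob).decode(), comment)

# Constructed sample data; only the anthony@mobl-ant comment and the two
# paths come from the thread, the other comments are hypothetical.
CURRENT = _fake_key(b"current", "cloud@mgmt-current")
STALE_DEFAULT = _fake_key(b"default", "anthony@mobl-ant")
OLD_MGMT = _fake_key(b"old", "cloud@mgmt-old")
SAMPLE_FILES = {
    "/root/.ssh/authorized_keys": "# constructed\n%s\n%s\n" % (STALE_DEFAULT, CURRENT),
    "/var/cache/cloud/authorized_keys": OLD_MGMT + "\n",
}

if __name__ == "__main__":
    for path, fp, comment in audit(CURRENT, SAMPLE_FILES):
        print("%s: unexpected key %s (%s)" % (path, fp, comment))
```

Matching on the fingerprint rather than the comment matters here, because the comment field is free text and a stale key can carry any label.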
