cephadm, cannot use ECDSA key with quincy


 



Hi ceph users,
We have a few clusters with quincy 17.2.6, and we are preparing to migrate from ceph-deploy to cephadm for better management.
We are using Ubuntu 20 with the latest updates (latest openssh).
While testing the migration to cephadm on a test cluster with octopus (v16 latest), we had no issues replacing the ceph-generated cert/key with our own CA-signed certs (ECDSA).
After upgrading the test cluster to quincy and testing the migration again, we cannot add hosts due to the errors below (SSH access errors reported a while ago in a tracker).
We use the following type of cert:
Type: ecdsa-sha2-nistp384-cert-v01@xxxxxxxxxxx user certificate
The certificate works every time when using the ssh client from a shell to connect to all hosts in the cluster.
We do a ceph mgr fail every time we replace the cert/key so the mgr is restarted.

----- cephadm logs from mgr ------
Oct 06 09:23:27 ceph-m2 bash[1363]: Log: Opening SSH connection to 10.10.10.232, port 22
Oct 06 09:23:27 ceph-m2 bash[1363]: [conn=3] Connected to SSH server at 10.10.10.232, port 22
Oct 06 09:23:27 ceph-m2 bash[1363]: [conn=3]   Local address: 10.10.12.160, port 51870
Oct 06 09:23:27 ceph-m2 bash[1363]: [conn=3]   Peer address: 10.10.10.232, port 22
Oct 06 09:23:27 ceph-m2 bash[1363]: [conn=3] Beginning auth for user root
Oct 06 09:23:27 ceph-m2 bash[1363]: [conn=3] Auth failed for user root
Oct 06 09:23:27 ceph-m2 bash[1363]: [conn=3] Connection failure: Permission denied
Oct 06 09:23:27 ceph-m2 bash[1363]: [conn=3] Aborting connection
Oct 06 09:23:27 ceph-m2 bash[1363]: Traceback (most recent call last):
Oct 06 09:23:27 ceph-m2 bash[1363]:   File "/usr/share/ceph/mgr/cephadm/ssh.py", line 111, in redirect_log
Oct 06 09:23:27 ceph-m2 bash[1363]:     yield
Oct 06 09:23:27 ceph-m2 bash[1363]:   File "/usr/share/ceph/mgr/cephadm/ssh.py", line 90, in _remote_connection
Oct 06 09:23:27 ceph-m2 bash[1363]:     preferred_auth=['publickey'], options=ssh_options)
Oct 06 09:23:27 ceph-m2 bash[1363]:   File "/lib/python3.6/site-packages/asyncssh/connection.py", line 6804, in connect
Oct 06 09:23:27 ceph-m2 bash[1363]:     'Opening SSH connection to')
Oct 06 09:23:27 ceph-m2 bash[1363]:   File "/lib/python3.6/site-packages/asyncssh/connection.py", line 303, in _connect
Oct 06 09:23:27 ceph-m2 bash[1363]:     await conn.wait_established()
Oct 06 09:23:27 ceph-m2 bash[1363]:   File "/lib/python3.6/site-packages/asyncssh/connection.py", line 2243, in wait_established
Oct 06 09:23:27 ceph-m2 bash[1363]:     await self._waiter
Oct 06 09:23:27 ceph-m2 bash[1363]: asyncssh.misc.PermissionDenied: Permission denied
Oct 06 09:23:27 ceph-m2 bash[1363]: During handling of the above exception, another exception occurred:
Oct 06 09:23:27 ceph-m2 bash[1363]: Traceback (most recent call last):
Oct 06 09:23:27 ceph-m2 bash[1363]:   File "/usr/share/ceph/mgr/orchestrator/_interface.py", line 125, in wrapper
Oct 06 09:23:27 ceph-m2 bash[1363]:     return OrchResult(f(*args, **kwargs))
Oct 06 09:23:27 ceph-m2 bash[1363]:   File "/usr/share/ceph/mgr/cephadm/module.py", line 2810, in apply
Oct 06 09:23:27 ceph-m2 bash[1363]:     results.append(self._apply(spec))
Oct 06 09:23:27 ceph-m2 bash[1363]:   File "/usr/share/ceph/mgr/cephadm/module.py", line 2558, in _apply
Oct 06 09:23:27 ceph-m2 bash[1363]:     return self._add_host(cast(HostSpec, spec))
Oct 06 09:23:27 ceph-m2 bash[1363]:   File "/usr/share/ceph/mgr/cephadm/module.py", line 1434, in _add_host
Oct 06 09:23:27 ceph-m2 bash[1363]:     ip_addr = self._check_valid_addr(spec.hostname, spec.addr)
Oct 06 09:23:27 ceph-m2 bash[1363]:   File "/usr/share/ceph/mgr/cephadm/module.py", line 1415, in _check_valid_addr
Oct 06 09:23:27 ceph-m2 bash[1363]:     error_ok=True, no_fsid=True))
Oct 06 09:23:27 ceph-m2 bash[1363]:   File "/usr/share/ceph/mgr/cephadm/module.py", line 615, in wait_async
Oct 06 09:23:27 ceph-m2 bash[1363]:     return self.event_loop.get_result(coro)
Oct 06 09:23:27 ceph-m2 bash[1363]:   File "/usr/share/ceph/mgr/cephadm/ssh.py", line 56, in get_result
Oct 06 09:23:27 ceph-m2 bash[1363]:     return asyncio.run_coroutine_threadsafe(coro, self._loop).result()
Oct 06 09:23:27 ceph-m2 bash[1363]:   File "/lib64/python3.6/concurrent/futures/_base.py", line 432, in result
Oct 06 09:23:27 ceph-m2 bash[1363]:     return self.__get_result()
Oct 06 09:23:27 ceph-m2 bash[1363]:   File "/lib64/python3.6/concurrent/futures/_base.py", line 384, in __get_result
Oct 06 09:23:27 ceph-m2 bash[1363]:     raise self._exception
Oct 06 09:23:27 ceph-m2 bash[1363]:   File "/usr/share/ceph/mgr/cephadm/serve.py", line 1361, in _run_cephadm
Oct 06 09:23:27 ceph-m2 bash[1363]:     await self.mgr.ssh._remote_connection(host, addr)
Oct 06 09:23:27 ceph-m2 bash[1363]:   File "/usr/share/ceph/mgr/cephadm/ssh.py", line 96, in _remote_connection
Oct 06 09:23:27 ceph-m2 bash[1363]:     raise
Oct 06 09:23:27 ceph-m2 bash[1363]:   File "/lib64/python3.6/contextlib.py", line 99, in __exit__
Oct 06 09:23:27 ceph-m2 bash[1363]:     self.gen.throw(type, value, traceback)
Oct 06 09:23:27 ceph-m2 bash[1363]:   File "/usr/share/ceph/mgr/cephadm/ssh.py", line 123, in redirect_log
Oct 06 09:23:27 ceph-m2 bash[1363]:     raise HostConnectionError(msg, host, addr)
Oct 06 09:23:27 ceph-m2 bash[1363]: cephadm.ssh.HostConnectionError: Failed to connect to ceph-m1 (10.10.10.232). Permission denied
Oct 06 09:23:27 ceph-m2 bash[1363]: Log: Opening SSH connection to 10.10.10.232, port 22
Oct 06 09:23:27 ceph-m2 bash[1363]: [conn=3] Connected to SSH server at 10.10.10.232, port 22
Oct 06 09:23:27 ceph-m2 bash[1363]: [conn=3]   Local address: 10.10.12.160, port 51870
Oct 06 09:23:27 ceph-m2 bash[1363]: [conn=3]   Peer address: 10.10.10.232, port 22
Oct 06 09:23:27 ceph-m2 bash[1363]: [conn=3] Beginning auth for user root
Oct 06 09:23:27 ceph-m2 bash[1363]: [conn=3] Auth failed for user root
Oct 06 09:23:27 ceph-m2 bash[1363]: [conn=3] Connection failure: Permission denied
Oct 06 09:23:27 ceph-m2 bash[1363]: [conn=3] Aborting connection
Oct 06 09:23:27 ceph-m2 bash[1363]: debug 2023-10-06T09:23:27.081+0000 7f78d86d8700 -1 log_channel(cephadm) log [ERR] : Failed to connect to ceph-m1 (10.10.10.232). Permission denied
Oct 06 09:23:27 ceph-m2 bash[1363]: Log: Opening SSH connection to 10.10.10.232, port 22
Oct 06 09:23:27 ceph-m2 bash[1363]: [conn=3] Connected to SSH server at 10.10.10.232, port 22
Oct 06 09:23:27 ceph-m2 bash[1363]: [conn=3]   Local address: 10.10.12.160, port 51870
Oct 06 09:23:27 ceph-m2 bash[1363]: [conn=3]   Peer address: 10.10.10.232, port 22
Oct 06 09:23:27 ceph-m2 bash[1363]: [conn=3] Beginning auth for user root
Oct 06 09:23:27 ceph-m2 bash[1363]: [conn=3] Auth failed for user root
Oct 06 09:23:27 ceph-m2 bash[1363]: [conn=3] Connection failure: Permission denied
Oct 06 09:23:27 ceph-m2 bash[1363]: [conn=3] Aborting connection
Oct 06 09:23:27 ceph-m2 bash[1363]: Traceback (most recent call last):
Oct 06 09:23:27 ceph-m2 bash[1363]:   File "/usr/share/ceph/mgr/cephadm/ssh.py", line 111, in redirect_log
Oct 06 09:23:27 ceph-m2 bash[1363]:     yield
Oct 06 09:23:27 ceph-m2 bash[1363]:   File "/usr/share/ceph/mgr/cephadm/ssh.py", line 90, in _remote_connection
Oct 06 09:23:27 ceph-m2 bash[1363]:     preferred_auth=['publickey'], options=ssh_options)
Oct 06 09:23:27 ceph-m2 bash[1363]:   File "/lib/python3.6/site-packages/asyncssh/connection.py", line 6804, in connect
Oct 06 09:23:27 ceph-m2 bash[1363]:     'Opening SSH connection to')
Oct 06 09:23:27 ceph-m2 bash[1363]:   File "/lib/python3.6/site-packages/asyncssh/connection.py", line 303, in _connect
Oct 06 09:23:27 ceph-m2 bash[1363]:     await conn.wait_established()
Oct 06 09:23:27 ceph-m2 bash[1363]:   File "/lib/python3.6/site-packages/asyncssh/connection.py", line 2243, in wait_established
Oct 06 09:23:27 ceph-m2 bash[1363]:     await self._waiter
Oct 06 09:23:27 ceph-m2 bash[1363]: asyncssh.misc.PermissionDenied: Permission denied
Oct 06 09:23:27 ceph-m2 bash[1363]: During handling of the above exception, another exception occurred:
Oct 06 09:23:27 ceph-m2 bash[1363]: Traceback (most recent call last):
Oct 06 09:23:27 ceph-m2 bash[1363]:   File "/usr/share/ceph/mgr/orchestrator/_interface.py", line 125, in wrapper
Oct 06 09:23:27 ceph-m2 bash[1363]:     return OrchResult(f(*args, **kwargs))
Oct 06 09:23:27 ceph-m2 bash[1363]:   File "/usr/share/ceph/mgr/cephadm/module.py", line 2810, in apply
Oct 06 09:23:27 ceph-m2 bash[1363]:     results.append(self._apply(spec))
Oct 06 09:23:27 ceph-m2 bash[1363]:   File "/usr/share/ceph/mgr/cephadm/module.py", line 2558, in _apply
Oct 06 09:23:27 ceph-m2 bash[1363]:     return self._add_host(cast(HostSpec, spec))
Oct 06 09:23:27 ceph-m2 bash[1363]:   File "/usr/share/ceph/mgr/cephadm/module.py", line 1434, in _add_host
Oct 06 09:23:27 ceph-m2 bash[1363]:     ip_addr = self._check_valid_addr(spec.hostname, spec.addr)
Oct 06 09:23:27 ceph-m2 bash[1363]:   File "/usr/share/ceph/mgr/cephadm/module.py", line 1415, in _check_valid_addr
Oct 06 09:23:27 ceph-m2 bash[1363]:     error_ok=True, no_fsid=True))
Oct 06 09:23:27 ceph-m2 bash[1363]:   File "/usr/share/ceph/mgr/cephadm/module.py", line 615, in wait_async
Oct 06 09:23:27 ceph-m2 bash[1363]:     return self.event_loop.get_result(coro)
Oct 06 09:23:27 ceph-m2 bash[1363]:   File "/usr/share/ceph/mgr/cephadm/ssh.py", line 56, in get_result
Oct 06 09:23:27 ceph-m2 bash[1363]:     return asyncio.run_coroutine_threadsafe(coro, self._loop).result()
Oct 06 09:23:27 ceph-m2 bash[1363]:   File "/lib64/python3.6/concurrent/futures/_base.py", line 432, in result
Oct 06 09:23:27 ceph-m2 bash[1363]:     return self.__get_result()
Oct 06 09:23:27 ceph-m2 bash[1363]:   File "/lib64/python3.6/concurrent/futures/_base.py", line 384, in __get_result
Oct 06 09:23:27 ceph-m2 bash[1363]:     raise self._exception
Oct 06 09:23:27 ceph-m2 bash[1363]:   File "/usr/share/ceph/mgr/cephadm/serve.py", line 1361, in _run_cephadm
Oct 06 09:23:27 ceph-m2 bash[1363]:     await self.mgr.ssh._remote_connection(host, addr)
Oct 06 09:23:27 ceph-m2 bash[1363]:   File "/usr/share/ceph/mgr/cephadm/ssh.py", line 96, in _remote_connection
Oct 06 09:23:27 ceph-m2 bash[1363]:     raise
Oct 06 09:23:27 ceph-m2 bash[1363]:   File "/lib64/python3.6/contextlib.py", line 99, in __exit__
Oct 06 09:23:27 ceph-m2 bash[1363]:     self.gen.throw(type, value, traceback)
Oct 06 09:23:27 ceph-m2 bash[1363]:   File "/usr/share/ceph/mgr/cephadm/ssh.py", line 123, in redirect_log
Oct 06 09:23:27 ceph-m2 bash[1363]:     raise HostConnectionError(msg, host, addr)
Oct 06 09:23:27 ceph-m2 bash[1363]: cephadm.ssh.HostConnectionError: Failed to connect to ceph-m1 (10.10.10.232). Permission denied
Oct 06 09:23:27 ceph-m2 bash[1363]: Log: Opening SSH connection to 10.10.10.232, port 22
Oct 06 09:23:27 ceph-m2 bash[1363]: [conn=3] Connected to SSH server at 10.10.10.232, port 22
Oct 06 09:23:27 ceph-m2 bash[1363]: [conn=3]   Local address: 10.10.12.160, port 51870
Oct 06 09:23:27 ceph-m2 bash[1363]: [conn=3]   Peer address: 10.10.10.232, port 22
Oct 06 09:23:27 ceph-m2 bash[1363]: [conn=3] Beginning auth for user root
Oct 06 09:23:27 ceph-m2 bash[1363]: [conn=3] Auth failed for user root
Oct 06 09:23:27 ceph-m2 bash[1363]: [conn=3] Connection failure: Permission denied
Oct 06 09:23:27 ceph-m2 bash[1363]: [conn=3] Aborting connection
Oct 06 09:23:27 ceph-m2 bash[1363]: debug 2023-10-06T09:23:27.081+0000 7f78d86d8700 -1 mgr handle_command module 'orchestrator' command handler threw exception: __init__() missing 2 required positional arguments: >
Oct 06 09:23:27 ceph-m2 bash[1363]: debug 2023-10-06T09:23:27.093+0000 7f78d86d8700 -1 mgr.server reply reply (22) Invalid argument Traceback (most recent call last):
Oct 06 09:23:27 ceph-m2 bash[1363]:   File "/usr/share/ceph/mgr/mgr_module.py", line 1756, in _handle_command
Oct 06 09:23:27 ceph-m2 bash[1363]:     return self.handle_command(inbuf, cmd)
Oct 06 09:23:27 ceph-m2 bash[1363]:   File "/usr/share/ceph/mgr/orchestrator/_interface.py", line 171, in handle_command
Oct 06 09:23:27 ceph-m2 bash[1363]:     return dispatch[cmd['prefix']].call(self, cmd, inbuf)
Oct 06 09:23:27 ceph-m2 bash[1363]:   File "/usr/share/ceph/mgr/mgr_module.py", line 462, in call
Oct 06 09:23:27 ceph-m2 bash[1363]:     return self.func(mgr, **kwargs)
Oct 06 09:23:27 ceph-m2 bash[1363]:   File "/usr/share/ceph/mgr/orchestrator/_interface.py", line 107, in <lambda>
Oct 06 09:23:27 ceph-m2 bash[1363]:     wrapper_copy = lambda *l_args, **l_kwargs: wrapper(*l_args, **l_kwargs)  # noqa: E731
Oct 06 09:23:27 ceph-m2 bash[1363]:   File "/usr/share/ceph/mgr/orchestrator/_interface.py", line 96, in wrapper
Oct 06 09:23:27 ceph-m2 bash[1363]:     return func(*args, **kwargs)
Oct 06 09:23:27 ceph-m2 bash[1363]:   File "/usr/share/ceph/mgr/orchestrator/module.py", line 356, in _add_host
Oct 06 09:23:27 ceph-m2 bash[1363]:     return self._apply_misc([s], False, Format.plain)
Oct 06 09:23:27 ceph-m2 bash[1363]:   File "/usr/share/ceph/mgr/orchestrator/module.py", line 1092, in _apply_misc
Oct 06 09:23:27 ceph-m2 bash[1363]:     raise_if_exception(completion)
Oct 06 09:23:27 ceph-m2 bash[1363]:   File "/usr/share/ceph/mgr/orchestrator/_interface.py", line 225, in raise_if_exception
Oct 06 09:23:27 ceph-m2 bash[1363]:     e = pickle.loads(c.serialized_exception)
Oct 06 09:23:27 ceph-m2 bash[1363]: TypeError: __init__() missing 2 required positional arguments: 'hostname' and 'addr'
----- cephadm logs from mgr ------


----- sshd logs DEBUG3 level ------
Oct  6 09:33:09 ceph-m1 sshd[57168]: debug2: input_userauth_request: try method publickey [preauth]
Oct  6 09:33:09 ceph-m1 sshd[57168]: debug2: userauth_pubkey: valid user root querying public key ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzO------------ [preauth]
Oct  6 09:33:09 ceph-m1 sshd[57168]: debug1: userauth_pubkey: test pkalg ecdsa-sha2-nistp384 pkblob ECDSA SHA256:m6Q0ZQVjjDLWxbmCn0hcGQ2---------- [preauth]
Oct  6 09:33:09 ceph-m1 sshd[57168]: debug3: mm_key_allowed entering [preauth]
Oct  6 09:33:09 ceph-m1 sshd[57168]: debug3: mm_request_send entering: type 22 [preauth]
Oct  6 09:33:09 ceph-m1 sshd[57168]: debug3: mm_key_allowed: waiting for MONITOR_ANS_KEYALLOWED [preauth]
Oct  6 09:33:09 ceph-m1 sshd[57168]: debug3: mm_request_receive_expect entering: type 23 [preauth]
Oct  6 09:33:09 ceph-m1 sshd[57168]: debug3: mm_request_receive entering [preauth]
Oct  6 09:33:09 ceph-m1 sshd[57168]: debug3: mm_request_receive entering
Oct  6 09:33:09 ceph-m1 sshd[57168]: debug3: monitor_read: checking request 22
Oct  6 09:33:09 ceph-m1 sshd[57168]: debug3: mm_answer_keyallowed entering
Oct  6 09:33:09 ceph-m1 sshd[57168]: debug3: mm_answer_keyallowed: key_from_blob: 0x5568f0aa7880
Oct  6 09:33:09 ceph-m1 sshd[57168]: debug1: temporarily_use_uid: 0/0 (e=0/0)
Oct  6 09:33:09 ceph-m1 sshd[57168]: debug1: trying public key file /etc/ssh/fake_authorized_keys
Oct  6 09:33:09 ceph-m1 sshd[57168]: debug1: fd 5 clearing O_NONBLOCK
Oct  6 09:33:09 ceph-m1 sshd[57168]: debug1: restore_uid: 0/0
Oct  6 09:33:09 ceph-m1 sshd[57168]: debug3: mm_answer_keyallowed: publickey authentication test: ECDSA key is not allowed
Oct  6 09:33:09 ceph-m1 sshd[57168]: Failed publickey for root from 10.10.12.160 port 40854 ssh2: ECDSA SHA256:m6Q0ZQVjjDLWxbmCn0hcGQ24gbpk-------------
Oct  6 09:33:09 ceph-m1 sshd[57168]: debug3: mm_request_send entering: type 23
Oct  6 09:33:09 ceph-m1 sshd[57168]: debug2: userauth_pubkey: authenticated 0 pkalg ecdsa-sha2-nistp384 [preauth]
Oct  6 09:33:09 ceph-m1 sshd[57168]: debug3: user_specific_delay: user specific delay 0.000ms [preauth]
Oct  6 09:33:09 ceph-m1 sshd[57168]: debug3: ensure_minimum_time_since: elapsed 8.263ms, delaying 8.080ms (requested 8.171ms) [preauth]
Oct  6 09:33:09 ceph-m1 sshd[57168]: debug3: userauth_finish: failure partial=0 next methods="publickey" [preauth]
Oct  6 09:33:09 ceph-m1 sshd[57168]: debug3: send packet: type 51 [preauth]
Oct  6 09:33:09 ceph-m1 sshd[57168]: Connection closed by authenticating user root 10.10.12.160 port 40854 [preauth]
Oct  6 09:33:09 ceph-m1 sshd[57168]: debug1: do_cleanup [preauth]
Oct  6 09:33:09 ceph-m1 sshd[57168]: debug3: PAM: sshpam_thread_cleanup entering [preauth]
Oct  6 09:33:09 ceph-m1 sshd[57168]: debug1: monitor_read_log: child log fd closed
Oct  6 09:33:09 ceph-m1 sshd[57168]: debug3: mm_request_receive entering
Oct  6 09:33:09 ceph-m1 sshd[57168]: debug1: do_cleanup
Oct  6 09:33:09 ceph-m1 sshd[57168]: debug1: PAM: cleanup
Oct  6 09:33:09 ceph-m1 sshd[57168]: debug3: PAM: sshpam_thread_cleanup entering
Oct  6 09:33:09 ceph-m1 sshd[57168]: debug1: Killing privsep child 57169
Oct  6 09:33:09 ceph-m1 sshd[57168]: debug1: audit_event: unhandled event 12
Oct  6 09:33:09 ceph-m1 sshd[757]: debug1: main_sigchld_handler: Child exited
---------------


I get "ECDSA key is not allowed" above.
From the sshd logs, it looks like the client is not sending what is required, or not in the expected format.

Now, what was changed in the quincy mgr's SSH client?
Is anyone else using ECDSA keys, and does it work with quincy?
I could not find anything specific in the PRs that could block access, but there might be something.
Any suggestions?

Thank you!
Paul
_______________________________________________
ceph-users mailing list -- ceph-users@xxxxxxx
To unsubscribe send an email to ceph-users-leave@xxxxxxx
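In the sshd excerpt above the key is tested as "pkalg ecdsa-sha2-nistp384", which is the algorithm name of a bare ECDSA key; a certificate is offered under its own name, "ecdsa-sha2-nistp384-cert-v01@openssh.com". A first check on the mgr side is therefore to decode the blob cephadm was actually given and confirm what it is. The script below is an added example, not code from this thread, from Ceph or from OpenSSH: a standard-library parser for the OpenSSH certificate layout (PROTOCOL.certkeys) that reports the algorithm name, certificate type, principals, validity window and extensions, and applies the same principal and time checks sshd makes after it has verified the CA signature (this script does not verify the signature). The sample certificate it builds is constructed for the example with dummy key material and a dummy signature; the key id "cephadm-mgr", the serial and the validity dates are assumptions.

```python
"""Added example (not from the thread, Ceph or OpenSSH): decode an OpenSSH ECDSA
certificate blob (base64 field of a *-cert.pub) and check it as sshd would."""
import base64
import struct
import sys
import time

CERT_SUFFIX = "-cert-v01@openssh.com"
USER_CERT = 1


def ssh_string(b: bytes) -> bytes:  # RFC 4251 string: uint32 length + bytes
    return struct.pack(">I", len(b)) + b


class Reader:  # sequential reader for SSH wire-format fields
    def __init__(self, data: bytes):
        self.data, self.pos = data, 0

    def num(self, fmt: str) -> int:  # fmt ">I" = uint32, ">Q" = uint64
        (v,) = struct.unpack_from(fmt, self.data, self.pos)
        self.pos += struct.calcsize(fmt)
        return v

    def string(self) -> bytes:
        n = self.num(">I")
        s, self.pos = self.data[self.pos:self.pos + n], self.pos + n
        if len(s) != n:
            raise ValueError("truncated ssh string")
        return s


def _name_list(blob: bytes) -> list:
    r, out = Reader(blob), []
    while r.pos < len(blob):
        out.append(r.string().decode())
    return out


def _name_data_pairs(blob: bytes) -> dict:
    """Critical options / extensions: (name, data) pairs; data is empty or wraps one string."""
    r, out = Reader(blob), {}
    while r.pos < len(blob):
        name, data = r.string().decode(), r.string()
        out[name] = Reader(data).string() if data else b""
    return out


def blob_algorithm(b64: str) -> str:
    """Algorithm name the client offers for this blob; compare with sshd's logged pkalg."""
    return Reader(base64.b64decode(b64)).string().decode()


def parse_cert(b64: str) -> dict:
    """Field order from OpenSSH PROTOCOL.certkeys for ecdsa-sha2-*-cert-v01@openssh.com."""
    r = Reader(base64.b64decode(b64))
    key_type = r.string().decode()
    if not (key_type.startswith("ecdsa-sha2-") and key_type.endswith(CERT_SUFFIX)):
        raise ValueError(f"not an ECDSA certificate: {key_type}")
    r.string(); r.string(); r.string()      # nonce, curve name, public point
    cert = {"key_type": key_type, "serial": r.num(">Q"), "cert_type": r.num(">I"),
            "key_id": r.string().decode(),
            "principals": _name_list(r.string()),   # empty list = any principal
            "valid_after": r.num(">Q"), "valid_before": r.num(">Q"),
            "critical_options": _name_data_pairs(r.string()),
            "extensions": _name_data_pairs(r.string())}
    r.string(); r.string(); r.string()      # reserved, CA public key, signature (not verified)
    return cert


def cert_allows(cert: dict, principal: str, now: int) -> tuple:
    """The checks sshd applies once the CA signature has verified."""
    if cert["cert_type"] != USER_CERT:
        return False, "not a user certificate"
    if cert["principals"] and principal not in cert["principals"]:
        return False, f"principal {principal!r} not in {cert['principals']}"
    if not (cert["valid_after"] <= now < cert["valid_before"]):
        return False, "outside validity window"
    return True, "ok"


def build_sample_cert() -> str:
    """Constructed sample: dummy key material and signature; key id, serial and dates assumed."""
    body = b"".join([
        ssh_string(b"ecdsa-sha2-nistp384-cert-v01@openssh.com"),
        ssh_string(b"\x00" * 32),                            # nonce
        ssh_string(b"nistp384"), ssh_string(b"\x04" + b"\x11" * 96),  # curve, dummy point
        struct.pack(">QI", 7, USER_CERT),                    # serial, type
        ssh_string(b"cephadm-mgr"),                          # key id
        ssh_string(ssh_string(b"root")),                     # principals
        struct.pack(">QQ", 1696550400, 1697155200),          # valid 2023-10-06..10-13 UTC
        ssh_string(b""),                                     # critical options
        ssh_string(ssh_string(b"permit-pty") + ssh_string(b"")),  # extensions
        ssh_string(b""), ssh_string(b"\x00" * 16), ssh_string(b"\x00" * 16),  # reserved, CA, sig
    ])
    return base64.b64encode(body).decode()


def build_sample_bare_key() -> str:
    """Constructed bare ecdsa-sha2-nistp384 key blob (the type sshd logged as pkalg)."""
    body = (ssh_string(b"ecdsa-sha2-nistp384") + ssh_string(b"nistp384")
            + ssh_string(b"\x04" + b"\x11" * 96))
    return base64.b64encode(body).decode()


if __name__ == "__main__":  # python3 check_cert.py [id_ecdsa-cert.pub]
    b64 = open(sys.argv[1]).read().split()[1] if len(sys.argv) > 1 else build_sample_cert()
    print(blob_algorithm(b64), cert_allows(parse_cert(b64), "root", int(time.time())))
```

On a host, ssh-keygen -L -f id_ecdsa-cert.pub prints the same fields and is the quicker check; the script is for when the decision is wanted in a tool, or to compare the type name a bare key file yields (build_sample_bare_key) with the one sshd logs. Passing a bare key to parse_cert raises ValueError, which is the case the log above corresponds to.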


