
Troubleshooting SSH setup in GlassFish v3.1

Yamini Kalyandurga
Consulting Member of Technical Staff




The centralized administration feature in GlassFish v3.1 uses SSH for
provisioning GlassFish nodes and managing cluster (or instance)
lifecycle operations securely. Before the DAS can use SSH to
communicate with remote hosts, SSH needs to be configured properly.
Since SSH server settings vary on different platforms (and even across
different flavors of Unix), the GlassFish SSH setup command, setup-ssh,
may fail at times. In this blog, I've tried to capture such failure
cases as well as solutions on how to address them.



Before getting into the setup-ssh command, it's important to understand
SSH authentication schemes. Please check this blog on GlassFish SSH
authentication schemes:
http://wikis.sun.com/display/GlassFish/3.1SSHAuthentication

 

The asadmin setup-ssh command
uses password authentication to copy over the specified (or generated)
public key to the remote host. Before exiting, the command also
verifies that SSH public key authentication works as expected.



Please note that all of the SSH server settings mentioned below pertain
to the settings on the remote host, since the DAS host is actually the
SSH client. SSH server settings are configured through the SSH server
configuration file, located as follows:



Unix: /etc/ssh/sshd_config or /etc/sshd_config

Windows with Cygwin: From within a Cygwin terminal, /etc/sshd_config;
the actual path on the file system is <Cygwin-install-dir>/etc/sshd_config

Windows with MKS Toolkit: Programs -> MKS Toolkit ->
Configuration -> Configuration Information.



Also note that SSH server needs to be restarted whenever any of the
server attributes are changed.

  • Password authentication error

$ asadmin setup-ssh sunone172

Enter SSH password for yamini@sunone172>

SSH key setup failed: SSH password authentication failed for user
yamini on host sunone172

Command setup-ssh failed.



Reason:
SSH user password entered is incorrect or SSH server is rejecting
password authentication.



Solution: Change the 'PasswordAuthentication' setting to 'yes' in the
SSH server config and restart the SSH server.



Explanation: Assuming that you
are typing in the correct password, first check if manual ssh works:


$ ssh sunone172

Permission denied (publickey).



If you see something like the above, it means that the SSH server is
not even considering password authentication.



It is also possible that password authentication appears to work when
tried manually:


$ ssh sunone172 pwd

Password:

/home/yamini



But there is a catch here: the above appears to be using password
authentication, but it's actually using keyboard-interactive
authentication. The point is that password authentication is different
from keyboard-interactive. In the former case, the (SSH) client reads
the password from the user and sends it across to the SSH server,
whereas in the latter case, the SSH server issues the challenge for the
password. A subtle difference is in the way the prompting happens. Also
notice the last debug message from 'ssh -v':


Password:

debug1: Authentications that can continue:
publickey,password,keyboard-interactive

Password:

debug1: Authentications that can continue:
publickey,password,keyboard-interactive

Password:

debug1: Authentications that can continue:
publickey,password,keyboard-interactive

debug1: Next authentication method: password

yamini@sunone172's password:



First three prompts are from the SSH
server whereas the last one is from the SSH client.



The attribute that turns keyboard-interactive on or off is the
'ChallengeResponseAuthentication' attribute in the SSH server
configuration. Here is a nice explanation of the difference between
password and keyboard-interactive:
http://fixunix.com/ssh/73976-difference-between-password-keyboard-interactive.html


In short, it doesn't matter whether keyboard-interactive is turned on
or not; what matters for us is the password authentication setting.
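The debug lines shown above can be read mechanically instead of by watching the prompts. The script below is an added example, not part of the original post: it assumes the output of `ssh -v <host> true 2>ssh-v.log` from an OpenSSH-style client (including its "Authentication succeeded" line), and the function names and sample log are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the original post. Reads `ssh -v` debug output on
# stdin and reports whether the server offers the "password" method, which is
# the one setup-ssh depends on. Function names here are illustrative.

# Last list of methods the server advertised.
offered_methods() {
    sed -n 's/^debug1: Authentications that can continue: *//p' | tail -n 1
}

# Method the client reports as successful (OpenSSH-style message), if any.
succeeded_method() {
    sed -n 's/^debug1: Authentication succeeded (\([^)]*\)).*$/\1/p' | tail -n 1
}

# Prints "password=<yes|no|unknown> login=<method|none>".
diagnose() {
    log=$(tr -d '\r')    # debug lines may end in CR LF; drop the CR
    offered=$(printf '%s\n' "$log" | offered_methods)
    login=$(printf '%s\n' "$log" | succeeded_method)
    case ",$offered," in
        ,,)           pw=unknown ;;   # no debug lines: rerun with -v
        *,password,*) pw=yes ;;
        *)            pw=no ;;
    esac
    echo "password=$pw login=${login:-none}"
}

# Constructed sample: a manual login that works, but only through
# keyboard-interactive, so setup-ssh would still fail.
sample_log() {
    cat <<'EOF'
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Next authentication method: keyboard-interactive
Password:
debug1: Authentication succeeded (keyboard-interactive).
EOF
}

sample_log | diagnose
```

A result of `password=no` with a successful login is the case described above: the manual login works, yet setup-ssh cannot use password authentication until 'PasswordAuthentication' is enabled on the server.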
  • Connection verification failure

$ asadmin setup-ssh sunone172

SSH key not found for user yamini

Would you like to generate a SSH key pair (without a key passphrase)
for yamini to access [sunone172]? [y/n]: y

Enter SSH password for yamini@sunone172>

Created directory /home/yamini/.ssh

/usr/bin/ssh-keygen successfully generated the identification
/home/yamini/.ssh/id_rsa

Copied keyfile /home/yamini/.ssh/id_rsa.pub to yamini@sunone172

Connection verification failed.

Command setup-ssh failed.



Reason 1: Public key authentication is disabled on the SSH server.


Solution: Change the attribute 'PubkeyAuthentication' to 'yes' in the
SSH server configuration file and restart the SSH server.



Reason 2: On the remote host, permissions on $HOME, .ssh or the
authorized_keys file are too loose.



Solution: Either disable strict checking of file permissions by setting
'StrictModes' to 'no' in the SSH server config file and restarting the
SSH server, or make sure that the following permissions are in place:

          $HOME --> 755

          $HOME/.ssh --> 700

          $HOME/.ssh/authorized_keys --> 600 or 644

Correcting the permissions keeps the server's check in place; with
'StrictModes' set to 'no', the SSH server will also accept an
authorized_keys file that other users on the remote host can modify.
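The permission requirements above can be checked on the remote host before rerunning setup-ssh. The script below is an added example, not part of the original post: it flags group- or world-writable paths (it checks only the write bits, not ownership), the function names are illustrative, and the demo runs in a constructed scratch directory standing in for $HOME.

```sh
#!/bin/sh
# Added example, not from the original post. Reports which of the three paths
# are group- or world-writable. Only the mode bits are examined here, not
# ownership. Function names are illustrative.

# True if PATH has the group-write or other-write bit set.
is_loose() {
    [ -n "$(find "$1" -prune \( -perm -020 -o -perm -002 \) -print 2>/dev/null)" ]
}

# Prints "loose: <paths relative to HOME_DIR>" or "loose: none".
check_ssh_perms() {
    bad=""
    for rel in . .ssh .ssh/authorized_keys; do
        if is_loose "$1/$rel"; then bad="$bad $rel"; fi
    done
    echo "loose:${bad:- none}"
}

# Apply the modes listed in the post.
fix_ssh_perms() {
    chmod 755 "$1" && chmod 700 "$1/.ssh" && chmod 600 "$1/.ssh/authorized_keys"
}

# Constructed demo in a scratch directory standing in for the remote $HOME.
demo() {
    d=$(mktemp -d) || return 1
    mkdir "$d/.ssh" && : > "$d/.ssh/authorized_keys"
    chmod 775 "$d"; chmod 777 "$d/.ssh"; chmod 664 "$d/.ssh/authorized_keys"
    check_ssh_perms "$d"
    fix_ssh_perms "$d"
    check_ssh_perms "$d"
    rm -rf "$d"
}

demo
```

On a real host, run `check_ssh_perms "$HOME"` as the SSH user; any path it lists is one that strict mode checking would reject.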

