0

can't ssh to instance

asked 2017-02-27 23:43:33 -0500

harshal

updated 2017-02-27 23:44:08 -0500

I created a few instances and put them in a security group where all TCP is allowed (ICMP and SSH). I can ping the instance via its floating IP, but when I try to ssh to it, it says permission denied or asks for a password.

I tried this with multiple images; I can't log in using the assigned key pairs. What are the reasons behind this? Where can I get logs related to images and key pairs?


Comments

If you use key pairs, which is the usual way to access instances, perhaps your instances are unable to access metadata. Run openstack console log show <instance name or ID> to find out whether instances have their keys. The console log of my Centos instance, for example, ends like this:

Bernd Bausch ( 2017-02-28 02:58:42 -0500 )

console log:

----BEGIN SSH HOST KEY KEYS-----
ecdsa-sha2-nistp256 AAAAE2VjZH  ... (snip) ....
-----END SSH HOST KEY KEYS-----
cloud-init[911]: Cloud-init v. 0.7.5 finished at Tue, 28 Feb 2017 07:47:19 +0000. Datasource DataSourceOpenStack [net,ver=2].  Up 266.74 seconds
Bernd Bausch ( 2017-02-28 03:02:44 -0500 )

I can see the console logs from the given command. Even my o/p is the same as yours. Where can I check about the metadata stuff?

harshal ( 2017-02-28 03:19:30 -0500 )

If you see those keys in the console log, your instance is able to get metadata. You should also be able to ssh to the instance if you use the private key corresponding to the public key on the instance. Perhaps you didn't set the right permissions on the private key file? What is the precise error?

Bernd Bausch ( 2017-02-28 03:50:27 -0500 )

Sorry for the confusion; my openstack keypair list o/p fingerprint section should match the console o/p, right?

harshal ( 2017-02-28 04:15:40 -0500 )

5 answers

0

answered 2017-03-05 02:18:53 -0500

benhart

It will not work until you attach the key to your instance; that should have been detected earlier and must be, or you will end up with errors. This kind of detection can also be spotted by a lot of programs. I know one called Checkmarx that might help you with that. Not sure of their cost, but you can look for it. Good luck anyway. Ben.

0

answered 2017-02-28 12:26:51 -0500

updated 2017-02-28 12:28:18 -0500

From the ssh log, it seems none of your keys matched the public key on the server. Why don't you create a new key-pair and try logging in with that, or upload a public key manually to your OpenStack key store and use that. You can either use CLI:

openstack keypair create KEY_NAME > MY_KEY.pem

as described here [1] .

Or, you can add a new keypair through horizon [2] .

As the instance is able to access the meta-data server, I don't see why you shouldn't be able to access your instances with the right key.

[1] - https://docs.openstack.org/user-guide/cli-nova-configure-access-security-for-instances.html

[2] - https://docs.openstack.org/user-guide/cli-nova-configure-access-security-for-instances.html


Comments

I tried this too, but it's still asking for a password.

harshal ( 2017-02-28 23:10:53 -0500 )

This is a typical workflow:

openstack keypair create mykey > mykey.pem
chmod 600 mykey.pem
openstack server create ... --key-name mykey ...
openstack server add floating ip ....
ssh -vvv -i mykey.pem centos@ipaddress

Try it and, if it fails, add the output to your question.

Bernd Bausch ( 2017-03-05 17:46:53 -0500 )
0

answered 2017-02-28 13:14:42 -0500

dasm

Harshal, it looks like you have mispaired ssh keys. Are you sure you're using the private key whose public part got loaded into the VM?

0

answered 2017-02-28 04:55:08 -0500

amitabh sinha

@harshal
1. Can you please check the MTU size of the launched VM?
2. Try to ssh with verbose mode enabled, ssh -vvv username@ipaddress, and kindly paste the log here.


Comments

1) How do I check the MTU size? 2) Here are the ssh logs.

harshal ( 2017-02-28 05:22:18 -0500 )

Log in to the instance and run the ifconfig command from a terminal.

amitabh sinha ( 2017-02-28 05:32:17 -0500 )
0

answered 2017-02-28 05:23:53 -0500

harshal
[hlakare.HLAKARE2L] ➤ ssh -vvv centos@202.136.68.31
OpenSSH_6.7p1, OpenSSL 1.0.1g 7 Apr 2014
debug1: Reading configuration data /etc/ssh_config
debug3: macs ok: [hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-sha1-96,hmac-md5-96,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-ripemd160@openssh.com]
debug2: ssh_connect: needpriv 0
debug1: Connecting to 202.136.68.31 [202.136.68.31] port 22.
debug1: Connection established.
debug1: identity file /home/mobaxterm/.ssh/id_rsa type 1
debug1: key_load_public: No such file or directory
debug1: identity file /home/mobaxterm/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/mobaxterm/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/mobaxterm/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/mobaxterm/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/mobaxterm/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/mobaxterm/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/mobaxterm/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.7
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.6.1
debug1: match: OpenSSH_6.6.1 pat OpenSSH_6.6.1* compat 0x04000000
debug2: fd 3 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ssh-rsa,ecdsa-sha2-nistp256-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,ssh-dss-cert-v00@openssh.com,ssh-dss,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes256-gcm@openssh.com,aes128-cbc,3des-cbc,arcfour,aes128-gcm@openssh.com,chacha20-poly1305@openssh.com,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes256-gcm@openssh.com,aes128-cbc,3des-cbc,arcfour,aes128-gcm@openssh.com,chacha20-poly1305@openssh.com,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-sha1-96,hmac-md5-96,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-ripemd160@openssh.com
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-sha1-96,hmac-md5-96,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-ripemd160@openssh.com
debug2: kex_parse_kexinit: zlib@openssh.com,zlib,none
debug2: kex_parse_kexinit: zlib@openssh.com,zlib,none
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh ...
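One way to run the check the answers above ask for (is the private key in use the one whose public part OpenStack holds?), as an added example that is not part of the original thread: it lists the identity files ssh actually loaded according to `ssh -vvv` output, and computes the fingerprint of a public key line (such as the output of `ssh-keygen -y -f mykey.pem`) for comparison with the Fingerprint column of `openstack keypair list`, assumed here to be in the colon-separated MD5 form. The sample log lines and the key are constructed, and the function names are this example's own.

```python
import base64, hashlib, re

# "identity file <path> type <n>": n = -1 means ssh could not load a key
# from that path (typically the file does not exist), so it is never offered.
IDENT_RE = re.compile(r"^debug1: identity file (\S+) type (-?\d+)\s*$", re.M)

def loaded_identities(ssh_debug):
    """Paths of the identity files ssh actually loaded, from `ssh -v` output."""
    return [path for path, t in IDENT_RE.findall(ssh_debug) if int(t) >= 0]

def parse_pubkey(line):
    """Split an OpenSSH public key line 'type base64 [comment]' into (type, blob)."""
    key_type, b64 = line.split()[:2]
    blob = base64.b64decode(b64, validate=True)
    n = int.from_bytes(blob[:4], "big")  # length of the type string inside the blob
    if len(blob) < 4 or blob[4:4 + n] != key_type.encode():
        raise ValueError("declared key type does not match the key blob")
    return key_type, blob

def md5_fingerprint(line):
    """Colon-separated MD5 of the key blob (assumed `openstack keypair list` form)."""
    digest = hashlib.md5(parse_pubkey(line)[1]).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))

def sha256_fingerprint(line):
    """The SHA256:... form that newer `ssh-keygen -l` prints by default."""
    digest = hashlib.sha256(parse_pubkey(line)[1]).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def matches_keypair(pub_line, openstack_fingerprint):
    """True when the local public key has the fingerprint OpenStack reports."""
    return md5_fingerprint(pub_line) == openstack_fingerprint.strip().lower()

# Constructed sample input: two lines in the format of the log above, and an
# ed25519 public key built from fixed bytes (not a key anyone uses).
SAMPLE_LOG = ("debug1: identity file /home/mobaxterm/.ssh/id_rsa type 1\n"
              "debug1: identity file /home/mobaxterm/.ssh/id_ed25519 type -1\n")

def ssh_string(b):
    """Length-prefixed string as used inside SSH key blobs."""
    return len(b).to_bytes(4, "big") + b

SAMPLE_PUB = "ssh-ed25519 " + base64.b64encode(
    ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))).decode() + " constructed"

if __name__ == "__main__":
    print("identity files loaded:", loaded_identities(SAMPLE_LOG))
    print("MD5 fingerprint:", md5_fingerprint(SAMPLE_PUB))
    print("SHA256 fingerprint:", sha256_fingerprint(SAMPLE_PUB))
```

The `SSH HOST KEY KEYS` block in the console log holds the instance's host keys, so the fingerprint to compare with `openstack keypair list` is that of the user's public key, not of those.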


Stats

Asked: 2017-02-27 23:43:33 -0500

Seen: 2,898 times

Last updated: Mar 05 '17