Skip to content

Latest commit

 

History

History
173 lines (132 loc) · 5.02 KB

ssh-config.adoc

File metadata and controls

173 lines (132 loc) · 5.02 KB
Raw

SSH Configuration

qDup requires a SSH connection from the machine running qDup to the target host running scripts. We recommend that configuring systems to use key based authentication so that a password is not required.

qDup also supports password based authentication if it is not possible to configure key based authentication.

1. Basic Configuration

If you do not have an existing SSH key, generate a new SSH key with;

$ ssh-keygen -t rsa

and follow the prompt;

Generating public/private rsa key pair.
Enter file in which to save the key (/home/user/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/user/.ssh/id_rsa
Your public key has been saved in /home/user/.ssh/id_rsa.pub
The key fingerprint is:
SHA256:p+rQz/k2sSYkLR8h+HNdo5ea9XxWcR7OfQT2EtygVf4 [email protected]
The key's randomart image is:
+---[RSA 3072]----+
|             .o+.|
|             o=..|
|     .      .. +.|
|    . . .   o .o=|
|     . oSo.o oo+E|
|     .= =o+ +  o=|
|    . .B.. B o  o|
|     . +o.B   o o|
|     .o +=..   o |
+----[SHA256]-----+

You need to add it to the target host;

$ ssh-copy-id user@hostname

Alternatively, you can use SSH to copy your key

$ cat ~/.ssh/id_rsa.pub | ssh user@hostname "mkdir -p ~/.ssh && chmod 700 ~/.ssh && cat >>  ~/.ssh/authorized_keys"

2. Using Specific SSH Keys

It is possible to generate a new RSA specifically for use with qDup;

$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/user/.ssh/id_rsa): /home/user/.ssh/id_qdup
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/user/.ssh/id_qdup
Your public key has been saved in /home/user/.ssh/id_qdup.pub
The key fingerprint is:
SHA256:CimITzUcTfQvnTqz5mUfYetpRhmfEDQ5uGb9meT4984 [email protected]
The key's randomart image is:
+---[RSA 3072]----+
|    .+o    oo.   |
|   . ...  . +.   |
|    +   .  o o   |
|.. . o   o+.+ .  |
|o o o   So+ oX + |
| o . . . o .+oB  |
|  .   . + o.o.   |
|        .* ooo...|
|       oo  o+  oE|
+----[SHA256]-----+

A new RSA key /home/user/.ssh/id_qdup will be created

To use the new key with qDup, pass the -i or --identity parameter from the command line, f.ex.

$ java -jar qDup-uber.jar -i /home/user/.ssh/id_qdup qdup.yaml

You will need to add the SSH key to the host

$ cat ~/.ssh/id_qdup.pub | ssh user@hostname "mkdir -p ~/.ssh && chmod 700 ~/.ssh && cat >>  ~/.ssh/authorized_keys"

3. Encrypted SSH Keys

qDup can decrypt RSA keys that have been encrypted with a passphrase. If a passphrase was provided when the RSA key was created, pass the -p or --passphrase command line option to qDup, f.ex.

$ java -jar qDup-uber.jar -i /home/user/.ssh/id_qdup -p secret /tmp qdup.yaml

4. Specifying Known Hosts

By default, host keys are stored in ~/.ssh/known_hosts. If you want to store the host keys in another location than the default, you can specify the known hosts file location with the -k or --knownHosts command line option, f.ex;

$ java -jar qDup-uber.jar -k /home/user/.ssh/alt_known_hosts qdup.yaml

5. Password Based Authentication

Warning
 Password based authentication is not recommended

If you cannot use SSH keys and must include the password you should use a state variable and pass the value as a secret through the command line

hosts:
  alias: me:${{password}}@myserver.com:2222

Alternatively, you can specify the connection information in the expanded notation;

hosts:
  myserver:
    username: user
    hostname: myserver.com
    port: 22
    password: ${{password}}

Then run the script reading the password from a tmp file so it is not in the bash history

java -jar qDup-uber.jar -S _password="$(cat /tmp/secret.txt)" qdup.yaml

-S _password sets the state variable password and the _ prefix tells qDup to treat the value as a secret and replace it with **** in the logs.

Resolving Common Issues

1. Problems with QDup and SSH

Occasionally qDup fails to connect to a remote machine via ssh, even though using the ssh cli works as expected. In these instances, qDup will display the error below;

14:54:48.588 [qdup-command-1] ERROR io.hyperfoil.tools.qdup.Run - failed to connect user@localhost:22
14:54:48.592 failed to connect all ssh sessions for run

1.1. userauth_pubkey: key type ssh-rsa not in PubkeyAcceptedAlgorithms

This is expected behaviour when an old key is not FIPS-140-2 compliant (https://access.redhat.com/solutions/4906221).

  • Generate a new key which is compliant with FIPS-140-2, for example ECDSA with curve nistp256.

$ ssh-keygen -t ecdsa

  • Add the public key to authorized_keys file on the destination system