[SOLVED] SSH access for Aegir user account

Posted by dmartens

Hello,

I am attempting to install Aegir and I am stuck at the SSH configuration step. I am probably overlooking something obvious but can't figure out what that is. I have, however, searched the forum for others having the same problem, have read general documentation on SSH and Aegir-specific discussion of this issue, but still cannot resolve my problem.

Specifically: I have reviewed the canonical instructions for Aegir and the following pages (plus many other pages not listed):
http://groups.drupal.org/node/36886
http://www.ubuntu-howto.info/howto/how-to-connect-with-ssh-without-using...

That said, Aegir requires that the "aegir" user have the capability to ssh into a web server from the Aegir server, using keys. I have been able to install and configure OpenSSH to work properly between machines, using keys, for a different username, so I suspect that I am close to having this working.

The relevant difference between the "aegir" user and the user I have ssh w/ keys working for is that the "aegir" user is a system account, so it does not have a password. This fact seems to trip up my attempts because I am always prompted for the password of the aegir user when I attempt to "scp" or similar.

I should add that I am running Ubuntu 10.04, I have confirmed the file permissions of the key info at the remote system, and have tried restarting the SSH server.

Any advice would be greatly appreciated --
Dave

P.S. I posted this first in the post-install Drupal forum but didn't get any responses so I'm posting this here now.

Comments

Looking for best practice

Posted by tema

Merge with 87414?

I'm curious about this too.

Posted by butler360

I'm curious about this too. I just gave the aegir user a password so I could do everything (FTP/SSH) with that user. It has worked fine for me but I have no idea if it's actually a good idea or not.

Although I do know you can just become the aegir user with su, as shown in the documentation.

SOLVED

Posted by dmartens

I now have this capability working. I'll describe it in painful detail in the hope that I spare at least one relative newcomer such as myself such troubles. The solution comprises two parts (copying the file over and setting permissions):

Primarily, I had to generate the key file as Aegir user and move the key file over from the first server, where it was generated, to the second server, where it would be used, as a conventional (i.e., non-system account) user (that is assumed to have FTP capability at the second server). This can be accomplished as follows:

Steps to be run from the first server:
1. Start by being logged in as the conventional user
2. Become Aegir user: "sudo su -s /bin/bash - aegir"
3. Create key file: "ssh-keygen -t dsa" [when prompted for text, just hit return]. This produces, among other things, a public key file named "id_dsa.pub". This file will be copied to the other server.
4. Copy id_dsa.pub to a location that is accessible to the conventional user account: "cp .ssh/id_dsa.pub /[accessible_location]/." + "chmod 777 /[accessible_location]/id_dsa.pub" (remember to remove this temporary file later)
5. Return to being the conventional user by exiting out of "su"
6. FTP the file from [accessible_location] to the second server [again, this assumes that a FTP capability exists between the first and second server, and that the conventional user is able to use that capability on both machines]

At the second server:
7. Become the Aegir user (as above)
8. Copy the file to the .ssh directory, under Aegir user's home directory, as the file "authorized_keys" (e.g., /var/aegir/.ssh/authorized_keys). Note: if this file already exists, you want to concatenate id_dsa.pub on to the existing authorized_keys file.

Last, I had to set the file permissions just right on the second server:
9. change the permissions on this file to 600 (i.e., chmod 600 authorized_keys)

When I tried this before, I left the permissions on authorized_keys as 777 during debug. I now understand that passwordless login WON'T WORK with this permissions set to 777.

Obviously, we would not leave them at 777 in a permanent solution anyway, but I was surprised that this issue was a show-stopper during debug/installation.

Hope this helps someone --
Dave
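The second-server half of the procedure above (steps 7-9), written out as a script. This is an added example, not code from the original post or from the Aegir project. It assumes the same layout the thread uses (the key owner's home at /var/aegir, the public key already copied somewhere readable) and it also checks the rule that caused the poster's 777 problem: with StrictModes (the OpenSSH default), sshd refuses an authorized_keys file, a ~/.ssh directory or a home directory that is group- or world-writable, or that is owned by someone other than the account logging in. The user name, paths and key text in the comments and in any test input are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the original thread or from the Aegir project.
# Installs a public key for a system account (the thread's steps 7-9) and
# then verifies the ownership and mode rules that sshd enforces when
# StrictModes is "yes" (the OpenSSH default): the home directory, ~/.ssh and
# authorized_keys must belong to the account and must not be group- or
# world-writable. A 777 authorized_keys fails that rule, which is why the
# poster's passwordless login did not work until the mode was 600.
#
# Typical use, run as root (or via sudo) on the second server; the paths
# and user name are assumptions for this example:
#   sh install_key.sh /var/aegir /tmp/id_rsa.pub aegir

# mode_of PATH: print the octal permission bits (GNU stat, BSD stat fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# owner_of PATH: print the owning user name.
owner_of() {
    stat -c '%U' "$1" 2>/dev/null || stat -f '%Su' "$1"
}

# install_authorized_key HOME PUBKEY_FILE [USER]
# Appends the key to HOME/.ssh/authorized_keys (creating the directory if
# needed), skips it if that exact line is already present, and sets the
# modes sshd requires. With USER given, chowns the new files to that account.
install_authorized_key() {
    ak_home="$1"; ak_pub="$2"; ak_user="${3:-}"
    [ -d "$ak_home" ] || { echo "no such home directory: $ak_home" >&2; return 1; }
    [ -r "$ak_pub" ]  || { echo "cannot read public key: $ak_pub" >&2; return 1; }
    mkdir -p "$ak_home/.ssh"
    touch "$ak_home/.ssh/authorized_keys"
    # Append only if this exact key line is not already there (idempotent).
    if ! grep -qxF -f "$ak_pub" "$ak_home/.ssh/authorized_keys"; then
        cat "$ak_pub" >> "$ak_home/.ssh/authorized_keys"
    fi
    chmod go-w "$ak_home"                       # StrictModes checks the home too
    chmod 700 "$ak_home/.ssh"
    chmod 600 "$ak_home/.ssh/authorized_keys"
    if [ -n "$ak_user" ]; then
        chown "$ak_user" "$ak_home/.ssh" "$ak_home/.ssh/authorized_keys"
    fi
}

# check_authorized_key HOME [USER]
# Exit status 0 when the layout satisfies StrictModes, 1 otherwise; each
# violation is reported on stderr.
check_authorized_key() {
    ck_home="$1"; ck_user="${2:-}"; ck_rc=0
    for ck_path in "$ck_home" "$ck_home/.ssh" "$ck_home/.ssh/authorized_keys"; do
        if [ ! -e "$ck_path" ]; then
            echo "missing: $ck_path" >&2; ck_rc=1; continue
        fi
        ck_mode=$(mode_of "$ck_path")
        # Any write bit for group or other (octal 022) is rejected by sshd.
        if [ $(( 0$ck_mode & 022 )) -ne 0 ]; then
            echo "group/world writable ($ck_mode): $ck_path" >&2; ck_rc=1
        fi
        if [ -n "$ck_user" ] && [ "$(owner_of "$ck_path")" != "$ck_user" ]; then
            echo "not owned by $ck_user: $ck_path" >&2; ck_rc=1
        fi
    done
    return $ck_rc
}

# Command-line use: HOME PUBKEY_FILE [USER]; does nothing when sourced.
if [ "$#" -ge 2 ]; then
    install_authorized_key "$@" && check_authorized_key "$1" "${3:-}"
fi
```

Because the script is run from the conventional account with sudo, the aegir account never needs a password, and the temporary world-readable copy of the key (step 4 above) can be removed as soon as the function has run. If key login still fails, check with "sshd -T | grep -i strictmodes" on the second server and read /var/log/auth.log: sshd logs "Authentication refused: bad ownership or modes" when this check would fail.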

ssh-copy-id

Posted by attiks

Isn't it easier to use ssh-copy-id? It replaces steps 4-9; the only problem is that you'll need to set a password for the remote aegir user, since you need it to log in.

Agreed (now)

Posted by dmartens

@attiks - thanks for your comment. I considered the approach you suggested above, which I was previously able to execute for a user account with a password. I was dissuaded, however, in part due to my limited understanding of options for the "passwd" command and in part due to my understanding that the aegir user account must not have a password during installation of the Aegir software (based on a short comment in the canonical instructions).

I knew, of course, that passwd could change the aegir account's password to something else, but I was not aware (until the present moment) that passwd could also delete passwords for accounts other than the logged-in user, including passwords of other accounts.

Thus, I agree that ssh-copy-id would work, and that it would be easier, if one uses the passwd command from a non-aegir account to create a password for the aegir account and then uses the passwd command to delete that password upon completion of the ssh setup.

This realization may seem obvious to experienced *nix hands, especially administrators, but I'm not yet in that camp. I'm having fun moving in that direction, though.

Next time maybe generate a

Posted by whatdoesitwant

Next time maybe generate a key with ssh-keygen -t rsa -b 2048 -C "your comments". Afaik dsa encryption defaults to 1024b, theoretically making it vulnerable to attack.
