#11579 Help with ssh connection to compose-x86-01.stg.iad2.fedoraproject.org:
Closed: Fixed a month ago by kevin. Opened 2 months ago by lsedlar.

I'm a Pungi developer. I would like to test https://pagure.io/pungi/pull-request/1699 in a more realistic environment. In the past I used the staging compose host for that.

I'm in the sysadmin-releng group, I can ssh to production compose hosts, but for some reason the staging one doesn't let me in.

I have the same SSH keys configured in both production and staging FAS. But still the key that is accepted in production is rejected by the staging host.

Can I get some help with fixing the access?

Metadata Update from @zlopez:
- Issue priority set to: Waiting on Assignee (was: Needs Review)
- Issue tagged with: low-gain, low-trouble, ops

2 months ago

I checked that @lsedlar is in sysadmin-releng on staging FAS as well, so I don't see any reason for SSH key to be rejected.

Which host are you trying to access?

I'd like to use compose-x86-01.stg.iad2.fedoraproject.org.

I have this in .ssh/config (which works for prod):

Host bastion.fedoraproject.org
    HostName bastion-iad01.fedoraproject.org
    User lsedlar
    ProxyCommand none
    ForwardAgent no

Host *.iad2.fedoraproject.org
    User lsedlar
    ProxyCommand ssh -W %h:%p bastion.fedoraproject.org

I can confirm that the compose-x86-01.stg.iad2.fedoraproject.org is not accessible for me as well.

It seems that there are no user accounts on the staging machine. Only one user in /home/fedora folder.

@kevin What is the correct way to add the fedora user to the machine?

User accounts are all controlled by IPA cluster, you shouldn't add local users. ;)

I looked at this a bit, but the staging ipa servers are under some construction right now, so not sure about the failure. Will look more soon...

OK. This should be all fixed.

The machine was in a weird state with ipa, so I unenrolled it, but then trying to run the playbook hit a scp error because its sshd_config was too old. I manually fixed that, then ran the playbook and it re-enrolled and everything is working now.

Please reopen or file a new ticket if you see any further problems.

Metadata Update from @kevin:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)

2 months ago

Metadata Update from @kevin:
- Issue assigned to kevin

2 months ago

I'm not sure what I'm doing wrong. I still see the same behaviour as before.

With prod, I can authenticate with either a key or Kerberos ticket. The staging host doesn't let me in with either.

Do I need some special configuration for stage? What logs would be helpful for debugging?

Metadata Update from @lsedlar:
- Issue status updated to: Open (was: Closed)

2 months ago

So, it was working, but I just tried and it failed again. ;(

sssd was giving some kind of system error, so I restarted it and it's working for me now?

Can you try again now?

I apologize for missing the last comment. I just tried it again and I'm still getting the same error.

Pretty frustrating. sssd was offline again. ;(

It's working right now. Please try again.

I'll try and figure out from the logs why sssd is going offline. ;(

No luck. I wonder if somehow my attempt to connect is bringing sshd down :confused:

I think it's because our ipa cluster in staging is being worked on to upgrade it to rhel9, and at least one of the members of the cluster is unhappy. ;(

Will try and get that sorted out. Sorry for the long delay here.

I upgraded the machine to f39... it seems like it might be more stable now? (but I could be wrong). Can you try it again now?

I'm in! Thank you very much.

Metadata Update from @kevin:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)

a month ago
