[OSGeo] #3363: Create grassbot user on 'osgeo8-grass' and 'osgeo7-download'

#3363: Create grassbot user on 'osgeo8-grass' and 'osgeo7-download'
----------------------+---------------------------
Reporter: neteler | Owner: sac-tickets@…
     Type: task | Status: new
Priority: normal | Milestone: Unplanned
Component: SysAdmin | Keywords: LDAP,ssh
----------------------+---------------------------
For automated artifact upload we would need a "grassbot" user on the
'osgeo8-grass' and 'osgeo7-download' machines.

This user has already been generated in OSGeo-LDAP.

We then want to be able to log in via ssh or copy artifacts via scp.
--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/3363>
OSGeo
OSGeo committee and general foundation issue tracker.

Comment (by robe):

You need to login as that grassbot user and then add the ssh public key to
that account.

That should allow you to push to osgeo7-download with the ssh key.

For osgeo8-grass, that one doesn't pull the ssh pubkey from LDAP, so you
would need to log in as that user and register the pub key under that
account.

Comment (by neteler):

I tried, to no avail:

Using the ssh config stated here:
SAC Service Status - OSGeo

Re: "download", I am not authorized:

{{{
ssh -v -v grassbot@osgeo7-download
OpenSSH_9.6p1, OpenSSL 3.2.4 11 Feb 2025
debug1: Reading configuration data /home/mneteler/.ssh/config
debug1: /home/mneteler/.ssh/config line 24: Applying options for osgeo7-*
debug1: /home/mneteler/.ssh/config line 93: Applying options for *
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Reading configuration data /etc/ssh/ssh_config.d/50-redhat.conf
debug2: checking match for 'final all' host osgeo7-download originally osgeo7-download
debug2: match not found
debug1: Reading configuration data /etc/crypto-policies/back-ends/openssh.config
debug1: configuration requests final Match pass
debug1: re-parsing configuration
debug1: Reading configuration data /home/mneteler/.ssh/config
debug1: /home/mneteler/.ssh/config line 24: Applying options for osgeo7-*
debug2: add_identity_file: ignoring duplicate key ~/.ssh/grassbot_osgeo
debug1: /home/mneteler/.ssh/config line 93: Applying options for *
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Reading configuration data /etc/ssh/ssh_config.d/50-redhat.conf
debug2: checking match for 'final all' host osgeo7-download originally osgeo7-download
debug2: match found
debug1: Reading configuration data /etc/crypto-policies/back-ends/openssh.config
debug1: Executing proxy command: exec ssh grassbot@hop.osgeo7.osgeo.org -W $(sed -e "s/^osgeo7-//;s/$/.lxd/" <<< "osgeo7-download"):22
debug1: identity file /home/mneteler/.ssh/grassbot_osgeo type 3
debug1: identity file /home/mneteler/.ssh/grassbot_osgeo-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_9.6
grassbot@hop.osgeo7.osgeo.org: Permission denied (publickey).
kex_exchange_identification: Connection closed by remote host
Connection closed by UNKNOWN port 65535
}}}

although the ssh pub key is in the LDAP profile.

Re: "grass.osgeo.org":

{{{
mneteler@caddy: ~$ ssh grasslxd
Enter passphrase for key '/home/mneteler/.ssh/id_ed25519':
Linux grass 5.15...
neteler@grasslxd:~$ cd ..
neteler@grasslxd:/home$ ls
cmbarton/ darkblueb/ martinl/ neteler/ robe/ strk/ tmsz/
}}}

There is no user "grassbot", shall I generate it?

Comment (by robe):

Replying to [comment:2 neteler]:
> I tried, to no avail:
>
> Using the ssh config stated here:
> SAC Service Status - OSGeo
>
> Re: "download", I am not authorized:
>

osgeo7-download is the same as upload.osgeo.org and the same as
hop.osgeo7.osgeo.org so that extra call to osgeo7-download is redundant.

Does `ssh grassbot@upload.osgeo.org` work?
If it does, just use that. That is all you need to upload files to
download.osgeo.org.

>
> although the ssh pub key is in the LDAP profile.
>
> Re: "grass.osgeo.org":
>
>
> {{{
> mneteler@caddy: ~$ ssh grasslxd
> Enter passphrase for key '/home/mneteler/.ssh/id_ed25519':
> Linux grass 5.15...
> neteler@grasslxd:~$ cd ..
> neteler@grasslxd:/home$ ls
> cmbarton/ darkblueb/ martinl/ neteler/ robe/ strk/ tmsz/
> }}}
>
>
> There is no user "grassbot", shall I generate it?

Yes you should create a grassbot user and add the ssh pubkey of grassbot
to that account.

Comment (by neteler):

Just one observation: on "download" there is no user "grassbot", so maybe
that's why?
Or is that autogenerated somehow?

Comment (by neteler):

I have no success with upload.osgeo.org:

{{{
ssh -v grassbot@upload.osgeo.org
OpenSSH_9.6p1, OpenSSL 3.2.4 11 Feb 2025
debug1: Reading configuration data /home/mneteler/.ssh/config
debug1: /home/mneteler/.ssh/config line 93: Applying options for *
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Reading configuration data /etc/ssh/ssh_config.d/50-redhat.conf
debug1: Reading configuration data /etc/crypto-policies/back-ends/openssh.config
debug1: configuration requests final Match pass
debug1: re-parsing configuration
debug1: Reading configuration data /home/mneteler/.ssh/config
debug1: /home/mneteler/.ssh/config line 93: Applying options for *
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Reading configuration data /etc/ssh/ssh_config.d/50-redhat.conf
debug1: Reading configuration data /etc/crypto-policies/back-ends/openssh.config
debug1: Connecting to upload.osgeo.org [140.211.15.30] port 22.
debug1: Connection established.
...
debug1: Authenticating to upload.osgeo.org:22 as 'grassbot'
debug1: load_hostkeys: fopen /home/mneteler/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: aes256-gcm@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: aes256-gcm@openssh.com MAC: <implicit> compression: none
debug1: kex: curve25519-sha256 need=32 dh_need=32
debug1: kex: curve25519-sha256 need=32 dh_need=32
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: SSH2_MSG_KEX_ECDH_REPLY received
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:9Rj8e6GTNUeah218p0NaUqh143OD/90r2+MPpv90yeQ
debug1: load_hostkeys: fopen /home/mneteler/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: Host 'upload.osgeo.org' is known and matches the ECDSA host key.
debug1: Found key in /home/mneteler/.ssh/known_hosts:276
debug1: ssh_packet_send2_wrapped: resetting send seqnr 3
debug1: rekey out after 4294967296 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: ssh_packet_read_poll2: resetting read seqnr 3
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 4294967296 blocks
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_ext_info_client_parse: server-sig-algs=<ssh-ed25519,sk-ssh-ed25519@openssh.com,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp256@openssh.com,webauthn-sk-ecdsa-sha2-nistp256@openssh.com>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: get_agent_identities: bound agent to hostkey
debug1: get_agent_identities: ssh_fetch_identitylist: agent contains no identities
debug1: Will attempt key: /home/mneteler/.ssh/id_rsa RSA SHA256:UNlrM0p4kYjM/HePNSGbZSMTSRqyjrXP7JVkB4Fi9FA
debug1: Will attempt key: /home/mneteler/.ssh/id_ecdsa
debug1: Will attempt key: /home/mneteler/.ssh/id_ecdsa_sk
debug1: Will attempt key: /home/mneteler/.ssh/id_ed25519 ED25519 SHA256:OnmnwV7PovBKQlb/98tRvCyPS4EUsJGXaShwUQSNDZI
debug1: Will attempt key: /home/mneteler/.ssh/id_ed25519_sk
debug1: Will attempt key: /home/mneteler/.ssh/id_xmss
debug1: Will attempt key: /home/mneteler/.ssh/id_dsa
debug1: Offering public key: /home/mneteler/.ssh/id_rsa RSA SHA256:UNlrM0p4kYjM/HePNSGbZSMTSRqyjrXP7JVkB4Fi9FA
debug1: Authentications that can continue: publickey
debug1: Trying private key: /home/mneteler/.ssh/id_ecdsa
debug1: Trying private key: /home/mneteler/.ssh/id_ecdsa_sk
debug1: Offering public key: /home/mneteler/.ssh/id_ed25519 ED25519 SHA256:OnmnwV7PovBKQlb/98tRvCyPS4EUsJGXaShwUQSNDZI
debug1: Authentications that can continue: publickey
debug1: Trying private key: /home/mneteler/.ssh/id_ed25519_sk
debug1: Trying private key: /home/mneteler/.ssh/id_xmss
debug1: Trying private key: /home/mneteler/.ssh/id_dsa
debug1: No more authentication methods to try.
grassbot@upload.osgeo.org: Permission denied (publickey).
}}}

(osgeo8: will create a new user on the other VM tomorrow or so)

Comment (by robe):

Replying to [comment:4 neteler]:
> I have no success with upload.osgeo.org:
>
> debug1: Trying private key: /home/mneteler/.ssh/id_xmss
> debug1: Trying private key: /home/mneteler/.ssh/id_dsa
> debug1: No more authentication methods to try.
> grassbot@upload.osgeo.org: Permission denied (publickey).
> }}}
>
> (osgeo8: will create a new user on the other VM tomorrow or so)

Okay, I think the issue is hopefully resolved now.

In order to connect to upload.osgeo.org, the account has to be part of
the shell group.

I just added grassbot to shell via https://id.osgeo.org/ldap/shell
In future you'll need to do that, and you should be able to, since any
shell user can add another shell user.

Give it a try now.

Comment (by robe):

Replying to [comment:4 neteler]:

> (osgeo8: will create a new user on the other VM tomorrow or so)

Just an FYI, you don't need to create a new user in grass.lxd; it's the
same deal: the user has to be in the shell group for the LDAP auth to
work on grass.
So, having already added it to the shell group, you should be able to do
on grass

{{{
sudo su grassbot
}}}

and then I think I had set it to autocreate the home drive on first login.
So then you can add the public key to the authorized_keys list of the
grassbot account.

Comment (by neteler):

osgeo7: also here I still cannot login successfully to upload.osgeo.org
with the "grassbot" user.

The current situation:

locally:

{{{
# locally .ssh/config
# ssh grassbot@osgeo7-download
# SAC Service Status - OSGeo
Host osgeo7-*
   ProxyCommand ssh grassbot@hop.osgeo7.osgeo.org -W $(sed -e "s/^osgeo7-//;s/$/.lxd/" <<< "%h"):%p
   IdentityFile "~/.ssh/grassbot_osgeo"
}}}

server:

{{{
grassbot@download:~$ ls -la .ssh/authorized_keys
-rw-r--r-- 1 grassbot users 96 Mar 30 13:19 .ssh/authorized_keys
}}}

Now trying to login from outside:

{{{
mneteler@caddy: ~$ ssh -v grassbot@osgeo7-download
OpenSSH_9.6p1, OpenSSL 3.2.4 11 Feb 2025
debug1: Reading configuration data /home/mneteler/.ssh/config
debug1: /home/mneteler/.ssh/config line 20: Applying options for osgeo7-*
debug1: /home/mneteler/.ssh/config line 30: Applying options for osgeo7-*
debug1: /home/mneteler/.ssh/config line 99: Applying options for *
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Reading configuration data /etc/ssh/ssh_config.d/50-redhat.conf
debug1: Reading configuration data /etc/crypto-policies/back-ends/openssh.config
debug1: configuration requests final Match pass
debug1: re-parsing configuration
debug1: Reading configuration data /home/mneteler/.ssh/config
debug1: /home/mneteler/.ssh/config line 20: Applying options for osgeo7-*
debug1: /home/mneteler/.ssh/config line 30: Applying options for osgeo7-*
debug1: /home/mneteler/.ssh/config line 99: Applying options for *
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Reading configuration data /etc/ssh/ssh_config.d/50-redhat.conf
debug1: Reading configuration data /etc/crypto-policies/back-ends/openssh.config
debug1: Executing proxy command: exec ssh grassbot@hop.osgeo7.osgeo.org -W $(sed -e "s/^osgeo7-//;s/$/.lxd/" <<< "osgeo7-download"):22
debug1: identity file /home/mneteler/.ssh/grassbot_osgeo type 3
debug1: identity file /home/mneteler/.ssh/grassbot_osgeo-cert type -1
debug1: identity file /home/mneteler/.ssh/old_id_ed25519 type 3
debug1: identity file /home/mneteler/.ssh/old_id_ed25519-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_9.6
grassbot@hop.osgeo7.osgeo.org: Permission denied (publickey).
kex_exchange_identification: Connection closed by remote host
Connection closed by UNKNOWN port 65535
}}}

Comment (by neteler):

osgeo8: I still cannot login successfully to grass.osgeo.org with the
"grassbot" user.

The current situation:

locally:
{{{
# locally: ssh key
mneteler@caddy: ~$ ls -la .ssh/grassbot_osgeo*
-rw------- 1 mneteler mneteler 464 Mar 19 14:48 .ssh/grassbot_osgeo
-rw-r--r-- 1 mneteler mneteler 96 Mar 19 14:48 .ssh/grassbot_osgeo.pub

# locally: .ssh/config
host grasslxd-grassbot
   Hostname grass.lxd
   ProxyCommand ssh grassbot@hop.osgeo8.osgeo.org -W %h:%p
   IdentityFile "~/.ssh/grassbot_osgeo"
   User grassbot
}}}

server:
{{{
# server side (the grassbot user is now there and I can sudo into it)
# ssh pub key is registered
grassbot@grass:~$ ls -la .ssh/
total 3
drwx------ 2 grassbot users 3 Mar 30 13:01 ./
drwxr-xr-x 4 grassbot users 11 Mar 30 13:12 ../
-rw-r--r-- 1 grassbot users 96 Mar 30 13:01 authorized_keys
}}}

Now trying to login from outside:

{{{
ssh -v grasslxd-grassbot
OpenSSH_9.6p1, OpenSSL 3.2.4 11 Feb 2025
debug1: Reading configuration data /home/mneteler/.ssh/config
debug1: /home/mneteler/.ssh/config line 12: Applying options for grasslxd-grassbot
debug1: /home/mneteler/.ssh/config line 99: Applying options for *
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Reading configuration data /etc/ssh/ssh_config.d/50-redhat.conf
debug1: Reading configuration data /etc/crypto-policies/back-ends/openssh.config
debug1: configuration requests final Match pass
debug1: re-parsing configuration
debug1: Reading configuration data /home/mneteler/.ssh/config
debug1: /home/mneteler/.ssh/config line 99: Applying options for *
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Reading configuration data /etc/ssh/ssh_config.d/50-redhat.conf
debug1: Reading configuration data /etc/crypto-policies/back-ends/openssh.config
debug1: Executing proxy command: exec ssh grassbot@hop.osgeo8.osgeo.org -W grass.lxd:22
debug1: identity file /home/mneteler/.ssh/grassbot_osgeo type 3
debug1: identity file /home/mneteler/.ssh/grassbot_osgeo-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_9.6
grassbot@hop.osgeo8.osgeo.org: Permission denied (publickey).
kex_exchange_identification: Connection closed by remote host
Connection closed by UNKNOWN port 65535
}}}

Comment (by robe):

>
> There is no user "grassbot", shall I generate it?

You shouldn't have to generate one if things are working.

Can you do

{{{
su grassbot
}}}

and then create ssh keys for that account

Comment (by robe):

@neteler,

To rule out something wrong with the key, can you temporarily add the key
you normally use to the

https://id.osgeo.org/ldap/edit (logged in as grassbot)

to the list and try to log in as grassbot@upload.osgeo.org with your key?

Comment (by robe):

@neteler,

Also, if you have time, maybe we can have a meeting at
https://meet.osgeo.org/SAC to go over it.

At a glance not seeing anything wrong with your setup.

Comment (by neteler):

**osgeo7 / upload.osgeo.org**: success!

So:
- I have generated a new ssh key *on* grass.osgeo.org (using `su grassbot`), and
- deposited the pub key in LDAP
- copied the key-pair locally to my laptop to be able to log in from here.

Now access works:

{{{
mneteler@caddy: ~/.ssh$ ssh -i ~/.ssh/grassbot_grass_osgeo grassbot@upload.osgeo.org
Enter passphrase for key '/home/mneteler/.ssh/grassbot_grass_osgeo':
Linux download 5.15.0-105-generic #115~20.04.1-Ubuntu SMP Mon Apr 15 17:33:04 UTC 2024 x86_64
...
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
grassbot@download:~$
}}}

**osgeo8 / grass.osgeo.org**: no success yet. I guess that the hop server
is causing troubles? I guess I am close, though:

{{{
mneteler@caddy: ~$ ssh -v -i ~/.ssh/grassbot_grass_osgeo grassbot@hop.osgeo8.osgeo.org -W grass.lxd:22
OpenSSH_9.6p1, OpenSSL 3.2.4 11 Feb 2025
debug1: Reading configuration data /home/mneteler/.ssh/config
debug1: /home/mneteler/.ssh/config line 99: Applying options for *
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Reading configuration data /etc/ssh/ssh_config.d/50-redhat.conf
debug1: Reading configuration data /etc/crypto-policies/back-ends/openssh.config
debug1: configuration requests final Match pass
debug1: re-parsing configuration
debug1: Reading configuration data /home/mneteler/.ssh/config
debug1: /home/mneteler/.ssh/config line 99: Applying options for *
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Reading configuration data /etc/ssh/ssh_config.d/50-redhat.conf
debug1: Reading configuration data /etc/crypto-policies/back-ends/openssh.config
debug1: Connecting to hop.osgeo8.osgeo.org [140.211.15.9] port 22.
debug1: Connection established.
debug1: identity file /home/mneteler/.ssh/grassbot_grass_osgeo type 3
debug1: identity file /home/mneteler/.ssh/grassbot_grass_osgeo-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_9.6
debug1: Remote protocol version 2.0, remote software version OpenSSH_8.4p1 Debian-5+deb11u1
debug1: compat_banner: match: OpenSSH_8.4p1 Debian-5+deb11u1 pat OpenSSH* compat 0x04000000
debug1: Authenticating to hop.osgeo8.osgeo.org:22 as 'grassbot'
debug1: load_hostkeys: fopen /home/mneteler/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ssh-ed25519
debug1: kex: server->client cipher: aes256-gcm@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: aes256-gcm@openssh.com MAC: <implicit> compression: none
debug1: kex: curve25519-sha256 need=32 dh_need=32
debug1: kex: curve25519-sha256 need=32 dh_need=32
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: SSH2_MSG_KEX_ECDH_REPLY received
debug1: Server host key: ssh-ed25519 SHA256:+fn0UTxAYVJu8TN9R8bQDmf3yYj/c8HEphohFPkos7E
debug1: load_hostkeys: fopen /home/mneteler/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: Host 'hop.osgeo8.osgeo.org' is known and matches the ED25519 host key.
debug1: Found key in /home/mneteler/.ssh/known_hosts:352
debug1: rekey out after 4294967296 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 4294967296 blocks
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_ext_info_client_parse: server-sig-algs=<ssh-ed25519,sk-ssh-ed25519@openssh.com,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp256@openssh.com,webauthn-sk-ecdsa-sha2-nistp256@openssh.com>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: get_agent_identities: bound agent to hostkey
debug1: get_agent_identities: ssh_fetch_identitylist: agent contains no identities
debug1: Will attempt key: /home/mneteler/.ssh/grassbot_grass_osgeo ED25519 SHA256:PPF4X/w/W6Q55L2p3S65ZPqoVh7FbuOT6cF2driAUcA explicit
debug1: Offering public key: /home/mneteler/.ssh/grassbot_grass_osgeo ED25519 SHA256:PPF4X/w/W6Q55L2p3S65ZPqoVh7FbuOT6cF2driAUcA explicit
debug1: Server accepts key: /home/mneteler/.ssh/grassbot_grass_osgeo ED25519 SHA256:PPF4X/w/W6Q55L2p3S65ZPqoVh7FbuOT6cF2driAUcA explicit
Enter passphrase for key '/home/mneteler/.ssh/grassbot_grass_osgeo':
Authenticated to hop.osgeo8.osgeo.org ([140.211.15.9]:22) using "publickey".
debug1: pkcs11_del_provider: called, provider_id = (null)
debug1: channel_connect_stdio_fwd: grass.lxd:22
debug1: channel 0: new stdio-forward [stdio-forward] (inactive timeout: 0)
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: pledge: filesystem
debug1: client_input_global_request: rtype hostkeys-00@openssh.com want_reply 0
debug1: client_input_hostkeys: searching /home/mneteler/.ssh/known_hosts for hop.osgeo8.osgeo.org / (none)
debug1: client_input_hostkeys: searching /home/mneteler/.ssh/known_hosts2 for hop.osgeo8.osgeo.org / (none)
debug1: client_input_hostkeys: hostkeys file /home/mneteler/.ssh/known_hosts2 does not exist
debug1: client_input_hostkeys: no new or deprecated keys from server
debug1: pledge: agent
debug1: Remote: /etc/ssh/ssh-ldap-publickey:2: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
debug1: Remote: /etc/ssh/ssh-ldap-publickey:2: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
SSH-2.0-OpenSSH_8.4p1 Debian-5+deb11u4

debug1: channel 0: FORCE input drain
Invalid SSH identification string.
debug1: stdio forwarding: done
}}}

Comment (by annakrat):

@robe, it looks like there is still some problem, any idea? Thanks

Comment (by robe):

Replying to [comment:14 annakrat]:
> @robe, it looks like there is still some problem, any idea? Thanks

@neteler is there still an issue? I'm seeing a folder in /home/grassbot
called code_and_data@ on grass.lxd that looks to have a ton of folders in
it. So I assume that means you were successful?

Comment (by neteler):

osgeo8: still not working. The folder I made via sudo from my own account.

{{{
ssh -i ~/.ssh/grassbot_grass_osgeo grassbot@hop.osgeo8.osgeo.org -W grass.lxd:22
Enter passphrase for key '/home/mneteler/.ssh/grassbot_grass_osgeo':
SSH-2.0-OpenSSH_8.4p1 Debian-5+deb11u4

Invalid SSH identification string.
}}}

Comment (by neteler):

@robe

I checked and can at least log into the hop server:

{{{
mneteler@caddy: ~$ ssh -i ~/.ssh/grassbot_grass_osgeo grassbot@hop.osgeo8.osgeo.org
Enter passphrase for key '/home/mneteler/.ssh/grassbot_grass_osgeo':
Linux hop 5.15.0-113-generic #123-Ubuntu SMP Mon Jun 10 08:16:17 UTC 2024 x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue Apr 8 19:51:26 2025 from 127.0.0.1
grassbot@hop:~$
}}}

So "only" the forwarding to grass.lxd is failing.
Do you have any idea?

`ssh -i ~/.ssh/grassbot_grass_osgeo grassbot@hop.osgeo8.osgeo.org -W grass.lxd:22`

Is my ssh command wrong? Thanks for any support.

Comment (by robe):

Replying to [comment:17 neteler]:
> @robe

> So "only" the forwarding to grass.lxd is failing.
> Do you have any idea?
>
> `ssh -i ~/.ssh/grassbot_grass_osgeo grassbot@hop.osgeo8.osgeo.org -W grass.lxd:22`
>
> Is my ssh command wrong? Thanks for any support.

Haven't used that syntax. Only used the adding into my config.

But from reading, I think you need a -J command to use a jump host.

Try this:

{{{
ssh -i ~/.ssh/grassbot_grass_osgeo -J grassbot@hop.osgeo8.osgeo.org grassbot@grass.lxd
}}}

Comment (by neteler):

Thanks, @robe. Still no access:

{{{
ssh -i ~/.ssh/grassbot_grass_osgeo -J grassbot@hop.osgeo8.osgeo.org grassbot@grass.lxd
grassbot@hop.osgeo8.osgeo.org: Permission denied (publickey).
Connection closed by UNKNOWN port 65535
}}}

I wonder why it works for "neteler" user but not for "grassbot".
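In both the `grasslxd-grassbot` config posted earlier and the `-J` attempt above, the connection to the hop is made by a second ssh process that looks up the config for `hop.osgeo8.osgeo.org` itself, and ssh(1) documents for `-J` that command-line options such as `-i` apply to the destination rather than to the jump host; that is consistent with the `agent contains no identities` lines followed by `Permission denied` at the hop while a direct `ssh -i ... grassbot@hop.osgeo8.osgeo.org` succeeds. The Python below is an added example, not code from the ticket or from OSGeo: it replays ssh_config's first-match-wins lookup on a constructed copy of that config and on a variant that gives the hop its own Host block carrying the key. Assumptions: only Host blocks are handled (no Match), and the hop is read from ProxyJump or, heuristically, from a ProxyCommand of the `ssh user@hop -W %h:%p` shape used in this ticket.

```python
"""Replay the ssh_config Host lookup that decides which IdentityFile a hop gets.

Added example for ticket #3363, not code from the ticket or from OSGeo. Only
Host blocks are handled (no Match). Note that 'ssh ... hop -W grass.lxd:22'
typed at a terminal only pipes grass.lxd's sshd banner to the screen; -W is
meant to run inside a ProxyCommand, which is exactly what ProxyJump generates.
"""
import fnmatch
import shlex

# Constructed copy of the config from the ticket: the IdentityFile lives only
# under the alias, but the 'ssh grassbot@hop.osgeo8.osgeo.org' started by the
# ProxyCommand is a separate process that looks up hop.osgeo8.osgeo.org.
BROKEN_CONFIG = """\
host grasslxd-grassbot
   Hostname grass.lxd
   ProxyCommand ssh grassbot@hop.osgeo8.osgeo.org -W %h:%p
   IdentityFile "~/.ssh/grassbot_osgeo"
   User grassbot
"""

# Suggested variant (an assumption, not from the ticket): ProxyJump plus a Host
# block for the hop itself; IdentitiesOnly stops ssh offering other keys first.
FIXED_CONFIG = """\
Host grasslxd-grassbot
   Hostname grass.lxd
   User grassbot
   ProxyJump grassbot@hop.osgeo8.osgeo.org
   IdentityFile ~/.ssh/grassbot_osgeo

Host hop.osgeo8.osgeo.org
   User grassbot
   IdentityFile ~/.ssh/grassbot_osgeo
   IdentitiesOnly yes
"""


def parse_ssh_config(text):
    """Return [(host_patterns, {keyword: [values...]}), ...] in file order."""
    blocks = [(["*"], {})]  # options before the first Host line apply to all
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tokens = shlex.split(line)  # also strips the quotes around paths
        keyword, values = tokens[0].lower(), tokens[1:]
        if keyword == "match":
            raise ValueError("Match blocks are not handled by this example")
        if keyword == "host":
            blocks.append((values, {}))
        else:
            blocks[-1][1].setdefault(keyword, []).append(" ".join(values))
    return blocks


def resolve(text, host):
    """Effective options for `host`: the first matching block wins per keyword,
    except IdentityFile, which accumulates across all matching blocks."""
    effective = {}
    for patterns, opts in parse_ssh_config(text):
        negated = [p[1:] for p in patterns if p.startswith("!")]
        positive = [p for p in patterns if not p.startswith("!")]
        if any(fnmatch.fnmatchcase(host, p) for p in negated):
            continue
        if not any(fnmatch.fnmatchcase(host, p) for p in positive):
            continue
        for keyword, values in opts.items():
            if keyword == "identityfile":
                effective.setdefault(keyword, []).extend(values)
            else:
                effective.setdefault(keyword, values[0])
    return effective


def jump_host(opts):
    """Hostname of the first hop the outer connection tunnels through, or None."""
    if "proxyjump" in opts:
        target = opts["proxyjump"].split(",")[0]
    elif opts.get("proxycommand", "").startswith("ssh "):
        # Heuristic for the 'ssh user@hop -W %h:%p' form used in the ticket.
        target = next((t for t in opts["proxycommand"].split() if "@" in t), None)
        if target is None:
            return None
    else:
        return None
    return target.rsplit("@", 1)[-1].split(":")[0]


def hop_identities(text, alias):
    """IdentityFile list the hop connection for `alias` will actually use: the
    hop's own ssh process resolves the config for the hop's hostname, and the
    outer command line's -i applies to the destination only."""
    hop = jump_host(resolve(text, alias))
    if hop is None:
        return []
    return resolve(text, hop).get("identityfile", [])
```

`hop_identities(BROKEN_CONFIG, "grasslxd-grassbot")` returns an empty list, while the same call on `FIXED_CONFIG` returns the key path, because only the second config has a block that the hop's hostname matches.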