[SAC] [OSGeo] #2663: Get access to osgeo7-*

#2663: Get access to osgeo7-*
---------------------------+-----------------------
Reporter: jsanz | Owner: sac@…
     Type: task | Status: new
Priority: normal | Milestone: Unplanned
Component: Systems Admin | Keywords:
---------------------------+-----------------------
Following up from #2660, I'd like to get access to `osgeo7-*` servers. At
this moment, after adding the configuration to `.ssh/config` I get this
output

{{{
$ ssh jsanz@osgeo7-old-webextra
jsanz@hop.osgeo7.osgeo.org: Permission denied (publickey).
kex_exchange_identification: Connection closed by remote host
}}}

My current public key is the second entry in
`osgeo6:/home/jsanz/.ssh/authorized_keys` finishing with
`jorge.sanz@elastic.co`.

Thanks!

--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/2663>
OSGeo <https://osgeo.org/>
OSGeo committee and general foundation issue tracker.

#2663: Get access to osgeo7-*
---------------------------+------------------------
Reporter: jsanz | Owner: sac@…
     Type: task | Status: new
Priority: normal | Milestone: Unplanned
Component: Systems Admin | Resolution:
Keywords: |
---------------------------+------------------------

Comment (by robe):

jsanz -- I don't see your key in your ldap profile, did you try adding it?

Go to https://id.osgeo.org/ldap/edit

Login and put your public key there.

--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/2663#comment:1>

#2663: Get access to osgeo7-*
---------------------------+------------------------
Reporter: jsanz | Owner: sac@…
     Type: task | Status: new
Priority: normal | Milestone: Unplanned
Component: Systems Admin | Resolution:
Keywords: |
---------------------------+------------------------

Comment (by jsanz):

Replying to [comment:1 robe]:
> jsanz -- I don't see your key in your ldap profile, did you try adding it?
>
> Go to https://id.osgeo.org/ldap/edit
>
> Login and put your public key there.
>

Done, I've added my public key on that form. I waited a day but I still
get a `permission denied` error.

--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/2663#comment:2>

#2663: Get access to osgeo7-*
---------------------------+------------------------
Reporter: jsanz | Owner: sac@…
     Type: task | Status: new
Priority: normal | Milestone: Unplanned
Component: Systems Admin | Resolution:
Keywords: |
---------------------------+------------------------

Comment (by robe):

Replying to [comment:2 jsanz]:

> Done, I've added my public key on that form. I waited a day but I still get a `permission denied` error.

The change takes effect immediately so you don't need to wait.
I do see the key now on your ldap account and confirmed it matches what
you have in osgeo6 second key aside from linebreaks and spaces which
shouldn't matter as the ldap one is chunked on mine too and I don't have an
authorized_keys in my hop home drive and can get in with my account.

I've manually added the key to your home drive on hop.osgeo7.osgeo.org to
rule out any weird whitespace issues.

If that still doesn't work perhaps your issue is the one described below.

https://dev.to/bowmanjd/upgrade-ssh-client-keys-and-remote-servers-after-fedora-33-s-new-crypto-policy-47ag

Here:
https://wiki.osgeo.org/wiki/SAC_Service_Status#Accessing_osgeo7_containers_via_ssh

{{{
Troubleshooting: In case of "Permission denied (publickey)." after an
update to a modern openSSH version, it might well be that your ssh key
(RSH key) is disabled in your client in favour of more modern cyphers.

Ugly workaround: add one line `PubkeyAcceptedKeyTypes ...` in
`.ssh/config`, to re-enable RSA keys for now (consider to generate a new
key):

  vim .ssh/config
  ...
  Host *
     ...
     PubkeyAcceptedKeyTypes +ssh-rsa

}}}

--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/2663#comment:3>
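
The workaround quoted in the comment above, scoped to a single host instead of `Host *`, as an added example that is not part of the original ticket or OSGeo's own configuration. The host and user names are the ones used in this ticket; the `IdentityFile` path is an assumption.

```sshconfig
# ~/.ssh/config  (added example; IdentityFile path is assumed)

# Broad form from the wiki note: re-enables ssh-rsa for every host
# this client ever connects to.
#
# Host *
#     PubkeyAcceptedKeyTypes +ssh-rsa

# Narrower form: re-enable ssh-rsa only for the jump host that still
# needs it. ssh_config uses the first value it finds for each option,
# so this block must come before any "Host *" block.
Host hop.osgeo7.osgeo.org
    User jsanz
    # Assumed location of the existing RSA key.
    IdentityFile ~/.ssh/id_rsa
    # Offer only the key named above, not every key the agent holds.
    IdentitiesOnly yes
    # OpenSSH 8.5 and later call this option PubkeyAcceptedAlgorithms
    # and keep the old name as an alias.
    PubkeyAcceptedKeyTypes +ssh-rsa
```

`ssh -G hop.osgeo7.osgeo.org | grep -i pubkeyaccepted` prints the effective value for that host, which shows whether the override is being picked up.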

#2663: Get access to osgeo7-*
---------------------------+------------------------
Reporter: jsanz | Owner: sac@…
     Type: task | Status: new
Priority: normal | Milestone: Unplanned
Component: Systems Admin | Resolution:
Keywords: |
---------------------------+------------------------

Comment (by jsanz):

Thanks for the support Regina.

Now I can access `hop.osgeo.org` without issues but I still can't get into
the lxd container with the `ProxyCommand` setup.

I'm fine with having to log first into the download server but
`ssh jsanz@old-webextra.lxd` server is asking for a password for my handle
and the OSGeo ldap password is not working.

The `PubkeyAcceptedKeyTypes` is not working for me :disappointed_relieved:

... few minutes later ...

I've realized I can get into other containers like `osgeo7-web`,
`osgeo7-download`, or `osgeo7-pycsw` so there's something different with
`old-webextra`. Hope this helps.

--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/2663#comment:4>

#2663: Get access to osgeo7-*
---------------------------+------------------------
Reporter: jsanz | Owner: sac@…
     Type: task | Status: new
Priority: normal | Milestone: Unplanned
Component: Systems Admin | Resolution:
Keywords: |
---------------------------+------------------------

Comment (by Jeff McKenna):

Odd timing but I'm in the exact same situation now as @jsanz: cannot
ProxyJump into old-webextra, but can jump into the other containers.

--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/2663#comment:5>

#2663: Get access to osgeo7-*
---------------------------+------------------------
Reporter: jsanz | Owner: sac@…
     Type: task | Status: new
Priority: normal | Milestone: Unplanned
Component: Systems Admin | Resolution:
Keywords: |
---------------------------+------------------------

Comment (by robe):

Try now. Was same issue with letsencrypt and old-webextra being so old it
didn't trust the new authority.

Feel free to close if all set. Jsanz can you by chance also try removing
your key on hop server to see if the ssh still works. I want to make sure
your key registered in ldap works so if you need to access other servers
on other hosts you'll be able to.

--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/2663#comment:6>

#2663: Get access to osgeo7-*
---------------------------+------------------------
Reporter: jsanz | Owner: sac@…
     Type: task | Status: new
Priority: normal | Milestone: Unplanned
Component: Systems Admin | Resolution:
Keywords: |
---------------------------+------------------------

Comment (by Jeff McKenna):

Confirmed fix here, thanks again @robe !!!

--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/2663#comment:7>

#2663: Get access to osgeo7-*
---------------------------+------------------------
Reporter: jsanz | Owner: sac@…
     Type: task | Status: closed
Priority: normal | Milestone: Unplanned
Component: Systems Admin | Resolution: fixed
Keywords: |
---------------------------+------------------------
Changes (by jsanz):

* status: new => closed
* resolution: => fixed

Comment:

Confirmed here as well, I renamed the `.ssh/authorized_keys` file in the
hop server just in case it is needed again but I could get into the
`old-webextra` server with my LDAP password and check the status of the
planet, etc.

Thanks again :clap::clap:

--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/2663#comment:8>