VMware vMA Settings Manager:

Unigarant
Posts: 42
Joined: Mon Jan 06, 2014 2:53 am

Post by Unigarant »

We just installed a new vMA. This was needed because our new vCenter was no longer working with the old VMware vMA.

After some effort we seemed to have everything working. Checks work, key login works with the Nagios user.
However, after starting the test from the vMA Settings Manager we get the following error:

Code:

There was an issue establishing an SSH session with the vMA host vma-centos.unigarant.nl!
The output is as follows:
Permission denied, please try again.
Permission denied, please try again.
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
Please refer to the box293_check_vmware manual on how to configure this Nagios host to communicate with the vMA host.

We have tried doing the complete install again, removing the stored host keys, doing it by IP instead of hostname, copying the keys to the apache user again, setting the correct permissions on the known hosts (again): nothing works...

Any help is appreciated.
cdienger
Support Tech
Posts: 5045
Joined: Tue Feb 07, 2017 11:26 am

Re: VMware vMA Settings Manager:

Post by cdienger »

Are you following the steps in https://exchange.nagios.org/components/ ... 0&cf_id=29 (starting on page 8) to create and transfer the certificate? What is the output if you run the following on the XI machine:

Code:

su nagios -
ssh vi-admin@vma_ip_or_hostname

?

As of May 25th, 2018, all communications with Nagios Enterprises and its employees are covered under our new Privacy Policy.

Re: VMware vMA Settings Manager:

Post by Unigarant »

cdienger wrote: Are you following the steps in https://exchange.nagios.org/components/ ... 0&cf_id=29 (starting on page 8) to create and transfer the certificate? What is the output if you run the following on the XI machine:

Code:

su nagios -
ssh vi-admin@vma_ip_or_hostname

?

Yes, we followed the procedure. And as stated: when we log in via ssh vi-admin.... it logs in without problems, does not require a password.
However, when we try it via the test settings radio button we get the error above.

We have done some additional testing: there seem to be issues with the permissions on the following file.

Code:

There was an issue establishing an SSH session with the vMA host vma-centos.unigarant.nl!
The output is as follows:
Load key "/usr/share/httpd/.ssh/id_dsa": Permission denied
Permission denied, please try again.
Permission denied, please try again.
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
Please refer to the box293_check_vmware manual on how to configure this Nagios host to communicate with the vMA host.

After changing the permissions on that file we sometimes only get the "The output is as follows:" line, without any actual output. When we look at the vma after that there has been no logon attempt. With the error mentioned in the first post we do get an invalid logon on the vma... @Box293: this file is not mentioned anywhere in the manual...

Is there anyone who can tell me exactly what the permissions should be on the /usr/share/httpd/.ssh/ directory and the id_dsa file in that directory?

Re: VMware vMA Settings Manager:

Post by cdienger »

It looks like things have changed a bit since the documentation was created. Run the following on the XI command line:

Code:

cp /home/nagios/.ssh/known_hosts /usr/share/httpd/.ssh/
cp /home/nagios/.ssh/id_dsa /usr/share/httpd/.ssh/
setfacl -R -m u:apache:r-x /usr/share/httpd/.ssh/

Re: VMware vMA Settings Manager:

Post by Unigarant »

cdienger wrote: It looks like things have changed a bit since the documentation was created. Run the following on the XI command line:

Code:

cp /home/nagios/.ssh/known_hosts /usr/share/httpd/.ssh/
Type cp /home/nagios/.ssh/id_dsa /usr/share/httpd/.ssh/ and press Enter
Type setfacl -R -m u:apache:r-x /usr/share/httpd/.ssh/

We had already done that, to no avail. First we get an error stating that the file is open for anyone to read.
After changing the permissions to:
.ssh directory: 700 (drwx------)
public key (.pub file): 644 (-rw-r--r--)
private key (id_rsa): 600 (-rw-------)

We now get a "Host key verification failed" error...
Any suggestions?

Re: VMware vMA Settings Manager:

Post by cdienger »

These are the permissions on my lab machine where the test works:

Code:

drwxr-xr-x+ 2 root root  37 Jun  6 01:38 .
drwxr-xr-x  6 root root  55 Jun  6 01:37 ..
-rw-r-x---+ 1 root root 672 Jun  6 01:38 id_dsa
-rw-r-xr--+ 1 root root 174 Jun  6 01:38 known_hosts

If this doesn't work, try running the ssh command as apache and let us know if that works:

Code:

su apache -
ssh vi-admin@vma_ip_or_hostname

The apache logs may also give us some info. Run:

Code:

tail -f /var/log/httpd/*

and then run the test and see if any errors are logged by it.

Re: VMware vMA Settings Manager:

Post by Unigarant »

cdienger wrote: These are the permissions on my lab machine where the test works:

Code:

drwxr-xr-x+ 2 root root  37 Jun  6 01:38 .
drwxr-xr-x  6 root root  55 Jun  6 01:37 ..
-rw-r-x---+ 1 root root 672 Jun  6 01:38 id_dsa
-rw-r-xr--+ 1 root root 174 Jun  6 01:38 known_hosts

If this doesn't work, try running the ssh command as apache and let us know if that works:

Code:

su apache -
ssh vi-admin@vma_ip_or_hostname

The apache logs may also give us some info. Run:

Code:

tail -f /var/log/httpd/*

and then run the test and see if any errors are logged by it.

When I set the permissions to the above I get an access denied error. Which seems logical since the Apache user does not seem to have permissions to read the file?

When I then change the owner to Apache (group still root) I get an invalid permissions error stating that the file can be read by others and will not be used. When I then change the permissions to 0700 (or rwx------) I get an error without any output:

Code:

There was an issue establishing an SSH session with the vMA host vma-centos.unigarant.nl!
The output is as follows:
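
The two key-file errors reported in this thread ("Load key ...: Permission denied" and the refusal of a key that others can read) come from two separate checks in the OpenSSH client. As an added example that is not part of the original thread, the POSIX shell function below reproduces both checks for the user running it; `key_status` and `explain_key` are hypothetical helper names and GNU `stat` is assumed.

```shell
#!/bin/sh
# Added example: classify a private key the way the OpenSSH client does for
# the user running this script. Assumes GNU stat (Linux); key_status and
# explain_key are hypothetical helper names.
#
# The client first opens the key ("Load key ...: Permission denied" if it
# cannot). Only then, and only if the file is owned by the calling user, does
# it refuse the key when any group/other permission bit is set. A key owned by
# someone else (e.g. root) skips that second check, so read access granted
# through an ACL is enough in that case.
# With a POSIX ACL on the file, the group bits stat reports are the ACL mask,
# so an ACL entry granting r-x makes a key owned by the caller "too open".
key_status() {
    key=$1
    if [ ! -e "$key" ]; then echo missing; return 0; fi
    if [ ! -r "$key" ]; then echo unreadable; return 0; fi
    owner=$(stat -c %u -- "$key")   # numeric owner uid
    mode=$(stat -c %a -- "$key")    # octal permission bits, e.g. 600
    if [ "$owner" = "$(id -u)" ] && [ $(( 0$mode & 077 )) -ne 0 ]; then
        echo too_open
        return 0
    fi
    echo ok
}

# Print the verdict next to the symptom it produces.
explain_key() {
    case $(key_status "$1") in
        missing)    echo "$1: no such file" ;;
        unreadable) echo "$1: cannot be opened by $(id -un) (Load key: Permission denied)" ;;
        too_open)   echo "$1: owned by $(id -un) with group/other bits set (key is ignored)" ;;
        ok)         echo "$1: usable by $(id -un)" ;;
    esac
}

# Check the key paths given on the command line, if any.
for k in "$@"; do explain_key "$k"; done
```

The verdict depends on who runs it, so run it as the account the web test uses, for example `sudo -u apache sh keycheck.sh /usr/share/httpd/.ssh/id_dsa` (`keycheck.sh` is a placeholder file name).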

Re: VMware vMA Settings Manager:

Post by cdienger »

...the file can be read by others and will not be used....
Can we get a screenshot of this message? Do you see it on the command line or when you run the test in the web UI?