Creating OpenSSH key as nagios user

[WillemDH]

Ok, I need to create an openSSH key as the user that operates nagios. Is this the user nagios and if so, I don't think I ever had to set a password for this user, hence I don't know how I can login with this user in order to generate a public key. I tried using "runuser nagios -c ssh-keygen" logged in as root, but I get the following errors:
open eternuskey failed: Permission denied.
Saving the key failed: eternuskey.

This is the procedure I'm following to get the Fujitsu Eternus DX plugin working:
Create an SSH client public key and a secret key as a pair in the Nagios server. These keys can be created by
using the "ssh-keygen" command of OpenSSH or by another method.
Note that a pair of keys (the SSH client public key and the secret key) must be created and registered in the
Nagios server by using the user account that operates Nagios.
Refer to the manuals that can be viewed at the following URL for details on how to create keys with the "sshkeygen"
command for Open SSH.
http://www.openssh.org/manual.html
The ETERNUS Disk storage system supports the public key types that are listed in the table below.
Figure 2.2 Public key types
Public key types Encryption level of public keys
OpenSSH style RSA for SSH v1 Up to 4096 bits.
IETF style DSA for SSH v2
IETF style RSA for SSH v2

[sreinhardt]

If you are logging in as root, you should be able to just su into the nagios user like so:

su - nagios

I am not sure, but I would think your permissions issue is likely to the /home/nagios/.ssh directory and the keys there. On my system this is not created yet, so you may need to do this first.

[WillemDH]

Ok, I'll try this out later, but first I'm trying to get it working as root, which doesn't seem so easy either. I tried the following command with -t dsa and -t rsa.

ssh-keygen -t dsa -f $HOME/.ssh/dsa_eternus_key_file
which gave:
Generating public/private dsa key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/dsa_eternus_key_file.
Your public key has been saved in /root/.ssh/dsa_eternus_key_file.pub.

After which I copied the dsa_eternus_key_file.pub file to another location and uploaded it in the Eternus interface for the nagios users I created there.

The procedure says:
Confirm that the communication by using the SSH client public key is performed between the Nagios server
and the ETERNUS Disk storage system.
Make sure to connect to the ETERNUS Disk storage system from the Nagios server, and enter "yes" (continue
connecting) when the confirmation message is displayed.
Note that this operation must be performed by using the user account that operates Nagios.
Example:
Use the "ssh" command in the terminal device and connect to the ETERNUS Disk storage system.
ETERNUS Disk storage system information
Execute the same command again. Confirm that the logging in to the ETERNUS Disk storage system is
complete without displaying the confirmation message.
Confirm that the ETERNUS Disk storage system does not request passwords for user account 1 and user
account 2. If the entering of a password is requested, the SSH client public key and the secret key may have
been incorrectly set. Check the SSH client public key and the secret key settings again.

I'm able to log into the Eternus from the Nagios server as user root and the second time I don't need to confirm, but it keeps asking me for a password.... Anyone got any idea what i'm doing wrong?

This is the URL of the full procedure:
http://www.fujitsu.com/downloads/STRSYS ... 01ENZ0.pdf

[abrist]

As you are attempting to log into the server as root, you need to make sure that the public key was copied to /root/.ssh/ on the Eternus device.

[WillemDH]

Does the user on the Eternus need to have the same name as the user with which is logged in? So it ened to be named "nagios"? Strange as I need two users. The public key is uploaded by the gui. I'll try to ssh it and check tomoorow if the file isplaced in the right place.

[abrist]

The public key on the remote host must match the private key on the XI server. So if you generate a private/public key fro the "nagios" user on the XI server, you just need to copy the public key to the remote server. It gets copied into the user directory of your choice: /home/<user>/.ssh and then you just have to make sure to login as that user from the "nagios' user on the XI sever.

[WillemDH]

In fact the Eternus plugin requires two users. So I created sys_nagios_user1 (software role) en sys_nagios_user2 (monitor role).

I'm still trying ot get it working with the root user on the nagios server. So I did the following:
ssh-keygen -t rsa
Then copied the "id_rsa.pub" to a location I can access with Windows.
Then uploaded the .pub key with the Eternus website. I also tried to ssh the Eternu to look where the key is stored, but the Eternus doesn't allow that apparently.

After uploading the key, and tryng to ssh, logged in as root, with the sys_nagios_user1, it still asks me for a password..
After entering the password I'm able to connect to the CLI, but the documentation of the Eternus says it is required to not enter any password..

[abrist]

After uploading the key, and tryng to ssh, logged in as root, with the sys_nagios_user1, it still asks me for a password..

What user do you specify when you ssh to the Eternus device?

Your private key must be in the user's folder you are sshing from:

Code: Select all

/home/<username>/.ssh

As well as you need the public key uploaded to the user you are sshing to (should be uploaded to that user through the Eternus web ui).

Code: Select all

ssh <eternus user>@<eternus ip>

[WillemDH]

Hi all,

I managed to make this public / private key setup work. In fact the documentation was incorrect. The Fujitsu Eternus support helped me through it. The public key need to be converted to a RFC4716 public key.
ssh-keygen -e -f ~/.ssh/id_dsa > ~/.ssh/id_dsa_com.pub
ssh-keygen -i -f ~/.ssh/id_dsa_com.pub > ~/.ssh/id_dsa.pub
Thanks again for all the help!

Willem

[abrist]

No problem. Hopefully they will fix up their docs. Enjoy the week!