VMware vMA Settings Manager:
Posted: Tue Jun 04, 2019 4:18 am
by Unigarant
We just installed a new VMA. This was needed because our new vCenter was no longer working with the old VMware VMA.
After some effort we seemed to have everything working. Checks work, key login works with the Nagios user.
However, after starting the test from the vMA Settings Manager we get the following error:
Code:
There was an issue establishing an SSH session with the vMA host vma-centos.unigarant.nl!
The output is as follows:
Permission denied, please try again.
Permission denied, please try again.
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
Please refer to the box293_check_vmware manual on how to configure this Nagios host to communicate with the vMA host.
We have tried doing the complete install again, removing the stored host keys, doing it by IP instead of hostname, copying the keys to the apache user again, setting the correct permissions on the known hosts (again): nothing works...
Any help is appreciated.
Re: VMware vMA Settings Manager:
Posted: Tue Jun 04, 2019 2:30 pm
by cdienger
Are you following the steps in https://exchange.nagios.org/components/ ... 0&cf_id=29 (starting on page 8) to create and transfer the certificate? What is the output if you run the following on the XI machine:
Code:
su - nagios
ssh vi-admin@vma_ip_or_hostname
?
Re: VMware vMA Settings Manager:
Posted: Wed Jun 05, 2019 6:46 am
by Unigarant
Yes, we followed the procedure. And as stated: when we log in via ssh vi-admin.... it logs in without problems, does not require a password.
However, when we try it via the test settings radio button we get the error above.
We have done some additional testing: there seem to be issues with the permissions on the following file.
Code:
There was an issue establishing an SSH session with the vMA host vma-centos.unigarant.nl!
The output is as follows:
Load key "/usr/share/httpd/.ssh/id_dsa": Permission denied
Permission denied, please try again.
Permission denied, please try again.
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
Please refer to the box293_check_vmware manual on how to configure this Nagios host to communicate with the vMA host.
After changing the permissions on that file we sometimes only get the "The output is as follows:" line, without any actual output. When we look at the vMA after that there has been no logon attempt. With the error mentioned in the first post we do get an invalid logon on the vMA...
@Box293: this file is not mentioned anywhere in the manual...
Is there anyone who can tell me exactly what the permissions should be on the /usr/share/httpd/.ssh/ directory and the id_dsa file in that directory?
Re: VMware vMA Settings Manager:
Posted: Wed Jun 05, 2019 2:40 pm
by cdienger
It looks like things have changed a bit since the documentation was created. Run the following on the XI command line:
Code:
cp /home/nagios/.ssh/known_hosts /usr/share/httpd/.ssh/
cp /home/nagios/.ssh/id_dsa /usr/share/httpd/.ssh/
setfacl -R -m u:apache:r-x /usr/share/httpd/.ssh/
Re: VMware vMA Settings Manager:
Posted: Fri Jun 07, 2019 6:48 am
by Unigarant
cdienger wrote: It looks like things have changed a bit since the documentation was created. Run the following on the XI command line:
Code:
cp /home/nagios/.ssh/known_hosts /usr/share/httpd/.ssh/
cp /home/nagios/.ssh/id_dsa /usr/share/httpd/.ssh/
setfacl -R -m u:apache:r-x /usr/share/httpd/.ssh/
We had already done that, to no avail. First we get an error stating that the file is open for anyone to read.
After changing the permissions to:
.ssh directory: 700 (drwx------)
public key (.pub file): 644 (-rw-r--r--)
private key (id_rsa): 600 (-rw-------)
We now get a "Host key verification failed" error...
Any suggestions?
Re: VMware vMA Settings Manager:
Posted: Fri Jun 07, 2019 9:11 am
by cdienger
These are the permissions on my lab machine where the test works:
Code:
drwxr-xr-x+ 2 root root 37 Jun 6 01:38 .
drwxr-xr-x 6 root root 55 Jun 6 01:37 ..
-rw-r-x---+ 1 root root 672 Jun 6 01:38 id_dsa
-rw-r-xr--+ 1 root root 174 Jun 6 01:38 known_hosts
If this doesn't work, try running the ssh command as apache and let us know if that works:
Code:
# -s is needed when the apache account has no login shell
su -s /bin/bash - apache
ssh vi-admin@vma_ip_or_hostname
The apache logs may also give us some info. Run:
and then run the test and see if any errors are logged by it.
Re: VMware vMA Settings Manager:
Posted: Tue Jun 11, 2019 1:01 am
by Unigarant
cdienger wrote: These are the permissions on my lab machine where the test works:
Code:
drwxr-xr-x+ 2 root root 37 Jun 6 01:38 .
drwxr-xr-x 6 root root 55 Jun 6 01:37 ..
-rw-r-x---+ 1 root root 672 Jun 6 01:38 id_dsa
-rw-r-xr--+ 1 root root 174 Jun 6 01:38 known_hosts
If this doesn't work, try running the ssh command as apache and let us know if that works:
Code:
# -s is needed when the apache account has no login shell
su -s /bin/bash - apache
ssh vi-admin@vma_ip_or_hostname
The apache logs may also give us some info. Run:
and then run the test and see if any errors are logged by it.
When I set the permissions to the above I get an access denied error. Which seems logical since the Apache user does not seem to have permissions to read the file?
When I then change the owner to Apache (group still root) I get an invalid permissions error stating that the file can be read by others and will not be used. When I then change the permissions to 0700 (or rwx------) I get an error without any output:
Code:
There was an issue establishing an SSH session with the vMA host vma-centos.unigarant.nl!
The output is as follows:
Re: VMware vMA Settings Manager:
Posted: Tue Jun 11, 2019 1:07 pm
by cdienger
...the file can be read by others and will not be used....
Can we get a screenshot of this message? Do you see it on the command line or when you run the test in the web UI?
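Added example, not part of the thread and not code from Nagios or box293_check_vmware: a small check that predicts which of the three outcomes reported above ("Load key ... Permission denied", the "can be read by others" rejection, or a usable key) a given owner/mode combination produces. It relies on the OpenSSH client applying its permission check only to key files owned by the invoking user; the function names, uid 48 for apache and the sample cases are constructed, and `stat -c` assumes GNU coreutils.

```shell
#!/bin/sh
# Hypothetical helper: predict how the OpenSSH client treats a private key.
# classify_key OWNER_UID MODE_OCTAL CALLER_UID READABLE(yes|no)
classify_key() {
    if [ "$4" != yes ]; then
        echo unreadable   # ssh reports: Load key "...": Permission denied
        return 0
    fi
    # ssh checks group/other bits only when the caller owns the key file.
    # With an ACL present, the group bits shown by stat are the ACL mask.
    if [ "$1" -eq "$3" ] && [ $(( 0$2 & 077 )) -ne 0 ]; then
        echo rejected     # ssh warns the key is unprotected and ignores it
        return 0
    fi
    echo usable
}

# check_key PATH: classify a real file for the user running this script.
check_key() {
    owner=$(stat -c '%u' "$1") || return 1
    mode=$(stat -c '%a' "$1") || return 1
    if [ -r "$1" ]; then readable=yes; else readable=no; fi
    classify_key "$owner" "$mode" "$(id -u)" "$readable"
}

# Constructed cases from the thread; uid 0 is root, uid 48 stands in for apache.
echo "root-owned, 650 via ACL, apache can read:  $(classify_key 0 650 48 yes)"
echo "root-owned, 600, no ACL entry for apache:  $(classify_key 0 600 48 no)"
echo "apache-owned, 650 (ACL mask still set):    $(classify_key 48 650 48 yes)"
echo "apache-owned, 700:                         $(classify_key 48 700 48 yes)"

# Optional: classify a real key file passed as the first argument.
if [ $# -gt 0 ]; then
    check_key "$1"
fi
```

Run it as the web server user against the copied key to see the verdict for the account the test button actually uses; a "usable" key that still fails points at something other than key permissions, such as the "Host key verification failed" error reported earlier.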