5

When executing:

    knife bootstrap {{IP}} --ssh-user centos --ssh-password '' \
      --sudo --use-sudo-password --node-name node1 \
      --run-list 'recipe[learn_chef_httpd]'

I am getting the following error:

    ERROR: Net::SSH::AuthenticationFailed: Authentication failed for user centos@{{IP}}@{{IP}}

I am trying to connect as the centos user, which has no password, because I want to use SSH key authentication.

I have tried passing a number of permutations:

    knife bootstrap {{IP}} -x centos -i .chef/james-chef-validator.pem --sudo --run-list 'recipe[learn_chef_httpd]'

all without success...

If running with -VV:

    ...

    DEBUG: allowed methods: publickey,gssapi-keyex,gssapi-with-mic
    DEBUG: none failed
    DEBUG: trying publickey
    DEBUG: connecting to ssh-agent
    ERROR: could not connect to ssh-agent
    ERROR: all authorization methods failed (tried none, publickey)
    ERROR: Net::SSH::AuthenticationFailed: Authentication failed for user  centos@{{IP}}@{{IP}}

Any ideas?

James McDougall

3 Answers

5

Fixed it!

So when you are using Hosted Chef you need to pass in a private key with the bootstrap and have the public key in your authorized_keys file.

  1. install the ChefSDK
  2. SCP your starter kit from hosted Chef
  3. extract the starter kit to ~/chef-repo
  4. generate a new keypair: ssh-keygen
  5. add the public key to your authorized_keys file: $ cat id_rsa.pub >> authorized_keys
  6. run the knife bootstrap with the following:

    sudo knife bootstrap {{server-ip}} --ssh-user {{your-server-user}} -i ~/.ssh/id_rsa --sudo --node-name web1

That should work!

I would also suggest that the user you pass as the --ssh-user has passwordless sudo access.

James McDougall
  • 1
    It always prompts for a password. I am able to connect using ssh user@ipaddress -i .ssh/id_rsa, but the knife command always prompts for a password. Any idea? Thank you. – Robert Jan 26 '17 at 14:39
2

What you need are ssh keys.

Initially the 'node1' server (referred to as <targetserver> below) will need a password set for your 'centos' user (referred to as <targetuser> below). Once you have set a password for that user, follow the instructions below.

To set it up, log in on the client server (the one running chef) as the chef user and run

    ssh-keygen -t rsa

Follow the instructions (just press enter when asked for a password).

Then run the following command

    ssh-copy-id <targetuser>@<targetserver>

Follow the on-screen instructions, and that's all there is to it.
Chef should then pick up that ssh key automatically.

EDIT:

For Hosted Chef the process is a little different. In Chef Manage go to Administration>Users> and select your username. In there you should see a public key.

Log in on your target server as the target user, then check if you have the ~/.ssh directory

    ls ~/.ssh

If that says "ls: cannot access ~/.ssh: No such file or directory" run

    mkdir ~/.ssh

Then, using your command-line file editor of choice (I prefer VIM), create the file ~/.ssh/authorized_keys and copy the public key you found on Hosted Chef into that file.

EDIT: If your public key is in the format starting:

    -----BEGIN PUBLIC KEY-----

You will first need to convert that into the SSH public key format.

To do so, create a file on your local machine called publickey.pem and copy your public key into it. Then open a terminal in that location and run:

    ssh-keygen -f publickey.pem -i -m PKCS8

Hope this helps. Tim.
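
An added example, not part of any answer on this page: a shell helper for the "add the public key to authorized_keys" step that both answers describe. It refuses a PEM-format key that still needs the `ssh-keygen -i -m PKCS8` conversion, and it sets the modes sshd expects, because with the default `StrictModes yes` a group- or world-writable `~/.ssh` or `authorized_keys` is ignored and login falls back to other methods. The function names `classify_pubkey` and `install_pubkey` are hypothetical.

```shell
#!/bin/sh
# Added example: install one SSH public key for the current user.
# Function names are hypothetical; nothing here is Chef's or knife's own code.

# classify_pubkey FILE
#   returns 0 for a one-line OpenSSH public key ("<type> <base64> [comment]"),
#   2 for a PEM block (-----BEGIN ...), 1 for anything else.
classify_pubkey() {
    line=$(head -n 1 "$1")
    case "$line" in
        "-----BEGIN "*) return 2 ;;
        "ssh-rsa AAAA"*|"ssh-ed25519 AAAA"*|ecdsa-sha2-*" AAAA"*) return 0 ;;
        *) return 1 ;;
    esac
}

# install_pubkey PUBFILE [SSH_DIR]
#   Appends the key to SSH_DIR/authorized_keys (default ~/.ssh) exactly once
#   and enforces 700 on the directory and 600 on the file.
install_pubkey() {
    pub=$1
    dir=${2:-"$HOME/.ssh"}
    auth="$dir/authorized_keys"

    rc=0
    classify_pubkey "$pub" || rc=$?
    case "$rc" in
        0) ;;
        2) echo "PEM key, convert first: ssh-keygen -f $pub -i -m PKCS8" >&2
           return 2 ;;
        *) echo "not an OpenSSH public key: $pub" >&2
           return 1 ;;
    esac

    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    touch "$auth" && chmod 600 "$auth" || return 1

    key=$(head -n 1 "$pub")
    # -x whole line, -F fixed string: append only if not already present.
    grep -qxF -- "$key" "$auth" || printf '%s\n' "$key" >> "$auth"
}

# Usage on the target server, as the target user:
#   install_pubkey id_rsa.pub
```

Run it as the user named in `--ssh-user`; the home directory itself must also not be group- or world-writable.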

2

I'm not aware of anyone that uses the keys provided from Hosted Chef Server or on-premises Chef Server as their SSH authentication keys as Tim is suggesting.

The keys provided by the Chef server are typically only used by Chef client tools such as chef-client and knife for authenticating to the Chef server's API.

Creating a separate key pair for SSH authentication, as Tim's first response and James's ultimate answer suggest, is the right way to go. This can either be done manually or by using Chef to configure the system with the appropriate SSH keys.