PaloAltoNetworks / terraform-aws-vmseries-modules

Terraform Reusable Modules for VM-Series on AWS
https://registry.terraform.io/modules/PaloAltoNetworks/vmseries-modules/aws
MIT License

AWS ssh key-pair authentication problem #237

Closed rickyb30 closed 2 years ago

rickyb30 commented 2 years ago

Describe the bug

I have created a Panorama VM version 1.10.6 using Terraform. The VM gets created successfully but SSH authentication using the PEM key is not working. It falls back to password authentication. I created the instance manually providing the same key pair and then I was able to SSH successfully.

Expected behavior

SSH authentication should work if Panorama VM is provisioned using Terraform

Current behavior

SSH authentication doesn't work using the syntax ssh -i /path/to/key.pem admin@<ip-address>. It falls back to password authentication, and the password can only be configured after logging in to the VM using SSH.

Steps to reproduce

  1. Create a Panorama VM using this module https://github.com/PaloAltoNetworks/terraform-aws-vmseries-modules/tree/develop/modules/panorama
  2. Note down the IP address of the VM
  3. Try SSH to the VM using syntax ssh -i /path/to/key.pem admin@<ip-address>

NOTE: I tested both with an existing key pair and with a key pair generated locally, passing the public key to Terraform. It fails in both scenarios.

Context

I'm trying to automate the provisioning of Panorama and Firewalls using Terraform. All the Panorama resources like device groups, security profiles, objects, etc will also be managed using Terraform

Your Environment

  - Terraform Version is 1.0.6
  - Panorama Version 1.10.6
  - Panorama AMI is obtained using AWS Marketplace so it's an official AMI.

welcome-to-palo-alto-networks[bot] commented 2 years ago

:tada: Thanks for opening your first issue here! Welcome to the community!

lstadnik commented 2 years ago

What type of ssh key are you using?

rickyb30 commented 2 years ago

> What type of ssh key are you using?

I have tried both RSA and ed25519. The RSA key was an existing SSH PEM key in the AWS account that I use for other VMs. When that didn't work, I generated an ed25519 key pair locally and passed the public key to Terraform. That didn't help either.

rickyb30 commented 2 years ago

CORRECTION: Panorama version is 10.1.6

ulm0 commented 2 years ago

hi @rickyb30 did you find the solution? for some strange reason i'm facing the same issue with panorama 10.2.0. Thanks in advance

rickyb30 commented 2 years ago

> hi @rickyb30 did you find the solution? for some strange reason i'm facing the same issue with panorama 10.2.0. Thanks in advance

Hey @ulm0 Yeah, so I figured it doesn't work if we use instance metadata v2. So in my Terraform script, I removed the metadata {} block configured in the aws_instance resource.
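
An added example, not part of the original thread or the module's own code: a Python check over `terraform show -json` plan output that reports, for each `aws_instance`, whether IMDSv2 is enforced, so the setting named in the comment above can be reviewed per instance before apply. The sample plan and its resource addresses are constructed for illustration.

```python
import json

# Constructed sample: trimmed `terraform show -json <planfile>` output.
# Resource addresses and module names are hypothetical.
SAMPLE_PLAN = json.loads("""
{"planned_values": {"root_module": {
  "resources": [
    {"address": "aws_instance.bastion", "type": "aws_instance",
     "values": {"metadata_options": [{"http_endpoint": "enabled", "http_tokens": "optional"}]}},
    {"address": "aws_key_pair.this", "type": "aws_key_pair", "values": {}}],
  "child_modules": [{"address": "module.panorama", "resources": [
    {"address": "module.panorama.aws_instance.this[0]", "type": "aws_instance",
     "values": {"metadata_options": [{"http_endpoint": "enabled", "http_tokens": "required"}]}},
    {"address": "module.panorama.aws_instance.this[1]", "type": "aws_instance", "values": {}}]}]
}}}
""")

def walk(module):
    """Yield every resource in a module and in its nested child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from walk(child)

def imds_modes(plan):
    """Map each aws_instance address to 'imdsv2-required', 'imdsv1-allowed',
    'imds-disabled' or 'unset' (block absent or value unknown until apply)."""
    modes = {}
    root = plan.get("planned_values", {}).get("root_module", {})
    for res in walk(root):
        if res.get("type") != "aws_instance":
            continue
        # Nested blocks such as metadata_options appear as lists in plan JSON.
        blocks = (res.get("values") or {}).get("metadata_options") or []
        opts = blocks[0] if blocks else {}
        if opts.get("http_endpoint") == "disabled":
            mode = "imds-disabled"
        else:
            mode = {"required": "imdsv2-required",
                    "optional": "imdsv1-allowed"}.get(opts.get("http_tokens"), "unset")
        modes[res["address"]] = mode
    return modes

if __name__ == "__main__":
    for address, mode in sorted(imds_modes(SAMPLE_PLAN).items()):
        print(f"{mode:16} {address}")
```

Instances reported as `unset` have no planned value for the block, so their effective metadata mode is only known after apply.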

kzoran commented 10 months ago

I ran into the same problem and this worked for me: ssh -oHostKeyAlgorithms=+ssh-rsa admin@redacted_ip.1.1.74 -i ./key-pair-name.pem