audiolize / vagrant-softlayer

This is a Vagrant plugin that adds a SoftLayer provider to Vagrant, allowing Vagrant to control and provision SoftLayer CCI instances.
MIT License

Can't SSH with public key as vagrant user #66

Closed ChastinaLi closed 7 years ago

ChastinaLi commented 7 years ago

I haven't been able to vagrant up any softlayer box since May 2016:

vagrant up base02 --provider=softlayer
Bringing machine 'base02' up with 'softlayer' provider...
==> base02: Creating a new SoftLayer instance...
==> base02: Waiting for instance provisioning. This may take a few minutes...
==> base02: SoftLayer instance successfully provisioned!
==> base02: Waiting for machine to boot. This may take a few minutes...
    base02: SSH address: 169.55.153.58:6395
    base02: SSH username: vagrant
    base02: SSH auth method: private key
    base02: Warning: Authentication failure. Retrying...
    base02: Warning: Authentication failure. Retrying...
    base02: Warning: Authentication failure. Retrying...
    base02: Warning: Authentication failure. Retrying...
    base02: Warning: Authentication failure. Retrying...
    base02: Warning: Authentication failure. Retrying...
    base02: Warning: Authentication failure. Retrying...
    base02: Warning: Authentication failure. Retrying...
    base02: Warning: Authentication failure. Retrying...
    base02: Warning: Authentication failure. Retrying...
    base02: Warning: Authentication failure. Retrying...
    base02: Warning: Authentication failure. Retrying...
    base02: Warning: Authentication failure. Retrying...
    base02: Warning: Authentication failure. Retrying...
    base02: Warning: Authentication failure. Retrying...
    base02: Warning: Authentication failure. Retrying...
    base02: Warning: Authentication failure. Retrying...
    base02: Warning: Authentication failure. Retrying...
    base02: Warning: Authentication failure. Retrying...
    base02: Warning: Authentication failure. Retrying...
    base02: Warning: Authentication failure. Retrying...
    base02: Warning: Authentication failure. Retrying...
    base02: Warning: Authentication failure. Retrying...
    base02: Warning: Authentication failure. Retrying...
    base02: Warning: Authentication failure. Retrying...
    base02: Warning: Authentication failure. Retrying...
    base02: Warning: Authentication failure. Retrying...
    base02: Warning: Authentication failure. Retrying...
    base02: Warning: Authentication failure. Retrying...
Timed out while waiting for the machine to boot. This means that Vagrant was unable to communicate with the guest machine within the configured ("config.vm.boot_timeout" value) time period. If you look above, you should be able to see the error(s) that Vagrant had when attempting to connect to the machine. These errors are usually good hints as to what may be wrong. If you're using a custom box, make sure that networking is properly working and you're able to connect to the machine. It is a common problem that networking isn't setup properly in these boxes. Verify that authentication configurations are also setup properly, as well. If the box appears to be booting properly, you may want to increase the timeout ("config.vm.boot_timeout") value.

I found that SSH simply doesn't work with the vagrant user on a softlayer box. I'm able to SSH into the softlayer box with a different user created the exact same way as vagrant, with identical SSH settings (configurations and SSH keys). I'm able to SSH in with the vagrant user into a virtualbox image built the exact same way as the softlayer box. I was still able to SSH in with the vagrant user into this softlayer image in May this year.

$ ssh vagrant@169.55.153.58 -p 6395 -i ./vagrant-secure-private.key -v
OpenSSH_7.2p2, OpenSSL 1.0.2j 26 Sep 2016
debug1: Connecting to 169.55.153.58 [169.55.153.58] port 6395.
debug1: Connection established.
debug1: key_load_public: No such file or directory
debug1: identity file ./ncw-vagrant-secure-private.key type -1
debug1: key_load_public: No such file or directory
debug1: identity file ./ncw-vagrant-secure-private.key-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.2
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
debug1: match: OpenSSH_5.3 pat OpenSSH_5* compat 0x0c000000
debug1: Authenticating to 169.55.153.58:6395 as 'vagrant'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: diffie-hellman-group-exchange-sha256
debug1: kex: host key algorithm: ssh-rsa
debug1: kex: server->client cipher: aes128-ctr MAC: umac-64@openssh.com compression: none
debug1: kex: client->server cipher: aes128-ctr MAC: umac-64@openssh.com compression: none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(2048<3072<8192) sent
debug1: got SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: got SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Server host key: ssh-rsa SHA256:IfJVeqsRAeL15hsMh0atBbTB6+1zFFCnhecmiIHK/MQ
debug1: Host '[169.55.153.58]:6395' is known and matches the RSA host key.
debug1: Found key in /home/chastina.li/.ssh/known_hosts:1
debug1: rekey after 4294967296 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: rekey after 4294967296 blocks
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug1: Next authentication method: publickey
debug1: Trying private key: ./vagrant-secure-private.key
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug1: No more authentication methods to try.
Permission denied (publickey,gssapi-keyex,gssapi-with-mic).

vagrant user and SSH setup:

#!/bin/bash -e

/usr/sbin/groupadd vagrant
/usr/sbin/useradd vagrant -g vagrant -G wheel
echo "vagrant ALL=(ALL) NOPASSWD: ALL" > /etc/sudoers.d/vagrant
chmod 440 /etc/sudoers.d/vagrant
mkdir /home/vagrant/.ssh
chmod 700 /home/vagrant/.ssh
cp /tmp/vagrant.pub /home/vagrant/.ssh/authorized_keys
chmod 600 /home/vagrant/.ssh/authorized_keys
chown -R vagrant /home/vagrant/.ssh
cp /etc/sudoers /tmp/sudoers.old
sed "s/Defaults +requiretty/#Defaults requiretty/" /tmp/sudoers.old > /etc/sudoers
rm /tmp/sudoers.old
echo "UseDNS no" >> /etc/ssh/sshd_config

/etc/ssh/sshd_config:

# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options change a
# default value.

Port 6395
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# Disable legacy (protocol version 1) support in the server for new
# installations. In future the default will change to require explicit
# activation of protocol 1
Protocol 2

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
#HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
#AuthorizedKeysCommand none
#AuthorizedKeysCommandRunAs nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords yes
PasswordAuthentication no

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
#KerberosUseKuserok yes

# GSSAPI options
#GSSAPIAuthentication no
GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes
GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
#UsePAM no
UsePAM no

# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#ShowPatchLevel no
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none

# no default banner path
#Banner none

# override default of no subsystems
Subsystem sftp /usr/libexec/openssh/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# ForceCommand cvs server
UseDNS no
AllowUsers vagrant root

I wonder what changed since mid year?

ChastinaLi commented 7 years ago

Vagrant account is locked.
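
A check for the condition named in the last comment, added here as an example and not taken from the issue or the plugin: when sshd runs with UsePAM no, as in the posted config, it refuses accounts whose shadow password field starts with "!" (what useradd leaves when no password is set), and that refusal applies to public-key logins too. The file contents, the `deploy` user and the function names are constructed for illustration.

```shell
#!/bin/sh
# Constructed samples only; "deploy" is a hypothetical second account.

# shadow_state SHADOW_FILE USER -> locked | hash | other | missing
shadow_state() {
    awk -F: -v u="$2" '
        $1 == u {
            found = 1
            if ($2 ~ /^!/)       print "locked"  # "!" or "!!" prefix
            else if ($2 ~ /^\$/) print "hash"    # e.g. $6$salt$digest
            else                 print "other"   # "*", empty, legacy
            exit
        }
        END { if (!found) print "missing" }' "$1"
}

# use_pam SSHD_CONFIG -> yes | no (first uncommented value wins, default no)
use_pam() {
    awk 'tolower($1) == "usepam" { print tolower($2); found = 1; exit }
         END { if (!found) print "no" }' "$1"
}

# diagnose SHADOW_FILE SSHD_CONFIG USER -> one-line verdict
diagnose() {
    state=$(shadow_state "$1" "$3")
    pam=$(use_pam "$2")
    if [ "$state" = "missing" ]; then
        echo "UNKNOWN: no shadow entry for $3"
    elif [ "$state" = "locked" ] && [ "$pam" = "no" ]; then
        echo "BLOCKED: $3 is locked and UsePAM is no; sshd rejects every auth method"
    else
        echo "OK: sshd lock check does not reject $3 (shadow=$state, UsePAM=$pam)"
    fi
}

sample_dir=$(mktemp -d)
cat > "$sample_dir/shadow" <<'EOF'
vagrant:!!:17100:0:99999:7:::
deploy:$6$examplesalt$constructedhashvalue:17100:0:99999:7:::
EOF
cat > "$sample_dir/sshd_config" <<'EOF'
PubkeyAuthentication yes
#UsePAM no
UsePAM no
AllowUsers vagrant root
EOF
diagnose "$sample_dir/shadow" "$sample_dir/sshd_config" vagrant
diagnose "$sample_dir/shadow" "$sample_dir/sshd_config" deploy
```

On a real host the same functions can be pointed at /etc/shadow and /etc/ssh/sshd_config as root.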