cea-hpc / clustershell

Scalable cluster administration Python framework — Manage node sets, node groups and execute commands on cluster nodes in parallel.
https://clustershell.readthedocs.io/

clush: support password-based authentication #198

Closed thiell closed 1 year ago

thiell commented 12 years ago

support password-based authentication for initial connection to nodes

judovana commented 8 years ago

Some update?

thiell commented 8 years ago

Kind of :) If you really want to use password-based authentication with clustershell, you can try sshpass. It is supported in 1.7.1. Please see #241, #242 and #244 and 6e4e131f454b2ac37cfcd93e1a17d9a39bbbe951 for the details or just check out this nice doc:

degremont commented 8 years ago

As @thiell said, there are a couple of workarounds for this feature. Anyway, I think we need to support interactively provided passwords in future releases.

@thiell: could we imagine, when using a special option (--password?), reading it on the command line and writing it to each worker?

kkost commented 5 years ago

Support for entering a password for keys with a passphrase would be appreciated too. Doing something like this works around it:

ssh_path: 'sshpass -f plain_text_file_with_password.txt -P Enter ssh'
ssh_options: '-i /some/non-default/key.pem -oBatchMode=no'

...but really defeats the purpose.

Falkor commented 2 years ago

I don't catch why the following approach does not work:

$ export SSHPASS="$(pass [...])"  # use passstore to define the password
# check direct SSH works - OK
$ sshpass -e ssh myserver 'whoami'  
# repeat with clush - Not OK 
$ clush -O ssh_path='sshpass -e ssh' -w myserver 'whoami'
myserver: Permission denied (publickey,password).
clush: myserver: exited with exit code 255

Most likely the SSHPASS variable is not passed to the clush processes. Any suggestion?

cseraphine commented 2 years ago

Whoops, just missed the ten year anniversary of this ticket.

I realize there are situations where you don't like passwords, but in the enterprise there are common tasks that require it. (Example: Installing ssh keys on a few hundred fresh Dells, whose idracs all are hit with root/calvin). This sort of thing is literally the last reason we have expect installed on our servers, and I would love to move past it.

thiell commented 1 year ago

10-year anniversary gift ;) With clustershell 1.9, you will be able to enable the new sshpass clush mode to support password-based authentication:

# enable sshpass mode
cp /etc/clustershell/clush.conf.d/sshpass.conf.example /etc/clustershell/clush.conf.d/sshpass.conf

# use clush -m sshpass or --mode sshpass (this will prompt for a password and authenticate all nodes via sshpass)
clush -m sshpass -w <nodes> uptime

of course the password must be the same on all specified <nodes>

yh882317 commented 1 year ago

There is an issue here. If I install clush via pip install --user ClusterShell, the clush.conf.d dir is under ~/.local/etc/clustershell. However, the confdir in ~/.local/etc/clustershell/clush.conf is still /etc/clustershell/clush.conf.d. Therefore, the sshpass mode is not detected even if I do cp ~/.local/etc/clustershell/clush.conf.d/sshpass.conf.example ~/.local/etc/clustershell/clush.conf.d/sshpass.conf.

thiell commented 1 year ago

@yh882317

in ~/.local/etc/clustershell/clush.conf you have the default confdir:

confdir: /etc/clustershell/clush.conf.d $CFGDIR/clush.conf.d

correct?

If /etc/clustershell/clush.conf doesn't exist, $CFGDIR should theoretically be defined as ~/.local/etc/clustershell and your configuration should be found.

Do you have a /etc/clustershell/clush.conf on this system? If not, this might be a bug.

yh882317 commented 1 year ago

> in ~/.local/etc/clustershell/clush.conf you have the default confdir:
>
> confdir: /etc/clustershell/clush.conf.d $CFGDIR/clush.conf.d
>
> correct?

Yes

> Do you have a /etc/clustershell/clush.conf on this system?

No, there is no such file. I only did pip install --user ClusterShell. It is intended to be installed for github local runner. I'd prefer not to bother the system etc space.

thiell commented 1 year ago

I just tried like you and my sshpass mode was found. To see which directories are found and parsed, can you try to use debug mode (-d) with a dummy command, like this?

$ clush -w localhost -m sshpass -d true

you should see something like this:

ClushConfig parsed: ['/home/sthiell/.local/etc/clustershell/clush.conf', '/etc/clustershell/clush.conf.d/sshpass.conf', '/etc/clustershell/clush.conf.d/sudo.conf']
Available run modes: sshpass sshpass-file sudo

yh882317 commented 1 year ago

you_hu@bayonet001:~/projectsdeployment$ clush -w localhost -m sshpass -d true
DEBUG:root:clush: STARTING DEBUG
Changing max open files soft limit from 1048576 to 8192
User interaction: True
Create STDIN worker: False
ClushConfig parsed: ['/home/you_hu/.local/etc/clustershell/clush.conf']
Available run modes:
ERROR: invalid mode "sshpass" (available: )

More info: system distro is ubuntu22.04

thiell commented 1 year ago

Got it, thanks @yh882317 for your help finding the issue. I was able to reproduce if I remove completely /etc/clustershell. We'll fix this.

As a workaround – for now – you can change confdir to point explicitly to your clush.conf.d (use full path), like this:

confdir: /home/you_hu/.local/etc/clustershell/clush.conf.d
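
An added example, not part of the thread and not ClusterShell's own code: a Python check that lists which confdir entries of a given clush.conf resolve to real directories and which run modes their *.conf files define, similar to what clush -d reports above. It assumes confdir sits in the [Main] section, that $CFGDIR means the directory holding that clush.conf, and that modes are sections named mode:<name>; the function name and the writability flag are illustrative.

```python
import configparser
import glob
import os
import stat


def scan_clush_modes(conf_path):
    """Return (report, modes) for the confdir entries of one clush.conf.

    Assumptions (not taken from ClusterShell's source): confdir lives in the
    [Main] section, is whitespace-separated, and $CFGDIR means the directory
    that holds conf_path; run modes are sections named "mode:<name>".
    """
    cfgdir = os.path.dirname(os.path.abspath(conf_path))
    main = configparser.ConfigParser(interpolation=None)
    main.read(conf_path)
    raw = main.get("Main", "confdir", fallback="")
    report, modes = [], {}
    for entry in raw.split():
        path = entry.replace("$CFGDIR", cfgdir)
        if not os.path.isdir(path):
            report.append((path, "missing", []))
            continue
        files = sorted(glob.glob(os.path.join(path, "*.conf")))
        report.append((path, "ok", files))
        for fname in files:
            cp = configparser.ConfigParser(interpolation=None)
            cp.read(fname)
            # Keys such as ssh_path name the command clush will run, so flag
            # mode files that group or other users are able to modify.
            loose = bool(os.stat(fname).st_mode & (stat.S_IWGRP | stat.S_IWOTH))
            for section in cp.sections():
                if section.startswith("mode:"):
                    modes[section[len("mode:"):]] = (fname, loose)
    return report, modes


if __name__ == "__main__":
    conf = os.path.expanduser("~/.local/etc/clustershell/clush.conf")
    report, modes = scan_clush_modes(conf)
    for path, state, files in report:
        print(f"{state:8} {path} {[os.path.basename(f) for f in files]}")
    for name, (fname, loose) in sorted(modes.items()):
        print(f"mode {name}: {fname}" + ("  [group/other-writable]" if loose else ""))
```

An entry reported as missing together with an empty mode list matches the "invalid mode" error shown in the debug output above.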