Template Import Failure

[lslamp]

Greetings,

I upgraded my version of zabbix, then tried to import the template and received the following error.

Can someone please clarify. Thanks Lawrence

[patricegautier]

Interesting.. I can see the item ssh.run[mpstat_nvr] in the export but the import process doesn't seem to be able to find it. Anything more in the server logs (/var/log/zabbix/zabbix_server.log)?

[patricegautier]

Also which version of zabbix are you importing into?

[lslamp]

root@kodi:~# zabbix_server --version zabbix_server (Zabbix) 5.4.2 Revision 4c8f9aabe1 28 June 2021, compilation time: Jun 11 2021 14:01:39

Copyright (C) 2021 Zabbix SIA License GPLv2+: GNU GPL version 2 or later http://gnu.org/licenses/gpl.html. This is free software: you are free to change and redistribute it according to the license. There is NO WARRANTY, to the extent permitted by law.

This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/).

Compiled with OpenSSL 1.1.1f 31 Mar 2020 Running with OpenSSL 1.1.1f 31 Mar 2020

I set the debug level to 5 and saw nothing interesting in the zabbix_server.log Lawrence

[lslamp]

I tried to follow the instructions that were provided. So I did an upgrade of my zabbix version.

Lawrence

[patricegautier]

That's the right call - I need to set up a blank instance to see if I can reproduce. Stay tuned.

[lslamp]

Thanks for the follow-up --- exceptional support

[patricegautier]

Hi Lawrence,

On a completely new instance of zabbix 5.4.3, I am not able to reproduce the issue when importing the .json file. A few questions:

• is that the one you are importing • is this an import on top of an existing set of templates? • are you importing all the templates at once?

[lslamp]

Patrice,

1. I did and upgrade of the zabbix version. as for the template. I go into the config / templates and import the template there.
2. There are olether zabbix templates, but no unifi templates. The one I am importing is new to my instance of zabbix.
3. Sorry have I missed other templates then? I will look see. Lawrence

[patricegautier]

oh I think I know what's going on - you need to import all the templates in any of the provided export file. Are you picking and choosing per chance?

[lslamp]

Sorry, I did not make myself clear. Itake the full content of the xml file and import it as it is with no changes

[patricegautier]

try with json?

[lslamp]

can you import the json into zabbix, wow did not know that. I will try.

[lslamp]

downloaded the json file, renamed it and tried to import it and ran in the same error.

Lawrence

[lslamp]

I am very sorry to hassle you but I think that the issue my stupidity ...

I just realised that when I import the template, it does not name the new template the same as the file I am importing, it creates multiple templates ... so to answer your question I think that the templates are already installed. I will select the ones that are in zabbix that should be recreated. and try again left is from your documents and right is what is installed into zabbix. Will follow up.

[lslamp]

what a diff I am. Sorry for the confusion. After deleting the templates from zabbix and reinstalling them, all imported using the xml file no hassles. Only when I deleted the templates all my hists were deleted as well. So I need to recreate them all again ... but what the hell. That is the least I can do after giving you the run around.

Thanks Will keep you posted with what I see in zabbix. Thanks

[patricegautier]

mm.. seems like a big problem if you lose your history every time you import a new version. You didn't have an option to 'Delete' vs 'Delete and Clear'?

[lslamp]

OK Patrice, After trying many different options I kept coming up with different errors. So I cleared ALL unifi templates from my installation. I then imported the unifi templates again.

I also removed all templates from the hosts, I then went about adding the related templates. see below.

After the import, the following templates have been added.

The below image shows that I select the USG gateway, and add the Unifi USG template.

When I update the addition, I get the following error.

I then removed the Unifi USG template and added the Unifi SSH Host

Why is it complaining about a possible conflict with MAC Address. looking into your template I see the entry for MAC Address A, but where is the MAC Address sourcing from?

Any ideas? Lawrence

[lslamp]

I have been looking around in the configuration for the Host ICAN Gateway. Looking under the items I do see an item called MAC Address, but this is disabled .. Could this be what is causing the possible conflict.

Should I disable SNMP monitoring for this to work. I will try and see.

Just checked and you need some sort of interface configured. I do not see on for SSH.

[lslamp]

Patrice, I am sorry but I am confusing myself with this now. Let me clarify, on my system the zabbix user is a system user and as such does not have a home directory. I used the sudo to create the necessary keys but if I am correct a home dir needs to exist for the public keys to be stored. When I try to run the ssh-copy-id command I get an error.

Are you sure you want to continue connecting (yes/no/[fingerprint])? yes mktemp: failed to create file via template ‘/var/lib/zabbix//.ssh/ssh-copy-id_id.XXXXXXXXXX’: No such file or directory /usr/bin/ssh-copy-id: ERROR: mktemp failed

Any ideas why? Lawrence

[patricegautier]

So which command are you issuing?

On Aug 8, 2021, at 12:11 PM, lslamp @.***> wrote:

Patrice, I am sorry but I am confusing myself with this now. Let me clarify, on my system the zabbix user is a system user and as such does not have a home directory. I used the sudo to create the necessary keys but if I am correct a home dir needs to exist for the public keys to be stored. When I try to run the ssh-copy-id command I get an error.

Are you sure you want to continue connecting (yes/no/[fingerprint])? yes mktemp: failed to create file via template ‘/var/lib/zabbix//.ssh/ssh-copy-id_id.XXXXXXXXXX’: No such file or directory /usr/bin/ssh-copy-id: ERROR: mktemp failed

Any ideas why? Lawrence

— You are receiving this because you commented. Reply to this email directly, view it on GitHub https://github.com/patricegautier/unifiZabbix/issues/15#issuecomment-894842052, or unsubscribe https://github.com/notifications/unsubscribe-auth/AJFHTJZDFLSWYIWYJCGPINDT33JGJANCNFSM5ANACS7A.

[lslamp]

Let me clarify.

On my zabbix server, I login with my username and sudo to root.

I already have a directory .ssh so I created a sub-directory under .ssh called zabbid I then went into the zabbix dir.

root@kodi:~/.ssh/zabbix# pwd /root/.ssh/zabbix

I ran the following command. sudo -u zabbix ssh-keygen -P "" -t rsa -m pem -f zb_id_rsa

This generated the needed keys root@kodi:~/.ssh/zabbix# ls -ltr total 8 -rw-r--r-- 1 zabbix zabbix 565 aug 8 20:39 zb_id_rsa.pub -rw------- 1 zabbix zabbix 2459 aug 8 20:39 zb_id_rsa

I then ran the following command and got the below error. root@kodi:~/.ssh/zabbix# sudo -u zabbix ssh-copy-id -i zb_id_rsa.pub lslamp@192.168.1.1 /usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "zb_id_rsa.pub" The authenticity of host '192.168.1.1 (192.168.1.1)' can't be established. ECDSA key fingerprint is SHA256:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx Are you sure you want to continue connecting (yes/no/[fingerprint])? yes mktemp: failed to create file via template ‘/var/lib/zabbix//.ssh/ssh-copy-id_id.XXXXXXXXXX’: No such file or directory /usr/bin/ssh-copy-id: ERROR: mktemp failed

As far as I understand when it comes to ssh, the user that owns the keys has to have a home dir something like /home/zabbix. (I do not have one because the user is a system user) I think that this is why I am getting the error. The next confusing issue is that I am accessing the unifi devices on my network user==ing the username lslamp@ Here I think that I have two issues, the first is that neither of the users zabbix nor lslamp have a home directory on the device. and then the second issue is that there is no directory .ssh to create the file authorised_keys. So I am confused as to how this should work, because it seems that non of the ssh protocols are being followed.

Lawrence

[lslamp]

Patrice,

Seems that I am wrong. It seems that the directory /home/lslamp/.ssh does exist one the gateway device if I login using lslamp@192.168.1.1 Then there is already a file called authorized_keys there. I then compared the public key on my zabbix server to the data within the authorized_keys file and they were the same. So in theory I should be able to ssh using ssh zabbix@192.168.1.1 but when I do I am prompted for a password and this defeats the object. So I am a little confused.

Lawrence

[patricegautier]

what is the target device? what does ssh -v zabbix@192.168.1.1 look like? anything interesting in the sshd logs on islamp?

[lslamp]

Patrice, there are no extra entries in the log file. I am trying to ssh from ubuntu linux to a unifi USG device. If I ssh using lslamp@192.168.1.1 using the correct password I have no hassles. If I try use ssh zabbix@192.168.1.1 then I get the permission denied .... I think that is because the user zabbix does not have a home directory on my linux box.

Normally SSH is very secure and if you do things straight up with a normal user then there is no issue, now I am trying to use the user zabbix, that does not have a home dir to connect to a server that also does not have that user registered . not sure that will work. Lawrence

[patricegautier]

So wait, you are ssh-into into the Unifi device with the zabbix user, i.e issuing (I’m assuming 192.168.1.1 is a unifi device):

ssh @.***

That for sure won’t work. It should be the user you have enabled ssh on UniFi devices from the controller..

Am I missing something here?

-P

On Aug 11, 2021, at 2:17 AM, lslamp @.***> wrote:

Patrice, there are no extra entries in the log file. I am trying to ssh from ubuntu linux to a unifi USG device. If I ssh using @. using the correct password I have no hassles. If I try use ssh @. then I get the permission denied .... I think that is because the user zabbix does not have a home directory on my linux box.

Normally SSH is very secure and if you do things straight up with a normal user then there is no issue, now I am trying to use the user zabbix, that does not have a home dir to connect to a server that also does not have that user registered . not sure that will work. Lawrence

— You are receiving this because you commented. Reply to this email directly, view it on GitHub https://github.com/patricegautier/unifiZabbix/issues/15#issuecomment-896651414, or unsubscribe https://github.com/notifications/unsubscribe-auth/AJFHTJYXXY5HWUGL2REJWY3T4I53BANCNFSM5ANACS7A.

[lslamp]

let me try to clarify the details I am placing here are not the real information, but it is all relevant to what my issue is.

I have a linux box running ubuntu - ipaddress 192.168.1.199 server name - kodi unifi controller software is installed on this machine. zabbix-server and zabbix-agent installed on this machine.

USG device - ipaddress 192.168.1.1 Controller is sourced from my linux box.

in my root home directory. /root/.ssh/zabbix I have the following two files.

I tried to run what you suggested and got the following error. What is confusing is that the zabbix directory is owned by zabbix:zabbix and so are the two files. So don't understand the error. See image below.

I log into the USG device using lslamp@192.168.1.1 and can connect without a hassle, with a password. There is nothing that I can do to get me to log into the USG without using a password. I have tried using the username lslamp@192.168.1.1 and zabbix@192.168.1.1. I am ALWAYS prompted for a password. What I find strange is that if I log into the USG and go into the .ssh directory, there is a file authorized_keys and all the public keys related to the autologin are present.

ssh-rsa AAAAB3Nza.......9Jj1PYvc= root@kodi ssh-rsa AAAAB3Nza........CnUslvilc= llamprec@kodi ssh-rsa AAAAB3Nza.........8I/5zRM= zabbix@kodi

I am stumped, cannot understand what is forcing the password prompt. very strange indeed. Lawrence

[patricegautier]

A couple of educated guesses:

• try ssh -v to see if the logging reveals anything

• try to make your home directory readable and writable by the zabbix user to see if that changes anything..

  -P

On Aug 12, 2021, at 2:22 PM, lslamp @.***> wrote:

let me try to clarify the details I am placing here are not the real information, but it is all relevant to what my issue is.

I have a linux box running ubuntu - ipaddress 192.168.1.199 server name - kodi unifi controller software is installed on this machine. zabbix-server and zabbix-agent installed on this machine.

USG device - ipaddress 192.168.1.1 Controller is sourced from my linux box.

in my root home directory. /root/.ssh/zabbix I have the following two files. https://user-images.githubusercontent.com/6013759/129268452-fbbe9915-38df-458a-af98-7ab8c9425ac3.png I tried to run what you suggested and got the following error. What is confusing is that the zabbix directory is owned by zabbix:zabbix and so are the two files. So don't understand the error. See image below. https://user-images.githubusercontent.com/6013759/129269644-a2ce4b7b-601a-4ce7-8095-1634ab39c687.png I log into the USG device using @. and can connect without a hassle, with a password. There is nothing that I can do to get me to log into the USG without using a password. I have tried using the username @. and @.*** I am ALWAYS prompted for a password. What I find strange is that if I log into the USG and go into the .ssh directory, there is a file authorized_keys and all the public keys related to the autologin are present.

ssh-rsa AAAAB3Nza.......9Jj1PYvc= @. ssh-rsa AAAAB3Nza........CnUslvilc= @. ssh-rsa AAAAB3Nza.........8I/5zRM= @.***

I am stumped, cannot understand what is forcing the password prompt. very strange indeed. Lawrence

— You are receiving this because you commented. Reply to this email directly, view it on GitHub https://github.com/patricegautier/unifiZabbix/issues/15#issuecomment-897976885, or unsubscribe https://github.com/notifications/unsubscribe-auth/AJFHTJYU4AT6EDQFBHLYIU3T4Q3QBANCNFSM5ANACS7A.

[lslamp]

Patrice,

Thanks in advance for your patience. Below is the extract from ssh -vvv -i pubkey I have removed most of the encryption methods. I have tried to pass only the info that is relevant.

llamprec@kodi:~$ ssh -vvv -i .ssh/zabbix/zb_id_rsa.pub zabbix@192.168.1.1 OpenSSH_8.2p1 Ubuntu-4ubuntu0.3, OpenSSL 1.1.1f 31 Mar 2020 debug2: resolve_canonicalize: hostname 192.168.1.1 is address debug2: ssh_connect_direct debug1: Connecting to 192.168.1.1 [192.168.1.1] port 22. debug1: Connection established. debug1: identity file .ssh/zabbix/zb_id_rsa.pub type 0 debug1: identity file .ssh/zabbix/zb_id_rsa.pub-cert type -1 debug1: Local version string SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.3 debug1: Remote protocol version 2.0, remote software version OpenSSH_6.6.1p1 Debian-4~bpo70+1 debug1: match: OpenSSH_6.6.1p1 Debian-4~bpo70+1 pat OpenSSH_6.6.1* compat 0x04000002 debug2: fd 3 setting O_NONBLOCK debug1: Authenticating to 192.168.1.1:22 as 'zabbix' debug3: hostkeys_foreach: reading file "/home/llamprec/.ssh/known_hosts" debug3: record_hostkey: found key type ECDSA in file /home/llamprec/.ssh/known_hosts:2 debug3: load_hostkeys: loaded 1 keys from 192.168.1.1 debug3: send packet: type 20 debug1: SSH2_MSG_KEXINIT sent debug3: receive packet: type 20 debug1: SSH2_MSG_KEXINIT received debug2: local client KEXINIT proposal debug2: languages ctos: debug2: languages stoc: debug2: first_kex_follows 0 debug2: reserved 0 debug2: peer server KEXINIT proposal debug2: first_kex_follows 0 debug2: reserved 0 debug1: kex: algorithm: curve25519-sha256@libssh.org debug1: kex: host key algorithm: ecdsa-sha2-nistp256 debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: compression: none debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: compression: none debug3: send packet: type 30 debug1: expecting SSH2_MSG_KEX_ECDH_REPLY debug3: receive packet: type 31

This is the server key which is accepted.

debug1: Server host key: ecdsa-sha2-nistp256 SHA256:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxJ0rHqpY debug3: hostkeys_foreach: reading file "/home/llamprec/.ssh/known_hosts" debug3: record_hostkey: found key type ECDSA in file /home/llamprec/.ssh/known_hosts:2 debug3: load_hostkeys: loaded 1 keys from 192.168.1.1 debug1: Host '192.168.1.1' is known and matches the ECDSA host key. debug1: Found key in /home/llamprec/.ssh/known_hosts:2 debug3: send packet: type 21 debug2: set_newkeys: mode 1 debug1: rekey out after 134217728 blocks debug1: SSH2_MSG_NEWKEYS sent debug1: expecting SSH2_MSG_NEWKEYS debug3: receive packet: type 21 debug1: SSH2_MSG_NEWKEYS received debug2: set_newkeys: mode 0 debug1: rekey in after 134217728 blocks

This is the presentation of the public key

debug1: Will attempt key: .ssh/zabbix/zb_id_rsa.pub RSA SHA256:Kizd8oxxxxxxxxxxxxxxxxxxxxxxxxxxxxxMFuvk explicit debug2: pubkey_prepare: done debug3: send packet: type 5 debug3: receive packet: type 6 debug2: service_accept: ssh-userauth debug1: SSH2_MSG_SERVICE_ACCEPT received debug3: send packet: type 50 debug3: receive packet: type 53 debug3: input_userauth_banner Welcome to EdgeOS

By logging in, accessing, or using the Ubiquiti product, you acknowledge that you have read and understood the Ubiquiti License Agreement (available in the Web UI at, by default, http://192.168.1.1) and agree to be bound by its terms.

debug3: receive packet: type 51 debug1: Authentications that can continue: publickey,password debug3: start over, passed a different list publickey,password debug3: preferred gssapi-with-mic,publickey,keyboard-interactive,password debug3: authmethod_lookup publickey debug3: remaining preferred: keyboard-interactive,password debug3: authmethod_is_enabled publickey debug1: Next authentication method: publickey

This is the check and acceptance of the public key.

debug1: Offering public key: .ssh/zabbix/zb_id_rsa.pub RSA SHA256:Kizd8o8Avm0ZlnipsTQYJI1wxOL9q7OQwKuzEFMFuvk explicit debug3: send packet: type 50 debug2: we sent a publickey packet, wait for reply debug3: receive packet: type 51

This is where it breaks. Connecting to the USG device, here in the next line you can see that Authentications possible are publickey and password. (password should be disabled)

debug1: Authentications that can continue: publickey,password debug2: we did not send a packet, disable method

here you can see that it ignores the publickey and says that the next authmethod is password ...... ???? WHY?

debug3: authmethod_lookup password debug3: remaining preferred: ,password debug3: authmethod_is_enabled password debug1: Next authentication method: password zabbix@192.168.1.1's password:

I am not sure how to force the USG to accept the public key and not ask for a password because the correct public key is offered.

Lawrence

[patricegautier]

So my read of this is the device on the other side is rejecting the public key. Question is why..

It’s a USG sounds like – What firmware is it running? Anything in /var/log/messages on that device? Anything weird in ./etc/ssh/sshd_config

The next step is probably to get sshd to run with verbose options..

-P

On Aug 13, 2021, at 5:05 AM, lslamp @.***> wrote:

Patrice,

Thanks in advance for your patience. Below is the extract from ssh -vvv -i pubkey I have removed most of the encryption methods. I have tried to pass only the info that is relevant.

@.:$ ssh -vvv -i .ssh/zabbix/zb_id_rsa.pub @. OpenSSH_8.2p1 Ubuntu-4ubuntu0.3, OpenSSL 1.1.1f 31 Mar 2020 debug2: resolve_canonicalize: hostname 192.168.1.1 is address debug2: ssh_connect_direct debug1: Connecting to 192.168.1.1 [192.168.1.1] port 22. debug1: Connection established. debug1: identity file .ssh/zabbix/zb_id_rsa.pub type 0 debug1: identity file .ssh/zabbix/zb_id_rsa.pub-cert type -1 debug1: Local version string SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.3 debug1: Remote protocol version 2.0, remote software version OpenSSH_6.6.1p1 Debian-4bpo70+1 debug1: match: OpenSSH_6.6.1p1 Debian-4~bpo70+1 pat OpenSSH_6.6.1* compat 0x04000002 debug2: fd 3 setting O_NONBLOCK debug1: Authenticating to 192.168.1.1:22 as 'zabbix' debug3: hostkeys_foreach: reading file "/home/llamprec/.ssh/known_hosts" debug3: record_hostkey: found key type ECDSA in file /home/llamprec/.ssh/known_hosts:2 debug3: load_hostkeys: loaded 1 keys from 192.168.1.1 debug3: send packet: type 20 debug1: SSH2_MSG_KEXINIT sent debug3: receive packet: type 20 debug1: SSH2_MSG_KEXINIT received debug2: local client KEXINIT proposal debug2: languages ctos: debug2: languages stoc: debug2: first_kex_follows 0 debug2: reserved 0 debug2: peer server KEXINIT proposal debug2: first_kex_follows 0 debug2: reserved 0 debug1: kex: algorithm: @. @.> debug1: kex: host key algorithm: ecdsa-sha2-nistp256 debug1: kex: server->client cipher: @. @.> MAC: compression: none debug1: kex: client->server cipher: @. @.> MAC: compression: none debug3: send packet: type 30 debug1: expecting SSH2_MSG_KEX_ECDH_REPLY debug3: receive packet: type 31

This is the server key which is accepted.

debug1: Server host key: ecdsa-sha2-nistp256 SHA256:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxJ0rHqpY debug3: hostkeys_foreach: reading file "/home/llamprec/.ssh/known_hosts" debug3: record_hostkey: found key type ECDSA in file /home/llamprec/.ssh/known_hosts:2 debug3: load_hostkeys: loaded 1 keys from 192.168.1.1 debug1: Host '192.168.1.1' is known and matches the ECDSA host key. debug1: Found key in /home/llamprec/.ssh/known_hosts:2 debug3: send packet: type 21 debug2: set_newkeys: mode 1 debug1: rekey out after 134217728 blocks debug1: SSH2_MSG_NEWKEYS sent debug1: expecting SSH2_MSG_NEWKEYS debug3: receive packet: type 21 debug1: SSH2_MSG_NEWKEYS received debug2: set_newkeys: mode 0 debug1: rekey in after 134217728 blocks

This is the presentation of the public key

debug1: Will attempt key: .ssh/zabbix/zb_id_rsa.pub RSA SHA256:Kizd8oxxxxxxxxxxxxxxxxxxxxxxxxxxxxxMFuvk explicit debug2: pubkey_prepare: done debug3: send packet: type 5 debug3: receive packet: type 6 debug2: service_accept: ssh-userauth debug1: SSH2_MSG_SERVICE_ACCEPT received debug3: send packet: type 50 debug3: receive packet: type 53 debug3: input_userauth_banner Welcome to EdgeOS

By logging in, accessing, or using the Ubiquiti product, you acknowledge that you have read and understood the Ubiquiti License Agreement (available in the Web UI at, by default, http://192.168.1.1 http://192.168.1.1/) and agree to be bound by its terms.

debug3: receive packet: type 51 debug1: Authentications that can continue: publickey,password debug3: start over, passed a different list publickey,password debug3: preferred gssapi-with-mic,publickey,keyboard-interactive,password debug3: authmethod_lookup publickey debug3: remaining preferred: keyboard-interactive,password debug3: authmethod_is_enabled publickey debug1: Next authentication method: publickey

This is the check and acceptance of the public key.

debug1: Offering public key: .ssh/zabbix/zb_id_rsa.pub RSA SHA256:Kizd8o8Avm0ZlnipsTQYJI1wxOL9q7OQwKuzEFMFuvk explicit debug3: send packet: type 50 debug2: we sent a publickey packet, wait for reply debug3: receive packet: type 51

This is where it breaks. Connecting to the USG device, here in the next line you can see that Authentications possible are publickey and password. (password should be disabled)

debug1: Authentications that can continue: publickey,password debug2: we did not send a packet, disable method

here you can see that it ignores the publickey and says that the next authmethod is password ...... ???? WHY?

debug3: authmethod_lookup password debug3: remaining preferred: ,password debug3: authmethod_is_enabled password debug1: Next authentication method: password @.***'s password:

I am not sure how to force the USG to accept the public key and not ask for a password because the correct public key is offered.

Lawrence

— You are receiving this because you commented. Reply to this email directly, view it on GitHub https://github.com/patricegautier/unifiZabbix/issues/15#issuecomment-898411272, or unsubscribe https://github.com/notifications/unsubscribe-auth/AJFHTJZ2Y6FVSSVCTAY7XVDT4UDANANCNFSM5ANACS7A.

[lslamp]

I did a tail on the following logs messages and auth.log. running the ssh again shows no entries in either. Only when I type the wrong password is there an entry in the auth.log file.

you are correct, it is a USG. Below is the version.

I will try to figure out how to run sshd in verbose mode. Will keep you posted.

Lawrence

[lslamp]

Patrice, As a test I tried to do the same ssh-copy-id to a unifi switch and I had exactly the same issue. Seems if I use a password then it will work, if not then no chance.

Lawrence

[patricegautier]

Mm.. do me a favor and try the updatePublichKey.sh script from the certRenewalScripts https://github.com/patricegautier/certRenewalScripts repo and see if that gives any different result..

On Aug 13, 2021, at 12:59 PM, lslamp @.***> wrote:

Patrice, As a test I tried to do the same ssh-copy-id to a unifi switch and I had exactly the same issue. Seems if I use a password then it will work, if not then no chance.

Lawrence

— You are receiving this because you commented. Reply to this email directly, view it on GitHub https://github.com/patricegautier/unifiZabbix/issues/15#issuecomment-898689803, or unsubscribe https://github.com/notifications/unsubscribe-auth/AJFHTJYMPZH2AS7RR6TBSTLT4V2SBANCNFSM5ANACS7A.

[lslamp]

Patrice,

I am sorry but reading the readme for the github link it seems to say that the key update is related to Letsencrypt files. I do not have letsencrypt keys installed on this machine. also looking at the issue, it is not on my linux box because I can connect to this box with passwordless ssh and I can connect from this box to 6 raspi machines.

The issue is squarely in the unifi devices. I also do not think that I can run the publickeys script on any of the devices. I think that this has very clearly got to be resolved on the unifi devices. I have tried with 3 unidevices and get exacetly the same issue.

Let me know your thoughts. Lawrence

[patricegautier]

You can also provision public keys from the controller itself.. have you tried that?

-P

On Aug 14, 2021, at 3:14 PM, lslamp @.***> wrote:

Patrice,

I am sorry but reading the readme for the github link it seems to say that the key update is related to Letsencrypt files. I do not have letsencrypt keys installed on this machine. also looking at the issue, it is not on my linux box because I can connect to this box with passwordless ssh and I can connect from this box to 6 raspi machines.

The issue is squarely in the unifi devices. I also do not think that I can run the publickeys script on any of the devices. I think that this has very clearly got to be resolved on the unifi devices. I have tried with 3 unidevices and get exacetly the same issue.

Let me know your thoughts. Lawrence

— You are receiving this because you commented. Reply to this email directly, view it on GitHub https://github.com/patricegautier/unifiZabbix/issues/15#issuecomment-898964604, or unsubscribe https://github.com/notifications/unsubscribe-auth/AJFHTJYBIUQO4SVTWHSNZT3T43TDTANCNFSM5ANACS7A.

[tocks53]

Hi @lslamp ,

We don't have the same problem.

My ssh connection is ok

1) i put my pub key in the interface web Unifi (zb_id_rsa.pub)

you can check the pub key is good on a switch : in ssh on the switch : cat /etc/dropbear/authorized_keys

2) for test ssh, use : sudo -u zabbix ssh -i /home/zabbix/.ssh/zb_id_rsa admin@192.168.53.235

change /home/zabbix/.ssh/zb_id_rsa with the patch of your private key not the zb_id_rsa.pub

the admin user name is the name in web UI

what is your user in unifi UI ?

[lslamp]

Patrice, I have opened a ticket with unifi support, see if they can advise. Will keep you posted Lawrence

[patricegautier]

fingers crossed.

[patricegautier]

@lslamp I just ran into this too and I realized/confirmed the keys on Unifi devices are stored not in ~/.ssh/authorized_keys but in ./var/etc/dropbear/authorized_keys

The controller UI or the updatePublicKey.sh with the -b option, that will hit the right spot, but not ssh-copy-id.

I will update the doc.

[lslamp]

Patrice

I ran the following I was in the /home/llamprec/.ssh/zabbix/ directory ../../scripts/updatePublicKeys.sh -u zabbix -b -i zb_id_rsa lslamp@192.168.1.1

The output is below. [sudo] password for llamprec: -- ### This is my local sudo password. Need to update public key for lslamp@192.168.1.1 Could not create directory '/var/lib/zabbix//.ssh'. The authenticity of host '192.168.1.1 (192.168.1.1)' can't be established. ECDSA key fingerprint is SHA256:qON1/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxJ0rHqpY. Are you sure you want to continue connecting (yes/no/[fingerprint])? yes Failed to add the host to the list of known hosts (/var/lib/zabbix/.ssh/known_hosts). Welcome to EdgeOS

By logging in, accessing, or using the Ubiquiti product, you acknowledge that you have read and understood the Ubiquiti License Agreement (available in the Web UI at, by default, http://192.168.1.1) and agree to be bound by its terms.

lslamp@192.168.1.1's password: cp: can't create '/var/etc/dropbear/': Path does not exist

Why is this happening? Lawrence

[patricegautier]

so that device is not one that uses dropbear..

So a thought: if you can't get it going with key pairs, then it's possible to switch all the SSH items to password authentication. There are 2 downside to doing this:

• you lose some security since you are using password auth
• everytime you import an update to the templates, you will have to redo this. I unfortunately don't see an easy way to support both.

If you are interested, I can send instructions

[patricegautier]

Actually belay that - I think I can get passwords going as an option. Stay tuned.

[patricegautier]

Check out the latest commits. There is now an option to provide a file containing your ssh password..

Please note you will need to update mca-dump-short and add a new script ssh-run to be accessible by zabbix. Check out the doc update & let me know if you have any issues..

[patricegautier]

Closing - I think this is solved