rundeck / rundeck

Enable Self-Service Operations: Give specific users access to your existing tools, services, and scripts
http://rundeck.org
Apache License 2.0

SSH Plugin command override (to enable SSH debug logging) #2195

Closed atheiman closed 4 years ago

atheiman commented 7 years ago

We're having intermittent issues with SSH authentication to EC2 instances bound to Active Directory. We get a lot of errors like this which work fine with a retry a minute later:

13:45:32    Remote command failed with exit status -1
13:45:32    Sudo execution password response failed: Failed waiting for input prompt: Expected input was not seen in 50000 milliseconds
13:45:32    Failed: NonZeroResultCode: Remote command failed with exit status -1

Possibly related, we get these errors intermittently as well when logging in with our Rundeck service account (with password auth SSH):

10:02:41    Authentication failure connecting to node: "ec2.i-08e59d3bd085c42fc". Password incorrect.
10:02:41    Failed: AuthenticationFailure: Authentication failure connecting to node: "ec2.i-08e59d3bd085c42fc". Password incorrect.

We don't see any issues on the AD domain controllers, so we were hoping to enable debug logging for SSH connections. I saw on this rundeck-discuss Google Group post that you can specify the SSH node executor command, but I couldn't find the config property to set this command in the docs here. I was hoping to set the SSH command to something more verbose (-vv) like:

ssh -o "StrictHostKeyChecking no" -vv ${node.username}@${node.hostname} ${exec.command}

Is there a project or global config property I can set to make the SSH command more verbose? Also, where would I see these logs? Would they show up right in the job logs or elsewhere?

gschueler commented 7 years ago

The built-in SSH executor is Java-based, using JSch; you can turn on Debug log for a job to see more info about the SSH execution.

If you want to use the openssh ssh command on your system, you will have to set the Node Executor to either the Script Execution executor, and configure it to run ssh, or you can create a plugin which does that for you, e.g. as shown here https://github.com/rundeck/rundeck/tree/master/examples/ssh-script-plugin
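One way to run OpenSSH with -vv from a script-based node executor, as described in the comment above; this is an added example, not part of the original thread and not Rundeck's own code. The function names, the SSH_DEBUG_DIR variable and the argument order (username, hostname, command) are assumptions.

```shell
#!/bin/sh
# Hypothetical wrapper, assumed to be invoked by the executor as:
#   ssh-debug.sh <node username> <node hostname> <command...>

# Accept only plain account and host names (assumption: extend the pattern if
# your accounts use another form). Rejecting a leading "-" keeps a node
# attribute from being read by ssh as an option.
valid_target() {
    case "$1" in
        ""|-*|*[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print a per-connection log path: <dir>/<host>-<UTC timestamp>-<pid>.log
debug_log_path() {
    printf '%s/%s-%s-%s.log\n' "$1" "$2" "$(date -u +%Y%m%dT%H%M%SZ)" "$$"
}

# Run the remote command with -vv. The body is a subshell, so the umask and
# variables stay local. Debug output is appended to a private file (-E), which
# keeps the job log limited to the command's own output.
ssh_debug_exec() (
    user="$1"; host="$2"; shift 2
    dir="${SSH_DEBUG_DIR:-/var/tmp/rundeck-ssh-debug}"   # assumed location
    valid_target "$user" || { echo "rejected username: $user" >&2; exit 64; }
    valid_target "$host" || { echo "rejected hostname: $host" >&2; exit 64; }
    umask 077                         # log directory and files: owner only
    mkdir -p "$dir" || exit 73
    log="$(debug_log_path "$dir" "$host")"
    echo "ssh debug log: $log" >&2    # pointer that shows up in the job log
    # Host key checking stays at the OpenSSH default; "--" stops ssh from
    # reading the host argument as an option.
    exec ssh -vv -E "$log" -l "$user" -- "$host" "$@"
)

# Stand-alone use: ssh-debug.sh <user> <host> <command...>
if [ "$#" -ge 3 ]; then
    ssh_debug_exec "$@"
fi
```

The -E option needs OpenSSH 6.3 or later; on older clients the debug output goes to standard error instead.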

atheiman commented 7 years ago

Ok I'll try debug logging on the job itself to get more SSH connection info.

I'll also look into using the script plugin that provides script-exec for the NodeExecutor, I think that's what the comment I found on the Google Group thread must have been referring to. Looks like it's documented here http://rundeck.org/docs/plugins-user-guide/script-plugin.html and configuration is documented here for plugins in general http://rundeck.org/docs/plugins-user-guide/configuring.html

atheiman commented 7 years ago

@gschueler is there a way to provide the Script Execution executor with a path to a rundeck key storage password to use for ssh authentication? Or is that plugin just provided by an example for me to go write my own plugin that does that? Any suggestions how to use openssh on the rundeck node to connect to a remote node using ssh password stored in the rundeck key store?

I ask because in our environment, we are required to use password authentication rather than key logins to have a federated auth setup.

ahonor commented 6 years ago

@atheiman Did you learn how to access key data from a script plugin?

stale[bot] commented 4 years ago

In an effort to focus on bugs and issues that impact currently supported versions of Rundeck, we have elected to notify GitHub issue creators if their issue is classified as stale and close the issue. An issue is identified as stale when there have been no new comments, responses or other activity within the last 12 months. If a closed issue is still present please feel free to open a new Issue against the current version and we will review it. If you are an enterprise customer, please contact your Rundeck Support to assist in your request. Thank you, The Rundeck Team