2020/9/28 VPLEX: Management server fails to log into directors with error: "Permission denied (publickey,keyboard-interactive).

" | Dell 中国

客户视图
VPLEX: Management server fails to log into directors with error: "Permission denied (publickey,keyboard-
interactive)."

文章编号: 333764
版本: 2
文章类型: Break Fix
上次发布时间: 20 Feb 2016
摘要: How to check and compare private and public SSH keys in both management servers. If these are different, SSH access to directors from one management server
works whilst it's always denied after three password attempts from the other.

问题 SSH to directors from management server is possible and password is prompted, but it always denies access from one cluster after
three (3) attempts, even though it works with the same password from the remote cluster.

SSH to directors works from cluster-2 management server:

service@ManagementServer-2:~> ssh service@128.221.252.35

VPLEX
service@director-1-1-a:~> exit
logout
Connection to 128.221.252.35 closed.

service@ManagementServer-2:~> ssh root@128.221.252.35

VPLEX
director-1-1-a:~ #
SSH access denied from cluster-1 management server after asking for password three times:

service@ManagementServer-1:~/.ssh> ssh service@128.221.252.35

Password:
Password:
Password:
Permission denied (publickey,keyboard-interactive).

service@ManagementServer-1:~/.ssh> ssh root@128.221.252.35

Password:
Password:
Password:

Permission denied (publickey,keyboard-interactive).

原因 SSH public and/or private keys have been manually modified on one management server which changed public and private SSH keys
compared to the remote management server.

解决方案 SSH public and private keys are stored in /home/service/.ssh folder at both management servers:

service@ManagementServer-1:~/.ssh> ll
total 212
-rw-r----- 1 service users 396 Dec 31 2013 authorized_keys
-rw-r--r-- 1 service users 175 Mar 17 2014 config
-rw-r--r-- 1 service users 88 Mar 17 2014 config.bak
-rw------- 1 service users 1192 Feb 1 2010 id_dsa <-- Private key file
-rw-r--r-- 1 service users 1126 Feb 1 2010 id_dsa.pub <-- Public key file
-rw------- 1 service users 1679 Sep 17 2012 id_rsa
-rw-r--r-- 1 service users 405 Sep 17 2012 id_rsa.pub
-rw-r--r-- 1 service users 187300 Dec 16 14:34 known_hosts
Get the same files from the remote management server, where SSH to directors is working, to compare for differences (backup first):
1. Make a backup of cluster-1 management server files. In this case, this is the cluster getting SSH access to directors denied:

service@ManagementServer-1:~/.ssh> cp id_dsa id_dsa.bak

service@ManagementServer-1:~/.ssh> cp id_dsa.pub id_dsa.pub.bak
service@ManagementServer-1:~/.ssh> ll
total 228
-rw-r----- 1 service users 396 Dec 31 2013 authorized_keys
-rw-r--r-- 1 service users 175 Mar 17 2014 config
-rw-r--r-- 1 service users 88 Mar 17 2014 config.bak
https://www.dell.com/support/kbdoc/zh-cn/print/333764/30 1/4
2020/9/28 VPLEX: Management server fails to log into directors with error: "Permission denied (publickey,keyboard-interactive)." | Dell 中国

-rw------- 1 service users 1192 Feb 1 2010 id_dsa

-rw------- 1 service users 1192 Apr 3 14:30 id_dsa.bak
-rw-r--r-- 1 service users 1126 Feb 1 2010 id_dsa.pub
-rw-r----- 1 service users 1126 Apr 3 14:31 id_dsa.pub.bak
-rw------- 1 service users 1679 Sep 17 2012 id_rsa
-rw-r--r-- 1 service users 405 Sep 17 2012 id_rsa.pub
-rw-r--r-- 1 service users 187300 Dec 16 14:34 known_hosts

2. Log into cluster-2 management server and back up its private and public SSH keys. In this case, this is the cluster where SSH to
director is working:

service@ManagementServer-2:~/.ssh> cp id_dsa id_dsa.bak

service@ManagementServer-2:~/.ssh> cp id_dsa.pub id_dsa.pub.bak
service@ManagementServer-2:~/.ssh> ll
total 228
-rw-r----- 1 service users 396 Dec 31 2013 authorized_keys
-rw-r--r-- 1 service users 175 Mar 17 2014 config
-rw-r--r-- 1 service users 88 Mar 17 2014 config.bak
-rw------- 1 service users 1192 Feb 1 2010 id_dsa
-rw------- 1 service users 1192 Apr 3 14:30 id_dsa.bak
-rw-r--r-- 1 service users 1126 Feb 1 2010 id_dsa.pub
-rw-r----- 1 service users 1126 Apr 3 14:31 id_dsa.pub.bak
-rw------- 1 service users 1679 Sep 17 2012 id_rsa
-rw-r--r-- 1 service users 405 Sep 17 2012 id_rsa.pub
-rw-r--r-- 1 service users 187300 Dec 16 14:34 known_hosts

3. Copy both private and public SSH keys from the management server where SSH to directors is possible to the remote cluster
management server where access is denied. As these files have the same name in both clusters, make sure to rename them
while/before copying them over:

service@ManagementServer-2:~/.ssh> scp id_dsa service@128.221.252.33:/home/service/.ssh/id_dsa_c2

The authenticity of host '128.221.252.33 (128.221.252.33)' can't be established.
ECDSA key fingerprint is aa:bb:cf:6f:08:9d:9e:6d:ef:63:c7:1a:75:85:72:64 [MD5].
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '128.221.252.33' (ECDSA) to the list of known hosts.
Password:
id_dsa 100% 1192 1.2KB/s 00:00

service@ManagementServer-2:~/.ssh> scp
id_dsa.pub service@128.221.252.33:/home/service/.ssh/id_dsa_c2.pub
Password:
id_dsa.pub 100% 1126 1.1KB/s 00:00

4. Back in cluster-1 management server, confirm you have all the four files (private and public SSH keys from both clusters):

service@ManagementServer-1:~/.ssh> ll
total 228
-rw-r----- 1 service users 396 Dec 31 2013 authorized_keys
-rw-r--r-- 1 service users 175 Mar 17 2014 config
-rw-r--r-- 1 service users 88 Mar 17 2014 config.bak
-rw------- 1 service users 1192 Feb 1 2010 id_dsa
-rw------- 1 service users 1192 Apr 3 14:30 id_dsa.bak
-rw------- 1 service users 1192 Apr 3 14:40 id_dsa_c2
-rw-r----- 1 service users 1126 Apr 3 14:41 id_dsa_c2.pub
-rw-r--r-- 1 service users 1126 Feb 1 2010 id_dsa.pub
-rw-r----- 1 service users 1126 Apr 3 14:31 id_dsa.pub.bak
-rw------- 1 service users 1679 Sep 17 2012 id_rsa
-rw-r--r-- 1 service users 405 Sep 17 2012 id_rsa.pub
-rw-r--r-- 1 service users 187300 Dec 16 14:34 known_hosts

Once you have the four files together, compare the private key from cluster-1 against private key from cluster-2 diff command:
If you see no output after running this command, the file is OK and doesn't need to be replaced.

service@ManagementServer-1:~/.ssh> diff id_dsa id_dsa_c2

service@ManagementServer-1:~/.ssh>
If you see an output similar to the one below, the files (and therefore private SSH key) are different:

https://www.dell.com/support/kbdoc/zh-cn/print/333764/30 2/4
2020/9/28 VPLEX: Management server fails to log into directors with error: "Permission denied (publickey,keyboard-interactive)." | Dell 中国

service@ManagementServer-1:~/.ssh> diff id_dsa id_dsa_c2

2,11c2,19
< MIIBuwIBAAKBgQDzD+xHjiUM8ISJL8emwDTCU+pLI4Prh8pmQSGKG4Wis0bryDdW
< UDcjVzprkssmo1v6+GPavMCiZuufQLcwm8dEb9b9r8w5MwAuMLZGLs7uNy+1xjn5
< H1FPT/dKlgsc+xyGbDmJ1mSuJD5XrH7TfoCnUVN+jDV8A7mpPQvbrPlNgwIVANSG
< dscLBdNLWrorDkJgWMU/RC99AoGAFooMFVYJBfVWOhTZu4FgOCiYR9ex3T/XCSKw
< 1fD/feHmPrPPeqOWowci4qqyKjl7/rJqloEcncPlQk50WeGxNhpwqQRJJLaxUIRw
< HA80TlMNjjU5moNMAmHltOlzxRXmWFm4Qm1EqdNJ97bpcYY8QWDtxukPEDF53Pku
< ChzAkfcCgYAWdRbJbeP+KqXvvNRerWIfhEo27R2y+0qJmhmvjgZ0RoX+wt6aCHlh
< fDk8uofX9l3bbOPTdodkVKGoXJfXpvc8YtyUHr+27ODROpGrkJ2rd/vD3O5LF2x9
< 3AlJUIDBG85LlkBP9/OdCmp+YZnJa/NBhQb3vUjkkVe9ZUe9nw5bmQIVAJNzufnI
< J4FcRC/SaXGXJ93e6wLt
---
> MIIDPgIBAAKCAQEA06Cdhj5aDzMLisKJ47q8RDDPZW3QPTweoASh3HNnVAlnGFa2
> Ar9gsqJJ8GruCoLvY54TPKXSGyA9+StSCqWrDloWJXWanRW0AZGRHxXaruJ6ijs/
> zRjPVXOizSqqSMw/KQkXiNDV94mbgYa3lRqFR/yOkFL1kER8/7RjtqbNG3tn1Gp2
> TGwJs5PIgUtYJX8XT7IV8wBWw/v3UWnCRZxHVfA9j2utVmSW3/8q+knSO4NzkwIE
> EIHB1nmpiwkrAJk7mHTLLsZf8VOhVI7j3QuywpIA9ftk6H+b+k0nbVxoLXbTuYVC
> 9vUJJeuuVrPhRe1gvwe5ejCq9QRpq6Bz56sDgQIVAMroWqrS3QoyGTH95oy2dbXz
> ZPxHAoIBAQCyU7rSLH7FBuFByTGmy6gIaGUc/yUT6U+AOnvJ9hoB+jBbYwqSI9eG
> 20Sup5NR6CS63g3+oB0qKzc1nmMktzOrF+o6vsBvL6L3Mefk9O+pWThVm+kYFPwZ
> 2n61BoMyjayFeo+b2sjhendJd9KexLH6SyDJLWsnXBU97BV388nxLrz2EnMnbifK
> 40Qbj8wh8KN3fshllwW710OW6VvYxMaYQTmbq5apbZj2YWxTjR0PYh3WasgnQviR
> M+ZfuL8NSx1Baos3TkFzaymcy8HnwiOzwUNG+o8I46khmlJWs4Ga8+E8VPtwSiAg
> sN2xSOS/D9UBl0+X1nNq+yXl4LQ+IOh2AoIBAFomMr4tmWVdJ4/vGm7bZbC2DYmu
> vU7bVjidb+uSLrSz/Q0HvUSxTFDv993Zy00ovR/opoiCmgPTXLmXMTiVv6mpTSK1
> qk5/aRvAtFPz/avOSvG1tkfKJD4Ei/pCD5++/LVOGNUDxYuTvX6qKn/eFXFQijHe
> 82NnqSKdjGO9RgBy+eS6gxj+88DyZwdQFdub69yWg3I3P4G1rd3vCgJQtYeRCaFs
> jpIdvZnCcmVfHJdNBd/fJHse75gRP53JaRqByF+gPwYzb4n0J8sQONLRt73bqmbS
> C7O4sajQhHDqWctwEVZpToZlgE0KFB2jTtGBQ1jEweBOCYoJUTV/R7sSHVACFDKw
> IsS4IWp+0VmK/jh3c97tvWS6

To solve the issue, replace the id_dsa file from the cluster where SSH access to directors is denied with the one from
the management server where SSH is working (in this example, replacing cluster-1 with cluster-2):

1. Remove the invalid private key file (in this example cluster-1's):

service@ManagementServer-1:~/.ssh> rm id_dsa
2. Rename the correct private key file copy from remote cluster (in this example cluster-2's):

service@ManagementServer-1:~/.ssh> mv id_dsa_c2 id_dsa

Compare now the public key from cluster unable to SSH to directors against public key from remote cluster with the diff command:
If you see no output after running this command, the file is OK and doesn't need to be replaced.

service@ManagementServer-1:~/.ssh> diff id_dsa.pub id_dsa_c2.pub

service@ManagementServer-1:~/.ssh>
If you see an output similar to the one below, the files (and therefore public SSH key) are different:

service@ManagementServer-1:~/.ssh> diff id_dsa.pub id_dsa_c2.pub

1c1
< ssh-dss AAAAB3NzaC1kc3MAAACBAPMP7EeOJQzwhIkvx6bANMJT6ksjg+uHymZBIYobhaKzRuvIN1
ZQNyNXOmuSyyajW/r4Y9q8wKJm659AtzCbx0Rv1v2vzDkzAC4wtkYuzu43L7XGOfkfUU9P90qWCxz7HI
ZsOYnWZK4kPlesftN+gKdRU36MNXwDuak9C9us+U2DAAAAFQDUhnbHCwXTS1q6Kw5CYFjFP0QvfQAAAI
AWigwVVgkF9VY6FNm7gWA4KJhH17HdP9cJIrDV8P994eY+s896o5ajByLiqrIqOXv+smqWgRydw+VCTn
RZ4bE2GnCpBEkktrFQhHAcDzROUw2ONTmag0wCYeW06XPFFeZYWbhCbUSp00n3tulxhjxBYO3G6Q8QMX
nc+S4KHMCR9wAAAIAWdRbJbeP+KqXvvNRerWIfhEo27R2y+0qJmhmvjgZ0RoX+wt6aCHlhfDk8uofX9l
3bbOPTdodkVKGoXJfXpvc8YtyUHr+27ODROpGrkJ2rd/vD3O5LF2x93AlJUIDBG85LlkBP9/OdCmp+YZ
nJa/NBhQb3vUjkkVe9ZUe9nw5bmQ== service@VPLEXLF01CS
---
> ssh-dss AAAAB3NzaC1kc3MAAAEBANOgnYY+Wg8zC4rCieO6vEQwz2Vt0D08HqAEodxzZ1QJZxhWtg
K/YLKiSfBq7gqC72OeEzyl0hsgPfkrUgqlqw5aFiV1mp0VtAGRkR8V2q7ieoo7P80Yz1Vzos0qqkjMPy
kJF4jQ1feJm4GGt5UahUf8jpBS9ZBEfP+0Y7amzRt7Z9RqdkxsCbOTyIFLWCV/F0+yFfMAVsP791Fpwk
WcR1XwPY9rrVZklt//KvpJ0juDc5MCBBCBwdZ5qYsJKwCZO5h0yy7GX/FToVSO490LssKSAPX7ZOh/m/
pNJ21caC1207mFQvb1CSXrrlaz4UXtYL8HuXowqvUEaaugc+erA4EAAAAVAMroWqrS3QoyGTH95oy2db
XzZPxHAAABAQCyU7rSLH7FBuFByTGmy6gIaGUc/yUT6U+AOnvJ9hoB+jBbYwqSI9eG20Sup5NR6CS63g
3+oB0qKzc1nmMktzOrF+o6vsBvL6L3Mefk9O+pWThVm+kYFPwZ2n61BoMyjayFeo+b2sjhendJd9KexL
H6SyDJLWsnXBU97BV388nxLrz2EnMnbifK40Qbj8wh8KN3fshllwW710OW6VvYxMaYQTmbq5apbZj2YW
xTjR0PYh3WasgnQviRM+ZfuL8NSx1Baos3TkFzaymcy8HnwiOzwUNG+o8I46khmlJWs4Ga8+E8VPtwSi
AgsN2xSOS/D9UBl0+X1nNq+yXl4LQ+IOh2AAABAFomMr4tmWVdJ4/vGm7bZbC2DYmuvU7bVjidb+uSLr
Sz/Q0HvUSxTFDv993Zy00ovR/opoiCmgPTXLmXMTiVv6mpTSK1qk5/aRvAtFPz/avOSvG1tkfKJD4Ei/
pCD5++/LVOGNUDxYuTvX6qKn/eFXFQijHe82NnqSKdjGO9RgBy+eS6gxj+88DyZwdQFdub69yWg3I3P4
G1rd3vCgJQtYeRCaFsjpIdvZnCcmVfHJdNBd/fJHse75gRP53JaRqByF+gPwYzb4n0J8sQONLRt73bqm
bSC7O4sajQhHDqWctwEVZpToZlgE0KFB2jTtGBQ1jEweBOCYoJUTV/R7sSHVA= service@Managemen
tServer

To solve the issue, replace the id_dsa.pub file from the cluster where SSH access to directors is denied with the one
from the management server where SSH is working (in this example, replacing cluster-1 with cluster-2):

1. Remove the invalid public key file (in this example cluster-1's):
https://www.dell.com/support/kbdoc/zh-cn/print/333764/30 3/4
2020/9/28 VPLEX: Management server fails to log into directors with error: "Permission denied (publickey,keyboard-interactive)." | Dell 中国

service@ManagementServer-1:~/.ssh> rm id_dsa.pub
2. Rename the correct public key file copy from remote cluster (in this example cluster-2's):

service@ManagementServer-1:~/.ssh> mv id_dsa_c2.pub id_dsa.pub

备注 Please refer to CQ 35230 for further details. CQ access is restricted to authorized customer service representatives.

附件

文章属性

首次发布时间 Fri Feb 05 2016 18:22:13 GMT

主要产品

产品 VPLEX Series, VPLEX VS2, VPLEX Metro, VPLEX Geo, VPLEX GeoSynchrony 5.2 Service Pack 1 Patch 1, VPLEX VS1, VPLEX
GeoSynchrony 5.2 Service Pack 1

https://www.dell.com/support/kbdoc/zh-cn/print/333764/30 4/4