How do I ssh into a GCP compute engine instance from circleci? - ssh

I'm using circleci 2.0 and I'm trying to have circleci enter a gcp instance via ssh and fire off a deployment script with this command
sudo /opt/google-cloud-sdk/bin/gcloud compute ssh instance-1 \
  --command=/home/deploy_staging.sh --zone=us-east1-b
Doing this from my local machine works just fine, but when I try to do it from circleci I get this error:
WARNING: The public SSH key file for gcloud does not exist.
WARNING: The private SSH key file for gcloud does not exist.
WARNING: You do not have an SSH key for gcloud.
WARNING: SSH keygen will be executed to generate a key.
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase):
Too long with no output (exceeded 10m0s)
Obviously it's ssh issues. I read something about putting ssh keys in the instance on gcp, and I have put my local machine's ssh keys there, but that still doesn't work.

gcloud \
--quiet \
--project="${PROJECT}" \
compute ssh "${INSTANCE_NAME}" \
--zone "${ZONE}" \
--strict-host-key-checking=no \
--command "echo works"
--quiet is all you need and it will generate a key if one is not available. I am using this with a service account.
WARNING: The public SSH key file for gcloud does not exist.
WARNING: The private SSH key file for gcloud does not exist.
WARNING: You do not have an SSH key for gcloud.
WARNING: SSH keygen will be executed to generate a key.
Generating public/private rsa key pair.
Your identification has been saved in /root/.ssh/google_compute_engine.
Your public key has been saved in /root/.ssh/google_compute_engine.pub.
The key fingerprint is:
SHA256:un2aZmExTGVD0KvebEVqAujrlXoAb0u7jO3Z5boCWaA root@581dc589b7fa
The key's randomart image is:
+---[RSA 2048]----+
| .== |
| . .... |
| . . . o . |
|E . o . + . . |
| * .S+ o |
| o * o= o . |
| + =+o.* . |
| +==.=+.= |
| .oO+===+ |
+----[SHA256]-----+
WARNING: Using OS Login user [sa_102839341411404994442] instead of default user [root]

According to the official CircleCI documentation, you first need to add the SSH key for the server in the CircleCI application - this can be done on your project’s settings and under the SSH Permissions section.

Related

What is the best way to save ssh public key in custom vagrant box?

I often see unofficial documents that say you should save vagrant user’s ssh public key when creating your own box like below:
curl https://raw.githubusercontent.com/mitchellh/vagrant/master/keys/vagrant.pub >> /home/vagrant/.ssh/authorized_keys
And when vagrant up with the box, the following message is shown:
default: Vagrant insecure key detected. Vagrant will automatically replace
default: this with a newly generated keypair for better security.
default:
default: Inserting generated public key within guest...
default: Removing insecure key from the guest if it's present...
default: Key inserted! Disconnecting and reconnecting using new SSH key...
It seems to me that mitchellh’s vagrant.pub key above is not appropriate.
What is the best way to save vagrant user’s ssh public key?
The key you point to on raw.githubusercontent.com is a sample, not to be used.
The returned message seems to say that another keypair is automatically generated:
default: Inserting generated public key within guest...
default: Removing insecure key from the guest if it's present...
default: Key inserted! Disconnecting and reconnecting using new SSH key...
so if everything is going correctly, your container now uses a new public key in /home/vagrant/.ssh/authorized_keys and your local host uses a new private key in $HOME/.ssh/id_rsa.
Compare these files with the files you originally downloaded, and look at the modification time of both files (on local host and in vagrant container).
Build your own key
Simply run:
ssh-keygen -f ~/.ssh/vagrant-dedicated
see man ssh-keygen for key length, cipher, etc...
Sample output:
dialog:
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Simple output:
Generating public/private rsa key pair.
Your identification has been saved in vagrant-dedicated.
Your public key has been saved in vagrant-dedicated.pub.
The key fingerprint is:
SHA256:U2YfVbMlCUed7tXrvf3xBQoLB3glpSpto4hwdjTKwV0 user@host
The key's randomart image is:
+---[RSA 2048]----+
| E ..o .o==+|
| . . . . + o.o=|
| o + . + + . ...|
| . + o o = . . .o|
|. = o = S o . o o|
|.+ o + . + o . + |
|. . . . . ..o|
| .*|
| .*|
+----[SHA256]-----+
This will create two files:
ls -l ~/.ssh/vagrant-dedicated*
-rw------- 1 user user 1679 Oct 20 12:18 vagrant-dedicated
-rw-r--r-- 1 user user 394 Oct 20 12:18 vagrant-dedicated.pub
head -n1 ~/.ssh/vagrant-dedicated*
==> vagrant-dedicated <==
-----BEGIN RSA PRIVATE KEY-----
==> vagrant-dedicated.pub <==
ssh-rsa AAAAB3...0y/5 user@host
Replace the content of the container's /home/vagrant/.ssh/authorized_keys with the content of ~/.ssh/vagrant-dedicated.pub, then use vagrant-dedicated as private key for ssh connection.
ssh -i ~/.ssh/vagrant-dedicated vagrant@container
Note about fingerprint
Before 1st connection to a new target host, ssh will prompt you about host's fingerprint.
You could compare output of
ssh-keygen -vlf /etc/ssh/ssh_host_rsa_key.pub
on target vagrant container with output of your 1st connection output:
ssh -o VisualHostKey=true -i ~/.ssh/vagrant-dedicated vagrant@container
First run will begin output like:
The authenticity of host 'container (10.12.34.56)' can't be established.
Then, the fingerprint, something like
ECDSA key fingerprint is SHA256:9M+2wGn0nZO3GPYkWuuxzXqI3nIbk5IJJ5xwhsxwbXk
And the Ascii art representation:
+---[ECDSA 256]---+
| . .. . |
| = .+ E |
| =oo. |
| .=.. |
| S=o. |
| o+=o..o |
| =+*X*..|
| . =*+#+.|
| .o=O+= |
+----[SHA256]-----+
Both commands must give identical fingerprint and ascii art.
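The fingerprint in that comparison can also be derived from the public key text alone. The following is an added example, not code from the original answer: it computes both fingerprint styles that appear on this page (SHA256:... and colon-separated MD5) from a .pub or authorized_keys line. The function names and the sample key, which is constructed and not a real key, are assumptions.

```python
import base64
import hashlib
import struct

KEY_PREFIXES = ("ssh-", "ecdsa-", "sk-")


def parse_public_key(line):
    """Return (key_type, raw_blob) from a .pub or authorized_keys line."""
    fields = line.strip().split()
    # authorized_keys lines may carry options before the key type, so look
    # for the first key-type token and take the field after it as the blob.
    for i, field in enumerate(fields[:-1]):
        if field.startswith(KEY_PREFIXES):
            blob = base64.b64decode(fields[i + 1], validate=True)
            if len(blob) < 4:
                raise ValueError("key blob too short")
            # The blob begins with a length-prefixed copy of the key type.
            (n,) = struct.unpack(">I", blob[:4])
            if blob[4:4 + n] != field.encode("ascii"):
                raise ValueError("key type does not match encoded blob")
            return field, blob
    raise ValueError("no public key found in line")


def fingerprints(line):
    """Fingerprints as ssh-keygen -l prints them: SHA256 and legacy MD5."""
    key_type, blob = parse_public_key(line)
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode("ascii")
    md5 = hashlib.md5(blob).hexdigest()
    return {
        "type": key_type,
        "sha256": "SHA256:" + sha.rstrip("="),  # OpenSSH drops the padding
        "md5": ":".join(md5[i:i + 2] for i in range(0, len(md5), 2)),
    }


def matches(line, expected):
    """True if `expected` (either style) is the fingerprint of this key."""
    fp = fingerprints(line)
    expected = expected.strip()
    if expected.startswith("MD5:"):
        expected = expected[4:].lower()
    return expected in (fp["sha256"], fp["md5"])


def constructed_pubkey(body, comment="user@host"):
    """Build a structurally valid ssh-ed25519 line from 32 bytes (not a real key)."""
    t = b"ssh-ed25519"
    blob = struct.pack(">I", len(t)) + t + struct.pack(">I", len(body)) + body
    return "ssh-ed25519 " + base64.b64encode(blob).decode("ascii") + " " + comment


SAMPLE_PUB = constructed_pubkey(bytes(range(32)))  # constructed sample input

if __name__ == "__main__":
    fp = fingerprints(SAMPLE_PUB)
    print(fp["type"], fp["sha256"], fp["md5"])
    # In practice, pass the fingerprint read on the target's console instead.
    print("match" if matches(SAMPLE_PUB, fp["sha256"]) else "MISMATCH")
```

The comment field and any authorized_keys options do not affect the result, because only the decoded key blob is hashed.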

How to deploy from CircleCI to Google Compute Engine?

I want to deploy CircleCi's artifacts to Google Compute Engine after CI test,
but I got stuck in SSH key issues.
When gcloud compute copy-files ran, gcloud will ask for ssh key generating during CircleCI's deployment process, which I don't know how to handle.
WARNING: The public SSH key file for gcloud does not exist.
WARNING: The private SSH key file for gcloud does not exist.
WARNING: You do not have an SSH key for gcloud.
WARNING: SSH keygen will be executed to generate a key.
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase):
I've looked into document here and here, but none of them mentioned SSH related topics. So what SSH key should I use and how can I pass it to gcloud securely?
[UPDATED]
Here's my commands in the deployment step.
- echo $GCLOUD_SERVICE_KEY | base64 --decode --ignore-garbage > ${HOME}/gcloud-service-key.json
- sudo /opt/google-cloud-sdk/bin/gcloud --quiet components update
- sudo /opt/google-cloud-sdk/bin/gcloud auth activate-service-account --key-file ${HOME}/gcloud-service-key.json
- sudo /opt/google-cloud-sdk/bin/gcloud config set project $GCLOUD_PROJECT_ID
- sudo /opt/google-cloud-sdk/bin/gcloud compute copy-files ./dist instance-1:/tmp/ --zone $GCLOUD_INSTANCE_ZONE
First error:
Enter passphrase (empty for no passphrase):
You have to add the --quiet flag.
gcloud compute copy-files
This command ensures that the user's public SSH key is present in the project's metadata. If the user does not have a public SSH key, one is generated using ssh-keygen(1) (if the --quiet flag is given, the generated key will have an empty passphrase).
https://cloud.google.com/sdk/gcloud/reference/compute/copy-files
Second error:
Permission denied (publickey,gssapi-keyex,gssapi-with-mic)
add a user before the instance name 338234243-compute@instance-1:/tmp
remove the last / of the instance path instance-1:/tmp
Check the owner of the tmp directory (user you choose should have a R&W right)
It seems that the user by default of my generated ssh key was root, and GCC sshd is not allowing root connection...
I had the same issue, and upon tinkering more and reading the google cloud docs, I realized I needed to generate an ssh key.
I use CircleCI (this also works with TravisCI) and this was the command I added to my circle.yml file to generate the ssh key:
- ssh-keygen -q -N "" -f ~/.ssh/google_compute_engine

How to specify a different location for ssh keys loading during rhc setup?

I am using rhc cli tool for OpenShift projects. I have encountered a problem with default rhc ssh key.
On any ssh related action (setup, app-create, etc..) rhc creates ~/.ssh/id_rsa key if it does not exist. I do not like that behaviour, and I would like it to use something like ~/.ssh/OpenShift-SSH-Keys/my_id_rsa.
Because during rhc setup, it did not ask me from which location I wanted to load the keys. Thus I also looked in ~/.openshift/express.conf and I only saw the configurations for ssl; not ssh.
So I found on the internet this following configuration line to add to ~/.openshift/express.conf:
ssh_key_file='~/.ssh/OpenShift-SSH-Keys/my_id_rsa'
I added it and also modified my ~/.ssh/config file:
# Openshift *.rhcloud.com ssh-key config
Host *.rhcloud.com
IdentityFile ~/.ssh/OpenShift-SSH-Keys/my_id_rsa
IdentitiesOnly yes
VerifyHostKeyDNS yes
StrictHostKeyChecking no
PasswordAuthentication no
UserKnownHostsFile ~/.ssh/known_hosts
To finish I setup my account like that:
rhc setup --config ~/.openshift/express.conf -l myusername@gmail.com
Output of this command line:
OpenShift Client Tools (RHC) Setup Wizard
This wizard will help you upload your SSH keys, set your application namespace, and check that other programs like Git are
properly installed.
If you have your own OpenShift server, you can specify it now. Just hit enter to use the server for OpenShift Online:
openshift.redhat.com.
Enter the server hostname: |openshift.redhat.com|
You can add more servers later using 'rhc server'.
Using myusername@gmail.com to login to openshift.redhat.com
RSA 1024 bit CA certificates are loaded due to old openssl compatibility
Password: ************************
OpenShift can create and store a token on disk which allows to you to access the server without using your password. The
key is stored in your home directory and should be kept secret. You can delete the key at any time by running 'rhc
logout'.
Generate a token now? (yes|no) yes
Generating an authorization token for this client ... RSA 1024 bit CA certificates are loaded due to old openssl compatibility
lasts 29 days
Saving configuration to /Users/theuser/.openshift/express.conf ... done
No SSH keys were found. We will generate a pair of keys for you.
Created: /Users/theuser/.ssh/id_rsa.pub
Your public SSH key must be uploaded to the OpenShift server to access code. Upload now? (yes|no) no
You can upload your public SSH key at a later time using the 'rhc sshkey' command
Checking for git ... found git version 2.5.0
Checking common problems .. done
Checking for a domain ... mydomainz1955
Checking for applications ... found 1
myapp http://myapp-mydomainz1955.rhcloud.com/
You are using 2 of 3 total gears
The following gear sizes are available to you: small
Your client tools are now configured.
As you can see in the output of the command line: No SSH keys were found. We will generate a pair of keys for you., although I specified in the ~/.openshift/express.conf that I already had ssh keys generated, rhc setup did not take them in consideration or did not find them.
So according to you guys, is it possible to somehow specify a different location for ssh keys loading during rhc setup?
Note: I know how to add additional ssh key, but I would like to stop rhc creating/using ~/.ssh/id_rsa
As far as I see you just want rhc to not use your default ssh key. So here is how you create a separate key and configure rhc to use it instead of the default one.
Key points are that:
you select no to generating and uploading ssh key during rhc setup
you add your key separately with rhc sshkey add
you configure ssh to use the different key for that domain as you list in your original example
Does this cover your concerns?
[crackit@koTapaH ~]$ mkdir /home/crackit/my_key_location
[crackit@koTapaH ~]$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/crackit/.ssh/id_rsa): /home/crackit/my_key_location/key.rsa
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/crackit/my_key_location/key.rsa.
Your public key has been saved in /home/crackit/my_key_location/key.rsa.pub.
The key fingerprint is:
c5:20:15:fb:17:96:86:8f:88:28:18:17:2a:b8:eb:51 crackit@koTapaH
The key's randomart image is:
+--[ RSA 2048]----+
| . ..+. |
|.. . . + . . |
|= . . + = |
|.= . . + = . |
|o .E. . S o o |
| ... . |
|.. |
|. . |
| . |
+-----------------+
[crackit@koTapaH ~]$ rhc setup
OpenShift Client Tools (RHC) Setup Wizard
This wizard will help you upload your SSH keys, set your application namespace,
and check that other programs like Git are properly installed.
If you have your own OpenShift server, you can specify it now. Just hit enter to
use the server for OpenShift Online: openshift.redhat.com.
Enter the server hostname: |openshift.redhat.com|
You can add more servers later using 'rhc server'.
Login to openshift.redhat.com:
Login to openshift.redhat.com: asdfgg@example.com
Password: *************
OpenShift can create and store a token on disk which allows to you to access the
server without using your password. The key is stored in your home directory and
should be kept secret. You can delete the key at any time by running 'rhc
logout'.
Generate a token now? (yes|no) yes
Generating an authorization token for this client ... lasts about 1 month
Saving configuration to /home/crackit/.openshift/express.conf ... done
No SSH keys were found. We will generate a pair of keys for you.
Created: /home/crackit/.ssh/id_rsa.pub
Your public SSH key must be uploaded to the OpenShift server to access code.
Upload now? (yes|no)
no
You can upload your public SSH key at a later time using the 'rhc sshkey'
command
Checking for git ... found git version 2.1.0
Checking common problems .. done
Checking for a domain ... foobar
Checking for applications ... found 2
jenkins http://jenkins-foobar.rhcloud.com/
tmp http://tmp-foobar.rhcloud.com/
You are using 2 of 3 total gears
The following gear sizes are available to you: small, medium
Your client tools are now configured.
[crackit@koTapaH ~]$ rhc sshkey add mykey my_key_location/key.rsa.pub
RESULT:
SSH key my_key_location/key.rsa.pub has been added as 'mykey'
[crackit@koTapaH ~]$ vi .ssh/config
<.. do your modifications here ..>
[crackit@koTapaH ~]$ rhc ssh tmp
Connecting to 550000a0e0b8cdca4c000040@tmp-foobar.rhcloud.com ...
*********************************************************************
You are accessing a service that is for use only by authorized users.
If you do not have authorization, discontinue use at once.
Any use of the services is subject to the applicable terms of the
agreement which can be found at:
https://www.openshift.com/legal
*********************************************************************
Welcome to OpenShift shell
This shell will assist you in managing OpenShift applications.
!!! IMPORTANT !!! IMPORTANT !!! IMPORTANT !!!
Shell access is quite powerful and it is possible for you to
accidentally damage your application. Proceed with care!
If worse comes to worst, destroy your application with "rhc app delete"
and recreate it
!!! IMPORTANT !!! IMPORTANT !!! IMPORTANT !!!
Type "help" for more info.
[tmp-foobar.rhcloud.com 550000a0e0b8cdca4c000040]> exit
exit
Connection to tmp-foobar.rhcloud.com closed.
[crackit@koTapaH ~]$
Update: I didn't notice keys are generated. But I am sure that the generated keys during rhc setup are not actually used. First because the keys from default location are never added to openshift. And you can see a quick proof below. Another way to see is rhc sshkeys list.
Another thing is that if you already have keys in default location, then no keys are generated (in which case you still select no to not upload them). But it is actually a minor bug IMO in rhc that ssh keys are generated without asking the user. It might be a very rare use case - you don't have default key and you want to use a key from non-standard location (this is not your use case where you have a key in standard location, just don't want to use it) but still IMO one shouldn't generate something user did not request. So here's how I show you that only my desired custom key is used:
[crackit@koTapaH ~]$ rm -rf .ssh/id_rsa*
[crackit@koTapaH ~]$ rhc ssh tmp
Connecting to 550000a0e0b8cdca4c000040@tmp-foobar.rhcloud.com ...
<...>
Type "help" for more info.
[tmp-foobar.rhcloud.com 550000a0e0b8cdca4c000040]> exit
exit
Connection to tmp-foobar.rhcloud.com closed.
[crackit@koTapaH ~]$ ls .ssh/
config known_hosts
[crackit@koTapaH ~]$
Update 2 Of course token cannot help you with ssh:
[crackit@koTapaH ~]$ rm -rf my_key_location
[crackit@koTapaH ~]$ rhc ssh tmp
Connecting to 550000a0e0b8cdca4c000040@tmp-foobar.rhcloud.com ...
no such identity: /home/crackit/my_key_location/key.rsa: No such file or directory
Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
SSH key is used for ssh. Token is used for API requests. These are different use cases. rhc uses the ssh executable underneath so using a custom key means to edit ~/.ssh/config to set your default key to another location or set different keys for different hosts. This is not handled well by rhc setup. But once you have your key set, you don't have to run rhc setup anymore.

How to start apache-spark slave instance on a standalone environment?

These are the steps I've done so far:
Download spark-1.4.1-bin-hadoop2.6.tgz
unzip
./spark-1.4.1-bin-hadoop2.6/sbin/start-all.sh
Master is working but slave doesn't start
This is the output:
[ec2-user@ip-172-31-24-107 ~]$ sudo ./spark-1.4.1-bin-hadoop2.6/sbin/start-all.sh
starting org.apache.spark.deploy.master.Master, logging to /home/ec2-user/spark-1.4.1-bin-hadoop2.6/sbin/../logs/spark-root-org.apache.spark.deploy.master.Master-1-ip-172-31-24-107.out
localhost: Permission denied (publickey).
[ec2-user@ip-172-31-24-107 ~]$
This is the secure log
Aug 9 00:09:30 ip-172-31-24-107 sudo: ec2-user : TTY=pts/0 ; PWD=/home/ec2-user ; USER=root ; COMMAND=./spark-1.4.1-bin-hadoop2.6/sbin/start-all.sh
Aug 9 00:09:32 ip-172-31-24-107 sshd[4828]: Connection closed by 127.0.0.1 [preauth]
I believe the problem is with SSH but I haven't been able to find the solution on google...
Any idea how to fix my SSH issue?
You need to set up passwordless ssh. Try:
cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys
Then restart the cluster. If that does not work please post new error message(s).
It's in fact a two-step process:
Generate public/private rsa keypair.
ubuntu@master:~$ ssh-keygen -t rsa -P ""
Generating public/private rsa key pair.
Enter file in which to save the key (/home/ubuntu/.ssh/id_rsa):
Your identification has been saved in /home/ubuntu/.ssh/id_rsa.
Your public key has been saved in /home/ubuntu/.ssh/id_rsa.pub.
The key fingerprint is:
80:4d:40:f6:3a:09:32:07:74:25:cc:cd:f2:b3:75:10 ubuntu@master.flexilogix
The key's randomart image is:
+--[ RSA 2048]----+
|o.o+Bo.E. |
| ..=.B . |
|o o + + . |
| + . = o . |
| + + S |
| o |
| |
| |
| |
+-----------------+
set passwordless ssh;
ubuntu@master:~$ cat $HOME/.ssh/id_rsa.pub >> $HOME/.ssh/authorized_keys
Once both steps are done, you should be able to verify it;
ubuntu@master:~$ ssh localhost

SSH asking for password even after keys set up

I am trying to setup ssh keys via this method.
Here is the starting point on server
server:~/.ssh$ ls
#shows empty
Here is the starting point on client
client:~/.ssh$ ls
#shows empty dir
On client, I run
$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/Users/me/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /Users/me/.ssh/id_rsa.
Your public key has been saved in /Users/me/.ssh/id_rsa.pub.
The key fingerprint is:
26:25:e0:2f:90:d8:d9:fb:79:03:5d:99:a1:61:a9:dc me@machine
The key's randomart image is:
+--[ RSA 2048]----+
| . o.. |
| o = . ..o + |
|. = o..oo + |
| . oo+E. |
| o + S |
| o = |
| o o |
| . . |
| |
+-----------------+
$ ls
id_rsa id_rsa.pub
So far so good. So then I run
$ ssh-copy-id -p 3457 me@server  # running on non standard port
The authenticity of host '[server]:3457 ([104.131.226.216]:3457)' can't be established.
RSA key fingerprint is 1c:52:db:19:22:b8:47:18:24:ad:07:2f:e5:d3:c4:8e.
Are you sure you want to continue connecting (yes/no)? yes
/usr/local/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/local/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
me@server's password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh -p '3457' 'me@server'"
and check to make sure that only the key(s) you wanted were added.
I run ssh -p '3457' 'me@server' and see that ~/.ssh/authorized_keys shows that the keys match. I log out and try sshing in again. But it STILL asks me for a password -- even after running sudo service ssh restart on server. I'm not sure what else I can do. What are the next steps?
Make sure you have that key already loaded in your session
$ ssh-add
It should print ~/.ssh/id_rsa
In case you get an error saying "couldn't get a connection to the authentication agent" then execute
$ eval $(ssh-agent)
and repeat ssh-add
The former should be enough, but I also recommend having an ssh config file. For this, edit (or create) an ~/.ssh/config file with contents
Host server
HostName 104.131.226.216
User me
Port 3457
IdentityFile ~/.ssh/id_rsa
Are the file access permissions for the authorized_keys file 644 (-rw-r--r--)?
(I would leave this as a comment, but I don't have enough points)
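The permission question above can be checked mechanically. This added example is not part of the original answers: it tests the ownership and write bits that sshd enforces on the home directory, ~/.ssh and authorized_keys when StrictModes is on (its default). The function names are assumptions and the directory tree built in demo() is constructed.

```python
import os
import stat
import tempfile


def audit_key_path(home, uid=None):
    """List problems that make sshd (StrictModes yes) skip authorized_keys.

    sshd refuses the file when it, ~/.ssh or the home directory is owned by
    someone other than the user or root, or is group- or world-writable.
    """
    uid = os.getuid() if uid is None else uid
    ssh_dir = os.path.join(home, ".ssh")
    findings = []
    for path in (home, ssh_dir, os.path.join(ssh_dir, "authorized_keys")):
        try:
            st = os.stat(path)
        except FileNotFoundError:
            findings.append(f"{path}: missing")
            continue
        mode = stat.S_IMODE(st.st_mode)
        if st.st_uid not in (0, uid):
            findings.append(f"{path}: owned by uid {st.st_uid}, expected {uid} or 0")
        if mode & 0o022:
            findings.append(f"{path}: mode {mode:04o} is group/world writable")
    return findings


def demo():
    """Build a constructed home directory and audit three permission layouts."""
    results = {}
    with tempfile.TemporaryDirectory() as home:
        ssh_dir = os.path.join(home, ".ssh")
        keys = os.path.join(ssh_dir, "authorized_keys")
        os.mkdir(ssh_dir)
        with open(keys, "w") as fh:
            fh.write("ssh-ed25519 AAAA...constructed me@machine\n")
        os.chmod(home, 0o755)
        os.chmod(ssh_dir, 0o700)
        os.chmod(keys, 0o644)
        results["ok"] = audit_key_path(home)
        os.chmod(keys, 0o664)      # group-writable key file
        results["file"] = audit_key_path(home)
        os.chmod(keys, 0o600)
        os.chmod(ssh_dir, 0o777)   # world-writable ~/.ssh
        results["dir"] = audit_key_path(home)
        os.chmod(ssh_dir, 0o700)   # restore so cleanup is uneventful
    return results


if __name__ == "__main__":
    # Audit the invoking user's real home directory on the server.
    for finding in audit_key_path(os.path.expanduser("~")) or ["no findings"]:
        print(finding)
```

Run it on the server as the account being logged into; an empty result means file modes are not the reason the key is being ignored.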
eval $(ssh-agent)
After that, add identity to key file
ssh-add $HOME/.ssh/xxx.pem
After execution of above command it should not prompt you for a password
You need to do this every time if you use a new bash prompt. For that one do one thing.
Edit the above lines in $HOME/.bashrc file