Chef - SSH without password
Solution 1
Fixed it!
So when you are using hosted chef you need to pass in a private key with the bootstrap and have the public key in your authorized_keys file...
- install the ChefSDK
- SCP your starter kit from hosted Chef
- extract the starter kit to
~/chef-repo
- generate a new keypair:
ssh-keygen
- add the public key to your authorized_keys file:
$ cat id_rsa.pub >> authorized_keys
Run the knife bootstrap with the following:
sudo knife bootstrap {{server-ip}} --ssh-user {{your-server-user}} -i ~/.ssh/id_rsa --sudo --node-name web1
That should work!
I would also suggest that the user you pass as the --ssh-user has passwordless sudo access.
Solution 2
I'm not aware of anyone that uses the keys provided from Hosted Chef Server or on-premises Chef Server as their SSH authentication keys as Tim is suggesting.
The keys provided by the Chef server are typically only used by Chef client tools such as chef-client and knife for authenticating to the Chef server's API.
Creating a separate key pair for SSH authentication, as Tim's first response and James's ultimate answer suggest, is the right way to go. This can either be done manually or by using Chef to configure the system with the appropriate SSH keys.
Solution 3
What you need are ssh keys.
Initially the 'node1' server (referred to as <targetserver> below) will need a password set for your 'centos' user (referred to as <targetuser> below). Once you have set a password for that user, follow the instructions below.
To set it up, log in on the client server (the one running chef) as the chef user and run
ssh-keygen -t rsa
Follow the instructions (just press enter when asked for a password)
Then run the following command
ssh-copy-id <targetuser>@<targetserver>
Follow the on-screen instructions, and that's all there is to it.
Chef should then pick up that ssh key automatically.
EDIT:
For Hosted Chef the process is a little different. In Chef Manage go to Administration>Users> and select your username. In there you should see a public key.
Log in on your target server as the target user, then check if you have the ~/.ssh directory
ls ~/.ssh
If that says "ls: cannot access ~/.ssh: No such file or directory" run
mkdir ~/.ssh
Then, using your command-line file editor of choice (I prefer VIM), create the file ~/.ssh/authorized_keys and copy the public key you found on Hosted Chef into that file.
EDIT: If your public key is in the format starting:
-----BEGIN PUBLIC KEY-----
You will first need to convert that into the SSH public key format.
To do so, create a file on your local machine called publickey.pem and copy your public key into it. Then open a terminal in that location and run:
ssh-keygen -f publickey.pem -i -m PKCS8
Hope this helps. Tim.
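The target-side steps from Solution 3, as an added example that is not part of the original answers: a shell function (the name install_pubkey and its arguments are hypothetical) that converts a PEM-format key when needed, sets the 700/600 modes that sshd's default StrictModes check expects, and appends the key only once.

```shell
# Added example, not from the original answers.
# Usage: install_pubkey KEYFILE [HOME_DIR]   (HOME_DIR defaults to $HOME)
install_pubkey() {
    local keyfile="$1" home_dir="${2:-$HOME}" line
    local ssh_dir="$home_dir/.ssh" auth="$home_dir/.ssh/authorized_keys"

    [ -r "$keyfile" ] || { echo "cannot read $keyfile" >&2; return 1; }

    # Hosted Chef shows the key as PEM ("-----BEGIN PUBLIC KEY-----");
    # authorized_keys needs the one-line "ssh-rsa AAAA..." form.
    if grep -q -- '-----BEGIN PUBLIC KEY-----' "$keyfile"; then
        line=$(ssh-keygen -i -m PKCS8 -f "$keyfile") || return 1
    else
        line=$(head -n 1 "$keyfile")
    fi

    # Refuse anything that is not a public-key line (for example a private key).
    case $line in
        ssh-rsa\ *|ssh-ed25519\ *|ecdsa-sha2-*\ *) ;;
        *) echo "not an OpenSSH public key: $keyfile" >&2; return 1 ;;
    esac

    # With StrictModes (the sshd default), keys are ignored when ~/.ssh or
    # authorized_keys is writable by group or others.
    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir" || return 1
    touch "$auth" && chmod 600 "$auth" || return 1

    # Append only if this exact line is not already present.
    grep -qxF -- "$line" "$auth" || printf '%s\n' "$line" >> "$auth"
}
```

Run it as the target user on the target server, for example `install_pubkey publickey.pem`, before retrying the knife bootstrap with the matching private key.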
James McDougall
Updated on September 18, 2022
Comments
-
James McDougall over 1 year
When executing:
knife bootstrap {{IP}} --ssh-user centos --ssh-password '' \
  --sudo --use-sudo-password --node-name node1 \
  --run-list 'recipe[learn_chef_httpd]'
I am getting the following error:
ERROR: Net::SSH::AuthenticationFailed: Authentication failed for user centos@{{IP}}@{{IP}}
I am trying to connect to centos user which has no password, because I want to use SSH-Key Auth.
I have tried passing a number of permutations:
knife bootstrap {{IP}} -x centos -i .chef/james-chef-validator.pem --sudo --run-list 'recipe[learn_chef_httpd]'
all without success...
If running with -VV:
...
DEBUG: allowed methods: publickey,gssapi-keyex,gssapi-with-mic
DEBUG: none failed
DEBUG: trying publickey
DEBUG: connecting to ssh-agent
ERROR: could not connect to ssh-agent
ERROR: all authorization methods failed (tried none, publickey)
ERROR: Net::SSH::AuthenticationFailed: Authentication failed for user centos@{{IP}}@{{IP}}
Any ideas?
-
Mike over 9 years
Does the client have the ssh public key for the user you are using to bootstrap?
-
James McDougall over 9 years
I believe these are in the StarterKit .chef/ directory?
-
James McDougall over 9 years
Does this assume we're serving chef? We're currently using chef SaaS
-
Tim Armstrong-Ooi over 9 years
I didn't realise you were using hosted chef. Answer edited
-
James McDougall over 9 years
Hi Tim, I have tried that and I am still getting the same error. I am trying this on CentOS7, but that public key format is different to what I would expect for a public key.
-
Matthew Haworth over 9 years
I've had this issue too, but like James, I can't quite fathom the ssh key part. The public key they provide is of the form
--- BEGIN PUBLIC KEY -----
however my authorized_keys seems to look more like ssh-rsa ....
-
Tim Armstrong-Ooi over 9 years
My mistake, I forgot to tell you how to convert it
-
Tim Armstrong-Ooi over 9 years
Conversion information added
-
Robert over 7 years
It always prompts for password. I am able to connect using the ssh user@ipaddress -i .ssh/id_rsa but knife command always prompts for password. Any idea? Thank you.