
clush: support password-based authentication

Open thiell opened this issue 13 years ago • 6 comments

support password-based authentication for initial connection to nodes

thiell avatar Aug 24 '12 07:08 thiell

Some update?

judovana avatar Jun 08 '16 10:06 judovana

Kind of :) If you really want to use password-based authentication with clustershell, you can try sshpass. It is supported in 1.7.1. Please see #241, #242 and #244 and 6e4e131f454b2ac37cfcd93e1a17d9a39bbbe951 for the details or just check out this nice doc:

  • http://www.getreu.net/public/downloads/doc/Secure_Computer_Cluster_Administration_with_SSH/#distribute-keys-clustershell

thiell avatar Jun 08 '16 23:06 thiell

As @thiell said, there are a couple of workarounds for this feature. Anyway, I think we need to support an interactively provided password in future releases.

@thiell: could we imagine, when using a special option (--password?), reading it on the command line, and writing it to each worker?

degremont avatar Jun 09 '16 08:06 degremont

Support for entering a password for keys with a passphrase would be appreciated too. Doing something like this works around it:

ssh_path: 'sshpass -f plain_text_file_with_password.txt -P Enter ssh'
ssh_options: '-i /some/non-default/key.pem -oBatchMode=no'

...but really defeats the purpose.

kkost avatar Mar 15 '19 21:03 kkost

I don't catch why the following approach does not work:

$ export SSHPASS="$(pass [...])"  # use passstore to define the password
# check direct SSH works - OK
$ sshpass -e ssh myserver 'whoami'  
# repeat with clush - Not OK 
$ clush -O ssh_path='sshpass -e ssh' -w myserver 'whoami'
myserver: Permission denied (publickey,password).
clush: myserver: exited with exit code 255

Most likely the SSHPASS variable is not passed to the clush processes. Any suggestion?

Falkor avatar Apr 26 '22 20:04 Falkor

Whoops, just missed the ten year anniversary of this ticket.

I realize there are situations where you don't like passwords, but in the enterprise there are common tasks that require it. (Example: Installing ssh keys on a few hundred fresh Dells, whose idracs all are hit with root/calvin). This sort of thing is literally the last reason we have expect installed on our servers, and I would love to move past it.

cseraphine avatar Sep 06 '22 20:09 cseraphine

10-year anniversary gift ;) With clustershell 1.9, you will be able to enable the new sshpass clush mode to support password-based authentication:

# enable sshpass mode
cp /etc/clustershell/clush.conf.d/sshpass.conf.example /etc/clustershell/clush.conf.d/sshpass.conf

# use clush -m sshpass or --mode sshpass (this will prompt for a password and authenticate all nodes via sshpass)
clush -m sshpass -w <nodes> uptime

of course the password must be the same on all specified <nodes>

thiell avatar Nov 23 '22 17:11 thiell

There is an issue here. If I install clush via pip install --user ClusterShell, the clush.conf.d dir is under ~/.local/etc/clustershell. However, the confdir in ~/.local/etc/clustershell/clush.conf is still /etc/clustershell/clush.conf.d. Therefore, the sshpass mode is not detected even if I do cp ~/.local/etc/clustershell/clush.conf.d/sshpass.conf.example ~/.local/etc/clustershell/clush.conf.d/sshpass.conf.

yh882317 avatar Dec 01 '22 06:12 yh882317

@yh882317

in ~/.local/etc/clustershell/clush.conf you have the default confdir:

confdir: /etc/clustershell/clush.conf.d $CFGDIR/clush.conf.d

correct?

If /etc/clustershell/clush.conf doesn't exist, $CFGDIR should theoretically be defined as ~/.local/etc/clustershell and your configuration should be found.

Do you have a /etc/clustershell/clush.conf on this system? If not, this might be a bug.

thiell avatar Dec 01 '22 06:12 thiell

in ~/.local/etc/clustershell/clush.conf you have the default confdir: confdir: /etc/clustershell/clush.conf.d $CFGDIR/clush.conf.d correct?

Yes


Do you have a /etc/clustershell/clush.conf on this system?

No, there is no such file. I only did pip install --user ClusterShell. It is intended to be installed for github local runner. I'd prefer not to bother the system etc space.

yh882317 avatar Dec 01 '22 06:12 yh882317

I just tried like you and my sshpass mode was found. To see which directories are found and parsed, can you try to use debug mode (-d) with a dummy command, like this?

$ clush -w localhost -m sshpass -d true

you should see something like this:

ClushConfig parsed: ['/home/sthiell/.local/etc/clustershell/clush.conf', '/etc/clustershell/clush.conf.d/sshpass.conf', '/etc/clustershell/clush.conf.d/sudo.conf']
Available run modes: sshpass sshpass-file sudo

thiell avatar Dec 01 '22 06:12 thiell

you_hu@bayonet001:~/projectsdeployment$ clush -w localhost -m sshpass -d true
DEBUG:root:clush: STARTING DEBUG
Changing max open files soft limit from 1048576 to 8192
User interaction: True
Create STDIN worker: False
ClushConfig parsed: ['/home/you_hu/.local/etc/clustershell/clush.conf']
Available run modes:
ERROR: invalid mode "sshpass" (available: )

More info: system distro is ubuntu22.04

yh882317 avatar Dec 01 '22 06:12 yh882317

Got it, thanks @yh882317 for your help finding the issue. I was able to reproduce if I remove completely /etc/clustershell. We'll fix this.

As a workaround – for now – you can change confdir to point explicitly to your clush.conf.d (use full path), like this:

confdir: /home/you_hu/.local/etc/clustershell/clush.conf.d

thiell avatar Dec 01 '22 07:12 thiell
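
An added diagnostic for the confdir problem discussed in the last comments (not ClusterShell's code and not written by any participant in this thread): it resolves each confdir entry of a clush.conf and lists the run modes that the existing directories would provide. It assumes, as the thread describes, that $CFGDIR stands for the directory holding clush.conf, and that a mode file declares its mode in a `[mode:NAME]` section; the directory tree in `demo()` is constructed.

```python
import configparser
import tempfile
from pathlib import Path


def resolve_confdirs(clush_conf):
    """Return [(directory, exists)] for each entry of [Main] confdir."""
    clush_conf = Path(clush_conf).expanduser()
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read(clush_conf)
    raw = cfg.get("Main", "confdir", fallback="")
    # Assumption from the thread: $CFGDIR is the directory holding clush.conf.
    dirs = [Path(e.replace("$CFGDIR", str(clush_conf.parent))) for e in raw.split()]
    return [(d, d.is_dir()) for d in dirs]


def available_modes(clush_conf):
    """List run modes declared by *.conf files in the confdirs that exist."""
    modes = set()
    for directory, exists in resolve_confdirs(clush_conf):
        if not exists:
            continue
        for conf in sorted(directory.glob("*.conf")):
            cfg = configparser.ConfigParser(interpolation=None)
            cfg.read(conf)
            # Assumption: a mode file declares its mode as [mode:NAME].
            modes.update(s.split(":", 1)[1] for s in cfg.sections()
                         if s.startswith("mode:"))
    return sorted(modes)


def demo():
    """Constructed pip --user style tree: the first confdir entry is absent."""
    with tempfile.TemporaryDirectory() as tmp:
        cfgdir = Path(tmp) / "home/.local/etc/clustershell"
        (cfgdir / "clush.conf.d").mkdir(parents=True)
        (cfgdir / "clush.conf").write_text(
            f"[Main]\nconfdir: {tmp}/absent/clush.conf.d $CFGDIR/clush.conf.d\n")
        (cfgdir / "clush.conf.d/sshpass.conf").write_text(
            "[mode:sshpass]\nssh_path: sshpass -e ssh\n")
        # .example files do not count until copied to a .conf name
        (cfgdir / "clush.conf.d/sudo.conf.example").write_text("[mode:sudo]\n")
        found = [(str(d.relative_to(tmp)), ok)
                 for d, ok in resolve_confdirs(cfgdir / "clush.conf")]
        return found, available_modes(cfgdir / "clush.conf")


if __name__ == "__main__":
    print(demo())
```

Calling `available_modes("~/.local/etc/clustershell/clush.conf")` on a real install shows what a correct confdir resolution should find, for comparison with the "Available run modes" line of `clush -d`.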