Feature #17015: Add ability to get private keys or use existing key pairs when provisioning on EC2 - Foreman

Feature #17015

Add ability to get private keys or use existing key pairs when provisioning on EC2

Added by Ondřej Pražák over 6 years ago. Updated over 4 years ago.

Status:

Closed

Priority:

Normal

Assignee:

Shlomi Zadok

Category:

Compute resources - EC2

Target version:

1.15.0

Difficulty:

Triaged:

Bugzilla link:

1333604

Pull request:

https://github.com/theforeman/foreman/pull/4024

Fixed in Releases:

Found in Releases:

Red Hat JIRA:

Description

Cloned from https://bugzilla.redhat.com/show_bug.cgi?id=1333604
Description of problem:

After configuring AWS EC2 as a compute resource and provisioning a virtual machine, the user cannot SSH onto the virtual machine because foreman has generated an SSH key pair itself used to provision the machine.

The user should be able to view and download these keys through the Foreman web gui (as a minimum).
They should also be able to use existing pairs already configured in AWS or should be given the option to generate their own.

This entails a potential security risk as it is not obvious if a keypair is generated per virtual machine OR per compute resource.

Here is the work around to get the key to SSH to the machine:

1) Run the command hammer compute-resources list

2) Take note of the compute-resource (can vary depending on how many you have or have had, the number increments even after they have been deleted).

3) Now run su to the postgres user, CD to tmp and run the following command:

echo 'select secret from key_pairs where compute_resource_id = &lt;Compute Resource ID&gt;;' |  psql -d foreman  -t | sed -e 's/^[ \t]*//'| sed 's/+$//' | sed "s/[[:blank:]]*$//" > /tmp/&lt;Key Pair Name&gt;.pem

Where the Compute Resource ID and Key Pair Name have been replaced.

You can verify the integrity of key using this command: openssl rsa -in <Key Pair Name>
If the key is not displayed, or it asks you for a pass phrase, there is an issue with the key.

4) You should have a pem file which can now be used to log into your EC2 machine. Depending on your AMI, try the following command:

ssh -i <Key Pair Name>.pem ec2-user@<EC2 VM Hostname or IP>

For regular RHEL AMI, the initial user is ec2-user, it may be different depending on the AMI used.

Steps to Reproduce:
1. Setup AWS Compute Resource and users, provision a VM.
2. > Try to connect to the machine via SSH, not possible without key.
3. Run work around to get key, but it should be easier!

Actual results:

Key pairs are not visible to user unless they run database queries.

Expected results:

User should be able to get their key pair easily.

Related issues

Associated revisions

Revision 59e7136a (diff)
Added by Shlomi Zadok about 6 years ago

Fixes #17015 - Adds Key pairs controller

History

#1 Updated by Ondřej Pražák over 6 years ago

Subject changed from AWS Compute Resource Enhancement: Add ability to get private keys or use existing key pairs when provisioning on EC2 to AWS Compute Resource Enhancement: Add ability to get private keys or use existing key pairs when provisioning on EC2
Target version set to 115

#2 Updated by Ondřej Pražák over 6 years ago

Related to Feature #8319: ec2 compute sould be able to use existing ssh keys added

#3 Updated by Dominic Cleal over 6 years ago

Subject changed from AWS Compute Resource Enhancement: Add ability to get private keys or use existing key pairs when provisioning on EC2 to Add ability to get private keys or use existing key pairs when provisioning on EC2
Description updated (diff)

Very hard to read with code formatting!

#4 Updated by Shlomi Zadok over 6 years ago

Assignee set to Shlomi Zadok
Target version changed from 115 to 1.4.2

#5 Updated by Marek Hulán over 6 years ago

Target version changed from 1.4.2 to 1.4.4

#6 Updated by The Foreman Bot over 6 years ago

Status changed from New to Ready For Testing
Pull request https://github.com/theforeman/foreman/pull/4024 added

#7 Updated by Marek Hulán over 6 years ago

Target version changed from 1.4.4 to 1.10.1

#8 Updated by Ohad Levy about 6 years ago

Related to Feature #17841: expose key_pair info via API added

#9 Updated by Shlomi Zadok about 6 years ago

Status changed from Ready For Testing to Closed
% Done changed from 0 to 100

Applied in changeset 59e7136a2ac14317071d9ae86d7f0472e6413c86.

#10 Updated by Dominic Cleal about 6 years ago

Legacy Backlogs Release (now unused) set to 209

#11 Updated by Dominic Cleal almost 6 years ago

Related to Bug #19631: ActiveRecord::RecordNotSaved when deleting compute resources with key pairs added

Also available in: Atom PDF

Related to Foreman - Feature #8319: ec2 compute sould be able to use existing ssh keys	New	2014-11-07
Related to Foreman - Feature #17841: expose key_pair info via API	New	2016-12-25
Related to Foreman - Bug #19631: ActiveRecord::RecordNotSaved when deleting compute resources with key pairs	Closed	2017-05-23

Project

General

Profile

Issues

Custom queries