Andrew found out today that certain of our servers require special handling for getting on the mgmt interface.
example: ssh -oKexAlgorithms=diffie-hellman-group14-sha1 -oCiphers=aes256-cbc root@labvirt1005.mgmt.eqiad.wmnet
labcontrol1003.mgmt.eqiad.wmnet
labcontrol1004.mgmt.eqiad.wmnet
labmon1001.mgmt.eqiad.wmnet
labnodepool1002.mgmt.eqiad.wmnet
labpuppetmaster1001.mgmt.eqiad.wmnet
labpuppetmaster1002.mgmt.eqiad.wmnet
labsdb1001.mgmt.eqiad.wmnet
labsdb1003.mgmt.eqiad.wmnet
labsdb1009.mgmt.eqiad.wmnet
labsdb1010.mgmt.eqiad.wmnet
labsdb1011.mgmt.eqiad.wmnet
labtestcontrol2003.mgmt.codfw.wmnet
labtestmetal2001.mgmt.codfw.wmnet
labtestnet2002.mgmt.codfw.wmnet
labtestneutron2002.mgmt.codfw.wmnet
labtestpuppetmaster2001.mgmt.codfw.wmnet
labtestservices2002.mgmt.codfw.wmnet
labtestservices2003.mgmt.codfw.wmnet
labtestvirt2003.mgmt.codfw.wmnet
labvirt1001.mgmt.eqiad.wmnet
labvirt1002.mgmt.eqiad.wmnet
labvirt1003.mgmt.eqiad.wmnet
labvirt1004.mgmt.eqiad.wmnet
labvirt1005.mgmt.eqiad.wmnet
labvirt1006.mgmt.eqiad.wmnet
labvirt1007.mgmt.eqiad.wmnet
labvirt1008.mgmt.eqiad.wmnet
labvirt1009.mgmt.eqiad.wmnet
labvirt1010.mgmt.eqiad.wmnet
labvirt1011.mgmt.eqiad.wmnet
labvirt1012.mgmt.eqiad.wmnet
labvirt1013.mgmt.eqiad.wmnet
labvirt1014.mgmt.eqiad.wmnet
This doesn't seem to be the case for me, maybe openssh version/configuration? Proof:
$ ssh -vvv root@labsdb1009.mgmt.eqiad.wmnet
OpenSSH_7.4p1 Debian-10+deb9u2, OpenSSL 1.0.2l 25 May 2017
debug1: Reading configuration data <FILTERED>
debug1: <FILTERED> line 1: Applying options for *
debug1: <FILTERED> line 15: Applying options for *.wmnet
debug1: Reading configuration data <FILTERED>
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Executing proxy command: exec ssh -a -W labsdb1009.mgmt.eqiad.wmnet:22 bast1001.wikimedia.org
debug1: permanently_drop_suid: 1000
debug1: identity file <FILTERED> type 1
debug1: key_load_public: No such file or directory
debug1: identity file <FILTERED>-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.4p1 Debian-10+deb9u2
debug1: Remote protocol version 2.0, remote software version mpSSH_0.2.1
debug1: no match: mpSSH_0.2.1
debug2: fd 5 setting O_NONBLOCK
debug2: fd 4 setting O_NONBLOCK
debug1: Authenticating to labsdb1009.mgmt.eqiad.wmnet:22 as 'root'
debug3: hostkeys_foreach: reading file "<FILTERED>"
debug3: record_hostkey: found key type RSA in file <FILTERED>
debug3: load_hostkeys: loaded 1 keys from labsdb1009.mgmt.eqiad.wmnet
debug3: order_hostkeyalgs: prefer hostkeyalgs: ssh-rsa-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256,ssh-rsa
debug3: send packet: type 20
debug1: SSH2_MSG_KEXINIT sent
debug3: receive packet: type 20
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,ext-info-c
debug2: host key algorithms: ssh-rsa-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib@openssh.com,zlib
debug2: compression stoc: none,zlib@openssh.com,zlib
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: host key algorithms: ssh-rsa,ssh-dss
debug2: ciphers ctos: aes256-ctr,aes256-cbc,aes128-cbc,3des-cbc
debug2: ciphers stoc: aes256-ctr,aes256-cbc,aes128-cbc,3des-cbc
debug2: MACs ctos: hmac-sha1,hmac-sha2-256,hmac-md5
debug2: MACs stoc: hmac-sha1,hmac-sha2-256,hmac-md5
debug2: compression ctos: none
debug2: compression stoc: none
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug1: kex: algorithm: diffie-hellman-group14-sha1
debug1: kex: host key algorithm: ssh-rsa
debug1: kex: server->client cipher: aes256-ctr MAC: hmac-sha2-256 compression: none
debug1: kex: client->server cipher: aes256-ctr MAC: hmac-sha2-256 compression: none
debug1: sending SSH2_MSG_KEXDH_INIT
debug2: bits set: 1000/2048
debug3: send packet: type 30
debug1: expecting SSH2_MSG_KEXDH_REPLY
debug3: receive packet: type 31
debug1: Server host key: ssh-rsa SHA256:<FILTERED>
debug3: hostkeys_foreach: reading file "<FILTERED>"
debug3: record_hostkey: found key type RSA in file <FILTERED>
debug3: load_hostkeys: loaded 1 keys from labsdb1009.mgmt.eqiad.wmnet
debug1: Host 'labsdb1009.mgmt.eqiad.wmnet' is known and matches the RSA host key.
debug1: Found key in <FILTERED>
debug2: bits set: 1008/2048
debug3: send packet: type 21
debug2: set_newkeys: mode 1
debug1: rekey after 4294967296 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug3: receive packet: type 21
debug1: SSH2_MSG_NEWKEYS received
debug2: set_newkeys: mode 0
debug1: rekey after 4294967296 blocks
debug2: key: <FILTERED> (<FILTERED>), explicit, agent
debug2: key: <FILTERED> (<FILTERED>), agent
debug3: send packet: type 5
debug3: receive packet: type 6
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug3: send packet: type 50
debug3: receive packet: type 51
debug1: Authentications that can continue: password,publickey
debug3: start over, passed a different list password,publickey
debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: <FILTERED>
debug3: send_pubkey_test
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue: password,publickey
debug1: Offering RSA public key: <FILTERED>
debug3: send_pubkey_test
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue: password,publickey
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred: ,password
debug3: authmethod_is_enabled password
debug1: Next authentication method: password
root@labsdb1009.mgmt.eqiad.wmnet's password:
debug3: send packet: type 50
debug2: we sent a password packet, wait for reply
debug3: receive packet: type 52
debug1: Authentication succeeded (password).
Authenticated to labsdb1009.mgmt.eqiad.wmnet (via proxy).
debug1: channel 0: new [client-session]
debug3: ssh_session2_open: channel_new: 0
debug2: channel 0: send open
debug3: send packet: type 90
debug1: Entering interactive session.
debug1: pledge: proc
debug3: receive packet: type 91
debug2: callback start
debug2: client_session2_setup: id 0
debug2: channel 0: request pty-req confirm 1
debug3: send packet: type 98
debug1: Sending environment.
debug3: Ignored env KDE_MULTIHEAD
debug3: Ignored env GS_LIB
debug3: Ignored env KDE_FULL_SESSION
debug1: Sending env LC_ALL = en_US.UTF-8
debug2: channel 0: request env confirm 0
debug3: send packet: type 98
debug3: Ignored env LS_COLORS
debug1: Sending env LANG = es_ES.UTF-8
debug2: channel 0: request env confirm 0
debug3: send packet: type 98
debug3: Ignored env DISPLAY
debug3: Ignored env PROFILEHOME
debug3: Ignored env SHELL_SESSION_ID
debug3: Ignored env COLORTERM
debug3: Ignored env XDG_VTNR
debug3: Ignored env SSH_AUTH_SOCK
debug3: Ignored env XDG_SESSION_ID
debug3: Ignored env USER
debug3: Ignored env DESKTOP_SESSION
debug3: Ignored env GTK2_RC_FILES
debug3: Ignored env PWD
debug3: Ignored env HOME
debug3: Ignored env SSH_AGENT_PID
debug3: Ignored env XCURSOR_SIZE
debug3: Ignored env QT_ACCESSIBILITY
debug3: Ignored env XDG_SESSION_TYPE
debug3: Ignored env XDG_DATA_DIRS
debug3: Ignored env KONSOLE_DBUS_SESSION
debug3: Ignored env XDG_SESSION_DESKTOP
debug3: Ignored env KONSOLE_DBUS_WINDOW
debug3: Ignored env TERM
debug3: Ignored env SHELL
debug3: Ignored env KONSOLE_DBUS_SERVICE
debug3: Ignored env XDG_SESSION_CLASS
debug3: Ignored env XDG_SEAT_PATH
debug3: Ignored env XCURSOR_THEME
debug3: Ignored env XDG_CURRENT_DESKTOP
debug3: Ignored env GPG_AGENT_INFO
debug3: Ignored env QT_LINUX_ACCESSIBILITY_ALWAYS_ON
debug3: Ignored env KONSOLE_PROFILE_NAME
debug3: Ignored env XDG_SEAT
debug3: Ignored env SHLVL
debug3: Ignored env COLORFGBG
debug3: Ignored env LANGUAGE
debug3: Ignored env GTK_RC_FILES
debug3: Ignored env WINDOWID
debug3: Ignored env LOGNAME
debug3: Ignored env DBUS_SESSION_BUS_ADDRESS
debug3: Ignored env XDG_RUNTIME_DIR
debug3: Ignored env XAUTHORITY
debug3: Ignored env XDG_SESSION_PATH
debug3: Ignored env QT_AUTO_SCREEN_SCALE_FACTOR
debug3: Ignored env PATH
debug3: Ignored env KDE_SESSION_UID
debug3: Ignored env KDE_SESSION_VERSION
debug3: Ignored env SESSION_MANAGER
debug3: Ignored env _
debug2: channel 0: request shell confirm 1
debug3: send packet: type 98
debug2: callback done
debug2: channel 0: open confirm rwindow 1048576 rmax 2048
debug3: receive packet: type 99
debug2: channel_input_status_confirm: type 99 id 0
debug2: PTY allocation request accepted on channel 0
debug3: receive packet: type 99
debug2: channel_input_status_confirm: type 99 id 0
debug2: shell request accepted on channel 0
User:root logged-in to ILOMXQ62005Z0.(<FILTERED>)
On Tue, Jan 16, 2018 at 7:31 PM, Chase Pettet cpettet@wikimedia.org wrote:
Andrew found out today that certain of our servers require special handling for getting on the mgmt interface.
example: ssh -oKexAlgorithms=diffie-hellman-group14-sha1 -oCiphers=aes256-cbc root@labvirt1005.mgmt.eqiad.wmnet
labcontrol1003.mgmt.eqiad.wmnet
labcontrol1004.mgmt.eqiad.wmnet
labmon1001.mgmt.eqiad.wmnet
labnodepool1002.mgmt.eqiad.wmnet
labpuppetmaster1001.mgmt.eqiad.wmnet
labpuppetmaster1002.mgmt.eqiad.wmnet
labsdb1001.mgmt.eqiad.wmnet
labsdb1003.mgmt.eqiad.wmnet
labsdb1009.mgmt.eqiad.wmnet
labsdb1010.mgmt.eqiad.wmnet
labsdb1011.mgmt.eqiad.wmnet
labtestcontrol2003.mgmt.codfw.wmnet
labtestmetal2001.mgmt.codfw.wmnet
labtestnet2002.mgmt.codfw.wmnet
labtestneutron2002.mgmt.codfw.wmnet
labtestpuppetmaster2001.mgmt.codfw.wmnet
labtestservices2002.mgmt.codfw.wmnet
labtestservices2003.mgmt.codfw.wmnet
labtestvirt2003.mgmt.codfw.wmnet
labvirt1001.mgmt.eqiad.wmnet
labvirt1002.mgmt.eqiad.wmnet
labvirt1003.mgmt.eqiad.wmnet
labvirt1004.mgmt.eqiad.wmnet
labvirt1005.mgmt.eqiad.wmnet
labvirt1006.mgmt.eqiad.wmnet
labvirt1007.mgmt.eqiad.wmnet
labvirt1008.mgmt.eqiad.wmnet
labvirt1009.mgmt.eqiad.wmnet
labvirt1010.mgmt.eqiad.wmnet
labvirt1011.mgmt.eqiad.wmnet
labvirt1012.mgmt.eqiad.wmnet
labvirt1013.mgmt.eqiad.wmnet
labvirt1014.mgmt.eqiad.wmnet
--
Chase Pettet
chasemp on phabricator https://phabricator.wikimedia.org/p/chasemp/ and IRC
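The -vvv output above shows why the two clients behave differently: the iLO (mpSSH_0.2.1) only proposes diffie-hellman-group14-sha1/group1-sha1, ssh-rsa/ssh-dss, CTR and CBC ciphers and SHA-1/MD5 MACs, so whether a connection works depends entirely on which of those the client still lists. As an added example (not code from this thread or from Wikimedia's tooling), the Python below parses the two KEXINIT proposals out of -vvv output, applies the RFC 4253 rule (first client algorithm the server also offers) per field, and reports the minimal -o flags a client would need, refusing to suggest algorithms that are weak by today's standards. The sample log is constructed: its server side copies the iLO proposal shown above, its client side is a constructed proposal that no longer offers SHA-1 key exchange or ssh-rsa host keys.

```python
import re

# Constructed `ssh -vvv` excerpt: the server proposal copies what the iLO (mpSSH_0.2.1)
# offered in the thread; the client proposal is constructed without SHA-1 KEX or ssh-rsa.
SAMPLE_LOG = """\
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,diffie-hellman-group16-sha512,diffie-hellman-group14-sha256
debug2: host key algorithms: rsa-sha2-512,rsa-sha2-256,ssh-ed25519
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes256-ctr,aes256-gcm@openssh.com
debug2: MACs ctos: umac-64-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-256,hmac-sha2-512
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: host key algorithms: ssh-rsa,ssh-dss
debug2: ciphers ctos: aes256-ctr,aes256-cbc,aes128-cbc,3des-cbc
debug2: MACs ctos: hmac-sha1,hmac-sha2-256,hmac-md5
"""
FIELDS = ("KEX algorithms", "host key algorithms", "ciphers ctos", "MACs ctos")  # stoc works the same
# ssh_config option that governs each field; "+" appends to the client's default list.
OPTION_FOR = {"KEX algorithms": "KexAlgorithms", "host key algorithms": "HostKeyAlgorithms",
              "ciphers ctos": "Ciphers", "MACs ctos": "MACs"}
# Algorithms not worth re-enabling even for a legacy BMC (1024-bit DH, DSA, 3DES, MD5, CBC).
LEGACY = {"diffie-hellman-group1-sha1", "ssh-dss", "3des-cbc", "hmac-md5",
          "aes256-cbc", "aes128-cbc"}

def parse_proposals(log):
    """Return {'client': {field: [algs]}, 'server': {...}} from -vvv output."""
    proposals, side = {"client": {}, "server": {}}, None
    for line in log.splitlines():
        if "KEXINIT proposal" in line:
            side = "client" if "local client" in line else "server"
            continue
        m = re.match(r"debug2: (.+?): (.*)$", line)
        if side and m and m.group(1) in FIELDS:
            proposals[side][m.group(1)] = [a for a in m.group(2).split(",") if a]
    return proposals

def report(log):
    """RFC 4253 rule per field: the first client algorithm the server also lists wins."""
    proposals, chosen, needed = parse_proposals(log), {}, {}
    for field in FIELDS:
        server = proposals["server"].get(field, [])
        chosen[field] = next((a for a in proposals["client"].get(field, []) if a in server), None)
        if chosen[field] is None:  # no overlap: suggest the first server option that is not LEGACY
            ok = [a for a in server if a not in LEGACY]
            needed[OPTION_FOR[field]] = ok[0] if ok else None
    return {"negotiated": chosen,
            "extra_flags": sorted(f"-o{o}=+{a}" if a else f"{o}: only legacy algorithms offered" for o, a in needed.items()),
            "legacy_in_use": sorted(a for a in chosen.values() if a in LEGACY)}
```

For the constructed log the result is two flags, -oKexAlgorithms=+diffie-hellman-group14-sha1 and -oHostKeyAlgorithms=+ssh-rsa, while aes256-ctr and hmac-sha2-256 negotiate on their own, so the -oCiphers=aes256-cbc from the first message is not needed; a Host stanza in ~/.ssh/config scoped to the mgmt hosts keeps such exceptions from leaking into every session.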
Cloud-admin mailing list
Cloud-admin@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/cloud-admin