Pivotal Knowledge Base

gpssh-exkeys Fails with Error: "Permission denied" During Local Key Exchange

Environment

 Product            Version
 Pivotal Greenplum  4.2.8.1
 OS                 RHEL 6.x

Symptom

The gpssh-exkeys command returns the following error:

[root@mdw gpadmin]# gpssh-exkeys -f /home/gpadmin/gpconfigs/hostfile_exkeys
[STEP 1 of 5] create local ID and authorize on local host
... /root/.ssh/id_rsa file exists ... key generation skipped
[ERROR mdw.company.com] authentication check failed:
Permission denied (publickey,password).
[ERROR] cannot establish ssh access into the local host?

Cause and Resolution

  • During the key exchange, gpssh-exkeys first attempts to authenticate to the local host before it exchanges keys with the rest of the cluster. In this case, the error above occurred because PermitRootLogin was set to no in /etc/ssh/sshd_config:
      PermitRootLogin no
    1. Comment out PermitRootLogin in /etc/ssh/sshd_config
      #PermitRootLogin no
    2. Restart sshd
      service sshd restart
  • Another cause for this error could be related to permissions for the user home directory. If "StrictModes" is set to "no" (by default) in "/etc/ssh/sshd_config", the required permissions for SSH are as follows:
    chmod g-w /home/your_user
    chmod 700 /home/your_user/.ssh
    chmod 600 /home/your_user/.ssh/authorized_keys
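
The checks above as a script (an added example, not part of the original article or of Greenplum; the function names and the sample sshd -T output are constructed, and GNU stat as shipped on RHEL is assumed). It reads the effective PermitRootLogin and StrictModes values from sshd -T output and tests a home directory against the three chmod targets listed above:

```shell
#!/bin/sh
# Added example: function names and the sample sshd -T output are constructed.

# Print one keyword's value from `sshd -T` output on stdin.
# sshd -T prints the effective configuration as lowercase "keyword value" lines.
effective_setting() {
    awk -v key="$1" '$1 == key { print $2; exit }'
}

# Report a path whose octal mode differs from the expected one.
expect_mode() {
    actual=$(stat -c %a "$1" 2>/dev/null) || { echo "$1 is missing"; return 1; }
    [ "$actual" = "$2" ] && return 0
    echo "$1 has mode $actual, expected $2: chmod $2 $1"
    return 1
}

# Check the three permissions listed in the article for one home directory.
# Prints one line per problem; returns 0 when all three are satisfied.
check_ssh_perms() {
    home=$1
    rc=0
    mode=$(stat -c %a "$home" 2>/dev/null) || { echo "$home is missing"; return 2; }
    # 020 is the group-write bit; the leading 0 makes the shell read octal.
    if [ $(( 0$mode & 020 )) -ne 0 ]; then
        echo "$home is group-writable (mode $mode): chmod g-w $home"
        rc=1
    fi
    expect_mode "$home/.ssh" 700 || rc=1
    expect_mode "$home/.ssh/authorized_keys" 600 || rc=1
    return $rc
}

# Constructed sample; on a real host pipe `sshd -T` (run as root) instead.
SAMPLE='port 22
permitrootlogin no
strictmodes yes
pubkeyauthentication yes'

echo "PermitRootLogin: $(printf '%s\n' "$SAMPLE" | effective_setting permitrootlogin)"
echo "StrictModes: $(printf '%s\n' "$SAMPLE" | effective_setting strictmodes)"
check_ssh_perms "${1:-$HOME}" || true
```

Pass a home directory as the first argument to check a user other than the one running the script, for example /home/gpadmin.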

Comments

  • Mike Berendsen

    Another cause of this error is also an incorrect /etc/hosts entry for the localhost hostname.

    For example, the mdw IP address inside /etc/hosts is incorrect. Make sure all IP addresses inside /etc/hosts are correct if these steps have not helped.

  • Brendan Stephens

    Similar issue, whereby we couldn't use public key authentication to log in...
    ssh -vvv -o PreferredAuthentications=publickey sdwX

    The problem was SELinux related: the security contexts of the user's home directory.
    Tested by using the restorecon tool: restorecon -Rv /home (or /root)
    -- then disabled selinux.