Pivotal Knowledge Base

Troubleshooting Guide on Configuring and Using CF SSH

Environment 

Product: Pivotal Cloud Foundry® (PCF)
Version: 1.6, 1.7, 1.8 and 1.9

Overview

Unable to ssh into an application container using:

cf ssh <app_name>

Symptoms

There can be multiple reasons why cf ssh is unable to connect to the application container. Here is a list of possible error messages.

  • Error opening SSH connection: dial tcp 10.7.19.185:2222: getsockopt: connection timed out
  • Error opening SSH connection: ssh: handshake failed: ssh: unable to authenticate, attempted methods [none password], no supported methods remain
  • Error opening SSH connection: dial tcp <load balancer ip>:2222: getsockopt: connection refused
  • Error: SSH session allocation failed: ssh: rejected: administratively prohibited 
    (SSH is not supported on windows cells)

Resolution

Start with this checklist to confirm the platform is properly configured for cf ssh and that the user trying to ssh to the application container has the correct permissions to do so.

  1. Check the Elastic Runtime tile configuration to make sure SSH is enabled for application containers. Go to the Ops Manager Web UI and click on the Elastic Runtime tile. Proceed to the `Application Containers` configuration page. Make sure the `Allow SSH access to app containers` checkbox is checked.
  2. cf ssh requires cf cli version 6.13 or higher. Please run cf version to verify the cf cli version installed.
  3. Verify that the application is allowing SSH:  
    cf target -o <org> -s <space> - Target the org and space where the application resides
    cf ssh-enabled <app_name>
    If SSH is not enabled for this application, please enable it by running the following:
    cf enable-ssh <app_name>
  4. Verify the space is allowing SSH where the application resides:
    cf target -o <org> -s <space> - Target the org and space where the application resides
    cf space-ssh-allowed <space_name>
    If SSH is not allowed in this space please enable it by running the following:
    cf allow-space-ssh <space_name>
  5. Any user attempting to SSH to an application container, including the admin user, needs to be assigned SpaceDeveloper permissions to the space where the application resides. This can be granted in the Apps Manager web UI or by using cf cli.

    In the Apps Manager web UI, select the correct org and then click on Members. Assign SpaceDeveloper permissions to the user who requires cf ssh access and save changes.
  6. Alternatively, cf cli can be used to change the permissions as well.
    cf target -o <org> -s <space> - Target the org and space where the application resides
    Example:  cf target -o system -s system
    cf set-space-role <user> <org_name> <space_name> SpaceDeveloper
    Example: cf set-space-role admin system autoscaling SpaceDeveloper - This is an example of giving the admin user SpaceDeveloper permission to the autoscaling space in the system org.
  7. Also, ensure that there is a DNS entry for ssh.<system-domain> when using a remote cloud service such as Microsoft Azure, Amazon Web Services, or Google Cloud Platform.

Follow the checklist above and resolve issues if found. Please open a ticket with Pivotal Support if unable to identify the problem using the steps above.
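
The command-line steps of the checklist (2, 3, 4 and 7) can be run as one script. This is an added example, not part of the original article or Pivotal's code; steps 1, 5 and 6 still have to be checked in Ops Manager and Apps Manager or with cf set-space-role. The function names, the matching on "enabled"/"disabled" in the cf output, and the use of getent for the DNS lookup are assumptions.

```bash
#!/bin/sh
# Added example, not Pivotal's code. Automates checklist steps 2, 3, 4 and 7.
# Assumption: `cf ssh-enabled` / `cf space-ssh-allowed` print a line containing
# "enabled" or "disabled"; adjust the patterns if your cf cli words it differently.

# Step 2: succeed if `cf version` output ($1) reports 6.13 or higher.
cf_version_ok() {
  ver=$(printf '%s\n' "$1" |
    sed -n 's/.*version \([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p' | head -n 1)
  [ -n "$ver" ] || return 2            # unparseable output counts as a failure
  major=${ver% *}; minor=${ver#* }
  [ "$major" -gt 6 ] || { [ "$major" -eq 6 ] && [ "$minor" -ge 13 ]; }
}

# Steps 3 and 4: succeed only if the command output ($1) says "enabled".
reports_enabled() {
  case "$1" in
    *[Dd]isabled*) return 1 ;;
    *[Ee]nabled*)  return 0 ;;
    *)             return 2 ;;         # e.g. not logged in, app not found
  esac
}

# Usage: check_cf_ssh <app_name> <space_name> [system-domain]
# Assumes `cf target -o <org> -s <space>` was already run.
# Prints one line per failed step; returns the number of failed steps.
check_cf_ssh() {
  app=$1; space=$2; system_domain=$3; failed=0
  cf_version_ok "$(cf version 2>&1)" ||
    { echo "FAIL step 2: cf cli older than 6.13 or unreadable"; failed=$((failed + 1)); }
  reports_enabled "$(cf ssh-enabled "$app" 2>&1)" ||
    { echo "FAIL step 3: run: cf enable-ssh $app"; failed=$((failed + 1)); }
  reports_enabled "$(cf space-ssh-allowed "$space" 2>&1)" ||
    { echo "FAIL step 4: run: cf allow-space-ssh $space"; failed=$((failed + 1)); }
  # Step 7 (skipped when no system domain is given). getent is Linux-specific;
  # substitute nslookup or dig on other platforms.
  if [ -n "$system_domain" ] && ! getent hosts "ssh.$system_domain" >/dev/null 2>&1
  then
    echo "FAIL step 7: no DNS entry for ssh.$system_domain"; failed=$((failed + 1))
  fi
  echo "$failed check(s) failed"
  return "$failed"
}

if [ "$#" -ge 2 ]; then check_cf_ssh "$@"; fi
```

Run it from a workstation that already has the org and space targeted, passing the app name, space name and optionally the system domain.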

Additional Information

Here are the articles created for specific cf ssh errors that require more steps than listed above. There is also an article for performing the cf ssh command with verbose mode turned on. This will provide additional information about the ssh failure. See the links below.
