Re: SSH to machines from add-user

[Rick Harding]

I worked with Tom on this in IRC and got to the bottom of it. We hit a
corner case of the superuser. The folks that own the controller themselves
are a bit special. While technically they're the boss and can juju status
any model in the controller, they don't see all the models by default in
juju models and the like. It'd make being the controller admins a real
pain.

Likewise, we don't auto add the ssh key of every superuser to every machine
in every model regardless of the owner. We take the tact that supserusers
can sudo around and do anything, but by default commands only allow them to
do things on models they've been given model level access to directly.

Tom was setting up a controller, adding a user, and granting them superuser
on the controller. However, as the user had no direct share/access to the
model in question it could not ssh to the machines in the model.

I think we can be more clear here around the error messaging as we know the
user is a superuser and why the request failed.

On Fri, May 11, 2018 at 6:11 AM Tom Barber  wrote:

> Hello folks
>
> IRC has failed me so lets try the wider world.
>
> We have a multinode manual cloud deployed. We have juju add-user 2 new
> users and also juju add-ssh-key for those users.
>
> We know the ssh key works because
>
> ssh ubuntu@
>
> works fine and we can sudo -i etc and do stuff.
>
> But
>
> juju ssh 
>
> says:
>
> ERROR permission denied (unauthorized access)
> 11:05:18 DEBUG cmd supercommand.go:459 error stack:
> permission denied (unauthorized access)
> github.com/juju/juju/rpc/client.go:149:
> github.com/juju/juju/api/apiclient.go:924:
> github.com/juju/juju/api/sshclient/facade.go:109:
> github.com/juju/juju/cmd/juju/commands/ssh_common.go:257:
> github.com/juju/juju/cmd/juju/commands/ssh_common.go:141:
> github.com/juju/juju/cmd/juju/commands/ssh.go:117:
>
> I've looked at the code and it claims we can
>
> juju ssh ubuntu@ -i 
>
> that fails with the same error.
>
> If I tail the target servers auth.log there isn't even a failed login
> attempt which strikes me as a little weird considering it says
>
> permission denied (unauthorized access)
>
> Which does make me question... what permission is denied?
>
>
> --
>
>
> Spicule Limited is registered in England & Wales. Company Number:
> 09954122. Registered office: First Floor, Telecom House, 125-135 Preston
> Road, Brighton, England, BN1 6AF. VAT No. 251478891.
>
>
>
>
> All engagements
> are subject to Spicule Terms and Conditions of Business. This email and
> its
> contents are intended solely for the individual to whom it is addressed
> and
> may contain information that is confidential, privileged or otherwise
> protected from disclosure, distributing or copying. Any views or opinions
> presented in this email are solely those of the author and do not
> necessarily represent those of Spicule Limited. The company accepts no
> liability for any damage caused by any virus transmitted by this email. If
> you have received this message in error, please notify us immediately by
> reply email before deleting it from your system. Service of legal notice
> cannot be effected on Spicule Limited by email.
>
> --
> Juju mailing list
> Juju@lists.ubuntu.com
> Modify settings or unsubscribe at:
> https://lists.ubuntu.com/mailman/listinfo/juju
>
-- 
Juju mailing list
Juju@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/juju

SSH to machines from add-user

[Tom Barber]

Hello folks

IRC has failed me so lets try the wider world.

We have a multinode manual cloud deployed. We have juju add-user 2 new 
users and also juju add-ssh-key for those users.


We know the ssh key works because

ssh ubuntu@

works fine and we can sudo -i etc and do stuff.

But

juju ssh 

says:

ERROR permission denied (unauthorized access)
11:05:18 DEBUG cmd supercommand.go:459 error stack:
permission denied (unauthorized access)
github.com/juju/juju/rpc/client.go:149:
github.com/juju/juju/api/apiclient.go:924:
github.com/juju/juju/api/sshclient/facade.go:109:
github.com/juju/juju/cmd/juju/commands/ssh_common.go:257:
github.com/juju/juju/cmd/juju/commands/ssh_common.go:141:
github.com/juju/juju/cmd/juju/commands/ssh.go:117:

I've looked at the code and it claims we can

juju ssh ubuntu@ -i 

that fails with the same error.

If I tail the target servers auth.log there isn't even a failed login 
attempt which strikes me as a little weird considering it says


permission denied (unauthorized access)

Which does make me question... what permission is denied?


--


Spicule Limited is registered in England & Wales. Company Number: 
09954122. Registered office: First Floor, Telecom House, 125-135 Preston 
Road, Brighton, England, BN1 6AF. VAT No. 251478891.





All engagements 
are subject to Spicule Terms and Conditions of Business. This email and its 
contents are intended solely for the individual to whom it is addressed and 
may contain information that is confidential, privileged or otherwise 
protected from disclosure, distributing or copying. Any views or opinions 
presented in this email are solely those of the author and do not 
necessarily represent those of Spicule Limited. The company accepts no 
liability for any damage caused by any virus transmitted by this email. If 
you have received this message in error, please notify us immediately by 
reply email before deleting it from your system. Service of legal notice 
cannot be effected on Spicule Limited by email.


--
Juju mailing list
Juju@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/juju