#1 2024-01-26 00:53:22

chuckd333
Member
Registered: 2023-03-09
Posts: 28

Can SSH but virsh -c qemu+ssh://... ERROR: Perm. Denied (public key)

I have an Arch laptop and an Arch home server (changed from the previous setup question I had). I use libvirt and qemu. And eventually/hopefully virt-manager to run VMs.

My server and laptop have the same (not sure if laptop needs the same) sshd_config:

$ cat /etc/ssh/sshd_config
...
Port 42####

# Authentication:

#LoginGraceTime 2m

PermitRootLogin no

#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

PubkeyAuthentication yes

# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile      .ssh/authorized_keys

#AuthorizedPrincipalsFile none

#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody
...

I can SSH from the laptop terminal to the server no problem with my private/public key pair, no password or root login. Also the AuthorizedKeysFile on the server is present:

$ ssh -i ~/.ssh/ed25519 chris@192.168.1.## -p 42###

But when I try to use virsh for system or session from LAPTOP I receive the public key error:

$ virsh -c qemu+ssh://chris@192.168.1.##:42###/system
error: failed to connect to the hypervisor
error: Cannot recv data: chris@192.168.1.##: Permission denied (publickey).: Connection reset by peer

$ virsh -c qemu+ssh://chris@192.168.1.##:42###/session
error: failed to connect to the hypervisor
error: Cannot recv data: chris@192.168.1.##: Permission denied (publickey).: Connection reset by peer
$ journalctl     //same error for session and system
...
Jan 25 18:06:05 arch polkitd[462]: Registered Authentication Agent for unix-process:1237:24897 (system bus name :1.52 [/usr/bin/pkttyagent --process 1237 --notify-fd 4 --fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
Jan 25 18:06:05 arch polkitd[462]: Unregistered Authentication Agent for unix-process:1237:24897 (system bus name :1.52, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)

So "unregistered auth agent".

But in SERVER libvirtd.conf:

unix_sock_group = "libvirt"
auth_unix_ro = "none"
auth_unix_rw = "none"

And in SERVER qemu.conf:

user = "chris"
# The group for QEMU processes run by the system instance. It can be
# specified in a similar way to user.
group = "libvirt-qemu"

Also chown as per https://wiki.archlinux.org/title/Virt-m … figuration:

# chown $USER:libvirt-qemu /var/lib/libvirt/images/     //same for /qemu
# ls -al /var/lib/libvirt/
drwxr-xr-x 2 root  root         4.0K Jan 17 15:37 boot/
drwxr-xr-x 2 root  root         4.0K Jan 17 15:37 ch/
drwxr-xr-x 2 root  root         4.0K Jan 17 15:37 dnsmasq/
drwxr-xr-x 2 root  root         4.0K Jan 17 15:37 filesystems/
drwxr-xr-x 2 chris libvirt-qemu 4.0K Jan 24 22:29 images/
drwxr-xr-x 3 root  root         4.0K Jan 24 22:09 lockd/
drwxr-xr-x 2 root  root         4.0K Jan 17 15:37 lxc/
drwxr-xr-x 2 root  root         4.0K Jan 17 15:37 network/
drwxr-x--x 8 chris libvirt-qemu 4.0K Jan 24 22:10 qemu/
drwxr-xr-x 2 root  root         4.0K Jan 17 15:37 swtpm/

SSH file permissions on LAPTOP:

(laptop ~/.ssh) $ ls -al 
total 32K
-rw------- 1 chris chris 399 Jan 24 21:00 ed25519
-rw-r--r-- 1 chris chris  92 Jan 24 21:00 ed25519.pub
-rw------- 1 chris chris 834 Jan 24 20:49 known_hosts
-rw-r--r-- 1 chris chris  94 Jan 24 20:48 known_hosts.old

SSH file permissions on SERVER:

(server ~/.ssh) $ ls -al
total 16K
-rw------- 1 chris chris  92 Jan 24 21:25 authorized_keys
-rw-r--r-- 1 chris chris  92 Jan 24 21:01 ed25519.pub
-rw------- 1 chris chris 834 Jan 24 20:50 known_hosts
-rw-r--r-- 1 chris chris  94 Jan 24 20:50 known_hosts.old

Running services on SERVER:

$ systemctl --type=service
  UNIT                                                  LOAD   ACTIVE SUB     DESCRIPTION                                       
  dbus-broker.service                                   loaded active running D-Bus System Message Bus
  getty@tty1.service                                    loaded active running Getty on tty1
  kmod-static-nodes.service                             loaded active exited  Create List of Static Device Nodes
  libvirtd.service                                      loaded active running libvirt legacy monolithic daemon
  sshd.service                                          loaded active running OpenSSH Daemon
  systemd-boot-random-seed.service                      loaded active exited  Update Boot Loader Random Seed
  systemd-boot-update.service                           loaded active exited  Automatic Boot Loader Update
  systemd-fsck@dev-disk-by\x2duuid-84DD\x2dD90A.service loaded active exited  File System Check on /dev/disk/by-uuid/84DD-D90A
  systemd-journal-flush.service                         loaded active exited  Flush Journal to Persistent Storage
  systemd-journald.service                              loaded active running Journal Service
  systemd-logind.service                                loaded active running User Login Management
  systemd-machined.service                              loaded active running Virtual Machine and Container Registration Service
  systemd-modules-load.service                          loaded active exited  Load Kernel Modules
  systemd-network-generator.service                     loaded active exited  Generate network units from Kernel command line
  systemd-networkd.service                              loaded active running Network Configuration
  systemd-random-seed.service                           loaded active exited  Load/Save OS Random Seed
  systemd-remount-fs.service                            loaded active exited  Remount Root and Kernel File Systems
  systemd-resolved.service                              loaded active running Network Name Resolution
  systemd-sysctl.service                                loaded active exited  Apply Kernel Variables
  systemd-tmpfiles-setup-dev-early.service              loaded active exited  Create Static Device Nodes in /dev gracefully
  systemd-tmpfiles-setup-dev.service                    loaded active exited  Create Static Device Nodes in /dev
  systemd-tmpfiles-setup.service                        loaded active exited  Create Volatile Files and Directories
  systemd-udev-trigger.service                          loaded active exited  Coldplug All udev Devices
  systemd-udevd.service                                 loaded active running Rule-based Manager for Device Events and Files
  systemd-update-utmp.service                           loaded active exited  Record System Boot/Shutdown in UTMP
  systemd-user-sessions.service                         loaded active exited  Permit User Sessions
  systemd-userdbd.service                               loaded active running User Database Manager
  systemd-vconsole-setup.service                        loaded active exited  Virtual Console Setup
  user-runtime-dir@1000.service                         loaded active exited  User Runtime Directory /run/user/1000
  user@1000.service                                     loaded active running User Manager for UID 1000
  virtlogd.service                                      loaded active running libvirt logging daemon

And finally SSH-AGENT and SSH-ADD on both SERVER and LAPTOP (diff. PIDs obviously):

$ ssh-agent
SSH_AUTH_SOCK=/tmp/ssh-XXXXXXYUR1nP/agent.5673; export SSH_AUTH_SOCK;
SSH_AGENT_PID=5674; export SSH_AGENT_PID;
echo Agent pid 5674;

$ ssh-add
Could not open a connection to your authentication agent.

What am I missing?


#2 2024-01-26 23:31:03

chuckd333

Re: Can SSH but virsh -c qemu+ssh://... ERROR: Perm. Denied (public key)

After going back to basics and allowing SSH root login and password login and troubleshooting, turns out using virt-manager on laptop, I can only access qemu on the server with a password. And I had to install x11-ssh-askpass package on laptop.

I also commented out the auth lines in libvirtd_config. Not sure if that was necessary.

When I had Void Linux and libvirt/qemu/kvm on the server, I was able to "virsh -c qemu+ssh..." from laptop without a password.

The problem now is my server allows:

$ cat /etc/ssh/sshd_config
PasswordAuthentication yes

How can I fix this?

[EDIT] I just tried to install a VM using virt-manager and I am now constantly asked for a password. It seems for every elevated command when starting up an .iso I have to provide authentication.

Both LAPTOP and SERVER are using Arch

Last edited by chuckd333 (2024-01-26 23:41:42)


#3 2024-01-27 20:49:06

chuckd333

Re: Can SSH but virsh -c qemu+ssh://... ERROR: Perm. Denied (public key)

https://www.reddit.com/r/qemu_kvm/comme … &context=3

After posting the initial post, I also ran the eval $(ssh-agent -c) command but I was still unable to connect.

I rebooted server and laptop and ran the ssh-agent command again and it worked:

[chris@arch.laptop][~]
$  ssh-agent
SSH_AUTH_SOCK=/tmp/ssh-XXXXXXN8xmnw/agent.1538; export SSH_AUTH_SOCK;
SSH_AGENT_PID=1539; export SSH_AGENT_PID;
echo Agent pid 1539;

[chris@arch.laptop][~]
$  eval $(ssh-agent -c)
Agent pid 1569

[chris@arch.laptop][~]
$  ssh-add ~/.ssh/ed25519
Identity added: /home/chris/.ssh/ed25519 (chris@arch)

[chris@arch.laptop][~]
$  virsh -c qemu+ssh://chris@192.168.1.10:220/system
Welcome to virsh, the virtualization interactive terminal.

Type:  'help' for help with commands
       'quit' to quit

virsh # 

The virt-manager GUI still won't connect with "qemu+ssh..." so in order to make that work I have to run:

virt-manager -c qemu+ssh://chris@192.168.1.10:220/system

If someone is able to offer input on how to connect from the virt-manager GUI, that'd be great. I'll leave as unsolved for a day or so in case someone can answer that, then I'll come back and mark as solved.

Offline
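
The thread's symptom in script form, as an added example that is not part of the original posts: virsh and virt-manager spawn a plain ssh with no -i option, so a key named ed25519 (not a default name such as id_ed25519) is only offered if an agent is exported in the launching shell or ~/.ssh/config names it with IdentityFile. The function names are hypothetical; the stanza writer takes host, port, user and key path as arguments (in this thread: 192.168.1.10, 220, chris, ~/.ssh/ed25519).

```sh
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# Print the key sources a plain `ssh` with no -i option could use for <host>.
identity_sources() {
    ssh_dir=$1 host=$2 found=""

    # 1. Default key file names ssh tries with no configuration at all.
    for name in id_rsa id_ecdsa id_ecdsa_sk id_ed25519 id_ed25519_sk; do
        if [ -f "$ssh_dir/$name" ]; then found="$found default:$name"; fi
    done

    # 2. IdentityFile inside a Host block that names this host literally
    #    (simplified: no wildcard patterns, no Match blocks).
    if [ -f "$ssh_dir/config" ] && awk -v h="$host" '
        tolower($1) == "host" { hit = 0; for (i = 2; i <= NF; i++) if ($i == h) hit = 1 }
        hit && tolower($1) == "identityfile" { ok = 1 }
        END { exit !ok }' "$ssh_dir/config"; then
        found="$found config"
    fi

    # 3. An agent socket exported in this shell. Running `ssh-agent` without
    #    eval only prints the variables; it does not set them here.
    if [ -n "${SSH_AUTH_SOCK:-}" ] && [ -S "$SSH_AUTH_SOCK" ]; then
        found="$found agent"
    fi

    found=${found# }
    echo "${found:-none}"
}

# Append a Host block so the non-default key is found without -i or an agent.
add_identity_stanza() {
    ssh_dir=$1 host=$2 port=$3 user=$4 key=$5
    mkdir -p "$ssh_dir"
    chmod 700 "$ssh_dir"
    cat >> "$ssh_dir/config" <<EOF

Host $host
    Port $port
    User $user
    IdentityFile $key
    IdentitiesOnly yes
EOF
    chmod 600 "$ssh_dir/config"
}
```

Running `identity_sources ~/.ssh 192.168.1.10` on the laptop and getting `none` means a qemu+ssh connection to that host has no key to offer, whatever `ssh -i` does interactively.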
