dkeyexch failure on AIX
In 2015, I wrote about “Open a HMC LPAR console from the AIX command line using dconsole!”. Here’s the link to the post: http://gibsonnet.net/blog/cgaix/html/Open%20a%20HMC%20LPAR%20console%20from%20the%20AIX%20command%20line%20using%20dconsole!.html
In that post I mentioned using dkeyexch to exchange ssh keys between an AIX host and the HMC.
More recently I received a Slack message from an IBM colleague asking for some help with dkeyexch, because it was failing.
Here’s the Slack message:
“Hi @cg, how are you?
There was a block on port 22 and I applied a rule and I still can't authenticate the Object Type hmc and because of that I can't authenticate with the hmc, what do you think could be happening? Would you help me?
# dkeyexch -f /export/mynim/passwd/hmc_passwd -I hmc -H phmc1
OpenSSH_9.2p1, OpenSSL 1.1.1t 7 Feb 2023
2760-287 [dkeyexch] Internal error - exchange script returns unknown error: 1
# telnet phmc1 22
Trying...
Connected to phmc1.
Escape character is '^]'.
SSH-2.0-OpenSSH_8.0
1:10
Thanks in advance for your help!!!”
First we looked at the log file for dsm, dkeyexch.log.052 (see below). All we could see was a message saying, “timed out waiting for test message”.
# pwd
/var/ibm/sysmgt/dsm/log
# ls -ltr
total 24
-rw-r--r-- 1 root system 6374 Feb 21 18:42 dkeyexch.log.052
# cat dkeyexch.log.052
18:26:18: Wed Feb 21 2024
18:26:18: main: Process id is 6816130
18:26:18: main: Target = phmc1
18:26:18: main: InterfaceType = hmc
18:26:18: main: Operation = add
18:26:18: main: Parsing password file
18:26:18: parse_pswd_file: attempting to open password file
18:26:18: parse_pswd_file: reading password file into list
18:26:18: main: checking status of local keys
18:26:18: get_local_keys: opening /.ssh/id_rsa.pub
18:26:18: get_local_keys: cannot open /.ssh/id_rsa.pub
18:26:18: get_local_keys: opening /.ssh/id_dsa.pub
18:26:18: get_local_keys: cannot open /.ssh/id_dsa.pub
18:26:18: get_local_keys: returning status 0
18:26:18: main: get_local_keys returns 0
18:26:18: main: calling gen_local_keys to generate any needed keys
18:26:18: gen_local_keys: invoked with operand 0
18:26:18: gen_local_keys: Generating local RSA public key to prefix /.ssh/id_rsa
18:26:28: gen_local_keys: RSA key generated - reading key file
18:26:28: gen_local_keys: reading /.ssh/id_rsa.pub
18:26:28: gen_local_keys: Generating local DSA public key to prefix /.ssh/id_dsa
18:26:28: gen_local_keys: DSA key generated - reading key file
18:26:28: gen_local_keys: reading /.ssh/id_dsa.pub
18:26:28: main: back from gen_local_keys
18:26:28: main: calling test_ssh
18:26:28: test_ssh: setting local environment to C
18:26:28: test_ssh: checking for /usr/bin/ssh
18:26:28: test_ssh: test if OpenSSH package installed
18:26:28: test_ssh: OpenSSH is installed on this system
18:26:28: test_ssh: recover SSH version
18:26:28: test_ssh: Message returned from ssh -V is OpenSSH_9.2p1, OpenSSL 1.1.1t 7 Feb 2023
18:26:28: test_ssh: sending test message to target
18:27:48: test_ssh: timed out waiting for test message
This led me to suspect that dkeyexch was unable to process the initial prompt to add the HMC's identity for the SSH login. So, we tried this from the AIX system first:
# ssh hscroot@phmc1
This would add the HMC's SSH identity to the known_hosts file on AIX; then we could run the dkeyexch command.
# ssh hscroot@phmc1
The authenticity of host 'phmc1 (10.1.1.24)' can't be established.
ED25519 key fingerprint is SHA256:f167/sH0Lwl+5chWP7QEl+nP6U0ehuAPTHD+V05z8lA.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'phmc1' (ED25519) to the list of known hosts.
(hscroot@phmc1) Password:
Last login: Thu Feb 1 02:53:18 2024 from 10.8.12.35
hscroot@phmc1:~> exit
exit
Connection to phmc1 closed.
Then the dkeyexch command ran successfully and the SSH key exchange worked as expected.
# dkeyexch -f /tmp/cg/hmc_passwd -I hmc -H phmc1
OpenSSH_9.2p1, OpenSSL 1.1.1t 7 Feb 2023
#
# ssh hscroot@phmc1 whoami
hscroot
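The fix above works because, on the post's diagnosis, test_ssh drives ssh non-interactively and sits on the "Are you sure you want to continue connecting" prompt until it gives up (80 seconds between "sending test message" and "timed out" in the log). Answering "yes" interactively clears the prompt, but it also accepts whatever key the far end happens to present. The following is an added example, not code from the original post or from IBM's dsm tooling: it seeds known_hosts for the HMC only after the scanned key's SHA256 fingerprint matches one obtained out of band, and it can tell whether the host is already known, including when HashKnownHosts is in use. The key line format is what ssh-keyscan prints (for example ssh-keyscan -t ed25519 phmc1); the sample key bytes, the hostname phmc1 and the expected fingerprint in the block are constructed for the demo, not the real HMC key shown above.

```python
"""Pre-seed known_hosts for a non-interactive SSH client such as dkeyexch.

Added example; not code from the original post or from IBM's dsm tooling.
Assumptions: the key line is in the format ssh-keyscan prints, and the
expected fingerprint was read out of band, not taken from the first login.
"""
import base64
import hashlib
import hmac
import os
import struct


def fingerprint_sha256(b64_key: str) -> str:
    """OpenSSH SHA256 fingerprint of a base64 public-key blob.

    Same value ssh and `ssh-keygen -lf` print: base64 of the raw SHA-256
    digest with the trailing '=' padding removed.
    """
    digest = hashlib.sha256(base64.b64decode(b64_key)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_keyscan_line(line: str):
    """Split an ssh-keyscan output line 'host keytype base64' into its fields."""
    parts = line.split()
    if len(parts) < 3 or not parts[2].startswith("AAAA"):
        raise ValueError("not a public key line: %r" % line)
    return parts[0], parts[1], parts[2]


def hashed_entry_name(host: str, salt: bytes = None) -> str:
    """HashKnownHosts form of a hostname: |1|b64(salt)|b64(HMAC-SHA1(salt, host))."""
    if salt is None:
        salt = os.urandom(20)
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(),
                          base64.b64encode(mac).decode())


def _plain_name(name: str) -> str:
    """'[host]:port' is the non-default-port form; reduce it to 'host'."""
    if name.startswith("[") and "]:" in name:
        return name[1:name.index("]:")]
    return name


def host_known(known_hosts: str, host: str) -> bool:
    """True if known_hosts already carries an entry for host, plain or hashed."""
    for line in known_hosts.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#") or fields[0] == "@revoked":
            continue
        if fields[0].startswith("@"):          # @cert-authority marker
            fields = fields[1:]
        if len(fields) < 3:                    # need name, key type, key
            continue
        names = fields[0]
        if names.startswith("|1|"):
            _, _, salt_b64, mac_b64 = names.split("|")
            want = hmac.new(base64.b64decode(salt_b64), host.encode(),
                            hashlib.sha1).digest()
            if hmac.compare_digest(base64.b64encode(want).decode(), mac_b64):
                return True
        elif host in (_plain_name(n) for n in names.split(",")):
            return True
    return False


def verify_and_add(known_hosts: str, keyscan_line: str, expected_fp: str) -> str:
    """Return known_hosts with the scanned key appended once its fingerprint
    matches expected_fp; raise instead of silently trusting a different key."""
    host, ktype, b64 = parse_keyscan_line(keyscan_line)
    actual = fingerprint_sha256(b64)
    if not hmac.compare_digest(actual.encode(), expected_fp.encode()):
        raise ValueError("fingerprint mismatch for %s: got %s, expected %s"
                         % (host, actual, expected_fp))
    if host_known(known_hosts, host):
        return known_hosts
    if known_hosts and not known_hosts.endswith("\n"):
        known_hosts += "\n"
    return known_hosts + "%s %s %s\n" % (host, ktype, b64)


# Constructed sample: an ssh-ed25519 blob in SSH wire format with 32 dummy
# key bytes. This is NOT the real phmc1 host key from the post.
def _ssh_string(data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + data


SAMPLE_KEY_B64 = base64.b64encode(
    _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))).decode()
SAMPLE_LINE = "phmc1 ssh-ed25519 " + SAMPLE_KEY_B64   # what ssh-keyscan would print
SAMPLE_FP = fingerprint_sha256(SAMPLE_KEY_B64)         # "read out of band" for the demo


if __name__ == "__main__":
    kh = verify_and_add("", SAMPLE_LINE, SAMPLE_FP)
    print(kh, end="")
    print("phmc1 known:", host_known(kh, "phmc1"))
```

Write the returned text to root's known_hosts (from the /.ssh/id_rsa path in the log, root's home on that system is /, so /.ssh/known_hosts) and dkeyexch should get past its test message. A quick way to reproduce what test_ssh ran into, before touching dkeyexch at all, is ssh -o BatchMode=yes hscroot@phmc1 true: with BatchMode the host-key prompt turns into an immediate "Host key verification failed" instead of a silent wait (BatchMode also disables password prompts, so once the host key is accepted the same command reports a permission error rather than logging in, which is fine for this check).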