root password change on one node : vnc not working anymore

nicolaspetitjean · Mar 31, 2021

Hello,
I have a 4 nodes cluster:
- node1
- node2
- node3
- node4
I wanted to change root password of node3, so i typed in shell :

Code:

$ passwd

But it did not work : after logout, the new password was not working, but the old one yes. So i assumed i changed password of the wrong node, because the new password is working with node4.
Anyway, for now, i have some troubles :
- node1 is ok
- node2 is ok
- node3 can only access vnc console of its own vms
- node4 can access vnc console of node3 and node4
Is there a way to fix that ?
Thanks

Moayad · Apr 1, 2021

Hi,

nicolaspetitjean said:
- node3 can only access vnc console of its own vms

also the shell for node3?

are you accessing the node3 using ssh? if so - with the old password?

have you tried on a different browser to access node3 and node4?

nicolaspetitjean · Apr 1, 2021

How to load console from node shell ? I did not know we can do that !
-> node3 is available through ssh and web interface with old password
-> node4 throught ssh and web interface with new password. It is the reason i think i changed password of the wrong node.
I tried with safari and firefox. Each time i have this error : Failed to run vncproxy

nicolaspetitjean · Apr 1, 2021

I did some researches. From node4, if i type (135 is ID of VM on node 1):

Code:

/usr/bin/ssh -e none -T -o BatchMode=yes 192.168.0.2 /usr/sbin/qm vncproxy 135

I get this respoonse :

Code:

Host key verification failed.

Moayad · Apr 1, 2021

please try pvecm updatecerts --force on your nodes

nicolaspetitjean · Apr 1, 2021

On every nodes ? A more verbose response from prev command :

Code:

OpenSSH_7.9p1 Debian-10+deb10u2, OpenSSL 1.1.1d  10 Sep 2019
debug1: Reading configuration data /root/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: /etc/ssh/ssh_config line 56: Deprecated option "useroaming"
debug1: Connecting to 192.168.0.2 [192.168.0.2] port 65022.
debug1: Connection established.
debug1: identity file /root/.ssh/id_rsa type 0
debug1: identity file /root/.ssh/id_rsa-cert type -1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: identity file /root/.ssh/id_dsa-cert type -1
debug1: identity file /root/.ssh/id_ecdsa type -1
debug1: identity file /root/.ssh/id_ecdsa-cert type -1
debug1: identity file /root/.ssh/id_ed25519 type -1
debug1: identity file /root/.ssh/id_ed25519-cert type -1
debug1: identity file /root/.ssh/id_xmss type -1
debug1: identity file /root/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_7.9p1 Debian-10+deb10u2
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.9p1 Debian-10+deb10u2
debug1: match: OpenSSH_7.9p1 Debian-10+deb10u2 pat OpenSSH* compat 0x04000000
debug1: Authenticating to 192.168.0.2:65022 as 'root'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: aes128-ctr MAC: umac-64-etm@openssh.com compression: none
debug1: kex: client->server cipher: aes128-ctr MAC: umac-64-etm@openssh.com compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:BcXFq9NCFs8VxoGNYICHyWIzI87bjap4U03FyKwOPew
debug1: checking without port identifier
Host key verification failed.

Moayad · Apr 1, 2021

nicolaspetitjean said:
On every nodes ?

yes.

nicolaspetitjean said:

Code:

OpenSSH_7.9p1 Debian-10+deb10u2, OpenSSL 1.1.1d  10 Sep 2019
debug1: Reading configuration data /root/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: /etc/ssh/ssh_config line 56: Deprecated option "useroaming"
debug1: Connecting to 192.168.0.2 [192.168.0.2] port 65022.
debug1: Connection established.
debug1: identity file /root/.ssh/id_rsa type 0
debug1: identity file /root/.ssh/id_rsa-cert type -1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: identity file /root/.ssh/id_dsa-cert type -1
debug1: identity file /root/.ssh/id_ecdsa type -1
debug1: identity file /root/.ssh/id_ecdsa-cert type -1
debug1: identity file /root/.ssh/id_ed25519 type -1
debug1: identity file /root/.ssh/id_ed25519-cert type -1
debug1: identity file /root/.ssh/id_xmss type -1
debug1: identity file /root/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_7.9p1 Debian-10+deb10u2
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.9p1 Debian-10+deb10u2
debug1: match: OpenSSH_7.9p1 Debian-10+deb10u2 pat OpenSSH* compat 0x04000000
debug1: Authenticating to 192.168.0.2:65022 as 'root'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: aes128-ctr MAC: umac-64-etm@openssh.com compression: none
debug1: kex: client->server cipher: aes128-ctr MAC: umac-64-etm@openssh.com compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:BcXFq9NCFs8VxoGNYICHyWIzI87bjap4U03FyKwOPew
debug1: checking without port identifier
Host key verification failed.

Is the above output from the pvecm updatecerts --force commands?

nicolaspetitjean · Apr 1, 2021

Moayad said:
yes.

Is the above output from the pvecm updatecerts --force commands?

No it is tihe output of :

Code:

/usr/bin/ssh -v -e none -T -o BatchMode=yes 192.168.0.2 /usr/sbin/qm vncproxy 135

nicolaspetitjean · Apr 1, 2021

Oh god, after updatecerts i have this error :

Capture d’écran 2021-04-01 à 14.44.03.png

Moayad · Apr 1, 2021

have you edit the /etc/hostname and/or /etc/hosts files?

please check the journalctl -f

nicolaspetitjean · Apr 1, 2021

yes i edited

Code:

/etc/hosts

, i removed public ip and added local ones :

Code:

#135.125.x.x    ______.ip-135-125-x.eu    node1
192.168.0.1    nsxxxxxx.ipxx-xxx-xxx.eu      node1
192.168.0.2    nsxxxxxx.ipxx-xxx-xxx.eu      node2
192.168.0.3     nsxxxxxx.ipxx-xxx-xxx.eu      node3
192.168.0.4    nsxxxxxx.ipxx-xxx-xxx.eu      node4

Is it bad practice ? The error does not show up in node1&2.

nicolaspetitjean · Apr 1, 2021

UPDATE.
This afternoon i wanted to migrate a vm from node4 to node3, and got this error :

Code:

Host key verification failed.
command '/usr/bin/ssh -e none -o 'BatchMode=yes' -o 'HostKeyAlias=nsxxxxxx' root@192.168.0.3 pvecm mtunnel -migration_network xxx.xxx.x.x/24 -get_migration_ip' failed: exit code 255

So i added host alias :

Code:

ssh -o 'HostKeyAlias= nsxxxxxx' root@192.168.0.3

And again that error:

Code:

Warning: the RSA host key for 'nsxxxxxx' differs from the key for the IP address '[192.168.0.3]:65022'
Offending key for IP in /root/.ssh/known_hosts:1
Matching host key in /etc/ssh/ssh_known_hosts:12

So i delete the offending key. And i found out that there is 2 known_hosts files (

Code:

/root/.ssh/known_hosts

and

Code:

/etc/ssh/ssh_known_hosts

) ?
Anyway after that, i added all alias (node1, 2 & 3) and now node seems to be ok. I gonna do the same for node3.

PS: how to create inline bbcode ?

Search

Search

root password change on one node : vnc not working anymore

nicolaspetitjean

Member

Moayad

Proxmox Staff Member

nicolaspetitjean

Member

nicolaspetitjean

Member

Moayad

Proxmox Staff Member

nicolaspetitjean

Member

Moayad

Proxmox Staff Member

nicolaspetitjean

Member

nicolaspetitjean

Member

Moayad

Proxmox Staff Member

nicolaspetitjean

Member

nicolaspetitjean

Member

We value your privacy