How to get around AWS public key error when deploying Universal Forwarder script?

neiko
Explorer

Hi Guys

I'm using rroberts' bash script to remotely deploy universal forwarders using Amazon's EC2 servers, but when I execute the script I get a publickey error as below. Can anyone help me fix this please? Thanks

====================
Reading host logins from /opt/splunk/bin/scripts/whereToInstallUF

Starting.
---------------------------
Installing to splunkuser@10.204.49.94
**Permission denied (publickey).**
---------------------------
Installing to splunkuser@10.196.191.204
**Permission denied (publickey).**
---------------------------
Done
====================

Here's my script (remote_deploy_uf.sh):

#!/bin/sh

# This EXAMPLE script shows how to deploy the Splunk universal forwarder
# to many remote hosts via ssh and common Unix commands.
# For "real" use, this script needs ERROR DETECTION AND LOGGING!!

# --Variables that you must set -----

# Populate this file with a list of hosts that this script should install to,
# with one host per line. This must be specified in the form that should
# be used for the ssh login, ie. username@host
#
# Example file contents:
# splunkuser@60.xx.xx.xx
# splunkker@60.xx.xx.xx
#HOSTS_FILE="$HOME/whereToInstallUF"
HOSTS_FILE="/opt/splunk/bin/scripts/whereToInstallUF"

# This should be a WGET command that was *carefully* copied from splunk.com!!
# Sign into splunk.com and go to the download page, then look for the wget
# link near the top of the page (once you have selected your platform)
# copy and paste your wget command between the ""
#WGET_CMD="wget -O splunkforwarder..."
WGET_CMD="wget -O splunkforwarder-5.0.2-149561-Linux-x86_64.tgz 'http://www.splunk.com/page/download_track?file=5.0.2/universalforwarder/linux/splunkforwarder-5.0.2-149561-Linux-x86_64.tgz&ac=&wget=true&name=wget&typed=releases&elq=e98b13cf-ab8a-442e-913e-536c44576084'"

# Set the install file name to the name of the file that wget downloads
# (the second argument to wget)
#INSTALL_FILE="splunkforwarder..."
INSTALL_FILE="splunkforwarder-5.0.2-149561-Linux-x86_64.tgz"

# After installation, the forwarder will become a deployment client of this
# host.  Specify the host and management (not web) port of the deployment server
# that will be managing these forwarder instances.
# DEPLOY_SERVER="xxx.xxx.xxx.xxx:8089"
DEPLOY_SERVER="10.xx.xx.xx:8089"

# Set the new Splunk admin password
PASSWORD="newpassword"

# ----------- End of user settings -----------

# create script to run remotely. Watch out for line wraps, esp. in the "set deploy-poll" line below.  
REMOTE_SCRIPT="
cd /opt
$WGET_CMD
tar -xzf $INSTALL_FILE
# /opt/splunkforwarder/bin/splunk enable boot-start -user splunkusername
/opt/splunkforwarder/bin/splunk start --accept-license --answer-yes --auto-ports --no-prompt
/opt/splunkforwarder/bin/splunk set deploy-poll \"$DEPLOY_SERVER\" --accept-license --answer-yes --auto-ports --no-prompt  -auth admin:changeme
/opt/splunkforwarder/bin/splunk edit user admin -password $PASSWORD -auth admin:changeme
/opt/splunkforwarder/bin/splunk restart
"
echo "In 5 seconds, will run the following script on each remote host:"
echo
echo "===================="
echo "$REMOTE_SCRIPT"
echo "===================="
echo
sleep 5
echo "Reading host logins from $HOSTS_FILE"
echo
echo "Starting."

# read one login per line; ssh -n keeps the remote session from swallowing
# the rest of the host list on stdin
while IFS= read -r DST; do
  if [ -z "$DST" ]; then
    continue
  fi
  echo "---------------------------"
  echo "Installing to $DST"

  # run script on remote host - you will be prompted for the password
  ssh -n "$DST" "$REMOTE_SCRIPT"

done < "$HOSTS_FILE"
echo "---------------------------"
echo "Done"

This is my whereToInstallUF file:

root@SEACH-DEPLOY:~# cat whereToInstallUF
splunkuser@10.xx.xx.xx
splunkuser@10.xx.xx.xx
1 Solution

eashwar
Communicator

Could you please verify the permissions on the /home/ec2-user/.ssh directory and files contained in it on this instance?

To verify the permissions, you can stop the instance and detach the root volume (make note of the device that it's attached to). Then attach the volume to another instance on an available device. Create a mount point, such as /fixroot, if needed and mount the device to this mount point. Once mounted, cd to /fixroot/home/ec2-user and check the directory and file permissions. The .ssh directory should allow rwx for the user (owner) and the files should be readable only by the user.

Another thing to check while you are there is that the known_hosts file doesn't have duplicate entries for the client you are attempting to connect from.

Once you have done this, you can unmount the volume and detach it from the instance. Then attach it back to the original instance to the device that you noted in the first step and start the instance.

Please let us know the results.

http://d2930476l2fsmh.cloudfront.net/LostKeypairRecoveryOfLinuxInstance.mp4

This video may help you.

Thanks to yromaneko (AWS-guy).

neiko
Explorer

Thanks Eashwar, that video was excellent (thanks yromaneko!) and helped me resolve my issue. I had my public key above my private key in authorized_keys. Also I was using Ubuntu (now using Amazon AMI) and I needed to chown to the splunkuser.

I have an issue with the tar part now... I'll post a new thread 😉 Thanks again for your help.
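One way to run the checks eashwar describes (directory and file modes and ownership, duplicate known_hosts entries) and also catch the two faults neiko found (private-key material pasted into authorized_keys, files owned by the wrong user), as an added example that is not from the thread or from the rroberts script. It assumes GNU coreutils stat, and the function names and the fixture contents are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the thread): audit a .ssh directory, e.g. one reached
# through the /fixroot mount described above, for the faults this thread turned up:
#  - directory not mode 700, files not mode 600, or either not owned by the login user
#  - lines in authorized_keys that are not public keys (such as a pasted private key)
#  - duplicate host entries in known_hosts (plain-text hosts only; hashed entries differ per salt)
# Assumes GNU coreutils stat. Prints one line per finding and returns the finding count.
# Usage: audit_ssh_dir /fixroot/home/ec2-user/.ssh "$(id -u splunkuser)"
audit_ssh_dir() {
  dir=$1 uid=$2 n=0
  [ "$(stat -c %u "$dir")" = "$uid" ] || { echo "FAIL: $dir not owned by uid $uid"; n=$((n+1)); }
  [ "$(stat -c %a "$dir")" = 700 ]    || { echo "FAIL: $dir mode $(stat -c %a "$dir"), want 700"; n=$((n+1)); }
  for f in "$dir"/*; do
    [ -f "$f" ] || continue
    [ "$(stat -c %u "$f")" = "$uid" ] || { echo "FAIL: $f not owned by uid $uid"; n=$((n+1)); }
    [ "$(stat -c %a "$f")" = 600 ]    || { echo "FAIL: $f mode $(stat -c %a "$f"), want 600"; n=$((n+1)); }
  done
  if [ -f "$dir/authorized_keys" ]; then
    # every non-comment line must carry a key type token (options such as from="..." may precede it)
    bad=$(grep -v -E '^[[:space:]]*(#|$)' "$dir/authorized_keys" \
          | grep -c -v -E '(^|[ ,])(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp[0-9]+|sk-[a-z0-9-]+@openssh\.com) ' || true)
    [ "$bad" -eq 0 ] || { echo "FAIL: $bad line(s) in authorized_keys are not public keys"; n=$((n+1)); }
  fi
  if [ -f "$dir/known_hosts" ]; then
    # first field is the host list, unless the line starts with a marker like @cert-authority
    dups=$(awk 'NF && $1 !~ /^#/ { h = ($1 ~ /^@/) ? $2 : $1; print h }' "$dir/known_hosts" | sort | uniq -d)
    [ -z "$dups" ] || { echo "FAIL: duplicate known_hosts entries for: $(echo "$dups" | tr '\n' ' ')"; n=$((n+1)); }
  fi
  return "$n"
}

# Constructed fixture reproducing the broken state from the thread: world-readable
# directory and authorized_keys, a private key pasted under the public key, and one
# host listed twice in known_hosts. Key material is placeholder text, not a real key.
make_bad_fixture() {
  d=$(mktemp -d); chmod 755 "$d"
  printf '%s\n' 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCconstructed== splunkuser' \
    '-----BEGIN OPENSSH PRIVATE KEY-----' 'b3BlbnNzaC1rZXktdjEAAAAAconstructed' \
    '-----END OPENSSH PRIVATE KEY-----' > "$d/authorized_keys"; chmod 644 "$d/authorized_keys"
  printf '%s\n' '10.204.49.94 ssh-rsa AAAAB3constructed' '10.204.49.94 ssh-rsa AAAAB3constructed' \
    '10.196.191.204 ssh-rsa AAAAB3constructed' > "$d/known_hosts"; chmod 600 "$d/known_hosts"
  echo "$d"
}

d=$(make_bad_fixture)
audit_ssh_dir "$d" "$(id -u)" || echo "findings: $?"
rm -rf "$d"
```

Running it against the fixture reports four findings; point it at the mounted /fixroot path and the owning user's uid to audit a real instance.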
