User Keys And Authorizations
Symptom: A user key lists incorrect key activity.
This may be caused by duplicate keys on a host. Key activity entries are matched to keys according to the key fingerprint, not the file itself. Duplicate keys share the same key activity listing.
If applicable, the problem can be fixed by removing the unnecessary duplicate keys.
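To locate such duplicates before removing them, the following added example (not part of Key Manager or its documentation) groups authorized_keys entries by fingerprint rather than by file. It assumes OpenSSH-format authorized_keys lines and OpenSSH-style SHA256 fingerprints, which may be displayed differently in Key Manager; the file paths and keys are constructed samples.

```python
import base64
import hashlib
from collections import defaultdict

def fingerprint(blob):
    """OpenSSH-style SHA256 fingerprint of a decoded public-key blob."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def parse_line(line):
    """Return (fingerprint, comment) for an authorized_keys line, else None."""
    fields = line.split()
    if not fields or fields[0].startswith("#"):
        return None
    for i, field in enumerate(fields[:-1]):
        try:
            blob = base64.b64decode(fields[i + 1], validate=True)
        except ValueError:
            continue  # next field is not a key blob (e.g. part of an option)
        n = int.from_bytes(blob[:4], "big")
        if blob[4:4 + n] == field.encode():  # blob must name this key type
            return fingerprint(blob), " ".join(fields[i + 2:])
    return None

def find_duplicates(files):
    """Map fingerprint -> [(path, line_no, comment)] for keys seen more than once."""
    seen = defaultdict(list)
    for path, text in files.items():
        for no, line in enumerate(text.splitlines(), 1):
            parsed = parse_line(line)
            if parsed:
                seen[parsed[0]].append((path, no, parsed[1]))
    return {fp: locs for fp, locs in seen.items() if len(locs) > 1}

def make_sample_key(seed):
    """Constructed sample: a well-formed ssh-ed25519 line, not a real key."""
    parts = (b"ssh-ed25519", bytes([seed]) * 32)
    blob = b"".join(len(p).to_bytes(4, "big") + p for p in parts)
    return "ssh-ed25519 " + base64.b64encode(blob).decode()

KEY_A, KEY_B = make_sample_key(1), make_sample_key(2)
SAMPLE_FILES = {  # constructed paths and contents
    "/home/alice/.ssh/authorized_keys": f"# backup\n{KEY_A} alice@laptop\n{KEY_B} deploy\n",
    "/home/bob/.ssh/authorized_keys": f'from="10.0.0.5" {KEY_A} copied-key\n',
}

if __name__ == "__main__":
    for fp, locs in find_duplicates(SAMPLE_FILES).items():
        print(fp, *(f"{p}:{n} ({c})" for p, n, c in locs), sep="\n  ")
```

Entries that differ only in options or comment still share a fingerprint, so they are reported together, as in the key activity listing.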
Symptom: A user key cannot be modified due to pending operation
Typically, the pending-operation status is automatically reset after the blocking job completes. However, in some situations, such as when a job terminates abnormally, the pending-operation status may not be reset for the key, which prevents subsequent modifications to the key.
If the pending operation of a user key is not cleared automatically, you can reset it with the Key Manager controller. To reset the pending operation of an authorized key (replace 999 with the ID of the key):
# /opt/sshmgr/bin/ssh-mgr-controller --reset-pending-auth-key-operation=999
Similarly, to reset the pending operation of a private key:
# /opt/sshmgr/bin/ssh-mgr-controller --reset-pending-private-key-operation=999
After the pending operation is reset, you should once again be able to perform actions on the affected keys.
Symptom: Authentication fails when using authorizations from Tectia hosts
On Tectia hosts, the SSH Connection Broker may need to be reloaded to register new keys for use. This can be done by running the following command on the Tectia host(s) from which you are trying to authenticate:
# ssh-broker-ctl reload
After reloading, verify that you can authenticate using public-key authentication.
Symptom: Key operation fails due to error Key not valid anymore
This error occurs when trying to restore an expired authorized key. This also happens when a rollback action would cause an expired authorized key to be restored.
Key Manager disallows restoring expired authorized keys. To restore such keys, you will first have to extend their validity periods. To do this via the Key Manager GUI:
- On the User keys→Authorized keys page, perform a Set Validity action on the target authorized key(s). Set the validity so that the target keys are currently valid.
- Perform a Restore action on the target key(s).
Symptom: Authorizations page in GUI shows keys not matching filters
By default, filters on the User Keys→Authorizations page operate per fingerprint: if a key matches the filter, then all the keys with the same fingerprint are displayed.
To only display those keys or parts of authorization matching filters, enable the setting Authorizations filtering on key level under Settings→General→Frontend. Note that enabling this setting may slow down performance in large environments.
Symptom: Host-key renewal fails with update_server_config progressing to Exception handling
If a host-key renewal job fails with errors similar to the following:
Job 1113961 Finished state: update_server_config progressing to Exception handling
Job 1113961 Failed: NotImplementedError:
Job 1113961 Traceback:
Ensure that the SSH configurations on the target host are in the managed state. You may verify the state of SSH configurations from the Hosts→SSH Configurations page of the Key Manager GUI.
Rerun the job after verifying that the SSH configurations on the host are in the managed state.