Change SSH private key after configurations?

Hello,

I have a SUSE11 SP4 machine where I have installed and configured HDP2.3, YARN, MapReduce, etc. from the Ambari UI, where I also entered the SSH private key during the cluster setup. Currently, I can log in via an ssh session with this private key, which is also used by Ambari. As I see a security risk here, if I change the private key on the machine for the user, how can I change the SSH private key in Ambari? I have tried using this article: https://cwiki.apache.org/confluence/display/AMBARI/Installing+ambari-agent+on+target+hosts but I constantly get either "HTTP/1.1 500 Server Error" using curl or "403 Full authentication is required to access this resource" using the Chrome Advanced REST client.

So my question is - is there a way after changing my user private key to change it also in Ambari?

Thank you!

1 ACCEPTED SOLUTION

Super Guru

Hi @Elitsa Milanova

If I get you correctly, the private key is only used once by Ambari, while bootstrapping the nodes at the time of registration.

Later on, if you change the private key, it will have no impact on your cluster. So there is no need to change the updated private key in Ambari.

6 REPLIES

Master Guru
@Elitsa Milanova

Ambari uses the SSH key you have provided for bootstrapping a new node (installing the Ambari agent etc.). If you have already added nodes and installed components on them, then there should be no issues. If you want to add a new node and your private key was changed before adding it, there should not be an issue, because at the time of adding a new node Ambari should ask you for the private key again.

See below screenshot

[Screenshot: 3602-screen-shot-2016-04-22-at-115916-am.png]

Note - Passwordless SSH is required between the Ambari server and Ambari agent nodes only at the time of bootstrapping. Once ambari-agent is up and running, communication between master and slave components happens over RPC; they don't need SSH for communication (except for SSHFencing between two NNs if HA is configured).

Master Guru

@vpoornalingam - Please correct me if my understanding is incorrect here.

Contributor

Hi @Kuldeep Kulkarni,

I have lost the id_rsa private key file, and now I need to add two more nodes. Will it be possible to add the new datanodes? What is the solution for this? Can I generate a new key with keygen and apply the new private key in Ambari?

Thanks in advance.

Regards,

Ram

Rising Star

Elitsa,

There are two ways to register hosts with Ambari: automatically via SSH by supplying a private key to Ambari (as you have done) or manually (by running yum install ambari-agent on the host, modifying /etc/ambari-agent/conf/ambari-agent.ini's "hostname" line to Ambari's hostname, and running "ambari-agent start").

When using the SSH method, Ambari does NOT store the SSH private key that you supplied (it is used once to do passwordless SSH into the server to set up the agent and discarded). So there's no way or need to "change the private key" in Ambari.

avatar

Yes, this is what I wanted to know. If the key is used once only during the first bootstrap then I have no security issue with the private key login.

THANK YOU!
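
Because Ambari does not keep the bootstrap key, changing it only involves the `authorized_keys` file of the login account on each host. The following is an added example, not part of the original thread: it removes the old public key and installs the new one. The function names and the key values in the demo are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): swap a key in an authorized_keys file.
# Function names are assumptions; the demo keys are constructed, not real.

key_blob() {            # print the base64 blob (field 2) of a .pub file
    awk 'NF >= 2 { print $2; exit }' "$1"
}

count_key() {           # count_key AUTH_FILE BLOB -> number of live entries
    awk -v blob="$2" '
        /^[ \t]*(#|$)/ { next }     # skip comments and blank lines
        { for (i = 1; i <= NF; i++) if ($i == blob) { n++; break } }
        END { print n + 0 }' "$1"
}

rotate_authorized_key() {   # rotate_authorized_key OLD_PUB NEW_PUB AUTH_FILE
    local old_blob new_blob tmp auth=$3
    old_blob=$(key_blob "$1"); new_blob=$(key_blob "$2")
    if [ -z "$old_blob" ] || [ -z "$new_blob" ]; then
        echo "unreadable public key file" >&2; return 2
    fi
    if [ "$old_blob" = "$new_blob" ]; then
        echo "old and new key are the same" >&2; return 2
    fi
    tmp=$(mktemp "$auth.XXXXXX") || return 1      # created with mode 0600
    # Match on the blob, so entries with options or another comment go too.
    awk -v blob="$old_blob" '
        { for (i = 1; i <= NF; i++) if ($i == blob) next; print }' \
        "$auth" > "$tmp" || { rm -f "$tmp"; return 1; }
    # Install the replacement once, even if the function is run again.
    if [ "$(count_key "$tmp" "$new_blob")" -eq 0 ]; then
        awk 'NF >= 2 { print; exit }' "$2" >> "$tmp"
    fi
    mv "$tmp" "$auth"       # same directory, so the swap is a rename
}

if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    printf 'ssh-rsa AAAAOLDBLOB bootstrap@ambari\n' > "$d/old.pub"
    printf 'ssh-ed25519 AAAANEWBLOB rotated@admin\n' > "$d/new.pub"
    printf 'ssh-rsa AAAAOLDBLOB bootstrap@ambari\nssh-rsa AAAAOTHER ops@host\n' \
        > "$d/authorized_keys"
    rotate_authorized_key "$d/old.pub" "$d/new.pub" "$d/authorized_keys"
    cat "$d/authorized_keys"; rm -rf "$d"
fi
```

Run it as the account that owns the file, on every host where the old key was authorized, and keep an existing session open until a login with the new key has been confirmed.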