'Could not download .tar.gz from manager' error when trying to add forwarder

[ihuxn4hi]

Hi there,

I'm just getting started with Security Onion and so far have stood up a manager and am in the process of doing the same for forwarder and search nodes. But when I go through the process of adding a sensor to an existing deployment, everything goes well until the 'How would you like to access the internet?' screen. I select 'Direct' and it tries to pull down the Security Onion tarball from the manager using the soremote user's SSH key but there isn't an ~soremote/.ssh/authorized_keys file on the manager.

root@so-forwarder [/usr/local/git/securityonion]
# bash so-setup-network 
Getting started...
Gathering the management IP. 
soremote@so-manager: Permission denied (publickey).
Could not determine version of Security Onion running on manager so-manager. Please check your network settings and run setup again.
soremote@so-manager: Permission denied (publickey).
Could not download .tar.gz from manager, please check your network settings and verify the file /opt/so/repo/.tar.gz exists on the manager.

root@so-manager [/home/soremote]
# ls -alhF
total 20K
drwxr-xr-x 2 soremote soremote 4.0K Jan 27 15:28 ./
drwxr-xr-x 6 root     root     4.0K Jan 27 15:28 ../
-rw-r--r-- 1 soremote soremote  220 Feb 25  2020 .bash_logout
-rw-r--r-- 1 soremote soremote 3.7K Feb 25  2020 .bashrc
-rw-r--r-- 1 soremote soremote  807 Feb 25  2020 .profile

Connectivity isn't the issue as the logs on the manager show the SSH session:

root@so-manager [/var/log]
# grep soremote *.log
auth.log:Jan 27 15:28:39 so-manager groupadd[31559]: group added to /etc/group: name=soremote, GID=947
auth.log:Jan 27 15:28:39 so-manager groupadd[31559]: group added to /etc/gshadow: name=soremote
auth.log:Jan 27 15:28:39 so-manager groupadd[31559]: new group: name=soremote, GID=947
auth.log:Jan 27 15:28:39 so-manager useradd[31565]: new user: name=soremote, UID=947, GID=947, home=/home/soremote, shell=/bin/sh, from=/dev/pts/0
auth.log:Jan 27 17:44:18 so-manager sshd[122717]: Connection closed by authenticating user soremote 10.0.210.50 port 60330 [preauth]
auth.log:Jan 27 17:44:18 so-manager sshd[122892]: Connection closed by authenticating user soremote 10.0.210.50 port 60332 [preauth]
auth.log:Jan 27 17:44:38 so-manager sshd[123864]: AuthorizedKeysCommand /usr/share/ec2-instance-connect/eic_run_authorized_keys soremote SHA256:REDACTED/R+M failed, status 22
auth.log:Jan 27 17:44:39 so-manager sshd[123864]: Connection closed by authenticating user soremote 10.0.210.50 port 58920 [preauth]
auth.log:Jan 27 17:44:39 so-manager sshd[123880]: AuthorizedKeysCommand /usr/share/ec2-instance-connect/eic_run_authorized_keys soremote SHA256:REDACTED/R+M failed, status 22
auth.log:Jan 27 17:44:39 so-manager sshd[123880]: Connection closed by authenticating user soremote 10.0.210.50 port 58930 [preauth]
auth.log:Jan 27 17:44:39 so-manager sshd[123916]: AuthorizedKeysCommand /usr/share/ec2-instance-connect/eic_run_authorized_keys soremote SHA256:REDACTED/R+M failed, status 22
auth.log:Jan 27 17:44:39 so-manager sshd[123916]: Connection closed by authenticating user soremote 10.0.210.50 port 58940 [preauth]
auth.log:Jan 27 17:47:17 so-manager sshd[127873]: Connection closed by authenticating user soremote 10.0.210.50 port 45738 [preauth]
auth.log:Jan 27 17:47:17 so-manager sshd[127875]: Connection closed by authenticating user soremote 10.0.210.50 port 45748 [preauth]
auth.log:Jan 27 17:47:19 so-manager sshd[127907]: AuthorizedKeysCommand /usr/share/ec2-instance-connect/eic_run_authorized_keys soremote SHA256:REDACTED/R+M failed, status 22
auth.log:Jan 27 17:47:19 so-manager sshd[127907]: Connection closed by authenticating user soremote 10.0.210.50 port 45758 [preauth]
auth.log:Jan 27 17:47:19 so-manager sshd[127923]: AuthorizedKeysCommand /usr/share/ec2-instance-connect/eic_run_authorized_keys soremote SHA256:REDACTED/R+M failed, status 22
auth.log:Jan 27 17:47:19 so-manager sshd[127923]: Connection closed by authenticating user soremote 10.0.210.50 port 45774 [preauth]
auth.log:Jan 27 17:47:20 so-manager sshd[127939]: AuthorizedKeysCommand /usr/share/ec2-instance-connect/eic_run_authorized_keys soremote SHA256:REDACTED/R+M failed, status 22
auth.log:Jan 27 17:47:20 so-manager sshd[127939]: Connection closed by authenticating user soremote 10.0.210.50 port 45780 [preauth]

And the file is present:

root@so-manager [/opt/so/repo]
# ls -lh
total 51M
-rw-r--r-- 1 root root 51M Jan 27 16:02 2.3.200.tar.gz

Can I manually copy over/create the authorized_keys file or what should I do here? It also doesn't seem to be grabbing the version number properly according to the filename ('.tar.gz') but I can symlink that if need be.

Thank you!

[ihuxn4hi]

Looking in /root/sosetup.log, I saw a reference to /root/.ssh/so.key so I grabbed /root/.ssh/so.key.pub, added it to ~soremote/.ssh/authorized_keys on the master and tried again and the install was able to proceed.