Does a github deploy key (ssh key) need to be minted on the intended server or can I do it locally? - ssh

When I mint an ssh key locally the fingerprint/pub key are trailed with my_email@my_machine.
ssh-ed25519 AAA...xyz my_email@my_machine.net
For instance.
I'll upload this to GitHub deploy key and the private key to my K8s server. But I'm not sure if that tail bit is relevant.
I assume this is pulled by ssh-keygen from some config on my machine.
What is this tail end of the pub key? And can I avoid it while still minting the keys locally?

But I'm not sure if that tail bit is relevant.
It should not be relevant for unencrypted keys.
As noted in "Where does SSH agent get the names it uses for keys?":
ssh-add attempts to read the comment in the private key file. If it fails, it uses the filename as a comment for further prompts:
But in your case (GitHub deploy key), this should not matter.
Therefore, that comment bit (the ==... trailing part of the public SSH key) can be ignored.
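To make the answer concrete, here is an added example (not from the question or the answer above) that splits an OpenSSH public key line into its three fields and computes the SHA256 fingerprint from the base64 blob alone. The trailing field is the comment ssh-keygen writes (whatever -C was given, defaulting to user@host); it sits outside the key blob, so stripping it or passing -C "" changes nothing about the key. The sample key line is constructed with dummy bytes, not a real key.

```python
import base64
import hashlib
import struct


def read_ssh_string(buf: bytes, offset: int):
    """Read one length-prefixed SSH string (RFC 4251) starting at offset."""
    (length,) = struct.unpack(">I", buf[offset:offset + 4])
    start = offset + 4
    return buf[start:start + length], start + length


def parse_public_key_line(line: str) -> dict:
    """Split an OpenSSH public key line into type, key blob and comment.
    The comment is free text for humans; it is outside the key blob and
    plays no part in authentication or in the fingerprint."""
    parts = line.strip().split(None, 2)
    key_type, blob = parts[0], base64.b64decode(parts[1])
    comment = parts[2] if len(parts) == 3 else ""
    embedded_type, _ = read_ssh_string(blob, 0)
    if embedded_type.decode() != key_type:
        raise ValueError("key type field does not match the encoded blob")
    return {"type": key_type, "blob": blob, "comment": comment}


def fingerprint(blob: bytes) -> str:
    """SHA256 fingerprint as ssh-keygen -l prints it (unpadded base64)."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def strip_comment(line: str) -> str:
    """Same key with the comment removed; the key material is untouched."""
    key = parse_public_key_line(line)
    return key["type"] + " " + base64.b64encode(key["blob"]).decode()


def ssh_string(data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + data


# Constructed sample (not a real key): a well-formed ssh-ed25519 blob,
# string("ssh-ed25519") || string(32 dummy bytes), with an e-mail comment.
SAMPLE_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
SAMPLE_LINE = ("ssh-ed25519 " + base64.b64encode(SAMPLE_BLOB).decode()
               + " my_email@my_machine.net")
```

Running fingerprint() on the blob from SAMPLE_LINE and on the blob from strip_comment(SAMPLE_LINE) gives the same value, which is what GitHub compares when it looks up a deploy key.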

Related

ssh: adding private key to ssh-agent before copying public key to remote server

I've used ssh-keygen to generate a ssh key pair, and then ssh-copy-id to copy the public key to the remote server. This has worked for all systems in my local network. I followed instructions similar to this link
However, on bitbucket and github, I see this additional step of adding the private key to the ssh-agent using ssh-add <private key>
This page explains what this additional step is, but why is that not needed for my local network when it is needed for github and bitbucket?
Thanks
The "Adding your SSH key to the ssh-agent" documented on GitHub (same on GitLab) is only there if you generate a private SSH key protected by a passphrase (meaning, encrypted)
The idea is that, for a private SSH key used for authenticating to a remote public service like GitHub or GitLab, it is better to have an encrypted key, which makes it less dangerous if said key is leaked.
This is different for a private SSH key used inside a LAN (in your local network): using a passphrase is still a good idea but not mandatory: if the SSH key leaks, you still need access to the LAN in order to use it.

Why can I connect through SSH without using the required private key?

I am trying to connect to a server through SSH, using a private key that is required for the connection to succeed.
ssh -i <path-to-my-private-key> <user>@<server-ip>
It works. However, even if I don't use the private key, or if I use the wrong one, it works too, while it should not. Why does it work?
If you mean you can successfully log in to your server by running ssh ubuntu@<my-ec2-url> without using the -i <path-to-my-private-key> option, it is likely that you are running ssh-agent.
ssh-agent caches private keys in memory so that they can be used for authentication without having to enter the password on every connection.
As @jarmod points out, it is also possible that you have configured a private key for your target host in your ~/.ssh/config file. For example:
Host my-ec2-url
IdentityFile ~/.ssh/something-not-named-id_rsa
...although this is less likely, because unless you had created an unprotected private key, this would still prompt you for a key passphrase (and it would obviously need to match the public keys you have configured on the remote host).

SSH won't connect after asking about host authenticity

I'm having a problem; git returns this alert:
The authenticity of host 'bitbucket.org (104.192.143.2)' can't be established.
RSA key fingerprint is SHA256:zzXQOXSRBEiUtuE8AikJYKwbHaxvSc0ojez9YXaGp1
Are you sure you want to continue connecting (yes/no)?
When I choose yes, it returns this:
Warning: Permanently added 'bitbucket.org,104.192.143.2' (RSA) to the list of known hosts.
ssh_packet_read: Connection closed
fatal: Could not read from remote repository.
Please make sure you have the correct access rights
and the repository exists.
What is the problem?
Where must I add the RSA number? Please, I'm desperate. :(
The authenticity of host 'bitbucket.org (104.192.143.2)' can't be established. RSA key fingerprint is SHA256:zzXQOXSRBEiUtuE8AikJYKwbHaxvSc0ojez9YXaGp1 Are you sure you want to continue connecting (yes/no)?
This is normal and it's safe to say yes. ssh is being overly paranoid by asking you to confirm it. You can turn it off by setting StrictHostKeyChecking to no in your ssh config.
Remembering the public key of each server you connect to is a security feature of ssh to protect you from a man-in-the-middle attack. It goes something like this:
The first time you ssh to a host its public key (that's all that SHA256:zzXQ... stuff) is remembered, usually in ~/.ssh/known_hosts.
Every time thereafter ssh will check that the same host is still using the same key. This authenticates that bitbucket.org is still the same server you were talking to the first time.
If the keys don't match it could mean one of two things. First is that the server admin reinstalled their ssh server and forgot to keep the same key. This is common for small sites, but unlikely for something like bitbucket.org.
The second possibility is that the ssh server has been hijacked. It doesn't matter how. One common way is for a rogue DNS server to return their own malicious IP address instead of the real address for bitbucket.org. Common enough on public wifi connections.
As for why it won't connect after confirming, it's right there in the error message.
$ git clone git@bitbucket.org:RobeJablonski/sda-robert.git
Cloning into 'sda-robert'...
conq: repository access denied.
fatal: Could not read from remote repository.
Please make sure you have the correct access rights
and the repository exists.
The repository exists, that can be verified, so you don't have access rights (neither do I). Bitbucket determines who you are using your ssh key. This means you're not logging in with the right key. It has to be the same key as is associated with your account on BitBucket.
You can find your BitBucket ssh keys in your Bitbucket settings under https://bitbucket.org/account/user//ssh-keys/. Then you have to check if ssh is using that key. You can check what it's using using ssh -v git@bitbucket.org. It will spew out a lot of stuff but you're looking for the last instance of debug1: Offering RSA public key: /Users/blah/.ssh/blah.
Once you find that, check if /Users/blah/.ssh/blah.pub matches what BitBucket thinks your ssh key is. If they don't match, then you'll have to find the matching key and configure ssh to use that key for bitbucket.org.
If you've lost the key, you should change your ssh key on bitbucket.org.
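The host-key check the answer above describes, as an added example (not code from the answer or from OpenSSH): it reads known_hosts entries, both the plain form written after you answer "yes" and the hashed |1|salt|hmac form produced by HashKnownHosts, and classifies the key a server presents as first contact, match, or changed key. The known_hosts content and the keys are constructed dummies; the host name build.internal is an assumption for the hashed entry.

```python
import base64
import hashlib
import hmac


def hostname_matches(pattern: str, host: str) -> bool:
    """Match one known_hosts host field: a comma-separated list of names/IPs,
    or the hashed form |1|salt|hmac written when HashKnownHosts is on."""
    if pattern.startswith("|1|"):
        _, _, salt_b64, mac_b64 = pattern.split("|")
        mac = hmac.new(base64.b64decode(salt_b64), host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(mac, base64.b64decode(mac_b64))
    return host in pattern.split(",")


def check_host_key(known_hosts: str, host: str, key_type: str, key_b64: str) -> str:
    """Classify the key a server presented, the way ssh's host check does:
    "ok"       -> matches a stored key
    "unknown"  -> no stored key of this type: first contact, ssh asks the
                  'authenticity can't be established' question
    "mismatch" -> a stored key of this type differs: server reinstall or a
                  man-in-the-middle; the connection must not proceed"""
    same_type_seen = False
    for line in known_hosts.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0].startswith("#"):
            continue
        if not hostname_matches(fields[0], host) or fields[1] != key_type:
            continue
        if fields[2] == key_b64:
            return "ok"
        same_type_seen = True
    return "mismatch" if same_type_seen else "unknown"


# Constructed sample known_hosts (keys are dummy bytes, not real host keys).
GOOD_KEY = base64.b64encode(b"constructed bitbucket host key").decode()
ROGUE_KEY = base64.b64encode(b"a different key, e.g. from a rogue host").decode()
SALT = bytes(range(20))
_mac = hmac.new(SALT, b"build.internal", hashlib.sha1).digest()
KNOWN_HOSTS = "\n".join([
    "# plain entry, as ssh writes it after you answer 'yes'",
    "bitbucket.org,104.192.143.2 ssh-rsa " + GOOD_KEY,
    # hashed entry for the constructed host build.internal
    "|1|%s|%s ssh-rsa %s" % (base64.b64encode(SALT).decode(),
                              base64.b64encode(_mac).decode(), GOOD_KEY),
])
```

A "mismatch" result is the case the answer warns about: the right response is to verify the host's current fingerprint out of band, not to disable StrictHostKeyChecking.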
Make sure you have followed the steps below on your application server:
Have you created a public key:
cd ~/.ssh/
To generate a key:
ssh-keygen
Copy public key value (NOT PRIVATE KEY)
cat ~/.ssh/id_rsa.pub
Install git :
sudo apt install git
ATLASSIAN SETUP :
SETTINGS -> Access keys -> Add key
https://bitbucket.org/compassitesinc/your-repository/admin/access-keys/
Make sure your email address is added to the User group (with admin permission)
SETTINGS -> User and group access
Add your email address with admin access
Inside your application root directory clone your repository.
cd /var/www/html/
git clone git@bitbucket.org:organization_name/repo_application.git repo_application
You need to create an SSH key on the machine you wish to connect to GitHub or Bitbucket, then add that key to your online account. You can do this by following this:
https://confluence.atlassian.com/bitbucket/set-up-ssh-for-git-728138079.html

Google Compute Engine public key

I've added my public key to the metadata for my project in the developer's console, when I ssh into an Ubuntu VM instance I can see my public key in the file ~/.ssh/authorized_keys but when I try to use it to clone a project from Bitbucket I receive the error Permission denied (publickey)
If I ssh-add -l I just get The agent has no identities. Is there something else I'm supposed to be doing to use my existing public key on GCE instances?
You are mixing up things. There are two keys, public and private (for example ~/.ssh/id_rsa{,.pub}). You are adding the public key where you want to ssh/login and store the private key on your computer/the computer from where you want to ssh/login.
If you want to use your key pair for cloning from BitBucket from your VM, you need to do one of these things:
Using local forwarded keys
create key pair on local machine: ssh-keygen
store public key in BitBucket
add this key pair into ssh agent: ssh-add path/to/private/key
ssh into VM with agent forwarding: ssh -K your-vm
do your clone: git clone your-repo
Using separate key pair
ssh to your VM: ssh your-vm
create key pair on VM: ssh-keygen
store public key in BitBucket
do your clone: git clone your-repo
The first solution is more useful if you don't want to have many keys and the operations with repository will not happen without your participation (cron jobs). The second one is more helpful if you want to update repo using cron and run some automation on this.

Cannot find id_rsa.pub in the unix server. Can I regenerate it? id_rsa (private key) exists

What I want to do is to copy key to another host.
ssh-copy-id -i ~/.ssh/id_rsa user@host
I get error:
/usr/bin/ssh-copy-id: ERROR: failed to open ID file '[homedir].ssh/id_rsa.pub':
So there is no public key. So where is it? I tried to use command
sudo find / -name id_rsa.pub
but it only found one which I generated experimentally in my test directory. I tried sending the experimental one from the test directory, but then it keeps infinitely asking for the passphrase and does not send when I keep pasting.
So there is something wrong.
I could regenerate using
ssh-keygen -t rsa
but then it tries to use the ~/.ssh directory
and wants to overwrite the private id_rsa key. I am afraid this might break something.
So how do I get my public key file?
Just in case someone else comes here looking for an answer to the OP's question... and to directly answer that question (namely, how can you re-generate the .pub key in a situation where it is missing, and you only have the private key)...
Here is the answer:
Regenerating a .pub key from the private key
ssh-keygen -y -f ~/.ssh/id_rsa > ~/.ssh/id_rsa.pub
The -y option is the command instructing ssh-keygen to output your public key.
This will re-generate the .pub part of the pair. Just as the OP pointed out, if you simply generate a new pair, and replace the old private key, you will lose access to whatever servers you have already provided your public key to. Sure, you can go through the process of providing a new public key to those servers, but why go through that hassle if it can be easily avoided?
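An added example (not from the answer above, and not how ssh-keygen itself is implemented) showing why the public half is recoverable: in the openssh-key-v1 file format the public key blob is stored in clear ahead of the private section, so it can be read back even from a passphrase-protected file without decrypting it. The sample file is constructed from dummy bytes; its header claims aes256-ctr/bcrypt encryption and the private section is filler.

```python
import base64
import struct

AUTH_MAGIC = b"openssh-key-v1\x00"


def read_ssh_string(buf: bytes, offset: int):
    """Read one length-prefixed SSH string (RFC 4251) starting at offset."""
    (n,) = struct.unpack(">I", buf[offset:offset + 4])
    return buf[offset + 4:offset + 4 + n], offset + 4 + n


def public_keys_from_private_file(pem: str):
    """Return ("type base64" lines, cipher name) from an OpenSSH private key.
    The public blob(s) precede the (possibly encrypted) private section, so no
    passphrase is needed. Older PEM/PKCS#1 files ("BEGIN RSA PRIVATE KEY") do
    not embed the public key like this; ssh-keygen -y derives it instead."""
    body = [l for l in pem.strip().splitlines() if not l.startswith("-----")]
    blob = base64.b64decode("".join(body))
    if not blob.startswith(AUTH_MAGIC):
        raise ValueError("not an openssh-key-v1 file")
    off = len(AUTH_MAGIC)
    cipher, off = read_ssh_string(blob, off)   # "none" or e.g. "aes256-ctr"
    _kdf, off = read_ssh_string(blob, off)     # "none" or "bcrypt"
    _kdfopts, off = read_ssh_string(blob, off)
    (count,) = struct.unpack(">I", blob[off:off + 4])
    off += 4
    keys = []
    for _ in range(count):
        pub, off = read_ssh_string(blob, off)
        key_type, _ = read_ssh_string(pub, 0)
        keys.append(key_type.decode() + " " + base64.b64encode(pub).decode())
    return keys, cipher.decode()


def ssh_string(data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + data


# Constructed sample file (not a real key): the header says the private section
# is encrypted with aes256-ctr/bcrypt, and that section is just filler bytes.
SAMPLE_PUB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
SAMPLE_PUB_B64 = base64.b64encode(SAMPLE_PUB).decode()
_raw = (AUTH_MAGIC + ssh_string(b"aes256-ctr") + ssh_string(b"bcrypt")
        + ssh_string(b"") + struct.pack(">I", 1) + ssh_string(SAMPLE_PUB)
        + ssh_string(b"\x00" * 64))
SAMPLE_FILE = ("-----BEGIN OPENSSH PRIVATE KEY-----\n"
               + base64.b64encode(_raw).decode() + "\n"
               + "-----END OPENSSH PRIVATE KEY-----\n")
```

Append the comment of your choice to the returned line before writing it to id_rsa.pub; the comment is not stored in the clear part of the file.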
RSA keys work in pairs. You can generate ssh private and public keys any number of times... it does not break anything. It simply replaces the old ones with newly generated keys. This only requires you to copy the newly generated public key id_rsa.pub to your remote machine's ~/.ssh/authorized_keys file in order for you to access secure shell using rsa keys.
So generate new rsa keys on your home's .ssh directory (your old keys are replaced by new ones) and copy to the remote host's .ssh directory
cd /home/<your_username>/.ssh
ssh-keygen -t rsa
scp ~/.ssh/id_rsa.pub remote_username@host:~/.ssh/authorized_keys
then
ssh remote_username@host
Keep the passphrase empty while generating your new keys unless you want to enter a passphrase every time you make an ssh connection.
NOTE: you need to append your public key to authorized_keys file in remote host's ~/.ssh directory if it already exists holding other client's public keys.