Regularily loosing SSH connection rights on Hetzner Cloud - ssh

I have a strange issue regarding my setup login into my hetzner cloud via SSH.
initial situation
I have made a fresh SSH Key, added that to a fresh Hetzner Cloud solution and made the initial login into the cloud. I was able to access the cloud via terminal with the command ssh root#MY_IP
the issue
When I retry to access my server with ssh root#MY_IP a few days after I've made the setup, I get the following error message: root#MY_IP: Permission denied (publickey).
I haven't made any changes in the meantime, didn't to anything with the ssh connection, didn't created new ssh key, nothing. I don't understand why it just denies my connection try since it was working fine before.

Probably your ssh-agent was configured in a different shell?
Try listing your stored keys with
ssh-add -l
If you don't see the one you created for this specific machine/cluster, try adding it again with:
ssh-add <absolute_path_to_your_private_key>
If your agent is not even running, start it in the background with:
eval "$(ssh-agent -s)"

Related

How to SSH between 2 Google Cloud Debian Instances

I have installed ansible in on of my GCE Debian VM Instance(1). Now I want to connect to another GCE Debian VM instance(2).
I have generated the public key on Instance 1 and copied the .pub key manually to the the authorized key of instance 2.
But, when I try to do the ssh from 1 to 2 it gives permission denied.
Is there any other way round? I am a little new to this, trying to learn.
is there any step by step guide available? and also what is the exact ip address to do ssh on? will it be the internal IP or the External IP taken by GCE when the Instance is started.
I'm an Ansible user too and I manage a set of compute engine servers. My scenario is pretty close to yours so hopefully this will work for you as well. To get this to work smoothly, you just need to realise that ssh public keys are metadata and can be used to tell GCE to create user accounts on instance creation.
SSH public keys are project-wide metadata
To get what you want the ssh public key should be added to the Metadata section under Compute Engine. My keys look like this:
ssh-rsa AAAAB3<long key sequence shortened>Uxh bob
Every time I get GCE to create an instance, it creates /home/bob and puts the key into the .ssh/authorized_keys section with all of the correct permissions set. This means I can ssh into that server if I have the private key. In my scenario I keep the Private Key only in two places, LastPass and my .ssh directory on my work computer. While I don't recommend it, you could also copy that private key to the .ssh directory on each server that you want to ssh from but I really recommend getting to grips with ssh-agent
Getting it to work with Ansible
The core of this is to tell Ansible not to validate host checking and to connect as the user specified in the key (bob in this example). To do that you need to set some ssh options when calling ansible
ansible-playbook -ssh-common-args='-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no' -u bob
Now Ansible will connect to the servers mentioned in your playbook and try to use the local private key to negotiate the ssh connection which should work as GCE will have set things up for you when the VM is created. Also, since hostname checking is off, you can rebuild the VM as often as you like.
Saying it again
I really recommend that you run ansible from a small number of secure computers and not put your private key onto cloud servers. If you really need to ssh between servers, look into how ssh-agent passes identity around. A good place to start is this article.
Where did you say the metadata was?
I kind of glossed over that bit but here's an image to get you started.
From there you just follow the options for adding a public key. Don't forget that this works because the third part of the key is the username that you want GCE and Ansible to use when running plays.
It's quite simple if you have two instances in google cloud platform, automatically you have the guest environment installed (gcloud command line), with it you can ssh through all you ssh inside your project:
Just run the following command line for inside your instance A to reach the Instance B
[user#Instance(1)]$ gcloud compute ssh Instance(2) --zone [zone]
That it, if it's not working let me know, and verify if your firewall rule let internal traffic.

ssh to compute engine keeps asking for a paraphrase

Just added a new machine on google cloud and ran the google config.
While I can successfully connect to the machine, any attempt to log in via ssh keeps prompting me for paraphrase. Even more, it happens on my other instances too.
Not sure why.
I tried:
eval "$(ssh-agent -s)"
ssh-add
But that made no difference.
Thoughts?
made a mistake with a private key (added the wrong one!).
Ran ssh-add ~/.ssh/google_compute_engine and problem was solved.

Unable to connect to Google Compute Engine using "in browser" SSH

After changing two passwords, root and the default user, suddenly we notice now that the "in browser" link on Google Compute Engine fails to connect via SSH.
Strangely, however, if we use the SSH command from the command line that Google provides (i.e. $ gcloud compute ssh VM-NAME --zone VM-ZONE) - SSH works.
It appears SSH is working - but the "in browser" SSH link no longer connects. What might have gone wrong and how do we fix this?
ADDENDUM:
Of note, a commenter below suggests it is not related to passwords but purely SSH keys - so it looks the answer to this question might rest around if there is a way to regenerate SSH keys on GCE instances. We are searching. If anyone knows code to regenerate SSH keys for GCE please post.
GCE VMs, by default, don't allow for SSH connections with clear-text password: it uses keys instead. You can specify approved keys during VM instantiation, or at a later time, but one that is always present is the key to the user account you used when creating the machine.
As long as you haven't modified /etc/ssh/sshd_config, this should continue to be the case. Either way, one more option you can use to connect via SSH to your instance is to run the following command:
$ gcloud compute ssh VM-NAME --zone VM-ZONE
while logged in with your authorized user account.
ADDENDUM - In lieu of regenerating previous keys, you can add additional, locally-generated SSH keys on both the project, as well as on the VM level. The first applies to all VMs and grants access to project owners and editors, while the second only applies to the VM in question. Both methods add the SSH entered to the Metadata server, from which the get uploaded to the VM prior to SSH connection to all / the VM.
You can do this from the Developers Console:
project-level SSH keys - go to your project -> Compute -> Compute Engine -> Metadata -> "SSH KEYS" (top of the screen) -> click on "Edit"
VM-level SSH keys - go to your project -> Compute -> Compute Engine -> VM instances -> click on the instance name -> "SSH keys" section (scroll down) -> click "Add SSH key"
We discovered the cause was a chown command we had executed on a directory for the primary user that Google creates on the Google Compute Engine instance.
By reversing that chown back to the Google created user, Google's in-browser SSH began working again.
We used chown on an entire user directory and also an ssh config file back to the Google created user using:
chown -R user_name_com /home/user_name_com
and also on this file
chown user_name_com /etc/ssh/ssh_config
where user_name_com was our gmail email address user.

SSH config to restore user ssh access?

I have been locked out of ssh. I'm on the Google Cloud, so I can move the hd over and change the ssh config files, but after a few attempts, I cannot login still. The problem began shortly after I changed the password to the primary account, but since SSH was not using password authentication, I am surprised that affected SSH. I tried turning password authentication on, generating new keys, have Google's platform generate new keys, etc, but nothing has allowed me to log in.
I keep getting this error, regardless of key combo or whether or not password authentication is on.
Permission denied (publickey).
I have a slightly older backup (a couple hours, before the issue), and it's telling me too many authentication failures for any user (regarless of user#domain.com).
I was wondering if there are any config setting I can set to be able to log back in.
Not sure this belongs stackoverflow or serverfault but..
Try adding -vv to your ssh command. It shows a lot more debugging info
For example:
ssh -vv username#host
See if that gets you any hints! It could be a number of things, it searching for private key in the wrong place, etc.
The issue could be ssh keys saved in your local computer. Can you move the ssh keys from .ssh/ to a different directory in your local computer and see if that resolves the issue.
Or can you enable password authentication for your ssh and use -o flag with ssh command which forces non-key authentication to confirm if the issue was with the key: ssh -o PubkeyAuthentication=no username#
You also set MaxAuthTries to higher number in your sshd_config.

Calling SSH command from Jenkins

Jenkins keeps using the default "jenkins" user when executing builds. My build requires a number of SSH calls. However these SSH calls fails with Host verification exceptions because i haven't been able connect place the public key for this user on the target server.
I don't know where the default "jenkins" user is configured and therefore cant generate the required public key to place on the target server.
Any suggestions for either;
A way to force Jenkins to use a user i define
A way to enable SSH for the default Jenkins user
Fetch the password for the default 'jenkins' user
Ideally I would like to be able do both both any help greatly appreciated.
Solution: I was able access the default Jenkins user with an SSH request from the target server. Once i was logged in as the jenkins user i was able generate the public/private RSA keys which then allowed for password free access between servers
Because when having numerous slave machine it could be hard to anticipate on which of them build will be executed, rather then explicitly calling ssh I highly suggest using existing Jenkins plug-ins for SSH executing a remote commands:
Publish Over SSH - execute SSH commands or transfer files over SCP/SFTP.
SSH - execute SSH commands.
The default 'jenkins' user is the system user running your jenkins instance (master or slave). Depending on your installation this user can have been generated either by the install scripts (deb/rpm/pkg etc), or manually by your administrator. It may or may not be called 'jenkins'.
To find out under what user your jenkins instance is running, open the http://$JENKINS_SERVER/systemInfo, available from your Manage Jenkins menu.
There you will find your user.home and user.name. E.g. in my case on a Mac OS X master:
user.home /Users/Shared/Jenkins/Home/
user.name jenkins
Once you have that information you will need to log onto that jenkins server as the user running jenkins and ssh into those remote servers to accept the ssh fingerprints.
An alternative (that I've never tried) would be to use a custom jenkins job to accept those fingerprints by for example running the following command in a SSH build task:
ssh -o "StrictHostKeyChecking no" your_remote_server
This last tip is of course completely unacceptable from a pure security point of view :)
So one might make a "job" which writes the host keys as a constant, like:
echo "....." > ~/.ssh/known_hosts
just fill the dots from ssh-keyscan -t rsa {ip}, after you verify it.
That's correct, pipeline jobs will normally use the user jenkins, which means that SSH access needs to be given for this account for it work in the pipeline jobs. People have all sorts of complex build environments so it seems like a fair requirement.
As stated in one of the answers, each individual configuration could be different, so check under "System Information" or similar, in "Manage Jenkins" on the web UI. There should be a user.home and a user.name for the home directory and the username respectively. On my CentOS installation these are "/var/lib/jenkins/" and "jenkins".
The first thing to do is to get a shell access as user jenkins in our case. Because this is an auto-generated service account, the shell is not enabled by default. Assuming you can log in as root or preferably some other user (in which case you'll need to prepend sudo) switch to jenkins as follows:
su -s /bin/bash jenkins
Now you can verify that it's really jenkins and that you entered the right home directory:
whoami
echo $HOME
If these don't match what you see in the configuration, do not proceed.
All is good so far, let's check what keys we already have:
ls -lah ~/.ssh
There may only be keys created with the hostname. See if you can use them:
ssh-copy-id user#host_ip_address
If there's an error, you may need to generate new keys:
ssh-keygen
Accept the default values, and no passphrase, if it prompts you to add the new keys to the home directory, without overwriting existing ones. Now you can run ssh-copy-id again.
It's a good idea to test it with something like
ssh user#host_ip_address ls
If it works, so should ssh, scp, rsync etc. in the Jenkins jobs. Otherwise, check the console output to see the error messages and try those exact commands on the shell as done above.