I'm trying to auto load key to ssh-agent so that I don't need to ssh-add all the key manually one by one...
Here's my ~/.ssh/config --
Host *
UseKeychain yes
AddKeysToAgent yes
IdentityFile /home/i331281/.ssh/git_pri_key
Host jenkins
HostName jenkins1.myorg.org
UseKeychain yes
AddKeysToAgent yes
IdentityFile /home/i331281/.ssh/jenkins_pri_key
But I found after I login ssh-agent with -- "ssh-agent bash"
the key list is always empty --
> ssh-add -l
The agent has no identities.
My ssh client's version is -- OpenSSH_7.2p2, OpenSSL 1.0.2p-fips 14 Aug 2018 -- so I think it should support that "AddKeysToAgent" option.
Please kind have check if my .ssh/config is wrong? and how to fix it? Thanks
Regards
Eisen
Related
I've found that when running ssh from the command line on my system is different than running it from the ~/.ssh/config file. But I'm not sure how to fix it or if its a problem with the program itself.
I have a server (blueberry.local) and a client (xps.local). Both have a user named bob. Both can resolve each-other with the host command from either box.
The server is running sshd with the following configuration (/etc/ssh/sshd_config):
UsePAM yes
Banner none
AddressFamily any
Port 22
X11Forwarding no
PermitRootLogin no
GatewayPorts no
PasswordAuthentication no
KbdInteractiveAuthentication no
PrintMotd no
AuthorizedKeysFile %h/.ssh/authorized_keys %h/.ssh/authorized_keys2 /etc/ssh/authorized_keys.d/%u
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
KexAlgorithms sntrup761x25519-sha512#openssh.com,curve25519-sha256,curve25519-sha256#libssh.org,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305#openssh.com,aes256-gcm#openssh.com,aes128-gcm#openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm#openssh.com,hmac-sha2-256-etm#openssh.com,umac-128-etm#openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128#openssh.com
LogLevel INFO
UseDNS no
And from my client I'm running ssh with this configuration (~/.ssh/config):
Host blueberry.stark.local
Port 22
HostName blueberry.local
IdentityFile ~/.ssh/blueberry_rsa
IdentitiesOnly yes
When running ssh from the command line like this:
ssh bob#blueberry.local -i ~/.ssh/blueberry_rsa
The command works and I can successfully connect via ssh to the server.
However, when running ssh from the command line using the client configuration like this:
ssh bob#blueberry.local
I get an authentication error:
bob#blueberry.local: Permission denied (publickey).
What's going on here? I've tried to remove configuration properties and the like but it never works.
What's even stranger is that I have another client configuration just like that that works without any issues at all...
The issue is likely caused by two factors:
Based on your example command, your Host and HostName values are mixed up:
Host <this should be what you type on the CLI>
...
HostName <The real hostname of the server>
...
This means ssh isn't actually going to use any of the configuration you provided. Making the following change should work.
Host blueberry.local
Port 22
HostName blueberry.stark.local
IdentityFile ~/.ssh/blueberry_rsa
IdentitiesOnly yes
This is most likely if the following command works with the configuration you posted:
ssh bob#blueberry.starlink.local
If you expected ssh to just try all of your private keys until it found the right one, (~/.ssh/blueberry_rsa), its likely you haven't added it to your ssh-agent (you can confirm by running ssh-add -L and check the output.
by default ssh will check these paths, then any additional keys in the agent:
~/.ssh/id_rsa
~/.ssh/id_ecdsa
~/.ssh/id_ecdsa_sk
~/.ssh/id_ed25519
~/.ssh/id_ed25519_sk
~/.ssh/id_xmss
~/.ssh/id_dsa
Its likely you only have ~/.ssh/id_rsa in your agent which is what is throwing the
When in trouble, its always helpful to run ssh -vvv <rest of your command> to see whats happening under the hood 😉.
I've tried a multitude of things to get this working but despite having the AddKeysToAgent variable set to yes in my ssh_config the keys are not getting added.
This is my ssh-config:
Host *
AddKeysToAgent yes
Host remote
HostName /*hostname for remote here*/
User dcaglar2
IdentityFile ~/.ssh/personal_laptop
IdentitiesOnly yes
Host git
HostName github.com
User git
IdentityFile ~/.ssh/git
IdentitiesOnly yes
and running
ssh-add -l
returns
The agent has no identites.
I've checked the man pages ssh, ssh_config, but wasn't able to find anything.
I know that I can add a line to my .bashrc as a substitute but I just want to know what's wrong at this point.
From the description of AddKeysToAgent in the ssh_config manual:
If this option is set to yes and a key is loaded from a file, the key and its passphrase are added to the agent with the default lifetime, as if by ssh-add(1).
If I'm not mistaken, a key will be added to the agent the first time it's used. So try connecting to a remote and then run ssh-add -l again, you should then see the corresponding key in the output.
One of my weekly scripts won't log into a LAN server now. I added another entry into ~/.ssh/config and the crontab entry isn't taking. I just tried fixing it by specifically adding that server parameters (it was represented by a wildcard entry when the crontab was working)
Load key "/Users/rich/.ssh/id_rsa": Permission denied
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password)
How can I fix this so the cron has access to that box? I tried copying over the key after my local change.
Here is my ~/.ssh/config file:
Host *
AddKeysToAgent yes
UseKeychain yes
Host uiop.local
HostName uiop.local
AddKeysToAgent yes
UseKeychain yes
IdentityFile ~/.ssh/id_rsa
User rich
Host qwer.local
HostName qwer.local
AddKeysToAgent yes
UseKeychain yes
IdentityFile ~/.ssh/id_rsa
User rich
Host github.com
HostName github.com
User Wonderful
IdentityFile ~/.ssh/id_ed25519
IdentitiesOnly yes
I also use rsync on a LAN box that isn't working now. With one key is present, it's assumed that key is the only one to use. But with the config file above, it still gets confused. I'm questioning if the keys are added to the agent.
Was permissions. Set to 600 on the whole .ssh directory.
I am trying to copy a demo.zip from local host to a newly initiated vagrant VM.
I tried command like this from my MAC terminal:
scp -P 2200 demo.zip vagrant#127.0.0.1:/home/vagrant
However, I get:
vagrant#127.0.0.1: Permission denied (publickey).
lost connection
And below is the log from vagrant ssh-config:
Host default
HostName 127.0.0.1
User vagrant
Port 2200
UserKnownHostsFile /dev/null
StrictHostKeyChecking no
PasswordAuthentication no
IdentityFile /Volumes/dailystorage/program_analysis_VM/.vagrant/machines/default/virtualbox/private_key
IdentitiesOnly yes
LogLevel FATAL
The version of vagrant box is ubuntu-xenial (Ubuntu 16.04.3).
Could anyone tell what's going on here and possible ways out?
Thanks!
UPDATE: Solved by installing vagrant scp.
The name localhost normally resolves to the IPv4 loopback address 127.0.0.1
So you can try copy file from your local machine to local machine.
Try this:
scp -i /Volumes/dailystorage/program_analysis_VM/.vagrant/machines/default/virtualbox/private_key demo.zip vagrant#private_ip_address_your_remote_machine:/home/vagrant
I regenerated the key and it worked:
Generate Key Pair on master-1 node $ssh-keygen
Leave all settings to default.
View the generated public key ID at:
$cat .ssh/id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQD......8+08b vagrant#master-1
Move public key of master to all other VMs
$cat >> ~/.ssh/authorized_keys <<EOF
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQD......8+08b vagrant#master-1
EOF
I cannot for the life of me figure out why my SSH config is forwarding the wrong key. I have two keys, we'll call them home_rsa and work_rsa. I have done the following:
eval `ssh-agent`
ssh-add -K ~/.ssh/home_rsa
ssh-add -K ~/.ssh/work_rsa
Here is my ~/.ssh/config file:
Host home
ForwardAgent yes
HostName home.com
IdentityFile ~/.ssh/home_rsa
IdentitiesOnly yes
User home
Host work
ForwardAgent yes
HostName work.com
IdentitiesOnly yes
IdentityFile ~/.ssh/work_rsa
User work
Host bitbucket
IdentityFile ~/.ssh/home_rsa
Host bitbucket-work
IdentityFile ~/.ssh/work_rsa
Host bitbucket*
HostName bitbucket.com
User git
When I run the following…
ssh work
ssh git#bitbucket.org
…Bitbucket reports that I'm using my home user, though I'm clearly logged into my work server and should be forwarding my work key. If I add my SSH identities in the reverse order and run the same code above, Bitbucket reports I'm using my work user. Running ssh-add -l from my work server, I see that both SSH keys are being forwarded, but isn't that the job of IdentitiesOnly yes?
Really confused as to what's going on here.
Really confused as to what's going on here.
ForwardAgent option forwards the connection to your agent, with all the keys inside and does not forward your local ~/.ssh/config to remote host. What you do on the work host is controlled by your configuration on that host.
What are you trying to do with that?
You need to update your ssh keys with their equivalent bitbucket account first at their website (work user with work_rsa, user with user_rsa). Then maybe this could help.
Host bitbucket-work
HostName bitbucket.org
IdentitiesOnly yes
IdentityFile ~/.ssh/work_rsa
User work
Usage:
ssh bitbucket-work
sshbitbucket
As written in the accepted answer, selecting keys used for authentication is not related to what keys are forwarded. Separate ssh-agents are needed. Luckily that is easily configured.
From ssh-agent (1) we can learn that it takes a -a option to specify bind_address, and ssh_config (5) tells that ForwardAgent can be set to what turns out to be the same value.
Prepare your agents:
eval `ssh-agent -a ~/.ssh/home.agent`
ssh-add ~/.ssh/home_rsa
eval `ssh-agent -a ~/.ssh/work.agent`
ssh-add ~/.ssh/work_rsa
unset SSH_AUTH_SOCK SSH_AGENT_PID
Configure your ssh:
Host work
HostName work.example.com
ForwardAgent ~/.ssh/work.agent
IdentityAgent ~/.ssh/work.agent
Host home
HostName home.example.com
ForwardAgent ~/.ssh/home.agent
IdentityAgent ~/.ssh/home.agent
That should completely separate home and work keys. Setting IdentityAgent to a different value than ForwardAgent is left as an exercise for someone exposed to a threat level calling for such complexity.