I have a linux device which supports authentication with a certificate and a private key.
I have tried to connect with:
k = paramiko.RSAKey.from_private_key_file("path to private key")
client.connect(server, port, user, key_filename="path to certificate file", pkey=k)
I cannot connect in any way to the device.
Under Windows with OpenSSH I can connect to the device with:
ssh root@192.168.0.2 -p 22 -o IdentityFile=C:\client_key\client_key -o CertificateFile=C:\client_key\OTCsigned_certificate
I have solved the issue by:
Renaming the key and the certificate to id_rsa and id_rsa-cert.pub.
For the key_filename argument I passed the certificate, and alongside it paramiko also loads the private key.
It is finally working.
Br,
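The following is an added example and not part of the post above: it decodes an OpenSSH user certificate (the contents of an id_rsa-cert.pub line) with only the Python standard library and checks the two things that most often make a certificate login fail with no useful client-side error, the principal list and the validity window. The certificate it parses is constructed inline with a placeholder modulus and an all-zero signature so the parser runs offline; real certificates come from ssh-keygen -s. In paramiko 2.2 and later the certificate can also be attached explicitly with key.load_certificate("id_rsa-cert.pub") instead of relying on the file-name pairing the post describes.

```python
import base64
import struct
import time

# RFC 4251 wire encodings: "string" = uint32 length + bytes; "mpint" = string
# holding a big-endian two's-complement integer (leading 0x00 if high bit set).
def _pack_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b

def _pack_mpint(n: int) -> bytes:
    return _pack_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))

def _read_string(buf: bytes, off: int):
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n

def _read_mpint(buf: bytes, off: int):
    raw, off = _read_string(buf, off)
    return int.from_bytes(raw, "big"), off

def _read_u64(buf: bytes, off: int):
    return struct.unpack_from(">Q", buf, off)[0], off + 8

CERT_TYPE = "ssh-rsa-cert-v01@openssh.com"
USER_CERT, HOST_CERT = 1, 2   # "type" field values from OpenSSH's PROTOCOL.certkeys

def parse_rsa_cert_line(line: str) -> dict:
    """Decode one line of an OpenSSH *-cert.pub file into its signed fields."""
    parts = line.split(None, 2)
    if len(parts) < 2 or parts[0] != CERT_TYPE:
        raise ValueError("expected a line starting with " + CERT_TYPE)
    blob = base64.b64decode(parts[1])
    keytype, off = _read_string(blob, 0)
    if keytype.decode() != CERT_TYPE:
        raise ValueError("key type inside the blob does not match the line prefix")
    _nonce, off = _read_string(blob, off)
    e, off = _read_mpint(blob, off)
    n, off = _read_mpint(blob, off)
    serial, off = _read_u64(blob, off)
    ctype = struct.unpack_from(">I", blob, off)[0]
    off += 4
    key_id, off = _read_string(blob, off)
    principals_blob, off = _read_string(blob, off)   # a packed list of strings
    principals, p = [], 0
    while p < len(principals_blob):
        name, p = _read_string(principals_blob, p)
        principals.append(name.decode())
    valid_after, off = _read_u64(blob, off)
    valid_before, off = _read_u64(blob, off)
    _critical, off = _read_string(blob, off)
    _extensions, off = _read_string(blob, off)
    _reserved, off = _read_string(blob, off)
    ca_key, off = _read_string(blob, off)            # the CA's public key
    _signature, off = _read_string(blob, off)
    return {
        "type": {USER_CERT: "user", HOST_CERT: "host"}.get(ctype, "unknown"),
        "serial": serial,
        "key_id": key_id.decode(),
        "principals": principals,
        "valid_after": valid_after,
        "valid_before": valid_before,
        "modulus_bits": n.bit_length(),
        "ca_key_type": _read_string(ca_key, 0)[0].decode(),
    }

def cert_usable_for(cert: dict, username: str, now: int = None):
    """Mirror sshd's first checks: cert type, principal membership and validity
    window (an empty principal list means the cert is valid for any user)."""
    now = int(time.time()) if now is None else now
    if cert["type"] != "user":
        return False, "a host certificate cannot authenticate a user"
    if cert["principals"] and username not in cert["principals"]:
        return False, "%r is not among principals %r" % (username, cert["principals"])
    if not (cert["valid_after"] <= now < cert["valid_before"]):
        return False, "outside validity window %d..%d" % (cert["valid_after"], cert["valid_before"])
    return True, "ok"

def build_sample_cert(principals, valid_after, valid_before, key_id="demo", ctype=USER_CERT) -> str:
    """Constructed sample for exercising the parser: placeholder modulus and an
    all-zero signature, so it is NOT a real certificate and cannot log in."""
    e, n = 65537, (1 << 2047) | 1                       # placeholder 2048-bit "modulus"
    pubkey = _pack_string(b"ssh-rsa") + _pack_mpint(e) + _pack_mpint(n)
    body = b"".join([
        _pack_string(CERT_TYPE.encode()), _pack_string(b"\x00" * 32),    # type, nonce
        _pack_mpint(e), _pack_mpint(n), struct.pack(">Q", 1), struct.pack(">I", ctype),
        _pack_string(key_id.encode()),
        _pack_string(b"".join(_pack_string(p.encode()) for p in principals)),
        struct.pack(">Q", valid_after), struct.pack(">Q", valid_before),
        _pack_string(b""), _pack_string(b""), _pack_string(b""),       # crit opts, exts, reserved
        _pack_string(pubkey),                                            # "CA" key (placeholder)
        _pack_string(_pack_string(b"rsa-sha2-512") + _pack_string(b"\x00" * 256)),
    ])
    return "%s %s %s" % (CERT_TYPE, base64.b64encode(body).decode(), key_id)

if __name__ == "__main__":
    cert = parse_rsa_cert_line(build_sample_cert(["root", "deploy"], 1000, 2000))
    print(cert)
    print(cert_usable_for(cert, "root", now=1500))
    print(cert_usable_for(cert, "admin", now=1500))
```

Feed parse_rsa_cert_line a real id_rsa-cert.pub line and compare the principals against the user you pass to client.connect; a mismatch or an expired window is rejected by the server before any key exchange detail reaches the client.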
I want to add my ssh public key to the ESXi 7 host, so that I can log in via ssh without using a password.
But the ESX host keeps prompting me for the password.
I have tried the following:
Scenario A
When using the "normal" way of adding ssh keys to a host.
Make an ssh key pair with ssh-keygen -t rsa
Push the ssh public key to the ESXi host with ssh-copy-id root@esx.host
Now try logging in to the ESX host using ssh root@esx.host
This will prompt you for a password again.
Reason for failing
The ssh key is added to the ESX host's ~/.ssh/authorized_keys, but the SSH service expects to find the keys in /etc/ssh/keys-root/authorized_keys.
Scenario B
Adding the key in the right place
Copy the key onto the ESX host with cat ~/.ssh/id_rsa.pub | ssh root@esx.host 'cat >>/etc/ssh/keys-root/authorized_keys'
Try logging in again with ssh root@esx.host
Still asking for a password.
Reason for failing
The ssh key is generated with 2048 bits by default, but should be 4096 bits.
Final Solution
# Generate the 4096-bit ssh key
ssh-keygen -t rsa -b 4096
# Copy the public key to the right place on the ESX host
cat ~/.ssh/id_rsa.pub | ssh root@esx.host 'cat >>/etc/ssh/keys-root/authorized_keys'
# Then log in
ssh root@esx.host
Tada - now logged in without using a password
Password:
The time and date of this login have been sent to the system logs.
WARNING:
All commands run on the ESXi shell are logged and may be included in
support bundles. Do not provide passwords directly on the command line.
Most tools can prompt for secrets or accept them from standard input.
VMware offers supported, powerful system administration tools. Please
see www.vmware.com/go/sysadmintools for details.
The ESXi Shell can be disabled by an administrative user. See the
vSphere Security documentation for more information.
[root@esx.host:~]
Just want to leave it here, so the link to the solution won't be lost.
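An added check, not part of the ESXi post above: the script below reads an authorized_keys file with only the Python standard library, reports each key's type and (for RSA) the modulus size, and flags RSA keys below a chosen minimum, so you can see what size a key actually is before regenerating it as the post suggests. The two key lines it audits are constructed inline with placeholder moduli and are not real keys; keys-root/authorized_keys is only the path the post names.

```python
import base64
import struct

# RFC 4251 wire encodings used inside the base64 blob of a public key line.
def _pack_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b

def _pack_mpint(n: int) -> bytes:
    return _pack_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))

def _read_string(buf: bytes, off: int):
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n

KNOWN_TYPES = ("ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256",
               "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")

def inspect_public_key_line(line: str) -> dict:
    """Decode one .pub / authorized_keys line: key type, size, options, comment.
    Options are whatever precedes the key type; a quoted command= option that
    itself contains a key-type word would confuse this simple whitespace split."""
    fields = line.split()
    for i, f in enumerate(fields):
        if f in KNOWN_TYPES:
            break
    else:
        raise ValueError("no recognised key type in line")
    keytype, blob = fields[i], base64.b64decode(fields[i + 1])
    inner, off = _read_string(blob, 0)
    if inner.decode() != keytype:
        raise ValueError("blob says %s but line says %s" % (inner.decode(), keytype))
    info = {"type": keytype, "options": " ".join(fields[:i]),
            "comment": " ".join(fields[i + 2:]), "bits": None}
    if keytype == "ssh-rsa":                        # mpint e, mpint n
        e_raw, off = _read_string(blob, off)
        n_raw, off = _read_string(blob, off)
        info["exponent"] = int.from_bytes(e_raw, "big")
        info["bits"] = int.from_bytes(n_raw, "big").bit_length()
    elif keytype == "ssh-ed25519":                  # fixed 32-byte point
        info["bits"] = 256
    else:                                           # ecdsa: curve name, then point
        curve, off = _read_string(blob, off)
        info["bits"] = int(curve.decode().replace("nistp", ""))
    return info

def audit_authorized_keys(text: str, min_rsa_bits: int = 4096) -> list:
    """Inspect every key line; RSA keys below min_rsa_bits get ok=False."""
    report = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        info = inspect_public_key_line(raw)
        info["line"] = lineno
        info["ok"] = not (info["type"] == "ssh-rsa" and info["bits"] < min_rsa_bits)
        report.append(info)
    return report

def fake_rsa_line(bits: int, comment: str) -> str:
    """Constructed sample: a syntactically valid ssh-rsa line whose modulus is a
    placeholder of the requested size. It is NOT a real key and cannot log in."""
    n = (1 << (bits - 1)) | 1
    blob = _pack_string(b"ssh-rsa") + _pack_mpint(65537) + _pack_mpint(n)
    return "ssh-rsa %s %s" % (base64.b64encode(blob).decode(), comment)

# Constructed stand-in for /etc/ssh/keys-root/authorized_keys on the ESXi host.
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# keys-root/authorized_keys (constructed sample)",
    fake_rsa_line(2048, "laptop-2048"),
    'restrict,from="10.0.0.0/8" ' + fake_rsa_line(4096, "laptop-4096"),
])

if __name__ == "__main__":
    for entry in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS):
        print(entry["line"], entry["type"], entry["bits"],
              "ok" if entry["ok"] else "TOO SHORT", entry["comment"])
```

Point audit_authorized_keys at the real file's contents (for example after scp-ing /etc/ssh/keys-root/authorized_keys off the host) to confirm both that the key landed in the file sshd reads and that its size is what you think it is.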
I have a private 4096-byte RSA key (probably it was generated using this guide https://help.github.com/en/articles/generating-a-new-ssh-key-and-adding-it-to-the-ssh-agent).
I've got an error while trying to establish a new connection through an ssh tunnel using DBeaver (6.1.2).
invalid privatekey: [B@540.....
So at first I found this solution: https://github.com/rundeck/rundeck/issues/4813#issuecomment-492358649 But I didn't really want to recreate my key, because it was already in use on several servers.
After an hour of googling I've found another suggestion: to use another SSH implementation via the sshj extension: https://github.com/dbeaver/dbeaver/issues/3917#issuecomment-410616717 It can be installed via the built-in package manager: Help -> Install New Software -> https://dbeaver.io/update/sshj/latest/ And it works great!
This error is due to the format of the SSH private key. By default, ssh-keygen creates a private key in the OpenSSH format, with this header:
-----BEGIN OPENSSH PRIVATE KEY-----
But DBeaver only accepts keys in the older PEM format, with this header:
-----BEGIN RSA PRIVATE KEY-----
You can either generate a key directly with the correct header using:
ssh-keygen -t rsa -b 2048 -m PEM
Or you can convert an existing key (careful! this overwrites the existing key; you can copy the private key and apply the command to the copy):
ssh-keygen -p -m PEM -f id_rsa
There is an open issue on DBeaver's GitHub.
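An added example, not from the answer above: the function below tells the on-disk private key formats apart with only the Python standard library and, for the OpenSSH format, decodes the outer envelope (cipher, KDF, key type) without needing the passphrase, which is enough to decide whether ssh-keygen -p -m PEM is the right fix before touching a key that is in use elsewhere. The key files it inspects are constructed inline with placeholder key material and are not usable keys. The "[B@..." fragment in the question's error message is how Java renders a raw byte array, so the library read the file but could not parse its bytes.

```python
import base64
import struct

OPENSSH_MAGIC = b"openssh-key-v1\x00"   # fixed prefix of the OpenSSH private key format

def _pack_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b

def _read_string(buf: bytes, off: int):
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n

def detect_private_key_format(text: str) -> dict:
    """Classify a PEM-armoured private key by its header and, for OpenSSH keys,
    decode the unencrypted outer envelope (never the secret section)."""
    lines = [l.strip() for l in text.strip().splitlines()]
    header = lines[0]
    # Legacy PEM may carry "Proc-Type:"/"DEK-Info:" headers before the base64 body.
    body = base64.b64decode("".join(l for l in lines[1:-1] if l and ":" not in l))
    if header == "-----BEGIN OPENSSH PRIVATE KEY-----":
        if not body.startswith(OPENSSH_MAGIC):
            raise ValueError("OpenSSH header but body lacks the openssh-key-v1 magic")
        off = len(OPENSSH_MAGIC)
        cipher, off = _read_string(body, off)
        kdf, off = _read_string(body, off)
        _kdfopts, off = _read_string(body, off)
        nkeys = struct.unpack_from(">I", body, off)[0]
        off += 4
        pub, off = _read_string(body, off)          # public key blob, always in clear
        return {"format": "openssh-key-v1", "key_type": _read_string(pub, 0)[0].decode(),
                "encrypted": cipher != b"none", "cipher": cipher.decode(),
                "kdf": kdf.decode(), "keys": nkeys, "pem": False}
    if header == "-----BEGIN RSA PRIVATE KEY-----":
        # PKCS#1 DER starts with a SEQUENCE tag (0x30) unless legacy-encrypted.
        enc = any(l.startswith("Proc-Type:") and "ENCRYPTED" in l for l in lines)
        return {"format": "pkcs1", "key_type": "ssh-rsa", "encrypted": enc,
                "der_ok": enc or body[:1] == b"\x30", "pem": True}
    if header in ("-----BEGIN PRIVATE KEY-----", "-----BEGIN ENCRYPTED PRIVATE KEY-----"):
        return {"format": "pkcs8", "encrypted": "ENCRYPTED" in header, "pem": True}
    raise ValueError("unrecognised PEM header: " + header)

def needs_pem_conversion(text: str) -> bool:
    """True when a tool that only understands the older PEM formats (as the
    answer says DBeaver's default SSH implementation does) would reject this key."""
    return not detect_private_key_format(text)["pem"]

def sample_openssh_key(cipher=b"none", kdf=b"none") -> str:
    """Constructed sample: a well-formed openssh-key-v1 envelope around placeholder
    bytes. It is NOT a real key; only the outer structure is meaningful."""
    kdfopts = b"" if kdf == b"none" else _pack_string(b"\x00" * 16) + struct.pack(">I", 16)
    pub = _pack_string(b"ssh-ed25519") + _pack_string(b"\x11" * 32)
    body = (OPENSSH_MAGIC + _pack_string(cipher) + _pack_string(kdf) + _pack_string(kdfopts)
            + struct.pack(">I", 1) + _pack_string(pub) + _pack_string(b"\x00" * 64))
    b64 = base64.b64encode(body).decode()
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n"
            + "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
            + "\n-----END OPENSSH PRIVATE KEY-----\n")

# Constructed sample: the smallest possible PKCS#1 body (an empty DER SEQUENCE).
SAMPLE_PKCS1_KEY = "-----BEGIN RSA PRIVATE KEY-----\nMAA=\n-----END RSA PRIVATE KEY-----\n"

if __name__ == "__main__":
    for k in (sample_openssh_key(), sample_openssh_key(b"aes256-ctr", b"bcrypt"), SAMPLE_PKCS1_KEY):
        print(detect_private_key_format(k), "convert:", needs_pem_conversion(k))
```

Run detect_private_key_format on the contents of ~/.ssh/id_rsa: an openssh-key-v1 result with encrypted=True tells you the conversion will prompt for the passphrase and that the secret bytes are protected at rest, which is worth preserving when you re-encode the copy with -m PEM.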
The above suggestions didn't help for me. But in the latest versions of DBeaver, you just have to update implementation to SSHJ, under Advanced settings:
That worked for me!
I got the SSH Tunnel to work on
DBeaver Community Edition Version 7.3.4.202101310933
macOS Catalina version 10.15.7
by doing the following:
in shell:
create private 4096-byte RSA key at default location ~/.ssh/id_rsa using
ssh-keygen -t rsa -b 4096
in DBeaver:
click Help > Install New Software
click Add ...
enter Name: SSHJ
enter Location: https://dbeaver.io/update/sshj/latest/
click Next and go through the entire SSHJ installation process
(I failed to do this on my first attempt)
click Save
click Restart DBeaver
on SSH Tunnel tab of Connection Settings
use Authentication Method: Public Key
use Private Key: ~/.ssh/id_rsa
(OpenSSH NOT PEM, as others have advised)
enter Passphrase
select Save Password
select Implementation: SSHJ
click Test tunnel configuration
modal dialog is displayed that says
Connected!
Client version: SSHJ_0.27.0
Server version: OpenSSH_7.2p2 Ubuntu-4ubuntu2.8
click OK
I'm trying to setup gpg-agent forwarding in order to use pass (https://www.passwordstore.org) via ssh.
gpg version 2.2.9 on both the local and remote hosts, installed following these instructions:
https://gist.github.com/vt0r/a2f8c0bcb1400131ff51
On local machine
$HOME/.gnupg/gpg-agent.conf
extra-socket /home/mickey/.gnupg/S.gpg-agent.remote
Reload agent
echo RELOADAGENT | gpg-connect-agent
Export public key
gpg --export -a mickey > mickey.gpg
Sign test data
echo "test" | gpg2 --encrypt -r mickey > out.gpg
Send public key and signed data
scp *.gpg REMOTE_HOST:
Create ssh session with reverse forwarding
ssh -R /run/user/1002/gnupg/S.gpg-agent:/home/mickey/.gnupg/S.gpg-agent.remote -o "StreamLocalBindUnlink=yes" REMOTE_HOST
On remote machine
Import public key
gpg --import mickey.gpg
Trust this key ultimately
gpg --edit-key mickey
trust 5 quit
Try to decrypt
gpg --decrypt -v out.gpg
Output
gpg: public key is FED6243A3325C554
gpg: connection to agent is in restricted mode
gpg: using subkey FED6243A3325C554 instead of primary key 9E2ED69A02554504
gpg: using subkey FED6243A3325C554 instead of primary key 9E2ED69A02554504
gpg: encrypted with 2048-bit RSA key, ID FED6243A3325C554, created 2018-07-23
"mickey"
gpg: public key decryption failed: Inappropriate ioctl for device
gpg: decryption failed: No secret key
So, agent socket forwarding is working; there seem to be some problems with the pinentry program. I could not find anything that worked for me on Google.
UPD
Tried to add pinentry-program /usr/bin/pinentry-tty to gpg-agent.conf, new error:
gpg: public key decryption failed: Invalid IPC response
gpg: decryption failed: No secret key
It happens when GPG is confused where to read input from. Simply configuring it to look for input from tty (the terminal connected to standard input) fixes it:
export GPG_TTY=$(tty)
This method does not work when you are inside an LXC container. Instead, add this to ~/.gnupg/gpg.conf:
use-agent
pinentry-mode loopback
Then add this to ~/.gnupg/gpg-agent.conf
allow-loopback-pinentry
Then restart the agent with echo RELOADAGENT | gpg-connect-agent.
When running gpg from a script, the --batch argument must be provided.
I was given an id_rsa.pub by the client and was told to connect to it. I tried adding the key with ssh-copy-id user@ec2-remoteserver.com
But it gave the error: Permission denied (publickey).
Then I thought of trying to connect with
ssh -i /c/Users/kdash/Desktop/id_rsa.pub user@ec2-instance.com
It now says the error
Load key "/c/Users/kdash/Desktop/id_rsa.pub": invalid format
Can anyone please help me understand how I should add the given .pub key file and access the remote server.
Earlier I had connected to servers with .pem files as such:
ssh -i /c/Users/kdash/Desktop/server.pem user@ec2-instance.com
I am not clear how .pub file can be used.
The client should provide you with the private key to connect to the server.
I am sure the client must have added the public key to their ~/.ssh/authorized_keys
Once the client provides you with the private-key file, you can connect as
ssh -i <private-key> user@ec2-instance.com
See the example here: the remote machine adds the public key to ~/.ssh/authorized_keys and then the user can connect to it using the private key.
So I guess you need the private key file to connect to the remote ssh server.
The remote machine should never add a private key to ~/.ssh/authorized_keys.
I have my access key, secret key, and the downloaded cert pem file.
I understand SSH requires a private key file in order to establish a terminal SSH connection to my instance.
What I did find through Google is that I need to use puttygen to convert my cert pem file into a private key file:
http://www.techrepublic.com/blog/datacenter/connect-to-amazon-ec2-with-a-private-key-using-putty-and-pageant/5085
However, all the instructions I found are based on a GUI puttygen and I only have the CL version because I am running Linux Fedora 16 on my laptop. I did yum PuTTY, which came with a GUI, but puttygen only has a CL version. What I tried to do in puttygen is as follows:
> puttygen cert-***.pem -o default.pem
puttygen: error loading `cert-***.pem': file does not begin with OpenSSH key header
Can anybody point out what I am doing wrong and how I can use CL puttygen to convert my cert file to a private key file that is usable by SSH to connect to my instances?
Thanks in advance
If you are running Linux at the command line, why do you need to make a ppk with puttygen? Basically the keypair you get from AWS IS in pem format, suitable for use with the ssh command line.
So if you saved your .pem file from Amazon as /path/to/aws.pem, all you need to do is
ssh -i /path/to/aws.pem user@hostname.com
The ssh private key is completely different from the X.509 certificate and private key. It's a little confusing because folks often save the ssh private key generated by EC2 in a ".pem" file just like the cert and pk use.
You can't convert or use the X.509 certificate or private key for ssh as you tried to do.
You can generate an ssh private key (sometimes called a "keypair") through Amazon EC2 on the AWS console or through the AWS command line tools (ec2-add-keypair). If you are using Putty, you may still need to convert to PPK format as your referenced article describes, but you are converting the ssh key .pem file, not the X.509 private key or certificate.
If you know how to generate your own ssh key locally (or have already done so) then I recommend doing this and uploading the ssh public key to EC2.
When you run an EC2 instance, you then specify the ssh keypair name so that EC2 makes the ssh public key available to the instance, letting you securely ssh in to your new server.