I added another user's public ssh-key to my dokku server, but they can't login using ssh root#appname.com.
I can see their ssh-key in authorized_keys and also if I run sshcommand list dokku or sshcommand list root.
I have checked in the sudoers config, and it seems that all ssh-keys are given root permissions:
$ cat sudoers
/...
# User privilege specification
root ALL=(ALL:ALL) ALL
I am using the dokku-acl plugin, but haven't found anything in the docs that would help.
The server is an Aliyun ECS (China).
Feel like I am missing something simple. Any advice is very much appreciated!
root ssh access and dokku ssh access are governed separately. The user's public key should be added as is to the /root/.ssh/authorized_keys file, whereas the /home/dokku/.ssh/authorized_keys file should only be managed by the subcommands of the ssh-keys plugin (included with Dokku).
You may wish to remove the entries from both files manually, then add the entries back as described above. For dokku user access - which would grant the ability to push code as well as perform remote commands via ssh dokku#host $command - you can use the command dokku ssh-keys:add to add a specific user:
echo "PUBLIC_KEY_CONTENTS" | dokku ssh-keys:add some-user-name
Related
I have a site on CyberPanel, user "thows3051" and want to use git to manage my site. But when I try ssh -T git#github.com I get git#github.com: Permission denied (publickey)..
If I ssh into the server on that user ssh thows3051#mysite.com, into the .ssh directory, there is a thows3051.pub file which I copied the contents into the repo on github under "deploy keys".
EDIT
Was able to explicitly use the correct key with ssh -i ~/.ssh/thows3051 -T git#github.com which shows You've successfully authenticated....
So my question is why isn't the user using the right ssh key?
Thanks in advance
Was able to fix it. I'm not sure what key was being used, if any?
But if you create a file in ~/.ssh/config, you can put the following inside:
IdentityFile ~/.ssh/thows3051
And it will use that key.
Note that you can set specific keys for certain hosts, for example:
Host github.com
IdentityFile ~/.ssh/github.key
I have built an MF container image and pushed it. I have copied the file in (Mac) ~/.ssh/id_rsa.pub to mfpf-server/usr/ssh before building the image.
I am trying to connect using the command in Mac terminal:
ssh -i ~/.ssh/id_rsa admin#public_ip
It says:
Permission denied (publickey).
Any idea? What is the user I shall use?
your problem is very probably related to the permissions of the pub key copied on the container or to the configuration of your key.
You could check the permissions of key copied on the container, sshd is really strict on permissions for the authorized_keys files: if authorized_keys is writable for anybody other than the user or can be made writable by anybody other than the user, sshd will refuse to authenticate (unless sshd is configured with StrictModes no)
Moreover such a problem won't be showed using ssh -v, it will showed only on daemon logs (on the container)
From man sshd(8):
~/.ssh/authorized_keys
Lists the public keys (RSA/DSA) that can be used for logging in
as this user. The format of this file is described above. The
content of the file is not highly sensitive, but the recommended
permissions are read/write for the user, and not accessible by
others.
If this file, the ~/.ssh directory, or the user's home directory
are writable by other users, then the file could be modified or
replaced by unauthorized users. In this case, sshd will not
allow it to be used unless the StrictModes option has been set to
“no”.
So I suggest you to check about the files and directories permissions.
Then check that the content of your pub key has been copied correctly on authorized_keys listing
/root/.ssh/authorized_keys
To access the container with the ssh key you need to use the "root" user.
ssh -i ~/.ssh/id_rsa root#<ip address>
Trying to connect Cloud9 to my Digital Ocean droplet and I'm getting:
Cloud9 couldn't connect to SSH server
I've added the ssh public key into my .ssh/authorized_keys file and I know I can connect via ssh. Is there any way to get more info than just that is can't connect?
David
You need to add public key from your profile to .ssh/authorized_keys (not hosts) and make sure that .ssh/authorized_keys file belongs to you and have can be read written only by the owner (should say -rw------- when doing ls -la ~/.ssh)
To get a bit more info, you can try SSHing into your server from one of your other Cloud9 workspaces. Since your Cloud9 SSH key is the same across all workspaces, you'll be able to check if your key has been properly added to the server this way.
I wasn't able to figure out how to get more info on this but I was able to figure out that it was permissions on the .ssh/authorized_keys file / directory. Thanks again for all the help
David
Just finished chatting with cloud9 support and got this working. It's important to note that there are THREE items that require specific permissions:
you user home folder (~) folder should be drwxr-xr-x
your ~/.ssh folder should be drwx------
your ~/.ssh/authorized_keys folder should be -rw-------
Here's in my case
check your instance security groups and ACL
check your sshd_config, ssh, and PAM auth (default is fine, but in my case I mistakenly set PubKeyAuthentication to No), I tried to mimic the ssh connection with ssh -vvv user#ip_address from another server (after putting the public key in the ~/.ssh/authorized_keys file), make sure it's -rw-------
check for the files and folders permission, especially in the ~/.ssh folder
check incoming connection errors in /var/log/auth.log
check for node js if it's installed
put the node path (use which node command)
I have to deal with a rather annoying situation. I must transfer a file via shell script using scp from one server to another. The problem is that I do not have root access on either of them. I'm not allowed to install any packages like, sshpass, ssh2, expect etc. I don't even have write permission in the home directory of the user I have to use on the second server.
Since I can't use sshpass etc. to enable my script to enter the login credentials, I thought about using an ssh keypair for auth. Actually that was my first thought, but since the user on the second server doesn't have write permissions in its home directory but only in a subsequent directory, ssh-keygen fails as it can't put the keys in ~/.ssh.
Both are Debian servers btw.
Is there any way to generate a ssh keypair and use it outside of ~/.ssh?
Any help is greatly appreciated.
On the clientside yes. However, on serverside, unless configured differently, sshd will expect your credentials in that directory.
If you can scp from the server where you can't access .ssh to the one where you can, you can use -i option to specify the keyfile location.
Do you have an alternative transport mechanism? Can you put the filn your public_html and wget it on the other side?
You can have the keypairs anywhere. What is key is that the permissions are set correctly on the keypair. The ownership needs to be set to the user chown user:user keyfile and the permissions must be chmod 400 keyfile.
Once you have your key moved and permissions set all that's left is to tell scp which key to use. You can do this by using the -i flag.
IE: scp /source/file user#host:/target/location/ -i keyfile
Edit:
As Amadan alluded to in his answer - this assumes the server you're connecting to already has the key as an authorized key on the user. If not it would require an /etc/ssh/sshd_config change that only someone with the right access can do. It might be worth trying a cat /etc/ssh/sshd_config on the server if your user has access to it at all right now. If you have read access you'll be able to discern the expected authorized_keys location. It's possible the server admin has already customized the expected key location to something you have write access to.
I have a unique problem when accessing a Cygwin based SSH Server through public key (rsa) based authentication.
If I login to the server via password auth:
ssh Administrator#domain.com
I login just fine and can then either execute:
cd //anotherpc/shareName
or cd /backup/anotherpc where this is a symlink to the aforementioned network share
This is successful and I can access anything on that share without issue.
The problem arises if i do the same thing above just after logging in using a public key authentication mechanism.
The error output is:
cd //anotherpc/shareName
-bash: cd: //anotherpc/shareName: Not a directory
Update:
The /etc/sshd_config file has the following commands having removed all commented out lines:
Port 22
StrictModes no
AuthorizedKeysFile .ssh/authorized_keys
UsePrivilegeSeparation yes
Subsystem sftp /usr/sbin/sftp-server
It is extremely strange. Any help would be hugely appreciated!
Kind Regards
If you run this command before trying to access a network share, the required authentication token will be created.
net use '\machineName\shareName' /user:"DOMAIN\Username" password
For full details see:
See http://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-setuid-overview