ssh: adding private key to ssh-agent before copying public key to remote server - ssh

I've used ssh-keygen to generate an ssh key pair, and then ssh-copy-id to copy the public key to the remote server. This has worked for all systems in my local network. I followed instructions similar to this link
However, on bitbucket and github, I see this additional step of adding the private key to the ssh-agent using ssh-add <private key>
This page explains what this additional step does, but why is that not needed for my local network when it is needed for github and bitbucket?
Thanks

The "Adding your SSH key to the ssh-agent" step documented on GitHub (same on GitLab) is only there if you generate a private SSH key protected by a passphrase (meaning, encrypted).
The idea is that, for a private SSH key used for authenticating to a remote public service like GitHub or GitLab, it is better to have an encrypted key, which makes it less dangerous if said key is leaked.
This is different for a private SSH key used inside a LAN (in your local network): using a passphrase is still a good idea but not mandatory: if the SSH key leaks, you still need access to the LAN in order to use it.

Related

Does a github deploy key (ssh key) need to be minted on the intended server or can I do it locally?

When I mint an ssh key locally the fingerprint/pub key are trailed with my_email@my_machine.
ssh-ed25519 AAA...xyz my_email@my_machine.net
For instance.
I'll upload this to GitHub deploy key and the private key to my K8s server. But I'm not sure if that tail bit is relevant.
I assume this is pulled by ssh-keygen from some config on my machine.
What is this tail end of the pub key? And can I avoid it while still minting the keys locally?
But I'm not sure if that tail bit is relevant.
It should not be relevant for unencrypted keys.
As noted in "Where does SSH agent get the names it uses for keys?":
ssh-add attempts to read the comment in the private key file. If it fails, it uses the filename as a comment for further prompts:
But in your case (GitHub deploy key), this should not matter.
Therefore, that comment bit (the ==... trailing part of the public SSH key) can be ignored.

Copying Your Public Key Using ssh-copy-id

I am trying to configure SSH key-based authentication and, after I created a key, I want to copy the SSH public key to my server. When I give the following command in git bash: ssh-copy-id username@remote_host, I am asked for a password.
Must remote_host be the floating IP of the VM that I am trying to connect to?
Which password should I type in?
It would be really helpful if you could answer my questions.
On the first SSH operation (here an ssh-copy-id), you would need the password of the remote account, in order for the command to add your public key to said remote user account's ~/.ssh/authorized_keys.
Only then subsequent SSH commands would work without asking for password (only passphrase, if your private key is passphrase-protected, and if you have not added the private key to an ssh agent, for caching said passphrase).

Why can I connect through SSH without using the required private key?

I am trying to connect to a server through SSH, using a private key that is required for the connection to succeed.
ssh -i <path-to-my-private-key> <user>@<server-ip>
It works. However, even if I don't use the private key, or if I use the wrong one, it works too, while it should not. Why does it work?
If you mean you can successfully log in to your server by running ssh ubuntu@<my-ec2-url> without using the -i <path-to-my-private-key> option, it is likely that you are running ssh-agent.
ssh-agent caches private keys in memory so that they can be used for authentication without having to enter the password on every connection.
As @jarmod points out, it is also possible that you have configured a private key for your target host in your ~/.ssh/config file. For example:
Host my-ec2-url
IdentityFile ~/.ssh/something-not-named-id_rsa
...although this is less likely, because unless you had created an unprotected private key, this would still prompt you for a key passphrase (and it would obviously need to match the public keys you have configured on the remote host).

SSH won't connect after asking about host authenticity

I'm having a problem; git returns this alert:
The authenticity of host 'bitbucket.org (104.192.143.2)' can't be established.
RSA key fingerprint is SHA256:zzXQOXSRBEiUtuE8AikJYKwbHaxvSc0ojez9YXaGp1
Are you sure you want to continue connecting (yes/no)?
When I choose yes, it returns this:
Warning: Permanently added 'bitbucket.org,104.192.143.2' (RSA) to the list of known hosts.
ssh_packet_read: Connection closed
fatal: Could not read from remote repository.
Please make sure you have the correct access rights
and the repository exists.
What is the problem?
Where must I add the RSA number? Please, I'm desperate. :(
The authenticity of host 'bitbucket.org (104.192.143.2)' can't be established. RSA key fingerprint is SHA256:zzXQOXSRBEiUtuE8AikJYKwbHaxvSc0ojez9YXaGp1 Are you sure you want to continue connecting (yes/no)?
This is normal and it's safe to say yes. ssh is being overly paranoid by asking you to confirm it. You can turn it off by setting StrictHostKeyChecking to no in your ssh config.
Remembering the public key of each server you connect to is a security feature of ssh to protect you from a man-in-the-middle attack. It goes something like this:
The first time you ssh to a host its public key (that's all that SHA256:zzXQ... stuff) is remembered, usually in ~/.ssh/known_hosts.
Every time thereafter ssh will check that the same host is still using the same key. This authenticates that bitbucket.org is still the same server you were talking to the first time.
If the keys don't match it could mean one of two things. First is that the server admin reinstalled their ssh server and forgot to keep the same key. This is common for small sites, but unlikely for something like bitbucket.org.
The second possibility is that the ssh server has been hijacked. It doesn't matter how. One common way is for a rogue DNS server to return their own malicious IP address instead of the real address for bitbucket.org. Common enough on public wifi connections.
As for why it won't connect after confirming, it's right there in the error message.
$ git clone git@bitbucket.org:RobeJablonski/sda-robert.git
Cloning into 'sda-robert'...
conq: repository access denied.
fatal: Could not read from remote repository.
Please make sure you have the correct access rights
and the repository exists.
The repository exists, that can be verified, so you don't have access rights (neither do I). Bitbucket determines who you are using your ssh key. This means you're not logging in with the right key. It has to be the same key as is associated with your account on BitBucket.
You can find your BitBucket ssh keys in your Bitbucket settings under https://bitbucket.org/account/user//ssh-keys/. Then you have to check if ssh is using that key. You can check what it's using with ssh -v git@bitbucket.org. It will spew out a lot of stuff but you're looking for the last instance of debug1: Offering RSA public key: /Users/blah/.ssh/blah.
Once you find that, check if /Users/blah/.ssh/blah.pub matches what BitBucket thinks your ssh key is. If they don't match, then you'll have to find the matching key and configure ssh to use that key for bitbucket.org.
If you've lost the key, you should change your ssh key on bitbucket.org.
Make sure you have followed the steps below on your application server:
Have you created a public key?
cd ~/.ssh/
To generate a key pair:
ssh-keygen
Copy the public key value (NOT THE PRIVATE KEY):
cat ~/.ssh/id_rsa.pub
Install git:
sudo apt install git
ATLASSIAN SETUP:
SETTINGS -> Access keys -> Add key
https://bitbucket.org/compassitesinc/your-repository/admin/access-keys/
Make sure your email address is added to the user group (with admin permission):
SETTINGS -> User and group access
Add your email address with admin access
Inside your application root directory, clone your repository:
cd /var/www/html/
git clone git@bitbucket.org:organization_name/repo_application.git repo_application
You need to create an SSH key on the machine you wish to connect to GitHub or Bitbucket, then add that key to your online account. You can do this by following this:
https://confluence.atlassian.com/bitbucket/set-up-ssh-for-git-728138079.html

Google Compute Engine public key

I've added my public key to the metadata for my project in the developer's console. When I ssh into an Ubuntu VM instance I can see my public key in the file ~/.ssh/authorized_keys, but when I try to use it to clone a project from Bitbucket I receive the error Permission denied (publickey).
If I ssh-add -l I just get The agent has no identities. Is there something else I'm supposed to be doing to use my existing public key on GCE instances?
You are mixing things up. There are two keys, public and private (for example ~/.ssh/id_rsa{,.pub}). You add the public key where you want to ssh/login, and store the private key on your computer, i.e. the computer from which you want to ssh/login.
If you want to use your key pair for cloning from BitBucket from your VM, you need to do one of these things:
Using local forwarded keys
create key pair on local machine: ssh-keygen
store public key in BitBucket
add this key pair into ssh agent: ssh-add path/to/private/key
ssh into VM with agent forwarding: ssh -A your-vm
do your clone: git clone your-repo
Using separate key pair
ssh to your VM: ssh your-vm
create key pair on VM: ssh-keygen
store public key in BitBucket
do your clone: git clone your-repo
The first solution is more useful if you don't want to have many keys and the operations on the repository will not happen without your participation (no cron jobs). The second one is more helpful if you want to update the repo using cron and run some automation on this.