I just created my first VPS host on OVHcloud. When I ssh for the first time I see:
The authenticity of host 'X.X.X.X (X.X.X.X)' can't be established.
ECDSA key fingerprint is SHA256:<the-fingerprint>.
Are you sure you want to continue connecting (yes/no/[fingerprint])?
Is there a way to verify this fingerprint? I know that people most of the time ignore the possibility of a MITM here and skip the check. But most of the time the first connection happens within an internal network, which isn't the case here.
Alternatively I'd be happy to upload an ssh public key to the server using the web manager. But I haven't found a way to do that.
The answer is yes.
I just discovered you can connect to the KVM directly from the OVH manager, thus connecting through tty1.
Go to your OVH manager, and in your VPS page, there should be a part that says "Name". There is then an option in the dropdown menu, "KVM" which let's you locally connect to your VPS through a QEMU instance.
You can get your fingerprints after logging in in this manner.
The answer is no for both questions:
When OVH spawn your VPS, they don't check/gather the auto generated ECDSA key (the ones in /etc/ssh/ssh_hosts_ecdsa*). So for the first connection, there is no way to verify this fingerprint.
For the SSH key upload through the OVH Manager, this is sadly not possible neither. You have to upload it by yourself with ssh-copy-id root#vpsXXX.
Note that it's possible on OVH's Public Cloud Instances, but not for VPS
Related
I have a machine that I want to setup an SFTP connection to. The SSH server is running properly, I can ssh into it from my client computer, and I can SFTP in from my smartphone. I'm just a bit confused on how to properly configure the ~/.netrc file. The server computer is running Ubuntu, the client computer is running OSX.
Here are my main requirements for what I'm trying to configure:
Alias. I don't have a DNS name for the computer I'm connecting to, just the IP address. ~/.ssh/config is great because it basically assigns aliases to connections, and then specifies the hostname, port, etc. Looking at the man page for ~/.netrc, I don't see a way to do this.
Private Key. This SFTP connection is validated using a private key. I don't see anything in the ~/.netrc man page about how to specify the key.
If ~/.netrc is the wrong way to go, what alternatives would be better?
I tried to connect to Ubuntu Server from Windows 8 using PuTTY.
At first, it asked me some registration of key. I accepted the pop up request. After that whenever I access Ubuntu Server there will be no registration, because already registered.
What I want is I want that registered key from Windows 8 location and remove them, so that when try to connect PuTTY will ask me to register keys again.
I don't know where those SSH keys or certificates are stored in Windows 8. Please help me to find certificates and remove them. I tried my C:\ I couldn't find any SSH folder or certificates.
It's called SSH host key. It's not a certificate.
PuTTY stores them to Windows registry under a key:
[HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\SshHostKeys]
See Verifying the host key chapter in PuTTY documentation to understand the purpose and importance of verifying the SSH host key.
I'm working on a project that requires me to run my code on a remote Unix server, that is not available to connect to directly (you first have to log in to the "gate" node and then to this server).
What's really bad is that they disabled key authentication, so each time I need to ssh into it, I have to type in my password twice. It's really annoying and I wonder what's the best way to transfer my local modifications of source files to this server, compile and run them without having to provide those passwords so many times.
I have no sudo access to any of those servers (neither to this "gate", nor to this target server). Any ideas on how to make the whole process more efficient?
EDIT: Martin Prikryl provided a great answer below, but it's suitable for Windows and I'm on a Mac :) I guess it might be a good thing to have it documented here also for *NIX systems.
You are looking for SSH tunneling.
WinSCP SFTP client supports one-hop SSH tunneling natively.
See the Tunnel page on WinSCP Advanced Site Settings dialog.
I assume that after you transfer the file, you need to open SSH terminal to compile the file.
You may be able to make use of WinSCP Console window for that step.
Alternatively, if you need/want to use a real SSH terminal client, make use of an existing SSH tunnel, created by WinSCP, and connect with PuTTY (or any other SSH client) over it.
In the Local tunnel port of WinSCP Tunnel page, select a fixed port number (instead of the default Autoselect). In PuTTY enter "localhost" to Host Name and the selected port in Port.
(I'm the author of WinSCP)
I am trying to connect to Unix server from WinSCP commandline for the first time.
It closes with the the following error:
The server's host key was not found in the cache. You have no guarantee that the
server is the computer you think it is.
The server's rsa2 key fingerprint is:
ssh-rsa 1024 42:9e:c7:f4:7f:8b:50:10:6a:06:04:b1:d4:f2:04:6d
If you trust this host, press Yes. To connect without adding host key to the cac
he, press No. To abandon the connection press Cancel.
In the WinSCP commandline, it does not ask for any input (Yes or No). It closes with Authentication failed. If I connect through the WinSCP tool, I'll get the same error. However, I'll be able to press YES.
I also know that If I add -hostkey switch in the command line, I'll be able to connect. But, I don't want pass hostkey in my batch script as I will be connecting to various servers. So, my requirement is to pass "YES" input from the commandline in case of this error. Can someone help?
A host key fingerprint verification is a crucial step in securing your SSH connection. Even if you are using a set of sessions with your script, it does not excuse you. The fingerprint should be part of a set of information you have for each of the sessions (in addition to a hostname, an username and a password).
Skipping the fingerprint verification means that you lose any security and there's no point using an SSH/SFTP anymore.
Anyway, if you do not care about a security, you can use the -hostkey=* switch to unconditionally accept any host key.
Further references:
Where do I get SSH host key fingerprint to authorize the server?
Verifying the host key
I get this error message when trying to connect with ssh.
Disconnected: No supported authentication methods available (server sent: publickey,gssapi-keyex,gssapi-with-mic)
I create a instances(cent os), generated my webserver.pem, puttygen imported that and output a ppk
I have seen that it may be a permissions issue with the ~/.ssh on the server but how can i change the permissions on the server without ssh access to the server? Is there another way to connect that i am not aware of? I am quite new to the amazon ec2 stuff.
I am on a windows system right now using putty.
My security groups were incorrect. I remade the instance with the correct security groups
The below steps worked for me.
Edit sshd_config file sudo vi /etc/ssh/sshd_config.
Search for PasswordAuthentication
If it is no, change it to yes. For me it was commented. If so, uncomment it.
Restart sshd service sudo systemctl restart sshd.service
Done.
These are the basic steps generally when working with a public cloud, trying to create a Virtual Machine and connect to it.
Create a Virtual Cloud Network/ Virtual Private Cloud
Create an Internet Gateway and ensure the Route Table for the VCN has the entry to route internet bound traffic (destination 0.0.0.0/0) to the internet gateway
Create a Virtual Machine (Linux in this case), ensure it has a public IP ( VM be created in public subnet ), download the key pair (for example was in PEM format)
Create a Security Group and ensure ingress rule from source : 0.0.0.0/0, protocol: TCP, destination port: 22
Associate the VM with the Security Group at VNIC level at the time of creating the VM or post creation.
From Oracle Cloud documentation -
Just having an internet gateway alone does not expose the instances in
the VCN's subnets directly to the internet. The following requirements
must also be met:
The internet gateway must be enabled (by default, the internet gateway
is enabled upon creation). The subnet must be public. The subnet
must have a route rule that directs traffic to the internet gateway.
The subnet must have security list rules that allow the traffic (and
each instance's firewall must allow the traffic). The instance must >
have a public IP address.
Now connecting to VM using putty, basically you are doing a :
ssh user#ip_address —i private_key
a. Use puttygen and load the private PEM key that you downloaded. Once successfully imported, save the private key (optionally with a passphrase) as PPK in your local machine ( for example "your_pvt_key_name.ppk" )
b. Use putty to connect to the VM's public IP. Ensure in putty when connecting to the VM that private key is provided for authentication. In the section Connection->SSH->Auth, browse for the "your_pvt_key_name.ppk" and then go back to the Session and "Open" the VM. If the VM is on public subnet with correct route table entry, you should see the login screen. In case the VM is not available on internet, it wont connect !
c. Once you see the login screen most important and which is the probable cause of the above error, login with correct user name, such as "ec2-user" in AWS or "opc" in OCI. Using an incorrect user name results in this error.
No supported authentication methods available (server sent: publickey,gssapi-keyex,gssapi-with-mic)