How do public ssh servers like git@github.com automatically reject connections and send a message? - ssh

When I ssh to git@github.com, I get a message that looks like this:
Hi <my username>! You've successfully authenticated, but GitHub does not provide shell access.
The connection is then closed. I understand this is intentional behavior, but how do they do it? Is there a config option in sshd_config? Is it a different or proprietary package to manage ssh connections? How do they change the message to include the username?
I have no idea what to look up to find these answers. Any searches involving TTY allocation seem to only return troubleshooting for servers that shouldn't be doing that.

It's either that the user shell is set to /bin/false (or something else that does nothing) and there is a sshd "banner" or "motd" (message of the day) that has that message,
or that the user shell is set to a program that emits that message and exits.
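
One way to build the second option (a program that prints the message and exits), shown as an added example; it is not GitHub's implementation and not code from the answer above. It assumes the account name reaches the program through a per-key `command="..."` option in authorized_keys; the name ssh-gate, the path and the sample requests are hypothetical.

```sh
#!/bin/sh
# Added example. Assumed wiring (hypothetical path and key), one line per key
# in the shared account's ~/.ssh/authorized_keys:
#   command="/usr/local/bin/ssh-gate alice",restrict ssh-ed25519 AAAA...
# sshd then runs this program instead of a shell, with the key owner's name
# as $1 and the client's requested command in SSH_ORIGINAL_COMMAND.

# gate_decide NAME REQUESTED_COMMAND
# Prints "allow <service> <repo>" (status 0) or "deny <message>" (status 1).
gate_decide() {
    name=$1 cmd=$2
    if [ -z "$cmd" ]; then
        # No command means the client asked for an interactive shell.
        echo "deny Hi $name! You've successfully authenticated, but shell access is not provided."
        return 1
    fi
    case $cmd in
        "git-upload-pack '"*"'" | "git-receive-pack '"*"'") ;;
        *) echo "deny Hi $name! That command is not permitted."; return 1 ;;
    esac
    service=${cmd%% *}
    repo=${cmd#*" '"}
    repo=${repo%"'"}
    # Reject absolute paths, parent-directory hops and any character that
    # could carry shell syntax; accept only names ending in .git.
    case $repo in
        /* | *..* | *[!A-Za-z0-9._/-]*) echo "deny Invalid repository name."; return 1 ;;
        *.git) echo "allow $service $repo"; return 0 ;;
        *) echo "deny Invalid repository name."; return 1 ;;
    esac
}

# Demo on constructed requests. A real gate would exec the allowed service on
# "allow", and on "deny" print the message to stderr and exit non-zero.
for request in "" "git-upload-pack 'alice/project.git'" "bash -i" \
               "git-upload-pack '../../etc/x.git'"; do
    gate_decide alice "$request" || true
done
```

Because the greeting is produced after authentication, the name in it comes from whichever key matched, not from the login name, which is the same for every client.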

Related

Redis password error from one server but not from another

I'm trying to connect to a redis server from two different servers, call them server1 and server2
From server1 I cannot login, using the right or the wrong password I always get:
user@server1:~$ redis-cli -h my-redis-server.com
my-redis-server.com:6379> auth rightpassword
(error) WRONGPASS invalid username-password pair
From server2 I can login
user@server2:~$ redis-cli -h my-redis-server.com
my-redis-server.com:6379> auth rightpassword
OK
But the funny thing is the error when trying to login from server2 with the wrong password is different
user@server2:~$ redis-cli -h my-redis-server.com
my-redis-server.com:6379> auth wrongpassword
(error) ERR invalid password
Using the monitor command on the redis server the login attempts from server1 are not printed while the login attempts (successful or not) from server2 are printed.
It seems the firewall is not blocking connections from server1 and also the redis server is configured to accept connections from server1 "bind 0.0.0.0". I mean, it actually looks like connections are accepted from server1 but somehow redis is refusing to run commands from server1 :-/ From what I've seen, redis doesn't have a way of blocking access per IP other than the "bind" config, and even that should return a connection refused rather than a wrong password error. I also think if the firewall was blocking, I should get a connection refused.
Geez, I must be missing something. Does anybody have a clue about what could be going on here?
PS: wonder why even redis has two different wrong password errors :-|

With Redis version 6+, they have added the ability of Access Control Lists (ACLs) for allowing users access to specific commands (read, write, key-constrained, etc.) based on the permissions of the user.
This may be why this error is being displayed:
(error) WRONGPASS invalid username-password pair
The AUTH command is slightly different for Redis version 6+:
AUTH command documentation: https://redis.io/commands/auth/
AUTH [username] password
ACL Documentation:
https://redis.io/docs/manual/security/acl/
If both of the Redis server versions are the same (i.e. 6+) then I would guess that server #2 has the default user enabled, which is why the AUTH command works. The concept of the default user is Redis' way of maintaining backwards compatibility with versions previous to 6. The current way that server #2 is operating is the default configuration for Redis. From what you mentioned in your original post, it seems like server #1 has the default user disabled and instead another user was created, possibly with different permissions.
For server #1, you may be able to run:
ACL WHOAMI
This should return the username that could be used for this command:
AUTH [username] password
It may also be helpful to run:
ACL LIST
to view the current users and their permissions
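
An added sketch (not from the answer above and not Redis code) that reads `ACL LIST` output and reports, for each user, which form of AUTH can work. The sample lines, the user name app and the hash placeholder are constructed.

```sh
#!/bin/sh
# Added example: summarise `ACL LIST` lines read from stdin, either raw or in
# the numbered, quoted form that redis-cli prints.

acl_auth_hint() {
    while IFS= read -r line; do
        # Drop redis-cli decoration: 1) "user ..."  ->  user ...
        line=${line#*\"}
        line=${line%\"}
        set -f                  # keep rules such as ~* from globbing
        set -- $line
        set +f
        [ "$#" -ge 2 ] && [ "$1" = user ] || continue
        name=$2 state=off pass=required
        shift 2
        for rule in "$@"; do
            case $rule in
                on|off) state=$rule ;;
                nopass) pass=none ;;
            esac
        done
        if [ "$state" = off ] && [ "$name" = default ]; then
            hint="disabled; one-argument AUTH cannot succeed, use AUTH <username> <password>"
        elif [ "$state" = off ]; then
            hint="disabled"
        elif [ "$pass" = none ]; then
            hint="enabled with nopass (no password check)"
        elif [ "$name" = default ]; then
            hint="AUTH <password>"
        else
            hint="AUTH $name <password>"
        fi
        echo "$name: $hint"
    done
}

# Constructed sample: default user switched off, one named user defined.
sample_acl_list() {
    cat <<'EOF'
1) "user app on #<sha256-of-password> ~cache:* +get +set"
2) "user default off nopass ~* &* +@all"
EOF
}

sample_acl_list | acl_auth_hint
```

A default user reported as enabled with nopass is the finding to act on first, since every new connection then runs commands without authenticating.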

SSH with Chilkat in VB6; but maybe generally

I have written an application for SSH, but the originally used library is no longer developed and has old methods of encryption. Thus, it is not usable for contemporary devices. I am looking for alternatives and I found Chilkat.
I am able to start connecting to the device (Cisco switch for instance), but communication behaves in strange ways.
The basic principle of my program is based on a talking client (my program) and server (Cisco switch). After the login is done, I get a prompt saying that I would get into privileged mode by the command enable. I recognize this need by the sign > at the end of the prompt. I send the command enable and await the prompt Password: After I get it, I send the password. I am using two components and a timer at this time:
success = ssh.ChannelSendString(channelNum, commandToSend & Chr(13), "ansi")
and
auxStr = ssh.GetReceivedText(channelNum, "ansi")
when I get word Password: in receiving text, I send password string like a commandToSend
but I get % Access denied
I am pretty sure that the password is OK; it seems like one extra enter is sent via connection, because during next returned text is this message :
Translating "passwordString"...domain server (255.255.255.255)
it indicates that passwordString was sent into the switch after message
% Access denied
not like an answer to Password: prompt.
I made debugging in the code to see what my program is sending to the switch, but everything seems to be correct. Maybe some mistake in the Chilkat component?
Has anybody had a similar experience? Or an explanation of this behaviour and advice on how to solve it, please?

Send the "enable" command (or just "ena") followed by a single CHR(13). Then get the output from the SSH server, which should be the "Password:" prompt. Then send the password followed by the CHR(13). Then get the output. Then send each command terminated by a single CHR(13) and get the output after each command.

"Error getting tty, exiting" displayed on trying to ssh as admin

My code is
c = Net::SSH.start("192.168.x.x", "admin", :password=>"xyz")
puts c.exec "sh run"
c.close
Executing this I get "Error getting tty, exiting". What is the issue here, please help me.
Thanks,
Jade

This is happening because the admin user on the remote host doesn't have a shell associated with it, so when you log in, ssh gets that error while running the command.
Log in to the remote machine and set a valid shell for the admin user, or use a different user who has a valid shell associated with it.
Also, it's good practice to specify the full path of the binary that you need to invoke, so instead of 'sh' it's better to use '/bin/sh'.

why ssh-copy-id still need password when using fabric

I have set env.user and env.password, but when I use:
run('ssh-copy-id -i $HOME/.ssh/id_rsa.pub server1')
it still asks me for the password, why?

env.user and env.password are used to ssh to remote server and then run the command inside run () at the remote server.
They are not used for the remote command itself (running in the remote server).
So ssh-copy-id doesn't know anything about the user or password.
If this is not what you mean, I would advise you to edit the question and make things more clear, like providing more context of what you are trying to accomplish: pasting the function that contains this 'run' for example.

SSH Expect Password Issue with Login

Hi, I have the following script that makes an ssh login to my server.
spawn ssh presnetwork@192.168.244.14
expect "*(yes/no)?"
send "yes"
expect "password:"
send "pwd\n"
close
it works fine but it doesn't pass 'pwd' value to system, so script goes timeout and quit.
Any suggestions?

You could try with "KbdInteractiveAuthentication" set to "no" (ssh -o KbdInteractiveAuthentication="no" presnetwork@192....). SSH by default uses Keyboard Interactive Authentication, which is something expect might not understand.
I would strongly recommend that you use public key authentication instead (as already recommended by Flo). It is way easier to handle, and way more secure, and way more comfortable. If you are just looking for a way to log in to a remote server without having to enter the password every time, take a look at ssh-agent, which will store the password for you after you entered it once in your desktop session. If you really don't want to enter your password, use pam_ssh, where your desktop login password will be used.

By default, the expect command is not yet installed. So, you need to install it to acquire correct output.