DBeaver ssh tunnel invalid private key - ssh

Just want to leave it here, so the link to the solution won't be lost.
I have a private 4096-byte RSA key (probably it was generated using this guide https://help.github.com/en/articles/generating-a-new-ssh-key-and-adding-it-to-the-ssh-agent).
I've got an error while trying to establish a new connection through an ssh tunnel using DBeaver (6.1.2).
invalid privatekey: [B@540.....

So at first I've found this solution: https://github.com/rundeck/rundeck/issues/4813#issuecomment-492358649 But I didn't really want to recreate my key, cause it was already in use on several servers.
After an hour of googling I've found another suggestion: to use another SSH implementation via the sshj extension: https://github.com/dbeaver/dbeaver/issues/3917#issuecomment-410616717 It can be installed via the built-in package manager: Help -> Install New Software -> https://dbeaver.io/update/sshj/latest/ And it works great!

This error is due to the format of the SSH private key. By default, ssh-keygen is creating a private key using the OpenSSH format—with this header:
-----BEGIN OPENSSH PRIVATE KEY-----
But DBeaver only accepts keys using the older PEM format—with this header:
-----BEGIN RSA PRIVATE KEY-----
You can either generate a key directly with the correct header using:
ssh-keygen -t rsa -b 2048 -m PEM
Or you can convert an existing key (careful! this overwrites the existing key, you can just copy the private key and apply the command on the copy):
ssh-keygen -p -m PEM -f id_rsa
There is an open issue on DBeaver's GitHub.

The above suggestions didn't help for me. But in the latest versions of DBeaver, you just have to update implementation to SSHJ, under Advanced settings:
That worked for me!

I got the SSH Tunnel to work on
DBeaver Community Edition Version 7.3.4.202101310933
macOS Catalina version 10.15.7
by doing the following:
in shell:
create private 4096-byte RSA key at default location ~/.ssh/id_rsa using
ssh-keygen -t rsa -b 4096
in DBeaver:
click Help > Install New Software
click Add ...
enter Name: SSHJ
enter Location: https://dbeaver.io/update/sshj/latest/
click Next and go thru the entire SSHJ installation process
(I failed to do this on my first attempt)
click Save
click Restart DBeaver
on SSH Tunnel tab of Connection Settings
use Authentication Method: Public Key
use Private Key: ~/.ssh/id_rsa
(OpenSSH NOT PEM, as others have advised)
enter Passphrase
select Save Password
select Implementation: SSHJ
click Test tunnel configuration
modal dialog is displayed that says
Connected!
Client version: SSHJ_0.27.0
Server version: OpenSSH_7.2p2 Ubuntu-4ubuntu2.8
click OK

Related

How can I connect MySQL Workbench using a password protected private ssh key?

I'm having troubles connecting my Workbench through SSH using my password protected key, I don't know where I have to put my password key in Workbench, it tells me "Access denied for 'none'. Authentication that can continue: publickey".
I have my credentials correct (I can connect via terminal SSH using the same user) so it makes me think that is because my ssh key is protected by password.
Where can I put my password in Workbench?
I just came across this issue. I had a key to access an old VPN that worked since 2016.
Now I changed servers and decided to create a new key, which works fine on terminal but MySQL Workbench would give me the same error as you're getting. I copied the old key to the new server and it worked fine on the Mysql Workbench which I couldn't understand.
Comparing both keys I noticed that the old key starts like this:
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info:
whereas the new key doesn't contain those two first lines. Then after researching a bit I learned that you have to generate the key in the PEM format in order to have those two lines at the header, so the command to generate has to include the -m PEM option and should look like this:
ssh-keygen -m PEM -t rsa -b 8192
Now Mysql Workbench works fine with that key. =]
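Added example, not part of the original answers: a shell helper that classifies a private key by the headers discussed in the DBeaver and MySQL Workbench answers above (OpenSSH vs. legacy PEM, and the Proc-Type line of a passphrase-protected PEM key), plus a wrapper that converts a copy instead of the original. The function names and the category strings are assumptions made for this example; the PuTTY and generic PEM cases go slightly beyond the two headers quoted in the answers.

```bash
#!/bin/sh
# Added example (not from the original posts).

# key_format FILE -> prints openssh | pem-rsa | pem-rsa-encrypted |
#                    pem-other | putty-ppk | unknown | unreadable
key_format() {
    [ -r "$1" ] || { echo "unreadable"; return 1; }
    # Look at the first line only; strip CR so keys copied from Windows match.
    kf_first=$(head -n 1 -- "$1" | tr -d '\r')
    case $kf_first in
        "-----BEGIN OPENSSH PRIVATE KEY-----")
            echo "openssh" ;;
        "-----BEGIN RSA PRIVATE KEY-----")
            # Legacy PEM records passphrase protection in a Proc-Type header.
            if grep -q '^Proc-Type: 4,ENCRYPTED' "$1"; then
                echo "pem-rsa-encrypted"
            else
                echo "pem-rsa"
            fi ;;
        "-----BEGIN "*"PRIVATE KEY-----")
            echo "pem-other" ;;
        PuTTY-User-Key-File-*)
            echo "putty-ppk" ;;
        *)
            echo "unknown" ;;
    esac
}

# pem_copy SRC DST: convert a COPY of SRC to legacy PEM and leave SRC alone.
# ssh-keygen -p rewrites its target in place and prompts for the passphrase.
pem_copy() {
    if [ -e "$2" ]; then
        echo "refusing to overwrite $2" >&2
        return 1
    fi
    # umask 077 keeps the copy private to the current user (0600 at most).
    ( umask 077 && cp -- "$1" "$2" ) || return 1
    ssh-keygen -p -m PEM -f "$2"
}

# Stand-alone use: sh keyfmt.sh ~/.ssh/id_rsa
[ "$#" -eq 0 ] || key_format "$1"
```

A result of openssh means a client that only reads the legacy PEM header will reject the key until a PEM copy is made or the client's SSH implementation is switched.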

SSH Service Connection - Cannot parse privateKey: Unsupported key format

I'm trying to setup a release pipeline to copy files over to a linux server via ssh. However when I try to run the release I get the following error during the copy task:
Failed to connect to remote machine. Verify the SSH service connection details. Error: Cannot parse privateKey: Unsupported key format.
I've tried generating the key multiple times with ssh-keygen -t rsa and uploaded or copied the contents of the private key directly into the Private Key text area in the service connection. All to no avail.
It seems like I'm missing something simple as I can't find much mention of others having issue with this.
According to this issue description one should disable preview features of service connections in Azure DevOps. Then edit your SSH Service connection and instead of pasting key source it should be possible to upload a key file. This way there is no Cannot parse privateKey error.
Please use ssh-keygen -m PEM -t rsa -b 2048 to generate your keys (the PEM format is required). Additionally, when I didn't specify bits with the -b option Azure told me the key file was too long.

SourceTree asks password for SSH authentication at each restart

In SourceTree I'm using OpenSSH as authentication and created + added my SSH keys (on Windows) like this:
ssh-keygen -t rsa -C "my@email.com"
(and entered filename, password etc)
Added the key to the SSH agent:
eval "$(ssh-agent)"
ssh-add id_rsa
Added the SSH key to GitLab using
cat id_rsa.pub to print my public key
Added the public key to SourceTree by "Tools > Add SSH key" followed by the password ("Tools > options > SSH client configuration" I've selected OpenSSH).
After these steps I'm able to push and pull code.
However, each time I restart SourceTree a terminal pops-up and I have to re-enter my password again*. How can I make SourceTree / the SSH agent remember this password?
ps. my keys are saved in a directory like /d/MyName/Gitlab/ instead of ~/.ssh/ but that shouldn't be a problem, right?
EDIT:
*The message shown in the terminal:
SourceTree is loading your SSH key into the agent for authentication Please enter your passphrase if prompted to do so Enter passphrase for D:\MyName\GitLab\.ssh\id_rsa:
EDIT2:
This solution didn't solve my problem either:
You can use the Windows OpenSSH ssh-agent to manage your keys.
The problem is that Sourcetree on windows wants to start its own instance of the ssh-agent instead of using the already running service. Even if you can get that to work it will still prompt for your key passphrase on startup because Sourcetree's ssh-agent process doesn't save your keys to the Windows keychain.
There are heaps of instructions on how to use Pageant as your ssh agent, but that is not why you're here. You're here because you want to use the OpenSSH agent, with OpenSSH formatted keys, with passphrases but without being prompted for said passphrase all over the place.
The trick is to proxy all requests to Pageant through to your OpenSSH agent.
Install OpenSSH.
Start the ssh-agent service and set to automatic.
Add your private keys to the agent with
ssh-add <key_file>
Add your public keys to the hosts you want to authenticate with.
Test that you can authenticate via ssh:
ssh -T git@github.com
Your private keys will now be loaded when you log in to your Windows account and you won't have to provide passphrases ever again.
To allow programs and libraries such as Sourcetree, WinSCP and Fabric that normally use Pageant to instead have keys provided by the ssh-agent there is an awesome program https://github.com/ndbeals/winssh-pageant
Follow instructions to install winssh-pageant, schedule it as a task to start on windows startup.
Now all calls to Pageant's NamedPipe will be proxied to the OpenSSH agent.
The last step to get SourceTree working with OpenSSH is a bit counter-intuitive.
Go to Tools | Options | General and set the SSH Client to PuTTY/Plink and uncheck the "Automatically start SSH agent when Sourcetree opens".
I solved this issue following these steps:
Find the path to Pageant (in my case was in C:\Users\{my-user}\AppData\Local\SourceTree\app-3.3.8\tools\putty\pageant.exe)
Do Window key + R or type run in Windows bar
In the text box put shell:startup
Make a shortcut of your pageant and paste it in the window that just opened
Right click on the shortcut and click on Properties
In Shortcut tab, in target put your-sourcetree-pageant-path\pageant.exe id_rsa.ppk
In Start in put C:\Users\{my-user}\.ssh and click ok
Note that your id_rsa.ppk must be inside C:\Users\{my-user}\.ssh directory
If for some reason your id_rsa.ppk is protected by a passphrase and you are sure you won't have security issues. Just remove the passphrase.
To remove the id_rsa.ppk's passphrase, follow these steps
Open PuttyGen
Go to Conversions => Import key
Remove the passphrase
Save the private key & public key
Replace the protected id_rsa.ppk with the unprotected id_rsa.ppk
Hope that helped!
You manually start your agent and set environment variables in order for commands to find it.
Whenever you start a command (like SourceTree) without those environment variables set, that command is not able to access the agent and therefore asks for your password.
Making your agent start on system startup should solve things.
If ssh cannot reach the agent it will also look into ~/.ssh/, therefore if you place your keys there it should work, too. (Have a look at man ssh.)
After I did the test below, I was never asked for the password.
To test whether your SSH key was added correctly, run the following command in your terminal (replacing gitlab.com with your GitLab's instance domain):
ssh -T git@gitlab.com
The first time you connect to GitLab via SSH, you should verify the authenticity of the GitLab host that you're connecting to. For example, when connecting to GitLab.com, answer yes to add GitLab.com to the list of trusted hosts:
The authenticity of host 'gitlab.com (35.231.145.151)' can't be established.
ECDSA key fingerprint is SHA256:HbW3g8zUjNSksFbqTiUWPWg2Bq1x8xdGUrliXFzSnUw.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'gitlab.com' (ECDSA) to the list of known hosts.
Note: For GitLab.com, consult the SSH host keys fingerprints section to make sure you're connecting to the correct server. For example, you can see the ECDSA key fingerprint shown above in the linked section.
Once added to the list of known hosts, you should validate the authenticity of GitLab's host again. Run the above command once more, and you should only receive a Welcome to GitLab, @username! message.
If the welcome message doesn't appear, you can troubleshoot the problem by running ssh in verbose mode with the following command:
ssh -Tvvv git@gitlab.com

How to make a Password-Less Login from Windows to Linux using OpenSSH?

I installed the OpenSSH on my Windows 7 Machine. I want to connect to the remote Linux machine without typing password. I followed the below instructions but the SSH still needs a password to establish the connection.
Open CMD and run: ssh-keygen -t rsa (The public and private keys are generated in the C:\Users\user.ssh) folder
Copy the id_rsa.pub content into /home/kouhi/.ssh/authorized_keys in my Linux remote machine
In Linux Machine run: chmod 700 .ssh
In Linux Machine run: chmod 644 .ssh/authorized_keys
When I try to Ssh kouhi@remote.com the connection still asks me for the password.
Also I tried Ssh -i C:\Users\user.ssh\id_rsa kouhi@remote.com
Also I get the following reply when run the ssh command:
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0644 for 'C:\\Users\\user\\id_rsa' are too open.
It is recommended that your private key files are NOT accessible by others.
This private key will be ignored.
bad permissions: ignore key: C:\\Users\\user\\id_rsa
As per this other question:
Right-click on the [private key file], select Properties then Security. Click Advanced, then Edit. Uncheck "Inheritable" and choose "Remove" in the dialog. Remove any explicit permissions left, add a "Full Access" permission to your username.
Step 1 : Open your windows powershell
Step 2 : Type command ssh-keygen -t rsa
Step 3 : Now a private and public key is generated and we have to copy this
public key into the remote linux server. For that do the below
steps.
- Copy the public key stored C:\Users\User/.ssh/id_rsa.pub
(Don't copy through GUI as it will give error,use powershell
itself)
Step 4 : Now login to your remote server using your ID and password
Step 5 : Now paste the copied public key in /.ssh/authorized_keys
using vim editor.
Step 6 : Now login from your windows powershell without password
TIPS : Try ssh restart , clear your earlier generated keys in authorised key folder and id_rsa.pub if you get errors and do as fresh

Convert PEM to PPK file format

Is there a way to convert PEM files to PPK files? (you may guess that Amazon EC2 gives me a PEM file, and I need to use the PPK format for SSH connectivity).
Use PuTTYGen
Creating and Using SSH Keys
Overview
vCloud Express now has the ability to create SSH Keys for Linux servers. This function will allow the user to create multiple custom keys by selecting the "My Account/Key Management" option. Once the key has been created the user will be required to select the desired SSH Key during the “Create Server” process for Linux.
Create and Use SSH Keys
Create keys
Navigate to “My Account”
Select “Key Management”
Create New Key.
During the key creation process you will be prompted to download your private key file in .PEM format. You will not be able to download the private key again as it is not stored in vCloud Express.
The “Default” checkbox is used for the API.
Deploy server and select key
Connect
SSH (Mac/Linux)
Copy .PEM file to the machine from which you are going to connect.
Make sure permissions on .PEM file are appropriate (chmod 600 file.pem)
Connect with ssh command: ssh vcloud@ipaddress -i privkey.pem
Putty (Windows)
Download Putty and puttygen from - here
Use puttygen to convert .PEM file to .PPK file.
Start puttygen and select “Load”
Select your .PEM file.
Putty will convert the .PEM format to .PPK format.
Select “Save Private Key” A passphrase is not required but can be used if additional security is required.
Connect with Putty.
Launch Putty and enter the host IP address. If connecting to the 10.X private address you must first establish an SSL VPN connection.
Navigate to Connection/SSH/Auth
Click “Browse” and select the .PPK file you exported from puttygen.
Click “Open.” When connection comes up enter username (default is vcloud).
Instructions copied from here
I'm rather shocked that this has not been answered since the solution is very simple.
As mentioned in previous posts, you would not want to convert it using C#, but just once. This is easy to do with PuTTYGen.
Download your .pem from AWS
Open PuTTYgen
Click "Load" on the right side about 3/4 down
Set the file type to *.*
Browse to, and Open your .pem file
PuTTY will auto-detect everything it needs, and you just need to click "Save private key" and you can save your ppk key for use with PuTTY
Enjoy!
If you have a Linux machine, just install puttygen on your system and use the command below to convert the key.
To convert pem to ppk, use the command below:
puttygen keyname -o keyname.ppk
The command below is used to convert ppk to pem, not pem to ppk:
puttygen filename.ppk -O private-openssh -o filename.pem
Download puttygen
Then open puttygen
click load
Set the file type to *.* (all files)
Save PrivateKey
and then you can just save it under any name; that file becomes a ppk file
To SSH connectivity to AWS EC2 instance, You don't need to convert the .PEM file to PPK file even on windows machine, Simple SSH using 'git bash' tool. No need to download and convert these softwares - Hope this will save your time of downloading and converting keys and get you more time on EC2 things.
Convert .pem file to .ppk for Windows 10
You need to do following:
1. Download PuTTYGen with Pageant.
2. Press "load" button and select your ".pem" file.
3. Press "save private key" button and save your ".ppk" file.
4. Open Pageant and press "add key" button. Just all. Keep running Pageant in background.
5. Now login through SSH or SFTP without selecting password field.
Save YourPEMFILE.pem to your .ssh directory
Run puttygen from Command Prompt
a. Click “Load” button to “Load an existing private key file”
b. Change the file filter to “All Files (*.*)”
c. Select the YourPEMFILE.pem
d. Click Open
e. Puttygen shows a notice saying that it Successfully imported foreign key. Click OK.
f. Click “Save private key” button
g. When asked if you are sure that you want to save without a passphrase entered, answer “Yes”.
h. Enter the file name YourPEMFILE.ppk
i. Click “Save”
PuTTYgen for Ubuntu/Linux and PEM to PPK
sudo apt install putty-tools
puttygen -t rsa -b 2048 -C "user@host" -o keyfile.ppk
I used a trial version of ZOC Terminal Emulator and it worked. It readily accepts the Amazon's *.pem files.
The trick is though, that you need to specify "ec2-user" instead of "root" for the username - despite the example shown in the EC2 console, which is wrong! ;-)
sudo yum install putty
sudo apt-get install putty-tools
To convert your .pem file to a .ppk file
sudo puttygen pemKey.pem -o ppkKey.ppk -O private
To convert a .ppk file to a .pem file
sudo puttygen ppkkey.ppk -O private-openssh -o pemkey.pem
I had the same issue with PuttyGen not wanting to import an openSSH private key. I tried everything and what I found out was the old version of PuttyGen did not support importing OpenSSH. Once I downloaded the latest Putty, puttygen then allowed it to import the openssh private key just fine. I now have a hole in the side of my desk for pounding my head against it for the past hour.