Trying to create eks cluster using eksctl with ssh-access - ssh

While creating an EKS cluster using eksctl it throws an error like "error decoding SSH public key".
Permission of the pem file is 400.
Command I am executing:
eksctl create cluster --name=thirdekscluster --ssh-access --ssh-public-key=mysshkey.pem --nodegroup-name=standard-workers --node-type=t3.medium --nodes=3 --nodes-min=1 --nodes-max=4 --node-ami=auto
Error:
[ℹ] using region ap-south-1
[ℹ] setting availability zones to [ap-south-1a ap-south-1c ap-south-1b]
[ℹ] subnets for ap-south-1a - public:xxxxx/19 private:xxxx/19
[ℹ] subnets for ap-south-1c - public:xxxxx/19 private:xxxx/19
[ℹ] subnets for ap-south-1b - public:xxxxx/19 private:xxxx/19
[ℹ] nodegroup "standard-workers" will use "ami-01b6a163133c31994" [AmazonLinux2/1.12]
[✖] computing fingerprint for key "mysshkey.pem":
error decoding SSH public key:
"-----BEGIN RSA PRIVATE KEY
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
-----END RSA PRIVATE KEY-----"
err: illegal base64 data at input byte 0

I had the same problem, in my case I was trying to use the private key instead of public. (key was created directly on aws ec2 console panel)
Solution:
ssh-keygen -y -f .pem >> <> .pem (just an illustrative name).

Thanks for your response, but I sorted it out myself.
created cluster using - eksctl create cluster --name=thirdekscluster --ssh-access=true --ssh-public-key=sreeeks --nodegroup-name=standard-workers --node-type=t3.medium --nodes=3 --nodes-min=1 --nodes-max=4 --node-ami=auto
The SSH part in the command should be like --ssh-access=true

I used Bitvise Client Key Management to export in OpenSSH format. After that, eksctl worked!

For me it worked as I removed the BOM by copying the public key to a different txt file.

eksctl create cluster --ssh-access --ssh-public-key=~/.ssh/id_rsa.pub --nodegroup-name=standard-workers --node-type=t3.medium --nodes=2 --nodes-min=1 --nodes-max=2
This should definitely work.

Related

SSH Service Connection - Cannot parse privateKey: Unsupported key format

I'm trying to setup a release pipeline to copy files over to a linux server via ssh. However when I try to run the release I get the following error during the copy task:
Failed to connect to remote machine. Verify the SSH service connection details. Error: Cannot parse privateKey: Unsupported key format.
I've tried generating the key multiple times with ssh-keygen -t rsa and uploaded or copied the contents of the private key directly into the Private Key text area in the service connection. All to no avail.
It seems like I'm missing something simple as I can't find much mention of others having issue with this.
According to this issue description one should disable preview features of service connections in Azure DevOps. Then edit your SSH Service connection and instead of pasting the key source it should be possible to upload a key file. This way there is no Cannot parse privateKey error.
Please use ssh-keygen -m PEM -t rsa -b 2048 to generate your keys (the PEM format is required). Additionally, when I didn't specify bits with the -b option Azure told me the key file was too long.

Add a remote node in rundeck

I want to be able to execute shell commands on remote nodes using Rundeck and I found this video that explains how to do that but I don't understand the private-key part and how to configure it. I keep getting the following error:
Authentication failure connecting to node: "test-001". Make sure your
resource definitions and credentials are up to date. Failed:
AuthenticationFailure: Authentication failure connecting to node:
"test-001". Make sure your resource definitions and credentials are up
to date.
I have a remote server set up and I configured the resource.xml file like the following:
<node name="test-001" description="demo for test" tags="demo" hostname="10.10.10.10:22" osFamily="unix" osName="Linux" osVersion="2.6.32" username="demo" />
Do I need to add the ssh-key value to the xml file? If so, do I have to copy the public or private keys from the Rundeck server to the host server?
Also, the username demo has a password too, so how can I define it?
Rundeck host server connects to the node by means of private key authentication which is exactly similar to SSH private key authentication. Follow these steps to add a node to your server rundeck.
Open up the resources.xml file and add the following.
<node name="rundeck node2" description="Rundeck node2" tags="node2" hostname="10.1.0.1" osArch="amd64" osFamily="unix" osName="Linux" osVersion="3.11.10-03111015-generic" username="leo" ssh-keypath="/var/lib/rundeck/node2.key"/>
You can change the SSH user name in node and private key file name. In addition to that, you can change all the other naming parameters too like node name and tags etc.
Now get into your node server.
Create an SSH user, here it's leo.
Switch to user leo and generate an SSH key:
ssh-keygen
Append the public key to authorized_keys
leo@c1a5f48a6c4c:~/.ssh$ pwd
/home/leo/.ssh
leo@c1a5f48a6c4c:~/.ssh$ cat id_rsa.pub >> authorized_keys
leo@c1a5f48a6c4c:~/.ssh$ chmod g-w authorized_keys
Copy the private key
leo@c1a5f48a6c4c:~/.ssh$ cat id_rsa
Save the private key to the file "/var/lib/rundeck/node2.key" on rundeck host. Now the authentication is okay and ready to execute adhoc commands from rundeck dashboard
Documentation is fairly all over the place with different versions having different keywords and there being no warnings in case you are using the wrong one.
The relevant documentation is here:
https://docs.rundeck.com/2.11.3/plugins-user-guide/ssh-plugins.html
You need to specify:
ssh-authentication: privateKey
...and:
ssh-keypath: /path/directly/to/.ssh/id_rsa
(Assuming you are using filesystem key storage.)
Remove passphrase from your keys with:
ssh-keygen -p -m PEM -f /path/to/your/.ssh/id_rsa
...and do not forget to make sure the id_rsa file is owned by rundeck and has suitably restricted permissions.
In my case I had a passphrase in my private key. Make sure your private key passphrase is empty.
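Putting the two attributes named in the answer above into the question's own resources.xml, as an added example (not from the question or the answers): node test-001 uses key authentication, and a second node shows the password case the question also asked about, using ssh-authentication="password" with the password held in Rundeck key storage via the ssh-password-storage-path attribute described in the linked SSH plugin documentation. The hostnames, key path and storage path are placeholder values.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<project>
  <!-- Key-based login: ssh-authentication and ssh-keypath together on one node.
       The key file must be readable by the rundeck user and free of a passphrase. -->
  <node name="test-001" description="demo for test" tags="demo"
        hostname="10.10.10.10:22" osFamily="unix" osName="Linux" osVersion="2.6.32"
        username="demo"
        ssh-authentication="privateKey"
        ssh-keypath="/var/lib/rundeck/.ssh/id_rsa"/>

  <!-- Password login: the password lives in Rundeck key storage, never in this
       file. The storage path is a placeholder; create the entry in the
       Rundeck UI first. -->
  <node name="test-002" description="password-auth demo" tags="demo"
        hostname="10.10.10.11:22" osFamily="unix" osName="Linux"
        username="demo"
        ssh-authentication="password"
        ssh-password-storage-path="keys/projects/demo/nodes/test-002.password"/>
</project>
```

Only the public half of the Rundeck key is copied to the node (into ~demo/.ssh/authorized_keys); the private key stays on the Rundeck host at the ssh-keypath location.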

How to get the correct format key file for Jenkins CLI?

So I am working with Jenkins and I need to use the Jenkins CLI, but I cannot get the authentication figured out.
I was following their rather short description here: https://wiki.jenkins-ci.org/display/JENKINS/Jenkins+CLI which said I need to convert my .ppk file from Putty into openssh format. They link you to this post here How to convert SSH keypairs generated using PuttyGen(Windows) into key-pairs used by ssh-agent and KeyChain(Linux) and I followed those instructions and tried with the file it generated, but I end up with a file that is a single line and looks like:
ssh-rsa [KEY]
When I use this file with the Jenkins CLI I get this error:
Exception in thread "main" java.io.IOException: Invalid PEM structure, '-----BEGIN...' missing
at com.trilead.ssh2.crypto.PEMDecoder.parsePEM(PEMDecoder.java:138)
at com.trilead.ssh2.crypto.PEMDecoder.decode(PEMDecoder.java:313)
at hudson.cli.PrivateKeyProvider.loadKey(PrivateKeyProvider.java:143)
at hudson.cli.PrivateKeyProvider.loadKey(PrivateKeyProvider.java:126)
at hudson.cli.PrivateKeyProvider.readFrom(PrivateKeyProvider.java:107)
at hudson.cli.CLI._main(CLI.java:440)
at hudson.cli.CLI.main(CLI.java:387)
I am really not familiar with ssh keys at all and have been searching around for a while with no luck. Can anyone instruct me on how to get my .ppk file into the correct format to use with the Jenkins CLI? Thanks!
You have to generate a public SSH key on your machine and to declare this SSH key on your Jenkins server.
To generate a public key on your machine (with no passphrase):
ssh-keygen -t rsa
The default location for your public key is:
/Users/your.user/.ssh/id_rsa.pub
Copy your public SSH key (ssh-rsa XXXXXXXX your.email@domain.com).
Next, go on your Jenkins server and edit your Jenkins user information (via the top right corner, by clicking on your username).
Go to the "SSH Public Keys" section and paste your public key.
You should be able to access your Jenkins server with the CLI.
I've tested this configuration on my Jenkins server and it works.
brunolavit@MBP ~/Downloads$ java -jar jenkins-cli.jar -s http://myjenkinsserver.mydomain.com:8080/ version
1.577
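The format failures in this thread and in the eksctl thread above are the same mistake in opposite directions: the Jenkins CLI wanted a PEM private key and got an authorized_keys line ("'-----BEGIN...' missing"), while eksctl wanted a public key and got a PEM private key ("illegal base64 data at input byte 0", because the base64 decoder hit "-----BEGIN"). The BOM and PuTTY .ppk answers are variants of the same thing. Added example, not from any of the questions or answers: a Python checker that classifies a key file before it is handed to a tool, detecting a UTF-8 BOM, a PuTTY .ppk header and a PEM private key, and, for an OpenSSH public key, checking that the base64 blob decodes and that the type embedded in the blob matches the leading type word. The sample keys are constructed for the demo and are not real credentials.

```python
import base64
import struct


def _ssh_string(b: bytes) -> bytes:
    """Encode one RFC 4251 'string' field: 4-byte big-endian length + bytes."""
    return struct.pack(">I", len(b)) + b


# --- Constructed sample inputs (not real credentials) ------------------------
# An Ed25519 public key whose 32-byte point is all 0x01 bytes: a structurally
# valid wire-format blob, chosen only so the example runs offline.
SAMPLE_BLOB = _ssh_string(b"ssh-ed25519") + _ssh_string(b"\x01" * 32)
SAMPLE_PUBLIC = b"ssh-ed25519 " + base64.b64encode(SAMPLE_BLOB) + b" demo@example\n"
SAMPLE_BOM_PUBLIC = b"\xef\xbb\xbf" + SAMPLE_PUBLIC          # UTF-8 BOM prepended
SAMPLE_PRIVATE = b"-----BEGIN RSA PRIVATE KEY-----\nXXXXXXXX\n-----END RSA PRIVATE KEY-----\n"
SAMPLE_PPK = b"PuTTY-User-Key-File-2: ssh-rsa\nEncryption: none\n"
# Type word says ssh-rsa, but the blob inside says ssh-ed25519.
SAMPLE_MISMATCH = b"ssh-rsa " + base64.b64encode(SAMPLE_BLOB) + b"\n"


def classify_ssh_key_file(data: bytes) -> dict:
    """Report what kind of key material a file holds and why a tool may reject it.

    kind is one of 'public' (OpenSSH authorized_keys line), 'private' (PEM or
    OpenSSH private key), 'ppk' (PuTTY container) or 'invalid'.
    """
    result = {"kind": "invalid", "type": None, "bom": False, "problems": []}
    if data.startswith(b"\xef\xbb\xbf"):
        result["bom"] = True
        result["problems"].append("UTF-8 BOM before the key; re-save the file without it")
        data = data[3:]
    text = data.strip()
    if text.startswith(b"-----BEGIN") and b"PRIVATE KEY" in text:
        result["kind"] = "private"
        result["problems"].append(
            "PEM/OpenSSH private key; a tool wanting the public half needs the "
            ".pub file (ssh-keygen -y -f <key> prints it)")
        return result
    if text.startswith(b"PuTTY-User-Key-File-"):
        result["kind"] = "ppk"
        result["problems"].append("PuTTY .ppk container; export it in OpenSSH format first")
        return result
    parts = text.split()
    if len(parts) < 2:
        result["problems"].append("expected '<type> <base64> [comment]'")
        return result
    try:
        # validate=True rejects anything outside the base64 alphabet, which is
        # exactly how eksctl ends up reporting 'illegal base64 data at input byte 0'.
        blob = base64.b64decode(parts[1], validate=True)
    except ValueError as exc:          # binascii.Error is a ValueError subclass
        result["problems"].append(f"base64 field does not decode: {exc}")
        return result
    if len(blob) < 4:
        result["problems"].append("decoded blob too short")
        return result
    (n,) = struct.unpack(">I", blob[:4])
    wire_type = blob[4:4 + n]
    if wire_type != parts[0]:
        result["problems"].append(
            f"type word {parts[0].decode(errors='replace')!r} does not match "
            f"blob type {wire_type.decode(errors='replace')!r}")
        return result
    result["kind"] = "public"
    result["type"] = wire_type.decode()
    return result


if __name__ == "__main__":
    for name, sample in [("public", SAMPLE_PUBLIC), ("bom", SAMPLE_BOM_PUBLIC),
                         ("private", SAMPLE_PRIVATE), ("ppk", SAMPLE_PPK),
                         ("mismatch", SAMPLE_MISMATCH)]:
        print(f"{name:9s} -> {classify_ssh_key_file(sample)}")
```

A tool that expects a public key (eksctl --ssh-public-key) should only get a file classified as 'public' with no problems listed; one that expects a private key (the Jenkins CLI) should only get 'private'. The BOM case still classifies as 'public' because the key itself is fine, but the problems list explains why a strict parser rejects the file as delivered.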

SSH fingerprint verification for Amazon AWS EC2 server with ECDSA?

When I create a new Amazon EC2 server, I connect to it using ssh as usual.
I see the typical warning:
$ ssh myserver
The authenticity of host 'ec2-12-34-567-890.compute-1.amazonaws.com (12.34.567.890)' can't be established.
ECDSA key fingerprint is 31:66:15:d2:19:41:2b:09:8a:8f:9f:bd:de:c6:ff:07.
Are you sure you want to continue connecting (yes/no)?
How do I verify the fingerprint before I sign in?
Ideally an answer is based on something besides the original creation console log -- because the log may get flushed out after a system restart, or during a large system installation script that generates a lot of output, or the connection is to an older system with keys that weren't tracked at creation time.
Amazon EC2 console now has a web-based terminal (which presumably guarantees secure connection). Go to Actions > Connect > EC2 Instance Connect > Connect on Instances page. In the terminal, use ssh-keygen command to display a fingerprint of any number of host keys algorithms. The following example shows SHA-256 and MD5 fingerprints of Ed25519 hostkey:
sudo ssh-keygen -l -f /etc/ssh/ssh_host_ed25519_key
sudo ssh-keygen -l -f /etc/ssh/ssh_host_ed25519_key -E md5
The previous answer, before the web-based terminal was introduced:
As @joelparkerhenderson's answer covers, you can collect host key fingerprint from server's initial start log, when host keys are generated (by the cloud-init script):
If you fail to collect the keys this way, you can get them by connecting to your target instance from another trusted instance within private Amazon network, thus keeping yourself safe from man-in-the-middle attacks.
When on the trusted instance (the one you know fingerprints for) terminal, you can use following commands to collect fingerprints (172.33.31.199 is the private IP):
$ ssh-keyscan 172.33.31.199 > ec2key
$ ssh-keygen -l -f ec2key
256 SHA256:oZHeiMEPLKetRgd3M5Itgwaqr2zJJH93EvSdx5UoHbQ <ip> (ED25519)
2048 SHA256:8zg105EUFFrPFpVzdfTGsgXnxuSpTiQd85k0uNapUio <ip> (RSA)
256 SHA256:L7UXLw0djE5B9W7ZhvrkYVSTZyi1MEQ2dBaRtpkkUGY <ip> (ECDSA)
If you do not have another instance whose fingerprints you know, create a new temporary instance just for the purpose of collecting the keys. First find keys for the new temporary instance using its initial start log. Connect to the temporary instance from the public network. Then collect keys of the target instance by connecting to it from the temporary instance, over the private Amazon network. After that you can discard the temporary instance.
I have prepared Guide for connecting to EC2 instance safely using WinSCP.
Here are two solutions that worked for me during the creation of the EC2 system.
Solution 1: Use the Amazon EC2 dashboard
Go to https://console.aws.amazon.com
Tap "EC2" link.
Tap "Instances" in the left column
Tap the instance name you want
Tap the select button "Actions" and choose "Get System Log" (a.k.a. "Console Output")
In the console output, you should see the keys being generated
Solution 2: Use the AWS EC2 command line
You can use the aws command or ec2-get-console-output command. Both are available for download from Amazon.
To use your EC2 private key pem file, certificate pem file, region, and instance:
ec2-get-console-output \
--private-key pk-ABCDEF1234567890.pem \
--cert cert-ABCDEF1234567890.pem \
--region us-east-1c \
i-e706689a
The output shows the ssh host key fingerprints like this:
ec2: -----BEGIN SSH HOST KEY FINGERPRINTS-----
ec2: 1024 e0:79:1e:ba:2e:3c:71:87:2c:f5:62:2b:0d:1b:6d:7b root@ip-10-243-118-182 (DSA)
ec2: 256 31:66:15:d2:19:41:2b:09:8a:8f:9f:bd:de:c6:ff:07 root@ip-10-243-118-182 (ECDSA)
ec2: 2048 ce:ec:3b:d3:34:3f:f3:45:76:81:9e:76:7a:d9:f5:e8 root@ip-10-243-118-182 (RSA)
ec2: -----END SSH HOST KEY FINGERPRINTS-----
The aws tool works similarly.
Note: these solutions only work during creation time, or when you can get the console logs. For a broader solution that works any time, see Martin's answer.
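Both answers above end with the same manual step: compare a fingerprint from the system log against what a connection to the instance presents. The log prints the legacy colon-separated MD5 form (as in the question's prompt), while current ssh-keygen -l output and ssh prompts show SHA256 in base64, so the two often cannot be compared by eye. Added example, not from either answer: a Python script that computes both forms from the raw key blobs returned by ssh-keyscan (as in Martin's answer) and checks them against the fingerprints parsed from the console output, returning a per-algorithm verdict. The keys and log lines are constructed for the demo; the console text is built from the constructed key's real MD5 so that the matching case can be shown offline.

```python
import base64
import hashlib
import struct

# Console-log algorithm labels for the key types ssh-keyscan prints.
ALG_NAMES = {
    "ssh-rsa": "RSA", "ssh-dss": "DSA", "ssh-ed25519": "ED25519",
    "ecdsa-sha2-nistp256": "ECDSA", "ecdsa-sha2-nistp384": "ECDSA",
    "ecdsa-sha2-nistp521": "ECDSA",
}


def _ssh_string(b: bytes) -> bytes:
    """Encode one RFC 4251 'string' field: 4-byte big-endian length + bytes."""
    return struct.pack(">I", len(b)) + b


def sha256_fingerprint(blob: bytes) -> str:
    """Form shown by `ssh-keygen -l` and current ssh prompts: base64, no padding."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def md5_fingerprint(blob: bytes) -> str:
    """Legacy colon-hex form shown in the EC2 system log and older ssh prompts."""
    return ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())


def parse_keyscan(text: str) -> dict:
    """'host type base64' lines from ssh-keyscan -> {type: decoded key blob}."""
    keys = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or line.startswith("#"):
            continue
        keys[fields[1]] = base64.b64decode(fields[2])
    return keys


def parse_console_fingerprints(text: str) -> dict:
    """'ec2: <bits> <md5> <comment> (<ALG>)' lines -> {ALG: md5 fingerprint}."""
    fps, inside = {}, False
    for line in text.splitlines():
        if "BEGIN SSH HOST KEY FINGERPRINTS" in line:
            inside = True
            continue
        if "END SSH HOST KEY FINGERPRINTS" in line:
            break
        if inside:
            fields = line.split()
            if len(fields) >= 5:
                fps[fields[-1].strip("()")] = fields[2]
    return fps


def verify_host_keys(console_text: str, keyscan_text: str) -> dict:
    """{ALG: True} when the scanned key hashes to the console-log fingerprint.

    False means the fingerprints differ, or the log has no entry for that
    algorithm; treat either as unverified and do not accept the host key.
    """
    expected = parse_console_fingerprints(console_text)
    verdict = {}
    for ktype, blob in parse_keyscan(keyscan_text).items():
        alg = ALG_NAMES.get(ktype, ktype)
        verdict[alg] = expected.get(alg) == md5_fingerprint(blob)
    return verdict


# --- Constructed sample data (not real hosts or keys) -------------------------
# Ed25519 blob with an all-0x01 point; a second blob stands in for a key that
# does not belong to the instance.
SAMPLE_BLOB = _ssh_string(b"ssh-ed25519") + _ssh_string(b"\x01" * 32)
OTHER_BLOB = _ssh_string(b"ssh-ed25519") + _ssh_string(b"\x02" * 32)
SAMPLE_KEYSCAN = "172.33.31.199 ssh-ed25519 " + base64.b64encode(SAMPLE_BLOB).decode() + "\n"
TAMPERED_KEYSCAN = "172.33.31.199 ssh-ed25519 " + base64.b64encode(OTHER_BLOB).decode() + "\n"
SAMPLE_CONSOLE = (
    "ec2: -----BEGIN SSH HOST KEY FINGERPRINTS-----\n"
    f"ec2: 256 {md5_fingerprint(SAMPLE_BLOB)} root@ip-10-0-0-1 (ED25519)\n"
    "ec2: -----END SSH HOST KEY FINGERPRINTS-----\n"
)

if __name__ == "__main__":
    print("genuine :", verify_host_keys(SAMPLE_CONSOLE, SAMPLE_KEYSCAN))
    print("tampered:", verify_host_keys(SAMPLE_CONSOLE, TAMPERED_KEYSCAN))
    for ktype, blob in parse_keyscan(SAMPLE_KEYSCAN).items():
        print(ktype, sha256_fingerprint(blob), md5_fingerprint(blob))
```

In practice the keyscan text comes from running ssh-keyscan against the private IP from a trusted instance, or from the ssh-keyscan line saved as ec2key in Martin's answer, and the console text from "Get System Log"; only when every algorithm you intend to use reports True should the host key be accepted.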

AWS EC2: generating private key file out of cert-***.pem for SSH terminal access

I have my access key, secret key, and the downloaded cert pem file.
I understand SSH requires a private key file in order to establish a terminal SSH connection to my instance.
What I did find through Google is that I need to use puttygen to convert my cert pem file into a private key file:
http://www.techrepublic.com/blog/datacenter/connect-to-amazon-ec2-with-a-private-key-using-putty-and-pageant/5085
However, all the instructions I found are based on a GUI puttygen and I only have the CL version because I am running Linux Fedora 16 on my laptop. I did yum PuTTY, which came with a GUI, but puttygen only has a CL version. What I tried to do in puttygen is as follows:
>puttygen cert-***.pem -o default.pem
puttygen: error loading `cert-***.pem': file does not begin with OpenSSH key header
Can anybody point out what I am doing wrong and how I can use CL puttygen to convert my cert file to a private key file that is usable by SSH to connect to my instances?
Thanks in advance
If you are running Linux at the command line, why are you needing to make a ppk with puttygen? Basically the keypair you get from AWS IS in pem format suitable for using in ssh command line.
So if you saved your .pem file from Amazon as /path/to/aws.pem, all you need to do is
ssh -i /path/to/aws.pem user@hostname.com
The ssh private key is completely different from the X.509 certificate and private key. It's a little confusing because folks often save the ssh private key generated by EC2 in a ".pem" file just like the cert and pk use.
You can't convert or use the X.509 certificate or private key for ssh as you tried to do.
You can generate an ssh private key (sometimes called a "keypair") through Amazon EC2 on the AWS console or through the AWS command line tools (ec2-add-keypair). If you are using Putty, you may still need to convert to PPK format as your referenced article describes, but you are converting the ssh key .pem file, not the X.509 private key or certificate.
If you know how to generate your own ssh key locally (or have already done so) then I recommend doing this and uploading the ssh public key to EC2.
When you run an EC2 instance, you then specify the ssh keypair name so that EC2 makes the ssh public key available to the instance, letting you securely ssh in to your new server.