SSH Service Connection - Cannot parse privateKey: Unsupported key format - ssh

I'm trying to setup a release pipeline to copy files over to a linux server via ssh. However when I try to run the release I get the following error during the copy task:
Failed to connect to remote machine. Verify the SSH service connection details. Error: Cannot parse privateKey: Unsupported key format.
I've tried generating the key multiple times with ssh-keygen -t rsa and uploaded or copied the contents of the private key directly into the Private Key text area in the service connection. All to no avail.
It seems like I'm missing something simple as I can't find much mention of others having issue with this.

According to this issue description one should disable preview features of service connections in Azure DevOps. Then edit your SSH Service connection and instead of pasting key source it should possible to upload a key file. This way there is no Cannot parse privateKey error.
Please use ssh-keygen -m PEM -t rsa -b 2048 to generate your keys (the PEM format is required). Additionally, when I didn't specify bits with the -b option Azure told me the key file was too long.

Related

PyCharm says remote host ID has changed, but ssh-keyscan does not

This morning PyCharm started warning me:
Warning: remote host identification has changed! IT IS
POSSIBLE THAT SOMEONE IS DOING SOMETHING
NASTY! Someone could be eavesdropping on you
right now (man-in-the-middle-attack)! It is also
possible that the host key has just been changed. The
fingerprint for the ssh-ed25519 key sent by the
remote host is
[redacted A]
Do you want to update the key in
/Users/[myhome]/.ssh/known_hosts and resume
connecting?
Then it asks if I want to change ~/Users/[myhome]/.ssh/known_hosts.
The target host is used as an sftp to transfer my code to the remote server. Its name is an alias for two data transfer nodes. I can look at their ssh public keys using ssh-keyscan -t ed25519 alias.remotehost.com and I get a key that matches the one in my known_hosts file. I can also connect to a different remote server, at which time I do not get a warning about changed ssh keys, and ssh-keyscan the original remote host and I get the same keys in known_hosts.
The key that PyCharm says is new does not match any of the now twice confirmed ssh keys. The format of the PyCharm-message-derived key is even totally different from the keys from ssh-keyscan.
What is going on? I don't want to just blast through a security warning, and I'd like some guidance on where to look to see why PyCharm is giving me this warning that I cannot confirm otherwise.
The reason is not necessarily a security issue. Did you double-check your SSH configuration, in particular the known_hosts file used by PyCharm is the same you're checking?
https://man.openbsd.org/ssh_config#UserKnownHostsFile
You may want to take a look at the PyCharm SSH Configurations ... Connection Parameters; for example the different format you're seeing might be related to storing hosts in hash format option (to be confirmed):
https://www.jetbrains.com/help/pycharm/settings-tools-ssh-configurations.html
You can try to recreate a SSH configuration from scratch as described here:
https://www.jetbrains.com/help/pycharm/create-ssh-configurations.html
If you're 100% sure that the key in the known_hosts file is the right one and matches your target server's, this will remove the entry in known_hosts file and you should be again prompted to accept the server key on the next connection:
ssh-keygen -R <host>
(where host is your target server, IP or hostname: "alias.remotehost.com" in your example; you can provide the path for the file using -f <path>)
References
ssh remote host identification has changed
https://stackabuse.com/how-to-fix-warning-remote-host-identification-has-changed-on-mac-and-linux/
https://youtrack.jetbrains.com/issue/CPP-19720

Add a remote node in rundeck

I want to be able to execute shell commands on remote nodes using Rundeck and I found this video that explains how to do that but I don't understand the private-key part and how to configure it. I keep getting the following error:
Authentication failure connecting to node: "test-001". Make sure your
resource definitions and credentials are up to date. Failed:
AuthenticationFailure: Authentication failure connecting to node:
"test-001". Make sure your resource definitions and credentials are up
to date.
I have a remote server set up and I configured the resource.xml file like the following:
<node name="test-001" description="demo for test" tags="demo" hostname="10.10.10.10:22" osFamily="unix" osName="Linux" osVersion="2.6.32" username="demo" />
Do I need to add the ssh-key value to the xml file? If so, do I have to copy the public or private keys from the Rundeck server to the host server?
Also, the username demo has a password too, so how can I define it?
Rundeck host server connects to the node by means of private key authentication which is exactly similar to SSH private key authentication. Follow these steps to add a node to your server rundeck.
Open up the resources.xml file and add the following.
<node name="rundeck node2" description="Rundeck node2" tags="node2" hostname="10.1.0.1" osArch="amd64" osFamily="unix" osName="Linux" osVersion="3.11.10-03111015-generic" username="leo" ssh-keypath="/var/lib/rundeck/node2.key"/>
You can change the SSH user name in node and private key file name. In addition to that, you can change all the other naming parameters too like node name and tags etc.
Now get into your node server.
Create a ssh user, here its leo
switch to user leo. Generate a SSH key
ssh-keygen
Append the public key to authorized_keys
leo#c1a5f48a6c4c:~/.ssh$ pwd
/home/leo/.ssh
leo#c1a5f48a6c4c:~/.ssh$ cat id_rsa.pub >> authorized_keys
leo#c1a5f48a6c4c:~/.ssh$ chmod g-w authorized_keys
Copy the private key
leo#c1a5f48a6c4c:~/.ssh$ cat id_rsa
Save the private key to the file "/var/lib/rundeck/node2.key" on rundeck host. Now the authentication is okay and ready to execute adhoc commands from rundeck dashboard
Documentation is fairly all over the place with different versions having different keywords and there being no warnings in case you are using the wrong one.
The relevant documentation is here:
https://docs.rundeck.com/2.11.3/plugins-user-guide/ssh-plugins.html
You need to specify:
ssh-authentication: privateKey
...and:
ssh-keypath: /path/directly/to/.ssh/id_rsa
(Assuming you are using filesystem key storage.)
Remove passphrase from your keys with:
ssh-keygen -p -m PEM -f /path/to/your/.ssh/id_rsa
...and do not forget to mke sure the id_rsa file is owned by rundeck and has suitably restricted permissions.
In my case I had a passpharse in my private key. Make sure your private key passpharse is empty.

How to get the correct format key file for Jenkins CLI?

So I am working with Jenkins and I need to use the Jenkins CLI, but I cannot get the authentication figured out.
I was following their rather short description here: https://wiki.jenkins-ci.org/display/JENKINS/Jenkins+CLI which said I need to convert my .ppk file from Putty into openssh format. They link you to this post here How to convert SSH keypairs generated using PuttyGen(Windows) into key-pairs used by ssh-agent and KeyChain(Linux) and I followed those instructions and tried with the file it generated, but I end up with a file that is a single line and looks like:
ssh-rsa [KEY]
When I use this file with the Jenkins CLI I get this error:
Exception in thread "main" java.io.IOException: Invalid PEM structure, '-----BEGIN...' missing
at com.trilead.ssh2.crypto.PEMDecoder.parsePEM(PEMDecoder.java:138)
at com.trilead.ssh2.crypto.PEMDecoder.decode(PEMDecoder.java:313)
at hudson.cli.PrivateKeyProvider.loadKey(PrivateKeyProvider.java:143)
at hudson.cli.PrivateKeyProvider.loadKey(PrivateKeyProvider.java:126)
at hudson.cli.PrivateKeyProvider.readFrom(PrivateKeyProvider.java:107)
at hudson.cli.CLI._main(CLI.java:440)
at hudson.cli.CLI.main(CLI.java:387)
I am really not familiar with ssh keys at all and have been searching around for a while with no luck. Can anyone instruct me on how to get my .ppk file into the correct format to use with the Jenkins CLI? Thanks!
You have to generate a public SSH key on your machine and to declare this SSH key on your Jenkins server.
To generate a public key on your machine (with no passphrase):
ssh-keygen -t rsa
The default location for your public key is:
/Users/your.user/.ssh/id_rsa.pub
Copy your public SSH key (ssh-rsa XXXXXXXX your.email#domain.com).
Next, go on your Jenkins server and edit your Jenkins user information (via the top right corner, by clicking on your username).
Go to the "SSH Public Keys" section and paste your public key.
You should be able to access your Jenkins server with the CLI.
I've tested this configuration on my Jenkins server and it works.
brunolavit#MBP ~/Downloads$ java -jar jenkins-cli.jar -s http://myjenkinsserver.mydomain.com:8080/ version
1.577

Satis - error with ssh2.sftp protocol

I am trying to host private composer repository with satis (http://getcomposer.org/doc/articles/handling-private-packages-with-satis.md)
It works fine through http protocol.
I want to secure it with ssh connection as described in security section (http://getcomposer.org/doc/articles/handling-private-packages-with-satis.md#security)
But having errors when connecting with ssh2.sftp:// protocol.
Composer\Downloader\TransportException]
The "ssh2.sftp://192.168.10.30/packages.json" file could not be downloaded: Error starting up SSH connection(-43): Failed getting banner
failed to open stream: operation failed
I have already generated key pair
I added pub key to authorized_keys file on satis server.
I can connect with ssh to satis server without entering pass, so keys are working.
What i am missing or doing wrong?
UPDATE
Also i had installed ssh2 module extention. It appears on output of the command php -m | grep ssh2
Found solution myself:
I was using ssh key pair with password. Apparently ssh2.sftp do not like this. Generated new key pair without password.
Secondly need to use full path from root directory. For example:
ssh2.sftp://192.168.10.30/home/[username]/path/to/location/packages.json
source: http://us3.php.net/manual/en/function.ssh2-sftp.php#94651)

AWS EC2: generating private key file out of cert-***.pem for SSH terminal access

i have my access key, secret key, and the downloaded cert pem file.
i understand SSH requires a private key file in order to establish a terminal SSH connection to my instance.
what i did find through Google is that i need to use puttygen to convert my cert pem file into a private key file:
http://www.techrepublic.com/blog/datacenter/connect-to-amazon-ec2-with-a-private-key-using-putty-and-pageant/5085
however, all the instructions i found are based on a GUI puttygetn and i only have the CL version because i am running Linux Fedora 16 on my laptop. i did yum PuTTy, which came with a GUI but puttygen only has a CL version. what i tried to do in puttygen is as follows:
>puttygen cert-***.pem -o default.pem
puttygen: error loading `cert-***.pem': file does not begin with OpenSSH key header
can anybody point what i am doing wrong and how i can use CL puttygen to convert my cert file to a private key file that is usable by SSH to connect to my instances?
thanks in advance
If you are running Linux at the command line, why are you needing to make a ppk with puttygen? Basically the keypair you get from AWS IS in pem format suitable for using in ssh command line.
So if you saved your .pem file from Amazon as /path/to/aws.pem, all you need to do is
ssh -i /path/to/aws.pem user#hostname.com
The ssh private key is completely different from the X.509 certificate and private key. It's a little confusing because folks often save the ssh private key generated by EC2 in a ".pem" file just like the cert and pk use.
You can't convert or use the X.509 certificate or private key for ssh as you tried to do.
You can generate an ssh private key (sometimes called a "keypair") through Amazon EC2 on the AWS console or through the AWS command line tools (ec2-add-keypair). If you are using Putty, you may still need to convert to PPK format as your referenced article describes, but you are converting the ssh key .pem file, not the X.509 private key or certificate.
If you know how to generate your own ssh key locally (or have already done so) then I recommend doing this and uploading the ssh public key to EC2.
When you run an EC2 instance, you then specify the ssh keypair name so that EC2 makes the ssh public key available to the instance, letting you securely ssh in to your new server.