CF ssh command - how does it work? - ssh

When I login to bluemix, I supply credentials. So my understanding is that there is https connectivity underlying.
I am using cf ssh command to access a bluemix instance. When I added a -v flag, I saw a trace of very first API call.
I am confused about the ssh part because though I did not supply a ssh credential, the ssh is working. My understanding is that the ssh connectivity normally requires ssh credentials. I understand that multiple users can access the instance via ssh. However I am not sure where the ssh credentials come from for the ssh connectivity.

cf ssh basically does an ssh under the hood (using Golang's ssh APIs - it does not call out to an external ssh command) using a username and password as credentials.
The username passed in is the process guid of your app (which is the same as your app guid when using the CC V2 APIs). The password is a one time authorization code it retrieves from UAA (it calls cf ssh-code under the hood).
See also http://docs.cloudfoundry.org/devguide/deploy-apps/ssh-apps.html#other-ssh-access.
cf ssh -v logs the initial HTTP API communication with CC and UAA, but does not log the TCP level calls to the SSH endpoint.

Related

How do I set up a proxy server that will SSH tunnel into a VPC I have in AWS for a Hibernate MySQL connection for me?

I have a microservice, let's call it RdsConnector, I want to test locally that is normally deployed on a machine on AWS. It connects to a MySQL instance, which is also in AWS, without any SSH tunnelling as they are in the same VPC. To connect to that MySQL instance from my local machine, I can use SSH tunnelling to get into the VPC I have set up in AWS. This is what that configuration looks like:
I could set up my microservice to also connect through SSH (optionally, perhaps), but I don't want to do that. Then I would have a different configuration running it locally vs in the cloud. What I want to do instead is set up some kind of proxy server on my local machine that will take the SSH credentials and do that SSH tunnelling, exposing the VPC MySQL endpoint locally. Then RdsConnector will just use that local endpoint, and I won't have to have a different config for RdsConnector just for local testing.
I'm not very familiar with the networking technologies in use here. I just know that there's no public IPs for my VPC, so I have to SSH in. I imagine that what I want is possible, but I have no idea what the moving parts would be.
Ok this turned out to be quite simple actually! The ssh program can do this for you, this is how I configure it with Mac OS ssh:
ssh -N -i "/Users/foo/aws_ssh_key.pem" \
-L "localhost:5990:stack-name-vpc-db.asdfqwerty.us-east-1.rds.amazonaws.com:3306" \
foo#12.34.567.890
With the -L flag, it'll proxy stuff over the SSH connection for you from the given endpoint to the provided endpoint on the other side. That -N flag is optional, it just turns off the regular SSH console since we only want to run a proxy server. The microservice can treat localhost:5990 as if it were the regular MySQL endpoint.

Is serverpilot making a ssh connection without ssh key, despite password authentication is disabled?

Following the basic instructions to secure the server, I took the following steps:
added a ssh-key
disabled password authentication
disabled rootlogin
created another user with sudo
As an another user I've no problem in accessing my server through terminal.
Now, I've also added my server on serverpilot [serverpilot.io], and my curiosity lies in the fact that without ssh key the server can't be accessed then how the user serverpilot is accessing the server with password and without sshkey which is not shared with serverpilot.

Google Cloud server (GCE), custom image, SSH login issue

I'm playing with Google Compute Engine(GCE) as I'm planning to migrate the cloud service provider from Rackspace(reason: GCE has good upgrade plans with best discount price).
I have few issues with GCE and one of them is Ubuntu os/image not supported by default. But there is an alternate method to run any linux distro in GCE, which is called Building an image from scratch for uploading custom images and creating instances(servers) from uploaded image.
I could able to create and run the instances from the Ubuntu image I uploaded to GCE following the link hagikuratakeshi.hatenablog.com. This is simply running ubuntu in general. I didn't face any problem but google's gcutil tool prompts for ssh passphrase and adds the key in GCE meta data but accepts only password logins(then why it prompts for passphrase).
I want to strictly follow Building an image from scratch as recommended by google. But after following all the steps, I could not able to login to my server instance via SSH. I guess this happens when I install Google Compute Engine image packages: google-startup-scripts_1.1.2-1_all.deb, google-compute-daemon_1.1.2-1_all.deb & python-gcimagebundle_1.1.2-1_all.deb. These packages/scripts make some changes to the instance at the startup and also to SSH configuration which are Strongly recommended. Once I strictly follow the link or once I install these packages I could not able to establish SSH connection once the instance is rebooted. The error message similar to the one below is shown while trying to connect:
test#machine1:~$ gcutil --service_version="v1" --project="mypro-555" ssh --zone="asia-east1-a" "server-instance-1"
INFO: Running command line: ssh o UserKnownHostsFile=/dev/null -o CheckHostIP=no -o StrictHostKeyChecking=no -i /home/test/.ssh/google_compute_engine -A -p 22 test#101.167.xxx.xxx -
ssh: connect to host 101.167.xxx.xxx port 22: Connection refused
NOTE: The user account test is available and common on both local and GCE server!.
My main problem is SSH connection when I strictly follow the steps. If I upload the fresh image and then follow the recommended steps connecting SSH, I could not do SSH again once I restart the instance (or) if I setup everything in the uploaded image before uploading, the created instance will be running but I could not able to connect atleast ones and the error is same.
Anybody using GCE with your custom image?, are you allowed to connected even after following the recommended settings?. Anyone already fixed this SSH issue?. Please post your comments!
EDIT 1
I could not figure out from the logs and here is the output of gcutil getserialportoutput server-instance-1.
The key here is that your ssh client says "connection refused". This indicates that there is indeed a machine at that IP address, but it's not accepting SSH connections. There are a few possible explanations:
The ssh daemon isn't running, or is listening on the wrong interface
Your instance is configured with a firewall that's denying SSH traffic
The GCE firewall rule to allow SSH traffic has been removed

Server Refuses SSH key

I purchased shared hosting from Vexxhost.I wanted to host my Rails application with them.I was given cpanel details.I generated SSH keys using the cPanel and converted it to .ppk format.Next, i downloaded the key.But when i try SSH login using Putty, i get the message Server Refused Our Key.Then i'm prompted for the password.When i enter password, message is displayed: Shell access is not available for your account.Contact support.I did contact support, but no reply.Am I doing any mistake in the procedure?
I haven't used cpanel to generate ssh keys, usually I do it at the ubuntu console. Is it possible that the ppk conversion has encoding issues? or it not done right?
Do you have access to a linux box? It would be simpler to test it there.
I have configured a server myself with ssh access, and if user does not have ssh access they are presented with user/pass. So it appears that your ssh credentials are denied, but your password is recognized as accurate. Authentication is happening.
About the issue of shell support. It could be that they enable shell support only if you connect with valid ssh credentials - in which case, you need to contact support.
Or, your account does not have ssh access, and you still need to contact support.
hope it helps

Tunneling to an internal corporate SSH server behind a gateway

I am trying to do the following. I have an internal ssh server at work (e.g. internal#192.168.1.13). This server is behind a gateway (external#gateway.work.com).
I would like to ssh to internal#internal-ssh.work.com from my home machine. To do so, I have been first doing ssh to log into the external gateway, and then from there I will log into the internal machine. the account names on the two systems are different.
I was wondering if this can be done in one step through some type of SSH tunneling. I have tried a few approaches that adapt what I see in different places, but keep getting error messages.
You can use
ssh -t external#gateway.work.com ssh internal#192.168.1.13
and you will need to either have public key crypto set up, or enter your external password, then your internal password.