install key using ssh-copy-id through forwarded ssh-agent - ssh

So I'm using ssh-agent on my host and we use vagrant, virtualbox and other normal tools to set up our environment. At one point, we need to provision new machines (we build appliances) and push our key into that appliance. So far, we had been unprotecting our keys and just copying our id_rsa(.pub)? onto the virtual machine. It suited us!
Recently, I started using ssh-agent on my main machine to host my keys with a password (much better, obviously), but from time to time I seem to have problems running ssh-copy-id to copy my id to the appliance.
Most of the time, I have to just copy my protected key files to the VM and then it works, but I'm sure I was able at one point to leave the virtual machine clean of any ssh keys and still use ssh-copy-id to copy my ssh-agent-provided identity through to the VM. It doesn't seem to be working half of the time.
Am I crazy? What could be the root cause of this? How do I solve this problem to ensure that my SSH-protected id is forwarded only from my local agent into the VM and into any other appliance properly?

Related

authentication without private key

My goal is to eliminate the private-key authentication.
I have an Android application in which I connect to my Google Cloud virtual instance and run a couple of scripts. Now, I have the private key on the phone for testing purposes, so I can connect to Google Cloud and do what I wrote. My question is:
How could I eliminate the private key, thus making the connection less secure but easier to test on more phones?
My final goal is to send an email to an email address and have this run the scripts on the Google Cloud virtual instance. Is this possible?
Thanks
You will need to edit the ssh configuration file and set PubkeyAuthentication to no in /etc/ssh/sshd_config.
Then you need to restart the ssh server in order to load the new configuration. For Ubuntu: sudo service ssh restart; for CentOS: sudo service sshd restart.

Connecting to a cloned EC2 instance

I'm trying to clone an EC2 instance so that I can test some things. I created an AMI and launched an instance, and it seems to be running OK. However, I cannot connect to it with ssh or PuTTY.
My live instance, which I'm making the copy of, has various users who can all log in happily with their private key. But they cannot log in with the exact same credentials to the cloned instance. I just get:
Disconnected: No supported authentication methods available (server sent: publickey)
Is there more to do than to just change the IP address from the live instance to the cloned instance?
I also cannot connect to the ec2-user login, using the private key I created during launch. One slight quirk of my live server is that I had to change the AuthorizedKeysFile setting in /etc/ssh/sshd_config in order to deal with some SFTP problems I was having. Is this likely to have messed up the connection for a cloned server? Surely all the settings are identical?
The answer was to do with the AuthorizedKeysFile setting after all. I undid the edit I made in /etc/ssh/sshd_config, took another snapshot, made another AMI, launched another instance and all was well. I didn't even need to restart the sshd service, so this didn't mess up my configuration on my live server.
I'm not entirely sure why this caused a problem, but the lesson here is that EC2 needs the AuthorizedKeysFile to be set to the default location or I guess it doesn't know where to look for the public key.

SSH chaining using PHPSeclib (ssh machine 1, machine 1->machine2, interact)

We've brought up this topic before, but curious if anyone has any new information on this issue.
We use multiple servers that are accessed behind a "management server", so when we SSH in we have to log in there first, then from there log into our destination machine so always at least 2 SSH connections. We currently use port forwarding on the management server by using : which will take us directly through to the server of interest behind the scenes so we think we're directly ssh'ing into each one.
The issue here is that it requires specific setup, and in a scalable environment where servers can be added/removed the maintenance is cumbersome. Ideally we'd just be able to ssh into multiple machines using phpseclib and run commands.
Has anyone run into this, or have advice on a solution from the scripting level? Basically we need to SSH chain: ssh into machine 1, then machine 2 from machine 1, and run commands/interact with machine 2.
require_once('Net/SSH2.php'); // phpseclib 1.x must be on the include path
$ssh = new Net_SSH2('machine1');
if (!$ssh->login('user', 'pass')) {
    exit('Login to machine1 failed');
}
$ssh->setTimeout(10);   // read() returns after 10 seconds of silence
$ssh->enablePTY();      // interactive session: exec() returns at once, output comes via read()
$ssh->exec('ssh machine2');
echo $ssh->read();      // should now show the prompt of machine2
At this point (assuming that you're using RSA authentication and that your private key is in your ~/.ssh/id_rsa file on machine 1) the prompt that you get back should be that of machine 2.
You could connect to a machine3 as well by doing this:
require_once('Net/SSH2.php'); // phpseclib 1.x must be on the include path
$ssh = new Net_SSH2('machine1');
if (!$ssh->login('user', 'pass')) {
    exit('Login to machine1 failed');
}
$ssh->setTimeout(10);
$ssh->enablePTY();
$ssh->exec('ssh machine2');
echo $ssh->read();
// exec() may only be called once per PTY session, so the next hop is typed
// into the shell that is already open on machine2
$ssh->write("ssh machine3\n");
echo $ssh->read();

how to make amazon EC2 instances authenticate each other automatically?

I am using the AWS Java SDK to launch EC2 instances (running Ubuntu 12.04) and run a distributed tool on them. The tool uses Open MPI for message passing between the nodes, and Open MPI uses SSH to connect nodes with each other.
The problem is that the EC2 instances don't authenticate each other for SSH connections by default. This tutorial shows how to set up SSH by generating keys and adding them to nodes. However, when I tried to add the generated key to the slaves using the command
$ scp /home/mpiuser/.ssh/id_dsa.pub mpiuser@slave1:.ssh/authorized_keys
I still got permission denied. Also, after generating new keys, I was not able to log in using the ".pem" key that I got from Amazon.
I am not experienced with SSH keys, but I would like to have some way of configuring each EC2 instance (when it is first created) to authenticate the others, for example by copying a key into each of them. Is this possible, and how could it be done?
P.S.: I can connect to each instance once it is launched and can execute any commands on them over SSH.
I found the solution: I added the Amazon private key (.pem) to the image (AMI) that I use to create the EC2 instances, and I changed the /etc/ssh/ssh_config file by adding a new identity file:
IdentityFile /path/to/the/key/file
This made SSH recognize the .pem private key when it tries to connect to any other EC2 instance created with the same key.
I also changed StrictHostKeyChecking to no, which stopped the message "authenticity of host xxx can't be established", which requires user interaction to proceed with connecting to that host.
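Both the first question (pushing an agent-held identity into a fresh appliance with ssh-copy-id) and this one (letting each node accept the others) come down to the same step on the receiving side: appending public keys to ~/.ssh/authorized_keys without duplicates and with the modes sshd requires. The following Python script is an added example of that step, not code from either question or from ssh-copy-id itself; it takes the public lines that `ssh-add -L` prints (so only public material leaves the agent, no .pem has to be shipped), and the sample keys it builds are constructed placeholders, not real keys.

```python
"""What ssh-copy-id does on the far side: merge public keys into authorized_keys, one
entry per distinct key (type + base64 blob, comment ignored), with the modes sshd requires."""
import base64
import os
from pathlib import Path

def parse_pubkey(line):
    """(keytype, blob) for one OpenSSH public-key line, or None if malformed; leading
    options (from=..., no-pty, ...) are skipped and the blob must embed its declared type."""
    fields = line.split()
    for i, tok in enumerate(fields[:-1]):
        if tok.startswith(("ssh-", "ecdsa-", "sk-")):
            try:
                raw = base64.b64decode(fields[i + 1], validate=True)
            except ValueError:  # binascii.Error is a ValueError
                return None
            n = int.from_bytes(raw[:4], "big")
            return (tok, fields[i + 1]) if raw[4:4 + n] == tok.encode() else None
    return None

def merge_authorized_keys(existing_text, new_lines):
    """Return (merged_text, number_added); existing lines, comments and blanks are kept."""
    out = existing_text.splitlines()
    have = {k for k in map(parse_pubkey, out) if k}
    added = 0
    for line in new_lines:
        key = parse_pubkey(line)
        if key and key not in have:  # skip malformed and already-authorized keys
            have.add(key)
            out.append(line.strip())
            added += 1
    return ("\n".join(out) + "\n" if out else ""), added

def install_keys(path, new_lines):
    """Merge into an on-disk authorized_keys; sshd refuses modes looser than 0700/0600."""
    path = Path(path)
    path.parent.mkdir(mode=0o700, parents=True, exist_ok=True)
    os.chmod(path.parent, 0o700)
    merged, added = merge_authorized_keys(path.read_text() if path.exists() else "", new_lines)
    path.write_text(merged)
    os.chmod(path, 0o600)
    return added

def constructed_pubkey(keytype, payload, comment="agent-identity@laptop"):
    """CONSTRUCTED test data shaped like one `ssh-add -L` line; not a real key."""
    s = lambda b: len(b).to_bytes(4, "big") + b
    blob = base64.b64encode(s(keytype.encode()) + s(payload)).decode()
    return "%s %s %s" % (keytype, blob, comment)
```

On the appliance, `install_keys(Path.home() / ".ssh" / "authorized_keys", lines)` with `lines` captured from `ssh-add -L` on the laptop gives the same result as a successful ssh-copy-id run, and running it twice adds nothing.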

Can't ssh into Amazon AWS from Office CentOS

I have Windows and am using Cygwin.
I have an Amazon Ubuntu instance that I can log in to just fine from my system using
ssh -i keyfile username@AmazonHost
However, when I ssh to a CentOS server I have at my office and try to SSH to the Amazon instance from there using the same command, I always get a public key error. I have copied my keyfile over and set permissions with chmod 400, just like I did on my Cygwin client. Also, on the CentOS server I verified I can access the Amazon instance over port 22 (telnet AmazonHost 22).
Is there some other configuration on the CentOS or office firewall that needs to be done to allow me to connect to Amazon?
If you get a public key error on one machine and not the other, then the two secret keys are different, even though you think they are the same. (Unless one machine's ssh client is totally broken.)
The file might have been corrupted in transit, but since one of the machines is Windows (though with Cygwin) and the other is Linux, my guess is that something went wrong with line endings when the key was copied from one to the other. The keys are usually encoded as text (that's how Amazon's console does it), and are fairly immune to line ending changes, but this seems to be a possible cause.
How did you transfer the file from one machine to the other? If you can adjust it, try the transfer once in binary mode and once in text mode, to see if either works. Also, just look at the files on each machine in a text editor. Do they look the same?
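One way to test the hypothesis in this answer: an added Python diagnostic (not from the question or the answer) that inspects the raw bytes of a private-key file for CRLF line endings, a UTF-8 BOM, a lost final newline, mismatched PEM markers and non-base64 body lines, and repairs the transit damage so the two copies can be compared. The sample key it contains is a constructed placeholder, not real key material.

```python
"""Diagnose a private-key file that authenticates on one host but not on another:
the damage that happens in transit (CRLF line endings, a UTF-8 BOM, a lost final
newline, a truncated or spliced PEM, stray text inside the body)."""
import base64
import re

_BEGIN = re.compile(rb"-----BEGIN ([A-Z0-9 ]+) PRIVATE KEY-----")
_END = re.compile(rb"-----END ([A-Z0-9 ]+) PRIVATE KEY-----")

def diagnose_key_bytes(data):
    """Return a list of problems found in the raw bytes of a key file (empty = looks clean)."""
    problems = []
    if data.startswith(b"\xef\xbb\xbf"):
        problems.append("UTF-8 BOM at start of file (editor artifact)")
        data = data[3:]
    if b"\r" in data:
        problems.append("CR bytes present: CRLF (Windows) line endings")
    if data and not data.endswith(b"\n"):
        problems.append("missing final newline")
    lines = [l.strip() for l in data.replace(b"\r", b"").split(b"\n") if l.strip()]
    if not lines:
        return problems + ["file is empty"]
    begin, end = _BEGIN.fullmatch(lines[0]), _END.fullmatch(lines[-1])
    if not begin or not end:
        problems.append("BEGIN/END PRIVATE KEY markers missing or not on their own lines")
    elif begin.group(1) != end.group(1):
        problems.append("BEGIN and END labels differ: truncated or spliced file")
    for l in lines[1:-1]:
        if b":" in l:  # legacy encrypted PEM headers (Proc-Type:, DEK-Info:) are allowed
            continue
        if not re.fullmatch(rb"[A-Za-z0-9+/=]+", l):
            problems.append("non-base64 body line: %r" % l[:20])
            break
    return problems

def normalize_key_bytes(data):
    """Undo the transit damage diagnose_key_bytes reports; key material itself is untouched."""
    if data.startswith(b"\xef\xbb\xbf"):
        data = data[3:]
    data = data.replace(b"\r\n", b"\n").replace(b"\r", b"\n")
    return data if data.endswith(b"\n") else data + b"\n"

# CONSTRUCTED sample: PEM framing around a placeholder body, not real key material
GOOD_KEY = (b"-----BEGIN OPENSSH PRIVATE KEY-----\n"
            + base64.b64encode(b"constructed placeholder, not a real key") + b"\n"
            + b"-----END OPENSSH PRIVATE KEY-----\n")
```

Run diagnose_key_bytes on the bytes of the keyfile on both the Cygwin and the CentOS side; if only the CentOS copy reports CR bytes, the transfer rewrote the line endings and normalize_key_bytes gives back a file that compares equal to the original.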