I have created a ssh key for my droplet at digital oceans. After few days I have deleted the key from security page and still I am able to ssh using putty with that key. Is it necessary to delete the key from authorized_keys file. If so, then what is the use of adding/deleting ssh keys to droplet on their above mentioned security page?
Question at digital ocean - https://www.digitalocean.com/community/questions/how-to-remove-ssh-keys-for-the-droplet
As the digital tutorial page says
"You can create new DigitalOcean droplets with an SSH key already set up on them by adding your computer’s SSH key to the control panel.".
To setup a ssh key for the droplet it is needed to add your newly created key to the droplet's control panel.
You are able to access the droplet even after you deleted the ssh from security page because now the ssh also resides inside your droplet's ~/.ssh/ folder(remote machine).
To authenticate using SSH keys, a user must have an SSH key pair on their local computer. On the remote server, the public key must be copied to a file within the user's home directory at ~/.ssh/authorized_keys. This file contains a list of public keys, one-per-line, that are authorized to log into this account.
When a client connects to the host, wishing to use SSH key authentication, it will inform the server of this intent and will tell the server which public key to use. The server then check its authorized_keys file for the public key, generate a random string and encrypts it using the public key.
So, it necessary to delete the key from authorized_keys file to stop ssh access to the remote machine.
After the droplet creation security page lists the keys just to show what all ssh keys you used for all your droplets.Deleting them from security page will not prohibit you from accessing your droplet.
Related
I am using Zabbix 4.0.
Trying to make a discovery rule for another remote linux server with SSH agent.
It asks for privatekey file and public key file. I understand it asks for privatekey file.
I put the private key file for remote server into the zabbix server .ssh director.
But why does zabbix also wants us to enter public key file. Privatekey file should be enough
to connect to remote server.
It is probably the public key of the server (aka hostkey), that is needed to verify that Zabbix is connecting to the legitimate server.
Does the remote machine that I will be ssh'ing into require it's own private key to be generated so that I can ssh into it from a local machine.
Yes. It is called Host Key and it needs to exists before you ssh into the machine. It is used to validate the identity of the server and prevent Man in the Middle Attacks.
I want to access to a server (hosted in Lonex) trough SSH (for file handling). For this I use PuTTY. To do so safely, I use Pagent, it needs a public and a private key.
In the server, under the ssh folder in the root directory there are two files:
id_rsa - which has the private key.
id_rsa.pub - which has a public key.
Given this information, if posible, I would like to generate the necessary files for Pagent.
What I have tried:
Using PuTTYgen to import/load a local copy of the file id_rsa. This successfully generated the the .ppk file needed for Pagent. I referred to the .ppk file in connection -> ssh -> auth. In this .ppk file appears the public and the private key. But when I use PuTTY to connect, having the generated .ppk added to Pagent, an alert prompts stating that I do not have the server's host key cached in the registry and then shows the server's rsa key fingerprint, which I know to not be the right one from the one shown in Pagent. The fact that this alert prompts tells me that my Pagrent key is not correct. Am I correct?
Comments:
- Given that the host already has a public/private key pair I believe I should generate a local private key given the same public key from the host. I could not accomplished this (I read about ssh-keygen commands but I did not find out how to get what I wanted done).
- The ISP suggested that everything I need is in this link: http://sourceforge.net/apps/trac/sourceforge/wiki/SSH%20keys#KeyGeneration:PuTTY
I could not find the use to it given that I do not have a form where I should place a public key generated locally by me and also the fact that it does not consider the situation where I already have a public key generated in the host.
- I asked the ISP if it was possible to add a public key generated locally by me to the authorized_keys2 file and they told me no due to the fact that it is a shared hosting.
Your question really boils down to this:
The fact that this alert prompts tells me that my Pagrent key is not
correct. Am I correct?
No; this is not correct. Your agent (Pageant) is likely set up correctly. As you said,
an alert prompts stating that I do not have the server's host key
cached in the registry and then shows the server's rsa key
fingerprint,
That prompt is for the server's host key, not your user's private key. Pageant only caches your user's private key, not the host's public key (or public key fingerprint). Pageant's purpose is to hold your private key so that the server can identify you; the purpose of the prompt that you saw was for PuTTY to allow you to verify that the server that you're connecting to is really the server you meant to connect to (i.e. that you're not connecting to an attacker's machine).
I use dsa key with passphrase to login via ssh into CentOS 6 remote server. Unfortunately I forgot the passphrase.
Is there a way to reset or retrieve passsphrase?
I still do have access to root of remote server through webmin.
no, the keyfile itself does not hold any data that would aid you in breaking/recovering (quite the same) the encryption. if you did not back up the information otherwise, you cannot recover it.
you however simply install a new key.
I set up an ec2 instance. In the security group, I opened up SSH 'tcp' port 80 for 0.0.0.0/0 (all open for testing purposes). I associated the instance with a private key. I downloaded the key and passed it while ssh-ing, but the RSA isn't authenticating. Any ideas?
ssh -i mykey.pem root#mydnsinfo.amazonaws.com
The authenticity of host 'mydns.amazonaws.com(IP)' can't be established.
RSA key finger print is FINGERPRINT
Are you sure you want to continue connecting (yes/no)?
Thank you in advance!!!
This is normal. Your SSH complains about the unknown host key. It always does when connecting to the new host for the first time. Just answer yes, connect and try again.
It should not complain for the second time.
The private key that you downloaded is for your 'root' account not for the whole host.
Securely configured EC2 instances will include the server SSH key fingerprint in the console output that you can access over SSL before you try to connect over SSH. Then when you connect over SSH you need to make sure the fingerprint matches the console. You MUST do this to be able to securely connect to public EC2 instances.
Public EC2 instances generate new server SSH key on each boot. This means that unless you do what I described above, you will be faced with unknown host key warning a lot, and if you ignore that warning you will be throwing security out of the door; you just never know where you will be connecting to.