glassfish4 create-node-ssh failed due to ssh key exchange not finished - ssh

I'm trying to create a node on a remote host (I've already created a domain).
I'm running the command:
asadmin -p <port_number> create-node-ssh --nodehost <remote_hostname> --installdir <glassfish_installed_dir_path> <node_name>
and getting the following error every time:
remote failure: Warning: some parameters appear to be invalid.
SSH node not created. To force creation of the node with these parameters rerun the command using the --force option.
Could not connect to host <hostname> using SSH.
There was a problem while connecting to <hostname>:22
Key exchange was not finished, connection is closed.
Command create-node-ssh failed.
From the error it seems that there is some connection problem. But I can ssh to the target server and I'm using the same key_pair.
After searching for some solution (link1, link2) I found that trying to login through ssh without password could solve this.
But no luck. Now I can ssh to & from the target server without password as well. But this issue is still there.
What should I check for, in order to resolve this?
Let me know if I'm missing out anything.

Can you try to start the sshd daemon in debug mode on a different port on the remote node host:
sudo sshd -D -d -e -p 23
and try the create-node-ssh command against that ssh port?
asadmin -p <port_number> create-node-ssh --nodehost <remote_hostname> --installdir <glassfish_installed_dir_path> --sshport 23 <node_name>
I had an issue regarding GlassFish ssh key exchange because newer ssh versions deprecate older algorithms:
Unable to negotiate with X.X.X.X port XXXXX: no matching key exchange method found. Their offer: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 [preauth]
My solution was to add legacy keys to /etc/ssh/sshd_config:
KexAlgorithms +diffie-hellman-group1-sha1
Ciphers +aes128-cbc
Even if this is not your case, sshd debug will surely give you more information.
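As an added example (not code from the question or the answer above), this Python helper parses the "Their offer" error quoted in the answer, checks the offered methods against a constructed stand-in for the local `ssh -Q kex` list, and flags the SHA-1 and group1 methods, because the sshd_config change above re-enables a 1024-bit group that OpenSSH disables by default; where the peer also offers a modern method it shows which one a client would pick.

```python
import re

# Constructed stand-in for the local `ssh -Q kex` output of a current OpenSSH
# client; on a real host substitute that command's actual output.
LOCAL_KEX = [
    "sntrup761x25519-sha512@openssh.com",
    "curve25519-sha256",
    "ecdh-sha2-nistp256",
    "diffie-hellman-group-exchange-sha256",
    "diffie-hellman-group16-sha512",
    "diffie-hellman-group14-sha256",
]

# Matches OpenSSH's "no matching <thing> found. Their offer: a,b,c" message.
OFFER_RE = re.compile(
    r"no matching (?P<what>[\w ]+?) found\. Their offer: (?P<offer>[\w@.,-]+)"
)


def is_legacy(name):
    """SHA-1 based methods and the 1024-bit group1 are disabled by default in OpenSSH."""
    return name.endswith("sha1") or "group1-" in name


def negotiate(offered, local=LOCAL_KEX):
    """SSH selects the first entry of the client's list that the peer also offers."""
    for name in local:
        if name in offered:
            return name
    return None


def triage(error_line, local=LOCAL_KEX):
    """Explain a failed negotiation from the error line: offer, possible choice, legacy part."""
    m = OFFER_RE.search(error_line)
    if m is None:
        return None
    offered = m.group("offer").split(",")
    return {
        "what": m.group("what"),
        "offered": offered,
        "chosen": negotiate(offered, local),
        "legacy": [a for a in offered if is_legacy(a)],
    }
```

When `chosen` is `None` and `legacy` equals `offered`, the peer speaks only deprecated methods; upgrading or reconfiguring that side is the durable fix, and re-adding a legacy method on the other side is the fallback.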

Related

Gitlab CI/CD using ssh / knownhosts error

I'm trying to use gitlab CI/CD to auto deploy my code after a push on a specific branch (in my case the 'staging' branch).
After a push on the 'staging' branch I see the following error in the jobs section of the gitlab UI:
Running with gitlab-runner 15.0.0 (xxxxxx)
on deploy xxxxxx
Preparing the "ssh" executor
00:36
Using SSH executor...
ERROR: Preparation failed: ssh command Connect() error: ssh Dial() error: ssh: handshake failed: knownhosts: key is unknown
I can see gitlab from my VM and gitlab-runner registered successfully before.
I've also created an ssh key and added it in the gitlab-runner installation steps.
You need to check what SSH URL is used in your case.
Something like git@gitlab.com:me/myProject would look for the gitlab.com SSH host key fingerprints in an ~/.ssh/known_hosts file.
Make sure to first add the following to ~/.ssh/known_hosts on the gitlab-runner server:
gitlab.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAfuCHKVTjquxvt6CM6tdG4SLp1Btn/nOeHHE5UOzRdf
gitlab.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCsj2bNKTBSpIYDEGk9KxsGh3mySTRgMtXL583qmBpzeQ+jqCMRgBqB98u3z++J1sKlXHWfM9dyhSevkMwSbhoR8XIq/U0tCNyokEi/ueaBMCvbcTHhO7FcwzY92WK4Yt0aGROY5qX2UKSeOvuP4D6TPqKF1onrSzH9bx9XUf2lEdWT/ia1NEKjunUqu1xOB/StKDHMoX4/OKyIzuS0q/T1zOATthvasJFoPrAjkohTyaDUz2LN5JoH839hViyEG82yB+MjcFV5MU3N1l1QL3cVUCh93xSaua1N85qivl+siMkPGbO5xR/En4iEY6K2XPASUEMaieWVNTRCtJ4S8H+9
gitlab.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFSMqzJeV9rUzU4kWitGjeR4PWSa29SPqJ1fVkhtj3Hw9xjLVXVYrU9QlYWrOLXBpQ6KWjbjTDTdDkoohFzgbEY=
That will skip manual fingerprint confirmation in SSH.
In other words, no more "knownhosts: key is unknown".
Note that with GitLab 15.3 (August 2022), you will have an easier time finding those:
New links to SSH fingerprints
Your GitLab SSH fingerprints are now easier to find, thanks to new links on the SSH configuration page and in the documentation.
Thank you Andreas Deicha for your contribution!
See Documentation and Issue.
For people who still encounter this issue: in our case the cause was a difference between the host name in the known_hosts file and the one in the toml file. They must be both fully qualified or both non-qualified.
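An added example (not from the answer or the comment above) of how ssh decides whether a known_hosts line names a host, which is why the short and fully qualified names in the comment above do not match each other: it handles plain entries, the `[host]:port` form for non-standard ports, and the hashed `|1|salt|mac` form that `HashKnownHosts` writes. The host names and key strings are constructed placeholders.

```python
import base64
import hashlib
import hmac

# Constructed known_hosts content (the key material is placeholder text, not real
# keys): an FQDN entry and a non-standard-port entry; a hashed entry is appended below.
SAMPLE_KNOWN_HOSTS = (
    "gitlab.example.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEY0\n"
    "[gitlab.example.com]:2222 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEY1\n"
)

def host_pattern(host, port=22):
    """The string ssh looks up: bare host for port 22, [host]:port otherwise."""
    host = host.lower()  # ssh lowercases the host name before matching
    return host if port == 22 else f"[{host}]:{port}"

def hashed_entry(host, salt, port=22):
    """Build the |1|salt|mac pattern written by HashKnownHosts (HMAC-SHA1 keyed with salt)."""
    mac = hmac.new(salt, host_pattern(host, port).encode(), hashlib.sha1).digest()
    return f"|1|{base64.b64encode(salt).decode()}|{base64.b64encode(mac).decode()}"

# Hashed line for a constructed runner host called build-box.
HASHED_LINE = hashed_entry("build-box", b"constructed-salt") + " ssh-rsa AAAAB3PLACEHOLDERKEY2\n"
SAMPLE = SAMPLE_KNOWN_HOSTS + HASHED_LINE

def pattern_matches(pattern, target):
    """Exact or hashed comparison; wildcard and negated patterns are not handled here."""
    if pattern.startswith("|1|"):
        _, _, salt_b64, mac_b64 = pattern.split("|", 3)
        salt = base64.b64decode(salt_b64)
        mac = hmac.new(salt, target.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(mac, base64.b64decode(mac_b64))
    return pattern.lower() == target

def known_hosts_covers(host, known_hosts, port=22):
    """True if some line of known_hosts names host (so ssh will not call it unknown)."""
    target = host_pattern(host, port)
    for line in known_hosts.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if fields[0].startswith("@"):  # @cert-authority / @revoked marker precedes the host
            fields = fields[1:]
        if any(pattern_matches(p, target) for p in fields[0].split(",")):
            return True
    return False
```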

How to clone gitlab repo over tor using ssh?

Error message
After having added the ssh key of a user of a GitLab server and repository that is hosted over tor, a test was performed that tried to clone a private repository (to which the testing user is added) over tor. The cloning was attempted with command:
torsocks git clone git@some_onion_domain.onion:root/test.git
Which returns error:
Cloning into 'test'...
1620581859 ERROR torsocks[50856]: Connection refused to Tor SOCKS (in socks5_recv_connect_reply() at socks5.c:543)
ssh: connect to host some_onion_domain.onion port 22: Connection refused
fatal: Could not read from remote repository.
Please make sure you have the correct access rights
and the repository exists.
GitLab SSH Cloning Verification
However, to verify the ssh access is available to the test user, the cloning was verified without tor using command:
git clone git@127.0.0.1:root/test.git
Which successfully returned:
Cloning into 'test'...
remote: Enumerating objects: 3, done.
remote: Counting objects: 100% (3/3), done.
remote: Total 3 (delta 0), reused 0 (delta 0), pack-reused 0
Receiving objects: 100% (3/3), done.
Server side hypothesis
My first guess is that it is a server-side issue that has to do with the lack of https, in the following setting in the /etc/gitlab/gitlab.rb file:
external_url 'http://127.0.0.1'
However, setting external_url 'https://127.0.0.1' requires an https certificate, e.g. from Let's Encrypt, which seems not to be provided for onion domains.
Client-side hypothesis
My second guess would be that it is a client-side issue related to some SOCKS setting being incorrect on the test user side that runs the torsocks command, similar to an issue w.r.t. the SOCKS 5 protocol that seems to be described here.
Question
Hence I would like to ask:
How can I resolve the connect to host some_onion_domain.onion port 22: Connection refused error when users try to clone the repo over tor?
One can set the ssh port of the GitLab instance to 9001, e.g. with:
sudo docker run --detach \
--hostname gitlab.example.com \
--publish 443:443 --publish 80:80 --publish 22:9001 \
--name gitlab \
--restart always \
--volume $GITLAB_HOME/config:/etc/gitlab \
--volume $GITLAB_HOME/logs:/var/log/gitlab \
--volume $GITLAB_HOME/data:/var/opt/gitlab \
gitlab/gitlab-ee:latest
Next, add port 9001 and port 22 to the ssh configuration in /etc/ssh/sshd_config by adding:
Port 9001
Port 22
then restart the ssh service with: systemctl restart ssh.
It is essential that one adds a public ssh key to the GitLab server for each computer you want to download the repo from, even if one wants to clone a public repository. You can make a new GitLab account for each computer, or add multiple public ssh keys to a single GitLab account. These instructions explain how to do that, tl;dr
ssh-keygen -t ed25519
<enter>
<enter>
<enter>
systemctl restart ssh
xclip -sel clip < ~/.ssh/id_ed25519.pub
Ps. if xclip does not work, one can manually copy the ssh key with: cat ~/.ssh/id_ed25519.pub.
Then open a browser and go to https://gitlab.com/-/profile/keys so for your own tor GitLab server that would be: someoniondomain.onion/-/profile/keys, and copy paste that key in there.
That is it, now one can clone the repository over tor with:
torify -p 22 git clone ssh://git@someoniondomain.onion:9001/root/public.git
Note
As a side note, in the question I happened to have tested git clone git@127.0.0.1:root/test.git; however, instead of using 127.0.0.1 I should have used either the output of hostname -I or the public ip address of the device that hosts the GitLab server. Furthermore, I should have verified whether the GitLab server was accessible through ssh by testing:
ssh -T git@youronionserver.onion
Which should return Congratulations... It would not have done so if I had tested that, indicating the problem was in the ssh access to the GitLab server (or the ssh connection to the device). I could have determined whether the ssh problem was with the device or the ssh server by testing if I could log into the device with: ssh deviceusername@device_ip, which would have been successful, indicating the ssh problem was at the GitLab server.

kex_exchange_identification: Connection closed by remote host

I've wanted to connect to my shared hosting with ssh. So I generated an ssh key in the ssh action of cpanel and authorized it. Then I've downloaded the private key and dropped it in the .ssh folder of my MacBook. I've used this command to connect to my host:
ssh -p 2083 username@host_IP
but I got this error:
kex_exchange_identification: Connection closed by remote host
How can I solve my problem?
I ran into a similar case with a small computer I have on my desk. What I did to debug the issue was to run sshd -t, which runs the sshd daemon in debug mode. This command reported that the permissions of my keys were invalid. All I had to do then was to go into the folder where the keys are stored and issue chmod 0600 <your_ssh_keys>.
Maybe the action you run generated things with the wrong permissions too.
I got this error when using docker command with remote host
docker -H ssh://user@server compose up
After some digging I found this in the auth logs (/var/log/auth.log) on my remote server:
Aug 8 14:51:46 user sshd[1341]: error: beginning MaxStartups throttling
Aug 8 14:51:46 user sshd[1341]: drop connection #10 from [some_ip]:32992 on [some_ip]:22 past MaxStartups
This led me to change the MaxStartups setting in /etc/ssh/sshd_config. After restarting the ssh service everything worked like a charm.
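An added example (not from the answer above) for reading the two auth.log lines the answer quotes: it counts MaxStartups drops per source address over a constructed log excerpt, parses the `MaxStartups start:rate:full` directive from sshd_config, and reproduces the integer formula sshd uses to decide the drop chance once `start` unauthenticated connections are pending. The log lines and addresses are constructed; only the `start:rate:full` form of the directive is parsed.

```python
import re
from collections import Counter

# Constructed auth.log excerpt in the format of the lines quoted above (documentation-range addresses).
SAMPLE_AUTH_LOG = """\
Aug  8 14:51:46 host sshd[1341]: error: beginning MaxStartups throttling
Aug  8 14:51:46 host sshd[1341]: drop connection #10 from [192.0.2.10]:32992 on [198.51.100.5]:22 past MaxStartups
Aug  8 14:51:46 host sshd[1341]: drop connection #11 from [192.0.2.10]:32994 on [198.51.100.5]:22 past MaxStartups
Aug  8 14:51:47 host sshd[1341]: drop connection #12 from [203.0.113.7]:40100 on [198.51.100.5]:22 past MaxStartups
Aug  8 14:51:50 host sshd[1360]: Accepted publickey for deploy from 192.0.2.10 port 33010 ssh2: ED25519 SHA256:PLACEHOLDER
"""

DROP_RE = re.compile(
    r"sshd\[\d+\]: drop connection #(?P<n>\d+) from \[(?P<src>[^\]]+)\]:\d+ "
    r"on \[(?P<dst>[^\]]+)\]:(?P<dport>\d+) past MaxStartups"
)
THROTTLE_RE = re.compile(r"sshd\[\d+\]: (?:error: )?beginning MaxStartups throttling")

def parse_max_startups(sshd_config):
    """Return (start, rate, full) from sshd_config text; OpenSSH's default is 10:30:100."""
    start, rate, full = 10, 30, 100
    for line in sshd_config.splitlines():
        fields = line.split()
        if len(fields) == 2 and fields[0].lower() == "maxstartups":
            nums = [int(x) for x in fields[1].split(":")]
            if len(nums) == 3:  # only the start:rate:full form is handled here
                start, rate, full = nums
    return start, rate, full

def drop_probability(pending, start, rate, full):
    """Percent chance sshd refuses a new connection with `pending` unauthenticated ones open."""
    # Mirrors sshd's integer arithmetic: 0 below start, rate% at start, 100% at full.
    if pending < start:
        return 0
    if rate == 100 or pending >= full:
        return 100
    return rate + (100 - rate) * (pending - start) // (full - start)

def summarize_drops(auth_log):
    """Count MaxStartups drops per source address and note whether throttling began."""
    per_source = Counter()
    throttled = False
    for line in auth_log.splitlines():
        if THROTTLE_RE.search(line):
            throttled = True
        m = DROP_RE.search(line)
        if m:
            per_source[m.group("src")] += 1
    return {"throttled": throttled, "drops": dict(per_source), "total": sum(per_source.values())}
```

Many drops from one address that also authenticates successfully points at a client opening connections in parallel (as `docker compose` over ssh does); drops from addresses that never authenticate are what a brute-force or scan looks like in the same log, and raising MaxStartups alone does not address that case.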

How to double ssh with vscode

To ssh into a remote station I do the following:
ssh -L 4001:connect.iop.kcl.ac.uk:4000 username1@cana.host.institution
I'm then asked for a password which I enter, and I then do:
ssh -YX username2@otherserver.other.institution
and am asked for another password, after which I am where I want to be.
I want to set this up in VS Code using the Remote-SSH extension but am running into difficulty.
When I try to add the first step (ssh -L 4001:connect.iop.kcl.ac.uk:4000 username1@cana.host.institution), my config file looks as follows:
Host cana.iop.kcl.ac.uk
HostName cana.iop.kcl.ac.uk
LocalForward 4001:connect.iop.kcl.ac.uk:4000
User dmzromc
But when I try and connect I get the following error:
[16:23:45.992] Log Level: 3
[16:23:45.993] remote-ssh#0.49.0
[16:23:45.994] darwin x64
[16:23:45.995] SSH Resolver called for "ssh-remote+cana.host.institution", attempt 1
[16:23:45.995] SSH Resolver called for host: cana.host.institution
[16:23:45.995] Setting up SSH remote "cana.host.institution"
[16:23:46.020] Using commit id "78a4c91400152c0f27ba4d363eb56d2835f9903a" and quality "stable" for server
[16:23:46.023] Install and start server if needed
[16:23:46.031] Checking ssh with "ssh -V"
[16:23:46.071] > OpenSSH_7.9p1, LibreSSL 2.7.3
[16:23:46.075] Running script with connection command: ssh -T -D 55893 -o ConnectTimeout=15 cana.iop.kcl.ac.uk bash
[16:23:46.364] > /Users/user1/.ssh/config line 15: Missing target argument.
[16:23:46.364] Got some output, clearing connection timeout
[16:23:46.835] "install" terminal command done
[16:23:46.835] Install terminal quit with output: /Users/user1/.ssh/config line 15: Missing target argument.
[16:23:46.836] Received install output: /Users/user1/.ssh/config line 15: Missing target argument.
[16:23:46.837] Stopped parsing output early. Remaining text: /Users/user1/.ssh/config line 15: Missing target argument.
[16:23:46.837] Failed to parse remote port from server output
[16:23:46.838] Resolver error:
[16:23:46.842] ------
Any advice much appreciated
I had the same issue when forwarding a database port and fixed it by manually editing my ssh config as follows:
BEFORE (using the problematic config that VSCode auto-generates)
Host mysshhost
HostName mysshhost
LocalForward 5432:mydatabaseservername:5432
User myuserid
AFTER (works for me)
Host mysshhost
HostName mysshhost
LocalForward localhost:5432 mydatabaseservername:5432
User myuserid
So in your case, the config should look something like:
Host cana.iop.kcl.ac.uk
HostName cana.iop.kcl.ac.uk
LocalForward localhost:4001 connect.iop.kcl.ac.uk:4000
User dmzromc
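An added check, not part of the answer above: this Python linter parses LocalForward lines the way ssh does (a listen spec, then a separate host:hostport target), reports the one-argument form from the question with the same "Missing target argument" wording seen in the log, and suggests the two-argument form the answer arrives at. Unix-socket and IPv6-literal forwards are outside its scope (my assumption for brevity).

```python
def check_local_forward(line):
    """Validate one ssh_config LocalForward line; return the forward or an 'error' key."""
    fields = line.split()
    if len(fields) < 2 or fields[0].lower() != "localforward":
        return {"error": "not a LocalForward line"}
    args = fields[1:]
    if len(args) < 2:
        # Exactly the failure in the log above: one argument, no target after it.
        hint = None
        parts = args[0].rsplit(":", 2)  # "-L" style port:host:hostport pasted as one token
        if len(parts) == 3:
            hint = f"LocalForward localhost:{parts[0]} {parts[1]}:{parts[2]}"
        return {"error": "Missing target argument", "suggest": hint}
    listen, target = args[0], args[1]
    bind, _, port = listen.rpartition(":")  # optional bind_address before the port
    host, _, hostport = target.rpartition(":")
    if not port.isdigit() or not host or not hostport.isdigit():
        return {"error": f"bad forwarding specification: {listen} {target}"}
    # No bind address means loopback unless GatewayPorts is enabled.
    return {"bind": bind or "localhost", "port": int(port), "host": host, "hostport": int(hostport)}

def lint_config(text):
    """Report (line number, message) for every LocalForward line ssh would reject."""
    problems = []
    for n, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if fields and fields[0].lower() == "localforward":
            result = check_local_forward(line)
            if "error" in result:
                problems.append((n, result["error"]))
    return problems
```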

Unable to eb ssh. Return error message ERROR: An error occurred while running: ssh

I keep running into this problem after setting up a key pair with eb ssh --setup numerous times. How can I connect to ssh? I am using windows git.
$ eb ssh name-env
The authenticity of host '54.210.133.152 (54.210.133.152)' can't be established.
ECDSA key fingerprint is SHA256:JxdKl8dJXMsfF1EkPRBnOH4hT7Zw6PtfRuRJ7xNu0ao.
Are you sure you want to continue connecting (yes/no)?
Host key verification failed.
INFO: Attempting to open port 22.
INFO: SSH port 22 open.
INFO: Running ssh -i C:\Users\dav\.ssh\aws-eb ec2-user@54.210.133.142
ERROR: An error occurred while running: ssh.
Assuming your public keys are already associated with your EC2 instance, you will also need to make sure your private key has the proper permissions (mode) of 600.
Note: In a *nix environment you would run a chmod 600 /path/to/.ssh/private-key-file but I'm not sure how that translates to file permissions in a Windows environment.