BitBucket: Authentication failed - ssh

I followed this link: https://confluence.atlassian.com/bitbucket/add-an-ssh-key-to-an-account-302811853.html
I generated a public key and I pasted the file ~/.ssh/id_rsa.pub to SSH Keys in BitBucket.
However, I still get the error:
Host key verification failed.
fatal: Could not read from remote repository.
Please make sure you have the correct access rights

Host key verification failed. fatal: Could not read from remote repository.
This is not about client authentication, but server authenticity. You need to verify that the server you are connecting to is really Bitbucket. This is explained in this article.
The easiest way to resolve the problem is to paste the server public key below into ~/.ssh/known_hosts:
bitbucket.org,104.192.143.1 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAubiN81eDcafrgMeLzaFPsw2kNvEcqTKl/VqLat/MaB33pZy0y3rJZtnqwR2qOOvbwKZYKiEO1O6VqNEBxKvJJelCq0dTXWT5pbO2gDXC6h6QDXCaHo6pOHGPUy+YBaGQRGuSusMEASYiWunYN0vCAI8QaXnWMXNMdFP3jHAJH0eDsoiGnLPBlBp4TNm6rYI74nMzgz3B9IikW4WVK+dc8KZJZWYjAuORU3jc1c/NPskD2ASinf8v3xnfXeukU0sJ5N6m5E8VLjObPEO+mN2t/FZTMZLiFqPWc/ALSqnMnnhwrNi2rbfg/rd/IpL8Le3pSBne8+seeFVBoGqzHM9yXw==

Related

Unable to git clone bitbucket over ssh

I've created public and private keys, and added the public key to the Bitbucket repository.
This private/public key pair is available in the .ssh folder of the user account I hope to clone to.
Attempting to clone with SSH produces a connection refused:
This led me to believe that either the Bitbucket project/server is not configured for ssh, or maybe this is a firewall/port issue for my company's network. However, port 7999 and port 22 are open.

This led me to investigate other means of cloning with ssh, but over http as described here (just in case if port 22 or 7999 was blocked): https://support.atlassian.com/bitbucket-cloud/docs/troubleshoot-ssh-issues/
To do this I modified my ssh config as follows:
Doing this allowed me to at least establish a connection with bitbucket, but it acts as if the request was bad:
This led me to believe that maybe I signed the cert incorrectly so I attempted a flavor of this: https://unix.stackexchange.com/questions/503851/how-to-generate-a-certificate-file-which-to-be-used-with-ssh-config
To add the certificatefile provided in the ssh config. It sounded like I would need to add that public key of the private key used to sign the user key (that generated the certificate). However, I won't have access to the private key for the cert available on the bitbucket server.
Separately, I was able to grab the public cert from altssh.bitbucket.di2e.net:443 and I did try using this, but still got a bad request... This probably doesn't make sense to use since this is in PEM format, but I figured it was worth a try.. 
 
openssl s_client -connect altssh.bitbucket.di2e.net:443 < /dev/null | sed -ne '/-BEGIN CERTIFICATE/,/END CERTIFICATE/p' > public.crt
 
I'm wondering if I've incorrectly signed the user key with the cert key, but would like advice on best steps to do this.
Thanks!
Come to find out the bitbucket proxy server I was trying to connect to was not configured to handle altssh.bitbucket.di2e.net which caused the connection over :443 to get dropped.
Root of the issue was a combination of corporate firewall blocking 7999 to external (wasn't blocked internally), as well as /etc/ssh/sshd_config on the remote machine I was attempting to clone to not being configured to AllowAgentForwarding

Zabbix public key authorization in ssh agent discovery rule

I am using Zabbix 4.0.
Trying to make a discovery rule for another remote linux server with SSH agent.
It asks for a private key file and a public key file. I understand it asks for the private key file.
I put the private key file for the remote server into the Zabbix server's .ssh directory.
But why does Zabbix also want us to enter a public key file? The private key file should be enough to connect to the remote server.
It is probably the public key of the server (aka hostkey), that is needed to verify that Zabbix is connecting to the legitimate server.

Smartcvs error: Authentication Failed, You could not get authenticated by the CVS-server

I am trying to connect from a windows computer to a ubuntu linux server, It is about cvs, I want to do a checkout. I use smartcvs 7.1.9.
I get this error when I try to connect to the server: (Project > Checkout > Next)
Authentication Failed: You could not get authenticated by the
CVS-server. Details: I/O-Exception: Failed to negotiate a transport
component [diffie-hellman-group-exchange-sha1]
[diffie-hellman-group14-sha1]
Any ideas what I can do?
This is a cvs server issue.
SmartCVS uses the diffie-hellman key exchange method for authentication which is known to have security issues. Therefore it has been disabled by default in current standard openssh(d) server configurations.
If you know what you are doing and don't care about the security implications, just add the following lines to sshd_config:
starts here
KexAlgorithms diffie-hellman-group1-sha1,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,blowfish-cbc,aes128-cbc,3des-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
ends here
If you're on linux.. recreate the keys and restart the opensshd service:
dpkg-reconfigure openssh-server
/etc/init.d/ssh restart
Regards
Erwin

Host key verification failed - amazon EC2

I am working with win 7 and git bash as well as an amazon EC2 instance. I tried to log into my instance:
$ ssh -i f:mykey.pem ubuntu@ec2-52-10-**-**.us-west-2.compute.amazonaws.com
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ECDSA key sent by the remote host is
71:00:d7:d8:a------------------26.
Please contact your system administrator.
Add correct host key in /m/.ssh/known_hosts to get rid of this message.
Offending ECDSA key in /m/.ssh/known_hosts:27
ECDSA host key for ec2-52-10-**-**.us-west-2.compute.amazonaws.com has changed and you have requested strict checking.
Host key verification failed.
Logging in like this has worked fine in the past, but this problem started after I rebooted my EC2 instance. How can I get this working again?
edit:
$ ssh -i f:tproxy.pem ubuntu@ec2-52-10-**-**.us-west-2.compute.amazonaws.com
ssh: connect to host ec2-52-10-**-**.us-west-2.compute.amazonaws.com port 22: Bad file number
tried again:
The authenticity of host 'ec2-52-10-**-**.us-west-2.compute.amazonaws.com (52.10.**-**)' can't be
established.
ECDSA key fingerprint is d6:c4:88:-----------fd:65.
Are you sure you want to continue connecting (yes/no)? y
Please type 'yes' or 'no': yes
Warning: Permanently added 'ec2-52-10-**-**.us-west-2.compute.amazonaws.com,52.10.**-**' (ECDSA) to the list of known hosts.
Permission denied (publickey).
what should I do now?
The hostname has a new ssh key, so ssh tells you something has changed.
The hint is here:
Offending ECDSA key in /m/.ssh/known_hosts:27
If you're sure the server on the other side is authentic, you should delete line 27 in /m/.ssh/known_hosts.
This error says that something has been changed since your last login to this server and that the server you try to ssh to, might not be the server you think it is.
One thing to be aware of...
When you create an EC2 instance, no fixed IP is assigned to this instance.
When you start this instance, it will get a (dynamic) IP number and a DNS name which will be based on that IP.
If you shut down the instance and start it again a few hours later, it might get a new IP and a new DNS name.
If you are still trying to access the old DNS name/IP, you are actually trying to access a server that might not belong to you.
This will end with the same error message as you had.
(It can happen because you pointed a DNS entry to the old IP, or you are using scripts that try to access the old DNS name/IP, or you are just repeating the ssh command from your history...)
If this is the case, the solution is to use Elastic IP.
You can assign Elastic IP to your server, and this will force it to keep its IP address between reboots.
Elastic IP is free while your (attached) server is up.
But it will cost you some minor fees when the attached server is down.
This is done to make sure you are not "reserving" an IP while not using/needing it.
In BeanStalk environment, the issue is that it refers to the key from known_hosts for the respective IP. But it has changed. So using the same key would not work.
Removing the key for the IP from ~/.ssh/known_hosts and then connecting by ssh would work.
(Basically, when the entry is not there in ~/.ssh/known_hosts it will create a new one, and thus resolve the conflict)
Type the following command to set the permissions. Replace ~/mykeypair.pem with the location and file name of your key pair private key file.
chmod 400 ~/mykeypair.pem
In your case mykeypair.pem is tproxy.pem
I was facing the same issue and after making pem file private it was fixed.
Here is some more information on SSH Key Permissions

Add ssh verified fingerprint to known hosts

I'm using Chef and trying to add an SSH fingerprint to the known_hosts file of a particular service user account so that I can pull in repos via git. My script is failing because the host verification failed. I do not want to skip verification. I'd like chef to install the fingerprint into the known hosts file.
Requirements:
Do not disable verification
Do not skip verification
Do not add duplicate entries to the known_hosts file (make it idempotent for chef)
Don't use DNS. SSH can use DNS for verification, but this isn't overly secure and it's not enabled by default for installs.
Make it easy to change later, don't pre-compile the hashed line for known_hosts, the input should be an ssh key's fingerprint.
Any thoughts on how to accomplish this? I've been looking at ssh-keyscan and ssh-keygen. There are search functions and remove functions, but no method to add a key, so it seems.
Use the ssh cookbook from the supermarket. https://supermarket.chef.io/cookbooks/ssh
It has an LWRP that makes adding the keys very easy.
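
The Bitbucket answer above pastes a host key into known_hosts, and the Chef question asks for an idempotent way to add a key starting from a verified fingerprint. The following is an added example, not code from the original posts or from the Chef ssh cookbook: it appends a scanned key (for instance one line of `ssh-keyscan` output) only when its SHA256 fingerprint matches a value obtained out of band. The function names, `git.example.test` and the sample key are assumptions constructed for illustration.

```python
import base64
import hashlib
import struct
import tempfile
from pathlib import Path


def fingerprint(key_b64: str) -> str:
    """SHA256 fingerprint in the form ssh-keygen -l prints (unpadded base64)."""
    blob = base64.b64decode(key_b64, validate=True)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def pin_host_key(known_hosts, scanned_line: str, expected_fp: str) -> bool:
    """Append 'host keytype key' to known_hosts only when the key's fingerprint
    equals expected_fp. Returns True if the file changed, False if already pinned."""
    fields = scanned_line.split()
    if len(fields) < 3:
        raise ValueError("expected 'host keytype base64key'")
    host, keytype, key_b64 = fields[:3]
    actual = fingerprint(key_b64)
    if actual != expected_fp:
        # Never write an unverified key: a mismatch may mean interception.
        raise ValueError(f"fingerprint mismatch for {host}: got {actual}")
    path = Path(known_hosts)
    text = path.read_text() if path.exists() else ""
    for parts in (line.split() for line in text.splitlines()):
        # Plain (unhashed) entries only; HashKnownHosts lines are not matched.
        if len(parts) >= 3 and host in parts[0].split(",") and parts[1:3] == [keytype, key_b64]:
            return False
    sep = "" if not text or text.endswith("\n") else "\n"
    with path.open("a") as fh:
        fh.write(f"{sep}{host} {keytype} {key_b64}\n")
    return True


def sample_line(host: str, raw_key: bytes) -> str:
    """Constructed ssh-ed25519 entry for the demo (not a real server's key)."""
    name = b"ssh-ed25519"
    blob = struct.pack(">I", len(name)) + name + struct.pack(">I", len(raw_key)) + raw_key
    return f"{host} ssh-ed25519 {base64.b64encode(blob).decode()}"


if __name__ == "__main__":
    kh = Path(tempfile.mkdtemp()) / "known_hosts"
    line = sample_line("git.example.test", bytes(range(32)))
    trusted_fp = fingerprint(line.split()[2])  # stands in for the published value
    print(pin_host_key(kh, line, trusted_fp))  # first run writes the entry
    print(pin_host_key(kh, line, trusted_fp))  # second run is a no-op
```

In real use `expected_fp` comes from the provider's published fingerprint, never from the same scan that produced the key.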