Failure to authenticate SSH keys - ssh-keys

I'm in the process of setting up a virtual server via Amazon AWS. I followed their tutorial regarding setting up a Linux-based virtual server on OS X. Everything goes well until I get to the .ssh key pair file. I download AWS's key as a .pem file. It saves as a .pem.txt file, which seems odd from what I'm reading. So, I duplicate it and change the extension to .pem only.
Then I go to copy the file from Downloads to the ~/.ssh folder and get no problems using cp ~/Downloads/FileName.pem ~/.ssh. When I try to use chmod 400 to adjust the security parameters of the folder, it returns "Not a directory". When I try to authenticate, it fails. I suspect it has something to do with the chmod 400 line, but I'm not certain. I also wanted to verify that the file copied into the .ssh folder, but all of the suggestions online about unhiding the hidden folders on a Mac were a no-go.
It is a Linux setup, so the user name is the one listed in the tutorial (I already researched this problem). I double-checked to see if there was a .ssh file and there seems to be. When I type ssh in the terminal I do get feedback, so I'm assuming there is a file there.

Create a .ssh folder in your home folder, if one is not present. Then copy the PEM file to that folder. Then change the permissions of the PEM file to protect it. Something like this:
mkdir -p ~/.ssh
cp fred.pem.txt ~/.ssh/fred.pem
chmod 400 ~/.ssh/fred.pem

Related

transfer file to remote via cmd

I've searched enough on Google and on this site, but I can't find any answer to my problem. I simply want to transfer a file from my local Windows machine to a remote Ubuntu server.
This is the command I tried:
scp C:/Users/myself/Documents/personal/gd_bundle-g2-g1.crt bitnami@11.123.12.123:/etc/ssl/certs
I get this error:
Permission Denied (Publickey)
Obviously because I didn't specify the key file, and I don't know where to specify it. So please guide me on how I can transfer a file to the remote server with the public key specified.
Thanks
edit:
scp -i C:\Users\myself\Documents\personal\ppk\myfile.ppk bitnami@11.123.12.123:/C:/Users/myself/Documents/personal/gd_bundle-g2-g1.crt /etc/ssl/certs
Getting error: wrong format
You need to create an ssh key pair, a public and private key. There are many sites that explain how to do it, usually you run ssh-keygen, such as specified here.
The private key is "id_rsa" and the public key is "id_rsa.pub". On the remote machine you need to place the contents of id_rsa.pub at the end of the $HOME/.ssh/authorized_keys file. If you don't have an authorized_keys file then create one by copying id_rsa.pub there. You will need to use other means than scp to get it there.
Additionally your $HOME/.ssh directory on both machines needs to have good permissions, this is "chmod 700 .ssh" on a unix machine.

Store a private key outside of ~/.ssh

I have to deal with a rather annoying situation. I must transfer a file via shell script using scp from one server to another. The problem is that I do not have root access on either of them. I'm not allowed to install any packages like, sshpass, ssh2, expect etc. I don't even have write permission in the home directory of the user I have to use on the second server.
Since I can't use sshpass etc. to enable my script to enter the login credentials, I thought about using an ssh key pair for auth. Actually that was my first thought, but since the user on the second server doesn't have write permissions in its home directory but only in a subdirectory, ssh-keygen fails as it can't put the keys in ~/.ssh.
Both are Debian servers btw.
Is there any way to generate an ssh key pair and use it outside of ~/.ssh?
Any help is greatly appreciated.
On the client side, yes. However, on the server side, unless configured differently, sshd will expect your credentials in that directory.
If you can scp from the server where you can't access .ssh to the one where you can, you can use the -i option to specify the key file location.
Do you have an alternative transport mechanism? Can you put the file in your public_html and wget it on the other side?
You can have the key pairs anywhere. What is key is that the permissions are set correctly on the key pair. The ownership needs to be set to the user (chown user:user keyfile) and the permissions must be chmod 400 keyfile.
Once you have your key moved and permissions set, all that's left is to tell scp which key to use. You can do this by using the -i flag (options go before the source and target arguments).
i.e.: scp -i keyfile /source/file user@host:/target/location/
Edit:
As Amadan alluded to in his answer - this assumes the server you're connecting to already has the key as an authorized key on the user. If not it would require an /etc/ssh/sshd_config change that only someone with the right access can do. It might be worth trying a cat /etc/ssh/sshd_config on the server if your user has access to it at all right now. If you have read access you'll be able to discern the expected authorized_keys location. It's possible the server admin has already customized the expected key location to something you have write access to.

cwrsync permissions on private key

I installed cwRsync 5.3.0 on Windows 8, and I want to set up password-less SSH. I ran ssh-keygen to create the keys, and copied the public key to the remote box. But when I try to SSH, I get this:
C:\>ssh myuser@myhost
###########################################################
# WARNING: UNPROTECTED PRIVATE KEY FILE! #
###########################################################
Permissions 0660 for '/cygdrive/c/Users/myuser/.ssh/id_dsa' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
bad permissions: ignore key: /cygdrive/c/Users/myuser/.ssh/id_dsa
How can I change the file's permissions, so cwRsync won't see it as being group-readable? I tried removing the Windows permission inheritance from it, and removing access by anyone but my user. But that seems to have no effect.
I just ran into the same scenario where I installed cwRsync and didn't have access to chmod via Cygwin or otherwise. I was able to fix this using rsync.exe itself:
Add rsync.exe to your %PATH% if it isn't already there:
PATH=%PATH%;c:\path\to\cwrsync\bin
Change to the folder that your SSH private key is located:
cd c:\users\myuser\.ssh\
Use rsync to perform a local copy of your SSH private key using the chmod switch (700=u+rwx,g=,o=):
rsync --chmod=700 id_dsa id_dsa.bak
Ensure that the rsync command ran successfully by typing each file to ensure the content is the same:
type id_dsa
type id_dsa.bak
Overwrite the original SSH private key with the .bak (which now has the correct permissions):
move id_dsa.bak id_dsa
Test SSH to make sure it is working now:
ssh -i id_dsa myuser@myhost
I've recently run into this issue and phiz's answer didn't work for me. However, Stéphane's solution in comments was helpful and I felt it should be a proper answer rather than a comment.
TLDR: Set Windows permissions on the .ssh folder to full access for yourself and nobody else.
Locate the directory where cwRsync keeps your ssh keys (possibly c:\home\username\.ssh or <path to cwRsync install>\home\username\.ssh). Use the Windows permissions dialog to remove all inherited permissions from this directory, and set full control to your own account only.
(Note that I found it necessary to remove permissions from SYSTEM and Administrators for this to work. It may still work with one or other present, but I removed both at once and found it to work that way.)

SSH 'command not found' when trying to connect to AWS

I'm new to Amazon web services and have managed to set up an instance.
I already have the ssh directory on my machine at: /usr/bin/ssh
I have also downloaded a Pem key file to my machine and have tried to copy my Pem key file into that directory but I cannot navigate to it. When I try:
cd /usr/bin/ssh
I get:
-bash: cd: /usr/bin/ssh: Not a directory
When I just try to type the command:
ssh
I get the following:
BEGIN: command not found
: command not found2: MIIEpAIBAAKCAQEAu6JORnapcVdvAwPm+6LVBA3n8chlGU4nE0g9nyD8zSDWlATJpf1Td35tPrxj
: No such file or directory
can anyone help with this?
I'm on OSX Lion 10.8.4 if that helps!
Your problem appears to be related to configuring the ssh keys. First, some clarifications:
/usr/bin/ssh is not a directory, it is the actual secure shell program. Do not modify it. (If you have already destroyed your ssh installation, you would need to restore the installation: http://support.apple.com/kb/PH10763).
ssh will use a public and a private key (keypair) to authenticate. The private key should be stored locally on your computer, generally in the .ssh folder inside your home directory (~/.ssh)
You may have generated the keypair yourself, or have gotten one generated by AWS.
I will assume your .pem file is the private key portion of the keypair, and that you have downloaded that from AWS after following a procedure along the lines of: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/how-to-have-aws-create-the-key-pair-for-you.html.
In that case, you need to simply:
copy the .pem file into your ~/.ssh directory.
rename it to id_rsa
ensure that you have correctly set permissions for the private key and .ssh directory (ssh is picky), typically 600 for the id_rsa file and 700 for the .ssh directory.
initiate the ssh connection via ssh username@host

WARNING: UNPROTECTED PRIVATE KEY FILE! when trying to SSH into Amazon EC2 Instance

I'm working to set up Panda on an Amazon EC2 instance.
I set up my account and tools last night and had no problem using SSH to interact with my own personal instance, but right now I'm not being allowed permission into Panda's EC2 instance.
Getting Started with Panda
I'm getting the following error:
# WARNING: UNPROTECTED PRIVATE KEY FILE! #
Permissions 0644 for '~/.ec2/id_rsa-gsg-keypair' are too open.
It is recommended that your private key files are NOT accessible by others.
This private key will be ignored.
I've chmoded my keypair to 600 in order to get into my personal instance last night, and experimented at length setting the permissions to 0 and even generating new key strings, but nothing seems to be working.
Any help at all would be a great help!
Hm, it seems as though unless permissions are set to 777 on the directory, the ec2-run-instances script is unable to find my keyfiles.
I've chmoded my keypair to 600 in order to get into my personal instance last night,
And this is the way it is supposed to be.
From the EC2 documentation we have "If you're using OpenSSH (or any reasonably paranoid SSH client) then you'll probably need to set the permissions of this file so that it's only readable by you." The Panda documentation you link to links to Amazon's documentation but really doesn't convey how important it all is.
The idea is that the key pair files are like passwords and need to be protected. So, the ssh client you are using requires that those files be secured and that only your account can read them.
Setting the directory to 700 really should be enough, but 777 is not going to hurt as long as the files are 600.
Any problems you are having are client side, so be sure to include local OS information with any follow up questions!
Make sure that the directory containing the private key files is set to 700
chmod 700 ~/.ec2
To fix this,
you’ll need to reset the permissions back to default:
sudo chmod 600 ~/.ssh/id_rsa
sudo chmod 600 ~/.ssh/id_rsa.pub
If you are getting another error:
Are you sure you want to continue connecting (yes/no)? yes
Failed to add the host to the list of known hosts (/home/geek/.ssh/known_hosts).
This means that the permissions on that file are also set incorrectly, and can be adjusted with this:
sudo chmod 644 ~/.ssh/known_hosts
Finally, you may need to adjust the directory permissions as well:
sudo chmod 755 ~/.ssh
This should get you back up and running.
I also got the same issue, but I fixed it by changing my key file permission to 600.
sudo chmod 600 /path/to/my/key.pem
The private key file should be protected. In my case, I have been using public-key authentication for a long time, and I set the permission to 600 (rw- --- ---) for the private key and 644 (rw- r-- r--) for the public key, and the .ssh folder in the home folder has 700 permissions (rwx --- ---). To set this, go to the user's home folder and run the following commands:
Set the 700 permission for .ssh folder
chmod 700 .ssh
Set the 600 permission for private key file
chmod 600 .ssh/id_rsa
Set 644 permission for public key file
chmod 644 .ssh/id_rsa.pub
Change the File Permission using chmod command
sudo chmod 700 keyfile.pem
On Windows, try using Git Bash and use your Linux commands there. Easy approach:
chmod 400 *****.pem
ssh -i "******.pem" ubuntu@ec2-11-111-111-111.us-east-2.compute.amazonaws.com
Keep your private key, public key and known_hosts in the same directory and try logging in as below (note the lowercase -i):
ssh -i "hi.pem" ec2-user@ec2-**-***-**-***.us-west-2.compute.amazonaws.com
Same directory in the sense,
cd /Users/prince/Desktop.
Now type the ls command
and you should see
**.pem **.ppk known_hosts
Note: You have to try to login from the same directory or you'll get a permission denied error as it can't find the .pem file from your present directory.
If you want to be able to SSH from any directory, you can add the following to you ~/.ssh/config file...
Host your.server
HostName ec2-**-***-**-***.us-west-2.compute.amazonaws.com
User ec2-user
IdentityFile ~/.ec2/id_rsa-gsg-keypair
IdentitiesOnly yes
Now you can SSH to your server regardless of where the directory is by simply typing ssh your.server (or whatever name you place after "Host").
Just to summarize the issue: the pem file's permissions are open for every user on the machine, i.e. anyone can read and write that file.
On Windows it is difficult to do chmod; the way I found was using Git Bash.
I have followed the steps below:
1. Remove user permissions
chmod ugo-rwx abc.pem
2. Add permission only for that user
chmod u+rw abc.pem
3. Run chmod 400
chmod 400 abc.pem
4. Now try ssh -i for your instance
If you are on a Windows machine, just copy the .pem file into any folder on the C drive and re-run the command.
ssh -i /path/to/keyfile.pem user@some-host
In my case, I put that file in downloads and this actually works.
Or follow this https://99robots.com/how-to-fix-permission-error-ssh-amazon-ec2-instance/
I am thinking about something else: if you are trying to log in with a different username that doesn't exist, this is the message you will get.
So I assume you may be trying to ssh with ec2-user, but I recall that recently most CentOS AMIs, for example, are using the centos user instead of ec2-user.
So if you are running
ssh -i file.pem centos@public_IP, please make sure you are trying to ssh with the right user name; otherwise this may be a strong reason why you see such an error message even with the right permissions on your ~/.ssh/id_rsa or file.pem.
The solution is to make it readable only by the owner of the file, i.e. the last two digits of the octal mode representation should be zero (e.g. mode 0400).
OpenSSH checks this in authfile.c, in a function named sshkey_perm_ok:
	/*
	 * if a key owned by the user is accessed, then we check the
	 * permissions of the file. if the key owned by a different user,
	 * then we don't care.
	 */
	if ((st.st_uid == getuid()) && (st.st_mode & 077) != 0) {
		error("###########################################################");
		error("# WARNING: UNPROTECTED PRIVATE KEY FILE! #");
		error("###########################################################");
		error("Permissions 0%3.3o for '%s' are too open.",
		    (u_int)st.st_mode & 0777, filename);
		error("It is required that your private key files are NOT accessible by others.");
		error("This private key will be ignored.");
		return SSH_ERR_KEY_BAD_PERMISSIONS;
	}
See the first line after the comment: it does a "bitwise and" against the mode of the file, selecting all bits in the last two octal digits (since 07 is octal for 0b111, where each bit stands for r/w/x, respectively).
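The permission test performed by the authfile.c excerpt quoted above, together with the mkdir/cp/chmod fix given in the first answer on this page, re-implemented in Python as an added example; it is not code from OpenSSH or from any answer in this thread. The `uid` parameter, the `harden_key` and `dir_perm_ok` helpers, and the placeholder key contents are this example's own assumptions (a real OpenSSH client consults getuid() only); it shows why 0644 is rejected, why 0600 and 0400 both pass, and that a key owned by a different user is not checked at all.

```python
import os
import stat
import tempfile

# Same mask as the `st.st_mode & 077` test in sshkey_perm_ok: the group (070)
# and other (007) rwx bits. Any of them set means someone besides the owner
# can read, write or execute the key file.
PERM_MASK = 0o077

# Constructed placeholder contents; not a real key, only here so there is a file to stat().
FAKE_KEY = (
    "-----BEGIN OPENSSH PRIVATE KEY-----\n"
    "placeholder-not-a-real-key\n"
    "-----END OPENSSH PRIVATE KEY-----\n"
)


def key_perm_ok(path, uid=None):
    """Mirror sshkey_perm_ok(): return (ok, message) for a private key file.

    `uid` is an assumed parameter (OpenSSH uses getuid() directly); passing a
    different uid exercises the "key owned by a different user" branch, which
    OpenSSH deliberately does not check.
    """
    st = os.stat(path)
    if uid is None:
        uid = os.getuid()
    mode = stat.S_IMODE(st.st_mode)
    if st.st_uid == uid and (mode & PERM_MASK) != 0:
        # Same wording and 0%3.3o formatting as the error quoted in the thread.
        return False, "Permissions 0%03o for '%s' are too open." % (mode, path)
    return True, "ok"


def harden_key(path):
    """Clear group/other bits but keep the owner's bits (0644 -> 0600, 0755 -> 0700).

    Returns the resulting mode so the caller verifies it instead of assuming.
    """
    mode = stat.S_IMODE(os.stat(path).st_mode)
    os.chmod(path, mode & ~PERM_MASK)
    return stat.S_IMODE(os.stat(path).st_mode)


def dir_perm_ok(path):
    """The ~/.ssh directory should likewise carry no group/other bits (0700)."""
    st = os.stat(path)
    return stat.S_ISDIR(st.st_mode) and (stat.S_IMODE(st.st_mode) & PERM_MASK) == 0


def demo():
    """Reproduce the thread's failure and fix on a constructed key; returns the observations."""
    results = {}
    with tempfile.TemporaryDirectory() as d:  # created with mode 0700, like a well-set ~/.ssh
        key = os.path.join(d, "id_rsa")
        with open(key, "w") as f:
            f.write(FAKE_KEY)
        os.chmod(key, 0o644)  # the mode from the error message in the question
        ok, msg = key_perm_ok(key)
        results["open_ok"] = ok  # False: 0644 & 0077 == 0044, so others can read it
        results["open_msg"] = msg
        # The same file judged as if it belonged to another user: not checked, so accepted.
        results["other_owner_ok"] = key_perm_ok(key, uid=os.getuid() + 1)[0]
        results["hardened_mode"] = harden_key(key)  # 0o600
        results["after_ok"] = key_perm_ok(key)[0]   # True
        os.chmod(key, 0o400)  # the chmod 400 several answers recommend is accepted as well
        results["readonly_ok"] = key_perm_ok(key)[0]
        results["dir_ok"] = dir_perm_ok(d)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        shown = oct(value) if isinstance(value, int) and not isinstance(value, bool) else value
        print(name, shown)
```

Run it directly to watch a 0644 key be rejected and then accepted after the owner-only fix; the owner check is why copying a key into a shared directory owned by someone else can silently skip the warning, which is one more reason to keep keys under your own ~/.ssh.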
sudo chmod 700 ~/.ssh
sudo chmod 600 ~/.ssh/id_rsa
sudo chmod 600 ~/.ssh/id_rsa.pub
The above 3 commands should solve the problem!
Just a note for anyone who stumbles upon this:
If you are trying to SSH with a key that has been shared with you, for example:
ssh -i /path/to/keyfile.pem user@some-host
Where keyfile.pem is the private/public key shared with you and you're using it to connect, make sure you save it into ~/.ssh/ and chmod 777.
Trying to use the file when it was saved elsewhere on my machine was giving the OP's error. Not sure if it is directly related.