I have a running coturn instance on Centos-7-x64, if I access it through the browser I can see:
TURN Server
use https connection for the admin session
After examining the documentation, I found this:
Add the admin user(s) to the database, with turnadmin utility. If you added those users, then they will be able to connect to the TURN server ports over HTTPS from your browser and perform admin tasks with the web interface.
So I created an admin user with the following command:
$ sudo bin/turnadmin -A -u username -p password
And I can see that user listed when running:
turnadmin -L
However, when I try to connect to https://my.ip.adrss:3478 I can't see the promised admin.
What am I missing here?
You need to configure TLS. For this, you can start the server with the following flags (taken from documentation)
--cert Certificate file, PEM format. Same file
search rules applied as for the configuration
file. If both --no-tls and --no-dtls options
are specified, then this parameter is not needed.
Default value is turn_server_cert.pem.
--pkey Private key file, PEM format. Same file
search rules applied as for the configuration
file. If both --no-tls and --no-dtls options
are specified, then this parameter is not needed.
Default value is turn_server_pkey.pem.
You'll need to specify the path to each file. You can find the file with find / -name turn_server_*.pem -type f, if you want to use the ones that the package comes with. Otherwise, you can point to your own files. I think they are located in /etc/turn_server_cert.pem and /etc/turn_server_pkey.pem
Related
I am writing a test case in Robot Framework where in, I have to either copy the file from the local machine (windows) to the remote server (linux) or create a new one at the location.
I have used multiple sudo su - command to switch users to root user to reach the desired host. As a result of this, I am not able to use Put File Keyword from SSH Library to upload the file. I have reached at the desired folder location by executing the commands with Write keyword.
Since there is no option left (thats what i realize with my limited knowledge on Robot Framework), i started creating a new file with vi <filename> command. I have also reached the INSERT mode of the file, BUT i am not able to edit text into the file.
Can someone please suggest me how can i either
Copy the file from local windows machine to remote linux server AFTER multiple SU commands (Switch User)
Create a new text file and enter the content.
Please See : the new file which is being created / copied is a certificate file. Hence i do not wish to write the entire content of the certificate in my test suite file
The entire test case looks something like this
First Jump1
Log Starting the connection to AWS VM
# Connection to VM with Public Key
Connection To VM ${hostname} ${username}
Send Command sudo su -
Send Command su - <ServiceUser1>
# Reached the Detination server
Send Command whoami
Send Command ss -tln | grep 127.0.0.1:40
# Connecting to Particular ZIP
Send Command sudo -u <ServiceUser2> /usr/bin/ssh <ServiceUser2>#localhost -p <port>
Send Command sudo su -
# Check Auth Certificate
Send Command mosquitto_pub -h ${mq_host} -p ${mq_port} -u ${mq_username} -P ${mq_password}
In the step Check Auth Certificate, the certificate is checked to be present or not, if present -> delete the current certificate and create the new one (either create a new file or upload from local) and if it not there create a new certificate
though it might not be ideal, but was able to achieve what i wanted to do with
echo "content" > newFilename
echo "update content" >> newFileName
I have built an MF container image and pushed it. I have copied the file in (Mac) ~/.ssh/id_rsa.pub to mfpf-server/usr/ssh before building the image.
I am trying to connect using the command in Mac terminal:
ssh -i ~/.ssh/id_rsa admin#public_ip
It says:
Permission denied (publickey).
Any idea? What is the user I shall use?
your problem is very probably related to the permissions of the pub key copied on the container or to the configuration of your key.
You could check the permissions of key copied on the container, sshd is really strict on permissions for the authorized_keys files: if authorized_keys is writable for anybody other than the user or can be made writable by anybody other than the user, sshd will refuse to authenticate (unless sshd is configured with StrictModes no)
Moreover such a problem won't be showed using ssh -v, it will showed only on daemon logs (on the container)
From man sshd(8):
~/.ssh/authorized_keys
Lists the public keys (RSA/DSA) that can be used for logging in
as this user. The format of this file is described above. The
content of the file is not highly sensitive, but the recommended
permissions are read/write for the user, and not accessible by
others.
If this file, the ~/.ssh directory, or the user's home directory
are writable by other users, then the file could be modified or
replaced by unauthorized users. In this case, sshd will not
allow it to be used unless the StrictModes option has been set to
“no”.
So I suggest you to check about the files and directories permissions.
Then check that the content of your pub key has been copied correctly on authorized_keys listing
/root/.ssh/authorized_keys
To access the container with the ssh key you need to use the "root" user.
ssh -i ~/.ssh/id_rsa root#<ip address>
I have to deal with a rather annoying situation. I must transfer a file via shell script using scp from one server to another. The problem is that I do not have root access on either of them. I'm not allowed to install any packages like, sshpass, ssh2, expect etc. I don't even have write permission in the home directory of the user I have to use on the second server.
Since I can't use sshpass etc. to enable my script to enter the login credentials, I thought about using an ssh keypair for auth. Actually that was my first thought, but since the user on the second server doesn't have write permissions in its home directory but only in a subsequent directory, ssh-keygen fails as it can't put the keys in ~/.ssh.
Both are Debian servers btw.
Is there any way to generate a ssh keypair and use it outside of ~/.ssh?
Any help is greatly appreciated.
On the clientside yes. However, on serverside, unless configured differently, sshd will expect your credentials in that directory.
If you can scp from the server where you can't access .ssh to the one where you can, you can use -i option to specify the keyfile location.
Do you have an alternative transport mechanism? Can you put the filn your public_html and wget it on the other side?
You can have the keypairs anywhere. What is key is that the permissions are set correctly on the keypair. The ownership needs to be set to the user chown user:user keyfile and the permissions must be chmod 400 keyfile.
Once you have your key moved and permissions set all that's left is to tell scp which key to use. You can do this by using the -i flag.
IE: scp /source/file user#host:/target/location/ -i keyfile
Edit:
As Amadan alluded to in his answer - this assumes the server you're connecting to already has the key as an authorized key on the user. If not it would require an /etc/ssh/sshd_config change that only someone with the right access can do. It might be worth trying a cat /etc/ssh/sshd_config on the server if your user has access to it at all right now. If you have read access you'll be able to discern the expected authorized_keys location. It's possible the server admin has already customized the expected key location to something you have write access to.
hg clone ssh://denis#medsecop.com//var/www/vhosts/medsecop.com/stage/symphony
returns
remote: Permission denied (publickey).
abort: no suitable response from remote hg!
I have the .ppk file but I don't know how to add options to the ssh command above to use (it says "hg clone doesn't take more arguments")
-i /path/to/keys.ppk
I connect to SSH with this:
sudo ssh -v denis#medsecop.com -i /home/denis/Desktop/MedSec/my-openssh-key
Any ideas?
If you tag question with putty tag, I suppose, you use Windows at your side (and some Win-specific details I'll mention later)?
I don't know how to add options to the ssh command above to use
Well, for any ssh-powered repositories you must to define used ssh-client in (global, user- or repository-specific) config file. For key-based authorization you can define private-key file as parameter of used command or use special additional tool (ssh-agent in *Nix or pageant in Win or...)
Sample
Windows-box with Mercurial (TortoiseHG), full Putty, without Cygwin
Key-based authorization for ssh-repositories: Plink + Pageant
Global mercurial.ini part
[ui]
merge = ...
username = ...
ssh = "PATH\TO\TortoisePlink.exe"
Also Pageant is running and (putty-type) private keys for published public keys loaded into it
When I connect to any ssh-repo, authorization happens automagically
Pageant-less version may include
-i KEYFILE option for TortoisePlink at the repository level - in the .hg\hgrc
--load SESSION option for TortoisePlink (same location as above) for using previously created Putty's session, which have all needed authorization predefined
I solved it by adding the public key
ssh-add file.ppk
I have a bunch of remote servers that I regularly connect to via ssh; which I've setup in my ~/.ssh/config file. I was wondering if it was possible to specify a remote path to cd to when I connect to some of these servers?
For example, I may have something like this in my config file:
Host testbox
HostName 192.123.456.789
User root
And when I ssh in to testbox, I'd like to also cd to /var/www/apps/myapp.
I've had a look around but cannot see an option that would do that via the .ssh/config file.
Cheers,
Diego
You can do this with a tool I've open sourced that allows you to SSH and CD – aptly named sshcd. For the example you've given, you'd simply use:
sshcd root#testbox:/var/www/apps/myapp
Hope this helps!
There's an option in the authorized_keys file.
Do a man on sshd, look under the heading "AUTHORIZED_KEYS FILE FORMAT". You can add various options to each authorized key - one is command="command". As the manpage says, "Specifies that the command is executed whenever this key is used for authentication."