I'm learning Ansible, in a setup document : http://docs.ansible.com/intro_getting_started.html
It says if I don't want to enter password every time, I can do :
$ ssh-agent bash
$ ssh-add ~/.ssh/id_rsa
I did it, but how come I still have to enter password every time ?
Then it says "you may wish to use Ansible’s --private-key option", but I can't find any document on that. Whay's that for and how to do it ?
I'm not sure about Ansible, but I know a bit about how ssh keys work
When you generate a new SSH key with the ssh-keygen command (which by default goes to the ~/.ssh/id_rsa file), it asks you to put in a passphrase(password)
Whenever you use that key, it will ask you for that passphrase.
If you create a new key with
$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/user/.ssh/id_rsa): /home/YOUR_USERNAME/.ssh/id_rsa_nopass
Enter passphrase (empty for no passphrase): [just press enter, don't type anything]
Enter same passphrase again: [just press enter again]
This will create both an id_rsa_nopass private key file, and an id_rsa_nopass.pub public key file in the directory you chose (/home/user/.ssh)
You should then be able to use the following command, assuming ansible is set up to use your ssh keys correctly
$ ssh-add ~/.ssh/id_rsa_nopass
NOTE: Using an ssh key without a passphrase can be dangerous, as anybody can access your device and connect without knowing your password. If you don't mind this, then a no-passphrase ssh key is a good way to avoid typing a password everyone
edit: Just looked into Ansible a bit, it's basic setup is just to run a command on an ssh server, right?
In which case, you may need to add your public key to whichever server you are connecting to, this can usually be done via the command
ssh-copy-id -i /path/to/your/public/key/file yourname#yourserver.com -p your_server's_ssh_port
For example, to authorize the id_rsa_nopass key from earlier to the account foobar on the server example.org, with ssh port 10022 you would do
ssh-copy-id -i ~/.ssh/id_rsa_nopass.pub foobar#example.org -p 10022
This will prompt you for the password to foobar#example.org, upon filling in the password it will authorize that public key to connect to that server, and since id_rsa_nopass has no passphrase, you should now be able to connect without any password prompt
Related
I'm trying to create an ansible and I want an ssh key specific for the ansible that requires no passphrase (for automation pourposes). Here's what I've done:
> ssh-keygen -t ed25519 -C "ansible"
Generating public/private ed25519 key pair.
Enter file in which to save the key (C:\Users\user_name/.ssh/id_ed25519): C:\Users\user_name/.ssh/ansible
At the following:
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
I left them empty and just pressed enter and
the public/private key files get created.
I copied the public key to the VM I want to connect to and made sure it's there by looking inside the
~/.ssh/authorized_keys
But when I try connecting to the VM, with the ansible specific ssh key I just created (which doesn't require a passphrase) it asks me for the password...
ssh -i C:\Users\user_name/.ssh/ansible ip_addr
user_name#ip_addr's password:
Now, I believe the password is asking for it's the one of the VM itself, not the ssh key, but I was expecting to ssh inside without having to enter any sort of password. What am I missing?
The host machine is Windows 10, the VM has Ubuntu 20.04
I'm using Yubikey 5 NFC and want to move my openssh key into it so that I can authenticate for ssh login via this Yubikey.
Maybe you will suggest to generate a new gpg keypair for Yubikey and use the gpg-agent instead of ssh-agent to authenticate. But I still want to move my current ssh private key into Yubikey because this way I don't have to edit authorized_keys everywhere.
I tried to do this following this article:
https://www.mvps.net/docs/how-to-add-your-existing-ssh-key-to-yubikey-via-openpgp/
which suggest to use pem2openpgp from monkeysphere to translate my ssh key into gpg key and somehow write this translated gpg key into Yubikey (via keytocard command of gpg).
But after all these done. I find that the fingerprint of my ssh key is changed, this is confirmed by following command:
$ ssh-keygen -lf ~/.ssh/id_rsa.pub
$ ssh-add -l
And the fact that the fingerprint changed makes using my current ssh key meaningless -- I still need to edit authorized_keys everywhere to make the "new public key" work.
So is there any other way which can write my old ssh key into Yubikey and keep the old key's fingerprint?
My problem is that one user forgot his ssh passphrase for key, so i had to generate new one and install it on all environments.
Here's the thing: I have created key without any passphrase and copied it to all servers (single key pair on all servers) so every server has the same id_rsa key and id_rsa.pub key added to authorized_keys. And the problem is I still can't login to these servers.
output:
user#server1:~$ ssh user#server2
Enter passphrase for key '/home/user/.ssh/id_rsa': <empty>
Permission denied (publickey).
user#server1:~$
I have no idea what may cause the problem. I have generated those keys twice, tried to use ssh-add command to be sure that system can see those keys but nothing helped.
Do you have any idea how to solve this problem?
Remove ".ssh" forlder in every user folder (e.g. /home/user1), then try to generate new keys again. ".ssh" folder is hidden by default, press CTRL + H to showing the hidden file and folders.
Also, you can ssh to a system as password-less :
ssh-keygen
ssh-copy-id user#host
After the key is copied, ssh into the machine is password-less :
ssh user#host
After change your key, type:
ssh-add
And to verify, type:
ssh-add -l
And verify with md5sum your id_rsa.pub in your host and authorized_keys on the server.
I'm following the ssh github tutorial, and I'm confused about the difference between ssh-add and ssh-agent. The tutorial seems to imply that I will need to enter a password every time I want to use my ssh key, and to stop that, I need to give the key somehow to the ssh agent. However, I am not prompted to enter a password until I run the command ssh-add, and according to the man page
ssh-add adds RSA or DSA identities to the authentication agent, ssh-agent(1).
If the point of an agent is to not have to use a password, why is the agent asking me to create a password?
Here's the code I'm running and my understanding of ssh-add:
ssh-keygen -t rsa -C "your_email#example.com"
# Creates a new ssh key, using the provided email as a label
# Generating public/private rsa key pair. Public key is like a padlock, private key is like a padlock key.
# Enter file in which to save the key (/Users/you/.ssh/id_rsa): [Press enter]
#This is like taking the padlock and they key together and sticking them in a box.
#-------------------------------
ssh-add id_rsa
#ssh-add is like sticking your key in a safe. Instead of putting your keys on a hook in your house, where anyone can pick it up, you put your key in a safe protected by a password.
Enter passphrase (empty for no passphrase): [Type a passphrase]
Enter same passphrase again: [Type passphrase again]
#The safe now has a password.
What is the relationship between ssh-add and ssh-agent? Am I right in assuming the following:
that doing an SSH keygen without an add is sort of like leaving your keys out in your apartment, where anyone you let into your apartment can pick them up, make a copy, and get to all of your stuff?
Doing an SSH keygen with an add is like sticking your keys in a safe with a combination, so that even if you let somebody into your apartment, they still can't get to all of your keys?
That ssh-add is an action taken by a program called ssh-agent?
Assume that you have several Linux machines to manage and you setup ssh login by creating a public private key pair issuing ssh-keygen -t rsa. Assume that you didnt set a passphrase while creating your keys. Now you will copy your public key to all the machines where you want to login by issuing ssh-copy-id -i ~/.ssh/id_rsa.pub user#somehost. Now, with your keys, you will be able to login to all the machines where you copied your keys.
Since you didnt create a passphrase, anyone who gets your private key can login to all the machines where your public key is added. Assume you let your machine to be used by some of your friends and one of him is evil-minded. To prevent this, you set a passphrase to your private key. So whenever you login using your key, you will be prompted for the passphrase and so only you(who knows the passphrase) can login.
But it becomes cumbersome to type the passphrase whenever you login to other machines. So you can give your passphrase to ssh-agent once and it will use it whenever required. You use ssh-add to give your keys to ssh-agent. You can always check what all keys your ssh-agent is managing by issuing ssh-add -l.
I have two servers called: "eps" and "dev". On server dev I have added the public key of eps to the authorized_keys file. I have then restarted SSH service on the dev server to ensure it picks up the new public key I added to the authorized_keys file.
However when I then try and ssh into "dev" from "eps", I'm prompted for passphrase for a key. the exact prompt is: Enter passphrase for key '/home/webmaster/.ssh/id_rsa':
Why is this happening? I thought it should just log me into the dev server right away.
When creating the SSH key using ssh-keygen you are prompted for a password to secure the private key. Therefore for SSH to use the key the password has to be entered to unlock the private key locally, which is why you are seeing the "Enter passphrase for key". This is not the same as the password to authenticate the user on the SSH server.
In order to have a password-less login you need to create a keyfile with ssh-keygen which has an empty password.