Host-based ssh authentication failure with Chef - ssh

Using chef-12.1.2-1, all nodes running Centos 7.
I've setup up host based ssh authentication on my nodes and can successfully ssh without passwords between them.
I start up a chef server by doing the following:
/opt/chef/bin/chef-zero -H <ip> -p 8889 -d
and try to bootstrap my nodes using knife bootstrap which takes me to a password prompt:
[root#node]# knife bootstrap <ip> -r <role>
Connecting to <ip>
Failed to authenticate root - trying password auth
Enter your password:
After doing some digging I found that knife uses the Ruby implementation of SSH, using the gem net-ssh-multi. I can't find specifically why this wouldn't work with host based authentication.
Why is it prompting me for a password and not using my host based authentication?

Could you try HostbasedAuthentication as an ssh flag passed into knife?
knife bootstrap <ip> -r <role> -a HostbasedAuthentication

Related

Auto-Type sudo password on CentOS 7.9

I have CentOS 7.9 and a SSH Config file which I use to SSH to the hosts in my network. I use a SSH keypair to SSH to the hosts and upon logging in, I run the sudo su command to become root. It then asks me for my password. Is there any way or any tool I can use so I don't have to type my admin password each time? Thank you in advance

How to clone gitlab repo over tor using ssh?

Error message
After having added the ssh key of a user of a GitLab server and repository that is hosted over tor, a test was performed that tried to clone a private repository (to which the testing user is added) over tor. The cloning was attempted with command:
torsocks git clone git#some_onion_domain.onion:root/test.git
Which returns error:
Cloning into 'test'... 1620581859 ERROR torsocks[50856]: Connection
refused to Tor SOCKS (in socks5_recv_connect_reply() at socks5.c:543)
ssh: connect to host some_onion_domain.onion port 22: Connection
refused fatal: Could not read from remote repository.
Please make sure you have the correct access rights and the repository
exists.
GitLab SSH Cloning Verification
However, to verify the ssh access is available to the test user, the cloning was verified without tor using command:
git clone git#127.0.0.1:root/test.git
Which successfully returned:
Cloning into 'test'... remote: Enumerating objects: 3, done. remote:
Counting objects: 100% (3/3), done. remote: Total 3 (delta 0), reused
0 (delta 0), pack-reused 0 Receiving objects: 100% (3/3), done.
Server side hypothesis
My first guess is that it is a server-side issue that has to do with the lack of https, in following setting in the /etc/gitlab/gitlab.rb file:
external_url 'http://127.0.0.1'​
However setting external_url 'https://127.0.0.1 requires an https certificate, e.g. from Let's encrypt, which seem to not be provided for onion domains.
Client-side hypothesis
My second guess would be that it is a client-side issue related to some SOCKS setting is incorrect at the test user side that runs the torsocks command, similar to an issue w.r.t. the SOCKS 5 protocol that seems to be described here.
Question
Hence I would like to ask:
How can I resolve the connect to host some_onion_domain.onion port 22: Connection refused error when users try to clone the repo over tor?
One can set the ssh port of the GitLab instance to 9001, e.g. with:
sudo docker run --detach \
--hostname gitlab.example.com \
--publish 443:443 --publish 80:80 --publish 22:9001 \
--name gitlab \
--restart always \
--volume $GITLAB_HOME/config:/etc/gitlab \
--volume $GITLAB_HOME/logs:/var/log/gitlab \
--volume $GITLAB_HOME/data:/var/opt/gitlab \
gitlab/gitlab-ee:latest
Next, add port 9001 and port 22 to the ssh configuration in /etc/ssh/sshd_config by adding:
Port 9001
Port 22
then restart the ssh service with: systemctl restart ssh.
It is essential that one adds a public ssh key to the GitLab server for each computer you want to download the repo from, even if one wants to clone a public repository. You can make a new GitLab account for each computer, or add multiple public ssh keys to a single GitLab account. These instructions explain how to do that, tl;dr
ssh-keygen -t ed25519
<enter>
<enter>
<enter>
systemctl restart ssh
xclip -sel clip < ~/.ssh/id_ed25519.pub
Ps. if xclip does not work, one can manually copy the ssh key with: cat ~/.ssh/id_ed25519.pub.
Then open a browser and go to https://gitlab.com/-/profile/keys so for your own tor GitLab server that would be: someoniondomain.onion/-/profile/keys, and copy paste that key in there.
That is it, now one can clone the repository over tor with:
torify -p 22 git clone ssh://git#someoniondomain.onion:9001/root/public.git
Note
As a side note, in the question I happened to have tested git clone git#127.0.0.1:root/test.git however, instead of using 127.0.0.1 I should have used either the output of hostname -I or the public ip address of the device that hosts the GitLab server. Furthermore, I should have verified whether the GitLab server was accessible through ssh by testing:
ssh -T git#youronionserver.onion
Which should return Congratulations... It would not have done so if I had tested that, indicating the problem was in the ssh access to the GitLab server (or the ssh connection to the device). I could have determined whether the ssh problem was with the device or the ssh server by testing if I could log into the device with: ssh deviceusername#device_ip, which would have been successfull indicating, the ssh problem with at the GitLab server.

Breaking agent forwarding in Ansible on Vagrant

Using Ansible to provision Vagrant box, Ansible fails when cloning Git repo: Host key verification failed. fatal: Could not read from remote repository.. Oddly I can clone from Git with no issues when I SSH into the box and run git clone <GIT_URL>. Have set sudo: no in Ansible task but still fails. ssh-agent is running correctly on both host and box.
Host key verification failed.
is not related to the agent forwarding. As noted in the comments, it is related to the known_hosts file.
Before the first connection to the server (github.com), you need to manually verify it's host key, or use similar process as noted in comments, using keyscan:
ssh-keyscan -H github.com >> ~/.ssh/known_hosts
The other (not recommended) possibility is to turn off the host key verification in the ~/.ssh/config:
Host git
StrictHostKeyChecking no
UserKnownHostsFile /dev/null
in the home directory of the user running the git clone.

Connecting to a remote server from local machine via ssh-tunnel

I am running Ansible on my machine. And my machine does not have ssh access to the remote machine. Port 22 connection originating from local machine are blocked by the institute firewall. But I have access to a machine (ssh-tunnel), through which I can login to the remote machine. Now is there a way we can run ansible playbook from local machine on remote hosts.
In a way is it possible to make Ansible/ssh connect to the remote machine, via ssh-tunnel. But not exactly login to ssh-tunnel. The connection will pass through the tunnel.
Other way is I can install ansible on ssh-tunnel, but that is not the desired and run plays from there. But that would not be a desired solution.
Please let me know if this is possible.
There are two ways to achieve this without install the Ansible on the ssh-tunnel machine.
Solution#1:
Use these variables in your inventory:
[remote_machine]
remote ansible_ssh_host=127.0.0.1 ansible_ssh_port=2222 ansible_ssh_user='username' ansible_ssh_private_key_file='/home/user/private_key'
hope you understand above parameters, if need help please ask in comments
Solution#2:
Create ~/.ssh/config file and add the following parameters:
####### Access to the Private Server through ssh-tunnel/bastion ########
Host ssh-tunnel-server
HostName x.x.x.x
StrictHostKeyChecking no
User username
ForwardAgent yes
Host private-server
HostName y.y.y.y
StrictHostKeyChecking no
User username
ProxyCommand ssh -q ssh-tunnel-server nc -q0 %h %p
Hope that help you, if you need any help, feel free to ask
No request to install ansible on the jump and remote servers, ansible is ssh service only tool :-)
First make sure you can work it directly with SSH Tunnel.
On local machine (Local_A), you can login to Remote machine (Remote_B) via jump box (Jump_C).
login server Local_A
ssh -f user#remote_B -L 2000:Jump_C:22 -N
The other options are:
-f tells ssh to background itself after it authenticates, so you don't have to sit around running something on the remote server for the tunnel to remain alive.
-N says that you want an SSH connection, but you don't actually want to run any remote commands. If all you're creating is a tunnel, then including this option saves resources.
-L [bind_address:]port:host:hostport
Specifies that the given port on the local (client) host is to be forwarded to the given host and port on the remote side.
There will be a password challenge unless you have set up DSA or RSA keys for a passwordless login.
There are lots of documents teaching you how to do the ssh tunnel.
Then try below ansible command from Local_A:
ansible -vvvv remote_B -m shell -a 'hostname -f' --ssh-extra-args="-L 2000:Jump_C:22"
You should see the remote_B hostname. Let me know the result.
Let's say you can ssh into x.x.x.x from your local machine, and ssh into y.y.y.y from x.x.x.x, while y.y.y.y is the target of your ansible playbook.
inventory:
[target]
y.y.y.y
playbook.yml
---
- hosts: target
tasks: ...
Run:
ansible-playbook --ssh-common-args="-o ProxyCommand='ssh -W %h:%p root#x.x.x.x'" -i inventory playbook.yml

gitlab 5.2 can clone and push by http, but can't clone or push by ssh

I have setup my gitlab server behind a route, and I have mapped my ssh port to 50000 in the server. the gitlab port is 50001.Then I create a test project and try to clone it in another machine,it's ok when I use http.
git remote add origin http://myrouteaddress:50001/user/test.git
but when I try to test it use ssh, it failed with
git remote add origin ssh://git#myrouteaddress:50000/user/test.git
fatal: The remote end hung up unexpectedly
I have test my ssh setting with
ssh -vT git#myrouteaddress -p 50000
and it passed without problem.
I find out the auth with
sudo tail -f /var/log/auth.log
and get the follow
Jun 1 12:29:22 debian sshd[24799]: Accepted publickey for git from mytestpcip port 37848 ssh2
Jun 1 12:29:22 debian sshd[24799]: pam_unix(sshd:session): session opened for user git by (uid=0)
Jun 1 12:29:22 debian sshd[24801]: Received disconnect from mytestpcip: 11: disconnected by user
Jun 1 12:29:22 debian sshd[24799]: pam_unix(sshd:session): session closed for user git
can someone tell me the reason? Thank you very much!
I finally got the reason, I have generate the ssh rsa key with wrong parameter. the right way is:
ssh-keygen -t rsa -C "email#email.com"
Check your config:
# check gitlab-shell install
sudo -u git -H /home/git/gitlab-shell/bin/check
# check gitlab install
sudo -u git -H bundle exec rake gitlab:check RAILS_ENV=production
Then, try and use the scp syntax:
git#myrouteaddress:50000:user/test.git
or
gitolite:user/test.git
With a config file in your ~/.ssh/config with
Host gitolite
Hostname myrootaddress # or ip address
Port 5000
User git
IdentityFile ~/.ssh/git