I am trying log in to one of my projects at sagemath cloud using SSH (I am using OS X 10.10.1) after adding the local copy of the public key (~/.ssh/id_rsa.pub) to the authorized_keys file in the .ssh subdirectory of the project on the remote host, which is 162.222.176.40:
$ ssh <project id>#162.222.176.40
The authenticity of host '162.222.176.40 (162.222.176.40)' can't be established.
RSA key fingerprint is 3a:40:8e:77:88:7e:f8:68:0c:28:4a:32:f8:4a:4a:25.
Are you sure you want to continue connecting (yes/no)? yes
Is this as expected? I did check ~/.ssh/known_hosts and this host does not appear. I am guessing it will be added once I log in for the first time.
It's normal to see a message like that once upon first connecting to a server. If it asks if it's ok to continue connecting, just say "yes". That public key will then be added to your local ~/.ssh/known_hosts file (associated with that IP address or domain).
There's only a problem if you see this message every time you connect to a server. In that case, the problem might be that the given key is already in your local computer's ~/.ssh/known_hosts file, but is associated there with a different IP address or domain. Try removing that line of the file, or just clearing that file completely.
Related
This morning PyCharm started warning me:
Warning: remote host identification has changed! IT IS
POSSIBLE THAT SOMEONE IS DOING SOMETHING
NASTY! Someone could be eavesdropping on you
right now (man-in-the-middle-attack)! It is also
possible that the host key has just been changed. The
fingerprint for the ssh-ed25519 key sent by the
remote host is
[redacted A]
Do you want to update the key in
/Users/[myhome]/.ssh/known_hosts and resume
connecting?
Then it asks if I want to change ~/Users/[myhome]/.ssh/known_hosts.
The target host is used as an sftp to transfer my code to the remote server. Its name is an alias for two data transfer nodes. I can look at their ssh public keys using ssh-keyscan -t ed25519 alias.remotehost.com and I get a key that matches the one in my known_hosts file. I can also connect to a different remote server, at which time I do not get a warning about changed ssh keys, and ssh-keyscan the original remote host and I get the same keys in known_hosts.
The key that PyCharm says is new does not match any of the now twice confirmed ssh keys. The format of the PyCharm-message-derived key is even totally different from the keys from ssh-keyscan.
What is going on? I don't want to just blast through a security warning, and I'd like some guidance on where to look to see why PyCharm is giving me this warning that I cannot confirm otherwise.
The reason is not necessarily a security issue. Did you double-check your SSH configuration, in particular the known_hosts file used by PyCharm is the same you're checking?
https://man.openbsd.org/ssh_config#UserKnownHostsFile
You may want to take a look at the PyCharm SSH Configurations ... Connection Parameters; for example the different format you're seeing might be related to storing hosts in hash format option (to be confirmed):
https://www.jetbrains.com/help/pycharm/settings-tools-ssh-configurations.html
You can try to recreate a SSH configuration from scratch as described here:
https://www.jetbrains.com/help/pycharm/create-ssh-configurations.html
If you're 100% sure that the key in the known_hosts file is the right one and matches your target server's, this will remove the entry in known_hosts file and you should be again prompted to accept the server key on the next connection:
ssh-keygen -R <host>
(where host is your target server, IP or hostname: "alias.remotehost.com" in your example; you can provide the path for the file using -f <path>)
References
ssh remote host identification has changed
https://stackabuse.com/how-to-fix-warning-remote-host-identification-has-changed-on-mac-and-linux/
https://youtrack.jetbrains.com/issue/CPP-19720
I am trying to SSH into the server as part of the deployment job in CircleCI
ssh -oStrictHostKeyChecking=no $DEV_DROPLET_USER#$DEV_DROPLET_IP
I have my SSH private key for the user on this server loaded into CircleCI but everytime I run the job, I get this output
Warning: Permanently added '$host' (ECDSA) to the list of known hosts.
<$user>#<$host>'s password:
How can I stop it prompting me for the password?
I have added the SSH key for this user to the SSH Agent on the server (these instructions)
For a passwordless ssh connection, you must:
put the private ssh key into a file in the directory $HOME/.ssh/ on the client computer connecting to the server (example : $HOME/.ssh/MyServer)
copy the public ssh key into the file $HOME/.ssh/authorized_keys on the server
have writing permission on the file $HOME/.ssh/known_hosts on the client computer
The sshd service is normally already configured to accept key based authentication.
From the client computer, you can now do a passwordless connection ssh -i $HOME/.ssh/MyServer $DEV_DROPLET_USER#$DEV_DROPLET_IP
Of course, on the client computer your $DEV_DROPLET_USER must have appropriate permissions for accessing the ssh related files.
You don’t need to do anything with the ssh agent, on the client or on the server.
Late reply, but I hope it helps somebody else in the future.
Assuming you followed these instructions in the CircleCI docs, then the private key will automatically be copied to the machine being used by CircleCI when the add_ssh_keys step is run.
Make sure one the server you are trying to SSH into, the public key generated (in ~/.ssh/id_rsa.pub or something similar) is copied to the ~/.ssh/authorized_hosts file on the same server. This crucial step is what allows anybody with the private key (CircleCI) to be allowed into the server.
I'm sorry to have to ask this question, but I feel like I've tried every answer so far on SO with no luck.
I have my local machine and my remote server. Jenkins is up and running on my server.
If I open up terminal and do something like scp /path/to/file user#server:/path/to/wherever then my ssh works fine without requiring a password
If I run this command inside of my Jenkins job I get 'Host Key Verification Failed'
So I know my SSH is working correctly the way I want, but why can't I get Jenkins to use this SSH key?
Interesting thing is, it did work fine when I first set up Jenkins and the key, then I think I restarted my local machine, or restarted Jenkins, then it stopped working. It's hard to say exactly what caused it.
I've also tried several options regarding ssh-agent and ssh-add but those don't seem to work.
I verified the local machine .pub is on the server in the /user/.ssh folder and is also in the authorized keys file. The folder is owned by user.
Any thoughts would be much appreciated and I can provide more info about my problem. Thanks!
Update:
Per Kensters suggestion I did su - jenkins, then ssh server, and it asked me to add to known hosts. So I thought this was a step in the right direction. But the same problem persisted afterward.
Something I did not notice before I can ssh server without password when using my myUsername account. But if I switch to the jenkins user, then it asks me for my password when I do ssh server.
I also tried ssh-keygen -R server as suggested to no avail.
Try
su jenkins
ssh-keyscan YOUR-HOSTNAME >> ~/.ssh/known_hosts
SSH Slaves Plugin doesn't support ECDSA. The command above should add RSA key for ssh-slave.
Host Key Verification Failed
ssh is complaining about the remote host key, not the local key that you're trying to use for authentication.
Every SSH server has a host key which is used to identify the server to the client. This helps prevent clients from connecting to servers which are impersonating the intended server. The first time you use ssh to connect to a particular host, ssh will normally prompt you to accept the remote host's host key, then store the key locally so that ssh will recognize the key in the future. The widely used OpenSSH ssh program stores known host keys in a file .ssh/known_hosts within each user's home directory.
In this case, one of two things is happening:
The user ID that Jenkins is using to run these jobs has never connected to this particular remote host before, and doesn't have the remote host's host key in its known_hosts file.
The remote host key has changed for some reason, and it no longer matches the key which is stored in the Jenkins user's known_hosts file.
You need to update the known_hosts file for the user which jenkins is using to run these ssh operations. You need to remove any old host key for this host from the file, then add the host's new host key to the file. The simplest way is to use su or sudo to become the Jenkins user, then run ssh interactively to connect to the remote server:
$ ssh server
If ssh prompts you to accept a host key, say yes, and you're done. You don't even have to finish logging in. If it prints a big scary warning that the host key has changed, run this to remove the existing host from known_hosts:
$ ssh-keygen -R server
Then rerun the ssh command.
One thing to be aware of: you can't use a passphrase when you generate a key that you're going to use with Jenkins, because it gives you no opportunity to enter such a thing (seeing as it runs automated jobs with no human intervention).
I come accross StrictHostKeyChecking configuration when I needed to setup sftp communication between two servers (e.g. Windows Server ---> Linux Server). As defined here (use find for string match "StrictHostKeyChecking"):
If this flag is set to “yes”, ssh will never automatically add host keys to the ~/.ssh/known_hosts file, and refuses to connect to hosts whose host key has changed. This option forces the user to manually add all new hosts. If this flag is set to “no”, ssh will automatically add new host keys to the user known hosts files.
I want to use PSFTP.EXE to transfer files to the Unix server from Windows machine and there is obviously no concept of ~/.ssh/known_hosts. My question is then...what is the equivalent for StrictHostKeyChecking for PSFTP.EXE. Is it simple -batch which avoids interactive prompts ?
By default all PuTTY tools (including psftp) behave as StrictHostKeyChecking=ask.
With -batch, psftp (and pscp and plink) behave as StrictHostKeyChecking=yes.
If you use this switch and psftp finds that server's host key has changed you will get:
WARNING - POTENTIAL SECURITY BREACH! The server's host key does not
match the one PuTTY has cached in the registry. This means that either
the server administrator has changed the host key, or you have
actually connected to another computer pretending to be the server.
The new ... key fingerprint is:
...
Connection abandoned.
While without the switch (the default behavior), you will get an interactive prompt.
Likewise for the host key of a new server.
The psftp (nor any other PuTTY tool) never behaves as StrictHostKeyChecking=no. Unless you use some ugly and insecure hacks like here: How to pass echo y to plink.exe for first connection.
Obviously the -batch affects all other prompts too, not just host key prompts (comparing with StrictHostKeyChecking). There are these prompts in psftp (pscp and plink):
Username, passphrase, password, password change and keyboard-interactive prompts (connection aborts with -batch)
Insecure algorithm prompt (the same behavior as with host key prompt)
Append to existing log file? (logging is disabled with -batch when log file already exists and Ask user every time option is enabled for What to do if the log file already exists)
I'm trying to setup Pycharm such that my local changes are automatically deployed to a remote server.
I can ssh remoteserver and also sftp remoteserver from the terminal so access is not an issue. But if I try to setup deployment in Pycharm using SFTP, it can't establish the connection.
My best guess is that it's an authentication issue. When running the ssh or sftp commands separately, I've never needed to enter a username or password, so I suppose the auth is happening via Private Key. But the problem is that I'm not sure where the Private Key actually is (I'm in an unfamiliar dev environment).
So either
How do I know which Private Key I'm using when running ssh or sftp?
Any other way to resolve the problem.
Thanks!
As to (1), the SSH man page says (under the -i option) "The default is ~/.ssh/identity for protocol version 1, and ~/.ssh/id_rsa and ~/.ssh/id_dsa for protocol version 2. Identity files may also be specified on a per-host basis in the configuration file."
The configuration file is ~/.ssh/config, and the key file for a particular host is specified with IdentityFile.
You can also run ssh with -vvv parameter. The location of the private key file will be printed out (if key authentication is used).