I followed this page on Protecting the Docker daemon Socket with HTTPS to generate ca.pem, server-key.pem, server-cert.pem, key.pem and key-cert.pem
I wanted a remote Docker daemon to use those keys so i used rsync via ssh to send three of the files(ca.pem, server-key.pem and key.pem) to the remote host's home directory. The identity file for ssh into the remote host is called dl-datatest-internal.pem
ubuntu#ip-10-3-1-174:~$ rsync -avz -progress -e "ssh -i dl-datatest-internal.pem" dockerCer/ core#10.3.1.181:~/
sending incremental file list
./
ca.pem
server-cert.pem
server-key.pem
sent 3,410 bytes received 79 bytes 6,978.00 bytes/sec
total size is 4,242 speedup is 1.22
The remote host stopped recognising the identity file ever since and started asking for a non-existent password.
ubuntu#ip-10-3-1-174:~$ ssh -i dl-datatest-internal.pem core#10.3.1.151
core#10.3.1.151's password:
Does anyone know why and how to fix it? I still have all the keys if that helps.
There are a couple things about the rsync command that bother me, but, I can't put my finger on the problem (if there is one).
the rsync command and subsequent ssh command reference different hosts: rsync(core#10.3.1.181:~/
) and ssh to the host(core#10.3.1.151). Those are different machines, no?
the ~ in the target of the rsync command. core#10.3.1.181:~/. I am pretty sure that the ~/ references the core home directory, but, you could just get rid of the ~/ and replace that with a . (dot).
If you can reproduce the environment you did the copy in, you can add a --dry-run to the rsync command to see what it is going to do. Looking at this command I can't see it erasing the target's .ssh directory.
We've been trying to use opennebula to simulate a cluster but ssh is driving us crazy.
For some, still unknown reasons, it is necessary that user oneadmin (created by opennebula) is able to ssh to local host. The "home" directory of opennebula (created by it) is /var/lib/one and inside "one" we can find .ssh directory. So here's what I've done up to now:
sudo -su oneadmin
oneadmin#pc:$ cd /var/lib/one/.ssh
oneadmin#pc:/var/lib/one/.ssh$ ssh-keygen -t rsa
oneadmin#pc:/var/lib/one/.ssh$ cat id_rsa.pub >> authorized_keys
Moreover, I've changed all permissions: all files and directory have oneadmin as owner and 600 (as I can read from the opennebula guide)
and finally, by root, I do
service ssh restart
Then I login from one terminal as oneadmin again but when I perform:
ssh oneadmin#localhost
here's what I get
Permission denied (publickey).
where am I making this damned mistake? We've lost more than one day for all these permissions!
I've just run into a similar problem - turns out Open Nebula didn't get on with selinux.
Finally found the solution over here - http://n40lab.wordpress.com/2012/11/26/69/ - we need to restore the context to ~/.ssh/authorized_keys:
$ chcon -v --type=ssh_home_t /var/lib/one/.ssh/authorized_keys
$ semanage fcontext -a -t ssh_home_t /var/lib/one/.ssh/authorized_keys
I would like to setup a rsync a folder inside /etc, I followed this link http://news.softpedia.com/news/How-to-Use-RSA-Key-for-SSH-Authentication-38599.shtml and created one user added in visudo and then with ssh keygen, transferred the public key to remote machine, but still its asking for password.
Any other way would be recommended.
Thanks.
The link that you gave us is right, but there is something that they miss. In the backup-server you must change the file /etc/ssh/sshd_config, uncomment this line
AuthorizedKeysFile .ssh/authorized_keys
and your no password access should be working. In resume:
Client (where you have yours original files)
In a terminal write:
$ ssh-keygen -t rsa
this create the id_rsa.pub file in /home/USER/.ssh/
Server (where you will backup yours files)
modify the ssh_config file:
#nano /etc/ssh/sshd_config
and uncomment the line
AuthorizedKeysFile %h/.ssh/authorized_keys
and now just copy the content of .ssh/id_rsa.pub(Client) at the end of .ssh/authorized_keys(Server) and the no-password will be working(to connect from Client to Server). Maybe you need to restart your ssh server with
/etc/init.d/ssh restart
To make your rsync just do (you don't gave us too much information, but I suppose this)
rsync -az --delete --progress /etc/ server:destinationFolder/
this will make a backup of /etc/ in the Client to destinationFolder/ in the Server, show you the progress of the backup, will delete the file that are not in the source and will send compress the files. The access permissions to the .ssh/ directory in the Server must be 700, i.e: chmod -R 700 .ssh/
Possible errors:
1."Agent admitted failure using the key"
Sol: After you disconnect from the server (logged with the password) you must type in your client terminal ssh-add
I am trying to push my project onto my bitbucket, been messing with this for about 4 days pouring through countless problem solving/pages/troubleshooting/tutorials. Im at a loss and very frustrated. I have done this before but on different computers...anyway here is the code/response that I'm getting
~/dev/sample_app git push -u origin --all
The authenticity of host 'bitbucket.org (131.103.20.168)' can't be established.
RSA key fingerprint is 81:7b:2c:f5:6f:18:2b:7c:4b:ec:aa:46:46:74:7c:40.
Are you sure you want to continue connecting (yes/no)?
Host key verification failed.
fatal: Could not read from remote repository.
Please make sure you have the correct access rights
and the repository exists.
~/dev/sample_app
I am on a mac running 10.8.4.
So a little progress has been made, initially there was no .ssh folder so I created that way back in the beginning, there was no known_hosts file so I ran
ssh -T git#bitbucket.org
I chose yes and this created a known_hosts file and when I tried to push again I got:
~/dev/sample_app git push -u origin --all
Permission denied (publickey).
fatal: Could not read from remote repository.
Please make sure you have the correct access rights
and the repository exists.
My .ssh folder is 700 and the keys inside are all 600.
You can set IdentityFile flag file in ~/.ssh/config file as follows:
Host bitbucket.org
IdentityFile ~/.ssh/id_rsa
When you run
ssh git#bitbucket.org
the ssh client allows you to selects a file from which the identity (private key) for RSA or DSA authentication is read.
SSH Client To Use Given Private Key ( identity file )
You might be using ssh as the git origin url. Try removing the ssh origin like so
git remote rm origin
Then add new origin with HTTPS url and try pushing again.
git remote add origin https://git#bitbucket.org/SOMETHING/SOMETHING.git
git push -u origin master
Make sure you paste your url from bitbucket as origin.
In my case on fresh Ubuntu 16 machine I was missing files in ~/.ssh folder so what worked:
Go to folder ~/.ssh
Run ssh-keygen and name your file i.e. id_rsa
Run cat ~/.ssh/id_rsa.pub | xclip -sel clip
If you miss xclip just apt-get install xclip :)
Go to (in url change USERNAME to your bitbucket username:) ) https://bitbucket.org/account/user/USERNAME/ssh-keys/
Click Add key and paste the key from the clipboard
Magic - it works now :)
Edit: As Dan Swain points out in the comments, from 1 March 2022 this answer will have been superseded by authentication policy changes: https://bitbucket.org/blog/deprecating-atlassian-account-password-for-bitbucket-api-and-git-activity
The same applies to Github repositories as well, FWIW.
Thanks for the heads-up, Dan.
It might make sysadmins recoil in horror, but after suffering this problem (Windows) I gave up on SSH and went back to HTTPS.
When first adding the remote repository to Git, replace the SSH reference 'git#bitbucket.org...' with the HTTPS URL 'https://<username>#bitbucket.org'.
You have to type your password in every time but, particularly under Windows where SSH is not as commonly available as with the *nix family, I see this as a minor inconvenience compared with the headaches of SSH.
After setting up git with git config --global user.name "My Name" and
git config --global user.email myemail#x.com, I was still having trouble with the Permission Denied, (publickey) error. To solve this, I first generated a new ssh token with
ssh-keygen
and copied it with
pbcopy < ~/.ssh/YOUR_KEY
After that, I went to bitbucket.com to add it as a new SSH key in my settings. Then, I returned to my terminal to add the new key with
ssh-add ~/.ssh/YOUR_KEY.
The big problem that I was having was that I missed the critical ssh-add [key] command.
I had similar problem with BitBucket. in my case, it only fixed after I found out I should remove sudo from git clone command!
According to Attlassian:
You shouldn't use sudo when cloning, pushing, or pulling because the
ssh-agent runs on the user level, not the root level.
A more sustainable solution is to edit .bashrc (e.g. vi ~/.bashrc) and then add the following line to it (replace the key name):
KEY="$HOME/.ssh/YOUR_KEY"
if [ -e "${KEY}" ]; then
ssh-add -q "${KEY}"
fi
This will load the key automatically when you start the shell
If you're using Fedora 33+ and using the RSA algorithm. Use more secure alogrithm like ECDSA or ED25519 instead:
ssh-keygen -t ed25519 -C "your_email#example.com"
Check out the bitbucket support for more details
Cause
The RSA algorithm is being quickly deprecated across operating systems and SSH clients because of various security vulnerabilities, with many of these technologies now outright denying the use of this algorithm.
(info) For example - here is the announcement from OpenSSH regarding
their upcoming deprecation of the ssh-rsa algorithm. In the event that
you are using an operating system or SSH client whose version has this
algorithm disabled, it's possible that any SSH keys previously
generated using this algorithm will no longer be accepted by these
technologies.
Resolution
To fully resolve this issue, our team recommends that these deprecated
keys be re-generated using a supported and more secure algorithm such
as ECDSA and ED25519
I faced same issues in Linux (Ubuntu).
I solved it using setup in git:
git config --global user.name "Your Name"
git config --global user.email your.email#example.com
Printing the public key using cat and SSH key to bitbucket.org:
$ cat ~/.ssh/id_rsa.pub
Adding Bitbucket and pushing up the repository:
git remote add origin git#bitbucket.org:<username>/your repository name.git
git push -u origin --all
That's all!
In my case, this issue happened because I had a number of ssh keys in the ~/.ssh. I had to create a bitbucket.org specific entry in ~/.ssh/config as follows:
Host bitbucket.org
Hostname bitbucket.org
IdentityFile <location-of-.ssh-directory>/bb-rsa
IdentitiesOnly=yes
My guess is that since we don't specify a key while cloning, ssh tries all the keys in ~/.ssh which bitbucket thinks as a hacking attempt and rejects our repo clone attempt.
In my case it solved the problem to add the ssh key from the directory
~/.ssh/id_rsa.pub
on bitbucket.org. I named it also id_rsa.pub on the website.
At the beginning I added another key I created just for bitbucket and named it like that. The first remote actions worked but after some days the request have been denied.
Check for exisiting SSH Key
ls -al ~/.ssh
Copy the SSH Key
cat ~/.ssh/id_rsa.pub | pbcopy
Add the copied SSH Key to 'Bitbucket Settings', 'Security', 'SSH Keys'.
If you have multiple keys in your computer make sure you add bitbucket to the list such as below in
.ssh/config
# Company account
Host company
HostName github.com
PreferredAuthentications publickey
IdentityFile ~/.ssh/id_rsa_accelya
# Personal account
Host personal
HostName github.com
PreferredAuthentications publickey
IdentityFile ~/.ssh/id_rsa_personal
# Personal account bitbucket
Host bitbucket
HostName bitbucket.org
PreferredAuthentications publickey
IdentityFile ~/.ssh/id_rsa_personal_bitbucket
This may be obvious, but I spent quite a bit of time on it.
Check the destination when running git remote -v
In my case I had the ssh keys perfectly set up but the output from this command was:
origin get#github.com:USERNAME/REPOSITORY.git
(notice the get not git)
and not
origin git#github.com:USERNAME/REPOSITORY.git
Again, this was a very particular case, but be sure to check the strings carefully of this system if you're having trouble.
You can fix this with the following commands:
git remote set-url origin git#github.com:USERNAME/REPOSITORY.git
Make sure your have switched to the correct user on terminal.
In my case root user was not the one which has ssh keys added at the bitbucket settings panel. Running git with sudo makes it run from root user and my own user was the one who has keys added.
In my case my issue was that I tried using the .ppk file the putty generated and no matter what I tried nothing worked.
In the end I figured that the it was the wrong file and I had to export it, save it as the id_rsa file and load it, then everything worked.
If any.ssh fix didn't work or you cloned as https there can be a validation issue. in my case, I fixed this error by providing my username and password when cloning the repo. This issue can occur when you are using multiple accounts in a same machine.
use "git clone https://username:password#github.com/username/repository.git" command with your user name and password and repo URL.
I like the Answers here, but they all kind of miss a possible root cause.
with the command:
ssh -T git#bitbucket.org
replace bitbucket.org with your own bitbucket host.
If you get an answer like:
This deploy key has read access to the following repositories:
team-name/repository-name
that is why pushing to the repository is not working.
This you can also double check in the Bitbucket Web UI, notice the read-only access in the description:
Hope this gives a different perspective to the same problem.
I update config file with the top line to get it working
PubkeyAcceptedKeyTypes +ssh-rsa
Host <yourhost>
IdentityFile ~/.ssh/id_rsa
My Solution:
git remote rm origin
Add you user name before #bitbucket.org to the repo URL
git remote add origin https://{USER_NAME}#bitbucket.org/{NAME}/{REPO_NAME}.git
git push -u origin master
In Windows, #efesaid answer worked for solving issues with the ssh connection test. By the way, you can add a -v to see what keys (by name) are being attempted and why the connection fails.
However, when pushing to bitbucket, using git#bitbucket.org:user/repo.git, it seems that the host is not precisely bitbucket.org so I still was getting permission denied problems. I solved them by (re)naming my key to id_rsa (this is the key name that was being attempted in the ssh test).
This works if you have a single rsa key. For multiple keys, perhaps the host in the config file must be
bitbucket.org:username
but I am no sure this is unde
I think that the bitbucket instructions are best. Check if ssh is installed and if not install it
krasen#krasen-Lenovo-Y50-70:~$ ssh -v
usage: ssh [-1246AaCfgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]
[-D [bind_address:]port] [-E log_file] [-e escape_char]
[-F configfile] [-I xxxxx] [-i identity_file]
[-L [bind_address:]port:host:hostport] [-l login_name] [-m mac_spec]
[-O ctl_cmd] [-o option] [-p port]
[-Q cipher | cipher-auth | mac | kex | key]
[-R [bind_address:]port:host:hostport] [-S ctl_path] [-W host:port]
[-w local_tun[:remote_tun]] [user#]hostname [command]
krasen#krasen-Lenovo-Y50-70:~$ ls -a ~/.ssh
. .. google_compute_engine google_compute_engine.pub identity identity.pub known_hosts
krasen#krasen-Lenovo-Y50-70:~$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/krasen/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/krasen/.ssh/id_rsa.
Your public key has been saved in /home/krasen/.ssh/id_rsa.pub.
The key fingerprint is:
xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx krasen#krasen-Lenovo-Y50-70
The key's randomart image is:
+--[ RSA 2048]----+
| . |
| xx x |
| xxxxx |
| xxxxxxxxx |
| .xxxxxxxx |
| xxxxx |
| xxxxxxxxxxxx|
| xxxxxxxxxxxxx|
| xxxxxxxxxxx |
+-----------------+
krasen#krasen-Lenovo-Y50-70:~$ ls -la ~/.ssh
total 40
drwx------ 2 krasen krasen 4096 Jun 29 14:30 .
drwxr-xr-x 110 krasen krasen 4096 Jun 29 13:00 ..
-rw------- 1 krasen krasen 1675 Mar 18 2015 google_compute_engine
-rw-r--r-- 1 krasen krasen 409 Mar 18 2015 google_compute_engine.pub
-rw------- 1 krasen krasen 1679 Jun 29 13:15 identity
-rw-r--r-- 1 krasen krasen 409 Jun 29 13:15 identity.pub
-rw------- 1 krasen krasen 1679 Jun 29 14:30 id_rsa
-rw-r--r-- 1 krasen krasen 409 Jun 29 14:30 id_rsa.pub
-rw-r--r-- 1 krasen krasen 4698 Jun 29 13:16 known_hosts
krasen#krasen-Lenovo-Y50-70:~$ ssh-agent /bin/bash
to check if the agent is started
krasen#krasen-Lenovo-Y50-70:~$ ps -e | grep [s]sh-agent
26503 ? 00:00:00 ssh-agent
krasen#krasen-Lenovo-Y50-70:~$ ssh-add ~/.ssh/id_rsa
Identity added: /home/krasen/.ssh/id_rsa (/home/krasen/.ssh/id_rsa)
krasen#krasen-Lenovo-Y50-70:~$ ssh-add -l
2048 xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx /home/krasen/.ssh/id_rsa (RSA)
krasen#krasen-Lenovo-Y50-70:~$ cat ~/.ssh/id_rsa.pub
ssh-rsa xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
get this key and add it as key in the bitbucket settings
I got round a similar issue where I had previously used HTTPS to access the repository and had to switch to SSH by setting the url like so;
git remote set-url origin ssh://git#bitbucket.org/...
My problem was to do with permissions.
My project directory was owned by root, but I was logged in as ubuntu. I would get PERMISSION DENIED if I typed in a git command, e.g. git pull origin master, so I used sudo git pull origin master.
I had registered ubuntu's SSH key from /home/ubuntu/.ssh/id_rsa.pub with BitBucket.
However, I was using sudo. So the SSH key used was actually /home/root/.ssh/id_rsa.pub which was different to what BitBucket had.
Solution for my case
chown -R username_here:username_here project/folder/here
Now it should work if you don't prepend sudo
OR give BitBucket root's key
In source tree select your project right click then you find an option "Convert to SSH"-> Repair -> login this solved for me
If you are using SourceTree with Bitbucket, the solution is the next:
Go to your personal Bitbucket settings
Got to App passwords and create an app password
Give the next permissions to the app password:
Repositories (R-W-A-D)
Projects (R-W)
Pull request (R-W)
After that, keep the password generated
Try to clone again your repo
A password popup will be displayed, input the generated password.
That's all.
How do I setup passwordless ssh between nodes on AWS cluster
Following steps to setup password less authentication are tested thoroughly for Centos and Ubuntu.
Assumptions:
You already have access to your EC2 machine. May be using the pem key or you have credentials for a unix user which has root permissions.
You have already setup RSA keys on you local machine. Private key and public key are available at "~/.ssh/id_rsa" and "~/.ssh/id_rsa.pub" respectively.
Steps:
Login to you EC2 machine as a root user.
Create a new user
useradd -m <yourname>
sudo su <yourname>
cd
mkdir -p ~/.ssh
touch ~/.ssh/authorized_keys
Append contents of file ~/.ssh/id_rsa.pub on you local machine to ~/.ssh/authorized_keys on EC2 machine.
chmod -R 700 ~/.ssh
chmod 600 ~/.ssh/*
Make sure sshing is permitted by the machine. In file /etc/ssh/sshd_config, make sure that line containing "PasswordAuthentication yes" is uncommented. Restart sshd service if you make any change in this file:
service sshd restart # On Centos
service ssh restart # On Ubuntu
Your passwordless login should work now. Try following on your local machine:
ssh -A <yourname>#ec2-xx-xx-xxx-xxx.ap-southeast-1.compute.amazonaws.com
Making yourself a super user. Open /etc/sudoers. Make sure following two lines are uncommented:
## Allows people in group wheel to run all commands
%wheel ALL=(ALL) ALL
## Same thing without a password
%wheel ALL=(ALL) NOPASSWD: ALL
Add yourself to wheel group.
usermod -aG wheel <yourname>
This may help someone
Copy the pem file on the machine then copy the content of pem file to the .ssh/id_rsa file you can use bellow command or your own
cat my.pem > ~/.ssh/id_rsa
try ssh localhost it should work and same with the other machines in the cluster
how I made Paswordless shh work between two instances is the following:
create ec2 instances – they should be in the same subnet and have the same security group
Open ports between them – make sure instances can communicate to each other. Use the default security group which has one rule relevant for this case:
Type: All Traffic
Source: Custom – id of the security group
Log in to the instance you want to connect from to the other instance
Run:
1 ssh-keygen -t rsa -N "" -f /home/ubuntu/.ssh/id_rsa
to generate a new rsa key.
Copy your private AWS key as ~/.ssh/my.key (or whatever name you want to use)
Make sure you change the permission to 600
1 chmod 600 .ssh/my.key
Copy the public key to the instance you wish to connect to passwordless
1 cat ~/.ssh/id_rsa.pub | ssh -i ~/.ssh/my.key ubuntu#10.0.0.X "cat >> ~/.ssh/authorized_keys"
If you test the passwordless ssh to the other machine, it should work.
1 ssh 10.0.0.X
you can use ssh keys like described here:
http://pkeck.myweb.uga.edu/ssh/