I am trying to connect to Unix server from WinSCP commandline for the first time.
It closes with the the following error:
The server's host key was not found in the cache. You have no guarantee that the
server is the computer you think it is.
The server's rsa2 key fingerprint is:
ssh-rsa 1024 42:9e:c7:f4:7f:8b:50:10:6a:06:04:b1:d4:f2:04:6d
If you trust this host, press Yes. To connect without adding host key to the cac
he, press No. To abandon the connection press Cancel.
In the WinSCP commandline, it does not ask for any input (Yes or No). It closes with Authentication failed. If I connect through the WinSCP tool, I'll get the same error. However, I'll be able to press YES.
I also know that If I add -hostkey switch in the command line, I'll be able to connect. But, I don't want pass hostkey in my batch script as I will be connecting to various servers. So, my requirement is to pass "YES" input from the commandline in case of this error. Can someone help?
A host key fingerprint verification is a crucial step in securing your SSH connection. Even if you are using a set of sessions with your script, it does not excuse you. The fingerprint should be part of a set of information you have for each of the sessions (in addition to a hostname, an username and a password).
Skipping the fingerprint verification means that you lose any security and there's no point using an SSH/SFTP anymore.
Anyway, if you do not care about a security, you can use the -hostkey=* switch to unconditionally accept any host key.
Further references:
Where do I get SSH host key fingerprint to authorize the server?
Verifying the host key
Related
I just created my first VPS host on OVHcloud. When I ssh for the first time I see:
The authenticity of host 'X.X.X.X (X.X.X.X)' can't be established.
ECDSA key fingerprint is SHA256:<the-fingerprint>.
Are you sure you want to continue connecting (yes/no/[fingerprint])?
Is there a way to verify this fingerprint? I know that people most of the time ignore the possibility of a MITM here and skip the check. But most of the time the first connection happens within an internal network, which isn't the case here.
Alternatively I'd be happy to upload an ssh public key to the server using the web manager. But I haven't found a way to do that.
The answer is yes.
I just discovered you can connect to the KVM directly from the OVH manager, thus connecting through tty1.
Go to your OVH manager, and in your VPS page, there should be a part that says "Name". There is then an option in the dropdown menu, "KVM" which let's you locally connect to your VPS through a QEMU instance.
You can get your fingerprints after logging in in this manner.
The answer is no for both questions:
When OVH spawn your VPS, they don't check/gather the auto generated ECDSA key (the ones in /etc/ssh/ssh_hosts_ecdsa*). So for the first connection, there is no way to verify this fingerprint.
For the SSH key upload through the OVH Manager, this is sadly not possible neither. You have to upload it by yourself with ssh-copy-id root#vpsXXX.
Note that it's possible on OVH's Public Cloud Instances, but not for VPS
I tried to connect to Ubuntu Server from Windows 8 using PuTTY.
At first, it asked me some registration of key. I accepted the pop up request. After that whenever I access Ubuntu Server there will be no registration, because already registered.
What I want is I want that registered key from Windows 8 location and remove them, so that when try to connect PuTTY will ask me to register keys again.
I don't know where those SSH keys or certificates are stored in Windows 8. Please help me to find certificates and remove them. I tried my C:\ I couldn't find any SSH folder or certificates.
It's called SSH host key. It's not a certificate.
PuTTY stores them to Windows registry under a key:
[HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\SshHostKeys]
See Verifying the host key chapter in PuTTY documentation to understand the purpose and importance of verifying the SSH host key.
I'm working on a project that requires me to run my code on a remote Unix server, that is not available to connect to directly (you first have to log in to the "gate" node and then to this server).
What's really bad is that they disabled key authentication, so each time I need to ssh into it, I have to type in my password twice. It's really annoying and I wonder what's the best way to transfer my local modifications of source files to this server, compile and run them without having to provide those passwords so many times.
I have no sudo access to any of those servers (neither to this "gate", nor to this target server). Any ideas on how to make the whole process more efficient?
EDIT: Martin Prikryl provided a great answer below, but it's suitable for Windows and I'm on a Mac :) I guess it might be a good thing to have it documented here also for *NIX systems.
You are looking for SSH tunneling.
WinSCP SFTP client supports one-hop SSH tunneling natively.
See the Tunnel page on WinSCP Advanced Site Settings dialog.
I assume that after you transfer the file, you need to open SSH terminal to compile the file.
You may be able to make use of WinSCP Console window for that step.
Alternatively, if you need/want to use a real SSH terminal client, make use of an existing SSH tunnel, created by WinSCP, and connect with PuTTY (or any other SSH client) over it.
In the Local tunnel port of WinSCP Tunnel page, select a fixed port number (instead of the default Autoselect). In PuTTY enter "localhost" to Host Name and the selected port in Port.
(I'm the author of WinSCP)
I purchased shared hosting from Vexxhost.I wanted to host my Rails application with them.I was given cpanel details.I generated SSH keys using the cPanel and converted it to .ppk format.Next, i downloaded the key.But when i try SSH login using Putty, i get the message Server Refused Our Key.Then i'm prompted for the password.When i enter password, message is displayed: Shell access is not available for your account.Contact support.I did contact support, but no reply.Am I doing any mistake in the procedure?
I haven't used cpanel to generate ssh keys, usually I do it at the ubuntu console. Is it possible that the ppk conversion has encoding issues? or it not done right?
Do you have access to a linux box? It would be simpler to test it there.
I have configured a server myself with ssh access, and if user does not have ssh access they are presented with user/pass. So it appears that your ssh credentials are denied, but your password is recognized as accurate. Authentication is happening.
About the issue of shell support. It could be that they enable shell support only if you connect with valid ssh credentials - in which case, you need to contact support.
Or, your account does not have ssh access, and you still need to contact support.
hope it helps
I always use ssh in putty to connect a remote server. As I know, ssh is based on public/private key mechanism, is it?
Does that mean the client will receive a public key first time when it connects to the server and then use the public key to continue with following communication?
Thanks.
Do you mean for authentication, or for encryption?
For authentication, Section 5.5.1 here covers it:
http://docstore.mik.ua/orelly/networking_2ndEd/ssh/ch05_05.htm#ch05-46136.html
In general, you create the key pair and get them there through other means.
If you mean for the encryption, try section 3.9.1.3 here:
http://docstore.mik.ua/orelly/networking_2ndEd/ssh/ch03_09.htm#ch03-65213.html
There are two parts where public/private key come into play -- session initialization and (optionally) user authentication.
In session initialization, the host public and private keys are used to set up the encrypted connection, but are not used to encrypt the connection itself. Instead, the initial set up is used to securely generate a unique session key that is used to encrypt the connection. The host public/private keys are generated and installed on the server.
While connecting, your ssh client (PuTTY in this case) will verify that the host key is what it remembers from the last time you connected. (If they are different, then somebody might be snooping on your connection!) This is why PuTTY asks you to confirm the hash of the host key the first time you connect -- it doesn't have a record of what the key is supposed to be, so it asks you to verify. If you tell PuTTY to confirm and save, then PuTTY will save the hash of the host key in the registry for future connections.
In user authentication, the user public and private keys are used to allow access to the server. The public key is installed for the user on the server. The server can then use that key to issue a challenge to the client that can only be answered correctly by using the user's private key. The user generates the public/private keys him/herself (e.g. with ssh-keygen).
For PuTTY, you can generate your own public and private key using the PuTTYgen utility (this is the PuTTY equivalent to ssh-keygen). It's up to you how you want to get the public key installed on the server. Then, run Pageant (a little app that sits in your notification area) and add your private key. If you set a passphrase on your private key, then Pageant will prompt you to enter it. Pageant, while running, will then work with PuTTY (or pscp, psftp, etc.) to make use of your private key.
This is a gross simplification of the processes involved; see James' answer for links to details.