Remotely running commands via ssh - ssh

I need to automate the copy of a zip file to a remote Linux machine and then the unzipping of that file to a user's home directory.
Let's assume we have user1 and user2, user1 is a real person but has no home directory and user2 is an application user that has a home directory but cannot directly get shell access to a host. The mechanism to gain a shell for user2 is to ssh to the box as user1 and then su to user2. (please do not pass comment on this setup as I work for a large corporation and I am unable to change this aspect, it is decided by IT security and not up for discussion).
I would like to use
scp ziptocopy.zip user1#hostname:/var/tmp/
but as I don't have anywhere on the remote host to store a key file for user1 I cannot us public/private key pairs to perform this, can anyone suggest a way to do this?
The next piece is even more tricky as I want to ssh as user1 and then su to user2 and run
unzip /var/tmp/ziptocopy.zip
Again any suggestion on how I can do this? I have done a search and found an example that uses expect, this has potential for the scp but I cannot get this to work, but how would I get expect to cope with 2 password prompts?
Thanks

I'd look into using Python and the pexpect/pxssh modules. These days pexpect is a nice alternative for automation tasks that used to be dealt with using Expect.
See this answer for some example code where an SSH session is scripted:
How to make a ssh connection with python?

Related

gcloud compute ssh with local key & project restrictions

We have a user that is allowed to SSH into an VM on the Google Cloud Platform.
His key is added to the VM and he can SSH using
gcloud compute ssh name-of-vm
However connecting in this way will always have gcloud try to update project wide meta data
Updating project ssh metadata...failed
It fails because he only has rights for accessing & administrating this VM
However it's very annoying that every time he has to connect in this way he has to to wait for GCP trying to update metadata, which is not allowed and then check the sshkeys on the machine.
Is there a flag in the command to skip checking/updating project wide ssh keys?
Yes we can 'block project wide ssh keys' on the instance, but that would mean that other project admins cannot log in anymore.
I've also tried to minimise access to this user.
But, ideally, what rights should he have if he is allowed to SSH to the machine, start & stop the instance and store data into a bucket?
What you can do is to enable-oslogin for all the users you need including admins, enabling OS Login on instances disables metadata-based SSH key configurations on those instances.
The role to start, stop and connect via SSH to an instance would be roles/compute.instanceAdmin (take in account that this role is currently in beta) you can check here a list of the Compute Engine roles available so you can choose the one that better suits your needs.
To store data into a bucket, I think the most suitable role is roles/storage.objectCreator that allows users to create objects but not to delete or overwrite objects.
I found this solution very useful.
Create a file called config under ~/.ssh
Add the following to it. Change nickname to anything you prefer, $IP_OF_INSTANCE to the public IP of the instance, and $USER to your machine username.
Host nickname
HostName $IP_OF_INSTANCE
Port 22
User $USER
CheckHostIP no
StrictHostKeyChecking no
IdentityFile ~/.ssh/google_compute_engine
Now, you can simply SSH using:
ssh nickname
Note that the path on Linux and Mac is ~/.ssh while the path on Windows is something like C:\Users\<user>\.ssh
Re: #1: There's no flag on the command to change this behavior on a per-command level instead of a per-instance level ('block-project-ssh-keys', as you mentioned) but you could file a FR at https://issuetracker.google.com/savedsearches/559662.

Can't add files to the website using Filezilla

I've been working with the server only for 2 days so I am sorry if that is simple question. I looked everywhere, but didn't find an answer.
So I have a Google compute engine account and I have owner privileges. When I run
gcloud compute ssh instance --zone us-central1-a
it works, but it creates a key with username that it takes from my computer account.
So when I am in google shell I can add or remove files using sudo. But when I go to Filezilla I have to use ssh file key and username from that key. And the only folder that accessible with that username is it's own folder. I am not sure what is the problem so I gave all the facts I could.
I'm not entirely sure I'm answering the right question, but I'll take a stab at it. The ssh keys created by/used by gcloud are specific to a particular linux user on your VM. As you note, you can use sudo when ssh'd in to edit files/directories owned by different users---the way this works is that you (roughly speaking) temporarily switch users to root when doing the file edit.
An scp client like Filezilla isn't going to be able to switch users that way. So you'll need a different technique to edit files with Filezilla.
I suggest ssh-ing in to your vm and using chmod or chown to change the ownership of files/directories that you want to use with Filezilla. Alternatively you could you use useradd -G to add you username to a group that can edit the files you care about.
Exactly what you'll do depends on the security policy you want to enforce for your files, but there a lots of decent options. The key test to run---can you get to a state where you can edit the files when logged in with SSH, but not using sudo? If so then you should be able to edit the files with Filezilla.

still asking for password even after setting up the machine for Password-less SSH Login

I need to copy a file from a remote machine to my local machine and I need to automate it.
I've tried SCP command and it's working, however, I could not automate the part wherein it is asking for the password of the user of the local machine and the remote machine.
Based on this article I can Perform SSH Login Without Password Using ssh-keygen & ssh-copy-id
after following all the instructions written there, I tried to access the remote machine using this
ssh lalala#XXX.XXX.XXX.XXX
it works, it doesnt ask for the password anymore. But when I tried copying a file from that machine using the command below,
scp lalala#XXX.XXX.XXX.XXX:'/a/b/c.txt' lelele#XXX.XXX.XXX.YYY:'/b/c/'
it still asks for the password of the localmachine which is the lelele#XXX.XXX.XXX.YYY
I wonder if I did something wrong? what could it be? is there something wrong with the format of the command?
BTW, im using Centos, and I'm planning to code it using python
If you are copying to your local machine why don't you just do
scp lalala#XXX.XXX.XXX.XXX:'/a/b/c.txt' /b/c/
?
I tried your line on some machine with similar setup and didn't get asked for password; I got an error instead, but this is probably due to differences in our configurations. I tried mine and it worked.
Regarding whether your connection succeeds in the remote machine you could tail this file there:
tail -f /var/log/secure
If you see no error there you can be sure (well, never say always) your layout with the generated keys is working.
In this case I bet you'll see no error there
I think you may have multiple ssh keys and set identies only as yes. If so, please check this answer: https://askubuntu.com/a/999306/398861

How to setup ssh for no passwords from different accounts

I would like to ssh from user1#machine1.com to user2#machine2.com without passwords.
I can do this using passwords.
With using ssh-keygen to set up ~user1/.ssh/id_rsa on machine1.com and
~user1/.ssh/authorized_keys on machine2.com, using the instructions in ssh manual page,
I can, from user1 on machine1.com "ssh user1#machine2.com" without any passwords.
But I can not login without passwords using the same setup procedure, albeit substituting for the destination user2 for user1, i.e., from user1 on machine1.com "ssh user2#machine2.com" does not work without passwords.
The instructions I have found for doing this seem to suggest that I need a user2 account
on machine1.com to setup the keys and then copy them to the user1 account on machine1.com and user2 on machine2.com appropriately.
Is this so? Can the necessary keys be generated on machine1.com using account user1 for logging into user2 on machine2.com?
Update: I have tried this using a third computer machine3.com instead of machine2.com and it works as desired. I found several posts of the web with the same generic problem but without any solutions. Any WAGs at what might be the problem?
Thanks in advance
You can copy the same data into ~user2/.ssh/authorized_keys on machine2 that you copied into ~user1/.ssh/authorized_keys, so you would basically reuse the same key for both accounts. It's up to you to decide if this is a good idea.
You can, however, also generate a second key, but then you'd have to explicitly specify on the command line which key file is to be used for authorization from machine1.

SSH Key Authentication [Hesitance?]

I guess I'm being a little hesitant but I deal with vcs's occasionally and always get asked for some sort of prompt, of course I'm attempting to access an external machine which I'm sshing into.
Basically my question is, say I don't have root access on this machine, would it still be possible to set this up? I've skimmed through reading it a couple times and I'm pretty sure I got the method down - you generate pub/private keys, sftp to the machine and throw your public into some authorized_keys directory. How is this managed with multiple users for example? Could the generic file name ( the .pub ) get overwritten, or am I completely misunderstanding the process here and it's setup to allow multiple keys natively?
If I'm not a sudoer and one of the server's directories needs to be chmod'd to say 700 whereas it's 655, I can't really do anything other than ask for su access, right?
If you have ssh access to the remote machine, you can generate the key pair on your local machine, add the public key to the authorized_users file on the remote machine, and then use this for authentication. You don't need root privileges to do this. The keys and authorized_files usually reside under your home directory ( myhome/.ssh/authorized_keys etc) so they don't get confused between users.
Your questions about setting directory permissions is unrelated, but if you own the directory or its parent (or its parent...) you will be able to set any permissions on the file in that directory.
Sounds to me like it might be time to curl up with a general *nix administration book, perhaps? Not light reading, but it can be useful and I always find it most informative to learn the details when I'm actually struggling with them.
I ssh all the time into a machine that allows su or sudo. But, it's set up not to allow ssh via "ssh root#machine". So to answer your question, yes it's possible.
You can only change the directory permissions if you own the directory or if you have root access.