SSH Keyless Entry multiple servers and users all non root - ssh

I have ServerA which serves as a central backup server for all Linux machines in the field. They sync with rsync. I need keyless entry for these machines - say ServerX, ServerY and ServerZ. The idea is to give each client server a separate username and home folder to back up to - thus isolating each server's data and risk.
ServerA has UserX, UserY, UserZ.
On ServerX:
[root@ServerX ~]ssh-copy-id -i ~/.ssh/id_rsa.pub root@ServerA
[root@ServerX ~]ssh root@ServerA
[root@ServerA ~]
I can log in as root without a password prompt.
Now if I try using one of the other users on ServerA:
[root@ServerX ~]ssh-copy-id -i ~/.ssh/id_rsa.pub UserX@ServerA
[root@ServerX ~]ssh UserX@ServerA
UserX@ServerA's password:
[UserX@ServerA ~]
The ssh-copy-id does not report any errors and appears to work, but I still cannot log in to ServerA "key-less". I have tried a couple of combinations of the commands, but I cannot get passwordless login as UserX into ServerA.
I am sure I am missing something obvious here. :) Any feedback or advice would be appreciated to get passwordless access for UserX, UserY and UserZ.
Thank you for your help and time,
Regards,
Rudolf
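
The post does not say what caused the prompt. One frequent cause of exactly this symptom (key installed by ssh-copy-id, password still requested for a non-root account) is sshd's StrictModes check, which ignores authorized_keys when the home directory, ~/.ssh or the file itself is writable by group or others. The audit below is an added example, not part of the original post; the temporary directory is a constructed stand-in for UserX's home on ServerA, and ownership (which sshd also checks) is not covered.

```sh
#!/bin/sh
# Added example: report the permission problems that make sshd (StrictModes,
# on by default) ignore an account's authorized_keys file.

# Succeeds if PATH is writable by group or others. Characters 6 and 9 of the
# `ls -ld` mode string (drwxrwxr-x) are the group and other write bits.
is_group_or_world_writable() {
    case $(ls -ld "$1" | cut -c6,9) in
        *w*) return 0 ;;
        *)   return 1 ;;
    esac
}

# audit_key_login HOME_DIR
# Prints one line per finding; the exit status is the number of findings.
audit_key_login() {
    home=$1
    findings=0
    if [ ! -f "$home/.ssh/authorized_keys" ]; then
        echo "MISSING  $home/.ssh/authorized_keys"
        return 1
    fi
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if is_group_or_world_writable "$p"; then
            echo "TOO-OPEN $p ($(ls -ld "$p" | cut -c1-10))"
            findings=$((findings + 1))
        fi
    done
    return "$findings"
}

# Remove group/other write access from the three paths sshd inspects.
harden_key_login() {
    chmod go-w "$1" "$1/.ssh" "$1/.ssh/authorized_keys"
}

# Constructed stand-in for UserX's home on ServerA (no real account needed).
demo_home=$(mktemp -d)
mkdir "$demo_home/.ssh" && : > "$demo_home/.ssh/authorized_keys"
chmod 775 "$demo_home"; chmod 700 "$demo_home/.ssh"
chmod 664 "$demo_home/.ssh/authorized_keys"
audit_key_login "$demo_home" || echo "findings: $?"
harden_key_login "$demo_home"
audit_key_login "$demo_home" && echo "clean"
rm -rf "$demo_home"
```

Run as root on the backup server against each backup user's home; sshd's own log on that server names the rejected path when this check is what blocks the key.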

Related

Access to jumpbox as normal user and change to root user in ansible

Here is my situation. I want to access a server through a jumpbox/bastion host.
So, I will log in as a normal user on the jumpbox, then change user to root, and after that log in to the remote server as root. I don't have direct access to root on the jumpbox.
$ ssh user@jumpbox
$ user@jumpbox:~# su - root
Enter Password:
$ root@jumpbox:~/ ssh root@remoteserver
Enter Password:
$ root@remoteserver:~/
Above is the manual workflow. I want to achieve this in ansible.
I have seen something like this.
ansible_ssh_common_args: '-o ProxyCommand="ssh -W %h:%p -q user@jumpbox"'
This does not work when we need to switch to root and log in to the remote server.
There are a few things to unpack here:
General Design / Issue:
This isn't an Ansible issue, it's an ssh issue/proxy misconfiguration.
A bastion host/ssh proxy isn't meant to be logged into and have commands run directly on it interactively (like su - root, enter password, then ssh...). That's not really a bastion, that's just a server you're logging into and running commands on. It's not an actual ssh proxy/bastion/jump role. At that point you might as well just run Ansible on the host.
That's why things like ProxyJump and ProxyCommand aren't working. They are designed to work with ssh proxies that are configured as ssh proxies (bastions).
Running Ansible Tasks as Root:
Ansible can run with sudo during task execution (it's called "become" in Ansible lingo), so you should never need to SSH as the literal root user with Ansible (shouldn't ssh as root ever really).
Answering the question:
There are a lot of workarounds for this, but the straightforward answer here is to configure the jump host as a proper bastion and your issue will go away. An example...
1. As the bastion "user", create an ssh key pair, or use an existing one.
2. On the bastion, edit the user's ~/.ssh/config file to access the target server with the private key and desired user.
   EXAMPLE user@bastion's ~/.ssh/config (I cringe seeing root here)...
   Host remote-server
       User root
       IdentityFile ~/.ssh/my-private-key
3. Add the public key created in step 1 to the target server's ~/.ssh/authorized_keys file for the user you're logging in as.
After that type of config, your jump host is working as a regular ssh proxy. You can then use ProxyCommand or ProxyJump as you had tried to originally without issue.

ssh passwordless connection with other username

I try to configure a passwordless ssh connection from server 1 to server 2.
At server 1 the user is called "user1", at the second server the user is called "user2". Can I make a passwordless ssh connection for this constellation somehow?
Normal ssh-keygen + putting the content of the id_rsa.pub in the authorized_keys of the other server is not working.
Does someone know a possibility for that?
By the way. It is not possible to add a user called "user2" on server 1.
Thanks
You have various options, but the first thing you need to do is put user1's key in the authorized_keys file of user2 on server2. That's basically saying "anyone with this key can claim to be user2". Next you have a couple of options - first, and probably easiest, is to specify the username directly in the ssh command:
ssh user2@server2
To avoid having to remember that each time, add an entry into your .ssh/config file (the file may not exist yet):
Host server2
    User user2
Then you'll be able to just do ssh server2.

Connect through ssh and scp and type in password automatically

I know this question has already been asked several times but I got another problem. I have a part in my script where I connect through ssh and scp and every time I run the script it always asks for the password. Most of you would probably answer that I should use expect or sshpass, yet I don't have either of these two. I tried running:
compgen -c
and there's no expect and sshpass existing.
Are there any alternative commands? I would really appreciate your help. Thanks
Update: I also can't install any of these since I'm only an ordinary user.
First I logged in to server A as testuser and entered the following command:
ssh-keygen -d
Do not enter any passphrase.
This will generate files in the folder ~/.ssh/
Then scp the file rsa_id.pub (public key) to server B.
scp ~/.ssh/id_dsa.pub testuser@B:/home/testuser/.ssh/authorized_keys2
Do the same vice versa (if you want access to both). Then you can now transfer from one server to the other without being asked for your password.
If you don't want to set up keys for passwordless access (against the rules?), you can set up "SSH connection sharing".
Insert these lines into your .ssh/config file:
ControlMaster auto
ControlPath /tmp/ssh_%r@%n:%p
ControlPersist 8h
Now, when you log into a server from the machine with that config it will ask you your password the first time, and won't ask again until 8 hours of idle time have passed (so, you'll get asked once per day, usually).
What it's doing is keeping the connection open in the background, and then reusing the same connection for all your SSH sessions. This gives a useful connect-speed boost, and means you don't need to re-authenticate. All-in-all, it's great for accelerating scripted SSH and SCP commands.

finding out sudo password on ssh server

I need to do a sudo command on a ssh server.
It asks for password
[sudo] password for myname:
but it's apparently different from the password for ssh server itself.
Can sudo only be used by root?
If not, should I ask the maintenance people for the password?
Or is there a way to set it up myself?
See: http://www.gratisoft.us/sudo/sudoers.man.html
Specifically see rootpw, targetpw, etc.
It is possible to have two different passwords, one for the account and another for the sudo command.
You should ask the maintenance people.

Create script/shortcut to login via ssh

My issue is that every time I have to login to a given account on a linux server (there are many) I have to go pull a text file not I have to look at the username and ip.
Example: "ssh some_user@xxx.xxx.xxx.x -pxxxxx"
I want to make my life a little easier by creating a shortcut, e.g. "ssh some_user"...
I searched and could not find an answer, likely not using the right terminology.
Thanks!
You can use the ssh client configuration file (.ssh/config). If you have to type ssh -p 1234 mylogin@my.server.with.a.long.name.com, you can populate your config file with
host server
hostname my.server.with.a.long.name.com
user mylogin
port 1234
Then you can simply type ssh server and it will have the same effect. You can have as many entries in your .ssh/config file as you want and even use wildcards (*).
If you are using a recent version of bash, you can furthermore make use of the command_not_found_handle function:
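command_not_found_handle () {
    # Treat an unknown command as an ssh host alias when ~/.ssh/config has a "host" line containing it
    if grep -q "host $1" ~/.ssh/config 2>/dev/null; then
        # Pass the alias and any further arguments through to ssh unchanged
        ssh "$@"
    else
        printf 'Sorry: Command not found: %s\n' "$1"
        return 127
    fi
}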
Then you can connect simply with
server
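
The grep "host $1" test in the handler above is a substring match, so a mistyped command such as serve matches the line "host server" and is handed to ssh as a hostname. An exact-match lookup follows as an added example (not code from the original answer); ssh_config_has_alias is a hypothetical helper name, the sample config is constructed, and quoted Host arguments are not handled.

```sh
#!/bin/sh
# ssh_config_has_alias ALIAS [CONFIG_FILE]   (hypothetical helper, added example)
# Succeeds only when ALIAS is listed as a literal name on a Host line.
ssh_config_has_alias() {
    alias_name=$1
    config=${2:-$HOME/.ssh/config}
    # Refuse empty names, anything starting with "-" (ssh would read it as an
    # option) and any character outside a conservative alias alphabet, which
    # also rules out wildcard patterns such as *.internal.
    case $alias_name in
        '' | -* | *[!A-Za-z0-9._-]*) return 1 ;;
    esac
    [ -r "$config" ] || return 1
    awk -v want="$alias_name" '
        /^[ \t]*#/ { next }                    # comment line
        {
            # ssh_config also accepts "Keyword=value": turn the "=" into a space
            if (match($0, /^[ \t]*[A-Za-z]+[ \t]*=/))
                $0 = substr($0, 1, RLENGTH - 1) " " substr($0, RLENGTH + 1)
        }
        tolower($1) == "host" {                # keywords are case-insensitive
            for (i = 2; i <= NF; i++)
                if ($i == want) found = 1      # whole-word, literal match
        }
        END { exit(found ? 0 : 1) }
    ' "$config"
}

# The bash hook from the answer, wired to the exact-match lookup.
command_not_found_handle() {
    if ssh_config_has_alias "$1"; then
        ssh "$@"
    else
        printf 'Sorry: Command not found: %s\n' "$1" >&2
        return 127
    fi
}

# Constructed sample config for a quick check.
cfg=$(mktemp)
printf 'Host server backup-a\n  HostName my.server.with.a.long.name.com\n' > "$cfg"
ssh_config_has_alias server "$cfg" && echo "server: alias"
ssh_config_has_alias serve "$cfg" || echo "serve: not an alias"
rm -f "$cfg"
```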
I don't know if I understood your problem correctly, but a proper ssh config file makes life muuuch easier. No IP, no domain, no password, not even a username.
See the man page: http://linux.die.net/man/5/ssh_config
I like things like ssh vm, or scp vm:... no more scp blablubb@192.168.226.xy:...+ passphrase.
Also see ssh-keygen and ssh-copy-id for asymmetric key exchange. That will rid you of typing passwords.
Generally, I recommend reading an ssh tutorial.