How do you work with StrictHostKeyChecking using go.crypto/ssh package in Go? - ssh

So far with the ssh package in go I have been able to create some sort of client that will allow two forms of authentication. Either the user inputs a password or it will use keys to authenticate. This works great, however StrictHostKeyChecking may be causing an issue. Normally the first time you would SSH into a remote you'll be prompted with a message asking about the host authorization.
Is there anyway in Go to provide the user with that yes / no prompt or to disable StrictHostKeyChecking altogether?

They don't implement this for you, but you could provide HostKeyCallback in the ClientConfig struct passed to Dial. The function you provide should validate the hostname and host key against some known list and prompt the user if it doesn't match. The documentation says that the default is to accept all host keys, which is like setting StrictHostKeyChecking no in the ssh client config.

Related

Adding user Without password in postgres

I have installed Postgres v12 on Windows Machine. I have looked documentation of Postgres, but they are using command-line tools commands as
create user <username> etc,
I am using these commands but didn't get Logged into it.It says
fe_sendauth: no password supplied
How Can I add a user in Postgres psql shell without a password ?
If you don't want to be prompted for a password, you will need to have provision for that user in your pg_hba.conf file.
For example:
# TYPE DATABASE USER ADDRESS METHOD
host all user1 0.0.0.0/0 trust
host all all 127.0.0.1/32 md5
The first line beginning with "host" uses the method of "trust" which means the user will go unchallenged. You can change any of the other parameters as you see fit, but as long as they hit this rule first, other rules won't insist on a password. Once you make this change, you'll need to reload the service for it to take effect.

Is there a way to do SSH password-less login when the server only allows keyboard-interactive authentication?

Suppose I've got a server foo.com which only allows keyboard-interactive authentication, and that I can't change this. This means I can do,
sshpass -p PASSWORD ssh foo.com
but I can't create public/private keys to log in without a password.
Now, I could just create an alias ssh_foo="sshpass -p PASSWORD ssh foo.com", but then I have to create aliases for scp, for sftp, and in general it won't work for any other programs that use these, e.g. graphical programs based on sftp which mount remote folders. So I'm looking for a more generic solution.
In particular, is there any way to set up my .ssh/config file to allow password-less login in this case? This should then work for everything. I feel like some clever combination of ProxyCommand and LocalCommand might do it, but I can't figure out what.
(Note, I do understand the security implication of this, I'm just curious if you can do it)
Have you attempted using expect? According to the documentation it "[Expect] is a tool for automating interactive applications such as telnet, ftp, passwd, fsck, rlogin, tip, etc."
The Wiki Page for except is also a very good resource for examples as the ones on the Expect page are broken.
You can also use plink which you can download and compile. You can use the -pw argument to automate this.

Disable scp password prompt

I have a user ID set up on a server that doesn't require a password. I'd like to be able to use scp to transfer a file from it. My problem is scp keeps asking for my password even though there isn't one; I can telnet to the server and log on without the password. Is there any option (-o) I can specify to disable the password prompt? Using keys is not an option.
I'm no expert, but I'm guessing you might have to set PermitEmptyPasswords to Yes in /etc/ssh/sshd_config as per the instructions here.

SSH config to restore user ssh access?

I have been locked out of ssh. I'm on the Google Cloud, so I can move the hd over and change the ssh config files, but after a few attempts, I cannot login still. The problem began shortly after I changed the password to the primary account, but since SSH was not using password authentication, I am surprised that affected SSH. I tried turning password authentication on, generating new keys, have Google's platform generate new keys, etc, but nothing has allowed me to log in.
I keep getting this error, regardless of key combo or whether or not password authentication is on.
Permission denied (publickey).
I have a slightly older backup (a couple hours, before the issue), and it's telling me too many authentication failures for any user (regarless of user#domain.com).
I was wondering if there are any config setting I can set to be able to log back in.
Not sure this belongs stackoverflow or serverfault but..
Try adding -vv to your ssh command. It shows a lot more debugging info
For example:
ssh -vv username#host
See if that gets you any hints! It could be a number of things, it searching for private key in the wrong place, etc.
The issue could be ssh keys saved in your local computer. Can you move the ssh keys from .ssh/ to a different directory in your local computer and see if that resolves the issue.
Or can you enable password authentication for your ssh and use -o flag with ssh command which forces non-key authentication to confirm if the issue was with the key: ssh -o PubkeyAuthentication=no username#
You also set MaxAuthTries to higher number in your sshd_config.

Google server putty connect 'Disconnected: No supported authentication methods available (server sent: publickey)

I'm trying to connect to my Debian Google Compute Engine server through PuTTy (I've tried other alternatives too) but when I do I get the error "Disconnected: No supported authentication methods available (server sent: publickey)
The google server came without a username and password, only a url to automatically login to their own terminal.
I had PuTTY working and then one day got this error.
Solution: I had revised the folder path name containing my certificates (private keys), and this caused Pageant to lose track of the certificates and so was empty.
Once I re-installed the certificate into Pageant then Putty started working again.
Turn on Password Authentication
By default, you need to use keys to ssh into your google compute engine machine, but you can turn on password authentication if you do not need that level of security.
Tip: Use the Open in browser window SSH option from your cloud console to gain access to the machine. Then switch to the root user with sudo su - root to make the configuration changes below.
Edit the /etc/ssh/sshd_config file.
Change PasswordAuthentication and ChallengeResponseAuthentication to yes.
Restart ssh /etc/init.d/ssh restart.
Please follow this guide: https://gist.github.com/feczo/7282a6e00181fde4281b
with pictures.
In short:
Using Puttygen, click 'Generate' move the mouse around as instructed and wait
Enter your desired username
Enter your password
Save the private key
Copy the entire content of the 'Public key for pasting into OpenSSH authorized_keys file' window. Make sure to copy every single character from the beginning to the very end!
Go to the Create instances page in the Google Cloud Platform Console and in the advanced options link paste the contents of your public key.
Note the IP address of the instance once it is complete.
Open putty, from the left hand menu go to Connection / SSH / Auth and define the key file location which was saved.
From the left hand menu go to Connection / Data and define the same username
Enter the IP address of your instance
name the connection below saved Sessions as 'GCE' click on 'Save'
double click the 'GCE' entry you just created
accept the identy of the host
Now login with the password you specified earlier and run
sudo su - and you are all set.
You need to use an SSH key to login to your instance.
The GCE documentation explains the process here.
I had the same problem but got it working by changing enable-oslogin from TRUE to FALSE in google cloud.
from:
to:
I had the same issue and just figured it out !!
Assuming that you already went and created private/public key added your public key on the remote server ... type in username#remotehost.com and THEN go to Connection -> SSH -> Auth and click Browse to locate your private key. After you choose it will populate the input field. After that click OPEN ...
So the important thing here is the order... make sure you first enter parameters for the host and then locate your private key.
I got this error because I had forgotten to add my username behind the key in the GCE metadata section. For instance, you are meant to add an entry into the metadata section which looks like this:
sshKeys username:key
I forgot the username: part and thus when I tried to login with that username, I got the no supported auth methods error.
Or, to turn off the ssh key requirement entirely, check out my other answer.
Apparently running sudo chmod -R a+rw on your home folder causes this to happen as well.
This problem mainly caused by your connected username not have the access to the shell in GCE. So you use the following steps to solve this issue.
gcloud auth list
If you are using the correct login. please follow the below steps. otherwise use
gcloud auth revoke --all
gcloud auth login [your-iam-user]
and you get the token or it automatically detect the token.
gcloud compute --project "{projectid}" ssh --zone "{zone_name}" "{instance_name}" .
if you dont know this above line click to compute engine-> ssh dropdown arrow-> view google command-> copy that code and use it
Now it update your metadata and it is available in your computer's folder Users->username
~/.ssh/google_compute_engine.ppk
~/.ssh/google_compute_engine.pub
Then you create a new ppk file using puttygen and you give the username, which you want like my_work_space. Then
save the publickey and privatekey in a folder.
Next step: Copy the public key data from puttygen and create new ssh key in gcloud metadata
cloud console ->compute engine->metadata->ssh key->add new item->paste the key and save it
and now return your shell commandline tool then enter
sudo chown -R my_work_space /home/my_work_space
now you connect this private key using sftp to anywhere. and it opens the files without showing the permission errors
:) happy hours.
If the private key has been generated with ssh-keygen in Linux it needs to be converted with puttygen because Putty does not support openssh keys.
Start puttygen, and click on Conversions - Import key, then click Browse and select the private key generated with openssh, then click on Save private key.
Use your new key to connect.
I faced the same issue and solve after several trial and error.
In the /etc/ssh/ssh_config, set
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication no
AuthenticationMethods publickey
then, open putty.
In the "Saved Sessions", enter the server IP, go through the path Connection->SSH->Auth->Browse on the left panel to search your private key and open it.
Last but not least, go back to Session of putty on the left panel and you can see the server IP address is still in the field, "Saved Sessions", then click "Save", which is the critical step.
It will let the user login without password any more.
Have fun,
Download "PuttyGEN" get publickey and privatekey
use gcloud SSH edit and paste your publickey located in /home/USER/.ssh/authorized_keys
sudo vim ~/.ssh/authorized_keys
Tap the i key to paste publicKEY.
To save, tap Esc, :, w, q, Enter.
Edit the /etc/ssh/sshd_config file.
sudo vim /etc/ssh/sshd_config
Change
PasswordAuthentication no
[...]
ChallengeResponseAuthentication to no.
[...]
UsePAM no
[...]
Restart ssh
/etc/init.d/ssh restart.
the rest config your putty as tutorial
NB:choose the pageant add keys and start session would be better
Electricity went down and got this error. Solution was to double click your .ppk (Putty Private Key) and enter your password.
PasswordAuthentication and ChallengeResponseAuthentication default set to NO in rhel7.
Change them to NO and restart sshd.
Similar problem - same error message. I got the same message when trying to clone something from bitbucket with ssh. The problem was in my ssh configuration configured in the mercurial.ini: I used the wrong bitbucket username. After I corrected the user name things worked.
For me these was my problem, solution from https://unix.stackexchange.com/questions/282908/server-refused-public-key-signature-despite-accepting-key-putty
"Looking at the log /var/log/secure showed that it was just downright refused. I'm somewhat new to centos since I'm mainly a debian kind of guy, so I was unaware of /var/log/secure
After checking this and doing a bit of searching, it turns out PermitRootLogin no needs to be PermitRootLogin without-password if you want to specifically use just keys for root login. That did the trick. Thanks everyone for contributing."
I had the same error message and discovered that my mistake was in the username I used with putty. Apparently GCE SSH Keys listing would change your username characters in some of the listing. In my case, the underscore was changed to period. i.e: my_username becomes my.username
I inadvertently copied the wrong username from the listing and got the same error message.
I know this is an old question, but I had the same problem and solved it thanks to this answer.
I use Putty regularly and have never had any problems. I use and have always used public key authentication. Today I could not connect again to my server, without changing any settings.
Then I saw the answer and remembered that I inadvertently ran chmod 777 . in my user's home directory. I connected from somewhere else and simply ran chmod 755 ~. Everything was back to normal instantly, I didn't even have to restart sshd.
I hope I saved some time from someone