I have the old key in the file ~/.ssh/id_rsa.pub. I had to format the computer, how to restore this key to gain access to the servers again?
I suppose you mean with "the old key in the file id_rsa.pub" your client ("computer") and that you lost it during formatting the client. This public key should already persist on your server. To be able to authenticate to your server, you need the matching private key (~/.ssh/id_rsa). If you have it, just copy it back to that location on your new system.
If you lost it during formatting and have no backup, the only way to regain access is to generate a new pair (ssh-keygen) and copy the public key to your server (for example via ssh-copy-id) while authenticating via password, if you have not disabled that. I would also suggest removing the old public key from the server in that case.
Related
Unfortunately I forgot my id_rsa key passphrase. Since the only solution I found so far is to reset the key by a new SSH key. I now have the problem that I need to add the new key to each server I'm connected to. Is there a possibility to do this automatically? Maybe by copying the information from the "known_hosts" file of the old key to the new one?
This is not quite a duplicate of How to reset or change the passphrase for a GitHub SSH key?, but the answer there is valid.
You have to remember that the whole point of the passphrase mechanism was to prevent access by untrusted hosts. The machinery is specifically setup so only a machine with the proper passphrase (or several) can connect to the server.
The known hosts are only useful to you as a todo list. You need to access one by one somehow (not SSH), to send the new passphrase you generated. The known hosts itself is not the security mechanism, it's just a small part (the less important part, security can do without). It will save you typing some ys in the future.
I'm sorry to say you have to manually get to each machine. If by some miracle you had another vpnish API that all your servers shared you could automate that, but most of us don't.
I am using Windows machine and I have WinSCP installed.
I am writing a script that logs in to the server and downloads file.
I do not want to store account password in the script. Is there anyway I can login to server with some-kind of host-key or private-key or something.
Yes, you can use the public key authentication. But for that you still have to store the private key along with your script. Normally the key is encrypted with a passphrase. To automate the login, you would have to store the passphrase to the script file anyway (using the -passphrase switch). So still, if anyone gets an access to your machine, he/she is still able to steal your identity, just as with the password. Though there's an advantage. You can have multiple keys (while only one password). If you use a special key for the script and the key is ever compromised, you can revoke it, while keeping the other keys.
Note that, if you are not absolutely sure of the physical and electronic security of the system on which you are connecting, there's hardly any way to setup an automatic authentication. If you are sure about the security, storing password in the script file is just ok.
Anyway, your question is mostly duplicate of:
How do I setup Public-Key Authentication?
For WinSCP specifics, see the guide to Setting up SSH public key authentication.
See also the WinSCP guide to Protecting credentials used for automation.
I had a similar issue on windows so I used Putty instead http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html
If you need to generate a public key then use: http://the.earth.li/~sgtatham/putty/latest/x86/puttygen.exe
I gave the public key + password to whoever owned the SFTP server to install it on his side.
I saved the private key on my side lest say on "C:\privatekey.ppk"
You don't use password on your script but you link to the private which you must have on you machine.
Then, when you want to automate a batch to download from the FTP server the Pageant in order to load the private key into session http://the.earth.li/~sgtatham/putty/latest/x86/pageant.exe
Then use the PSFTP to connect and perform actions http://the.earth.li/~sgtatham/putty/latest/x86/psftp.exe
So here is sample code for the batch file:
!--Loading the key to session--!
#C:\pageant.exe "C:\privatekey.ppk"
!--Calling the PSFTP.exe with the uaser and sftp address + command list file--!
#C:\psftp user#your.server.address -b C:\sftp_cmd.txt
Command list file (sftp_cmd.txt) will like like this:
mget "*.*" !--downloading every thing
!--more commands can follow here
close
Now, all you need to to schedule it in scheduled tasks *I wish it was simple as unix's cron job....
If you follow the GitHub HowTo "Generating SSH Keys", you get three files in your ~/.ssh directory: known_hosts, id_rsa, and id_rsa.pub.
The file known_hosts is used for the server authentication, id_rsa is used for the client authentification (here is an article, that explains the difference).
Why should I create / why GitHub does need both -- a host and a user authentification files? How does the GitHub authentification work?
Thx
This is just plain old SSH authentication; nothing about it is specific to GitHub.
id_rsa and id_rsa.pub are the two halves of your key: the private key and the public key. Effectively, the public key is the lock for the private key. You put the lock (public key) on whatever servers you want easy access to, without too much worry that someone else will see it, because it's just a lock. You keep the (private) key on your machine, and use it to log into those servers; they see you have a key fitting the lock, and let you in.
(Not to say that you should put your public key on completely untrustworthy machines; there are malicious tricks that can take advantage of shortcuts like ssh -A.)
known_hosts doesn't actually have much to do with this; it's just where ssh stores the fingerprints of all the servers you've connected to, so it can throw up a big scary warning if the fingerprint changes. (That would mean it's not the same machine: either something has changed radically on the server side, or your connection has been hijacked.)
So, anyway, one of the protocols Git itself understands is SSH. When you use git#github.com:... as a repository URL, Git is just connecting over SSH. Of course, GitHub doesn't want you mucking around on their machines, so they only let you do Git things, not get a full shell.
As usual, the Arch wiki has a whole lot more words on this.
known_hosts stores the server's identity the first time you connect, so that you know the next time that you're connecting to the same server. This prevents someone from pretending to be the server the next time you connect (but sadly not the first time)
id_rsa is your secret key that proves that you are really you. Never give this away.
id_rsa.pub is the public key, its purpose for authentication is basically just to prove that you have the secret key without giving it out. This key you can give to anyone what needs it since there's nothing secret about it.
When you connect to the server, SSH first checks that the server has the correct key (ie it should match the one in known hosts. If the client is comfortable that the server is genuine, it uses its private key to sign the following data and sends it to the server;
string session identifier
byte SSH_MSG_USERAUTH_REQUEST
string user name
string service name
string "publickey"
boolean TRUE
string public key algorithm name
string public key to be used for authentication
The server verifies the signature using the public key (which you earlier uploaded to Github), and if it is correct, the client is authenticated.
The known_hosts file is used by ssh whenever you actually connect to a host via SSH. It stores a signed key of sorts for the server. Then, if it changes, you will know.
ssh-keygen -t rsa -C yourgithub#accountemail.com is used to generate the SSH key in which you will give the id_rsa.pub to github. Then, when you connect to github you have the private key id_rsa in your ~/.ssh folder which is then used to validate your information with github.
This is a very low-level explanation, but the private key (non .pub) file is your end, the .pub is for github and the known_hosts is for your box to know what is what.
You can also generate a config file in ~/.ssh for use to specify which key goes to which host..
authorized_keys and known_hosts are entirely different..
Your SSH server (sshd, ie) uses authorized_keys, or whatever file is defined within your /etc/ssh/sshd_config/ for knowing the public side of another key. So when a user connects to your server, they pass their private key, your SSH server verifies against the public key it has within authorized_keys and if it doesn't match, it doesn't work.
Github maintains an authorized_keys so-to-speak on their users. Your public key goes into your authorized_keys on your account and then when you connect via ssh to clone,push,etc, it checks your private key you send over with your public key they already know.
I'm trying to change my EC2 public key for myself, the rest of my team who uses AWS, and also for running instances.
So the old key was (for example) 'my_key', and I made a new key called 'my_key2'.
I made the new key, saved the .pem file alongside the old one, so both 'my_key.pem' and 'my_key2.pem' are residing in my ~/.ssh folder.
Now, I'm trying to ssh into other instances to change they authorization_keys to share my public key, but when I try to ssh, I get
amy$ ssh ***-**-**-***-***.foo.com
Permission denied (publickey).
I tried taking the new 'my_key2' file out of the .ssh folder, and the same problem occurs. I didn't have this problem before I started mucking around. Any tips on getting ssh to recognize my old certificates so that I can get everyone going on the new keys?
You will need to stop the instance (if EBS-backed instance) in order to change the key pair to be used for the instance. If not EBS-backed volume you will just need to start another instance from your AMI with the the new key pair.
If you are not able to easily restart the instance or create a new instance, there is this method which purports to being able to change public keys on a running instance, but I haven;t tried it. Really the right way to do it is by stopping/starting or creating new instances.
http://seabourneinc.com/2011/01/19/change-key-pairs-on-aws-ec2-instance/
http://seabourneinc.com/2011/01/19/change-key-pairs-on-aws-ec2-instance/
This solution works. I checked it.
In simple steps.
login to AWS console, create a new pem key, it will ask you to save it to local, save it.
run the following command.
ssh-keygen -y | tee my_key.pub
type the path to where you have saved the new pem key file along with the file name.
the above command will display the contents on the screen, copy it, and paste into the
authorized_keys file of the EC2 instance, save and close.
now you can use the saved/downloaded new pem key file to access the EC2 instance.
I get this error
WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED
The rest of the error message is similar to here.
I have SSH keys in my server. I have my private key in my desktop. I am not sure where I should put it.
Add correct host key in ~/Users/Sam/.ssh/known_hosts to get rid of this message.
Should I add the public key of my server to the file?
The issue is that the server's public key has changed from the one used the last time your client connected, and it may be indicative of an attempt to fool you into connecting to a server that's masquerading as your intended target in some fashion, in order to steal your credentials or some other malicious behaviour.
The message also naturally occurs if the public key on the server has been explicitly changed, which can happen for a number of legitimate reasons - a vulnerability in Debian-based Linux distributions in the not-so-distant past necessitated key regeneration for many people, for example.
If you can confirm that you're connecting to the intended destination, and you know that any key change was legitimate, then you can usually accept the key change. Alternatively, as the message explains, you can obtain the server's public key via an alternative (secure) channel and update your client's local copy so it recognises the server's credentials once more.
If you don't control the server, contact the person or organisation that does, and find out whether the change was legitimate.
You don't need to modify your private key in any way; this is nothing to do with your key pair.
If the keys were really changed on the server (ie. you are not a victim of a man-in-the-middle attack), the easiest think to do is get the line number from the message (offending key is in path/known_host:line_number), delete this line, login to the server (and accept the key).
You mean, programatically?
Probably you can find better support at the forums posted in this question:
https://stackoverflow.com/questions/321618
I was just having this error and I think it's because I'd been previously using another Vagrant instance on my laptop for a work assignment I had, and now that that assignment has finished I'm trying to use Vagrant for my own project, but the old Vagrant instance's public key was still in my known_hosts file. So I just deleted the old entry in the known_hosts file for 127.0.0.1 and saved the file and the error went away.