Closed. This question is off-topic. It is not currently accepting answers.
Want to improve this question? Update the question so it's on-topic for Stack Overflow.
Closed 10 years ago.
Improve this question
Is there any way to execute a ssh connection with out use interactive password autentification and non public keys, I need too run a command in the remote server all this with out manual intervention, I know that i can use a script but I don´t have any example. The application will be running in different machines so it's a bit hard creating a key public for every machine.
Everything is possible with the right configurations, but there are some security points to consider.
You certainly don't want everyone on the net to be able to execute any command on your server. So simply allowing everything is not a good idea.
Everyone who has your application on a computer in her control can do everything what your application can do ... and maybe more, if the application has limits only build in itself, not the server side.
You can distribute a private key with your application (and pass to SSH on connection), but of course then anyone having the application can extract this key. (If the application can access it, so can do any attacker who has control over it.)
You could also distribute a password with your application and somehow pass it to ssh, but still, in principle anyone who has the application can get the password.
If there is always the same command to be executed (maybe with different inputs), you can force this specific command at the server-side - for example, for a specific public key in the authorized_keys file. Or you could create a SSH subsystem and only allow this by server configuration.
On the server side, you can put additional limits by IP address or host name, but this is not really secure (IP adresses can be faked, for example). If the computers on which the application is to be run have already existing SSH installations, they should have host keys, and maybe you can do host authentication. But this is still only really useful if these hosts are under your control, more or less.
For security issues, a password (if you don't use a certificate) will always asked to you interactively, unless you configure server in an advanced way.
You can use a certificate, by inserting password one time.
Take a look at this
On debian, a tool exists for this and it's called sshpass (a noninteractive ssh password provider)
It comes with lots of warnings and caveats though! Be sure you assess the risks properly before continuing down this path...
Related
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
Closed 1 year ago.
Improve this question
I have a Raspberry Pi behind an LTE-router to connect to the internet. The LTE router prevent the Pi to get assigned a static IP, so I created a service that builds a reverse ssh tunnel with auto-ssh to my private Server to be able to access my pi remotely. The problem is now, if someone gets the SD card of the Pi, he can read the private key from the file system and has access to my server.
Is there any way to protect my server from access through the ssh connection with this key while keep the abillity to build a reverse tunnel wihtout password?
The server is hosted by strato, which is managed by Plesk, so every domain has its own vhost file system in /var/www/vhost/domain.de. Would it be possible to isolate this space for the ssh access with exact this key on the Pi, so the Client can only see whats inside this folder? Or ist there any other solution for my problem?
Create a new (tunnel) key on the raspberry, only to build the reverse tunnel to your strato server.
On your strato server add the public key into .ssh/authorized_keys, but add in front
command=/bin/false ssh-rsa ....
To connect you have to add -N to ssh this will build a tunnel but doesn't try to open a shell.
Now it's unimportant if that key get lost, as it can only build a reverse tunnel, but can not open a shell.
You can even use that key for all raspi's to build individual reverse tunnels.
Obviously, you add on your raspi in .ssh/authorized_keys only your user key, not the tunnel key
Is there a way to automatic accept host keys while making a SSH connection with WinSCP. I am using winscp.com version 4.2. I understand that -hostkey=* is only available since version 5.2.
My current script just waits for the prompt and does not go forward once the host keys are changes. Is there any way to automate?
The only appropriate solution for you is to upgrade. WinSCP 4.2 is years old and as such it suffers many security flaws.
And obviously, as a side effect, you get the -hostkey=* "feature".
The only way to automatically accept host key in versions prior to 5.2 is to use the -hostkey=<fingerprint>. And that's still the only CORRECT and SECURE solution.
For details, see Where do I get SSH host key fingerprint to authorize the server?
Closed. This question is off-topic. It is not currently accepting answers.
Want to improve this question? Update the question so it's on-topic for Stack Overflow.
Closed 10 years ago.
Improve this question
I've set up a Minecraft server on OpenShift, a free PaaS. OpenShift requires internal applications (like my server) to bind to a port in the range of 15000 to 35530 or port 8080. However, it also requires external client to access the server in one of these ports:
22,
25,
80,
109,
110,
143,
220,
443,
465,
587,
993,
or 995.
In other words, none of the internally exposed ports are exposed externally; however, there are two ways to communicate. One is SSH port tunneling, which I have setup on my computer already. The second one is through HTTP, which is automatically forwarded to 80 when it is sent through 8080 internally. The problem with SSH tunneling is that one needs to add a client's public key through OpenShift, and the client needs to setup their private key, which is too complicated for most of my friends.
I would like to make the connection process easier, so I thought of two possible ways of doing this. The first, which would be simpler to setup, would be to "unsecure" the SSH connections by not requiring a certain public or private key to connect. It's a game server, so security isn't an issue for me at all, but I think that this may not be possible, as SSH was built to be secure. The other way, which would be harder, would be to embed Minecraft packets into HTTP packets, which the OpenShift system automatically forwards. Perhaps this would be possible using an existing HHTP proxy system?
If anyone could help me solve this either of those two ways (or another way, if you can think of one), I would be very grateful!
Why not just create an ssh key pair specifically for this application and create a script that opens the tunnel using that specific key and then launches the program? You can also put restrictions on what any connection using that key is allowed to do (nothing).
#!/bin/sh
ssh -i ~/pathtoidfile -L 25565:localhost:yourport -f -N
# run minecraft to local server?
This is just off the cuff - probably not exactly correct. Also, assumes a unix (Mac or Linux) system. For windows, you'd have to install an ssh client (mingw?) and use cmd syntax.
Closed. This question is off-topic. It is not currently accepting answers.
Want to improve this question? Update the question so it's on-topic for Stack Overflow.
Closed 10 years ago.
Improve this question
I have an apache svn server running on a shared hosting linux account.
The symptom is that i can connect to the server that is hosting svn with PuTTY just fine,
but the TortoiseSVN Repository Browser can't connect.
I have tried svn, svn+ssh,
If I try just svn I get:
E730060: Unable to connect to a repository at URL
'svn://50.97.138.99:36901 /test' svn: E730060: Can't connect to host
'50.97.138.99': A connection attempt failed because the connected
party did not properly respond after a period of time, or established
connection failed because connected host has failed to respond.
If I try svn+ssh,
I get repeatedly prompted for the password and end up having to cancel the pwd dialog several times, and the error is:
Unable to connect to a repository at URL 'svn+ssh://wren.arvixe.com'
To better debug connection problems, remove the -q option from ssh in
the [tunnels] section of your Subversion configuration file. Network
connection closed unexpectedly
I've been working on this two whole days now, googled my heart out, and am starting to get delirious.
Thanks for any help. Ill be happy to provide more details / do experiments / etc.
I didn't know what details anyone would want to get started, so sorry if not enough details initially.
There seems to be some confusion about how your repository is accessible. You can't simply browse via svn+ssh:// without someone setting it up. Did someone set this up?
I'm surprised you can log onto the server via SSH (using PuTTY) since it's a shared hosting server. That's usually not allowed. Most shared hosting sites don't allow shell access.
You mention apache svn server in your opening statement. Then, you try both svn:// and svn+ssh://. There are FOUR separate ways of setting up a Subversion server and accessing Subversion:
Use Apache httpd as the server. To do this, you need Apache httpd to be configured and compiled correctly. You need several Apache plugins such as mod_dav_svn.so and mod_dav.so. Do you have this setup? If you do, you need to access your repository with http:// and not svn:// as you show.
Use svnserve as the server. This is simple to setup. You access your repository with svn:// as you show. Did someone configure svnserve and have it running?
Use svnserve over ssh. This uses the svnserve, but integrates with ssh and can use the Unix file access. This is very, very tricky to setup, and I have seen extremely few instances of people actually using this. Each user, when they access the repository, fires off their own svnserve process. The repository has direct access to it, and you must set up the individual accounts to prevent any shell access. Otherwise users could directly manipulate the repository.
Use direct file access This is highly not recommended when sharing a repository since all users must be granted direct read/write access on the repository.
The problem is that it becomes impossible to help you without knowing how Subversion was setup on your system. Did you create the repository? If so, did you start a svnserve process to access it? Did someone else setup your Subversion repository on that system? If someone else setup the repository, you'll have to get the exact directions from them on how to access it.
If you are the one who setup the repository, did you setup Apache or did you setup svnserve? If you have setup svnserve, did you use the default port 3690, or setup another port to use? Can you determine if this port is blocked by your firewall? You can use the telenet command to try accessing the port directly:
C> telnet 50.97.138.99 3690
If you can't connect, you'll see an "Unable to connect to remote host" message, and that means either svnserve isn't running, or your firewall is blocking that port. Since you can log into the server, try logging into the server, and acesssing that repository directly:
$ svn log svn://localhost
If you can access the repo, you have svnserve running, but your firewall blocking it. If you can't access svnserve, you might not have it running.
Try that and see what you get.
Closed. This question is off-topic. It is not currently accepting answers.
Want to improve this question? Update the question so it's on-topic for Stack Overflow.
Closed 9 years ago.
Improve this question
This is most likely not possible, but I'm just asking this to check... I'm just thinking out loud here...
So, SSH keys are very useful for logging into a server. Use SSH, and your SSH keys increase security to the server while also making it easier to manage several servers or other programs with one SSH key. Also, by unlocking the key when you login, there is even less need to type the password over and over again. So, I was wondering... is there a way to use SSH keys for website user verification? I am not talking about large, public websites, but about small, controlled systems that are used by specific users whose OS/browser can be controlled. Is there a way to integrate this? For this to work I assume the private key would need to be transferred over the web, so let's say we have SSL running to make this not insecure. Is such a thing possible? In an ideal situation, I log in to a website and it will see that my private key matches the public key that is installed, and voilá, I'm in!
It's called a client certificate, and you import it into your browser.
From technical point of view SSH keys represent public key cryptography scheme, and this is what X.509 certificates do in SSL. So what you need is certificates (client-side one if you want to authenticate the client on the server).
And no, private keys are never transferred across the net. They are used in certain operations for exchange of session key.
AuthUserFile /home/hafizni/.htpasswd
AuthGroupFile /home/hafizin/.htgroup
AuthName hafizin page
AuthType Basic
require group my-users