is it possible to use the LDAP / Active Directory with OpenSSH ?
That is avoiding using the commands "mkgroup -d..." and "mkpasswd -d ..." of OpenSSH. These commands are used to define an user list allowed to access to the "ssh server" machine... and I would like to avoid having a fixed list not to have to relaunch the commands several times.
I use OpenSSH as a SSH server and putty as a client.
Thanks for your help
I can not determine which OS you OpenSSH is running on?
Assuming it it Linux/UNIX, AFAIK, you would want to setup using PAM (Pluggable Authentication Module).
Google for PAM LDAP Linux
One link is:
http://wiki.linuxquestions.org/wiki/Pam_ldap
Related
I am trying to automate SSH login by using password. I can't use expect command or sshpass etc. So I am left with only option to use password directly.
Did lot of research in google and didn't get any solution... :(
Please help me with this.
The code I tried is.
#!/bin/bash
USERNAME=user1
PASSWORD=abcd1234
HOSTS="server01.mat.us"
ssh ${HOSTS} -l ${USERNAME} -p ${PASSWORD}
The OpenSSH ssh utility doesn't accept a password on the command line or on its standard input. This also applies to the scp and sftp file transfer utilities, which invoke ssh to make the SSH connection. I believe this is a deliberate decision on the part of the OpenSSH developers. You have these options available to you:
Use an SSH key for authentication, instead of a password.
Use sshpass, expect, or a similar tool to invoke ssh through a TTY and automate responding to the password prompt.
Use (abuse) the SSH_ASKPASS feature to get ssh to get the password by running another program, described here or here, or in some of the answers here.
Get the SSH server administrator to enable host-based authentication and use that. Note that host-based authentication is only suitable for certain network environments. See additional notes here and here.
Write your own ssh client using perl, python, java, or your favorite language. There are ssh client libraries available for most modern programming languages, and you'd have full control over how the client gets the password.
Download the ssh source code and build a modified version of ssh that works the way you want.
Use a different ssh client. There are other ssh clients available, both free and commercial. One of them might suit your needs better than the OpenSSH client.
I'd recommend to use ssh keys instead of password if it's possible.
This script can help you to upload your public key to desired remote machine:
https://github.com/aprey10/ssh-authorizer
I have a webapplication and I would like to provide the users with a feature to be able to ssh to the linux server without having to add all the users' credentials from the Psql DB to the linux server. Instead I would like to use the credentials directly for ssh. I think that this is possible using linux pluggable authentication modules (pam), however I'm don't know where to start and I would like some help?
You will need to set up pam_pgsql and nss_pgsql for users from database to become first-class citizens (local users). Then they will be able to ssh as easy as your users from passwd/shadow/group files.
Start with said packages installation and reading their configuration manuals. Remember: PAM is for authentication, NSS is for name-to-uid and back translations.
I'm working on a project that requires me to run my code on a remote Unix server, that is not available to connect to directly (you first have to log in to the "gate" node and then to this server).
What's really bad is that they disabled key authentication, so each time I need to ssh into it, I have to type in my password twice. It's really annoying and I wonder what's the best way to transfer my local modifications of source files to this server, compile and run them without having to provide those passwords so many times.
I have no sudo access to any of those servers (neither to this "gate", nor to this target server). Any ideas on how to make the whole process more efficient?
EDIT: Martin Prikryl provided a great answer below, but it's suitable for Windows and I'm on a Mac :) I guess it might be a good thing to have it documented here also for *NIX systems.
You are looking for SSH tunneling.
WinSCP SFTP client supports one-hop SSH tunneling natively.
See the Tunnel page on WinSCP Advanced Site Settings dialog.
I assume that after you transfer the file, you need to open SSH terminal to compile the file.
You may be able to make use of WinSCP Console window for that step.
Alternatively, if you need/want to use a real SSH terminal client, make use of an existing SSH tunnel, created by WinSCP, and connect with PuTTY (or any other SSH client) over it.
In the Local tunnel port of WinSCP Tunnel page, select a fixed port number (instead of the default Autoselect). In PuTTY enter "localhost" to Host Name and the selected port in Port.
(I'm the author of WinSCP)
This has probably been asked somewhere but I can't find it for the life of me.
I am currently setting up a server machine, and I want to make it so that only computers which are directly SSH'ing into the server and has an authorized key can get in. I've already gotten the keys to work, but I don't know how I should go about making sure that people can't multi-hop their way into the server machine. I want to know:
Is it even possible to disable multi-hopping by only changing settings on the server machine?
If it is, how do I go about doing it?
If not, what other options do I have to achieve what I'm trying to do?
I don't believe it's possible by only changing settings on the server.
If your server is called server and another machine on your network is called aux, then you need to disallow the following multi-hop methods, probably others as well:
ssh -t aux ssh server
ssh -o ProxyCommand='ssh aux /usr/bin/nc %h %p' server
ssh -N -L 2222:server:22 aux & ssh -p 2222 localhost
So you need to ensure that
ssh when run on any other machine on your network will refuse to connect to server, except when the user is logged in locally (not via ssh)
alternatively, ensure the sshd setting AllowAgentForwarding is set to no on all other machines on your network
the manpage notes that this "does
not improve security unless users are also denied shell access, as they can always install their own forwarders"
netcat and equivalents are not installed on any other machine on your network
the sshd setting AllowTcpForwarding is set to no on all other machines on your network
the manpage notes that this "does not improve
security unless users are also denied shell access, as they can always install their own forwarders"
This may be a bit much.
Perhaps you can keep the private keys embedded on hardware tokens that may not leave the building? This is beyond the limits of my experience, though.
You should get a better answer if you ask at ServerFault.com, and hopefully your question will be migrated there soon.
I purchased shared hosting from Vexxhost.I wanted to host my Rails application with them.I was given cpanel details.I generated SSH keys using the cPanel and converted it to .ppk format.Next, i downloaded the key.But when i try SSH login using Putty, i get the message Server Refused Our Key.Then i'm prompted for the password.When i enter password, message is displayed: Shell access is not available for your account.Contact support.I did contact support, but no reply.Am I doing any mistake in the procedure?
I haven't used cpanel to generate ssh keys, usually I do it at the ubuntu console. Is it possible that the ppk conversion has encoding issues? or it not done right?
Do you have access to a linux box? It would be simpler to test it there.
I have configured a server myself with ssh access, and if user does not have ssh access they are presented with user/pass. So it appears that your ssh credentials are denied, but your password is recognized as accurate. Authentication is happening.
About the issue of shell support. It could be that they enable shell support only if you connect with valid ssh credentials - in which case, you need to contact support.
Or, your account does not have ssh access, and you still need to contact support.
hope it helps