i am trying to configure my laptop with my old keys. However there is still one ssh key missing. During a ssh -v connection, I have the following key still available on my old machine but not the new one:
...
debug1: Offering public key: username#hostname
...
How do I export this key ?
Thanks !
One has to use the following top list all available keys:
ssh-add -L
given this output, it is easy to track the public/private key pair used.
Related
I tried to connect to ssh server in M1 macOS terminal like this
ssh -i {myKeyFilePath/myKeyFile.pem} user#host
but it returns
sign_and_send_pubkey: no mutual signature supported
user#host: Permission denied (publickey).
I didn't modify any ssh settings, and the file permissions of {myKeyFile.pem} is 400.
Also I can connect ssh server well by IntelliJ remote hosts,
but when I tried this in terminal, it goes wrong.
When I updated my Mac system, all the ssh server can't ssh with the private key, you can add the 3 lines below in the beginning of your /etc/.ssh/config.
But the best solution is create a new private key and upload the public key to each server one by one, because when you got this error, means your private key is deprecated to use.
# vim ~/.ssh/config, add the lines at the beginning
Host *
PubkeyAcceptedKeyTypes=+ssh-rsa
HostKeyAlgorithms=+ssh-rsa
Most likely your SSH client is using ssh-rsa (RSA+SHA1) and your server has that signature algorithm disabled. SHA-1 is vulnerable and OpenSSH disabled that signature algorithm in version 8.8 (2021-09-26).
The replacement for ssh-rsa is rsa-sha2-256 and rsa-sha2-512.
Try this command:
ssh -o PubkeyAcceptedKeyTypes=rsa-sha2-256 -i {myKeyFilePath/myKeyFile.pem} user#host
If that command fails with an error regarding an unsupported key exchange, then your SSH client is probably ancient.
Use one of the following solutions:
update the SSH client (usually a good idea)
use a different SSH Key Type such as Ed25519 (recommended)
enable rsa-sha in the SSH server (not recommended)
Edit:
If that works, you can permanently add it to your ~/.ssh/config file, and eliminate it from the command line use. However, there is a valid security reason that rsa-sha1 was disabled. Only do this as a last resort because SHA1 has been broken. Do not enable rsa-sha1 if your servers are audited for security or exposed to the public Internet.
Host *
PubkeyAcceptedKeyTypes +ssh-rsa
Replace * with a specific host or IP address to limit the use of this configuration.
I spent a few hours until I came to this question and answers. Here is a quick try to ssh into the server and then deal with the stuff later:
ssh -o PubkeyAcceptedKeyTypes=ssh-rsa -i {yourfile} user#host
This combines the previous answers by shoaly and John Hanley which contain more details and suggestions worth to follow to.
After the Mac system is upgraded to Ventura 13.1, I encounter the problem that SSH is configured with passwordless login, but the password is still required, my solution is to upgrade and encrypt the server's key to ed25519:
// 1. server: check HostKey in /etc/ssh/sshd_config
...
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
// 2. client: ssh-keygen -t ed25519
ssh-keygen -t ed25519
// 3. client: vim ~/.ssh/ssh_config
Host *
IdentityFile ~/.ssh/id_ed25519
// 4. client: ssh-copy-id
ssh-copy-id -i ~/.ssh/id_ed25519.pub
// 5. test ssh using identity file
ssh -v username#hostname
more about see man sshd_config, search keywords HostKey and HostKeyAlgorithms
HostKey
Specifies a file containing a private host key used by SSH. The defaults are /etc/ssh/ssh_host_ecdsa_key,
/etc/ssh/ssh_host_ed25519_key and /etc/ssh/ssh_host_rsa_key.
Note that sshd(8) will refuse to use a file if it is group/world-accessible and that the HostKeyAlgorithms
option restricts which of the keys are actually used by sshd(8).
HostKeyAlgorithms
Specifies the host key signature algorithms that the server offers.
How is it possible that I am still able to connect to the server although I've generated new rsa keys? Even after deleting them, I am still getting access to the server.
The client I am connecting from is Debian 10.
In the log I see the following:
Will attempt key: home/user_name/.ssh/id_rsa
And I also see:
Will attempt key: user_name#user_notebook
And that's where it's still getting the key from, even if I delete ~/.ssh/id_rsa and ~/.ssh/id_rsa.pub.
How can I ensure that the only source for the rsa key is ~/.ssh/id_rsa?
ssh -i /path/to/id_rsa user#server.domain.com
Also you can edit you config file as such
Host server.domain.com
IdentityFile ~/.ssh/id_dsa
The key was probably cached by the ssh-agent. You'll have to clear it there after having deleted the id files.
See How to stop SSH working with removed private key for details.
I'm trying to make a GitClone from a Gitlab repository. I have generated a ssh key with the command ssh-keygen on my cmd:
Then i added my pub key (starting with ssh_rsa) to my Gitlab account, but whenever i try to make a gitclone, i have the following error:
Any advices? I tried to convert my key with puttygen, but still doesn't work!
The start of my pub key is ssh-rsa key..
And the private key: --BEGIN OPENSSH PRIVATE KEY--
..key..
--END OPENSSH PRIVATE KEY--
Output of ssh -v git#gitlab.(..).com
OK. i Solved the problem. Since i was using TortoiseGit to make a GitClone, this last one doesn't accepts Openssh key. Therefore, once you generate the key, you need to convert it in putty format with Puttygen. Moreover, you must pay attention to the version of the new generated key and you can change the version on puttygen on key>parameters to save key!
What I want to do is to copy key to another host.
ssh-copy-id -i ~/.ssh/id_rsa user#host
I get error:
/usr/bin/ssh-copy-id: ERROR: failed to open ID file '[homedir].ssh/id_rsa.pub':
So there is no public key. So where is it? I tried to use command
sudo find / -name id_rsa.pub
but it only found one which I generated experimentally in my test directory. I tried sending the experimental from the test directory, but then it keeps infinitely asking paraphrase and does not send when I keep pasting.
So there is something wrong.
I could regenerate using
ssh-keygen -t rsa
but then it tries to use ~./.ssh directory
and wants to overwrite private id_rsa key. I am afraid this might brake something.
So how do I get my public key file?
Just in case someone else comes here looking for an answer to the OP's question... and to directly answer that question (namely, how can you re-generate the .pub key in a situation where it is missing, and you only have the private key)...
Here is the answer:
Regenerating a .pub key from the private key
ssh-keygen -y -f ~/.ssh/id_rsa > ~/.ssh/id_rsa.pub
The -y option is the command instructing ssh-keygen to output your public key.
This will re-generate the .pub part of the pair. Just as the OP pointed out, if you simply generate a new pair, and replace the old private key, you will lose access to whatever servers you have already provided your public key to. Sure, you can go through the process of providing a new public key to those servers, but why go through that hassle if it can be easily avoided?
RSA keys work on pairs. You can generate ssh private and public keys any number of times..it does not break anything. It simply replaces the old one with a newly generated keys. This only requires you to copy the newly generated public key id_rsa.pub to your remote machine's ~/.ssh/authorized_keys file in order for you to access secure shell using rsa keys.
So generate new rsa keys on your home's .ssh directory (your old keys are replaced by new ones) and copy to the remote host's .ssh directory
cd /home/<your_username>/.ssh
ssh-keygen -t rsa
scp ~/.ssh/id_rsa.pub remote_username#host:~/.ssh/authorized_keys
then
ssh remote_username#host
Keep passphrase empty while generating your new keys unless you want to enter passphrase every time you try to make a ssh connection.
NOTE: you need to append your public key to authorized_keys file in remote host's ~/.ssh directory if it already exists holding other client's public keys.
here is the situation: i have one machine which lives at my house (lets call it house_machine) and i have another machine at my office (call this one office_machine). im using ssh with dsa key authentication and without password authentication to access home_machine from office_machine. i have set up an ssh server on home_machine and added the public key generated on office_machine to the authorized_keys file on home_machine. this works fine - i can ssh in to home_machine from office_machine just using the key and no password.
now the question: i would like to be able to access home_machine when i visit other offices simply by using the public key belonging to office_machine. ie i would like to put the public key (id_dsa.pub) on a usb drive and just copy it to the .ssh directory at another office. from what i have read on this site, others seem to have been able to do this type of thing, however it isnt working. when i try simply placing id_dsa.pub on a new machine and doing ssh -v user#home_machine the debug message ends with:
debug1: Offering public key: .ssh/id_dsa
debug1: Server accepts key: pkalg ssh-dss blen 433
debug1: read PEM private key done: type DSA
debug1: Authentications that can continue: publickey
debug1: No more authentication methods to try.
Permission denied (publickey).
my temporary solution has been to set "PasswordAuthentication yes" in sshd_config on home_machine, and just use a password to get to home_machine. however this voids the point of using key-authorisation.
thanks in advance!
You need to copy more than just the public key - you need the private key.
In ssh, you place the public on the server side but the client side needs to have the private key.
You want to copy over the id_dsa file (not id_dsa.pub) to your USB key (make sure it's protected with a passphrase, in case it gets lost!).
You can then use that key to login to home_machine from any machine that has access to the key:
ssh -i /path/to/id_dsa user#home_machine
(it looks like you might already have a different private key on office_machine, judging by what you pasted - You might look into using ssh-agent)
Also, check /var/log/secure to see why your sshd might be rejecting key authentication (it's often an issue of permissions on the .ssh directory and its ancestors).