RSA key is not allowed - linux

I can't configure SSH key authentication on my new VDS server. After I've done ssh-copy-id I still get a password prompt for the user.
To debug, I added LogLevel DEBUG3 to /etc/ssh/sshd_config, restarted sshd with systemctl restart sshd, and saw this message in the log /var/log/secure:
RSA key is not allowed
Why does this happen and how do I fix it?

OpenSSH disabled the RSA scheme by default for security reasons.
Therefore, the best option is to create new local keys using a more secure algorithm:
ssh-keygen -t ed25519

Related

How to create Jenkins SSH key in Linux for use with Github?

At the moment, I'm trying to configure an SSH key to use for cloning Github repositories into a Jenkins pipeline. When I log in to my Linux server as the Jenkins user and attempt to create an SSH key pair, below is the output I get:
-bash-4.2$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/var/lib/jenkins/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Saving key "/var/lib/jenkins/.ssh/id_rsa" failed: Permission denied
Do I need to elevate my privileges in order to create these keys? Thanks.
Figured it out. When running the ssh-keygen command, it likes to create the .ssh directory on its own. I had created it ahead of time and that clearly created some sort of permissions issue.
So in the future: if you're ever creating these keys and getting a permissions error, allow the command to create the .ssh directory to avoid any issues. Thanks.

Password for GitLab

I've installed GitLab per https://github.com/gitlabhq/gitlab-recipes/tree/master/install/centos.
The instructions state to add user "git"
adduser --system --shell /sbin/nologin --comment 'GitLab' --create-home --home-dir /home/git/ git
All seemed to work. I then added a project on the GitLab server, and it gave instructions to push to it:
cd existing_git_repo
git remote add origin git@mysite.com:root/bidjunction.git
git push -u origin master
I then went to my client to push to the git server.
[Michael@devserver bidjunction]$ git push -u origin master
The authenticity of host 'mysite.com (123.456.789.01)' can't be established.
RSA key fingerprint is cd:32:3c:5a:4e:33:44:11:df:ee:3s:4b:3a:c2:a4:c2.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'mysite.com,123.456.789.01' (RSA) to the list of known hosts.
Address 123.456.789.01 maps to ve6.phpwebhosting.com, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
git@mysite.com's password:
Is there a password I should have set? Probably not, and the instructions don't address it.
Reading System ask password when push project to github, it appears it might be related to SSH.
GitLab provides the following instructions to add an SSH key. I followed them, and first added the key to my general user's home on the server. No change. Then I tried logging on as root, and added a key to git's home. Still none, but I am thinking that the client already has my general user's key, thus is not pulling the new git key.
EDIT. Please confirm that I should add these keys to the GitLab server, and not my Linux client.
Any and all help would be very much appreciated.
SSH Keys
SSH key allows you to establish a secure connection between your computer and GitLab
Before generating an SSH key, check if your system already has one by running cat ~/.ssh/id_rsa.pub. If you see a long string starting with ssh-rsa or ssh-dsa, you can skip the ssh-keygen step.
To generate a new SSH key just open your terminal and use code below. The ssh-keygen command prompts you for a location and filename to store the key pair and for a password. When prompted for the location and filename you can press enter to use the default. It is a best practice to use a password for an SSH key but it is not required and you can skip creating a password by pressing enter. Note that the password you choose here can't be altered or retrieved.
ssh-keygen -t rsa -C "$your_email"
Use the code below to show your public key.
cat ~/.ssh/id_rsa.pub
Copy-paste the key to the 'My SSH Keys' section under the 'SSH' tab in your user profile. Please copy the complete key starting with ssh- and ending with your username and host.
EDIT 2
Looks like I was confused, and used GitLab's server id_rsa.pub. Guess that doesn't make any sense! I've since corrected it, but now I get this error:
[Michael@devserver ~]$ ssh git@mysite.com
Address 123.456.789.01 maps to ve6.phpwebhosting.com, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
PTY allocation request failed on channel 0
This account is currently not available.
Connection to mysite.com closed.
[Michael@devserver ~]$
Seems like a SELinux permission issue. Steps to follow:
restorecon -R -v /home/git/.ssh
usermod -s /bin/bash git
Edit your home machine user's .ssh/config to something like:
Host mysite.com
User gitlab_username
Hostname mysite.com
PreferredAuthentications publickey
IdentityFile /home/user/.ssh/id_rsa
Try connecting to the gitlab server: ssh -T git@mysite.com. You should see a message welcoming you.
I added it to the installation guide. I have a merge request ready with several enhancements. I will merge it when gitlab 6.8 is released.
I believe you need to set up your global config username and email
$ git config --global user.name "John Doe"
$ git config --global user.email johndoe@example.com
Check if the git user has a no login shell as you specified. Changing that to bash as suggested fixed my problem (usermod -s /bin/bash git).

Not able to "git pull" - Host key verification failed

I've got root access to our production server and I want to deploy the latest version in git to the server but I'm running into the error below when I "git pull" on the folder I want to update.
I've browsed around a bit, but can't find a clear answer on what to do..
The staging server runs on the same machine, but just in a different folder and when I pull on that folder it all goes fine.
I'm not very experienced when it comes to Linux, so please help me out with a clear answer on how to fix :-)
Otherwise I have access to anything I need
p.s.
This has worked in the past, so I'm assuming it's got something to do with the SSH key
Error:
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: POSSIBLE DNS SPOOFING DETECTED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
The ECDSA host key for www.site.org has changed,
and the key for the corresponding IP address x.x.x.x
is unknown. This could either mean that
DNS SPOOFING is happening or the IP address for the host
and its host key have changed at the same time.
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ECDSA key sent by the remote host is
*************
Please contact your system administrator.
Add correct host key in /root/.ssh/known_hosts to get rid of this message.
Offending ECDSA key in /root/.ssh/known_hosts:1
remove with: ssh-keygen -f "/root/.ssh/known_hosts" -R gitlab.site.org
ECDSA host key for gitlab.site.org has changed and you have requested strict checking.
Host key verification failed.
In the log you see the following text:
(...)
Please contact your system administrator.
Add correct host key in /root/.ssh/known_hosts to get rid of this message.
Offending ECDSA key in /root/.ssh/known_hosts:1
remove with: ssh-keygen -f "/root/.ssh/known_hosts" -R gitlab.site.org
ECDSA host key for gitlab.site.org has changed and you have requested strict checking.
Host key verification failed.
So it is a matter of performing the command that is suggested there:
ssh-keygen -f "/root/.ssh/known_hosts" -R gitlab.site.org
Windows:
Go to /Users/Abhilash/.ssh/known_hosts and delete the contents in it and save.
Linux / Mac:
Go to ~/.ssh/
nano known_hosts
remove content inside and save ctrl+O
Note:
You will be prompted to save the key while pushing again.
I have also faced the same issue after following these steps it worked for me.
For macOS:
Step 1: Go to Folder or use command+shift+g
Step 2: type "~/.ssh/"
Step 3: Open "known_hosts" file and Remove all the content
Step 4: Now Open terminal and pull from another branch, It will ask for password give your system password.
It will work surely.
All of the other answers introduce security risks.
This error appears because you have a record in your known_hosts file which says that the server should have a particular ssh key. But when you try to connect, the server has sent a different ssh key which does not match the one in your known_hosts file. Your particular error message says:
Offending ECDSA key in /root/.ssh/known_hosts:1
This means that the first line in the known_hosts file is different to what the remote server is sending.
The secure way to fix the issue is as follows:
Find out what the correct key fingerprint should be from a trustworthy source. e.g. Here you can find the correct fingerprints for GitHub and GitLab. (If your organisation self-hosts GitLab, you will need to talk to your administrator to get the ssh key fingerprints.)
CHECK that the existing fingerprint in your known_hosts file is correct.
You can run ssh-keygen -lf ~/.ssh/known_hosts (or /root/.ssh/known_hosts in your case) to generate SHA256 fingerprints from your known_hosts file. Your error message says that the problem is with the first key. Find the equivalent SHA256 fingerprint on GitHub or GitLab and check if it matches exactly.
e.g. Here is the output of the above command:
256 SHA256:HbW3g8zUjNSksFbqTiUWPWg2Bq1x8xdGUrliXFzSnUw gitlab.com (ECDSA)
and here is the ECDSA SHA256 fingerprint from the GitLab website:
HbW3g8zUjNSksFbqTiUWPWg2Bq1x8xdGUrliXFzSnUw
If the existing fingerprint from known_hosts matches the official fingerprint from the GitHub or GitLab website, then ssh has detected a Man in the Middle (MitM) attack. STOP. Do not connect to the server. Try connecting from a different internet connection. Talk to your administrator.
If the existing fingerprint in known_hosts does not match the official fingerprint, then either you were under a MitM attack previously, or the server hosting GitLab has changed its ssh keys. You can delete the fingerprint from your known_hosts file. (Note: Only delete the specific fingerprint which is causing trouble.) Next time you connect to GitLab, you will be prompted to add the new fingerprint to the known_hosts file.
The authenticity of host 'gitlab.com (172.65.251.78)' can't be established.
ECDSA key fingerprint is SHA256:HbW3g8zUjNSksFbqTiUWPWg2Bq1x8xdGUrliXFzSnUw.
Are you sure you want to continue connecting (yes/no/[fingerprint])?
Double-check that the fingerprint matches what is shown on the GitHub or GitLab website, then type yes or no accordingly.
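The comparison this answer walks through, as an added Python example that is not part of the original answer: it computes the SHA256 fingerprint of a known_hosts entry in the form ssh-keygen -lf reports and applies the answer's match/mismatch decision. The host gitlab.example.org, the key material and all function names are constructed for illustration.

```python
import base64
import hashlib
import struct


def sha256_fingerprint(key_b64: str) -> str:
    """Unpadded base64 of SHA-256 over the raw key blob, prefixed with SHA256:."""
    blob = base64.b64decode(key_b64, validate=True)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def stored_fingerprints(known_hosts_text: str, host: str) -> dict:
    """Map 1-based line number -> fingerprint for plain-text entries naming host."""
    found = {}
    for lineno, line in enumerate(known_hosts_text.splitlines(), start=1):
        fields = line.split()
        if len(fields) < 3 or fields[0].startswith(("#", "@", "|")):
            continue  # comments, @markers and hashed hostnames (use ssh-keygen -F) are skipped
        if host in fields[0].split(","):
            found[lineno] = sha256_fingerprint(fields[2])
    return found


def triage(stored: str, official: str) -> str:
    """Decision from the answer above for the entry ssh reported as offending."""
    if stored == official:
        # The local record is right, so the key the server just presented is not.
        return "STOP: possible MitM, do not connect"
    # The local record is stale or was never right: drop only that entry.
    return "remove this entry only, then verify the new fingerprint on reconnect"


def constructed_key(seed: int) -> str:
    """Constructed ssh-ed25519 public key blob (not a real server key)."""
    name, raw = b"ssh-ed25519", bytes([seed]) * 32
    blob = struct.pack(">I", len(name)) + name + struct.pack(">I", len(raw)) + raw
    return base64.b64encode(blob).decode()


# Constructed known_hosts content; hosts and addresses are placeholders.
KNOWN_HOSTS = (
    "# constructed sample\n"
    f"gitlab.example.org,203.0.113.10 ssh-ed25519 {constructed_key(1)}\n"
    f"other.example.org ssh-ed25519 {constructed_key(2)}\n"
)

if __name__ == "__main__":
    official = sha256_fingerprint(constructed_key(1))  # stands in for the published value
    for lineno, fp in stored_fingerprints(KNOWN_HOSTS, "gitlab.example.org").items():
        print(lineno, fp, "->", triage(fp, official))
```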
Try replacing ssh with:
ssh -oStrictHostKeyChecking=no
since if the key hasn’t been accepted yet, then it will ask do you want to accept it yes/no. Alternatively, you can also do this in your CI file just before the SSH command:
echo "StrictHostKeyChecking no" >> ~/.ssh/config
courtesy:
https://forum.gitlab.com/t/error-host-key-verification-failed/77315/3
if you'd like to remove this message permanently you can edit your ssh config file (~/.ssh/config) to include:
Host {YOUR HOST HERE}
StrictHostKeyChecking no
UserKnownHostsFile /dev/null

how to interact with two beaglebone black connected to one computer

Even after changing one of the BBB's IP, when I tried to connect, its configuration reverts back to the default. Has somebody tried this? If so, let me know the exact steps for the solution.
problem:
root@silvan-DL-H61MXP:~# ssh root@192.168.7.2
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
7d:0c:75:6f:f0:15:2f:13:39:f9:94:ba:88:30:61:e9.
Please contact your system administrator.
Add correct host key in /root/.ssh/known_hosts to get rid of this message.
Offending RSA key in /root/.ssh/known_hosts:1
remove with: ssh-keygen -f "/root/.ssh/known_hosts" -R 192.168.7.2
RSA host key for 192.168.7.2 has changed and you have requested strict checking.
Host key verification failed.
The solution for connecting with ssh to such development systems, which often lose their configuration, is to disable host key checking and storage for them.
In your case this can be done by putting this into ~/.ssh/config:
Host 192.168.7.*
UserKnownHostsFile /dev/null
StrictHostKeyChecking no
However, be careful not to disable host key checking and storage for normal systems as this would open them up for man-in-the-middle attacks.
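A check for the caveat above, as an added Python example that is not part of the original answers: it scans ssh client configuration text for settings that disable host key checking or storage, and separates Host blocks limited to a private address range from ones that cover normal systems. The sample configuration, its host names and the function names are constructed for illustration.

```python
import ipaddress

# Settings that turn off host key verification or storage ("off" is a synonym of "no").
RISKY = {("stricthostkeychecking", "no"), ("stricthostkeychecking", "off"),
         ("userknownhostsfile", "/dev/null")}


def is_private_pattern(pattern: str) -> bool:
    """True only for four-octet IPv4 globs such as 192.168.7.* in a private range."""
    try:
        return ipaddress.ip_address(pattern.replace("*", "0")).is_private
    except ValueError:
        return False  # hostnames and a bare "*" count as normal systems


def audit(config_text: str) -> list:
    """Return (host_patterns, setting, scope) for every risky setting found."""
    findings, patterns = [], ["*"]  # options before any Host line apply to all hosts
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        if len(parts) != 2:
            continue
        keyword, value = parts[0].lower(), parts[1].strip().strip('"')
        if keyword == "host":
            patterns = value.split()
        elif keyword == "match":
            patterns = ["match:" + value]  # conservatively treated as normal systems
        elif (keyword, value.lower()) in RISKY:
            private = all(is_private_pattern(p) for p in patterns)
            scope = "private-range" if private else "normal-host"
            findings.append((" ".join(patterns), f"{keyword}={value}", scope))
    return findings


# Constructed sample combining the kinds of snippets quoted on this page.
SAMPLE = """\
Host 192.168.7.*
    UserKnownHostsFile /dev/null
    StrictHostKeyChecking no

Host gitlab.example.org
    StrictHostKeyChecking no
    UserKnownHostsFile /dev/null
"""

if __name__ == "__main__":
    for hosts, setting, scope in audit(SAMPLE):
        print(f"{scope:14} {hosts:20} {setting}")
```

A bare "StrictHostKeyChecking no" line appended to an empty config is reported with host pattern * and scope normal-host, because options placed before any Host line apply to every connection.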

SSH into an Openstack instance - Error

I am trying to use ssh to log in to the OpenStack server built for the class. I downloaded the .pem key from the server. With PuTTY, I log in successfully with a .ppk key (generated from the .pem using PuTTY keygen). But it doesn't work with ssh. Is there something I missed?
My command
ssh -l ubuntu -i ~/.ssh/xxx.pem xxx.edu -p 18922
Error msg
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
(xxx).
Please contact your system administrator.
Add correct host key in /Users/xxx/.ssh/known_hosts to get rid of this message.
Offending RSA key in /Users/xxx/.ssh/known_hosts:2
RSA host key for [xxx.edu]:18922 has changed and you have requested strict checking.
Host key verification failed.
Thanks for Anil Vishnoi's comment!
Remove
/Users/xxx/.ssh/known_hosts
and use my original command by passing pem key
ssh -l ubuntu -i ~/.ssh/xxx.pem xxx.edu -p 18922
I can ssh to Openstack server directly.
