I want to make an aws lambda function which connects to a server via ssh and private key authentication.
I am using the simple-ssh node module which uses the ssh2 module as base. I tried using OpenSSH and RSA format for generating a key pair but none of them worked.
The error message which is shown is always
Error: Cannot parse privateKey: Unsupported key format
Does anyone know the valid parameters for a ssh-keygen command which is compatible to the ssh2 node module?
Thanks in advance :)
Okay I have found the issue I had. I was saving the private key inside of an environment variable. The problem was that there were no line breaks and it seems like the parser needed this line breaks to understand the key. When I saved the key into a file and read it with require('fs').readFileSync it worked.
The command I needed to get the key was the following:
ssh-keygen -m PEM -t rsa -b 2048
I was trying to install gitlab on my linux server following this guide and got stucked in the second setp that says
curl: (60) SSL certificate problem: self signed certificate
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
any idea on how can I solve this?
ANSWER be sure to have http_proxy and https_proxy variables correctly set.
---- UPDATE ----
After setting the variables I got the following answer from curl
Detected operating system as Ubuntu/trusty.
Checking for curl...
Detected curl...
Running apt-get update... done.
Installing apt-transport-https... done.
Installing /etc/apt/sources.list.d/gitlab_gitlab-ce.list...curl: (60) SSL certificate problem: self signed certificate
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
Unable to run:
curl https://packages.gitlab.com/install/repositories/gitlab/gitlab-ce/config_file.list?os=Ubuntu&dist=trusty&source=script
Double check your curl installation and try again.
Tell curl to ignore SSL warnings with -k/--insecure. Documented in man curl.
Edit: also check your proxy settings, as the host you're trying to curl to does, in fact, have a valid SSL certificate. See the --proxy option of curl.
I have a nodejs app on openshift, and we use the rhc port-forward command to connect to our database when we develop locally.
We have implemented passport to authenticate users through google and through facebook. I have authenticated my self, and we could still use the rhc commands. My partner has recently authenticated himself through facebook, and shortly after that (~1 week), we got this error thrown our way. Dont know if that is entirely relevant, but it couldn't hurt to include.
Connection to openshift.redhat.com failed: A secure connection could not be established to the server
(SSL_connect returned=1 errno=0 state=SSLv3 read server hello A: sslv3 alert handshake failure). You may
disable secure connections to your server with the -k (or --insecure) option
'https://openshift.redhat.com/broker/rest/api'.
If your server is using a self-signed certificate, you may disable certificate checks with the -k (or
--insecure) option. Using this option means that your data is potentially visible to third parties.
Any ideas on how to resolve this? I have seen this error on other stack questions, but every question I saw, the people posing the question were using ruby.
This is likely a result of the POODLE SSLv3 debacle. You can fix it by updating the httpclient ruby gem. At the command line type:
sudo gem update httpclient
Or you can also fix it by adding the following to your .openshift/express.conf file:
ssl_version=tlsv1
Both of these fixes essentially tell your app to use TLSv1 instead of SSLv3.
The rhc gem has been updated, please run gem update rhc and you will get the newest fixed version.
I had the same issue on Windows with ruby 1.9.3 and httpclient 2.3.4.1
gem update httpclient updated the same to 2.5.3.3 and thus fixed the issue.
I am trying to use
sudo npm install
to install all my dependencies for an application written in nodejs. My OS is Ubuntu 13.04
However, I keep getting this warning:
The authenticity of host 'github.com (192.30.252.131)' can't be established.
RSA key fingerprint is 16:27:ac:a5:76:28:1d:52:13:1a:21:2d:bz:1d:66:a8.
Are you sure you want to continue connecting (yes/no)?
Has anyone encountered this warning before? Is it possible to authenticate and store the fingerprint locally? So I won't need to authenticate again when I enter sudo npm install another time.
Right now, I am unable to enter anything, not even "yes". My terminal just gets stuck, i have to press Ctrl+C to terminate.
Danger ahead, unless you actually don't care about secure communication with github on your local account
Ssh rightly complains that they can't make sure you are indeed connecting to github's server through a secure channel. That might be why github is recommending https access, which works out-of-the-box thanks to its public key infrastructure.
Now, you can have it work, but be aware that it involves caching a public key fingerprint which, if done incorrectly, provides an attacker permanent man-in-the-middle attack.
How to proceed safely?
Option 1 is use https url instead of ssh.
Option 2 is have ssh access work.
Okay, show me option 2
Do ssh -T git#github.com but don't just type "yes".
Check if the hash that is shown matches one of the hashed shown in https://help.github.com/articles/what-are-github-s-ssh-key-fingerprints/ (in your question it does, and see, the page is fetched through https for the same public key infrastructure reasons).
If the hash matches, then connection is indeed safe you can answer "yes" to ssh's question.
Okay, I checked and typed yes, how do I know it works?
Ssh will show something like:
Warning: Permanently added the RSA host key for IP address
'192.30.252.128' to the list of known hosts.
After that, you will either see a message like
Permission denied (publickey).
which is good but shows that you need further configuration, or simply
Hi yourlogin! You've successfully authenticated, but GitHub does not
provide shell access.
which means that all works well and you can retry your first operation.
Notice that if you retry the same ssh command, it should no longer ask the question.
Run ssh -o StrictHostKeyChecking=no git#github.com in command prompt to add the authenticity to your known_hosts. Then you won't get the prompt the next time.
I solved my problem by running
ssh-keyscan github.com >> ~/.ssh/known_hosts
in command prompt. This command will add authenticity to your known_hosts.
You sure you're not accidentally logged in as a different user (this happens to me when I sudo -s / login as root and forget my GitHub account isn't linked to that user).
I landed here because I was getting this error and not understanding why. It turns out I had a typo in my npm command:
npm install -P -E #angular/common #angular/compiler #angular/core #angular/forms
#angular/platform-browser #angular/router #angular/animations# angular/platform-browser-dynamic
Notice how the end of the line reads #angular/animations# angular/platform-browser-dynamic.
NPM interprets the last "package" as being a github repo and that is where the error comes from.
I know this does not actually answer the question but I put it up just in case anyone else encounters this by making a similar mistake.
If you have this type problem
The authenticity of host 'github.com (192.30.252.131)' can't be established.
RSA key fingerprint is 16:27:ac:a5:76:28:1d:52:13:1a:21:2d:bz:1d:66:a8.
Are you sure you want to continue connecting (yes/no)?
don't worry, follow these steps:
Step 1: yes [press enter]
then you'll get:
Please type 'yes', 'no' or the fingerprint:
Step 2: copy fingerprint and paste here [press enter ]
Stéphane Gourichon's 2016 answer mentions:
Do ssh -T git#github.com but don't just type "yes".
Check if the hash that is shown matches one of the hashed shown in "GitHub's SSH key fingerprints".
(in your question it does, and see, the page is fetched through https for the same public key infrastructure reasons).
Another way to check, this time programmatically, if the GitHub host keys match, is to use the GitHub API (Jan. 2022):
GitHub’s SSH host keys are now published in the API
The GitHub metadata endpoint (api.github.com/meta) now contains our SSH host keys.
(We'll continue offering host key fingerprints as well.)
{
// new entry
"ssh_keys": [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl",
"ecdsa-sha2-nistp256 >AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEmKSENjQEezOmxkZMy7opKgwFB9nkt5YRrYMjNuG5N87uRgg6CLrbo5wAdT/y6v0mKV0U2w0WZ2YB/++Tpockg=",
"ssh-rsa >AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ=="
],
// existing entry
"ssh_key_fingerprints": [
"SHA256_RSA": "nThbg6kXUpJWGl7E1IGOCspRomTxdCARLviKw6E5SY8",
"SHA256_ECDSA": "p2QAMXNIC1TJYWeIOttrVc98/R1BUFWu3/LiyKgUfQM",
"SHA256_ED25519": "+DiY3wvvV6TuJJhbpZisF/zLDA0zPMSvHdkr4UvCOqU"
],
// ... rest of payload
}
These keys are in the OpenSSH known_hosts format for easy inclusion into existing known_hosts files.
This will make it easier to preconfigure systems which expect to connect via SSH.
For example, you can prime your CI runners with these keys before starting to fetch from GitHub.
The keys returned from the API include both SSH host keys that we're actively using, plus any that we're advertising via host key rotation for future use.
Currently, we're not offering any keys via rotation that aren't actively in use, but if we announce new host keys in the future, you can find them here as well during the rotation period.
See the meta API endpoint to learn more.
Github just made changes to their ip address infrastructure. You can read here for more details https://github.com/blog/1606-ip-address-changes . Also, I have never seen a problem like this before. Is you package.json containing a git depency cloned via ssh?
Try echo 'yes' | sudo npm install. This may solve your problem. If it does not, try cloning via HTTPS instead or download the module as a tarball instead, which can be done like this https://api.github.com/repos/username/reponame/tarball
I was using npm ci but the package-lock.json file had a lot of git+ssh:// URLs which triggered this error message.
Bashed on the accepted answer here, I used a little sed script to replace all the ssh:// URLs with https:// URLs:
sed -i 's|git+ssh://git#github.com|https://github.com|' ./package-lock.json
I hope that may help some people in a similar situation.
This is a quick workaround. A more permanent solution would be to fix the URLs in the package.json file, in order to build an improved package-lock.json file.
Just in case you stumble upon that in IntelliJ IDEA (or any other IntelliJ product), go to Version Control > GitHub and uncheck [✓] Clone git repositories using ssh.
Run ssh github.com and type yes and it should fail. Then run your command again. If not try ssh github.com again as they have multiple IP's and you might need all of them.
I'm connecting to a server whos cert is signed by my own CA, the ca's cert had installed into system's keychain.
connecting with openssl s_client -connect some.where says Verify return code: 0 (ok)
but i cant connect with nodejs's tls/https module, which fails with
Error: SELF_SIGNED_CERT_IN_CHAIN
but connecting to a normal server (i.e google.com:443) works fine.
seems that nodejs's openssl is not sharing same keychain with system's openssl.
but I cannt find where is it. i tried overide with SSL_CERT_DIR but not seemed working.
BTW: i can bypass the server verifying by setting NODE_TLS_REJECT_UNAUTHORIZED=0 , but that's not pretty enough ;)
Im using OSX 10.8.3 with OpenSSL 0.9.8r, node v0.9.8
The default root certificates are static and compiled into the node binary.
https://github.com/nodejs/node/blob/v4.2.0/src/node_root_certs.h
You can make node use the system's OpenSSL certificates. This is done by starting node via:
node --use-openssl-ca
See the docs for further information.
See this answer on how system certificates are extended for Debian and Ubuntu
If you're using the tls module (and it seems like you are) with tls.connect you can pass a ca param in the options that is an array of strings or buffers of certificates you want to trust.