Is it possible to create a UNIQUE key that can be used by all users to ssh to a server? I need to avoid creating a new key for each user and copying it to the server.
In more depth: I would create a key pair in a specific <key_path>, then copy the public key to the server and then let all the users ssh to the server just like this:
ssh -i <key_path> server-user@the-server
I tried to create a keypair with a specific user (call it userA) with no passphrase:
ssh-keygen -t rsa -f <key_path>
But when I try to use userA's key with a different user (call it userB), I'm asked to enter the passphrase, even though there is no passphrase, and if I just press Enter at the passphrase prompt, I'm asked for the server-user password:
ssh -i <key_path> server-user@the-server
Enter passphrase for key <key_name>:
server-user@the-server's password:
I know I could generate a key for userA and another key for userB, but in my case I need to use the same key for different users.
I want to secure an azure virtual machine. Currently, I have a login and a password that I use to connect in SSH with Putty.
My idea is to create an RSA certificate in an Azure Key Vault (I managed to do that just fine) and use it to connect to my virtual machine through Bastion. I have no problem using the certificate instead of a password:
However, I first need to configure the machine to use this certificate instead of the currently defined password. I figured it must happen in the reset password tab, but I cannot find what to put inside SSH public key:
I cannot find a way to retrieve the public key from the Azure portal. I can download the certificate in CER or PFX format, and I tried to get the public key from those files using OpenSSL, but no matter what I do it is invalid.
How can I get a public key that follows the format "ssh-rsa AAAA... username@domainname" that Azure requires from a certificate generated in an Azure Key Vault or from a .pfx or .cer file?
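The "ssh-rsa AAAA... comment" line the question asks for is a base64 blob of three length-prefixed fields (the string "ssh-rsa", then the RSA exponent e and modulus n as mpints) followed by a free-form comment. As an added example, not code from the question or its answer, the Python below builds that line from the (n, e) integers of an RSA public key (OpenSSL can print those from a .cer or .pfx) and parses one back, rejecting blobs whose type disagrees with the prefix or whose modulus is shorter than 2048 bits; the numbers used with it are constructed, not a real key.

```python
import base64

# Added example, not code from the question or its answer: build and check the
# OpenSSH public-key line ("ssh-rsa AAAA... comment") that the Azure portal
# expects, starting from the RSA public-key integers n and e. All sample
# values used with these functions are constructed, not from a real key.

def _ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': 4-byte big-endian length, then the bytes."""
    return len(data).to_bytes(4, "big") + data

def _ssh_mpint(value: int) -> bytes:
    """RFC 4251 'mpint': minimal big-endian two's complement; a value whose
    top bit is set gets one leading zero byte so it stays positive."""
    if value == 0:
        return _ssh_string(b"")
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return _ssh_string(raw)

def rsa_to_openssh(n: int, e: int, comment: str) -> str:
    """Encode (n, e) as an OpenSSH public-key line (RFC 4253 'ssh-rsa' blob)."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode("ascii") + " " + comment

def parse_openssh_rsa(line: str, min_bits: int = 2048) -> dict:
    """Decode one public-key line and apply the checks worth making before
    pasting it into a portal or authorized_keys: the prefix and the blob
    agree on the key type, every field is intact, the modulus is long enough."""
    fields = line.strip().split(None, 2)
    if len(fields) < 2 or fields[0] != "ssh-rsa":
        raise ValueError("expected a line starting with 'ssh-rsa'")
    blob = base64.b64decode(fields[1], validate=True)
    parts, offset = [], 0
    while offset < len(blob):
        length = int.from_bytes(blob[offset:offset + 4], "big")
        if offset + 4 + length > len(blob):
            raise ValueError("truncated field in key blob")
        parts.append(blob[offset + 4:offset + 4 + length])
        offset += 4 + length
    if len(parts) != 3 or parts[0] != b"ssh-rsa":
        raise ValueError("blob does not contain exactly one ssh-rsa key")
    e = int.from_bytes(parts[1], "big")
    n = int.from_bytes(parts[2], "big")
    if n.bit_length() < min_bits:
        raise ValueError(f"RSA modulus is only {n.bit_length()} bits")
    return {"n": n, "e": e, "comment": fields[2] if len(fields) > 2 else ""}
```

Every ssh-rsa key with the usual exponent 65537 therefore starts with "AAAAB3NzaC1yc2EAAAADAQAB", which is a quick visual check that a pasted key is at least the right kind of object.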
I tried to reproduce the same in my environment and got the results like below:
To reset the SSH public key, check the workarounds below:
Try to login to your terminal or cloud bash like below:
ssh username@host
sudo -i
By default, ssh-keygen will generate an RSA key pair with one public and one private key:
ssh-keygen -t rsa -b 2048
y
ssh-keygen will generate a public/private RSA key pair -> Next, press Enter; if you do not specify any directory it will generate the key under /root/.ssh/id_rsa. I tried with the default one: press Enter -> overwrite y -> Enter passphrase: press Enter -> Enter, like below:
The public key will be saved in /root/.ssh/id_rsa.pub. The ssh-keygen command generated both the public and the private key under the home directory of user root.
cd /root/.ssh/
ls
Now, try to add the public key to the target server:
id_rsa - private key
id_rsa.pub - public key
Use the public key, paste it into the VM and update, like below:
When I try to log in over SSH, it logs in with the public key successfully, without password authentication, like below:
Now, I tried to connect to the virtual machine through Bastion and it connected successfully, like below:
I am trying to use ssh private keys stored in Hashicorp Vault to ssh to some servers in a Jenkins Pipeline. I have the following code:
stage('Syncing Scripts') {
    steps {
        script {
            withVault([configuration: vaultConfiguration, vaultSecrets: vaultSecrets]) {
                remoteCommands.copyLocalDirToServer(credentials, "server_files/*", "${username}@${host}", "~/server_path")
            }
        }
    }
}
Library code for remoteCommands:
void copyLocalDirToServer(String credentials, String localDir, String server, String remoteDir, int timeoutSec=10) {
    sshagent(credentials : [credentials]) {
        checkConnectivity(credentials, server, timeoutSec)
        sh "scp -r ${localDir} ${server}:${remoteDir} "
    }
}
username and host are two environment variables bound via Vault. credentials currently refers to an ssh key stored in Jenkins credentials. The Pipeline is working.
Vault is supposed to be the single source of truth. The ssh keys are stored in Vault and I am able to get them. But the problem is that I get a string from Vault in an environment variable. I am not sure how to pass that to the ssh command. Creating a file to pass to the ssh command puts the ssh keys in plain text on Jenkins which is not recommended.
To avoid this I had to duplicate the ssh keys in Jenkins credentials. I would like to avoid this duplication.
What is a possible solution to pass a secret ssh key fetched from a secret provider (like Vault) to the ssh command running in a Jenkins Pipeline that does not compromise on security best practices?
I need help. I was setting up keyboard-interactive authentication, closed the server session, and now I cannot log in. I have my key (.pem) to log in, but now it asks for a password, and the server does not have a password; I use the key to log in.
What I have done when I had the same problem (AWS says it's a key pair, but in fact you just have the private key when you generate a 'key pair' in the AWS console):
download the private ssh key *.pem on your computer
generate the pubkey: ssh-keygen -y -f aws.pem > aws.pub (replace aws with the name of your key)
import the public key (*.pub) in ec2 key pairs
create a new instance and associate the key pair (depends on how you create the instance; I can tell you for terraform)
now you can ssh to your ec2 instance: ssh -i aws.pem user@host
Note
I think the first step is not required: you can just generate the key pair on your PC with ssh-keygen, then import the public key in ec2 without needing to generate any keys from AWS.
I have created an EFI file and signed it with pesign following these docs:
UEFI Secure Boot:
https://en.altlinux.org/UEFI_SecureBoot_mini-HOWTO
https://en.opensuse.org/openSUSE:UEFI_Secure_boot_using_qemu-kvm
https://en.opensuse.org/openSUSE:UEFI_Image_File_Sign_Tools
https://wiki.ubuntu.com/SecurityTeam/SecureBoot
http://tomsblog.gschwinds.net/2014/08/uefi-secure-boot-hands-on-experience/
And booted with:
sudo qemu-system-x86_64 -L . -pflash /usr/share/qemu/OVMF.fd -hda fat:uefi_disk
uefi_disk contains the signed EFI file.
But to secure boot I need to have:
DB
DBX
KEK
PK
so that I can enroll them in OVMF secure boot.
But the tutorials never explain how to generate these.
Please suggest.
In addition to generating keys for secure boot, one needs to take care of signing the keys.
The procedure for generating keys, signing them and storing them to the keystore is defined in detail here: https://www.rodsbooks.com/efi-bootloaders/secureboot.html
Security keys can be categorised in 2 ways, private and public, and secure boot follows a chain of root of trust for key addition: PK => KEK => DB. Any change in DB needs to be signed using the KEK private key, a change in KEK needs to be signed by the PK private key, and a change in PK requires the key to be signed by the private key belonging to the previous PK public key.
Generate the PK pair and sign the PK public key with its private key. PK is a self-signed key.
Generate the KEK pair and sign the KEK public key using the PK private key.
Generate the DB key pair and sign the DB public key using the KEK private key.
Generate the DBX key pair and sign the DBX key pair using the KEK private key.
Note: for replacing the previous PK from the BIOS, you will require an empty key signed by the platform owner. Most BIOSes allow changing keys without verifying, but ideally it should not be allowed. The whole purpose of secure boot is that things can be traced to a root of trust and verified.
Apart from generating a completely new set of keys, you can also use the Machine Owner Key (MOK) for registering a new key with secure boot.
Generate a key pair
sign your utility using the private key (using sbsign)
add the public key to the MOK list (using mokutil)
This is also described in the link mentioned above.
Is it possible to connect to a server using a public key? The server holds the private key in authorized_keys, and the client can connect with:
ssh -i id_rsa.pub server
It is the exact opposite of the usual way with public/private keys: the client keeps the public key, and the server holds the private key.
Now the reason: for machines being deployed to customers, I want to set up a remote connection to rescue the machines in case of problems.
the machine initiates a reverse SSH connection to the rescue server, connecting with the public key (the same on all the machines: ssh -i id_rsa.pub -NR 64000:localhost:22 rescue@server)
the machine opens a channel, but cannot execute commands (prompt /bin/false)
on the server, SSH to the machine through the open channel and authenticate with the private key (the usual way: ssh -i id_rsa -p 64000 localhost).
You can't use keys to authenticate in the opposite order of private/public, because of the way asymmetric cryptography works.
An alternative solution for you could be to use OpenSSH certificates, as described in the manual pages and many how-tos.