I am trying to use ssh private keys stored in Hashicorp Vault to ssh to some servers in Jenkins Pipeline. I have the following code
stage('Syncing Scripts') {
steps {
script {
withVault([configuration: vaultConfiguration, vaultSecrets: vaultSecrets]) {
remoteCommands.copyLocalDirToServer(credentials, "server_files/*", "${username}#${host}", "~/server_path")
}
}
}
}
Library code for remoteCommands
void copyLocalDirToServer(String credentials, String localDir, String server, String remoteDir, int timeoutSec=10) {
sshagent(credentials : [credentials]) {
checkConnectivity(credentials, server, timeoutSec)
sh "scp -r ${localDir} ${server}:${remoteDir} "
}
}
username, host are two environemnt variable bound via Vault. credentials currently refers to an ssh key stored in Jenkins credentials. The Pipeline is working.
Vault is supposed to be the single source of truth. The ssh keys are stored in Vault and I am able to get them. But the problem is that I get a string from Vault in an environment variable. I am not sure how to pass that to the ssh command. Creating a file to pass to the ssh command puts the ssh keys in plain text on Jenkins which is not recommended.
To avoid this I had to duplicate the ssh keys in Jenkins credentials. I would like to avoid this duplication.
What is a possible solution to pass a secret ssh key fetched from a secret provider (like Vault) to ssh command running in Jenkins Pipeline that does not compromise on security best practices?
Related
I want to secure an azure virtual machine. Currently, I have a login and a password that I use to connect in SSH with Putty.
My idea is to create an RSA certificate in an Azure Key Vault (I managed to do that just fine) and use it to connect to my virtual machine through Bastion. I have no problem using the certificate instead of a password:
However, I first need to configure the machine to use this certificate instead of the currently defined password. I figured it must happen in the reset password tab, but I cannot find what to put inside SSH public key:
I cannot find a way to retrieve the public key from the azure portal, I can download the certificate under the CER or the PFX format, but I tried to get the public key from those files using OpenSSL, but no matter what I do it is invalid.
How can I get a public key that follows the format "ssh-rsa AAAA... username#domainname" that azure requires from a certificate generated in an Azure Key Vault or a from a .pfx or .cer file?
I tried to reproduce the same in my environment and got the results like below:
To reset SSH public key check the below workarounds:
Try to login to your terminal or cloud bash like below:
ssh username#host
sudo -i
By default, ssh-keygen will generate an RSA key purse with one public and private key
ssh-keygen -t rsa -b 2048
y
ssh-keygen will generate public/private RSA key pair -> Next click Enter if you do not specify any dir it will generate under /root/ .ssh/id_rsa I tried with default one click enter -> overwrite y -> Enter passphrase click Enter -> Enter like below:
The public key will be saved in /root/.ssh/id_rsa.pub. SSH key command generated both public/private under the home directory of user root
cd /root/.ssh/
ls
Now, Try to add the public key to the target server
id_rsa - private key
id_rsa.pub - public key
Use the public key and paste in vm and update like below:
When I try to login my SSH it got login with public key without getting the password-authentication successfully like below:
Now, I tried to connect virtual machine through Bastion it's connected successfully like below:
I have multiple VM created and managed by terraform using azurerm_windows_virtual_machine, i don't find a way to associate ssh key or shh username and password to these VM and only i find this block
admin_ssh_key {
username = "azureroot"
public_key = file("~/.ssh/id_rsa.pub")}
}
that could be associated to a azurerm_linux_virtual_machine, but i use windows VM and not Linux VM
I resolved the problem by using username and password vm admin as a user of ssh key ;)
I am trying to create SFTP lined service (Using keys) in azure data factory.
Soruce (SFTP) team has shared public key.
But in ADF, it is asking for private key content and pass phrase.
Please help me if this is somthing source team has to share the pass phrase and private key content or do I need to generate these keys using public key shared by source.
Regards,
Srinivas.
Convert your public key file into base64 string (On MAC: run in terminal base64 -i youkey.pub) then you can use that value for privateKeyContent
In adf connector authenticationType change to SshPublicKey.
passPhrase - is required only if you key is protected with password.
Also i would suggest you to store those sensitive data in keyvault
I need a help, I was setting up a keyboard-interactive, close the server session, and now I can not enter? I have my key (.pem) to enter, but now it asks for a password and the server does not have a password, I use the key to enter
What I have done when I had the same problem (aws says it's key pair, but in fact you just have private key when you generate a 'key pair' in aws console):
download the private ssh key *.pem on your computer
generate the pubkey : ssh-keygen -y -f aws.pem > aws.pub (replace aws by the name of your key)
import the public key (*.pub) in ec2 key pairs
create a new instance and associate key pair (depends how you create instance, I can tell you for terraform)
now you can ssh to your ec2 instance ssh -i aws.pem user#host
Note
I think the first step is not required, you can just generate key pair on your PC with ssh-keygen, then import the public key in ec2 without the need of generating any keys from aws
Is it possible to connect to a server using a public key? The server holds the private key in authorized_keys, and the client can connect with:
ssh -i id_rsa.pub server
It is the exact opposite as the usual way with public/private keys: the client keeps the public key, and the server holds the private key.
Now the reason: For machines being deployed to customers, I want to setup a remote connection to rescue the machines in case of problems.
the machine initiates a reverse SSH connection to the rescue server: connect using the public key (the same on all the machines: ssh -i id_rsa.pub -NR 64000:localhost:22 rescue#server)
the machine opens a channel, but cannot execute commands (prompt /bin/false)
on the server, do a SSH to the machine through the open channel and authenticate with the private key (the usual way: ssh -i id_rsa -p 64000 localhost).
You can't use keys to authenticate in opposite order of private/public, because of the way how asymmetric cryptography works.
The alternative solution for you can be to use openssh certificates as described in manual pages and many how-to's.