I've encountered a problem of connecting to server via ssh.
I have a server A and B. From server A I run .sh script which parses log on server A, then connects to server B and do the same task. In console everything works fine, but not with web-interface.
I connect to server using cgi whith apache2. When I run script on server A, it parses log and returns relult, however it fails to connect server B.
Here is the log of httpd:
[Thu Nov 22 14:09:34 2018] [error] [client 10.1.68.243] Permission denied, please try again.\r, referer: http://cab-prod-comp-sd/cgi-bin/example-bash.sh?val_x=RDWH.&val_z=1
server A script:
-rwsrwxr-x 1 sas sas 2217 Nov 22 11:25 /sas/oljas_scripts/find_usage_of_tables.sh
server B script:
-rwxrwxr-x 1 sas sas 1202 Nov 19 09:16 find_usage_of_tables.sh
the part where I connect to server B:
SAS_RESULTS=$(ssh sas#sas-p1l-comp /sas/oljas_scripts/find_usage_of_tables.sh $table_name)
Appreciate any help.
Thank you!
EDIT:
Do I need to give a permission to user Apache? How to do this?
This is what I assume from your question:
system A runs httpd with user "apache".
system B has a user called "sas".
you want user "apache" to connect to system B, using "sas" user.
your connect code does not show any password or passphrase being used. You did not mention ssh agent either, so the ssh connection is done via ssh keys.
sshd on system B is configured to allow connections without passwords (i.e. use key authentication). From the comments above, see this: https://superuser.com/questions/543626/ssh-permission-denied-on-correct-password-authentication, John Siu's answer.
On system A, user "apache":
if it does not already have them, in ~/.ssh you should setup a private and a public ssh key (ssh-keygen, check on the web, well documented).
On system B, user "sas":
user "sas", in ~/.ssh, create (if required) a file called authorized_keys.
in this file, put the public key of the "apache" user from system A.
this will allow user "apache" on system A to connect to system B, with user "sas".
Couple traps to avoid, on system B
make sure the permissions on user "sas", ~/.ssh are 700.
permissions on user "sas", ~/.ssh/authorized_keys are 600.
permissions on user "sas", ~ are 700. Here I mean the home directory for "sas". Ex. ~ for "sas" is /home/sas, then if you ls -al /home you should see directory sas with 700.
To debug you can do ssh -v -v -v sas#sas-p1l-comp.
For your question about known_hosts, on system A, when it first connects to system B, if it does not find system B in the file, ssh will add it for you. BUT you have to do it at least once manually. The ssh client will want you to confirm the addition, and this can only be done on the command line. The web interface will not answer the client. So connect once manually, then you will be ok for the web as well.
Until that works, no point trying to setup httpd on system A. This must work at the command line first.
Thanks everyone!
Problem solved by running apache server from user SAS.
Related
Have a Linux server with OpenAFS and access to / files.
Access is read-only and like user privileges (ex. can read /etc/passwd, but can't read /etc/shadow).
It possible to run command? With /bin/bash for example?
And, on server have sshd service, but don't have rights to /root/.ssh/id_rsa
Any ideas?
I've setup Cygwin and want to ssh with domain user account on windows server 2012 R2. It works fine if I start the sshd service with "Local system account" but if I start the service with a cygserver local account or domain\cygserver then the service starts fine but when I try to ssh I see the message sshd: PID 1944: fatal: seteuid 1801: No such device or address.
ssh in verbose mode on the client shows the following:
debug1: Authentication succeeded (publickey).
Connection to 10.10.10.10 closed by remote host.
Connection to 10.10.10.10 closed.
debug1: Exit status -1
Some articles like https://blog.peterwurst.com/2016/09/15/ssh-server-on-windows-with-cygwin/ suggest to enable the following GPO with cygserver account in it. I tried them still the same error.
Act as part of the operating system
Create a token object
Log on as a service
Replace a process level token
I've verified .ssh and authorized_keys permission and the user home directory exists and also passwd file has the /bin/bash shell for the user.
Any suggestion on how to resolve this issue?
I had this issue, and the solution was to start the CYGWIN ntsec servicem, before starting the CYGWIN OpenSSH service.
Verify the subject user and SSHD account are not locked / disabled.
Confirm that password login works. PKI and password login take different paths to create a process token.
I also had this issue in the log
seteuid XXXXXXXX: No such device or address
and this made the trick
passwd -R
I have server A and Server B.
Iam able to ssh from server A to server B as 'root' user password less successfully. I have another non-root normal user in server B, My requirement is to ssh from server A to Server B using that non-root normal user.
Here is what I did;
1) Copied the public key from Server A to Server B's non-root normal user authorized_keys files kept in .ssh directory of non-root normal user.
2)On Server B, given the permissions 700 to .ssh directory and given 600 permissions to authorized_keys file.
It is still asking for password, it is not working as expected(passwordless).
Please help.
FYI, root user login from Server A to Server B is working perfectly passwordless and I followed the above steps only. Surprised to see it is not working for a normal user.
Iam able to fix this issue using the below command;
restorecon -R -v /home/
Iam now able to do keybased authentication for non-root user successfully
On server B for other user, .ssh directory permission would be 755 and 644 for authorized_keys . This should work
Use below commands as root user-
ssh-keygen [Leave everything default and enter]
ssh-copy-id server_ip
Then it will ask for remote server password and then you can login to remote server using-
ssh server_ip
I'm unable to ssh into my EC2 instance, seems to be an issue with the permission level of the ssh .pem file I'm passing to ssh, googling around this seems to be a problem many others have faced but their solutions didn't work for me.
Here is what I tried, someone please help...
Atempt 1:
asemani$ ssh -i ~/.ssh/secure.pem root#54.210.0.1
********************************************************************************
This is a private computer system containing information that is proprietary
and confidential to the owner of the system. Only individuals or entities
authorized by the owner of the system are allowed to access or use the system.
Any unauthorized access or use of the system or information is strictly
prohibited.
All violators will be prosecuted to the fullest extent permitted by law.
********************************************************************************
###########################################################
# WARNING: UNPROTECTED PRIVATE KEY FILE! #
###########################################################
Permissions 0777 for '.ssh/secure.pem' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Load key ".ssh/secure.pem": bad permissions
Permission denied (publickey).
Attempt 2:
asemani$ chmod 600 ~/.ssh/secure.pem
asemani$ ls -l ~/.ssh/
total 56
-rw-r--r-- 1 asemani CORP\Domain Users 782 Apr 29 11:14 config
-rw-------# 1 asemani CORP\Domain Users 1696 Apr 29 21:32 secure.pem
asemani$
asemani$ ssh -i .ssh/secure.pem root#54.210.0.1
********************************************************************************
This is a private computer system containing information that is proprietary
and confidential to the owner of the system. Only individuals or entities
authorized by the owner of the system are allowed to access or use the system.
Any unauthorized access or use of the system or information is strictly
prohibited.
All violators will be prosecuted to the fullest extent permitted by law.
********************************************************************************
Permission denied (publickey).
I don't get the warning anymore but Permission is still denied. I then also tried doing a chmod 400 on the .pem file but that also didn't work. I won't paste that here since that may be overkill.
What is happening here? How can I ssh into my ec2? This should be a simple thing??
Change permission to chmod 400 ~/.ssh/secure.pem
Are you able to login as the default user using your pem key? For Ubuntu instances, default user should be ubuntu; for most other instances it should be ec2-user. If you're able to login as the default user, chances are that root isn't allowed for ssh login. To change that, login as the default user and do the following:
# Edit sshd_config and modify 'PermitRootLogin XX' to 'PermitRootLogin yes'
sudo vi /etc/ssh/sshd_config
# Reload sshd configuration
sudo service sshd reload
NOTE: This only serves as a how-to. It's generally not recommended to allow root login over ssh for security reason.
You need to launch the instance through your AWS EC2 management console. Once it is launched, copy the public DNS IPv4 and paste it after the linux distribution name being used (e.g. ubuntu#IPv4). Also, make sure you are working in the directory that houses your private access key.
For clarification, once your EC2 instance is launched and you're in the directory that holds your private access key, type in the following in the command-line:
ssh -i private_access_key.pem linux#IPv4
to windows users can change the premise of files through wsl doing this:
Edit or create (using sudo) /etc/wsl.conf
[automount]
options = "metadata"
Restart wsl: (powershell)
PS Get-Service LxssManager | Restart-Service
and finally, do:
chmod 400 key.pem
I am trying to connect to a new user account I created via SSH with the command
useradd -s /bin/false -d /home/username james
I added/edited the password via SSH with the command
passwd james
When trying to connect to my server using this user and pass via FileZilla I get the following error messages.
Response: 331 User James OK. Password required
Command: PASS *****
Response: 530 Login authentication failed
Error: Critical error
Error: Could not connect to server
When I try to login with this user/pass through SFTP I get the following error messages
Status: Connected to domain.com
Error: Connection closed by server with exitcode 1
Error: Could not connect to server
Either way it seems it doesn't allow me to use this newuser anywhere.
My server details
Linux 2.6.18-308.11.1.el5 GNU/Linux
(Red Hat 4.1.2-52)
Centos
Regarding FTP, the FTP server commonly used on Linux systems requires users to have a shell that's listed in the file /etc/shells. For example, this online ftpd man page says that, among other things, "The user must have a standard shell returned by getusershell(3).". The page for getusershell() shows that it reads shells from /etc/shells.
You could probably make FTP work adding /bin/false to /etc/shells. Your Linux system might have a more suitable shell available, like /usr/sbin/nologin.
Regarding SFTP, the ssh server normally provides SFTP service by by invoking a program called sftp-server. If you examine the server's sshd_config file, you'll probably find a line like this:
Subsystem sftp /usr/lib/openssh/sftp-server
sshd runs the subsystem program as a shell command, using the user's shell. If you set the user's shell to /bin/false, then sshd ends up running the command:
/bin/false -c /usr/lib/openssh/sftp-server
/bin/false ignores its command-line arguments and exits with code 1, so the SFTP client's session drops immediately after it starts.
sshd has an internal SFTP server component that can be used instead of the external program. The usual way of limiting SSH access to SFTP for some users is to set up a Match group within sshd_config, forcing the internal-sftp command for certain classes of users. Here are a couple examples of that:
http://en.wikibooks.org/wiki/OpenSSH/Cookbook/SFTP#SFTP-only_Accounts
https://serverfault.com/questions/354615/allow-sftp-but-disallow-ssh
Dont use "-s /bin/false". Use "-s /sbin/nologin" instead and it should be fine.
Make sure your account password hasn't expired. Mine did, and Filezilla exited with error code 1.
After logging onto the server and updating the account password (prompted immediately after connecting), I am now able to connect with SFTP & Filezilla.
Probably is a password related issue, check account
chage -l <user>
account must not be expired.
FTP doesn't allow /usr/sbin/nologin user
Response: 220 Welcome to the Scent Library's File Service.
Command: USER ftpuser
Response: 331 Please specify the password.
Command: PASS ******
Response: 530 Login incorrect.
filezilla 530 error - but password is correct
vsftpd: 530 Login incorrect
530 Login or password incorrect!
How can I connect via FTP using FileZilla? I get a 530 error.
Response: 220 Welcome to Test FTP service.
Command: USER ftpuser
Response: 331 Please specify the password.
Command: PASS ******
Response: 530 Login incorrect.
Error: Critical error
Error: Could not connect to server
Change user's shell
usermod -s /usr/sbin/nologin username
Then edit "/etc/shells" file and add this line
/usr/sbin/nologin
In order to connect to the server using ftp, you also need to run a ftp server / service or daemon.
An example of such ftp server is "vsftpd"
After installing it, you will also need to configure it and allow anonymous ftp access or ftp access to existing users
You will find the configuration file in the path "/etc/vsftpd/vsftpd.conf"
The below link might be useful for you --
https://www.digitalocean.com/community/tutorials/how-to-set-up-vsftpd-on-centos-6--2