I'm using one service which is connected to remote host via ssh. I don't want to store or write ssh keys on that service, I want pass keys to service and execute ssh connection to another host using passed keys before.
To connect to host I used: ssh user#host -i /path/to/key.
How can I use key as the text not a specific file?
I tried ssh user#host -i "key-text-example". It doesn't work like that.
Not as a literal answer to your question, but as the best way to meet your actual need (of connecting via SSH to a remote machine via a system you don't trust to store your private key) -- you should use SSH agent forwarding.
When you pass your private key to a remote system, even transiently, it can be captured; if an attacker is recording everything that goes on on the system with Sysdig, for example, the writes over the FIFO from the process substitution (or the reads done by the SSH client process) will show up plain as day.
Instead of passing the private key to the remote system, agent forwarding sends the request for a signature back from the remote system to your origin machine. (There are even SSH agents for Android, so you can have the request forwarded to your phone -- presumably a device you trust -- such that the private key never leaves it). Similarly, a hardware device such as a YubiKey can store your private key and perform signature operations on behalf of a SSH client -- on behalf of a remote machine when agent forwarding is requested.
For the simple case:
local$ [[ $SSH_AUTH_SOCK ]] || eval "$(ssh-agent -s)"
local$ ssh-add # load the key into your local agent
local$ ssh -A host1 # connects to host1 with agent forwarding enabled
host1$ ssh host2 # asks the ssh agent on "local" to authenticate to host2
host2$
Related
Sorry, if it is a trivial question: I use the port forwarding the port 22 on remote computer is redirected to port 2222 on my local computer. The tunnel is created with the following azure command:
az network bastion tunnel
I can start the first session with ssh
ssh seva#localhost -p 2222
and it works fine However, when I'm starting from another terminal window another ssh session with the same command
ssh seva#localhost -p 2222
the connection hangs and goes through only when the first connection is terminated I'm aware, that I can run multiple sessions with azure native client:
az network bastion ssh
But I need multiple sessions through the same port 'classical way' because it is obviously the way, the Visual Studio Code uses when I trying to connect with it the remote computer. One session is obviously for the terminal window and another one for data transfer.
Many thanks in advance.
=Seva
You can work around this limitation by enabling SSH multiplexing. The first session will setup a control connection, and any subsequent session will simply re-use this. This removes the need for a second connection which, weirdly enough, az network bastion does not seem to support.
To do this for all of your connections, add the following to your SSH client config (ie. ~/.ssh/config):
Host *
# Connection Multiplexing
ControlMaster auto
ControlPersist 600
ControlPath ~/.ssh/ctrl/%C
This should be all you need. If you want/need even more information though check out https://en.wikibooks.org/wiki/OpenSSH/Cookbook/Multiplexing.
Really hoping someone here can point me in the right direction,
Expected result: SSH successfully into a remote device.
Challenge/Back story:
We have devices out in remote places around the country,
These devices do not have a fixed public IP address
(Using GSM as its internet breakout)
These devices are able to SSH and break out.
My thought, with regards to maintaining these devices is to (if possible) use a server in the cloud as a middle man, have these devices create some sort of a reverse tunnel to our middleman server then have us as admins intercept it or something to that effect.
Again to summarize, Device cannot be ssh'd into directly, but can breakout.
Aim to be able to hit their terminal from the office.
have been looking at mitmssh but not coming right on that front.
Server A (no fixed address, cannot SSH into it directly but has breakout)
Server B (standard server which can be used as a middle man
Server C (Us admins)
Tried something along the lines of "ssh user#serverA -R serverB:12345:ServerA:22"
Which creates the tunnel, but struggling with grabbing hold of that SSH connection.
I think I regularly use something very similar. My target machine connects to the machine with a stable address with:
ssh midpoint -R 2022:localhost:22
my ~/.ssh/config file knows the real HostName. My config file on my work machine defines a ProxyCommand option to use this tunnelled TCP connection. like:
Host target
ProxyCommand ssh -q midpoint nc localhost 2022
the reason for using netcat was to get ssh-agent behaving.
I've just been searching around and it seems OpenSSH now has specific handling for this (-W command line option, and JumpHost in the config file). E.g. https://stackoverflow.com/a/29176698/1358308
I am writing a relatively small bash script that is supposed to update DNS records for a server behind a NAT which might change its external IP address. Essentially a free DynDNS using my DNS provider's API.
I am retrieving the server's IP address using a simple query to an external service. But for the sake of security, before pointing my DNS A record to a new arbitrary IP address given to my by an external service I first need to verify that this indeed is the server's IP address. And this check would need to involve a cryptography step since an active MITM attack could be taking place and just forwarding traffic to the server's real IP address.
So what would be the simplest way (if possible through bash) to verify that this is indeed the server's IP address?
I presume you mean that the bash script is running somewhere other than the server whose IP you need to determine?
The obvious solution would be to connect using ssh with strict host checking (and a remembered server key) or via SSL with certificate versification (you could use a self-signed certificate). The former is a bit easier to do out of the box.
Assuming that $IP is the server's new external IP address, this works by first acquiring the servers SSH keys by running ssh-keyscan on localhost and generating a temporary known hosts file. It then substitutes 127.0.0.1 with the given $IP and initiates an ssh session with the temporary known hosts file to the remote IP address. If the session is established and the key verification is successful the command will exit cleanly. Otherwise it will output the Host key verification failed. message. This will work even if authentication with the server fails as host key verification is done before authentication. The script finally checks whether the ssh output includes the given error message and returns valid or invalid correspondingly.
TMP_KNOWN_HOSTS=$(mktemp)
ssh-keyscan 127.0.0.1 > $TMP_KNOWN_HOSTS
sed -i "s/127\.0\.0\.1/$IP/" $TMP_KNOWN_HOSTS
RESPONSE=$(ssh -n -o "UserKnownHostsFile $TMP_KNOWN_HOSTS" -o "StrictHostKeyChecking yes" $IP true 2>&1)
if ! [[ $RESPONSE = *"Host key verification failed."* ]]; then
echo "valid"
else
echo "invalid"
fi
I have 100 machines to be automatically controlled using passwordless ssh.
However, since passwordless ssh requires id_rsa handshaking, it takes some time for controlling a machine as we can see in the following.
$ time ssh remote hostname
remote
real 0m0.294s
user 0m0.020s
sys 0m0.000s
It takes approximately 0.3 seconds, and doing this all over 100 machines takes around 30 seconds.
What I'm looking for is to make the account on the remote machine no password at all.
Is there a way to do it?
There is a way: use telnet. It provides the same as ssh without authentication and encryption.
The delay may be caused by the host doing a reverse DNS lookup when the client connects, to verify that the client's hostname reverses to the same IP that the client is connecting from. If you disable this option on your server's sshd, you may see less delay when connecting. See the links below for more info:
http://linux-tips.org/article/92/disabling-reverse-dns-lookups-in-ssh
https://unix.stackexchange.com/questions/56941/what-is-the-point-of-sshd-usedns-option
You can try using sshpass
For example, when password is in password.txt file:
sshpass -fpassword.txt ssh username#hostname
what is the Linux command to connect to another server using host name and port number?
how to connect to another server using only host name and port number then check if an existing process is running? the only way i see it working is to log in to the server and run the PS command. but is there a way to do it without logging in directly to the other server and connect only with host name and port number and check the running process?
If you just want to try an arbitrary connection to a given host/port combination, you could try one nmap, telnet or nc (netcat).
Note that you can't necessarily determine whether or not a process is running remotely - it might be running on that port, but simply ignore anything it sees over the port. To really be sure, you will need to run ps or netstat or etc. via ssh or etc.
If you want to use SSH from e.g. a script or, more generally, without typing in login information, then you will want to use public key authentication. Ubuntu has some good documentation on how to set this up, and it's very much applicable to other distrobutions as well: https://help.ubuntu.com/community/SSH/OpenSSH/Keys.
If you have no access to the server you're trying to list processes on at all, then I'm afraid there isn't a way to list running processes remotely (besides remote tools like nmap and so on, as mentioned earlier - you can always probe public ports without authentication [although you might make people angry if you do this to servers you don't own]). This is a feature, not a problem.
telnet connects to most of services. With it you can ensure that port is open and see hello message (if any). Also nc is more low level.
eri#eri-macro ~ $ telnet smtp.yandex.ru 25
Trying 87.250.250.38...
Connected to smtp.yandex.ru.
Escape character is '^]'.
220 smtp16.mail.yandex.net ESMTP (Want to use Yandex.Mail for your domain? Visit http://pdd.yandex.ru)
helo
501 5.5.4 HELO requires domain address.
HELO ya.ru
250 smtp16.mail.yandex.net
MAILĀ FROM: <someusername#somecompany.ru>
502 5.5.2 Syntax error, command unrecognized.
If there is plain text protocol you cat talk with service by keyboard. If connection is secured try openssl.
openssl s_client -quiet -connect www.google.com:443
depth=1 /C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
verify error:num=20:unable to get local issuer certificate
verify return:0
GET /
<HTML><HEAD>
If protocol is not known you may see much of hieroglyphs or just Connected to ... message.
Try this :
ssh <YOUR_HOST_NAME> 'ps auxwww'
Like Dark Falcon said in the comments, you need a protocol to communicate with the server, a port alone is useless in this case.
By default on unix (and unix like) servers, ssh is the way to go.
Remote Shell with this command. Example is cat a file on the remote machine.
rsh host port 'cat remotefile' >> localfile
host and port self explainitory
remotefile: name of some file on the machine remote logging to in home directory
localfile: name of file cat information to.
Use monitoring software (like Nagios). It looks at your processes, sensors, load and thatever you configured to watch. It continuously stores log. It alerts you by email\sms\jabber if something fails. You can access it with browser or by HTTP API.