We have a Linux Server with 2 users user1 and user2. We have to login from user1 to user2 via ssh such as:
ssh user2#<computer-name>
Both users are on the same server. However, user1 is an automated script where we cant type in manually the password and we dont want to store the password. Therefore, we want to use an ssh key (private to user2 and public to user1).
Thereby, the traffic should not go via the network as it has already a high load. The question is: will be the network connection automatically always via the localhost? If not how to force ssh to use only the localhost?
Are the two users both on the same server ?
If you are on the same OS, you can use to switch between users :
su user2
More details here : https://unix.stackexchange.com/questions/3568/how-to-switch-between-users-on-one-terminal
Related
I'm hosting my file server on GCP debian 10 virtual machine and I want to create passwordless user so people could publicly download files from his home directory.
So I created new user, removed his password with passwd -d username, changed /etc/ssh/sshd_config file so it would allow this exact user to login with empty password and set chroot jail, restarted ssh service.
Unfortunately, when I'm connection via ssh into this user it still prompts me with a password.
This setup was working on the old server, configs are definitly correct and user definitely does not have password. I guess google implemented some additionl protection that dosen't allow me to do what I want.
Maybe someone had already bumbed into the same problem before?
I reached the support and they said google doesn't support passwordless ssh connections.
I want to access MySql database hosted on domain my_domain_name using pymysql ( python library) .
My code is:
connection = pymysql.connect('my_domain_name', user, passd, db)
But I receive this error
(1045, "Access denied for user 'root'#'ip-address' (using password: YES)")
In most answers, people suggest that:
either password is wrong or 'root' user do not have privileges to
access database
But, I can access the database using direct link as: http://www.my_domain_name/phpmyadmin/index.php using same user and password.
I will appreciate your kind help. Thanks
Note: 'my_domain_name' is being converted to an ip_address. When I place this IP to my browser, it takes me to the website of my Internet provider.
Update:
It is clear that domain_name is being replaced with ip_address of Internet provider. How can I resolve this issue? Please do share any link. Thanks.
MySQL access control depends on the IP address of the client not the IP address of the server.
I assume that you're connecting to some cloud instance of MySQL, in other words, it's not running on your local machine. (If it's local just use "localhost" instead of "my_domain_name.")
When you connect to the MySQL server "my_domain_name," it sees an incoming connection from your public IP address. (If you Google for "what's my IP address," the address that Google shows you should match the one in the error message.) If you enter that IP address into your browser, you'll be connecting to your own router. If you got that router from your ISP, it's possible they set it up so that connecting to the router redirects you to the ISP's own home page.
In MySQL, the client address is part of a user's identity. In other words, john#host1 and john#host2 are two different users to MySQL. You specify the host when you create the user:
# Only applies to john connecting from host1
CREATE USER 'john'#'host1' IDENTIFIED BY 'password';
You can also use a wildcard for the client address, which means a user with that name connecting from any client address.
# john can connect from any host
CREATE USER 'john'#'%' IDENTIFIED BY 'password';
Your MySQL instance was probably set up with a user called root#localhost. To connect from somewhere else, you could create another root#my-ip-address user where my-ip-address is your address, however, this user will not be the same as root#localhost. You will have to grant it privileges identical to root#localhost. Accessing MySQL in this way could be inconvenient because if your IP address ever changes, you will lose access. You could create a user root#% instead, which will work from any client, but then you are allowing access to your MySQL server from any client address as long as the user has the password.
The reason you can login from the web administration console is that when you access the console, you're not connecting to the database directly, instead you're interacting with the console, and the console is connecting to the database. The console is running on the same server as MySQL, so when it connects to MySQL, the connection is coming from localhost.
If you want command line access to MySQL, a better strategy would be to SSH to the MySQL server, then use mysql locally to connect as root#localhost.
The issue was that by default, MySql server does't assign necessary privileges to the user to access database remotely. So, open your SqlServer console and use this command to assign privileges to the 'root' user as:
GRANT ALL ON root.* TO 'root'#'ip_address_of_server' IDENTIFIED BY 'password_for_root' ;
FLUSH PRIVILEGES;
OR
GRANT ALL ON root.* TO 'root'#'server_name' IDENTIFIED BY 'password_for_root' ;
FLUSH PRIVILEGES;
Refer to this answer for more information:
pymysql cannot connect to mysql
So I am using RHEL 7. I have two servers with the following user accounts
root (obvious)
admin
I want the setup to work in the following manner.
passwordless SSH from server 1 to server 2 using the admin user, but the SSH initiation is done from the root user always.
We are not allowed to do ssh key exchange for the root user, but the app that we are working with uses root to ssh to the other nodes.
I hope I am making sense here :)
SSH using root user to server2, but internally it should use admin user's key and connect to server2 using admin user.
I have tried to confiure /etc/ssh/ssh_config file and added host/user config there, now I am able to run ssh server2 from root user and it connects to server2 using my defined admin user in the ssh_config file but it prompts for a password every time which I don't want.
Key exchange with admin is already done and tested to be working fine when I issue ssh as admin user.
Thanks in advance.
In the same file /etc/ssh/ssh_config you need to add the key to use, something like this:
Host srv2
User admin
IdentityFile /home/admin/.ssh/id_rsa
So I've a VM that has SSH login. In this machine I only want one user ( lets say admin) to be able to login in via SSH.
Ive changed the sshd_config and added the AllowUsers admin directive. The problem is that I can still login to the machine with the user user, for example.
The host is a Ubuntu server and I'm accessing it via vSphere Client.
Is there anything I'm missing here?
In ssh, it is possible to set up passwordless logins to a remote user, using only public key authentication. Out of curiosity, what is actually going on code-wise, when passwordless login has been set up?
Is the ssh-server daemon storing user passwords, and then applying them automatically, when they have authenticated a public key, or can the ssh-server, using some system-call magic, circumvent the password authentication procedure of a user account entirely?
The ssh server daemon is typically running as root (or another privileged user), and can thus simply spawn a login session running as whichever user is required. No password involved.
Other things that work in a similar manner are the -u flag for sudo, and the su command when already running as root.
The sshd (SSH daemon) process runs privileged on your server (e.g. root), so after it successfully completes authentication, it spawns a login shell as the user logging in.
You are starting from the point of assuming a password is a requirement for authentication. But it is really only one way there. On modern Linux the PAM subsystem controls authentication and authorization. You could make a PAM module that allowed you to login if you answered three questions correctly. Or know the right number. Or to be even more outlandish your "password" could be a music sequence entered over a MIDI device :-)
Something needs to tie your entered name with a Unix UID and then match that to an authentication mechanism. SSH is doing this by:
taking the name you provide and getting the "password entry" for it via PAM
using the "password entry" to locate the $HOME of the user
validate the SSH key in $HOME/.ssh/authorized_keys against the key sent in the authentication
If all of the above works, start a shell as the UID of the user
As you can see this process is not going around password authentication. Password authentication is simply one of the ways in the door. We are accustomed to this method via 'login' or ssh exposing a password prompt. But there are many ways. The core requirement is the program performing the authentication has root privileges.
Everyone already mentioned that sshd runs as a privileged daemon.
So how does passwordless public key authentication works?
When a user connects to sshd, by default unless configured otherwise, sshd will require the remote connection to present a key. In the absence of the key, sshd will attempt to ask for other methods of proof of identity of the remote user, one of which is interactive password.
Before one can start using passwordless public key authentication, one must register his public key. This usually involves copying public key to user's .ssh/authorized_keys file. There is a cli ssh-copy-id that can do exactly this.
How does private/public key authentication works then? When a user connects to ssh daemon, the ssh client will read the user's private key, usually stored in .ssh under different filenames such as id_rsa or identity or id_dsa. The ssh client will generate the public key from the private key and present the public key to sshd. The sshd daemon will compare the received public key against the user's authorized_keys. If a match is found, the connection is allowed. Then sshd will spawn a process and a shell and will drop the provileges to the user's privilege.