Passwordless key-based authentication in Linux not working - linux

I have server A and Server B.
I am able to ssh from server A to server B as the 'root' user passwordless successfully. I have another non-root normal user on server B; my requirement is to ssh from server A to server B using that non-root normal user.
Here is what I did:
1) Copied the public key from Server A to Server B's non-root normal user's authorized_keys file, kept in the .ssh directory of the non-root normal user.
2) On Server B, gave permissions 700 to the .ssh directory and 600 to the authorized_keys file.
It is still asking for a password; it is not working as expected (passwordless).
Please help.
FYI, root user login from Server A to Server B is working perfectly passwordless and I followed only the above steps. Surprised to see it is not working for a normal user.

I am able to fix this issue using the command below:
restorecon -R -v /home/
I am now able to do key-based authentication for the non-root user successfully.

On server B, for the other user, the .ssh directory permission would be 755 and 644 for authorized_keys. This should work.

Use the commands below as the root user:
ssh-keygen [leave everything default and press Enter]
ssh-copy-id server_ip
Then it will ask for the remote server password, and after that you can log in to the remote server using:
ssh server_ip
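The three answers above disagree on modes (700/600 vs 755/644) and the accepted fix was an SELinux relabel. What sshd's StrictModes actually enforces is narrower than either: the home directory, ~/.ssh and authorized_keys must be owned by the user (or root) and must not be group- or world-writable, so both 700/600 and 755/644 pass, while 775/664 (a common default on hosts with user-private groups) fails. The following pre-flight check is an added example, not code from the thread; it encodes that rule and, where restorecon is present, does a dry-run label check for the case the accepted answer hit. The path argument is whatever home directory you are testing.

```sh
#!/bin/sh
# Added example: check the conditions sshd's StrictModes applies before it
# trusts ~/.ssh/authorized_keys, then dry-run an SELinux relabel.
# Usage: sh check_ssh_perms.sh /home/someuser

file_mode() { stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1"; }  # GNU stat, then BSD stat
file_uid()  { stat -c '%u' "$1" 2>/dev/null || stat -f '%u'   "$1"; }

# True when the group or other digit of an octal mode (755, 2775, ...) has the write bit (2).
mode_is_writable_by_others() {
  tail=${1#"${1%??}"}          # last two octal digits: group, other
  g=${tail%?}; o=${tail#?}
  case "$g" in 2|3|6|7) return 0 ;; esac
  case "$o" in 2|3|6|7) return 0 ;; esac
  return 1
}

# Ownership and mode of the home directory, ~/.ssh and authorized_keys.
check_ssh_perms() {   # $1 = home directory of the user who should log in
  home=$1; rc=0
  owner=$(file_uid "$home") || return 1
  for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
    if [ ! -e "$p" ]; then
      echo "MISSING  $p"; rc=1; continue
    fi
    m=$(file_mode "$p"); u=$(file_uid "$p")
    if [ "$u" != "$owner" ] && [ "$u" != 0 ]; then
      echo "OWNER    $p is owned by uid $u, expected uid $owner or root"; rc=1
    fi
    if mode_is_writable_by_others "$m"; then
      echo "MODE     $p is $m; must not be group- or world-writable"; rc=1
    fi
  done
  return $rc
}

# SELinux: list files under ~/.ssh whose label differs from policy (no changes made).
check_ssh_labels() {   # $1 = home directory
  command -v restorecon >/dev/null 2>&1 || return 0
  if command -v getenforce >/dev/null 2>&1 && [ "$(getenforce)" = Disabled ]; then return 0; fi
  out=$(restorecon -nv -R "$1/.ssh" 2>/dev/null)
  [ -z "$out" ] || { echo "LABEL    $out"; return 1; }
}

if [ $# -gt 0 ]; then
  check_ssh_perms "$1" && check_ssh_labels "$1" && echo "OK       $1 passes sshd StrictModes checks"
fi
```

Run it as root on server B against the non-root user's home directory; any MODE, OWNER or LABEL line is a reason sshd silently falls back to password authentication, and `sshd -ddd` on the server or `ssh -vvv` on the client will show the corresponding "bad ownership or modes" or "Authentication refused" message.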

Related

Cygwin SSH - seteuid no such device or address

I've set up Cygwin and want to ssh with a domain user account on Windows Server 2012 R2. It works fine if I start the sshd service with "Local system account", but if I start the service with a cygserver local account or domain\cygserver, the service starts fine but when I try to ssh I see the message sshd: PID 1944: fatal: seteuid 1801: No such device or address.
ssh in verbose mode on the client shows the following:
debug1: Authentication succeeded (publickey).
Connection to 10.10.10.10 closed by remote host.
Connection to 10.10.10.10 closed.
debug1: Exit status -1
Some articles like https://blog.peterwurst.com/2016/09/15/ssh-server-on-windows-with-cygwin/ suggest enabling the following GPO rights with the cygserver account in them. I tried them; still the same error.
Act as part of the operating system
Create a token object
Log on as a service
Replace a process level token
I've verified the .ssh and authorized_keys permissions, that the user's home directory exists, and that the passwd file has the /bin/bash shell for the user.
Any suggestion on how to resolve this issue?
I had this issue, and the solution was to start the CYGWIN ntsec service before starting the CYGWIN OpenSSH service.
Verify the subject user and SSHD account are not locked / disabled.
Confirm that password login works. PKI and password login take different paths to create a process token.
I also had this issue in the log:
seteuid XXXXXXXX: No such device or address
and this did the trick:
passwd -R

Unable to connect to server via SSH using Apache

I've encountered a problem connecting to a server via ssh.
I have servers A and B. From server A I run a .sh script which parses a log on server A, then connects to server B and does the same task. In the console everything works fine, but not with the web interface.
I connect to the server using CGI with apache2. When I run the script on server A, it parses the log and returns the result; however, it fails to connect to server B.
Here is the httpd log:
[Thu Nov 22 14:09:34 2018] [error] [client 10.1.68.243] Permission denied, please try again.\r, referer: http://cab-prod-comp-sd/cgi-bin/example-bash.sh?val_x=RDWH.&val_z=1
server A script:
-rwsrwxr-x 1 sas sas 2217 Nov 22 11:25 /sas/oljas_scripts/find_usage_of_tables.sh
server B script:
-rwxrwxr-x 1 sas sas 1202 Nov 19 09:16 find_usage_of_tables.sh
the part where I connect to server B:
SAS_RESULTS=$(ssh sas@sas-p1l-comp /sas/oljas_scripts/find_usage_of_tables.sh $table_name)
Appreciate any help.
Thank you!
EDIT:
Do I need to give permission to the Apache user? How do I do this?
This is what I assume from your question:
system A runs httpd with user "apache".
system B has a user called "sas".
you want user "apache" to connect to system B, using "sas" user.
your connect code does not show any password or passphrase being used. You did not mention an ssh agent either, so the ssh connection is done via ssh keys.
sshd on system B is configured to allow connections without passwords (i.e. use key authentication). From the comments above, see this: https://superuser.com/questions/543626/ssh-permission-denied-on-correct-password-authentication, John Siu's answer.
On system A, user "apache":
if it does not already have them, in ~/.ssh you should set up a private and a public ssh key (ssh-keygen; check on the web, it is well documented).
On system B, user "sas":
user "sas", in ~/.ssh, create (if required) a file called authorized_keys.
in this file, put the public key of the "apache" user from system A.
this will allow user "apache" on system A to connect to system B, with user "sas".
A couple of traps to avoid, on system B:
make sure the permissions on user "sas", ~/.ssh are 700.
permissions on user "sas", ~/.ssh/authorized_keys are 600.
permissions on user "sas"'s ~ are 700. Here I mean the home directory for "sas". Ex. ~ for "sas" is /home/sas; then if you ls -al /home you should see directory sas with 700.
To debug you can do ssh -v -v -v sas@sas-p1l-comp.
For your question about known_hosts: on system A, when it first connects to system B, if it does not find system B in the file, ssh will add it for you. BUT you have to do it at least once manually. The ssh client will want you to confirm the addition, and this can only be done on the command line. The web interface will not answer the client. So connect once manually, then you will be OK for the web as well.
Until that works, no point trying to setup httpd on system A. This must work at the command line first.
Thanks everyone!
Problem solved by running the Apache server as user SAS.
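The answer above gets the key exchange right but leaves two things a service account calling ssh from a CGI script still needs: the call must never wait for a prompt (host-key confirmation or a passphrase hangs the request until Apache times it out), and the key that the web server holds should be able to do only the one job it exists for. The script below is an added example, not code from the question or the answer; the key path, known_hosts path, wrapper path and source address range are assumptions. It puts the server A side (the unattended call) and the server B side (a restricted authorized_keys line plus the forced-command wrapper it points at) in one file for illustration. Because the table name arrives from the CGI query string (the referer in the httpd log shows val_x=RDWH.), it is validated before it reaches a remote shell, and the wrapper on server B validates it again from SSH_ORIGINAL_COMMAND rather than trusting the caller.

```sh
#!/bin/sh
# Added example: unattended ssh from the httpd account with no prompts, a
# pinned host key, and a key on server B restricted to one forced command.

KEY=/var/www/.ssh/id_ed25519            # assumed: private key of the "apache" user on server A
KNOWN=/var/www/.ssh/known_hosts          # assumed: seeded once (ssh-keyscan, fingerprint verified)
REMOTE_USER=sas
REMOTE_HOST=sas-p1l-comp
REMOTE_SCRIPT=/sas/oljas_scripts/find_usage_of_tables.sh
FORCED_WRAPPER=/sas/oljas_scripts/sas_forced_command.sh   # assumed: installed on B, body = forced_command

# Accept only schema/table identifiers: letters, digits, underscore, dot.
valid_table_name() {
  case "$1" in
    '' | *[!A-Za-z0-9_.]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Server A side: BatchMode fails instead of prompting; StrictHostKeyChecking
# with a seeded known_hosts refuses unknown or changed host keys; IdentitiesOnly
# stops ssh offering every other key before the intended one.
run_remote() {   # $1 = table name from the CGI parameter
  valid_table_name "$1" || { echo "rejected table name: $1" >&2; return 2; }
  ssh -o BatchMode=yes -o StrictHostKeyChecking=yes -o UserKnownHostsFile="$KNOWN" \
      -o IdentitiesOnly=yes -i "$KEY" "$REMOTE_USER@$REMOTE_HOST" "$REMOTE_SCRIPT" "$1"
}

# Server B side: the authorized_keys line for server A's public key. The forced
# command means this key can only run the wrapper, and only from server A.
restricted_key_line() {   # $1 = public key line, $2 = server A's address or CIDR
  printf 'command="%s",from="%s",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding %s\n' \
    "$FORCED_WRAPPER" "$2" "$1"
}

# Forced-command wrapper: sshd places the client's requested command in
# SSH_ORIGINAL_COMMAND; accept exactly "<REMOTE_SCRIPT> <valid table name>".
table_from_original_command() {
  n=0; first=''; last=''
  set -f                                   # no globbing while splitting the request
  for w in $SSH_ORIGINAL_COMMAND; do
    n=$((n + 1)); [ "$n" -eq 1 ] && first=$w; last=$w
  done
  set +f
  [ "$n" -eq 2 ] && [ "$first" = "$REMOTE_SCRIPT" ] && valid_table_name "$last" || return 2
  printf '%s\n' "$last"
}
forced_command() {
  name=$(table_from_original_command) || { echo "request refused" >&2; exit 2; }
  exec "$REMOTE_SCRIPT" "$name"
}

if [ "${RUN_AS_FORCED_COMMAND:-0}" = 1 ]; then forced_command; fi
```

With this in place the accepted workaround of running Apache as the sas user is unnecessary: the apache user keeps its own key, server B's sshd logs which key connected, and a compromise of the web tier yields a key that can run one script with one validated argument rather than a shell as sas.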

Define a set keyfile for Ubuntu to use when SSHing into a server

I have two Amazon EC2 Ubuntu instances. When I connect to one of them, I can do
ssh ubuntu@54.123.4.56
and the shell uses the correct keyfile from my ~/.ssh directory.
I just set up a new instance, and I'm trying to figure out how to replicate that behavior for this new one. It's a minor thing, just driving me nuts. When I log in with:
ssh -i ~/.ssh/mykey.pem ubuntu@54.987.6.54
it works fine, but with just
ssh ubuntu@54.987.6.54
I get:
Permission denied (publickey).
I have no idea how I managed to get it to work this way for the first server, but I'd like to be able to ssh into the second server without the "-i abc.pem" argument. Permissions are 600:
-r-------- 1 mdexter mdexter 1692 Nov 11 20:40 abc.pem
What I have tried: I copied the public key from authorized_keys on the remote server and pasted it into authorized_keys on the local server, with mdexter@172.12.34.56 (private key), because I thought that might be what created the association in the shell between that key and that server.
The only difference I can recall between how I set up the two servers is that with the first, I created a .ppk key in PuTTY so that I could connect through FileZilla for SFTP. But I think SSH is still utilizing the .pem given by Amazon.
How can I tell the shell to just know to always use my .pem key for that server when SSHing into that particular IP? It's trivial, but I'm trying to strengthen my (rudimentary) understanding of public/private keys and I'm wondering if this plays into that.
You could solve this in 3 ways:
By placing the contents of your ~/.ssh/mykey.pem into ~/.ssh/id_rsa on the machine from which you are ssh'ing into the 2nd instance. Make sure you also change the permissions of ~/.ssh/id_rsa to 600.
Using ssh-agent (ssh-agent will manage the keys for you)
Start ssh-agent
eval `ssh-agent -s`
Add the key to ssh-agent using ssh-add
ssh-add mykey.pem
Using ssh-config file:
You could use ssh config file. From the machine where you are trying to ssh, keep the following contents in the ~/.ssh/config file (make sure to give this file 600 permissions):
Host host2
HostName 54.987.6.54
Port 22
User ubuntu
IdentityFile ~/.ssh/mykey.pem
Once you do that, you can do the ssh like this:
ssh host2
After performing any of the above steps you should be able to ssh into your second instance without specifying the key path.
Note: the second option requires you to add the key using ssh-add every time you log out and log back in; to make that permanent, see this SO question.

Is it possible to connect to ec2 instance as root user by using the PEM file?

I'm trying to connect to an EC2 AWS instance, but when I tried to install phpMyAdmin the Linux console asked me for the root user password, which I forgot. Could anyone please tell me how to use the .PEM file to log in as the root user?
I tried the sudo su command but it still asks me for the root user's password.
Any help is appreciated.
Disclaimer: it is not recommended to log in as root.
But if you still want to, then:
Allow PermitRootLogin in /etc/ssh/sshd_config
Restart the SSH service
Paste the existing public key from /home/ec2-user/.ssh/authorized_keys into /root/.ssh/authorized_keys
Now you should be able to log in as root using the .pem key.
You don't need your root password if you are running sudo su -; you need the password of the user you are running the sudo command as, provided that user has sudo privileges as root. Then you can just run as root:
yum install phpmyadmin
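If you do follow the first answer, two details matter. "Allow PermitRootLogin" should mean PermitRootLogin prohibit-password (key only), not yes, or a password guess against root becomes possible the moment PasswordAuthentication is on; and on a stock Amazon Linux AMI /root/.ssh/authorized_keys already exists, holding the key under a forced command that only prints "Please login as the user ec2-user rather than the user root" (the message quoted in the Mac thread further down this page), so the copy must replace that line. The script below is an added example, not the answer's own commands; it assumes an Amazon Linux host with ec2-user, edits sshd_config in the global section only (a directive placed after a Match block applies only to that block), checks the result with sshd -t, and touches the live system only when APPLY=1 is set.

```sh
#!/bin/sh
# Added example: root key-only login on an EC2 host. Run as root with APPLY=1
# to change the system; without it only the functions are defined.

SSHD_CONFIG=${SSHD_CONFIG:-/etc/ssh/sshd_config}
SRC_KEYS=${SRC_KEYS:-/home/ec2-user/.ssh/authorized_keys}   # assumed source of the instance key

# Set "Directive value" in an sshd_config-style file: replace the first active or
# commented-out copy in the global section, leave copies inside "Match" blocks
# alone, and insert before the first "Match" block if the directive is absent.
set_sshd_directive() {   # $1 = file, $2 = directive, $3 = value
  tmp="$1.tmp.$$"
  awk -v k="$2" -v v="$3" '
    BEGIN { lk = tolower(k); ck = "#" lk }
    tolower($1) == "match" && !done { print k " " v; done = 1 }
    tolower($1) == "match"          { inmatch = 1 }
    !inmatch && (tolower($1) == lk || tolower($1) == ck) {
        if (!done) { print k " " v; done = 1 }
        next
    }
    { print }
    END { if (!done) print k " " v }
  ' "$1" > "$tmp" && mv "$tmp" "$1"
}

# Copy the instance key to root with the ownership and modes sshd requires,
# overwriting the "Please login as the user ec2-user" forced-command entry.
install_root_key() {   # $1 = source authorized_keys file
  install -d -m 700 -o root -g root /root/.ssh
  install -m 600 -o root -g root "$1" /root/.ssh/authorized_keys
}

if [ "${APPLY:-0}" = 1 ]; then
  set_sshd_directive "$SSHD_CONFIG" PermitRootLogin prohibit-password
  sshd -t -f "$SSHD_CONFIG" || { echo "sshd_config invalid, not installing key" >&2; exit 1; }
  install_root_key "$SRC_KEYS"
  echo "reload sshd now (systemctl reload sshd, or service sshd reload)"
fi
```

Keep the ec2-user session open until a second terminal confirms `ssh -i key.pem root@host` works; a typo in sshd_config that sshd -t did not catch at the directive level (for example a wrong Match scope) otherwise locks you out of the instance.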

Connecting to an Amazon AWS Linux server by ssh on a Mac

I created a new keypair and downloaded it to my Mac, then set up a new Amazon Linux AMI server with that keypair and my security group. Now I need to put the keypair .pem file that I downloaded in a .ssh folder in my user's folder? I am unable to create a folder called ".ssh", however, because of the name.
Where do I put the keypair on my Mac, and what chmods or other commands are then needed to connect to the server from my bash shell? I know "ssh my public DNS", but what other permissions or anything else should I be aware of? It's a newbie question. Thanks.
You'll want to put the keypair in {your home directory}/.ssh. If that folder doesn't exist, create it. Once you put the keypair in there, you have to change the permissions on the file so only your user can read it.
Launch the terminal and type
chmod 600 $HOME/.ssh/<your keypair file>
That limits access to the file, and then to limit access to the folder type
chmod 700 $HOME/.ssh
You have to limit the access because OpenSSH won't let you use a key that others can view.
Then to log into your instance, from the terminal you would enter
ssh -i <your home directory>/.ssh/<your keypair file> ec2-user@<ec2 hostname>
You can also create a file ~/.ssh/config,
chmod it 644,
then inside you can add something like this:
host mybox-root
Hostname [the IP or dns name]
User root
IdentityFile ~/.ssh/[your keypair here]
then you can just do
$ ssh mybox-root
and you'll log in more easily.
You can use Java MindTerm to connect to your EC2 server on a MacBook Pro. It works for me. Here are more details and step-by-step instructions:
http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AccessingInstancesLinux.html
http://www.openssh.com/ is the one suggested on http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-connect-to-instance-linux.html#using-ssh-client (option 3)
Someone was asking about Macs; an easy way to create the ~/.ssh folder would be to run the command ssh-keygen, then use the following setup ...
A.
macbook-air$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/Users/sam/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /Users/sam/.ssh/id_rsa.
Your public key has been saved in /Users/sam/.ssh/id_rsa.pub.
B. Then create:
touch ~/.ssh/authorized_keys
C. Fix the permissions:
chmod 600 ~/.ssh/authorized_keys
D. Copy the AWS key to that file:
cp AWS_key.text ~sam/.ssh/authorized_keys
# You would have saved this SSH key earlier when creating the EC2 instance
E. Then test the ssh to the AWS Linux server - you will see this error:
ssh -i ./authorized_keys root@ec2-54-76-176-29.ap-southeast-2.compute.amazonaws.com
Please login as the user "ec2-user" rather than the user "root".
F. Retry with the allowed AWS user "ec2-user" and it should work:
ssh -i ./authorized_keys ec2-user@ec2-54-76-176-29.ap-southeast-2.compute.amazonaws.com
__| __|_ )
_| ( / Amazon Linux AMI
___|\___|___|
https://aws.amazon.com/amazon-linux-ami/2014.09-release-notes/
9 package(s) needed for security, out of 12 available
Run "sudo yum update" to apply all updates.
Hope this helps, all the best.
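The ~/.ssh/config answers in this thread and in the Ubuntu keyfile thread above both stop at IdentityFile. Two things are worth adding for a practitioner: IdentitiesOnly yes, so that ssh (and an ssh-agent holding several keys) offers only the configured key to that host instead of trying every loaded identity first, which is what produces "Too many authentication failures" against a server with a low MaxAuthTries; and a way to confirm what ssh will actually use without connecting, which ssh -G provides. The private-key mode check mirrors the rule behind the chmod 600 advice: ssh ignores a key whose group or other bits are set at all. The script is an added example, not the answers' own commands; the alias, address, user and key path are the ones from the Ubuntu question, the config mode is the 600 from that answer, and the functions take their paths as arguments.

```sh
#!/bin/sh
# Added example: pin one key to one host in ~/.ssh/config, check the key's
# mode, and read back the effective settings with "ssh -G".

# ssh refuses a private key whose group or other permission bits are non-zero
# ("UNPROTECTED PRIVATE KEY FILE!"), so only modes ending in 00 are usable.
private_key_mode_ok() {   # $1 = octal mode string such as 600 or 400
  tail=${1#"${1%??}"}     # last two digits: group, other
  [ "$tail" = 00 ]
}

file_mode() { stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1"; }  # GNU stat, then BSD stat

# Append a Host block to a config file. IdentitiesOnly restricts the keys
# offered to this host to the IdentityFile given here.
add_host_block() {   # $1 = config file, $2 = alias, $3 = hostname or IP, $4 = user, $5 = key path
  printf 'Host %s\n    HostName %s\n    User %s\n    IdentityFile %s\n    IdentitiesOnly yes\n\n' \
    "$2" "$3" "$4" "$5" >> "$1"
  chmod 600 "$1"
}

# The value ssh will use for one option when connecting to an alias; "-G"
# prints the resolved configuration and makes no connection.
effective_option() {   # $1 = config file, $2 = alias, $3 = option name in lowercase
  ssh -G -F "$1" "$2" | awk -v k="$3" '$1 == k { print $2; exit }'
}

# Demo when run with SSH_CONFIG_DEMO=1: build a throwaway config and show what ssh resolves.
if [ "${SSH_CONFIG_DEMO:-0}" = 1 ]; then
  key=$HOME/.ssh/mykey.pem
  [ -f "$key" ] && { private_key_mode_ok "$(file_mode "$key")" || echo "fix: chmod 600 $key"; }
  cfg=$(mktemp)
  add_host_block "$cfg" host2 54.987.6.54 ubuntu "$key"
  for opt in hostname user identityfile identitiesonly; do
    printf '%-14s %s\n' "$opt" "$(effective_option "$cfg" host2 "$opt")"
  done
  rm -f "$cfg"
fi
```

For a real setup the block goes into ~/.ssh/config itself rather than a temp file; `ssh -G host2 | grep -i identity` then shows the key ssh will offer, and `ssh -vvv host2` shows the server rejecting or accepting exactly that key.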
