We have 2 Debian servers, one for testing and one for live. I have some scripts which should be executed to transfer data from live to test. For both the servers we use PublicKeyAuthentication where our id_rsa.pub's contents are added to authorized_keys on test server.
Even after doing this, every time I initiate a transfer from one server to another, I am being asked for password.
I also tried calling ssh-copy-id, but that didn't help and all I got was a duplicate entry in authorized_keys.
Lastly, when I try sshpass, I get the following message, and I cannot enter the password as it's just a message.
sshpass -v -p 'PASS' ssh root@our_server
SSHPASS searching for password prompt using match "assword"
SSHPASS read: Enter passphrase for key '/root/.ssh/id_rsa':
Any ideas? Thanks.
From the output of sshpass, it seems that it is asking for the password of the key, not the password for the server:
Enter passphrase for key '/root/.ssh/id_rsa'
Protecting your SSH-keys with a password is a good practice, but you can not fully automate things that way, as you discovered. Depending on your situation, you can do either of the following:
Use an SSH-agent. This is a daemon that will ask your password once, and keep the private key cached until you remove it. This still has the benefit that your SSH-key is stored password-protected on disk, but you can use it as a password-less key.
This has the added benefit that you can forward SSH-agent over SSH: if you SSH from your machine to server A, and then further on to server B, this last connection can use the key stored on your machine (instead of having to copy your key to server A).
Remove the password from the key entirely (you can use ssh-keygen to change the password to be blank)
How do you execute data transfer? Is it scp? Check your system usernames, make sure public keys are installed to authorized_keys file for correct user.
I have two servers, A and B. I am trying to ssh from A to B using a private key, and I don't want to provide the password of server B.
I am trying the command below for ssh:
ssh -i <generated_private_key> <user>@<host name>
The private key is perfectly fine, but this command is still asking for a password.
In order to use a passwordless ssh connection you need to place the contents of ~/.ssh/id_rsa.pub (id_rsa.pub is just an example, it could be anything you used during generation) of user@local_machine into the ~/.ssh/authorized_keys of some_user@remote_machine.
Further if other issues exist then you should check /var/log/ for the error.
Edit1:
Based on comments (thanks to @Crazy), if you used a passphrase during creation of the key then you need to recreate the key without the passphrase.
I want to copy directories with scp from server A to a remote server B. As I want to do this with a script, I generated a private and a public key for the server, which work fine with WinSCP.
But when I try to copy with a shell script
scp -i <DIR>/key.ppk $tmpDirA/*.war $username@$server:$TmpDirB
I'm getting asked for the passphrase
Enter passphrase for key '<DIR>/key.ppk'
even though the passphrase was left empty when generating the keys.
Both servers (openSUSE) have OpenSSH, protocol 2, and the keys are RSA keys.
These keys are not generated with server A. Does it matter?
I can't see what point I'm missing. So thanks for any help.
Are you trying to use a PuTTY private key? OpenSSH does not support PuTTY private key files, but PuTTYgen can export to a format OpenSSH understands.
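A quick way to tell which case a key file falls into before handing it to scp or ssh in a script (an added example, not part of the original answers). The function names `key_format` and `key_hint` are hypothetical, and the check reads header lines only.

```shell
#!/bin/sh
# Added example: classify a private key file from its header lines only.
# Prints: putty-ppk | putty-ppk-encrypted | pem | pem-encrypted | openssh | unknown
key_format() {
    file=$1
    [ -r "$file" ] || { echo "unreadable"; return 1; }
    first=$(sed -n '1p' "$file" | tr -d '\r')
    case $first in
        PuTTY-User-Key-File-*)
            # PuTTY names the cipher on the "Encryption:" header line.
            if grep -q '^Encryption: none' "$file"; then
                echo "putty-ppk"
            else
                echo "putty-ppk-encrypted"
            fi ;;
        "-----BEGIN OPENSSH PRIVATE KEY-----")
            # The cipher name is inside the base64 body, so the header
            # alone does not show whether a passphrase is set.
            echo "openssh" ;;
        "-----BEGIN ENCRYPTED PRIVATE KEY-----")
            echo "pem-encrypted" ;;
        "-----BEGIN "*"PRIVATE KEY-----")
            # Legacy PEM flags encryption with a Proc-Type header.
            if grep -q '^Proc-Type: 4,ENCRYPTED' "$file"; then
                echo "pem-encrypted"
            else
                echo "pem"
            fi ;;
        *) echo "unknown" ;;
    esac
}

# Map the format to what an unattended scp/ssh run will do with the key.
key_hint() {
    case $(key_format "$1") in
        putty-ppk*)    echo "convert: export an OpenSSH key from PuTTYgen" ;;
        pem-encrypted) echo "prompts: load the key into ssh-agent first" ;;
        pem)           echo "ok: usable without a prompt" ;;
        openssh)       echo "check: passphrase state not visible in header" ;;
        *)             echo "reject: not a recognised private key file" ;;
    esac
}
```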
Are you sure ssh chooses the right key when copying?
Create a config file in ~/.ssh and define different hosts there, this ensures that ssh chooses the correct key.
Linux man page
I have 2 servers with which I work: first one is application server and another one is archival server.
I access both of these servers using F-Secure SSH Client using the same user id and public-private key pair for authentication. It means that private key is stored on the Windows machine and public key is stored on both servers.
Now I need to access archival server from application server. To do that I have to do a key exchange first.
What is a standard approach in this case? Do I just copy my private key from Windows to the application server? Would it compromise security? Or do I need to generate a new key pair?
I appreciate your help!
P.S. I am relatively new to Unix administration, so don't be very hard on me :)
The standard approach is:
Generate on each machine/user a new private/public key pair
Use authorized keys file in .ssh and add every public key
Copy this authorized keys file to every remote host
Sidenote: The authorized key file as well as the key pairs are user@machine related
Sidenote2: Usually ppl block root completely from this process. Root should be neither accessible via pw auth nor with key auth.
@fyr's answer is correct, however you don't need to manually add or copy anything. You can do it with ssh-copy-id.
Assuming that the SSH server on your new machine is already running, from your old machine (which already has an SSH key pair, if not run ssh-keygen), run
ssh-copy-id -i ~/.ssh/mykey user@host
where the -i parameter denotes the location of your public key. The ssh-copy-id tool will add the .pub extension if necessary, so it won't be trying to send your private key.
A real-world example of this, let's say to exchange keys with a Raspberry Pi, would be:
ssh-copy-id -i ~/.ssh/id_rsa pi@192.168.1.11
This will ask for your password, but just once. If the key exchange is successful, you'll be able to ssh into it without needing a password.
I'm new to shell scripting (and not well traveled in the world of Linux) and am trying to get a shell script to automatically log into an sftp server with my given. Now this is how far I've gotten
#!/bin/bash
HOST='somehost.com'
USER='someusername'
PASSWD='somepass'
sftp $USER@$HOST
Now this is where I run into trouble. At this point I will be prompted for a password. So how do I get the script to automatically reply with the password when prompted for it? I also tried finding a way to pass along the password with the sftp command, but with no luck. Can anyone help me figure this out?
Use this code:
#!/bin/bash
HOST='somehost.com'
USER='someusername'
PASSWD='somepass'
echo $PASSWD | sftp $USER@$HOST
It's not a good idea to include the password in a command line or such a script. Anyone who has access to the list of running processes could see your password, it could end up in your shell history and log files. So this would create a security hole.
There is more info in this thread where key based authentication is recommended over your proposed method.
Do not store passwords in script files, unless you are compulsive obsessive about keeping your permissions absolutely tight.
For all things ssh/sftp/scp, use public key authentication. Learn about the settings you can set on both the client and the server ends to make it more secure (IP restrictions, user restrictions, cipher restrictions, number of retries, number of simultaneous logins, etc.). That alone should eliminate a lot of insecurity due to scripting issues.
If you absolutely must store a password in a variable, do not export it, and unset it the moment you get done using it.
On the local host (where the script will be executed) generate an ssh key pair:
scriptuser@scripthost:/~$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/michal/.ssh/id_rsa): {press ENTER!}
(...)
Copy the generated public key from scripthost to somehost.com and append it to the list of authenticated hosts:
scriptuser@scripthost:/~$ cat ~/.ssh/id_rsa.pub | ssh someuser@somehost.com 'cat >> .ssh/authorized_keys'
Now you should be able to use scp or sftp without a password:
scriptuser@scripthost:/~$ scp /any/local/file someuser@somehost.com:/remote/location/
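The append step above, written so that repeating it does not leave duplicate entries in authorized_keys and so that the file permissions satisfy sshd's StrictModes check (an added example, not part of the original answer). The function name `install_pubkey` is hypothetical, and the target file is assumed to live in the account's own .ssh directory.

```shell
#!/bin/sh
# Added example: install a public key into an authorized_keys file once,
# with the permissions sshd's StrictModes check expects.
# Usage: install_pubkey PUBKEY_FILE AUTHORIZED_KEYS_FILE
install_pubkey() {
    pub=$1
    auth=$2
    # An ssh-keygen .pub file is one line: "keytype base64-blob [comment]".
    # The blob identifies the key regardless of the comment.
    blob=$(awk 'NF >= 2 { print $2; exit }' "$pub")
    [ -n "$blob" ] || { echo "no key in $pub" >&2; return 2; }

    dir=$(dirname "$auth")
    mkdir -p "$dir" && chmod 700 "$dir"
    touch "$auth" && chmod 600 "$auth"

    if grep -qF -- "$blob" "$auth"; then
        echo "present"          # already authorised, leave the file alone
        return 0
    fi
    # Guard against a last line without a newline, which would glue the
    # new key onto the previous entry and break both.
    if [ -s "$auth" ] && [ -n "$(tail -c 1 "$auth")" ]; then
        echo >> "$auth"
    fi
    awk 'NF >= 2 { print; exit }' "$pub" >> "$auth"
    echo "added"
}
```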
Use the sshpass command.
You can give the password along with the command.
system("ssh test.host.com");
It's asking whether to permanently add the key or not.
I want it to automatically say yes!
The fact that ssh asks if you want to connect even if the host's public key isn't checked yet is the result of having StrictHostKeyChecking ask (or yes) in your /etc/ssh/ssh_config or ~/.ssh/config. You can set it to no if you want to automatically add unknown host keys to your known_hosts file. If you don't want to make this a permanent configuration change, you can also use it on the command line:
system("ssh -o StrictHostKeyChecking=no test.host.com");
In either case, ssh will issue a warning on host key mismatches and will disable password authentication because of possible man-in-the-middle attacks. You can still login with public-key authentication.
Someone has to agree that the first key is valid. You could require users to add the pertinent information to ~/.ssh/known_hosts manually (or do it yourself).
Run the SSH Agent before you start your application and use it to add a key (option in the menu on Windows or use ssh-add from the command line on Unix).
As Nathon mentioned, the right way to fix this is to get the host's key in your list of known keys. The simple way is to ssh to the host once manually and answer yes, and then the key will be cached in $HOME/.ssh/known_hosts. This has to be done for each host you will connect to and for each user that will run the program. If you have admin rights on the system you're running ssh from, you can also add the host keys to /etc/ssh/ssh_known_hosts to make them available to all users.
If you don't know what host the script will connect to you might need to look into a module like Expect to watch for and respond to the host key prompt. Although automating this step subverts some of the security ssh provides.
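Pre-seeding the known hosts file, as the answers above recommend, can be scripted without disabling host key checking (an added example, not part of the original answers). The function name `pin_host_key` is hypothetical; it assumes the key was obtained out of band and that the file uses plain, unhashed host names.

```shell
#!/bin/sh
# Added example: pin a host key that was verified out of band into a
# known_hosts file, and refuse to overwrite a different key.
# Usage: pin_host_key KNOWN_HOSTS_FILE HOST KEYTYPE BASE64_KEY
# Prints "added", "match" or "MISMATCH" (MISMATCH also returns 1).
pin_host_key() {
    kh=$1
    host=$2
    ktype=$3
    blob=$4
    touch "$kh"
    # Plain entry: "name1,name2 keytype base64-key [comment]".
    # Comment lines (#), marker lines (@...) and hashed names (|1|...)
    # are skipped; this example assumes unhashed entries.
    known=$(awk -v h="$host" -v t="$ktype" '
        $1 !~ /^[#@|]/ && $2 == t {
            n = split($1, names, ",")
            for (i = 1; i <= n; i++)
                if (names[i] == h) { print $3; exit }
        }' "$kh")
    if [ -z "$known" ]; then
        printf '%s %s %s\n' "$host" "$ktype" "$blob" >> "$kh"
        echo "added"
    elif [ "$known" = "$blob" ]; then
        echo "match"
    else
        # A different key is already pinned: do not touch the file.
        echo "MISMATCH"
        return 1
    fi
}
```

With the file populated this way, the script can connect with `-o StrictHostKeyChecking=yes -o UserKnownHostsFile=<that file>` and never reach the interactive prompt.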