Develop Reference

Passwordless ssh connection from Windows

How can I create an ssh key from Windows and install it on a Linux host using OpenSSH to log in without a password for each connection?

CREATE AND INSTALL SSH KEY
First of all, we need to create a new key in the Windows pc (where we start the connection) using:
ssh-keygen -t rsa
Don't change the default path or remember where you saved the key, it will be used for the next command.
Press enter another two times to avoid using a passphrase (if you don't want it).
After that, if you haven't change the default path, the key will be created into {USERPROFILE}\.ssh\id_rsa.pub.
Now, you can usually use the command ssh-copy-id for installing the key on the remote host, but unfortunately this command is not available on Windows, so we have to install it using this command:
type $env:USERPROFILE\.ssh\id_rsa.pub | ssh {REMOTE_HOST} "cat >> .ssh/authorized_keys"
or if your key is not in the default path:
type {RSA_KEY_PATH} | ssh {REMOTE_HOST} "cat >> .ssh/authorized_keys"
and replace the {RSA_KEY_PATH} with your RSA path.
Replace {REMOTE_HOST} with the remote host IP/Name (like pi#192.168.0.1), launch the command, insert the password if required, and the work is done!
IMPORTANT!
SETTING UP .ssh FOLDER
If the ~/.ssh folder is not existing in your remote host, you need to configure them, this is usually done by the command ssh-copy-id, but we can not access to this power from Windows!
You need to connect to the remote host in ssh and create the .ssh directory and the authorized_keys file for the first time:
ssh {REMOTE_HOST}
Create the .ssh directory:
mkdir ~/.ssh
Set the right permissions:
chmod 700 ~/.ssh
Create the authorized_keys file:
touch ~/.ssh/authorized_keys
Set the right permissions:
chmod 600 ~/.ssh/authorized_keys
NOTE
The authorized_keys is not a folder, if you try to create it using mkdir, the SSH connection passwordless will not work, and if you debug the ssh on the host, you will notice an error/log similar to:
~/.ssh/authorized_keys is not a key file.
ADD YOUR SSH KEY ON YOUR AGENT
Run those two lines on your Windows pc to add the created key on your cmd/powershell:
ssh-agent $SHELL
ssh-add

How to know the SSH key's length?

How to know the SSH key's length?
I'm getting the following error for my git pull just recently,
$ git pull
> GitLab: Your SSH key must be at least 2048 bits.
fatal: Could not read from remote repository.
Please make sure you have the correct access rights
and the repository exists.
where everything had been working fine before.
Instead of guessing (or trial-n-error) which key is the culprit, is it possible to list all my SSH keys' length?
UPDATE:
Only git pull is giving me above error. I.e., my public key is still fine:
$ ssh -T git#salsa.debian.org
Welcome to GitLab, #myid-guest!
The ssh-keygen -lf might not be the answer, as I'm following https://docs.gitlab.com/ee/ssh/, who recommends to use ed25519 as default key, and who also instructs that, to generate a new ED25519 SSH key pair, do ssh-keygen -t ed25519 -C "email#example.com". However, my ssh-keygen -lf reports that
$ ssh-keygen -lf id_ed25519.pub
256 SHA256:PO2bk6B...
It is unlikely that the recommend ED25519 SSH key is only 256 bits long.


Can you try
ssh-keygen -lf keygen.pub

You might have accidentally deleted the public key that Gitlab uses to authenticate you.
I would recommend contacting them, otherwise look up into it.

openWRT Dropbear SSH key authentication fails with "unknown algo"

Good day, I'm trying to figure out how to get a user to ssh into openWRT with only a key.
I followed these instructions:
https://wiki.openwrt.org/oldwiki/dropbearpublickeyauthenticationhowto.
In short:
On a Linux box:
If you haven't already got a
.ssh/id_dsa.pub
ssh-keygen -t dsa
scp ~/.ssh/id_dsa.pub root#192.168.1.1:/tmp
On openWRT:
cd /etc/dropbear
cat /tmp/id_*.pub >> authorized_keys
chmod 0600 authorized_keys
When I try and ssh in, I get this error:
authpriv.warn dropbear[2085]: Pubkey auth attempt with unknown algo for 'MyUser' from 1.2.3.4:11111
I have tried generating a RSA key too, same result.
I can log in as the user using a password:
authpriv.notice dropbear[2089]: Password auth succeeded for 'MyUser' from 1.2.3.4:11111

Maybe it's the problem of the OpenWRT version.
Try ${HOME}/.ssh/authorized_keys instead.

travis-ci - ssh-add asking for my passphrase

I am working on a continuous integration with Travis CI.
This is my configuration:
before_install:
- echo -e "Host *\n\tStrictHostKeyChecking no\n" > ~/.ssh/config
- echo -e $id_rsa.pub > ~/.ssh/id_rsa.pub
- echo -e $id_rsa > ~/.ssh/id_rsa
- sudo chmod 600 ~/.ssh/*
- sudo chmod 644 ~/.ssh/config
- eval `ssh-agent -s`
- ssh-add ~/.ssh/id_rsa
...
$ ssh-add ~/.ssh/id_rsa
Enter passphrase for /home/travis/.ssh/id_rsa:
On the ssh-add step, it ask me the passphrase and it's stop the deployment. I have tested with an other ssh key without passphrase but it don't fix my issue.
I have tested lot of solution like yes $MY_PASSWORD | ssh-add ~/.ssh/id_rsa or echo "$MY_PASSWORD" | ssh-add ~/.ssh/id_rsa but it don't works.
I have added to my .ssh/config (you can see it in my config):
Host *
StrictHostKeyChecking no
isn't it supposed to make it don't ask me the passphrase ?
Maybe someone have an idea ?
Thanks :)

You are using encrypted private key (which is good), but it needs the passphrase (which is bad for scripting). There are several possibilities you can proceed:
Remove the passphrase from the key and use it unencrypted (less secure)
ssh-keygen -p -P "old_passphrase" -N "" -f ~/.ssh/id_rsa
Use sshpass tool to unlock the key (storing the passphrase next to the key in the script basically defeats the security of encrypted key)
sshpass -p passphrase ssh-add ~/.ssh/id_rsa

I had resolved my problem.
I had different problem in basic utilisation of environment variables and echo.
My environment variables names were not good. "$id_rsa.pub" in travis was interpreted by $id_rsa . ".pub" so it added some wrong characters to my content. I renamed it to id_rsa_pub.
I forget to transform " " in "\ " and newlines by "\n" and with travis and his environment variables, you must write "\\n" instead of just "\n".
My issue was in part because bad ssh files, and because I use a rsa key with password. In my case it's not important to have a password so i deleted it.
For that i use the answer of jakuje. My ssh key is now installed correctly in each builds.
Thank you for your help !

How to enter private key password with ansible

I have the vagrant virtual machine running.
I can ssh into it using ssh vagrant#192.168.0.28 then it ask me the pass phrase for the private key , which I can enter and then it logs me in.
but if I use:
ansible all -m ping
then I get this:
192.168.0.28 | FAILED => FAILED: ssh moor#192.168.0.28:22 : Private key file is encrypted
To connect as a different user, use -u <username>.
How can I enter pass phrase in ansible?
I tried ansible -k but it says authentication failed.

Try using ssh as the transport. Generally, Ansible uses paramiko which is not as friendly for interactive sessions:
ansible all -c ssh -m ping
If that doesn't work, I didn't see anything on running Ansible with an ssh key pass phrase on the documentation or in the code, so you might have to remove it with something like this:
openssl rsa -in private_key_with_pass_phrase -out private_key_without_pass_phrase

i have tried
cd ~/.ssh/
openssl rsa -in id_rsa -out id_rsa_without_pass_phrase
and got error
unable to load Private Key
routines:get_name:no start line:../crypto/pem/pem_lib.c:745:Expecting: ANY PRIVATE KEY
solution was to run this command:
cd ~/.ssh/
ssh-keygen -p -f id_rsa -m PEM