I understand the issue but I'm not sure how to fix it :(
Problem story:
I've installed Pageant on my Windows 10 machine and added SSH keys (keys generated through PuTTYgen) into it. I configured a PuTTY session in Windows 10 with agent forwarding to access the servers (Linux) without typing credentials.
Whenever I open a PuTTY session to log in to any server, PuTTY talks to Pageant and loads/uses my credentials without my having to enter them.
The keys are deployed to all our servers; when I ssh from one server to another server, Pageant works fine and I am able to access them, no issue at all until Pageant is inactive... I'm happy up to this part.
When I use ssh in a cron auto job, it is unable to get the keys from Linux to Pageant (Win10).
How do I make this run in Linux (cron)?
Of course not, as cron does not run in the context of your SSH session.
So it cannot talk to your local Pageant.
Even if cron knows which user created the job, how could it know which of the potentially many SSH sessions you have opened it should query for the keys? And what if you actually do not have any SSH session open? The cron job should work even when you are not connected to the server.
You have to have the keys stored on the server where cron runs. There's no way around that.
Let's state a situation:
I have the possibility to run arbitrary commands on a server as an unprivileged user, through "unconventional means".
I do not have the possibility to log in using ssh to that server, either as my unprivileged user or as anything else. So I currently do not have a CLI allowing me to run any commands I would like in a "normal" way.
I can ping that server and nothing prevents me from connecting to arbitrary ports.
I would still like to have a command line allowing me to run arbitrary commands as I wish on that server.
Theoretically nothing would prevent me from launching any program as my unprivileged user, including one that would open a port, allow some remote user to connect to it and just forward any commands to bash, returning the result. I just don't know any good program to do that.
So, does anyone know? I looked at ways to launch ssh_server as an unprivileged user but some users reported that recent versions of ssh_server do not allow that anymore. Actually I don't even need ssh specifically, any way to get a working CLI would do the trick. Even a crappy node.js program launching an http server would work, as long as I have a CLI (... and it's not excessively crappy, the goal is to have a clean CLI, not something that bugs every two characters).
In case you would ask why I would like to do that, it's not related to anything illegal ^^. I just have to work with a very crappy Jenkins server for which I'm not allowed to have direct access to its agents. Whoever is responsible for that server doesn't give a sh** about its users' needs, so we have to use hacky solutions just to have some diagnostic data about that server (like RAM, CPU and disk usage, installed programs, etc.). Having a CLI that I can launch at some point, instead of altering a build configuration and waiting 20 minutes to get an answer about what's going on, would really help.
Thanks in advance for any answer.
So do you have shell access to the server at least once? E.g., during the single day of the month when you are physically present at the site of your client or the outsourcing contractor?
And if you have shell access then, can you or your sysadmin install Cockpit?
It listens on port 9090.
You can then use the credentials of your local user and open a terminal window in your browser. See the sidebar item "Terminal" on the screenshots of the Cockpit homepage.
According to the documentation:
Cockpit has no special privileges and doesn't run as root. It creates a session as the logged in user and has the same permissions as that user.
First of all, I am aware that this question has been posted several times on Stack Overflow here, here, here, as well as in some other places.
However, I decided to open a new thread (and take the risk of being downvoted) because I don't think there is an actual issue with my machine, but with PuTTY.
Environment description
In a nutshell, I have a Windows machine running a virtual machine (VMware).
Host machine: Windows 7 (64 bit)
Guest machine: CentOS 6 with a graphical windows environment.
Network connection perfectly set up, so no problems with the firewall. Both machines are pingable from each other, and I can surf the internet from both.
SELinux disabled on the guest machine.
PuTTY is properly configured (or so I think). The reason to back up that statement is that I can SSH to the guest machine from the host machine with the encrypted SSH keys that I created for that matter. However, I think there is still some configuration missing. Keep reading.
I have configured Gitolite on the guest machine, and it is up and running.
Although not relevant for this issue, I have a Samba share configured on the guest machine, where I have all my repos. The share is accessible from the host machine, and I can edit the files with no problem whatsoever.
VM Player 7
Guest machine recently restarted and no additional commands have been issued.
PuTTY installed on the host machine
Case scenario #1 (it works)
This case scenario describes the behaviour I expect to achieve. Basically, this procedure is being done within the VM itself. That means, by operating the machine through the VM Player.
Open a terminal as root
service sshd status yields openssh-daemon (pid 1557) is running...
ssh-add -l yields 2048 1b:31 [...] b8:de Git Admin (RSA), 2048 d2:58 [...] f6:2b pando (RSA) and 2048 be:9b [...] dc:e9 web (RSA). These are the three users I have configured in my virtual machine. The SSH keys have been automatically loaded and added to the list of identities of the SSH agent.
Log out as root from the CLI. I am now a standard user (the pando user).
Edit one file in one of the repos
git commit -a -m "My message" is successful because the Git Admin key is in the identity list of the SSH agent
git push origin master is also successful, for the same reasons
Case scenario #2 (it does not work)
This case scenario describes the same procedure, but from the PuTTY terminal. I added to Pageant the same SSH keys as described in Case Scenario #1, point 3. It looks like everything is OK with PuTTY, because I can successfully SSH to my virtual machine.
Open the PuTTY terminal. I am logged in as user pando (which is one of the identities mentioned in Case Scenario 1).
su
service sshd status yields openssh-daemon (pid 1557) is running... (notice that it is the same result as we got in point #2 of the first case scenario)
ssh-add -l yields Could not open a connection to your authentication agent
Because the previous step failed, I have all the issues described in the hyperlinked threads at the beginning of this post.
Now, I am familiar with the procedure of eval $(ssh-agent) and then manually adding the SSH keys from my SSH folder. In fact, I do that every time I SSH to the virtual machine. But I would actually prefer not to do it.
I am also familiar with adding some script to the .bashrc file, but the last time I did it, I got a collateral effect with Puppet.
So the basic question is: what's the difference between both case scenarios, even though I am using the same SSH keys? Is it that Pageant is not forwarding the keys? If so, why am I able to SSH to my machine? Why should I change the .bashrc file of my pando user in the second case scenario, when I can achieve exactly the same thing without it in the first case scenario? I guess I am missing a fundamental piece of information here.
Hope that makes sense.
Regards.
openssh-daemon and the authentication daemon are not the same thing. You are interested in the authentication one, aka ssh-agent, which is your personal key store. The openssh-daemon, aka sshd, is a server that runs system-wide and accepts connections to your computer.
Desktop environments usually start authentication agents (ssh-agent, seahorse, gnome-keyring) by default, so ssh-add works for you. But the connection is stored in environment variables, which are dropped in the transition from your user to the superuser (su).
You can allow the connection to persist using the -m switch to su. This will preserve environment variables and so your connection to the authentication agent.
What's the difference between both case scenarios, even though I am using the same SSH keys?
There should be no difference, except the su part dropping environment variables and not executing .bashrc and similar scripts when changing user (you can force su to behave the same way as a login shell using su -l, but that is not the problem). The problem is that the connection to the authentication agent is preserved as an environment variable and a UNIX domain socket, which gets lost during su. You can use su -m; it should work for you.
Is it that Pageant is not forwarding the keys?
Forwarding needs to be allowed in PuTTY:
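As an added diagnostic (not part of the answer above), this script checks the two pieces the agent connection actually consists of, the SSH_AUTH_SOCK variable and the UNIX socket it names, and shows that an environment reset like the one a plain su performs drops the variable while passing it through (what su -m does) keeps it; the example socket path is an assumption.

```sh
#!/bin/sh
# Added diagnostic, not from the original answer. The agent connection that
# `ssh-add -l` needs is nothing more than the SSH_AUTH_SOCK variable plus the
# UNIX socket it names; plain `su` starts the new shell without that variable,
# `su -m` keeps it. (`ssh-add -l` itself exits with 2 when it cannot reach an agent.)

# agent_status [SOCK]: diagnose the agent connection. Uses $SSH_AUTH_SOCK when
# no argument is given. Returns 0 = usable socket present, 1 = variable unset
# or empty (what a plain su leaves you with), 2 = variable set but the path is
# not a socket (stale agent, or the session was not forwarded).
agent_status() {
    sock="${1-$SSH_AUTH_SOCK}"
    if [ -z "$sock" ]; then
        echo "SSH_AUTH_SOCK is unset: no agent reachable from this shell"
        return 1
    fi
    if [ ! -S "$sock" ]; then
        echo "SSH_AUTH_SOCK=$sock but that path is not a live socket"
        return 2
    fi
    echo "agent socket present at $sock"
    return 0
}

# survives_env_reset MODE: test whether SSH_AUTH_SOCK is still visible inside a
# freshly built environment (env -i), the way su builds one. MODE "plain" drops
# every variable (like su); MODE "keep" passes SSH_AUTH_SOCK through (like
# su -m). Returns 0 if the variable survived, 1 otherwise.
survives_env_reset() {
    sock="${SSH_AUTH_SOCK:-/tmp/assumed-agent.sock}"   # assumed example path
    if [ "$1" = "keep" ]; then
        env -i SSH_AUTH_SOCK="$sock" sh -c '[ -n "$SSH_AUTH_SOCK" ]'
    else
        env -i sh -c '[ -n "$SSH_AUTH_SOCK" ]'
    fi
}
```

Run agent_status in the PuTTY session before and after su to see which of the two pieces went missing.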
I would like to generate a few VMs by script and then, depending on some variables, connect to them and make changes there (download/untar/run something). Everything automatically from another script.
The VMs are reachable via IP, but the question is how to connect to them with ssh without any password request. Security is not an issue.
The best for me would be if ssh could take the password from some file.
Most of the answers I found were using sshpass or expect, but as I want to be sure that those scripts can be run from everywhere, I don't want to use a "non-standard" application.
Any idea?
Thank you!
Create a public key that will be common to these temporary VMs.
Once the VM is alive, copy the common key to it using ssh-copy-id.
There are tutorials online, I'm sure.
How can I execute a process on a remote machine running Linux without ssh? Since the machine is scheduled to PXE boot periodically, the SSH key will change, and executing the process through a script using ssh is ruled out.
Any idea on how it can be done?
Thanks
If your only problem with ssh is that you can't use key-based authentication, you don't have to rule out ssh entirely, you just have to automate password-based authentication.
This project looks like it might be a good solution.
This should be more secure than http or telnet, as long as you keep your password and any files that contain it well guarded (which you would have to do with keys anyway).
You can do it via http, but I think this way is not safe.
For example, you can write a PHP script:
<?php
// Only run the program when the request comes from the local host itself.
if ($_SERVER['REMOTE_ADDR'] == '127.0.0.1') {
    system("./yourPrograme");
}
?>
How about telnet? It's not as secure as SSH though.
I have a need to restart a CentOS service remotely via ssh during an automated, unattended process (executing a build of some software from a build server), but am unsure how to best implement security. Help is needed! ;-)
Environment:
Running an ssh login from a remote box, I want to execute on my server something like:
/sbin/service jetty restart
The ssh call is being made during a Maven build process (probably doesn't affect anything, really).
I want the ssh session to log in with a user that has practically zero permissions on the server except to execute the above.
I can set up shared key access for the ssh session.
Thanks!
Good idea to use an ssh key. You can then use a 'forced command' for that particular key, so it won't be able to run any other commands. See http://www.eng.cam.ac.uk/help/jpmg/ssh/authorized_keys_howto.html
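As an added example (not from the answer or the linked howto), here is a wrapper script to use as the forced command for the build server's key, so that key can trigger only the jetty restart from the question and nothing else; the script path, the key comment and the extra authorized_keys options are assumptions.

```sh
#!/bin/sh
# Added example, not from the original thread. Install as the forced command
# for the build key. Assumed authorized_keys entry on the server (one line,
# key material elided):
#   command="/usr/local/bin/restart-jetty-only.sh",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa AAAA... build@ci
#
# sshd runs this script instead of whatever the client asked for and puts the
# client's request into SSH_ORIGINAL_COMMAND. Exactly one request is allowed;
# anything else (a different service action, a chained command, an empty
# request from an interactive login) is rejected.

ALLOWED="/sbin/service jetty restart"

# check_cmd CMD: return 0 if CMD is exactly the allowed command, 1 otherwise.
# A quoted case pattern is matched literally, so "$ALLOWED; id" or
# "$ALLOWED --foo" do not slip through.
check_cmd() {
    case "$1" in
        "$ALLOWED") return 0 ;;
        *)          return 1 ;;
    esac
}

# Only act when executed by sshd under the installed name; when the file is
# sourced or run under another name (e.g. for testing) nothing is executed.
if [ "${0##*/}" = "restart-jetty-only.sh" ]; then
    if check_cmd "${SSH_ORIGINAL_COMMAND-}"; then
        exec /sbin/service jetty restart
    fi
    echo "rejected: ${SSH_ORIGINAL_COMMAND-<no command>}" >&2
    exit 126
fi
```

The build side then runs ssh -i build_key user@server '/sbin/service jetty restart'; the string must match exactly, and the account still needs the sudo or service permissions the restart itself requires.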