Kerberos and ssh multiple identities - linux

Perhaps the answer to this question is that it is not possible, but hopefully someone knows how to get around this issue. In the past, before the admins configured Kerberos on our school machines, I was able to create ssh keys for several purposes. The way this was done was via the ~/.ssh/config file on my machine and the ~/.ssh/authorized_keys file on the server. An example of my ssh config file goes as follows:
Host sayHI
IdentityFile path/to/sayHiPrivateKey
HostName servername
User myusername
Host sayHey
IdentityFile path/to/sayHeyPrivateKey
HostName servername
User myusername
Then in the authorized_keys file I would have
command="echo hi" ssh-rsa sayHiPublicKeyLONGSTRING....
command="echo hey" ssh-rsa sayHeyPublicKeyLONGSTRING....
ssh-rsa otherkeysformypasswordlessentry
With this setup I could do something like
$ ssh sayHI
hi
$ ssh sayHey
hey
Unfortunately, this has now stopped working since we are now using Kerberos to authenticate every day. What this means is that now I have to do
$ kinit username@SERVERNAME
Once I put in my password I can use ssh as follows:
$ ssh -K username@hostname
and now I have access. If I do
$ ssh sayHi
this will not work since it asks for my password. If I do
$ ssh -K sayHi
this logs me in, but it completely ignores the fact that this was supposed to use an identity so that I can run the command echo hi. Instead it just uses the Kerberos credentials and logs me in. So now that I have explained the functionality that I once had, does anyone know if it is possible to recover this using Kerberos and ssh? The multiple identity files were useful, especially if you wanted to let a friend run a command on your behalf without giving them your password (http://docstore.mik.ua/orelly/networking_2ndEd/ssh/ch08_02.htm). I really hope this is still possible somehow. Thanks in advance.

It depends on whether the server still accepts pubkey authentication or not (it looks like it does not, otherwise the Kerberos authentication wouldn't make any sense).
Depending on the vendor of the OS, it might be possible to set up .k5login, but it will probably not solve the issue. A better way to differentiate between the commands would be to use some aliases on your client:
alias sayHi="ssh -K host echo Hi"
alias sayHello="ssh -K host echo Hello"
in your ~/.bashrc.
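The forced-command entries in the question are the part of this setup worth keeping whatever the authentication method. As an added example, not part of the original question or answer, the helper below assembles such an authorized_keys line with the restrict option (OpenSSH 7.2 and later) in front of command=, and the dispatcher shows how a single forced command can safely honour a client-supplied verb through SSH_ORIGINAL_COMMAND by matching it against an exact allowlist. The key file, key comment and verb names are hypothetical.

```shell
# Added example (not from the original question or answers): a helper that
# emits a locked-down authorized_keys entry for a single-purpose key, and a
# dispatcher of the kind a forced command would exec. Paths, key comments and
# the verb list are hypothetical.

# forced_key_entry PUBKEY_FILE COMMAND
# Prints one authorized_keys line. "restrict" (OpenSSH 7.2+) turns off pty
# allocation, agent/port/X11 forwarding and user rc files, so the key can do
# nothing but COMMAND.
forced_key_entry() {
    pubkey_file=$1
    cmd=$2
    # a double quote inside COMMAND would terminate the options field early
    case "$cmd" in
        *\"*) echo "command must not contain double quotes" >&2; return 1 ;;
    esac
    # keep only key type and blob; the comment field is dropped so a stray
    # quote or "#" in it cannot corrupt the options field
    key=$(awk 'NR==1 {print $1 " " $2}' "$pubkey_file")
    printf 'restrict,command="%s" %s\n' "$cmd" "$key"
}

# dispatch VERB
# When command= is in force, sshd exports what the client actually asked for
# in SSH_ORIGINAL_COMMAND; a wrapper should compare it against an exact
# allowlist rather than eval it.
dispatch() {
    case "$1" in
        hi)  echo hi ;;
        hey) echo hey ;;
        "")  echo "no verb given" >&2; return 1 ;;
        *)   echo "rejected: $1" >&2; return 1 ;;
    esac
}

# Stand-alone demo with a constructed public key (not a real key).
demo_key=$(mktemp)
printf 'ssh-ed25519 AAAAC3constructedblob user@laptop\n' > "$demo_key"
forced_key_entry "$demo_key" 'echo hi'
dispatch hi
rm -f "$demo_key"
```

On the server, the wrapper would be installed as the command= target and called with "$SSH_ORIGINAL_COMMAND"; because the options field ends at the first unescaped double quote, the generator refuses commands containing one instead of emitting a broken line.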

Related

Shell script remotely

I have one script running on server and doing some job on other server
I have many scp commands and ssh commands, this is why each time I have to enter the remote server password at each remote command.
is there any way to establish ssh connection between the servers so I type the remote password only once?
thanks
I would suggest setting up an ssh config together with ssh keys. In a nutshell, the config will hold an alias for one or more remote servers.
ssh remote_server1
ssh remote_server2
While your config file will look something like this:
Host remote_server1
Hostname 192.168.1.12
user elmo
IdentityFile ~/.ssh/keys/remote.key
...
If an ssh config file is not for you (although I can highly recommend it), you can use sshpass as well.
sshpass -p 't#uyM59bQ' ssh username@server.example.com
Do note that the above does expose your password. If someone else has access to your account, the history command will show the code snippet above.

The differences between ssh hostname and ssh [user@]hostname

When I issue ssh -v hostname, it tells me successful. But permission denied (publickey) when issuing ssh -v user@hostname. What's the difference between them? I tried to solve this problem in some ways, but they weren't effective. Such as:
chmod 700 ~/.ssh/
chmod 600 ~/.ssh/authorized_keys
restorecon ~/.ssh/authorized_keys
I guess the problem is about context, because after issuing ssh -v hostname, the debug information tells me unable to get valid context. And issuing ssh [user@]hostname it authorized id_rsa, id_ecdsa, and id_ed25519 and skipping id_dsa (probably the config setting).
When user isn't specified, the .ssh config is searched for a default one for the given host, and if there's none, the same username as on the source machine is used.
To get more information, add copy&paste of the .ssh/config and outputs of both the ssh commands.
When using ssh user@hostname you explicitly try to log in as user on hostname. The login fails because you need to create an authorized_keys file in this user's home too, as you did for the default user which is used when user is not given. Obviously authentication by password is disabled, else ssh would ask for it.

Transfer files between local to remote server using ssh without password authentication

I want to transfer some files from my local machine to a remote one, like GitHub does it. I want it to happen very smoothly, like in a shell script. I tried creating one shell script which automates the process of ssh authentication without a password, but for the first time it exposes my remote server password. I don't want to do it that way. Like in git, we can't see their server password. Is there any possible way that we can do this?
I used this article script to automate ssh login. http://www.techpaste.com/2013/04/shell-script-automate-ssh-key-transfer-hosts-linux/
As I mentioned, you can use the scp command, like this:
scp /local_dir/some*.xml remote_user@remote_machine:/var/www/html
This requires that you can connect to the remote machine without a password, only with ssh key authentication.
Here is a link: http://linuxproblem.org/art_9.html to help you.
The important steps: (automatic login from host A / user a to Host B / user b.)
a@A:~> ssh-keygen -t rsa
a@A:~> ssh b@B mkdir -p .ssh
a@A:~> cat .ssh/id_rsa.pub | ssh b@B 'cat >> .ssh/authorized_keys'

Copy files from Linux server using ssh client with different user name

I have this linux machine with ssh server installed, I can access the server using username="ubuntu". ssh server blocks clients that try to connect using "root" username.
So connection can be made by:
ssh -i mykey ubuntu@myserver
I can get files that belong to "ubuntu" using:
scp -i mykey ubuntu@myserver:<file location> ./
However, what I really want is to get files that belong to "root" username, (Note: I can't access the server with username "root" for obvious security reasons).
So is there a way to download files that are under the "root" username?
I was thinking of doing some magic on the server side that enables me to do that (I don't know how :) ).
If this helps: I have root access and I can also create files on my server side, but I'm not allowed to change the file permissions under root (if someone gets hold of these files I'll be fired).
You can try monster like this
ssh ubuntu@myhost 'sudo cat /path/to/file | uuencode' | uudecode > path/to/local
You should have uuencode and uudecode on the corresponding hosts.
Or if the file is text you can skip the uuencode part.
ps: see related topic
You could do it the other way around.
Log into the the pc with the file you want with
ssh ubuntu#myserver
Then gain superuser privileges
sudo su
and then copy the files you want
scp /the_file_you_want ubuntu@myhost:/the_location_and_filename_you_want
Some other ways you can find here
https://unix.stackexchange.com/questions/106480/how-to-copy-files-from-one-machine-to-another-using-ssh
enable ssh on your machine
(if fedora) (for ubuntu you can find command on google easily)
service sshd start
From your local machine
ssh -i mykey ubuntu@myserver
change to root
su
enter password
and copy files using scp
scp somefile.extension randomuser@localmachine:/some/path/
I hope it helps
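The uuencode pipeline in the first answer moves the bytes, but the receiving side has no way to notice a truncated or altered stream. As an added example, not from any of the answers, the functions below pack a file as a sha256 header followed by a base64 body (base64 is swapped in for uuencode; both are plain text encoders) and refuse to keep the decoded copy when the digest does not match. The demo exercises the pair locally on a constructed file; on a real host the pack side would run inside the ssh command string, and the sudoers rule for the ubuntu account is best narrowed to that single read command rather than a blanket sudo.

```shell
# Added example (not from the original answers): integrity-checked transfer
# of a file over a text pipe. Exercised locally on a constructed file; the
# host names and paths in the comments are hypothetical.

# hash_of: sha256 of stdin, portable between coreutils and macOS
hash_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum | cut -d' ' -f1
    else
        shasum -a 256 | cut -d' ' -f1
    fi
}

# pack FILE
# Prints "sha256 <digest>" on the first line, then the base64 body.
# On the server this is what would run under sudo, e.g.
#   ssh ubuntu@myserver 'sudo /usr/local/bin/pack /path/to/file' | unpack ./copy
pack() {
    f=$1
    printf 'sha256 %s\n' "$(hash_of < "$f")"
    base64 < "$f"
}

# unpack DEST
# Reads pack() output from stdin, decodes to DEST and, if the digest of the
# decoded bytes differs from the header, removes DEST and returns non-zero.
unpack() {
    dest=$1
    read -r tag expected
    [ "$tag" = sha256 ] || { echo "unpack: bad header" >&2; return 2; }
    base64 -d > "$dest"
    actual=$(hash_of < "$dest")
    if [ "$actual" != "$expected" ]; then
        rm -f "$dest"
        echo "unpack: digest mismatch, discarded $dest" >&2
        return 1
    fi
}

# Stand-alone demo with a constructed source file.
demo=$(mktemp -d)
printf 'secret config line\n' > "$demo/src"
pack "$demo/src" | unpack "$demo/dst" && cat "$demo/dst"
rm -rf "$demo"
```

Because read consumes only the header line from the pipe, base64 -d sees exactly the body; a mismatch leaves no partial file behind, which is what you want when the content is something you would be fired for leaking half of.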

adding private key to ssh agent

I was referring to http://www.mtu.net/~engstrom/ssh-agent.php
My public key is listed under ~/.ssh/authorized_keys at remote1. During SSH login connect,
it's working fine(loaded my private key under connection-Auth), it asked for passphrase which I provided then login is successful.
But when switching between servers, like from remote2 doing SSH to remote1, it would ask for a password. I am trying to set up SSH agent forwarding according to that site but to no avail... ssh-add never prompts me for the private key passphrase. Or was what I was doing wrong while trying to follow the process described?
I basically did
$ eval "$(ssh-agent)"
$ ssh-add (some do ssh-add ~/.ssh/id_rsa; I wonder what id_rsa is referring to, as I only have the auth_keys file under .ssh)
Saw some resources described to do chmod 600 ~/.ssh/authorized_keys, but not sure if that's applicable to my case.
ssh-agent wraps another command; you can, for example, wrap a shell:
ssh-agent bash
Then, in that shell, you need to add your private key and type your passphrase:
ssh-add /path/to/your/private/key # (by default : ~/.ssh/id_rsa)
Then, when you use ssh to connect, add the -A option:
ssh -A user@remote1
That's it, your key is forwarded; you can see it if you type (on remote1):
ssh-add -L
You can now connect to your remote2, using that private key.
Be careful when you use ssh forwarding. Anyone with root access on remote1 could use your identity to connect on remote2 while you are connected.
I am pretty sure that ~/.ssh/authorized_keys must always be chmod 600. This is a sensitive file that must be protected.
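To turn the chmod advice in this answer and in the earlier one (chmod 700 ~/.ssh, chmod 600 ~/.ssh/authorized_keys) into a repeatable check, here is an added example that is not from the original posts: a POSIX shell function that audits a .ssh directory and reports every entry whose mode is looser than those recommendations, treating only *.pub files and known_hosts as public data. The directory it inspects in the demo is constructed on the fly; the default of $HOME/.ssh is an assumption.

```shell
# Added example (not from the original posts): audit the modes of a .ssh
# directory. Demo runs on a constructed directory, not on a real one.

# perms PATH: the nine permission characters, e.g. rwx------
perms() {
    ls -ld "$1" | cut -c2-10
}

# audit_ssh_dir [DIR]
# Prints one FAIL line per problem and returns non-zero if any were found.
# The directory must be 0700; private keys, authorized_keys and config must
# be 0600 (0400 is accepted); *.pub and known_hosts are public and skipped.
audit_ssh_dir() {
    dir=${1:-$HOME/.ssh}
    rc=0
    [ -d "$dir" ] || { echo "FAIL $dir is not a directory"; return 1; }
    case "$(perms "$dir")" in
        rwx------) ;;
        *) echo "FAIL $dir mode is $(perms "$dir"), want rwx------ (0700)"; rc=1 ;;
    esac
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        case "$f" in
            *.pub|*/known_hosts) continue ;;
        esac
        case "$(perms "$f")" in
            rw-------|r--------) ;;
            *) echo "FAIL $f mode is $(perms "$f"), want rw------- (0600)"; rc=1 ;;
        esac
    done
    [ "$rc" -eq 0 ] && echo "OK $dir"
    return "$rc"
}

# Stand-alone demo on a constructed directory with one deliberate mistake.
demo=$(mktemp -d)
mkdir "$demo/.ssh" && chmod 700 "$demo/.ssh"
printf 'ssh-ed25519 AAAAconstructed user@laptop\n' > "$demo/.ssh/authorized_keys"
chmod 644 "$demo/.ssh/authorized_keys"   # too permissive on purpose
audit_ssh_dir "$demo/.ssh"
chmod 600 "$demo/.ssh/authorized_keys"
audit_ssh_dir "$demo/.ssh"
rm -rf "$demo"
```

For the agent-forwarding risk named in the answer above, two OpenSSH options reduce it without giving up the hop: ssh -J remote1 remote2 (ProxyJump) tunnels to remote2 through remote1 so the agent socket never appears on remote1 at all, and ssh-add -c makes the agent ask for confirmation before each use of a forwarded key.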
