First I will explain my architecture briefly.
OpenLDAP server: Ubuntu 14.04 machine with OpenLDAP installed. I followed this article:
https://www.digitalocean.com/community/tutorials/how-to-install-and-configure-a-basic-ldap-server-on-an-ubuntu-12-04-vps
I have added a schema for sshPublicKey for every POSIX account.
OpenLDAP client: Ubuntu 14.04 with libpam-ldap and nscd installed. Again I followed the DigitalOcean link:
https://www.digitalocean.com/community/tutorials/how-to-authenticate-client-computers-using-ldap-on-an-ubuntu-12-04-vps
I changed the sshd_config file on the OpenLDAP client machine and provided AuthorizedKeysCommand /my/script, which queries the LDAP server and gets the SSH key, and then I have key-based SSH authentication.
This is working fine so far. Also I have an ubuntu user, which is a local user and is not managed by LDAP.
Now when I stop the slapd daemon on the OpenLDAP server machine, my active SSH session as the ubuntu user on the client machine hangs (not able to restart any service or run basic commands like ls or cat). Even when I try to log into the client machine as the ubuntu user, which is not managed by LDAP, it fails (the authentication succeeds, but it fails to get the environment variables and open an interactive session).
Excerpt from ssh -v ubuntu@IP:
debug1: Authentication succeeded (publickey).
Authenticated to 54.200.221.217 ([54.200.221.217]:22).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
It gets stuck there and then times out.
What is the reason behind this? Also, is there any flaw in my architecture? I don't want password-based SSH as it is prone to hacking.
The reason is that you stopped slapd, of course, and the cure is not to do it. It should be running at all times.
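An added example, not the poster's /my/script and not part of the answer above, of the AuthorizedKeysCommand the question describes: it fetches the user's sshPublicKey values with ldapsearch under a hard time limit, escapes the username before placing it in the search filter, and unfolds the LDIF that ldapsearch prints, so when slapd is down the key lookup fails closed quickly instead of leaving sshd waiting (the NSS/PAM lookups that hang the ubuntu user's session are a separate matter). Assumed: ldap-utils is installed; LDAP_URI and BASE_DN are placeholders for your own directory.

```shell
#!/bin/sh
# AuthorizedKeysCommand helper (added example, not the poster's /my/script).
# sshd calls it as: AuthorizedKeysCommand /path/to/this %u
# Assumptions: ldapsearch from ldap-utils is installed; LDAP_URI and BASE_DN
# are placeholders for your own directory.
LDAP_URI="${LDAP_URI:-ldap://ldap.example.internal}"
BASE_DN="${BASE_DN:-ou=People,dc=example,dc=internal}"

# Escape a value for an LDAP search filter (RFC 4515) so that an unusual
# username handed to sshd cannot change the filter. Backslash goes first.
ldap_filter_escape() {
    printf '%s' "$1" |
        sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Read LDIF on stdin and print each sshPublicKey value on its own line.
# ldapsearch folds long values (continuation lines start with one space),
# so they are unfolded first; "attr::" means the value is base64-encoded.
parse_ldif_keys() {
    awk '
        /^ / { buf = buf substr($0, 2); next }
        { if (buf != "") print buf; buf = $0 }
        END { if (buf != "") print buf }
    ' | while IFS= read -r line; do
        case "$line" in
            "sshPublicKey:: "*) printf '%s' "${line#sshPublicKey:: }" | base64 -d; echo ;;
            "sshPublicKey: "*)  printf '%s\n' "${line#sshPublicKey: }" ;;
        esac
    done
}

# Query the directory with a network time limit so sshd is not left waiting
# when slapd is down. On any failure print nothing and return non-zero: sshd
# then logs the failed command and accepts no keys from it.
fetch_keys() {
    user=$(ldap_filter_escape "$1")
    out=$(ldapsearch -x -LLL -o nettimeout=5 -l 5 -H "$LDAP_URI" -b "$BASE_DN" \
        "(&(objectClass=posixAccount)(uid=$user))" sshPublicKey) || return 1
    printf '%s\n' "$out" | parse_ldif_keys
}

if [ $# -gt 0 ]; then fetch_keys "$1" || exit 1; fi
```

Point AuthorizedKeysCommand at this file with an AuthorizedKeysCommandUser that owns nothing else, and test it by hand with the username before relying on it for logins.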
I'm getting an error when using ssh, which tries to use keys from ssh-agent, but fails with this message (when running ssh -v):
debug1: get_agent_identities: ssh_fetch_identitylist: communication with agent failed
Full log
I can see both of my keys added to the agent when running ssh-add -l:
$ ssh-add -l
3072 SHA256:0i3sqR60WRsAOpFVJyw951NUDW01jkAWFB1na921Asd xxxxxx@somehost (RSA)
4096 SHA256:CG6njka821AOd82j1xGFkyiOjwG/yo921KAIOWm3t/4 xxxxxx@anotherhost (RSA)
The same error appears with no keys or one key inside the agent.
I'm running the fish shell on Arch Linux, and also tried this under bash, but it doesn't seem to make a difference. The same setup was working for me on Ubuntu. There seem to be no questions about this exact issue, and I'm stuck with no clues.
I found that this problem on my PC is caused by the default Windows SSH client, which stores my SSH key files. After upgrading to 8.9 with https://github.com/PowerShell/Win32-OpenSSH/releases/tag/v8.9.0.0p1-Beta I solved this problem.
I'm trying to SSH into an AKS Windows node using this reference, which created a debugging Linux node, and SSH into the Windows node from the debugging node. Once I enter the Linux node and try to SSH into the Windows node, it asks me to type in the azureuser password like below:
azureuser@10.240.0.128's password:
Permission denied, please try again.
What is azureuser@(Windows node internal IP address)'s password? Is it my Azure service password, or is it the WindowsProfileAdminUserPassword that I pass in when I create an AKS cluster using the New-AzAksCluster cmdlet? Or is it my SSH key pair password? If I do not know what it is, is there a way I can reset it? Or is there a way I can create a Windows node free from credentials? Any help is appreciated. Thanks ahead!
It looks like you're trying to log in with your password, not your SSH key. Look for the explanation of the difference between those methods. These are two different authentication methods. If you want to SSH to your node, you need to choose SSH with key authentication. You can do this by running the command:
ssh -i <id_rsa> azureuser@<your.ip.address>
But before this, you need to create a key pair. It is well described in this section. Then you can create the SSH connection to a Linux node. You have everything described in detail, step by step, in the documentation you provided.
When you configure everything correctly, you will be able to log into the node using the ssh key pair. You won't need a password. When you execute the command
ssh -i <id_rsa> azureuser@<your.ip.address>
you should see an output like this:
The authenticity of host '10.240.0.67 (10.240.0.67)' can't be established.
ECDSA key fingerprint is SHA256:1234567890abcdefghijklmnopqrstuvwxyzABCDEFG.
Are you sure you want to continue connecting (yes/no)? yes
[...]
Microsoft Windows [Version 10.0.17763.1935]
(c) 2018 Microsoft Corporation. All rights reserved.
When you see Are you sure you want to continue connecting (yes/no)? you need to write yes and confirm using Enter.
I've set up Cygwin and want to SSH with a domain user account on Windows Server 2012 R2. It works fine if I start the sshd service with "Local system account", but if I start the service with a cygserver local account or domain\cygserver, then the service starts fine, but when I try to SSH I see the message sshd: PID 1944: fatal: seteuid 1801: No such device or address.
ssh in verbose mode on the client shows the following:
debug1: Authentication succeeded (publickey).
Connection to 10.10.10.10 closed by remote host.
Connection to 10.10.10.10 closed.
debug1: Exit status -1
Some articles like https://blog.peterwurst.com/2016/09/15/ssh-server-on-windows-with-cygwin/ suggest enabling the following GPO settings with the cygserver account in them. I tried them; still the same error.
Act as part of the operating system
Create a token object
Log on as a service
Replace a process level token
I've verified the .ssh and authorized_keys permissions, that the user's home directory exists, and also that the passwd file has the /bin/bash shell for the user.
Any suggestion on how to resolve this issue?
I had this issue, and the solution was to start the CYGWIN ntsec service before starting the CYGWIN OpenSSH service.
Verify the subject user and SSHD account are not locked / disabled.
Confirm that password login works. PKI and password login take different paths to create a process token.
I also had this issue in the log:
seteuid XXXXXXXX: No such device or address
and this did the trick:
passwd -R
I use PuTTY in Windows to log in to my Debian server. But when I set my server address, type the root username and type the server password, PuTTY shows
access denied for password
Now how can I fix that to access the server?
First check the SSH server config at /etc/ssh/sshd_config in Debian. Perhaps there is some parameter that denies remote access.
I tried to add a slave on the master machine. But when it adds, it asks for a password. That I didn't understand.
Master = jhamb
Slave = naveen, raja, gaurav
Please solve the error below. Looking for your kind response.
Snapshot of console:
When I try to add any host it shows these lines:
0 successful
HOST DTID
ANY NAME NO SUCH HOST
vim /etc/hosts shows:
# Do not remove the following line, or various programs
# that require network functionality will fail.
#127.0.0.1 localhost.localdomain localhost
10.40.54.180 gaurav.my.domain #node 1 slave
10.40.54.92 naveen.my.domain #node 2 slave
10.40.55.31 raja.my.domain #node 3 slave
10.40.55.113 localhost.localdomain #node 4 master
#::1 localhost6.localdomain6 localhost6
EDITED
I write here about my work, what I have done so far:
Download pvm3 tar file.
Setup all the variables to run PVM.
export PVM_RSH=/ur/bin/ssh
Make a passwordless connection between master and slave.
Run simple code on a single machine; it works.
When I tried to add the slave on the master by using the command
add naveen.my.domain
it says the same as in the image above.
I think now it is sufficient information.
EDIT NO. 2
When I run ssh -v naveen@10.40.54.92, it says:
......
.....
debug1: Authentications that can continue: publickey, password
debug1: Next Authentication method: publickey
debug1: Trying private key: /root/.ssh/identity
debug1: Offering public key: /root/.ssh/id_rsa
debug1: Server accepts key:pkalg ssh-rsa blen 277
debug1: read PEM private key done: type RSA
debug1: Authentication succeeded (publickey).
debug1: channel 0:new [client-session]
debug1: Entering Interactive session.
debug1: Sending environment.
.......
.....
When you add a slave, PVM tries to start pvmd on that machine. To do that, it will try to log in via ssh(1). So the line "user@host password:" is from ssh.
You can try it yourself:
> ssh naveen.my.domain
This article explains what you can do to allow ssh login onto a different machine without giving it a password every time and without compromising the security of SSH: 3 Steps to Perform SSH Login Without Password Using ssh-keygen & ssh-copy-id
EDIT Here is the important part of the image above:
Verifying Local Path to "rsh"
Rsh found in /usr/bin/ssh - O.K.
Testing Rsh/Rhosts Access to Host ...
PVM can use rsh(1) and ssh(1) to log in remotely. Don't ever use rsh(1). It's insecure, brittle and ugly.
The output suggests that PVM uses ssh. You can verify that by looking at the process list while PVM asks for the password: you should see an ssh child process with PVM as the parent.
So for some reason, your password-less SSH setup is broken.
EDIT 2: Security isn't easy :-) What you need to understand is that there is a piece of software which remembers the password for you. That's the "ssh agent."
When SSH asks you for a password, then there can be many reasons:
The ssh agent isn't running
Your key isn't loaded in the ssh agent
The wrong key is loaded in the ssh agent
You made it work and started a new terminal / new process and that new process doesn't "see" the ssh agent.
To check these:
Make sure you see an ssh agent running with your user ID in the process list.
Make sure the correct key is loaded (add it again if in doubt)
Make sure that ssh naveen works correctly.
Try pvm in the same console where you tried ssh naveen.
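An added example, not from the answer above, that runs its four checks against one target host from the shell you intend to start pvm in: it reports whether this shell can see an agent socket, what `ssh-add -l` says about loaded keys, and whether a non-interactive `ssh` to the host succeeds. Assumed: OpenSSH's ssh and ssh-add are on PATH and the host name (naveen.my.domain here) resolves via /etc/hosts or DNS.

```shell
#!/bin/sh
# Added example, not from the answer above: runs its four checks against one
# target host. Assumes OpenSSH's ssh and ssh-add are on PATH and the host name
# (naveen.my.domain here) resolves via /etc/hosts or DNS.

# Map the exit status of `ssh-add -l` to a finding. Per ssh-add(1): 0 means
# the agent answered and listed keys, 1 means it answered but holds no keys,
# 2 means ssh-add could not reach any agent at all.
classify_ssh_add_rc() {
    case "$1" in
        0) echo "keys-loaded" ;;
        1) echo "no-keys-loaded" ;;
        2) echo "agent-unreachable" ;;
        *) echo "unexpected-status-$1" ;;
    esac
}

# A shell only "sees" the agent if SSH_AUTH_SOCK names a live socket; a fresh
# terminal that never inherited the variable is the classic cause.
check_agent_socket() {
    if [ -z "$1" ]; then
        echo "agent-not-visible"
    elif [ -S "$1" ]; then
        echo "agent-socket-ok"
    else
        echo "agent-socket-stale"
    fi
}

# Non-interactive login attempt: BatchMode=yes makes ssh fail instead of
# prompting for a password, which is exactly what PVM ran into.
check_batch_login() {
    if ssh -o BatchMode=yes -o ConnectTimeout=5 "$1" true 2>/dev/null; then
        echo "key-login-ok"
    else
        echo "key-login-fails"
    fi
}

diagnose() {
    echo "agent socket: $(check_agent_socket "$SSH_AUTH_SOCK")"
    ssh-add -l >/dev/null 2>&1
    rc=$?
    echo "agent keys  : $(classify_ssh_add_rc "$rc")"
    echo "ssh $1: $(check_batch_login "$1")"
    echo "Start pvm from this same shell once all three lines are OK."
}

if [ $# -gt 0 ]; then diagnose "$1"; fi   # usage: sh check-agent.sh naveen.my.domain
```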