SSH authenticate with public key (not private key) - linux

Is it possible to connect to a server using a public key? The server holds the private key in authorized_keys, and the client can connect with:
ssh -i id_rsa.pub server
It is the exact opposite as the usual way with public/private keys: the client keeps the public key, and the server holds the private key.
Now the reason: For machines being deployed to customers, I want to setup a remote connection to rescue the machines in case of problems.
the machine initiates a reverse SSH connection to the rescue server: connect using the public key (the same on all the machines: ssh -i id_rsa.pub -NR 64000:localhost:22 rescue#server)
the machine opens a channel, but cannot execute commands (prompt /bin/false)
on the server, do a SSH to the machine through the open channel and authenticate with the private key (the usual way: ssh -i id_rsa -p 64000 localhost).

You can't use keys to authenticate in opposite order of private/public, because of the way how asymmetric cryptography works.
The alternative solution for you can be to use openssh certificates as described in manual pages and many how-to's.

Related

How to use a certificate from a Azure Key Vault to connect to a Azure Virtual Machine through Bastion?

I want to secure an azure virtual machine. Currently, I have a login and a password that I use to connect in SSH with Putty.
My idea is to create an RSA certificate in an Azure Key Vault (I managed to do that just fine) and use it to connect to my virtual machine through Bastion. I have no problem using the certificate instead of a password:
However, I first need to configure the machine to use this certificate instead of the currently defined password. I figured it must happen in the reset password tab, but I cannot find what to put inside SSH public key:
I cannot find a way to retrieve the public key from the azure portal, I can download the certificate under the CER or the PFX format, but I tried to get the public key from those files using OpenSSL, but no matter what I do it is invalid.
How can I get a public key that follows the format "ssh-rsa AAAA... username#domainname" that azure requires from a certificate generated in an Azure Key Vault or a from a .pfx or .cer file?
I tried to reproduce the same in my environment and got the results like below:
To reset SSH public key check the below workarounds:
Try to login to your terminal or cloud bash like below:
ssh username#host
sudo -i
By default, ssh-keygen will generate an RSA key purse with one public and private key
ssh-keygen -t rsa -b 2048
y
ssh-keygen will generate public/private RSA key pair -> Next click Enter if you do not specify any dir it will generate under /root/ .ssh/id_rsa I tried with default one click enter -> overwrite y -> Enter passphrase click Enter -> Enter like below:
The public key will be saved in /root/.ssh/id_rsa.pub. SSH key command generated both public/private under the home directory of user root
cd /root/.ssh/
ls
Now, Try to add the public key to the target server
id_rsa - private key
id_rsa.pub - public key
Use the public key and paste in vm and update like below:
When I try to login my SSH it got login with public key without getting the password-authentication successfully like below:
Now, I tried to connect virtual machine through Bastion it's connected successfully like below:

SSH using other users key

Is it possible to create a UNIQUE key that can be used by all users to ssh to a server? I need to avoid creating a new key for each user and copying it to the server.
More in deep, I would create a key pair in a specific <key_path>, then copy the public key on the server and then let all the users ssh to the server just like this:
ssh -i <key_path> server-user#the-server
I tried to create a keypair with a specific user (call it userA) with no passphrase:
ssh-keygen -t rsa -f <key_path>
But when I try to use the userA's key with a different user (call it userB), I'm asked to enter the passphrase, even if there's no passphrase, and if I just press enter on the passphrase, I'm asked to insert the server-user password:
ssh -i <key_path> server-user#the-server
Enter passphrase for key <key_name>:
server-user#the-server's password:
I know I could generate a key for userA and another key for userB, but in my case I need to use the same key for different users.

EMR Presto LDAPS: authenticator not loaded

LDAPS is correctly set up using docker-openldap.
Certificates correctly generated and deployed (also tried self generated certificates)
ldapwhoami and ldapsearch both works
Presto complains authenticator not loaded, with DEBUG level logging it says "simple bind failed: outbound connection failed"
It turns out by default osixia/openldap container will run with TLS client certificate verification on (demand). This requires a local certificate and a private key, i.e. the ldap server will try to validate client owns a valid certificate.
ldapwhoami works because the client certificate was imported to local machine, but on Presto node only a root certificate was imported during initialization.
The error message was not clear, showing UncheckedException, authenticator not loaded, simple bind failed, etc.
The solution is to disable client certificate verification. When launching the docker, add --env LDAP_TLS_VERIFY_CLIENT=try or never.
Importing the private key to default Java keystore might also work if client verification is desired.

Using ssh keys from Vault to ssh via Jenkins Pipeline

I am trying to use ssh private keys stored in Hashicorp Vault to ssh to some servers in Jenkins Pipeline. I have the following code
stage('Syncing Scripts') {
steps {
script {
withVault([configuration: vaultConfiguration, vaultSecrets: vaultSecrets]) {
remoteCommands.copyLocalDirToServer(credentials, "server_files/*", "${username}#${host}", "~/server_path")
}
}
}
}
Library code for remoteCommands
void copyLocalDirToServer(String credentials, String localDir, String server, String remoteDir, int timeoutSec=10) {
sshagent(credentials : [credentials]) {
checkConnectivity(credentials, server, timeoutSec)
sh "scp -r ${localDir} ${server}:${remoteDir} "
}
}
username, host are two environemnt variable bound via Vault. credentials currently refers to an ssh key stored in Jenkins credentials. The Pipeline is working.
Vault is supposed to be the single source of truth. The ssh keys are stored in Vault and I am able to get them. But the problem is that I get a string from Vault in an environment variable. I am not sure how to pass that to the ssh command. Creating a file to pass to the ssh command puts the ssh keys in plain text on Jenkins which is not recommended.
To avoid this I had to duplicate the ssh keys in Jenkins credentials. I would like to avoid this duplication.
What is a possible solution to pass a secret ssh key fetched from a secret provider (like Vault) to ssh command running in Jenkins Pipeline that does not compromise on security best practices?

ssh connection to ec2 instance without password

I need a help, I was setting up a keyboard-interactive, close the server session, and now I can not enter? I have my key (.pem) to enter, but now it asks for a password and the server does not have a password, I use the key to enter
What I have done when I had the same problem (aws says it's key pair, but in fact you just have private key when you generate a 'key pair' in aws console):
download the private ssh key *.pem on your computer
generate the pubkey : ssh-keygen -y -f aws.pem > aws.pub (replace aws by the name of your key)
import the public key (*.pub) in ec2 key pairs
create a new instance and associate key pair (depends how you create instance, I can tell you for terraform)
now you can ssh to your ec2 instance ssh -i aws.pem user#host
Note
I think the first step is not required, you can just generate key pair on your PC with ssh-keygen, then import the public key in ec2 without the need of generating any keys from aws

Resources