I have two Amazon EC2 Ubuntu instances. When I connect to one of them, I can do
ssh ubuntu#54.123.4.56
and the shell uses the correct keyfile from my ~/.ssh directory.
I just set up a new instance, and I'm trying to figure out how to replicate that behavior for this new one. It's a minor thing, just driving me nuts. When I log in with:
ssh -i ~/.ssh/mykey.pem ubuntu#54.987.6.54
it works fine, but with just
ssh ubuntu#54.987.6.54
I get:
Permission denied (publickey).
I have no idea how I managed to get it to work this way for the first server, but I'd like to be able to run ssh into the second server without the "-i abc.pem" argument. Permissions are 600:
-r-------- 1 mdexter mdexter 1692 Nov 11 20:40 abc.pem
What I have tried: I copied the public key from authorized_keys on the remote server and pasted it to authorized_keys on the local server, with mdexter#172.12.34.56 (private key) because I thought that might be what created the association in the shell between that key and that server for the shell.
The only difference I can recall between how I set up the two servers is that with the first, I created a .ppk key in PuTTy so that I could connect through FileZilla for SFTP. But I think SSH is still utilizing the .pem given by Amazon.
How can I tell the shell to just know to always use my .pem key for that server when SSHing into that particular IP? It's trivial, but I'm trying to strengthen my (rudimentary) understanding of public/private keys and I'm wondering if this plays into that.
You could solve this in 3 ways:
By placing the contents of your ~/.ssh/mykey.pem into ~/.ssh/id_rsa on the machine where you are ssh'ing into 2nd instance. Make sure you also change the permissions of ~/.ssh/id_rsa to 600.
Using ssh-agent (ssh-agent will manage the keys for you)
Start ssh-agent
eval `ssh-agent -s`
Add the key to ssh-agent using ssh-add
ssh-add mykey.pem
Using ssh-config file:
You could use ssh config file. From the machine where you are trying to ssh, keep the following contents in the ~/.ssh/config file (make sure to give this file 600 permissions):
Host host2
HostName 54.987.6.54
Port 22
User ubuntu
IdentityFile ~/.ssh/mykey.pem
Once you do that now you could access do the ssh like this:
ssh host2
After performing any of the above steps you should be able to ssh into your second instance with out specifying the key path.
Note: The second option requires you to add the key using ssh-add every time you logout and log back in so to make that a permanent injection see this SO question.
Related
I'm trying to connect my Atlassian BitBucket with an AWS EC2.
I followed all the right steps and it's working. The one thing that got me into trouble was launching the ssh-agent with eval ssh-agent -s and then ssh-add mybitbucket.pub to add the identity.
However, the issue is that the identity does not persist. Meaning that if log back in, in order to do any git operations, I have to do eval ssh-agent -s and ssh-add mybitbucket.pub again.
[root#ip-10-0-1-112 themes]# ssh-add -l
The agent has no identities.
Any recommended workarounds?
Steps taken so far:
Login EC2
Sudo su -
ssh-keygen -t rsa
eval ssh-agent -s
ssh-add mybitbucket.pub
copy the key in BitBucket's web interface.
Thanks!
In the case where you only need the key when you are ssh'd to the instance, you can set up ssh-agent forwarding. This means that when you connect to a specified host, the remote server is allowed to use the keys from your local ssh-agent in order to connect to things, such as the bitbucket account.
So, what you could do is add your public key to the BitBucket account, which would then allow you to access BitBucket via ssh because your local machine has your private key. Then, by enabling ssh-agent forwarding, when you ssh to the EC2 instance, you allow that instance to use your private key access BitBucket without ever storing your private key on the instance.
Here's an article on how to set this up:
https://developer.github.com/guides/using-ssh-agent-forwarding/
In short, add the following to your ~/.ssh/config:
Host example.com
ForwardAgent yes
Where example.com is the public IP of your AWS instance, or the EIP assigned to it, etc.
I have updated my system with sudo apt-get update.
There was a update of PAM (The Pluggable Authentication Module). I don't remember the message, but there was like a pink screen and I decided to choose no (sorry for that poor explanation).
After that the update continues until something like ssh stop/waiting and then nothing happens. I couldn't cancel this und decided to reboot my Ubuntu Server (14.04 LTS).
After that I cannot connect with a user to this machine with ssh -X user#host. Only the owner can connect. But no other user.
With ssh -v user#host I get the error
debug1: Authentications that can continue: publickey,password
Permission denied, please try again.
Then I recognized that there are a lot of missing files in my ~/.ssh/ directory.
There is only the file known_hosts. I think there should be also the files: Readme, authorized_keys, bup, deprec, id_dsa, id_dsa.pub.
Do I have to reinstall ssh?
You do not need to reinstall ssh.
Many of those files are generate as you use ssh and related commands.
The most important files in my experience (which you will generate) are:
authorized_keys: contains public keys which are authorized to connect.
id_dsa and id_dsa.pub (or id_rsa, etc.) are the private key and public key (with .pub suffix) are the keys you offer when attempting a connection. These are generated by executing ssh-keygen.
Also, config is nice to use, but also not necessary. see man ssh_config.
Restoring connections from other machines
It appears you've lost the authorized_keys file you had. If you wish to continue connecting via publickey from other machines, you will need to put the public key from the other machine into your authorized_keys file.
Ensure authorized_keys file exists (if not: touch ~/.ssh/authorized_keys)
Copy the public key (id_rsa.pub for example) from the machine[s] you will be connecting from.
Paste the public key[s] into authorized_keys, one per line.
I'm newbie to Linux and trying to set up a passphrase-less ssh. I'm following the instructions in this link: http://wiki.hands.com/howto/passphraseless-ssh/.
In the above link, it said:"One often sees people using passphrase-less ssh keys for things like cron jobs that do things like this:"
scp /etc/bind/named.conf* otherdns:/etc/bind/
ssh otherdns /usr/sbin/rndc reload
which is dangerous because the key that's being used here is being offered root write access, when it need not be.
I'm kind of confused by the above commands.
I understand the usage of scp. But for ssh, what does it mean "ssh otherdns /usr/sbin/rndc reload"?
"the key that's being used here is being offered root write access."
Can anyone also help explain this sentence more detail? Based on my understanding, the key is the public key generated by one server and copied
to otherdns. What does it mean "being offered root write access"?
it means to run a command on a remote server.
the syntax is
ssh <remote> <cmd>
so in your case
ssh otherdns /usr/sbin/rndc reload
is basically 4 parts:
ssh: run the ssh executable
otherdns: is the remote server; it's lacking a user information, so the default user (the same as currently logged in; or the one configured in ~/.ssh/config for this remote machine)
/usr/sbin/rndc is a programm on the remote server to be run
reload is an argument to the program to be run on the remote machine
so in plain words, your command means:
run the program /usr/sbin/rndc with the argument reload on the remote machine otherdns
[SSH] "Could not open a connection to your authentication agent". error
I am trying to add ssh keys into my ssh agent. I start by making sure that the ssh-agent is running.
exec ssh-agent bash
I make sure that ssh-agent is running.
ps axu | grep [s]sh
and get the following
root 1562 ... ssh-agent bash
The env variables are set correctly.
SSH_AGENT_PID=1562
SSH_AUTH_SOCK=/tmp/ssh-699iHAxuK4xX/agent.1561
However when I try to add the private key using
sudo ssh-add ~/.ssh/peter-key
I get the ssh error
Could not open a connection to your authentication agent.
I have tried the suggestions on stackoverflow and serverfault but nothing.
Note: I am running a linux machine on one of the free tier AWS machines with ubuntu. My instance's security group allow (temporarily) all incoming and outgoing ssh connections from any IP address. Anyone know what the error could be?
Just use
ssh-add ~/.ssh/peter-key
...not...
sudo ssh-add ~/.ssh/peter-key
Using sudo (optionally/configurably, but typically) clears a number of environment variables, including the ones you just verified were set. (Compare output of sudo env and plain env to see this effect).
If you must use sudo to read the key, then you can ensure that the necessary environment variable is set on the other side by doing so explicitly yourself:
sudo env "SSH_AUTH_SOCK=$SSH_AUTH_SOCK" ssh-add ~/.ssh/peter-key
However, it's possible for security-sensitive programs working with UNIX domain sockets to check the ownership and permission of software on the other end of that socket, and to refuse to communicate with anything running on a user account different from what they expect, so it's possible that this approach may not be future-proof against security features added to ssh-agent.
I created a new keypair and downloaded it to my mac, then set up a new Amazon Linux AMI server with that keypair and my security group. Now I need to put the keypair .pem file that I downloaded in a .ssh file in my users folder? I am unable to create a folder called ".ssh" however because of the name.
Where do I put the keypair on my mac? and what chmods or other commands are then needed to connect to the server from my linux bash? I know "ssh my public DNS" but what other permissions or anything else should I be aware of? Its a newbie question. Thanks.
You'll want to put the keypair in {your home directory}/.ssh . If that folder doesn't exist, create it. Once you put the keypair in there you have to change the permissions on the file so only your user can read it.
Launch the terminal and type
chmod 600 $HOME/.ssh/<your keypair file>
That limits access to the file, and then to limit access to the folder type
chmod 700 $HOME/.ssh
You have to limit the access because the OpenSSH protocol won't let you use a key that other's can view.
Then to log into your instance, from the terminal you would enter
ssh -i <your home directory>/.ssh/<your keypair file> ec2-user#<ec2 hostname>
you can also create a file ~/.ssh/config
chmod it 644
then inside you can add something like this
host mybox-root
Hostname [the IP or dns name]
User root
IdentityFile ~/.ssh/[your keypair here]
then you can just do
$ ssh mybox-root
and you'll login easier.
You can use Java MindTerm to connect to your EC2 server in Macbook pro. It works for me. here are the more details and step by step instruction.
http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AccessingInstancesLinux.html
http://www.openssh.com/ is the suggested one on http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-connect-to-instance-linux.html#using-ssh-client (option 3)
Someone was asking on Mac's an easy way to create the ~/.ssh folder would be by running command ssh-keygen, then use following setup ...
A.
macbook-air$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/Users/sam/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /Users/sam/.ssh/id_rsa.
Your public key has been saved in /Users/sam/.ssh/id_rsa.pub.
B. Then create:
touch ~/.ssh/authorized_keys
C. Fix the permissions:
chmod 600 ~/.ssh/authorized_keys
D. Copy AWS Key to that file:
cp AWS_key.text ~sam/.ssh/authorized_keys
#You would have saved this SSH key earlier when creating the EC2 instance
E. Then test the ssh to AWS Linux server - you will see this error:
ssh -i ./authorized_keys root#ec2-54-76-176-29.ap-southeast-2.compute.amazonaws.com
Please login as the user "ec2-user" rather than the user "root".
F. Re-try that and it should work with allowed AWS user "ec2-user":
ssh -i ./authorized_keys ec2-user#ec2-54-76-176-29.ap-southeast-2.compute.amazonaws.com
__| __|_ )
_| ( / Amazon Linux AMI
___|\___|___|
https://aws.amazon.com/amazon-linux-ami/2014.09-release-notes/
9 package(s) needed for security, out of 12 available
Run "sudo yum update" to apply all updates.
Hope this helps, all the best.