Remove publickey from ssh login - linux

I'm trying to connect to an embedded board of mine through ssh. But upon trying to connect through ssh -v -l root user@xx.xx.xx.xx, I get a series of debug comments:
dico@lithya:~$ sudo ssh -v -l root dico@foxboard2
OpenSSH_5.9p1 Debian-5ubuntu1, OpenSSL 1.0.1 14 Mar 2012
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 22: Applying options for *
debug1: Connecting to foxboard2 [10.251.145.180] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: identity file /root/.ssh/id_rsa type -1
debug1: identity file /root/.ssh/id_rsa-cert type -1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: identity file /root/.ssh/id_dsa-cert type -1
debug1: identity file /root/.ssh/id_ecdsa type -1
debug1: identity file /root/.ssh/id_ecdsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.5p1 Debian-6
debug1: match: OpenSSH_5.5p1 Debian-6 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.9p1 Debian-5ubuntu1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Server host key: RSA 18:14:33:1e:88:5f:ad:13:78:9f:36:10:b9:d2:27:e4
debug1: Host 'foxboard2' is known and matches the RSA host key.
debug1: Found key in /root/.ssh/known_hosts:1
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Trying private key: /root/.ssh/id_rsa
debug1: Trying private key: /root/.ssh/id_dsa
debug1: Trying private key: /root/.ssh/id_ecdsa
debug1: No more authentication methods to try.
Permission denied (publickey,password).
The connection is being established through port 22 so that isn't the problem. So, clearly there is a problem with public/private key authentication. Therefore, how can I make sure that the private/public keys through both my machine and the board are in sync? Or better yet, how do I solve this issue or completely remove any keys?
UPDATE
I've tried to connect to the board by specifying no public key authentication by ssh -o PubkeyAuthentication=no dico@foxboard2, but now it's asking me for a password. I've checked the site but the password I type is incorrect. How can I remove a password request?

You can copy your public key to the server using:
ssh-copy-id user@xx.xx.xx.xx
It is always better to use keys than passwords.

Make sure your ~/.ssh directory is set to mode 700 (chmod 700 ~/.ssh) and your ~/.ssh/authorized_keys is set to mode 600 (chmod 600 ~/.ssh/authorized_keys).
In your /etc/ssh/sshd_config file set PasswordAuthentication no to turn off password logins.

Related

Github Permission denied (publickey) SSH keys in wrong directory?

I've recently installed this stack on AWS EC2:
https://aws.amazon.com/marketplace/pp/B00NO1HJ56/ref=srh_res_product_title?ie=UTF8&sr=0-2&qid=1461119036279
The instance's system log says that the SSH keys were installed here:
Generating public/private rsa key pair.
Your identification has been saved in /etc/ssh/ssh_host_rsa_key.
Your public key has been saved in /etc/ssh/ssh_host_rsa_key.pub.
I have added the public key to my Github account and the fingerprints match.
When cloning a repo I get:
Permission denied (publickey).
From the Github help section https://help.github.com/articles/error-permission-denied-publickey
I run: ssh -vT git@github.com and get:
OpenSSH_6.6.1, OpenSSL 1.0.1f 6 Jan 2014
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: /etc/ssh/ssh_config line 56: Applying options for *
debug1: Connecting to github.com [192.30.252.122] port 22.
debug1: Connection established.
debug1: identity file /home/bitnami/.ssh/id_rsa type -1
debug1: identity file /home/bitnami/.ssh/id_rsa-cert type -1
debug1: identity file /home/bitnami/.ssh/id_dsa type -1
debug1: identity file /home/bitnami/.ssh/id_dsa-cert type -1
debug1: identity file /home/bitnami/.ssh/id_ecdsa type -1
debug1: identity file /home/bitnami/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/bitnami/.ssh/id_ed25519 type -1
debug1: identity file /home/bitnami/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.6
debug1: Remote protocol version 2.0, remote software version libssh-0.7.0
debug1: no match: libssh-0.7.0
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-sha1 none
debug1: kex: client->server aes128-ctr hmac-sha1 none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: RSA 16:27:ac:a5:76:28:2d:36:63:1b:56:4d:eb:df:a6:48
debug1: Host 'github.com' is known and matches the RSA host key.
debug1: Found key in /home/bitnami/.ssh/known_hosts:1
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /home/bitnami/.ssh/id_rsa
debug1: Trying private key: /home/bitnami/.ssh/id_dsa
debug1: Trying private key: /home/bitnami/.ssh/id_ecdsa
debug1: Trying private key: /home/bitnami/.ssh/id_ed25519
debug1: No more authentication methods to try.
It seems the ssh agent is searching /home/bitnami/.ssh/ but the keys are located in /etc/ssh
This is the contents of /home/bitnami/.ssh
authorized_keys
known_hosts
And this is the contents of /etc/ssh
moduli
ssh_host_dsa_key
ssh_host_ecdsa_key.pub
ssh_host_rsa_key
ssh_config
ssh_host_dsa_key.pub
ssh_host_ed25519_key
ssh_host_rsa_key.pub
sshd_config
ssh_host_ecdsa_key
ssh_host_ed25519_key.pub
ssh_import_id
If I check what keys are added to the ssh agent I get:
$ ssh-add -l
The agent has no identities.
Is this simply a matter of adding my public key in /etc/ssh/ to the ssh agent by using ssh-add, so it knows where to look?
I don't understand why the keys were not installed in /etc/hosts rather than the home directory.
The solution is simply to ignore the keys in /etc/ssh. These keys are used by AWS to access the instance and belong to the system rather than a user.
So I just generated new keys for the bitnami user and those keys are now correctly sitting in /home/.ssh/
I can now pull my repo from Github.
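The debug output in this thread shows a client that never had a key to send, while other logs on this page show a key that was sent and refused. The following is an added example, not part of the original posts, that tells the two cases apart from `ssh -v` output; the function names and the `/home/alice` sample lines are constructed for illustration.

```sh
#!/bin/sh
# Heuristic over debug1 lines: the server answers every key the client really
# presents, logged as "Authentications that can continue" (refused) or
# "Authentication succeeded". An "Offering"/"Trying" line followed directly by
# the next attempt means the key file could not be loaded, so nothing was sent.
# Paths containing spaces are not handled.
triage_ssh_debug() {
    awk '
        function emit(tag) { if (pending != "") print tag " " pending; pending = "" }
        /^debug1: (Offering .*public key|Trying private key): / {
            emit("not-sent"); pending = $NF; next
        }
        /^debug1: Authentications that can continue: / {
            if (pending != "") rejected++
            emit("rejected"); next
        }
        /^debug1: Authentication succeeded/ {
            if (pending != "") accepted++
            emit("accepted"); next
        }
        /^debug1: (No more authentication methods to try|Next authentication method: )/ {
            emit("not-sent")
        }
        END {
            emit("not-sent")
            if (accepted)      print "verdict accepted"
            else if (rejected) print "verdict key-rejected"
            else               print "verdict no-key-sent"
        }
    '
}

# Constructed sample: no key files exist at the default paths.
sample_no_key() {
    cat <<'EOF'
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /home/alice/.ssh/id_rsa
debug1: Trying private key: /home/alice/.ssh/id_ecdsa
debug1: No more authentication methods to try.
Permission denied (publickey).
EOF
}

# Constructed sample: a key exists and is offered, but the server refuses it.
sample_rejected() {
    cat <<'EOF'
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/alice/.ssh/id_rsa
debug1: Authentications that can continue: publickey
debug1: Trying private key: /home/alice/.ssh/id_ecdsa
debug1: No more authentication methods to try.
Permission denied (publickey).
EOF
}

sample_rejected | triage_ssh_debug
```

A `no-key-sent` verdict points at the client (generate or point to a key with `-i`); `key-rejected` points at the server account's `authorized_keys`, the login user name, or file permissions.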

Unable to ssh into EC2 instance

I first tried to ssh into my EC2 instance and I got this:
###########################################################
# WARNING: UNPROTECTED PRIVATE KEY FILE! #
###########################################################
Permissions 0644 for '/Users/SidRama/Downloads/ec2.pem.txt' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Load key "~/Downloads/ec2.pem.txt": bad permissions
Permission denied (publickey).
So I ran:
sudo chmod 400 ~/Downloads/ec2.pem.txt
Then I executed this
ssh -i ~/Downloads/ec2.pem.txt ec2-user@ec2-52-35-59-123.us-west-2.compute.amazonaws.com -v
But I get Permission denied (publickey) as below:
OpenSSH_6.9p1, LibreSSL 2.1.8
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 20: Applying options for *
debug1: /etc/ssh/ssh_config line 53: Applying options for *
debug1: Connecting to ec2-52-35-59-123.us-west-2.compute.amazonaws.com [52.35.59.111] port 22.
debug1: Connection established.
debug1: key_load_public: No such file or directory
debug1: identity file ~/Downloads/ec2.pem.txt type -1
debug1: key_load_public: No such file or directory
debug1: identity file ~/Downloads/ec2.pem.txt-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.9
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.6.1
debug1: match: OpenSSH_6.6.1 pat OpenSSH_6.6.1* compat 0x04000000
debug1: Authenticating to ec2-52-35-59-123.us-west-2.compute.amazonaws.com:22 as 'ec2-user'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client chacha20-poly1305@openssh.com none
debug1: kex: client->server chacha20-poly1305@openssh.com none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:ZJbD9iVRP/8EbzmhyBvrC+Vg2W15k+A5cB6dea3+BAA
The authenticity of host 'ec2-52-35-59-123.us-west-2.compute.amazonaws.com (52.35.59.111)' can't be established.
ECDSA key fingerprint is SHA256:ZJbD9iVRP/8EbzmhyBvrC+Vg2W15k+A5cB6dea3+BAA.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'ec2-52-35-59-123.us-west-2.compute.amazonaws.com,52.35.59.111' (ECDSA) to the list of known hosts.
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: ~/Downloads/ec2.pem.txt
debug1: Authentications that can continue: publickey
debug1: Trying private key: ~/Downloads/ec2.pem.txt
debug1: Authentications that can continue: publickey
debug1: No more authentication methods to try.
Permission denied (publickey).
I have been trying for some time now. Any help would be deeply appreciated. Thanks in advance.
A few things I would do:
In Amazon, create an elastic IP and assign it to your instance
Use an absolute path and try a different syntax, I usually just do:
sudo ssh -i /somepath/key.pem ec2-user@51.62.132.180
Reset the known hosts from where you are trying to connect:
sudo ssh-keygen -R 51.62.132.180
sudo ssh-keyscan -H 51.62.132.180 >> ~/.ssh/known_hosts
Double check the IP of the instance and the path to the key
Remove the .txt extension from the key file

ssh key login via public key

I am setting up ssh with public key access, I think I have correctly configured sshd_config and generated id_rsa.pub and authorized_keys.
ssh-keygen -t rsa
cd .ssh
cat id_rsa.pub >> authorized_keys
I also set the permission for these files
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys
When I try sudo ssh localhost, it works and no password is asked, but logged in as root.
But when I try ssh localhost, it is still asking for password.
logs generated during this are :-
OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to localhost [127.0.0.1] port 22.
debug1: Connection established.
debug1: identity file /home/cwei/.ssh/identity type -1
debug1: identity file /home/cwei/.ssh/identity-cert type -1
debug1: identity file /home/cwei/.ssh/id_rsa type 1
debug1: identity file /home/cwei/.ssh/id_rsa-cert type -1
debug1: identity file /home/cwei/.ssh/id_dsa type -1
debug1: identity file /home/cwei/.ssh/id_dsa-cert type -1
debug1: identity file /home/cwei/.ssh/id_ecdsa type -1
debug1: identity file /home/cwei/.ssh/id_ecdsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
debug1: match: OpenSSH_5.3 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.3
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'localhost' is known and matches the RSA host key.
debug1: Found key in /home/cwei/.ssh/known_hosts:1
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure. Minor code may provide more information
Credentials cache file '/tmp/krb5cc_604' not found
debug1: Unspecified GSS failure. Minor code may provide more information
Credentials cache file '/tmp/krb5cc_604' not found
debug1: Unspecified GSS failure. Minor code may provide more information
debug1: Unspecified GSS failure. Minor code may provide more information
Credentials cache file '/tmp/krb5cc_604' not found
debug1: Next authentication method: publickey
debug1: Trying private key: /home/cwei/.ssh/identity
debug1: Offering public key: /home/cwei/.ssh/id_rsa
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Trying private key: /home/cwei/.ssh/id_dsa
debug1: Trying private key: /home/cwei/.ssh/id_ecdsa
debug1: Next authentication method: password
cwei@localhost's password:
SSH public key access is user based. The configuration may be done for the root user. It needs to be done for the local user by configuring the local user's local .ssh directory.

passwordless root login from aws ec2 to ec2

I'm trying to start a vertica cluster on 3 ec2 instances(node1, node2, node3) which requires root login via ssh between the instances.
On node1, the main node...as a root user, I generated keys using ssh-keygen
On node2 and node3, I edited the /etc/ssh/sshd_config file with this:
RSAAuthentication yes
PubkeyAuthentication yes
PasswordAuthentication no
then added the id_rsa.pub key to node2 and node3 in both /root/.ssh/authorized_keys and /home/ec2-user/.ssh/authorized_keys
then did a
service sshd restart
I try to login like ssh root@node2 from node1...but I keep getting this error:
Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
EDIT:
also changed permitrootlogin to this:
PermitRootLogin without-password
did a -v on ssh and here is what I see
[root@ip-10-205-119-236 .ssh]# ssh -v root@10.205.117.61
OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to 10.205.117.61 [10.205.117.61] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: identity file /root/.ssh/identity type -1
debug1: identity file /root/.ssh/identity-cert type -1
debug1: identity file /root/.ssh/id_rsa type -1
debug1: identity file /root/.ssh/id_rsa-cert type -1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: identity file /root/.ssh/id_dsa-cert type -1
debug1: identity file /root/.ssh/id_ecdsa type -1
debug1: identity file /root/.ssh/id_ecdsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
debug1: match: OpenSSH_5.3 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.3
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-sha1 none
debug1: kex: client->server aes128-ctr hmac-sha1 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<2048<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host '10.205.117.61' is known and matches the RSA host key.
debug1: Found key in /root/.ssh/known_hosts:1
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure. Minor code may provide more information
Credentials cache file '/tmp/krb5cc_0' not found
debug1: Unspecified GSS failure. Minor code may provide more information
Credentials cache file '/tmp/krb5cc_0' not found
debug1: Unspecified GSS failure. Minor code may provide more information
debug1: Unspecified GSS failure. Minor code may provide more information
Credentials cache file '/tmp/krb5cc_0' not found
debug1: Next authentication method: publickey
debug1: Trying private key: /root/.ssh/identity
debug1: Trying private key: /root/.ssh/id_rsa
debug1: read PEM private key done: type RSA
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug1: Trying private key: /root/.ssh/id_dsa
debug1: Trying private key: /root/.ssh/id_ecdsa
debug1: No more authentication methods to try.
Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
I see it's trying to use id_dsa...but I don't have that file...I have a file called node1 which is what I named my file...
SSH requires quite precise access rights on these files, because anything different would be a security issue. Your ~/.ssh needs to be accessible only by you, and your authorized_keys can't be writable by others:
chmod 700 ~/.ssh
chmod 644 ~/.ssh/authorized_keys
should fix it.
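The permission rules given in the answers on this page (700 on ~/.ssh, 600 or 644 on authorized_keys) and the client's "UNPROTECTED PRIVATE KEY FILE" warning quoted earlier both reduce to mode-bit tests. This added example, not part of the original answers, checks them for one home directory; the function names are assumptions and file ownership is not verified.

```sh
#!/bin/sh
# sshd with StrictModes ignores authorized_keys when the home directory,
# ~/.ssh or the file itself is writable by group or others (mode & 022).
# The ssh client ignores a private key that group or others can access
# at all (mode & 077).

# Succeeds if the path is writable by group or others.
group_or_other_writable() {
    [ "$(ls -ld -- "$1" | cut -c6,9)" != "--" ]
}

# Succeeds if group or others have any permission bit set.
group_or_other_access() {
    [ "$(ls -ld -- "$1" | cut -c5-10)" != "------" ]
}

# audit_ssh_perms HOME_DIR: print one finding per line, nothing if clean.
audit_ssh_perms() {
    home=$1
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        [ -e "$p" ] || continue
        if group_or_other_writable "$p"; then
            echo "server-side: $p is group/other-writable"
        fi
    done
    for f in "$home"/.ssh/*; do
        [ -f "$f" ] || continue
        # Private keys are recognised by their PEM/OpenSSH header line.
        if head -n 1 "$f" | grep -q 'PRIVATE KEY-----' && group_or_other_access "$f"; then
            echo "client-side: $f is accessible by group/others"
        fi
    done
    return 0
}

# Run as: sh audit.sh "$HOME"
if [ $# -gt 0 ]; then
    audit_ssh_perms "$1"
fi
```

Both 600 and 644 on authorized_keys pass the server-side test, since neither grants write access to group or others.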

Permission denied (publickey) ssh

I am attempting to ssh into an EC2 machine and ssh has stopped working. I'm not sure how I broke it but it is now unable to connect. I already tried creating a new key but it is not helping.
$ ssh -vT ****@****.****-2.compute.amazonaws.com
OpenSSH_6.6.1, OpenSSL 1.0.1i 6 Aug 2014
debug1: Reading configuration data /etc/ssh_config
debug1: Connecting to ec2-****.****-2.compute.amazonaws.com [****] port 22.
debug1: Connection established.
debug1: identity file /home/Brad/.ssh/id_rsa type 1
debug1: identity file /home/Brad/.ssh/id_rsa-cert type -1
debug1: identity file /home/Brad/.ssh/id_dsa type -1
debug1: identity file /home/Brad/.ssh/id_dsa-cert type -1
debug1: identity file /home/Brad/.ssh/id_ecdsa type -1
debug1: identity file /home/Brad/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/Brad/.ssh/id_ed25519 type -1
debug1: identity file /home/Brad/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.6.1
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.2
debug1: match: OpenSSH_6.2 pat OpenSSH* compat 0x04000000
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5-etm@openssh.com none
debug1: kex: client->server aes128-ctr hmac-md5-etm@openssh.com none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ECDSA ****
debug1: Host '****.****-2.compute.amazonaws.com' is known and matches the ECDSA host key.
debug1: Found key in /home/Brad/.ssh/known_hosts:1
debug1: ssh_ecdsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/Brad/.ssh/id_rsa
debug1: Authentications that can continue: publickey
debug1: Trying private key: /home/Brad/.ssh/id_dsa
debug1: Trying private key: /home/Brad/.ssh/id_ecdsa
debug1: Trying private key: /home/Brad/.ssh/id_ed25519
debug1: No more authentication methods to try.
Permission denied (publickey).
I have replaced all of the personal info with *.
Thank you
Nowhere in your command are you referring to the ssh private key. Try running the command as below:
ssh -i <path_to_the_private_key> ubuntu@<EC2_Hostname>
In the above command, note that I have used the username as ubuntu. Depending on which AMI you are using, you should change the username which corresponds to that AMI.
