I have a script called tnl that I use to help set up and use tunneling via ssh. It automatically configures the gateway and then figures out what ports should be used by my program. In my configuration file, I may have:
gateway: -system dmgwy01 -start 2000 -background
system: -system foo01
system: -system foo02
system: -system foo03
When I run the command:
$ tnl start dmgwy01
This will start my tunneling with the following ports:
ssh -N -c 3des dmgwy01 -L 2000/foo01/22 -L 2001/foo02/22 -L 2002/foo03/22
Note that I don't have to assign ports to the individual systems. This is done automatically by my script.
Now, I can start a tunnel by doing:
$ tnl ssh foo01
It works great. That is until I change my configuration file and add a new system:
gateway: -system dmgwy01 -start 2000 -background
system: -system bar01
system: -system foo01
system: -system foo02
system: -system foo03
Now, the tunneling starts like this:
ssh -N -c 3des dmgwy01 -L 2000/bar01/22 -L 2001/foo01/22 -L 2002/foo02/22 -L 2003/foo03/22
Note that the port numbering for the various systems has changed. That's fine; I really don't care about the actual port numbers. However, now when I use the tunnel I get:
$ tnl ssh bar01
###########################################################
# WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! #
###########################################################
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
xx:xx:xx:xx:xx...
Please contact your system administrator.
Add correct host key in $HOME/.ssh/known_hosts to get rid of this message.
Offending RSA key in $HOME/.ssh/known_hosts:1
RSA host key for [localhost]:2000 has changed and you have requested strict checking.
Host key verification failed.
I've traced this to my ~/.ssh/known_hosts file. When I had my original setup, the ~/.ssh/known_hosts was setup this way:
[localhost]:2000 ssh-rsa (Fingerprint for foo01)
[localhost]:2001 ssh-rsa (Fingerprint for foo02)
[localhost]:2002 ssh-rsa (Fingerprint for foo03)
Now, [localhost]:2000 is bar01 and not foo01, so of course their fingerprints differ. I'll also have the same issue trying to get on foo01 or foo02 because their port numbers have changed, and their fingerprints won't match either.
Is there a way to get around this issue? Is it possible to force my known_hosts to use system names instead of port numbers? Is it possible to somehow add a note to my known_hosts file that will map host to hostname, and allow me to remap the host names to their previous ports if possible?
I can get around this by turning off StrictHostKeyChecking, but that doesn't necessarily fix the issue. I can simply edit my known_hosts when I change the configuration and recalculate the host keys, but I'm trying to keep things simple.
Any suggestions?
Given that your script tnl already sorts out a mapping between the local port number and the name of the host to forward to, it is just a small step to modify the known_hosts file so that the same local port maps to the same host; each line in known_hosts contains this information.
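One way to do what the answer above suggests, written as an added example (not the asker's tnl script): derive the port-to-host mapping from the old and new config and move each stored host key to its host's new port. The config parser is an assumption about tnl's format, based only on the lines quoted in the question, and the known_hosts lines are constructed.

```python
import re

# Constructed inputs modelled on the question's tnl config and known_hosts;
# the config parser below is an assumption about tnl, not the asker's script.
OLD_CONFIG = """gateway: -system dmgwy01 -start 2000 -background
system: -system foo01
system: -system foo02
system: -system foo03
"""
NEW_CONFIG = """gateway: -system dmgwy01 -start 2000 -background
system: -system bar01
system: -system foo01
system: -system foo02
system: -system foo03
"""
KNOWN_HOSTS = """[localhost]:2000 ssh-rsa AAAAfoo01key
[localhost]:2001 ssh-rsa AAAAfoo02key
[localhost]:2002 ssh-rsa AAAAfoo03key
github.com ssh-ed25519 AAAAunrelated
"""

def port_map(config):
    """Assign local ports as tnl does: -start from the gateway line, then one
    consecutive port per 'system:' line in file order. Returns {port: host}."""
    start, hosts = None, []
    for line in config.splitlines():
        kind, _, args = line.partition(":")
        host = re.search(r"-system\s+(\S+)", args)
        if kind.strip() == "gateway":
            start = int(re.search(r"-start\s+(\d+)", args).group(1))
        elif kind.strip() == "system" and host:
            hosts.append(host.group(1))
    return {start + i: h for i, h in enumerate(hosts)}

def remap_known_hosts(known_hosts, old_map, new_map):
    """Move each '[localhost]:PORT' entry to the port its host now uses, so the
    stored key keeps following the host. Entries for hosts dropped from the
    config are removed; other lines pass through. Assumes unhashed entries
    (HashKnownHosts no): hashed host names cannot be rewritten this way."""
    new_port = {h: p for p, h in new_map.items()}
    out = []
    for line in known_hosts.splitlines():
        m = re.match(r"\[localhost\]:(\d+)\s+(.*)", line)
        host = old_map.get(int(m.group(1))) if m else None
        if host is None:
            out.append(line)          # not one of tnl's entries: keep as is
        elif host in new_port:
            out.append(f"[localhost]:{new_port[host]} {m.group(2)}")
    return "\n".join(out) + "\n"
```

A new host such as bar01 gets no entry until its key is accepted on the first connection through the new port, which is the only time the "authenticity can't be established" prompt should then appear.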
Related
I get the next message from SSH client every time I try to connect to my server:
The authenticity of host "XXX" can't be established. ECDSA key fingerprint is SHA256:...
Are you sure you want to continue connecting (yes/no/[fingerprint])?
I understand that this message should only appear the first time I connect, not each and every time.
Why does it happen?
Does it mean that it is a self-signed certificate?
Have a good day!
There are a few things you can try:
Make sure ~/.ssh/known_hosts is writable, because the system will try to add the host key to this file.
Depending on your ssh client, you can set the StrictHostKeyChecking option to no on the command line, and/or send the key to a null known_hosts file. You can also set these options in your config file, either for all hosts or for a given set of IP addresses or host names.
ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no
This option is not very secure as it may open you up to man-in-the-middle attacks. Please consider carefully before doing this.
https://linuxcommando.blogspot.com/2008/10/how-to-disable-ssh-host-key-checking.html
[NOT SECURE] Another way is to use 'BatchMode' in addition to 'StrictHostKeyChecking'. This way, your script will accept a new hostname and write it to the known_hosts file, but won't require yes/no intervention.
ssh -o BatchMode=yes -o StrictHostKeyChecking=no user@server.example.com "uptime"
When I issue ssh -v hostname, it tells me successful. But permission denied (publickey) when issuing ssh -v user@hostname. What's the difference between them? I tried to solve this problem in some ways, but they weren't effective, such as:
chmod 700 ~/.ssh/
chmod 600 ~/.ssh/authorized_keys
restorecon ~/.ssh/authorized_keys
I guess the problem is about context, because after issuing ssh -v hostname, the debug information tells me unable to get valid context. And issuing ssh [user@]hostname it authorized id_rsa, id_ecdsa, and id_ed25519 and skipped id_dsa (probably the config setting).
When user isn't specified, the .ssh config is searched for a default one for the given host, and if there's none, the same username as on the source machine is used.
To get more information, add a copy&paste of the .ssh/config and the outputs of both ssh commands.
When using ssh user@hostname you explicitly try to log in as user on hostname. The login fails because you need to create an authorized_keys file in this user's home, too, as you did for the default user which is used when user is not given. Obviously authentication by password is disabled, else ssh would ask for it.
Perhaps the answer to this question is that it is not possible but hopefully someone knows how to get around this issue. In the past, before the admins configured Kerberos in our school machines I was able to create ssh keys for several purposes. The way this was done was via the ~/.ssh/config file in my machine and the ~/.ssh/authorized_keys in the server. An example of my ssh config file goes as follows
Host sayHI
IdentityFile path/to/sayHiPrivateKey
HostName servername
User myusername
Host sayHey
IdentityFile path/to/sayHeyPrivateKey
HostName servername
User myusername
Then in the authorized_keys file I would have
command="echo hi" ssh-rsa sayHiPublicKeyLONGSTRING....
command="echo hey" ssh-rsa sayHeyPublicKeyLONGSTRING....
ssh-rsa otherkeysformypasswordlessentry
With this setup I could do something like
$ ssh sayHI
hi
$ ssh sayHey
hey
Unfortunately, this has now stopped since we are now using Kerberos to authenticate every day. What this means is that now I have to do
$ kinit username@SERVERNAME
Once I put in my password I can use ssh as follows:
$ ssh -K username@hostname
and now I have access. If I do
$ ssh sayHI
this will not work since it asks for my password. If I do
$ ssh -K sayHI
this logs me in but it completely ignores the fact that this was supposed to use an identity so that I can run the command echo hi. Instead it just uses the Kerberos credentials and logs me in. So now that I have explained the functionality that I once had, does anyone know if it is possible to recover this using Kerberos and ssh? The multiple identity files were useful, especially if you wanted to let a friend run a command on your behalf without giving them your password (http://docstore.mik.ua/orelly/networking_2ndEd/ssh/ch08_02.htm). I really hope this is still possible somehow. Thanks in advance.
It depends on whether the server still accepts pubkey authentication or not (it looks like it does not, otherwise the Kerberos authentication wouldn't make any sense).
Depending on the vendor of the OS, it might be possible to set up .k5login, but it will probably not solve the issue. A better way to differentiate between the commands would be using some aliases on your client:
alias sayHi="ssh -K host echo Hi"
alias sayHello="ssh -K host echo Hello"
in your ~/.bashrc.
I have this Linux machine with an ssh server installed; I can access the server using username="ubuntu". The ssh server blocks clients that try to connect using the "root" username.
So connection can be made by:
ssh -i mykey ubuntu@myserver
I can get files that belong to "ubuntu" using:
scp -i mykey ubuntu@myserver:<file location> ./
However, what I really want is to get files that belong to the "root" username (note: I can't access the server with username "root" for obvious security reasons).
So is there a way to download files that are under the "root" username?
I was thinking of doing some magic on the server side that enables me to do that. (I don't know how :) )
If this helps: I have root access and also I can create files on my server side, but I'm not allowed to change the file permissions under root (if someone gets hold of these files I'll be fired).
You can try a monster like this
ssh ubuntu@myhost 'sudo cat /path/to/file | uuencode' | uudecode > path/to/local
You should have uuencode and uudecode on the corresponding hosts.
Or if the file is text you can skip the uuencode part
ps: see related topic
You could do it the other way around.
Log into the PC with the file you want with
ssh ubuntu@myserver
Then gain superuser privileges
sudo su
and then copy the files you want
scp /the_file_you_want ubuntu@myhost:/the_location_and_filename_you_want
Some other ways you can find here
https://unix.stackexchange.com/questions/106480/how-to-copy-files-from-one-machine-to-another-using-ssh
enable ssh on your machine
(if fedora) (for ubuntu you can find command on google easily)
service sshd on
From your local machine
ssh -i ubuntu@myserver
change to root
su
enter password
and copy files using scp
scp somefile.extension randomuser@localmachine:/some/path/
I hope it helps
I connected 3 data nodes (on all these data nodes passwordless ssh is working fine) in my cluster, which are working fine, but when I try to connect another data node, passwordless ssh is not working on the fourth data node.
IP address of first three data nodes:
172.20.93.192(name node)
172.20.94.189(data node)
172.20.94.145(data node)
172.20.94.193(data node)
Now my fourth data node's IP address is 172.20.95.6, where passwordless ssh is not working.
I am generating keys with
ssh-keygen -t rsa
I am doing the same process for the fourth data node as for the above three data nodes, but it is not working. Why? What may be the reason?
I had a very similar problem today with CentOS servers. The problem turned out that the /root folder had wrong permissions. In fact, the /var/log/secure log file showed this error:
Sep 3 09:10:40 nec05 sshd[21858]: Authentication refused: bad ownership or modes for directory /root
This is what it wrongly was:
[root@nec05 ~]# ls -ld /root
drwxrwxrwx. 32 root root 4096 Sep 3 09:54 /root
Using chmod fixed it:
[root@nec05 ~]# chmod 550 /root
[root@nec05 ~]# ls -ld /root
dr-xr-x---. 32 root root 4096 Sep 3 09:54 /root
After that, passwordless login worked on this particular server.
More information would be required to get the "real" cause. However, here are two of the most common problems I have found that are not related to the key configuration itself (taking into account that you use Linux :)):
SSHD on the remote machine is configured in restricted mode for "root" and you are trying to ssh as root. SOLUTION: Copy /etc/ssh/sshd.conf from one of the working machines to the faulty one and restart the ssh server.
The home folder of the user used for remote login has invalid permissions. Many default configurations for SSH daemons contain restrictions on the permissions of the user's home folder for security purposes. SOLUTION: Compare with working nodes and fix. (Sometimes you would see a warning/error log in /var/log/messages.)
If you follow the process to integrate the keys from scratch and review the permissions for all the files involved, you should face no issues.
Please answer back with sshd.conf file as well as the logs from a remote login with -v (ssh -v IPADDR) for a better analysis.
I went through the same errors recently. All my file permissions were set up correctly but ssh still asked for a password. Finally I figured out it was due to one missing line in /etc/ssh/sshd_config: you should add "AuthorizedKeysFile %h/.ssh/authorized_keys", so that sshd will look for the public key file in your home dir.
After doing this the problem is gone.
You would have to elaborate more on your problem, i.e. whether you are using the same private-public key pair for all servers.
Secondly, you must try ssh with the -v flag; it will give you some hint, like which private key it is using for authentication and what the cause of the authentication failure is.
Thirdly, verify the permissions of .ssh/authorized_keys at the server end. It should not have write permission for group or other users.
You can simply use
ssh-keygen -f # to generate ssh key pair.
ssh-copy-id # #to copy public key in the server's authorized key.
Troubleshooting checklist:
example: Machine A passwordless login to B
Turn off SELinux on B
For both A and B: make sure the correct permissions are set for .ssh (700) and .ssh/authorized_keys (600)
check on B: /etc/ssh/sshd_config: PubkeyAuthentication yes
check firewall on B
check the log /var/log/secure
If you've renamed id_rsa/id_rsa.pub to, for example, id_rsa_b/id_rsa_b.pub, you should do ssh -i .ssh/id_rsa_b user@MachineB
refer
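The permission checks behind the "bad ownership or modes for directory /root" refusal quoted above and the 700/600 items in this checklist, as an added example that is not from any of the answers: it applies sshd's StrictModes rule (owned by the login user or root, and not group- or world-writable) to the home directory, ~/.ssh and ~/.ssh/authorized_keys. It assumes a Unix host (it uses the pwd module); the function names are chosen here.

```python
import os
import pwd
import stat

def strict_modes_problem(path, st_mode, st_uid, user_uid):
    """Apply the rule sshd uses under StrictModes, the one behind
    'Authentication refused: bad ownership or modes for directory /root':
    the path must be owned by the login user or by root, and must not be
    writable by group or others. Returns the refusal message or None."""
    kind = "directory" if stat.S_ISDIR(st_mode) else "file"
    if st_uid not in (0, user_uid) or (st_mode & 0o022):
        return f"bad ownership or modes for {kind} {path}"
    return None

def audit_user(username):
    """Check the home directory, ~/.ssh and ~/.ssh/authorized_keys of the
    given account the way sshd would before accepting a public key.
    Returns a list of problems (empty when the three paths are acceptable).
    The 700/600 modes from the checklist are stricter than this rule and
    always pass it; the rule catches the 777 home from the answer above."""
    pw = pwd.getpwnam(username)
    problems = []
    for rel in ("", ".ssh", ".ssh/authorized_keys"):
        path = os.path.join(pw.pw_dir, rel)
        try:
            st = os.stat(path)
        except FileNotFoundError:
            problems.append(f"missing {path}")
            continue
        msg = strict_modes_problem(path, st.st_mode, st.st_uid, pw.pw_uid)
        if msg:
            problems.append(msg)
    return problems

if __name__ == "__main__":
    import getpass
    for problem in audit_user(getpass.getuser()) or ["no StrictModes problems"]:
        print(problem)
```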
I am going to explain with an example:
Suppose there are two servers, server1 (192.168.43.21) and server2 (192.168.43.33). If you want passwordless ssh between server1 and server2 where the user is admin, then follow the steps below:
To install, run the command: yum install openssh-server openssh-clients
To create an ssh key, run the command: ssh-keygen -t rsa on server1 and server2
Disable SELINUX in: vim /etc/selinux/config
SELINUX=disabled
After changing SELINUX you need to reboot.
Add the user to AllowUsers, AllowGroups and PermitEmptyPasswords in:
vim /etc/ssh/sshd_config
AllowUsers admin
AllowGroups admin
After the update, restart sshd: systemctl restart sshd
Go to the home directory of the admin user: cd ~
Go to the ssh folder: cd .ssh and copy the id_rsa.pub key from server1 and paste it into the authorized_keys file of the .ssh folder on server2.
Note: instead of copying manually we can use:
From server2 use the command: `ssh-copy-id admin@server1`
From server1 use the command: `ssh-copy-id admin@server2`
Now try ssh from server1 to server2 and server2 to server1
From server1 run: `ssh admin@server2`
From server2 run: `ssh admin@server1`
If it is not working, then check the firewall using these commands:
To check the status of the firewall, run: firewall-cmd --state
If it is running, then check whether the ssh port is added or not using the command below:
firewall-cmd --list-all
If the port is not added, then you need to add it to the desired zone.
If the firewall is not mandatory, in that case you can stop the firewall and
mask it using the commands below:
systemctl stop firewalld
systemctl disable firewalld
systemctl mask --now firewalld
Please check if SELinux is disabled.
In my case, it worked after SELinux was disabled.
The method in Linux is to generate an encrypted key (either with rsa or dsa) for that user, save that key in authorized_keys, and assign rights to that folder and the file in it.
1: Generate a key with the command
ssh-keygen -t dsa -P '' -f ~/.ssh/id_dsa
Your public key has been saved in /home/username_of_pc/.ssh/id_dsa.pub
2: Add that key to authorized_keys.
cat ~/.ssh/id_dsa.pub >> ~/.ssh/authorized_keys
Set permissions for the folder where it's saved.
If you need it on another server, then simply copy it to the other machine.
3: Check ssh by simply typing
ssh localhost
It should not ask for a password and should only display the last login time; then it's set up correctly. Remember not to use root for ssh.