I have 100 machines to be automatically controlled using passwordless ssh.
However, since passwordless ssh requires id_rsa handshaking, it takes some time for controlling a machine as we can see in the following.
$ time ssh remote hostname
remote
real 0m0.294s
user 0m0.020s
sys 0m0.000s
It takes approximately 0.3 seconds, and doing this all over 100 machines takes around 30 seconds.
What I'm looking for is to make the account on the remote machine no password at all.
Is there a way to do it?
There is a way: use telnet. It provides the same as ssh without authentication and encryption.
The delay may be caused by the host doing a reverse DNS lookup when the client connects, to verify that the client's hostname reverses to the same IP that the client is connecting from. If you disable this option on your server's sshd, you may see less delay when connecting. See the links below for more info:
http://linux-tips.org/article/92/disabling-reverse-dns-lookups-in-ssh
https://unix.stackexchange.com/questions/56941/what-is-the-point-of-sshd-usedns-option
You can try using sshpass
For example, when password is in password.txt file:
sshpass -fpassword.txt ssh username#hostname
Related
I have created ssh keys and registered my public key on the target host under .ssh/.authorized_keys.
And it also generally works. I just observe a strange behavior: When I try to login the first time in the morning, I see "Server refused our key" and get forced to enter my passphrase. Any consecutive attempts then work fine and I see in the console output that it's registering with my key.
If I don't log in for a longer time, then a new login would show the same behavior as above and I get forced to enter my passphrase.
So I was wondering: Is there maybe a configurable value that prevents me registering with my key after certain time that I can just increase or deactivate?
You may find your answer here. Some servers are configured to verify the hosts before they can login for the first time.
https://unix.stackexchange.com/questions/42643/ssh-key-based-authentication-known-hosts-vs-authorized-keys
We can make SSH automatically write new host keys to the known_hosts file by setting StrictHostKeyChecking to “no” in the ~/.ssh/config file.
StrictHostKeyChecking=no
I'm using one service which is connected to remote host via ssh. I don't want to store or write ssh keys on that service, I want pass keys to service and execute ssh connection to another host using passed keys before.
To connect to host I used: ssh user#host -i /path/to/key.
How can I use key as the text not a specific file?
I tried ssh user#host -i "key-text-example". It doesn't work like that.
Not as a literal answer to your question, but as the best way to meet your actual need (of connecting via SSH to a remote machine via a system you don't trust to store your private key) -- you should use SSH agent forwarding.
When you pass your private key to a remote system, even transiently, it can be captured; if an attacker is recording everything that goes on on the system with Sysdig, for example, the writes over the FIFO from the process substitution (or the reads done by the SSH client process) will show up plain as day.
Instead of passing the private key to the remote system, agent forwarding sends the request for a signature back from the remote system to your origin machine. (There are even SSH agents for Android, so you can have the request forwarded to your phone -- presumably a device you trust -- such that the private key never leaves it). Similarly, a hardware device such as a YubiKey can store your private key and perform signature operations on behalf of a SSH client -- on behalf of a remote machine when agent forwarding is requested.
For the simple case:
local$ [[ $SSH_AUTH_SOCK ]] || eval "$(ssh-agent -s)"
local$ ssh-add # load the key into your local agent
local$ ssh -A host1 # connects to host1 with agent forwarding enabled
host1$ ssh host2 # asks the ssh agent on "local" to authenticate to host2
host2$
I am trying to ssh into my server at work (CentOS) from my laptop (Ubuntu). When I am at home, I do it by running the following script on the server (I start it while I am physically at work):
ssh -R (port #):localhost:22 (name#home ip)
I do this because it doesn't accept connections from external IPs. Then, I can ssh into the specified port on my laptop, and it works fine.
However, when I am actually at work, I cant ssh to the server. The other people in my office can. They do this very simple command (only works while they are at work, since they need an IP from inside the system):
ssh (username)#(work ip)
And they are automatically logged in. When I do that, I get no response; no public key denial, no wrong username, no response at all. Eventually it times out. But I know the server has ssh running, because everyone else can do it.
Additionally, if I do this on my laptop, while at work:
ping (work ip)
I do get response packets, with no loss, almost no lag. But ssh doesn't work.
I can ssh to other places from my laptop, both while I am at home and at work. So my laptop is properly configured to ssh to things, it just doesn't reach the work server for some reason. I talked to the guy who set it up and he insists there is no whitelist; the only security from internal IPs (and I am physically on site, so I have an internal IP, so there should be no need to do the ssh -r like I do at home) is the private/public RSA key system, and I know the keys must be already set up, because it works when I do the ssh -R from home. Plus, if the keys were not set up, I would get a public key denial, instead of no response at all, right?
If I do ssh -vv, this is the last line before it times out:
debug1: Connecting to ccny6 [work ip] port 22.
I see other people have posted similar questions, but the responses they seem to generally be "is the server running the ssh service" etc, which I know it is as other people can ssh to do (as can I if I'm using the ssh -r tunnel), so none of those responses did me much good, unfortunately.
Summary: I can ssh to a server from OFF site via a ssh tunnel, but can't ssh to it while I am right next to it using direct ssh, even though I can ping it, and others can ssh to it.
The most possible reason for the same is your ISP. I too had this issue few months back. They had closed ssh ports. Ask them and get it released.
Just a confirmation, try to do ssh to other IP's as well. It wont work either if your ISP has blocked it.
My intention is to display stats like Load avg and RAM usage from a remote server onto an LCD panel 24/7. I would like the information to be updated once every 1-3 seconds.
Other threads have suggested using SSH commands to retrieve the information.
ssh root#192.168.1.252 uptime && cat /proc/meminfo
Is using SSH suitable for my purposes, my concern is that
my log files may be bloated because of all the login attempts
overhead of setting up and tearing down an SSH connection every few second.
Is there any such package out there or do I have to code it myself? I would prefer one that keeps the connection open to reduce overhead. I do not require encryption as both servers are on LAN.
Thanks in advance.
Several things to note:
Don't use root if you don't need to. For uptime and cat /proc/meminfo you certainly don't need root. Use another user.
Note the difference between these two:
ssh user#hostname uptime && cat /proc/meminfo
ssh user#hostname 'uptime && cat /proc/meminfo'
The first one will execute cat /proc/meminfo on your local machine, the second will execute it on the remote. I think you want to use the second version. (You want the CPU info of the remote machine, not your local machine, do you?)
You can use connection multiplexing to hit two birds with one stone: reduce the overhead of establishing new connections and avoid polluting the server log. To do this, add a configuration like this in your ~/.ssh/config file:
Host somename
User the_username
Hostname the_hostname
ControlMaster auto
ControlPath ~/.ssh/master-somename
You can choose any somename, it's like an alias. With this setting, you can connect to the server simply as:
ssh somename
While this remote session is still alive (until you logout), you can open new connections from another terminal, and they will reuse the existing connection, bypassing authentication and effectively eliminating the overhead of new connections.
This is actually a common trick when working with slow remote servers where establishing new connections is a noticeable overhead. In fact I use this setting to apply it to all remote servers I work with:
Host *
ControlMaster auto
ControlPath ~/.ssh/master-%r#%h:%p
I usually recommend this trick for everyone.
what is the Linux command to connect to another server using host name and port number?
how to connect to another server using only host name and port number then check if an existing process is running? the only way i see it working is to log in to the server and run the PS command. but is there a way to do it without logging in directly to the other server and connect only with host name and port number and check the running process?
If you just want to try an arbitrary connection to a given host/port combination, you could try one nmap, telnet or nc (netcat).
Note that you can't necessarily determine whether or not a process is running remotely - it might be running on that port, but simply ignore anything it sees over the port. To really be sure, you will need to run ps or netstat or etc. via ssh or etc.
If you want to use SSH from e.g. a script or, more generally, without typing in login information, then you will want to use public key authentication. Ubuntu has some good documentation on how to set this up, and it's very much applicable to other distrobutions as well: https://help.ubuntu.com/community/SSH/OpenSSH/Keys.
If you have no access to the server you're trying to list processes on at all, then I'm afraid there isn't a way to list running processes remotely (besides remote tools like nmap and so on, as mentioned earlier - you can always probe public ports without authentication [although you might make people angry if you do this to servers you don't own]). This is a feature, not a problem.
telnet connects to most of services. With it you can ensure that port is open and see hello message (if any). Also nc is more low level.
eri#eri-macro ~ $ telnet smtp.yandex.ru 25
Trying 87.250.250.38...
Connected to smtp.yandex.ru.
Escape character is '^]'.
220 smtp16.mail.yandex.net ESMTP (Want to use Yandex.Mail for your domain? Visit http://pdd.yandex.ru)
helo
501 5.5.4 HELO requires domain address.
HELO ya.ru
250 smtp16.mail.yandex.net
MAIL FROM: <someusername#somecompany.ru>
502 5.5.2 Syntax error, command unrecognized.
If there is plain text protocol you cat talk with service by keyboard. If connection is secured try openssl.
openssl s_client -quiet -connect www.google.com:443
depth=1 /C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
verify error:num=20:unable to get local issuer certificate
verify return:0
GET /
<HTML><HEAD>
If protocol is not known you may see much of hieroglyphs or just Connected to ... message.
Try this :
ssh <YOUR_HOST_NAME> 'ps auxwww'
Like Dark Falcon said in the comments, you need a protocol to communicate with the server, a port alone is useless in this case.
By default on unix (and unix like) servers, ssh is the way to go.
Remote Shell with this command. Example is cat a file on the remote machine.
rsh host port 'cat remotefile' >> localfile
host and port self explainitory
remotefile: name of some file on the machine remote logging to in home directory
localfile: name of file cat information to.
Use monitoring software (like Nagios). It looks at your processes, sensors, load and thatever you configured to watch. It continuously stores log. It alerts you by email\sms\jabber if something fails. You can access it with browser or by HTTP API.