I want to copy directories with scp from server A to a remote server B. As i want to do this with a script I generated a private and a public key for the server, which work fine with winScp.
but when i try to copy with shell/skript
scp -i <DIR>/key.ppk $tmpDirA/*.war $username#$server:$TmpDirB
Im getting asked for the passphrase
Enter passphrase for key '<DIR>/key.ppk'
even the passphrase was left empty when generating the keys.
both server(openSuse) have openSsh, protocol 2. and the keys are rsa-keys
This keys are not generated with the server A. Does it matter?
I cant see what point im missing. So thanks for any help.
Are you trying to use a PUTTY private key? Openssh does not support putty private key files, but PUTTYgen can export to a format openssh understands.
Are you sure ssh chooses the right key when copying?
Create a config file in ~/.ssh and define different hosts there, this ensures that ssh chooses the correct key.
Linux man page
Related
I have a script which should simply copy some file from Server A to Server B. To be able to do so, during the script is running I am asked to manually type the Passphrase. My question is how can I automate that, so the Passphrase is automatically added?
scp -i ${SCPKEY} ${SCPFILETOCOPY} ${SCPUSER}#${SCPDEST}
this is an example of the command I use in the script
I couldn't find any solution on the web. I tried using the sshpass but it did not work...
The Problem is basically with the 2 side authentication.
Thank you in advance for all your help!
Provided you are using public-private key pair authentication (looking at the command you listed), then you have 2 options:
(Recommended security-wise): use ssh-agent before using your script, this way you will have to supply the key pair password just once in your interactive session. As long as the session is open, your script will run without asking for the key passphrase.
$ ssh-agent bash
$ ssh-add
Then run your script.
2. (Not recommended security-wise) Save your private key unencrypted, i.e without the passphrase, then your script will work even NOT in interactive terminal session. The downside is of course anyone who can read your dir on the server can steal the private key.
I have two servers A and B , i am trying to ssh from A to B using private-key and i don't want to provide password of server B.
I am trying below command for ssh ::
ssh -i <generated_private_key> <user>#<host name>
the private-key is perfectly fine. but still this command asking for password.
In order to use ssh passwordless connection you need to place the contents of ~/.ssh/id_rsa.pub (id_rsa.pub is just an example could be anything you used durring generation) of the user#local_machine to the ~/.ssh/authorized_keys of the some_user#remote_machine.
Further if other issues exist then you should check /var/log/ for the error.
Edit1:
Based on comments (thanks to #Crazy) if you used passphrase durring creation of the key then you need to recreate the key without the passphrase.
We have 2 Debian servers, one for testing and one for live. I have some scripts which should be executed to transfer data from live to test. For both the servers we use PublicKeyAuthentication where our id_rsa.pub's contents are added to authorized_keys on test server.
Even after doing this, everytime I initiate a transfer from one server to another, I am being asked for password.
I also tried calling ssh-copy-id, but that didn't help and all I got was a duplicate entry in authorized_keys.
Lastly when I try sshpass, I get the following message, and i cannot enter the password as its just a message.
sshpass -v -p 'PASS' ssh root#our_server
SSHPASS searching for password prompt using match "assword"
SSHPASS read: Enter passphrase for key '/root/.ssh/id_rsa':
Any ideas? Thanks.
From the output of sshpass, it seams that it is asking for the password of the key, not the password for the server:
Enter passphrase for key '/root/.ssh/id_rsa'
Protecting your SSH-keys with a password is a good practice, but you can not fully automate things that way, as you discovered. Depending on your situation, you can do either of the following:
Use an SSH-agent. This is a daemon that will ask your password once, and keep the private key cached until you remove it. This still has the benefit that your SSH-key is stored password-protected on disk, but you can use it as a password-less key.
This has the added benefit that you can forward SSH-agent over SSH: if you SSH from your machine to server A, and then further on to server B, this last connection can use the key stored on your machine (instead of having to copy your key to server A).
Remove the password from the key entirely (you can use ssh-keygen to change the password to be blank)
How do you execute data transfer? Is it scp? Check your system usernames, make sure public keys are installed to authorized_keys file for correct user.
Does anybody have an idea how can I use an ssh private key in a script to scp some files from a server using a private key to connect but make sure the key can't be extracted to be used for something else?
The servers are already deployed and new users or new keys can't be generated.
I have the root key. The script/ app should just grab a few files from a folder without exposing the key to the user.
I think you have your ideas about public/private keys backwards.
If I give you my public key, then my private key allows me to access your computer. This effectively solves your problem, as you should never share your private key, and you'll append public keys to ~/.ssh/authorized_keys file on the server you want to access.
It sounds like you already have the private key to access the server, so no need to encrypt, as you use that to access the server not the other way around.
Use it scp -i ...
Hopefully helpful, here's a tutorial on setting up keys:
https://www.digitalocean.com/community/tutorials/how-to-set-up-ssh-keys--2
I have 2 servers with which I work: first one is application server and another one is archival server.
I access both of these servers using F-Secure SSH Client using the same user id and public-private key pair for authentication. It means that private key is stored on the Windows machine and public key is stored on both servers.
Now I need to access archival server from application server. To do that I have to do a key exchange first.
What is a standard aproach in this case? Do I just copy my private key from Windows to the application server? Would it compromise security? Or I need to generate a new key pare?
I appretiate your help!
P.S. I am relatively new to Unix administration, so don't be very hard on me :)
The standard approach is:
Generate on each machine/user a new private/public key pair
Use authorized keys file in .ssh and add every public key
Copy this authorized keys file to every remote host
Sidenote: The authorized key file as well as the key pairs are user#machine related
Sidenote2: Usually ppl block root completely from this process. Root should be neither accessible via pw auth nor with key auth.
#fyr's answer is correct, however you don't need to manually add or copy anything. You can do it with ssh-copy-id.
Assuming that the SSH server on your new machine is already running, from your old machine (which already has an SSH key pair, if not run ssh-keygen), run
ssh-copy-id -i ~/.ssh/mykey user#host
where the -i parameter denotes the location of your public key. The ssh-copy-id tool will add the .pub extension if necessary, so it won't be trying to send your private key.
A real-world example of this, let's say to exchange keys with a Raspberry Pi, would be:
ssh-copy-id -i ~/.ssh/id_rsa pi#192.168.1.11
This will ask for your password, but just once. If the key exchange is successful, you'll be able to ssh into it without needing a password.