How to handle ssh key? - linux

system("ssh test.host.com");
It's asking whether to permanently add the key or not. I want it to automatically say yes!

The fact that ssh asks if you want to connect even if the host's public key isn't checked yet is the result of having StrictHostKeyChecking ask (or yes) in your /etc/ssh/ssh_config or ~/.ssh/config. You can set it to no if you want to automatically add unknown host keys to your known_hosts file. If you don't want to make this a permanent configuration change, you can also use it on the command line:
system("ssh -o StrictHostKeyChecking=no test.host.com");
In either case, ssh will issue a warning on host key mismatches and will disable password authentication because of possible man-in-the-middle attacks. You can still log in with public-key authentication.

Someone has to agree that the first key is valid. You could require users to add the pertinent information to ~/.ssh/known_hosts manually (or do it yourself).

Run the SSH Agent before you start your application and use it to add a key (option in the menu on Windows or use ssh-add from the command line on Unix).

As Nathon mentioned, the right way to fix this is to get the host's key into your list of known keys. The simple way is to ssh to the host once manually and answer yes; then the key will be cached in $HOME/.ssh/known_hosts. This has to be done for each host you will connect to and for each user that will run the program. If you have admin rights on the system you're running ssh from, you can also add the host keys to /etc/ssh/ssh_known_hosts to make them available to all users.
If you don't know what host the script will connect to, you might need to look into a module like Expect to watch for and respond to the host key prompt, although automating this step subverts some of the security ssh provides.

Related

How do I automatically provide arguments in interactive terminal?

I frequently have to connect to a VPN for work. So rather than typing the whole command, I want to type something like vpn in the terminal and have it pick up the password from somewhere so the VPN gets connected.
The process I do now is:
sudo openvpn --config <configfile.ovpn>
I'll be prompted to type the password, and when I do that it gets connected.
For the same I explored alias, but I suppose alias is for much simpler tasks. Any solutions for how to pass the password automatically when the terminal asks for it?
You can create an alias and use it.
In your .bashrc, you can create an alias:
alias vpn='<your command>'
Then you will just type the command vpn.
Here is a link that can help you.
When the password is asked for interactively, the best option is to add the --askpass argument and send the password through a file.
openvpn --config <configfile.ovpn> --askpass <file with cred>
You can also add the password automatically using expect or similar, but the best option is using openvpn's own mechanism.
--askpass [file]
Get certificate password from console or file before we daemonize.
For the extremely security conscious, it is possible to protect your private key with a password. Of course this means that every time the OpenVPN daemon is started you must be there to type the password. The --askpass option allows you to start OpenVPN from the command line. It will query you for a password before it daemonizes. To protect a private key with a password you should omit the -nodes option when you use the openssl command line tool to manage certificates and private keys.
If file is specified, read the password from the first line of file. Keep in mind that storing your password in a file to a certain extent invalidates the extra security provided by using an encrypted key.
You can put the password into a file and point your OpenVPN client configuration to it.
It is obviously a bad idea for security to store passwords in plain text on your hard drive!
If you still want to do it, put your user name and password in a plain text file on two lines, like so:
username
password
Add a line
auth-user-pass passwordfile
to your OpenVPN client configuration where passwordfile is the name of the file.
Note this only works in OpenVPN 2 and is no longer supported in version 3. See this blog post about it: https://openvpn.net/blog/openvpn-3-linux-and-auth-user-pass/

Shell Script - How do I extend it to include a password for network devices?

I use a very basic shell script to log into network devices from my jumpbox.
For eg.
$ cat login
ssh -l varun `echo $1`
$ login 10.10.10.1
Enter Password:
I need to manually enter the password every time. My jumpbox has limited libraries, etc., so is there an easy way I can extend the same 'login' script to include my password also?
Additionally, there are times when ssh related questions show up before the password so would love to have them included also to make my life easier. I basically need to say yes to add the fingerprint.
Eg.
$ login 10.10.10.2
The authenticity of host 'router2 (10.10.10.2)' can't be established.
RSA key fingerprint is a0:c5:5e:51:45:f3:4a:21:45:14:c4:67:4a:44:e1:ba.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'router2' (RSA) to the list of known hosts.
Would appreciate any suggestions or pointers but would really prefer to keep it simple like my initial script. This is for daily login and NOT for automation. I have no intent to use this on multiple devices/etc, it is purely for ease of not entering credentials a million times a day :)

ssh using private-key without password

I have two servers A and B. I am trying to ssh from A to B using a private key and I don't want to provide the password of server B.
I am trying the command below for ssh:
ssh -i <generated_private_key> <user>@<host name>
The private key is perfectly fine, but this command is still asking for a password.
In order to use an ssh passwordless connection you need to place the contents of ~/.ssh/id_rsa.pub (id_rsa.pub is just an example; it could be anything you used during generation) of user@local_machine into the ~/.ssh/authorized_keys of some_user@remote_machine.
Further if other issues exist then you should check /var/log/ for the error.
Edit1:
Based on comments (thanks to @Crazy), if you used a passphrase during creation of the key then you need to recreate the key without the passphrase.

SSH : Copy files without password when using public key authentication.

We have 2 Debian servers, one for testing and one for live. I have some scripts which should be executed to transfer data from live to test. For both the servers we use PublicKeyAuthentication where our id_rsa.pub's contents are added to authorized_keys on test server.
Even after doing this, every time I initiate a transfer from one server to another, I am asked for a password.
I also tried calling ssh-copy-id, but that didn't help and all I got was a duplicate entry in authorized_keys.
Lastly, when I try sshpass, I get the following message, and I cannot enter the password as it's just a message.
sshpass -v -p 'PASS' ssh root@our_server
SSHPASS searching for password prompt using match "assword"
SSHPASS read: Enter passphrase for key '/root/.ssh/id_rsa':
Any ideas? Thanks.
From the output of sshpass, it seems that it is asking for the password of the key, not the password for the server:
Enter passphrase for key '/root/.ssh/id_rsa'
Protecting your SSH-keys with a password is a good practice, but you can not fully automate things that way, as you discovered. Depending on your situation, you can do either of the following:
Use an SSH-agent. This is a daemon that will ask your password once, and keep the private key cached until you remove it. This still has the benefit that your SSH-key is stored password-protected on disk, but you can use it as a password-less key.
This has the added benefit that you can forward SSH-agent over SSH: if you SSH from your machine to server A, and then further on to server B, this last connection can use the key stored on your machine (instead of having to copy your key to server A).
Remove the password from the key entirely (you can use ssh-keygen to change the password to be blank)
How do you execute data transfer? Is it scp? Check your system usernames, make sure public keys are installed to authorized_keys file for correct user.

Getting shellscript to input password

I'm new to shell scripting (and not well traveled in the world of Linux) and am trying to get a shell script to automatically log into an sftp server with my given. Now this is how far I've gotten:
#!/bin/bash
HOST='somehost.com'
USER='someusername'
PASSWD='somepass'
sftp "$USER@$HOST"
Now this is where I run into trouble. At this point I will be prompted for a password. So how do I get the script to automatically reply with the password when prompted for it? I also tried finding a way to pass along the password with the sftp command, but with no luck. Can anyone help me figure this out?
Use this code:
#!/bin/bash
HOST='somehost.com'
USER='someusername'
PASSWD='somepass'
echo "$PASSWD" | sftp "$USER@$HOST"
It's not a good idea to include the password in a command line or in such a script. Anyone who has access to the list of running processes could see your password, and it could end up in your shell history and log files. So this would create a security hole.
There is more info in this thread where key based authentication is recommended over your proposed method.
Do not store passwords in script files, unless you are compulsive obsessive about keeping your permissions absolutely tight.
For all things ssh/sftp/scp, use public key authentication. Learn about the settings you can set on both the client and the server ends to make it more secure (ip restrictions, user restrictions, cipher restrictions, number of retries, number of simultaneous logins, etc) That alone should eliminate a lot of insecurity due to scripting issues.
If you absolutely must store a password in a variable, do not export it, and unset it the moment you get done using it.
On the local host (where the script will be executed) generate an ssh key pair:
scriptuser@scripthost:~$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/michal/.ssh/id_rsa): {press ENTER!}
(...)
Copy the generated public key from scripthost to somehost.com and append it to the list of authorized keys:
scriptuser@scripthost:~$ cat ~/.ssh/id_rsa.pub | ssh someuser@somehost.com 'cat >> .ssh/authorized_keys'
Now you should be able to use scp or sftp without a password:
scriptuser@scripthost:~$ scp /any/local/file someuser@somehost.com:/remote/location/
Use the sshpass command.
You can give the password along with the command.
