N/sftp Module - FTP_CANNOT_ESTABLISH_CONNECTION - server

I need to use a private RSA key to connect to a server; the file contains the key as follows.
-----BEGIN OPENSSH PRIVATE KEY-----
key
-----END OPENSSH PRIVATE KEY-----
When I try to upload it at Setup/Company/Keys/add,
I get the following error: Unexpected Error
If I try to convert it to .pem with the following bash command:
ssh-keygen -p -N "" -m pem -f /path/to/key
(console log: Key has comment 'amillet@LAPTOP-Q89B7RU7'
Your identification has been saved with the new passphrase)
I am able to create the key, so I am trying to establish a connection
with the code below:
sftp.createConnection({
username: ID_OF_CONNECTION,
keyId: KEY_ID,
hostKey: HOST_KEY,
url: URL_SERVER,
port: PORT_SERVER,
});
I get the following error: "FTP_CANNOT_ESTABLISH_CONNECTION", "details": "Could not establish connection to Auth fail. ",
I then tried to connect via FileZilla with the same file (KEY_ID) and the same information, except that the HOST_KEY is retrieved by FileZilla.
In my code HOST_KEY is the result of
ssh-keyscan -t rsa -p ${PORT_SERVER} ${URL_SERVER}
executed from my terminal
I can't understand why the same information allows me to connect to the server from FileZilla but not from NetSuite.

I assume you're using the key ID from Setup -> Company Keys.
Your sample is missing the hostKeyType parameter:
hostKeyType: 'rsa'
so:
sftp.createConnection({
username: ID_OF_CONNECTION,
keyId: KEY_ID,
hostKey: HOST_KEY,
hostKeyType: 'rsa',
url: URL_SERVER,
port: PORT_SERVER,
});

Related

SSH ask for a password in VSCode Dev Container even if ssh-agent seems correctly configured?

I've configured Windows 11 ssh-agent following the official documentation and then used ssh-add to add my SSH keys:
PS> Get-Service ssh-agent
Status Name DisplayName
------ ---- -----------
Running ssh-agent OpenSSH Authentication Agent
The command ssh-add -l shows the key (just 1):
PS > ssh-add -l
3072 SHA256:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx Marco@PC-MARCO (RSA)
I can successfully connect to a remote machine (i.e. ssh user@remote.mydomain.com) using the SSH key from the Windows machine.
From the documentation:
[...] the extension will automatically forward your local SSH agent if one is running
In fact, inside a Visual Studio Code WSL2 container, the ssh-add -l command shows the same output:
vscode ➜ /workspaces/test-ssh-agent $ ssh-add -l
3072 SHA256:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx Marco@PC-MARCO (RSA)
However, inside the container the exact same command ssh user@remote.mydomain.com asks for a password.
It seems that it doesn't know that for that user/domain the stored SSH key should be used. Any help is much appreciated!
EDIT: this is the debug log; it can't find the private key (of course, because it is inside the container). What's the point of ssh-agent then?
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /home/vscode/.ssh/id_rsa
debug3: no such identity: /home/vscode/.ssh/id_rsa: No such file or directory
debug1: Trying private key: /home/vscode/.ssh/id_ecdsa
debug3: no such identity: /home/vscode/.ssh/id_ecdsa: No such file or directory
debug1: Trying private key: /home/vscode/.ssh/id_ecdsa_sk
debug3: no such identity: /home/vscode/.ssh/id_ecdsa_sk: No such file or directory
debug1: Trying private key: /home/vscode/.ssh/id_ed25519
debug3: no such identity: /home/vscode/.ssh/id_ed25519: No such file or directory
debug1: Trying private key: /home/vscode/.ssh/id_ed25519_sk
debug3: no such identity: /home/vscode/.ssh/id_ed25519_sk: No such file or directory
debug1: Trying private key: /home/vscode/.ssh/id_xmss
debug3: no such identity: /home/vscode/.ssh/id_xmss: No such file or directory
debug1: Trying private key: /home/vscode/.ssh/id_dsa
debug3: no such identity: /home/vscode/.ssh/id_dsa: No such file or directory
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred: ,password
debug3: authmethod_is_enabled password
debug1: Next authentication method: password
I followed this guide and most importantly I updated OpenSSH to the latest version available here: https://github.com/PowerShell/Win32-OpenSSH/releases
Now it works without any problem.

Keycloak does not have all the Keys available in the storage

I have created a realm and added a new keystore (RS384) in the Providers section.
When I tried to authenticate using Postman, I got the error below in the Keycloak console:
PublicKey wasn't found in the storage. Requested kid: 'Y3RDLAudovJPEU3Z9BMJL3OyuzqsgAj4424CpxnJqkI' . Available kids: '[]'
The kid is available in the Keys section for the realm. I am not sure what is causing that. Any help on this is much appreciated.
Edit
Client Authentication
Added the JWKS keys from the certs endpoint.
In Postman I made a call to the token endpoint with a client_assertion that contains a signed JWT and got the response "Invalid client: Unable to load Public key".
I think you gave a wrong value (or format) for "Private RSA Key" and "X509 Certificate" when you added the key store in the Keycloak UI.
It is possible to get the public key for RS384 via Postman and the UI.
I demoed with Keycloak 18.0.0 with "ssh-keygen" & "openssl" on Ubuntu.
1. Generate the RS384 private key, public key and certificate file:
ssh-keygen -t rsa -b 4096 -E SHA384 -m PEM -P "" -f RS384.key
openssl req -new -x509 -key RS384.key -out RS384-cert.pem -days 360
It will create three files:
RS384-cert.pem <- certificate file
RS384.key <- private key
RS384.key.pub <- public key
2. Add a keystore with the files from step 1.
3. A new keystore will be created.
4. The key can be fetched by Postman.
5. You can compare the public key between the UI and the one openssl generated.
6. You can check the API call value with a JWT creator web site, using the KID and public key:
https://russelldavies.github.io/jwk-creator/
The issue is that I did not add "use":"sig" in the JWKS, so the kid is not available.

minio+KMS x509: certificate signed by unknown authority

I am trying to use minio as a local S3 server. I am following this article
I downloaded key and cert files.
I added the env parameters:
set MINIO_KMS_KES_ENDPOINT=https://play.min.io:7373
set MINIO_KMS_KES_KEY_FILE=D:\KMS\root.key
set MINIO_KMS_KES_CERT_FILE=D:\KMS\root.cert
set MINIO_KMS_KES_KEY_NAME=my-minio-key
I started minio server: D:\>minio.exe server D:\Photos
It logs after startup:
Endpoint: http://169.254.182.253:9000 http://169.254.47.198:9000 http://172.17.39.193:9000 http://192.168.0.191:9000 http://169.254.103.105:9000 http://169.254.209.102:9000 http://169.254.136.71:9000 http://127.0.0.1:9000
AccessKey: minioadmin
SecretKey: minioadmin
Browser Access:
http://169.254.182.253:9000 http://169.254.47.198:9000 http://172.17.39.193:9000 http://192.168.0.191:9000 http://169.254.103.105:9000 http://169.254.209.102:9000 http://169.254.136.71:9000 http://127.0.0.1:9000
Command-line Access: https://docs.min.io/docs/minio-client-quickstart-guide
$ mc.exe alias set myminio http://169.254.182.253:9000 minioadmin minioadmin
Object API (Amazon S3 compatible):
Go: https://docs.min.io/docs/golang-client-quickstart-guide
Java: https://docs.min.io/docs/java-client-quickstart-guide
Python: https://docs.min.io/docs/python-client-quickstart-guide
JavaScript: https://docs.min.io/docs/javascript-client-quickstart-guide
.NET: https://docs.min.io/docs/dotnet-client-quickstart-guide
Detected default credentials 'minioadmin:minioadmin', please change the credentials immediately using 'MINIO_ACCESS_KEY' and 'MINIO_SECRET_KEY'
I opened UI in browser: http://localhost:9000/minio/mybacket/
I tried to upload a jpg file and got an exception:
<?xml version="1.0" encoding="UTF-8"?> <Error><Code>InternalError</Code><Message>We encountered an internal error, please try again.</Message><Key>Completed.jpg</Key><BucketName>mybacket</BucketName><Resource>/minio/upload/mybacket/Completed.jpg</Resource><RequestId>1634A6E5663C9D70</RequestId><HostId>4a46a947-6473-4d53-bbb3-a4f908d444ce</HostId></Error>
And I got this exception in minio console:
Error: Post "https://play.min.io:7373/v1/key/generate/my-minio-key": x509: certificate signed by unknown authority
3: cmd\api-errors.go:1961:cmd.toAPIErrorCode()
2: cmd\api-errors.go:1986:cmd.toAPIError()
1: cmd\web-handlers.go:1116:cmd.(*webAPIHandlers).Upload()
Most probably your OS trust store (containing the Root CA certificates) does not trust Let's Encrypt (the Let's Encrypt Authority X3 CA certificate).
The server https://play.min.io:7373 serves a TLS certificate issued by Let's Encrypt.
See:
openssl s_client -showcerts -servername play.min.io -connect play.min.io:7373
Eventually, check the root CA store of your Windows machine.
See: https://security.stackexchange.com/questions/48437/how-can-you-check-the-installed-certificate-authority-in-windows-7-8

After setting Azure DevOps ssh key and git config - it is still asking for a password

Work started using Azure DevOps and I'm trying to clone a repo on my home computer. I created an SSH key, added it to the list of keys, and changed my git config to my work email. However, Azure is still asking for a password...
(base) Name-MacBook-Pro:Company Name$ git clone git@ssh.dev.azure.com:v3/Company/AI/Repo
Cloning into 'Repo'...
Enter passphrase for key '/Users/Name/.ssh/id_rsa':
git@ssh.dev.azure.com's password:
Permission denied, please try again.
git@ssh.dev.azure.com's password:
git@ssh.dev.azure.com: Permission denied (password,publickey).
____________edit________________
Tried to generate again and I'm still having trouble
Create new ssh key
ssh-keygen -t rsa -b 4096 -C "work@email.com" -f ~/.ssh/work_id_rsa
Copy
cat ~/.ssh/work_id_rsa | pbcopy
Add to org and try to clone
ssh-agent bash -c 'ssh-add ~/.ssh/work_id_rsa; git clone https://company@dev.azure.com/Repo'
Cloning into 'Repo'...
Password for 'https://company@dev.azure.com':
fatal: Authentication failed for 'https://company@dev.azure.com/Repo'
In case this issue may be caused by our side (Microsoft), I tried again with an SSH clone and it succeeded:
This issue should be caused by your SSH key format. I cannot know clearly which method you are using to generate the key, but from your issue, it should be because the public key authentication fails, and so it then asks for the password of your account.
Ensure your private key has the following format:
-----BEGIN RSA PRIVATE KEY-----
*
*
*
-----END RSA PRIVATE KEY-----
If not, please re-generate with the following command:
ssh-keygen -t rsa
Then configure public key into the org.
EDIT
I've been using more than one Azure DevOps account for some time now and I just wanted to point out 2 other ways you could use the right key:
using the -i flag
-i identity_file
Selects a file from which the identity (private key) for RSA or DSA authentication is read. The default is ~/.ssh/identity for protocol version 1, and ~/.ssh/id_rsa and ~/.ssh/id_dsa for protocol version 2. Identity files may also be specified on a per-host basis in the configuration file. It is possible to have multiple -i options (and multiple identities specified in configuration files).
ref.: https://linux.die.net/man/1/ssh
using a configuration file (~/.ssh/config) and changing the hostname (remote)
instead of git clone git@ssh.dev.azure.com:v3/Company/AI/Repo you'd git clone git@whatever_name_you_configured:v3/Company/AI/Repo
Microsoft has a post about it that may help:
https://learn.microsoft.com/en-us/azure/devops/repos/git/use-ssh-keys-to-authenticate?view=azure-devops#q-i-have-multiple-ssh-keys--how-do-i-use-different-ssh-keys-for-different-ssh-servers-or-repos
Original answer:
The method to generate the key is actually fine (OpenSSH), and I have more than one SSH Key on my .ssh, so I assume that does not matter as well. Probably you can't have more than one key using the same algorithm.
What I believe was the actual problem was the name of the key.
You used:
ssh-keygen -t rsa -b 4096 -C "work@email.com" -f ~/.ssh/work_id_rsa
which is great (big number of bytes :)
but that "work_id_rsa" will never be found when you test the connection, for example:
ssh -v git@ssh.dev.azure.com
Just to test, I renamed and removed mine.
In short, here's the result:
pires@avell:~$ ssh -v git@ssh.dev.azure.com
OpenSSH_8.2p1 Ubuntu-4ubuntu0.1, OpenSSL 1.1.1f 31 Mar 2020
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: include /etc/ssh/ssh_config.d/*.conf matched no files
debug1: /etc/ssh/ssh_config line 21: Applying options for *
debug1: Connecting to ssh.dev.azure.com [51.144.61.32] port 22.
debug1: Connection established.
(removed for brevity)
debug1: Authenticating to ssh.dev.azure.com:22 as 'git'
(removed for brevity)
debug1: Host 'ssh.dev.azure.com' is known and matches the RSA host key.
debug1: Found key in /home/pires/.ssh/known_hosts:3
debug1: rekey out after 4294967296 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 4294967296 blocks
(((((important detail here:)))))
debug1: Will attempt key: /home/pires/.ssh/id_rsa
debug1: Will attempt key: /home/pires/.ssh/id_dsa
debug1: Will attempt key: /home/pires/.ssh/id_ecdsa
debug1: Will attempt key: /home/pires/.ssh/id_ecdsa_sk
debug1: Will attempt key: /home/pires/.ssh/id_ed25519 ED25519 SHA256: *************
debug1: Will attempt key: /home/pires/.ssh/id_ed25519_sk
debug1: Will attempt key: /home/pires/.ssh/id_xmss
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: password,publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /home/pires/.ssh/id_rsa
debug1: Trying private key: /home/pires/.ssh/id_dsa
debug1: Trying private key: /home/pires/.ssh/id_ecdsa
debug1: Trying private key: /home/pires/.ssh/id_ecdsa_sk
debug1: Offering public key: /home/pires/.ssh/id_ed25519 ED25519 SHA256:************
(((((and here:)))))
debug1: Authentications that can continue: password,publickey
debug1: Trying private key: /home/pires/.ssh/id_ed25519_sk
debug1: Trying private key: /home/pires/.ssh/id_xmss
debug1: Next authentication method: password
git@ssh.dev.azure.com's password:
So OpenSSH will actually never find it. I mean, I didn't put a work_id_rsa there, but it doesn't matter, because it does not look at everything inside the folder; in your case, it expects a /home/pires/.ssh/id_rsa to be exactly there. Or better, whatever ~ points to + /.ssh/id_encryptionmethod.
Also, since it couldn't find the private key to authenticate, it falls back to password.
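As an added example (not part of the answer above), this is what the second approach, a ~/.ssh/config entry with its own host name, looks like for the key file the question used. The alias azure-work is an assumption; the key path is the one from the question.

```sshconfig
# Added example: make OpenSSH use the work key for Azure DevOps only.
Host azure-work
    HostName ssh.dev.azure.com
    User git
    IdentityFile ~/.ssh/work_id_rsa
    # Offer only this key, even if ssh-agent holds others, so the server is
    # not shown (and does not reject) the personal key first.
    IdentitiesOnly yes
```

With that entry in place the clone becomes `git clone git@azure-work:v3/Company/AI/Repo`, and `ssh -v git@azure-work` should show "Offering public key: /home/you/.ssh/work_id_rsa" instead of the fallback to password seen in the debug output above. Keep the config file and the private key readable by your user only (mode 600), otherwise OpenSSH refuses the key.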

Docker: go get from a private GitHub repo

I'm trying to run a container that will expose a golang service from a package that I have on a private GitHub repo.
Since I am working with GCE, my starter image is google/debian:wheezy.
After installing all the required dependencies and tools, I am running
RUN go get github.com/<my_org>/<my_package>
where the package is a private repo.
I have added my GitHub SSH keys to allow the cloning from the private repo to the docker file:
ADD priv/id_rsa /root/.ssh/id_rsa
ADD priv/id_rsa.pub /root/.ssh/id_rsa.pub
Still, I am getting an error during the go get process when go tries to clone the repo:
# cd .; git clone https://github.com/<my_org>/<my_package> /gopath/src/github.com/<my_org>/<my_package>
Cloning into '/gopath/src/github.com/<my_org>/<my_package>'...
fatal: could not read Username for 'https://github.com': No such device or address
package github.com/<my_org>/<my_package>: exit status 128
To debug the problem, from the Dockerfile, I am running:
RUN ssh-keyscan -t rsa github.com 2>&1 >> /root/.ssh/known_hosts
And this tells me there are some problems. It looks like validating the private key is OK but something weird is going on with the public key. This is the complete ssh-keyscan result:
OpenSSH_6.0p1 Debian-4+deb7u2, OpenSSL 1.0.1e 11 Feb 2013
Pseudo-terminal will not be allocated because stdin is not a terminal.
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to github.com [192.30.252.129] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: identity file /root/.ssh/id_rsa type 1
debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-2048
debug1: Checking blacklist file /etc/ssh/blacklist.RSA-2048
debug1: identity file /root/.ssh/id_rsa-cert type -1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: identity file /root/.ssh/id_dsa-cert type -1
debug1: identity file /root/.ssh/id_ecdsa type -1
debug1: identity file /root/.ssh/id_ecdsa-cert type -1
debug1: Remote protocol version 2.0, remote software version libssh-0.6.0
debug1: no match: libssh-0.6.0
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.0p1 Debian-4+deb7u2
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-sha1 none
debug1: kex: client->server aes128-ctr hmac-sha1 none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: RSA 16:27:ac:a5:76:28:2d:36:63:1b:56:4d:eb:df:a6:48
debug1: Host 'github.com' is known and matches the RSA host key.
debug1: Found key in /root/.ssh/known_hosts:1
Warning: Permanently added the RSA host key for IP address '192.30.252.129' to the list of known hosts.
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /root/.ssh/id_rsa
debug1: Server accepts key: pkalg ssh-rsa blen 279
debug1: key_parse_private_pem: PEM_read_PrivateKey failed
debug1: read PEM private key done: type <unknown>
debug1: read_passphrase: can't open /dev/tty: No such device or address
debug1: Trying private key: /root/.ssh/id_dsa
debug1: Trying private key: /root/.ssh/id_ecdsa
debug1: No more authentication methods to try.
Permission denied (publickey).
I have tried chmod 600 and chmod 700 on the private/public keys; this did not help.
Any clues? Has anyone succeeded in running go get that fetches from private repos on Debian from Docker?
I figured this out after a bit of hacking around. Not an ideal solution as it involves installing SSH, plus building a private key into the container. This example is based on the official Docker golang image (Debian Wheezy):
The main difference to your example is that you need a git config command to force ssh instead of the default https.
FROM golang
RUN apt-get update && apt-get install -y ca-certificates git-core ssh
ADD keys/my_key_rsa /root/.ssh/id_rsa
RUN chmod 700 /root/.ssh/id_rsa
RUN echo "Host github.com\n\tStrictHostKeyChecking no\n" >> /root/.ssh/config
RUN git config --global url.ssh://git@github.com/.insteadOf https://github.com/
ADD . /go/src/github.com/myaccount/myprivaterepo
RUN go get github.com/myaccount/myprivaterepo
RUN go install github.com/myaccount/myprivaterepo
go get is trying to use https, completely ignoring ssh.
You will have to setup ~/.netrc:
ADD priv/.netrc /root/.netrc
Where netrc looks like:
machine github.com login github-username password github-password
ref:
https://stackoverflow.com/a/13724351/145587
In the newest version of golang (v1.11) there are now modules.
To quote the source:
A module is a collection of related Go packages that are versioned together as a single unit. Most often, a single version-control repository corresponds exactly to a single module.
Using the latest version of Go will allow you to have dependencies that are in private repositories. Essentially, running the $ go mod vendor command will create a vendor directory locally for all external dependencies. Now, making sure your Docker image has Go 1.11, update your Dockerfile with the following:
WORKDIR /<your repository>
COPY . ./
Elaborating on OneOfOne's ~/.netrc answer, this is what I am doing with Jenkins on linux:
FROM golang:1.6
ARG GITHUB_USER=$GITHUB_USER
ARG GITHUB_PASS=$GITHUB_PASS
# Copy local package files to the container's workspace.
ADD . /go/src/github.com/my-org/my-project
WORKDIR /go/src/github.com/my-org/my-project/
# Build application inside the container.
RUN echo "machine github.com\n\tlogin $GITHUB_USER\n\tpassword $GITHUB_PASS" >> ~/.netrc && \
go get github.com/tools/godep && \
go get github.com/onsi/ginkgo/ginkgo && \
godep restore && \
ginkgo -r --randomizeAllSpecs --randomizeSuites --failOnPending && \
godep go install && \
rm -f ~/.netrc
ENTRYPOINT /go/bin/my-project
EXPOSE 8080
The docker build command is:
docker build \
--build-arg GITHUB_USER=xxxxx \
--build-arg GITHUB_PASS=yyyyy \
-t my-project .
The two ARG directives map --build-args so docker can use them inside the Dockerfile.
The first and last lines of RUN create and remove the ~/.netrc.
In Jenkins, I use the same creds from git pull in the build command.
In this strategy, the password is not echoed during the docker build process and not saved on any layer of your docker image. Also note that the ginkgo test results are printed to the console during the build.
I had this problem on GitHub and I fixed it using a personal access token:
First of all, use ARG for your Dockerfile vars (inputs);
after that, configure your git with the GitHub personal access token.
GITHUB_PAT -> GitHub personal access token
FROM golang:1.17 as builder
ARG GITHUB_PAT
WORKDIR /your-app
COPY go.mod .
COPY go.sum .
RUN git config --global url."https://${GITHUB_PAT}:x-oauth-basic@github.com/".insteadOf "https://github.com/"
RUN go mod download
COPY . .
RUN go build -ldflags '-w -s' -o ./out ./main.go
FROM golang:1.17
WORKDIR /app
COPY --from=builder /your-app/out ./
WORKDIR /app/
ENTRYPOINT [ "./out" ]