I have successfully generated the ssh key, but when i tried to add it to ssh-agent it is showing me this error
** 03/03/2020 19:39.04 /home/sahilra/Desktop/DOcs/Web_Dev/git_projects ** ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/mobaxterm/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/mobaxterm/.ssh/id_rsa.
Your public key has been saved in /home/mobaxterm/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:ISmtoclG2l6aWE9wHa4AS/4jzXKy/cVJk93sU7XJNw4 sahilra#SAHILRA01
The key's randomart image is:
+---[RSA 2048]----+
|.. . |
|oo + o |
|..+ + * . . |
| =+* = .o.o o o|
|.+B*= +S. o E =.|
| =B*. o o . . o o|
|..+.. + o . |
| . . . |
| . |
+----[SHA256]-----+
$SSH_AUTH_SOCk=/tmp/ssh-I4LHdw/agent.2102
and agent is also running
**/home/sahilra/Desktop/DOcs/Web_Dev/git_projects ** ssh-add ~/.ssh/id_rsa
Could not add identity "/home/mobaxterm/.ssh/id_rsa": agent refused operation
still the probem exists
Answer from here with some comments:
In the last step use sudo ssh-add ...
It worked for me (I also used mobaxterm).
Not sure if you were able to resolve this but I ran into the same problem.
so your public key is save here : Your public key has been saved in /home/mobaxterm/.ssh/id_rsa.pub
You can clip > /home/mobaxterm/.ssh/id_rsa.pub and then add it to your github account.
You may still encounter connectivity issue... for me the owrkaround was the configure github locally using
$ git config --global user.name "John Doe"
$ git config --global user.email johndoe#example.com
I am having create difficulty finding reliable information on creating SSH keys in order to remove the need for username and password when doing git push and pull for a main repo and separate nested repos.
To make sure I have no existing errors deleted them from
https://github.com/settings/keys
And then followed this guide which in a nutshell advises:
Check for existing, I deleted all from here as well
ls -al ~/.ssh
then (accepting defaults with no passkey)
ssh-keygen -t rsa -b 4096 -C "your_email#example.com"
eval $(ssh-agent -s)
ssh-add ~/.ssh/id_rsa
clip < ~/.ssh/id_rsa.pub
and pasting key at https://github.com/settings/keys
The guide seems to end here, however attempt to push the repo gives:
fatal: HttpRequestException encountered.
An error occurred while sending the request.
Username for 'https://github.com':
What steps have been missed here please.
Attempting to push via git bash
I want to access my github repositories via ssh. When I access the repository for the first time, I am asked If I want to add the github ssh server to my known_hosts file, which works fine. That request also shows me the RSA key fingerprint of that server and I can manually verify that it is the same that is provided by github here.
These are the SHA256 hashes shown in OpenSSH 6.8 and newer (in base64 format):
SHA256:nThbg6kXUpJWGl7E1IGOCspRomTxdCARLviKw6E5SY8 (RSA)
SHA256:br9IjFspm1vxR3iA35FWE+4VTyz1hYVLIE2t1/CeyWQ (DSA)
The problem is that I want to prevent that request by adding a public key
to my known_hosts file before my first access to my git repository. This can be done by using the ssh-keyscan -t rsa www.github.com command which will give me a public key in the format required by the known_hosts file. But people mention repeatedly, that this is not safe and is vulnerable to man-in-the-middle attacks. What they do not mention is how to do it right.
So how can I use the RSA fingerprint provided on the github page to safely get the public host key of the ssh server? I am more or less looking for an option to the ssh-keyscan command that lets me add the expected rsa fingerprint and causes the command to fail if the hosts fingerprint does not match the given one.
Thank you for your time!
I would not use ssh-keyscan in that case.
Rather, I would use it and double-check the result by comparing its fingerprint with the one provided by GitHub.
And then proceed with an SSH GitHub test, to check I do get:
Hi username! You've successfully authenticated, but GitHub does not
provide shell access.
So, as recommended here, for the manual process:
ssh-keyscan github.com >> githubKey
Generate the fingerprint:
ssh-keygen -lf githubKey
Compare it with the ones provided by GitHub
Finally, copy githubKey content to your ~/.ssh/known_hosts file.
You can automate that process (still including the fingerprint step check) with wercker/step-add-to-known_hosts: it is a wercker step, but can be extrapolated as its own independent script.
- add-to-known_hosts:
hostname: github.com
fingerprint: 16:27:ac:a5:76:28:2d:36:63:1b:56:4d:eb:df:a6:48
type: rsa
But that would lack the check against help.github.com/articles/github-s-ssh-key-fingerprints: see below.
Using nmap does not help much, as explained here:
using nmap to get the SSH host key fingerprint and then comparing it to what ssh-keyscan says the fingerprint: In both cases, the fingerprint comes from the same place.
It's just as vulnerable to MITM as any other of these automated solutions.
The only secure and valid way to verify an SSH public key is over some trusted out-of-band channel. (Or set up some kind of key-signing infrastructure.)
Here, help.github.com/articles/github-s-ssh-key-fingerprints remains the "trusted out-of-band channel".
Based on VonC's answer, the script below can verify and add the key automatically. Use it like this:
$ ./add-key.sh github.com nThbg6kXUpJWGl7E1IGOCspRomTxdCARLviKw6E5SY8
It tells you whether it successfully verified and saved the fingerprint.
For usage info, use ./add-key.sh --help
The script:
#!/usr/bin/env bash
# Settings
knownhosts="$HOME/.ssh/known_hosts"
if [ "x$1" == "x-h" ] || [ "x$1" == "x--help" ] || [ ${#1} == 0 ]; then
echo "Usage: $0 <host> <fingerprint> [<port>]"
echo "Example: $0 github.com nThbg6kXUpJWGl7E1IGOCspRomTxdCARLviKw6E5SY8"
echo "The default port is 22."
echo "The script will download the ssh keys from <host>, check if any match"
echo "the <fingerprint>, and add that one to $knownhosts."
exit 1
fi
# Argument handling
host=$1
fingerprint=$2
port=$(if [ -n "$3" ]; then echo "$3"; else echo 22; fi)
# Download the actual key (you cannot convert a fingerprint to the original key)
keys="$(ssh-keyscan -p $port $host |& grep -v ^\#)";
echo "$keys" | grep -v "^$host" # Show any errors
keys="$(echo "$keys" | grep "^$host")"; # Remove errors from the variable
if [ ${#keys} -lt 20 ]; then echo Error downloading keys; exit 2; fi
# Find which line contains the key matching this fingerprint
line=$(ssh-keygen -lf <(echo "$keys") | grep -n "$fingerprint" | cut -b 1-1)
if [ ${#line} -gt 0 ]; then # If there was a matching fingerprint (todo: shouldn't this be -ge or so?)
# Take that line
key=$(head -$line <(echo "$keys") | tail -1)
# Check if the key part (column 3) of that line is already in $knownhosts
if [ -n "$(grep "$(echo "$key" | awk '{print $3}')" $knownhosts)" ]; then
echo "Key already in $knownhosts."
exit 3
else
# Add it to known hosts
echo "$key" >> $knownhosts
# And tell the user what kind of key they just added
keytype=$(echo "$key" | awk '{print $2}')
echo Fingerprint verified and $keytype key added to $knownhosts
fi
else # If there was no matching fingerprint
echo MITM? These are the received fingerprints:
ssh-keygen -lf <(echo "$keys")
echo Generated from these received keys:
echo "$keys"
exit 1
fi
My one-liner allows for error reporting on failure:
touch ~/.ssh/known_hosts && if [ $(grep -c 'github.com ssh-rsa' ~/.ssh/known_hosts) -lt 1 ]; then KEYS=$(KEYS=$(ssh-keyscan github.com 2>&1 | grep -v '#'); ssh-keygen -lf <(echo $KEYS) || echo $KEYS); if [[ $KEYS =~ '(RSA)' ]]; then if [ $(curl -s https://help.github.com/en/github/authenticating-to-github/githubs-ssh-key-fingerprints | grep -c $(echo $KEYS | awk '{print $2}')) -gt 0 ]; then echo '[GitHub key successfully verified]' && ssh-keyscan github.com 1>~/.ssh/known_hosts; fi; else echo \"ssh-keygen -lf failed:\\n$KEYS\"; exit 1; fi; unset KEYS; fi
GitHub now offers this information in its Meta API, see About GitHub's IP addresses. The JSON output includes the public SSH keys, so assuming your HTTPS client correctly verifies the certificate chain, you can fetch the keys from there.
Below is an Ansible task that accomplishes this:
# Copyright 2022 Google LLC.
# SPDX-License-Identifier: Apache-2.0
- name: Add github.com public keys to known_hosts
ansible.builtin.known_hosts:
path: /etc/ssh/ssh_known_hosts
name: github.com
# Download the keys from the GitHub API and prepend 'github.com' to them to
# match the known_hosts format.
key: |
{% for key in (lookup('ansible.builtin.url',
'https://api.github.com/meta',
split_lines=False, validate_certs=True)
|from_json)['ssh_keys'] %}
github.com {{ key }}
{% endfor %}
~/.ssh/config
# User_A
Host github.com-User_A
HostName github.com
User git
PreferredAuthentications publickey
IdentityFile ~/.ssh/id_rsa
IdentitiesOnly yes
# User_B
Host github.com-User_B
HostName github.com
User git
PreferredAuthentications publickey
IdentityFile ~/.ssh/id_rsa_user_b
IdentitiesOnly yes
# http://serverfault.com/questions/400633/capistrano-deploying-to-different-servers-with-different-authentication-methods
Host example.com
IdentityFile ~/.ssh_keys/example_env.pem
ForwardAgent yes
On local machine:
$ ssh -T git#github.com
Hi User_B! You've successfully authenticated, but GitHub does not provide shell access.
On remote machine
~$ ssh remote_user#example.com
[remote_user#example ~]$ ssh -T git#github.com
Hi User_A! You've successfully authenticated, but GitHub does not provide shell access.
Note:
ssh-add -l shows all the mentioned keys enlisted
deploy.rb contains:
set :repository, "git#User_B:<REPO_NAME>"
ssh_options[:forward_agent] = true
I am trying to deploy my application using Capistrano to an Amazon EC2 instance for which I the .pem file is already added to my local machine using ssh-add and it can be seen enlisted in output for ssh-add -l.However I am facing following error while deploying:
** [example.com :: err] ERROR: Repository not found.
** fatal: The remote end hung up unexpectedly
Following is the full output of my cap deploy command:
$ cap bat deploy
triggering load callbacks
* executing `bat'
triggering start callbacks for `deploy'
* executing `multistage:ensure'
* executing `deploy'
* executing `deploy:update'
** transaction: start
* executing `deploy:update_code'
updating the cached checkout on all servers
executing locally: "git ls-remote git#User_B:<REPO_NAME> <BRANCH_NAME>"
command finished in 6296ms
* executing "if [ -d /srv/<APP_NAME>/shared/cached-copy ]; then cd /srv/<APP_NAME>/shared/cached-copy && git fetch -q origin && git fetch --tags -q origin && git reset -q --hard df84fadff305e1729991caddde47f6802e424d57 && git clean -q -d -x -f; else git clone -q git#User_B:<REPO_NAME> /srv/<APP_NAME>/shared/cached-copy && cd /srv/<APP_NAME>/shared/cached-copy && git checkout -q -b deploy df84fadff305e1729991caddde47f6802e424d57; fi"
servers: ["example.com"]
[example.com] executing command
** [example.com :: err] ERROR: Repository not found.
** fatal: The remote end hung up unexpectedly
command finished in 3811ms
*** [deploy:update_code] rolling back
* executing "rm -rf /srv/<APP_NAME>/releases/20130723222237; true"
servers: ["example.com"]
[example.com] executing command
command finished in 477ms
failed: "sh -c 'if [ -d /srv/<APP_NAME>/shared/cached-copy ]; then cd /srv/<APP_NAME>/shared/cached-copy && git fetch -q origin && git fetch --tags -q origin && git reset -q --hard df84fadff305e1729991caddde47f6802e424d57 && git clean -q -d -x -f; else git clone -q git#User_B:<REPO_NAME> /srv/<APP_NAME>/shared/cached-copy && cd /srv/<APP_NAME>/shared/cached-copy && git checkout -q -b deploy df84fadff305e1729991caddde47f6802e424d57; fi'" on example.com
So I guess this error is caused due to conflicts arising between multiple SSH keys getting detected i.e. on local machine User_B(who is a member of the repository) is used as default however on remote machine User_A(who is not having access to the repository) is used.
If my assumption is correct can anybody please help me in getting this problem solved? Is there any way in which a specific user config can be used while agent forwarding? If not then what could be the solution to this?
Thanks.
Ok it seems like the sequence in which keys are listed in ~/.ssh/config matters.
Initially it was
# User_A
Host github.com-User_A
HostName github.com
User git
PreferredAuthentications publickey
IdentityFile ~/.ssh/id_rsa
IdentitiesOnly yes
# User_B
Host github.com-User_B
HostName github.com
User git
PreferredAuthentications publickey
IdentityFile ~/.ssh/id_rsa_user_b
IdentitiesOnly yes
# http://serverfault.com/questions/400633/capistrano-deploying-to-different-servers-with-different-authentication-methods
Host example.com
IdentityFile ~/.ssh_keys/example_env.pem
ForwardAgent yes
Afterwards I did this:
# User_B
Host github.com-User_B
HostName github.com
User git
PreferredAuthentications publickey
IdentityFile ~/.ssh/id_rsa_user_b
IdentitiesOnly yes
# User_A
Host github.com-User_A
HostName github.com
User git
PreferredAuthentications publickey
IdentityFile ~/.ssh/id_rsa
IdentitiesOnly yes
# http://serverfault.com/questions/400633/capistrano-deploying-to-different-servers-with-different-authentication-methods
Host example.com
IdentityFile ~/.ssh_keys/example_env.pem
ForwardAgent yes
But after doing that I didn't restarted the machine, thus the changes were not in effect.
This morning after I started my machine after posting above problem I found that it is working:
On local machine:
$ ssh -T git#github.com
Hi User_B! You've successfully authenticated, but GitHub does not provide shell access.
On remote machine
$ ssh -T git#github.com
Hi User_B! You've successfully authenticated, but GitHub does not provide shell access.
Hope this helps somebody else in case he faces a similar problem.
Thanks.
I need to do the SSH key audit for GitHub, but I am not sure how do find my RSA key fingerprint. I originally followed a guide to generate an SSH key on Linux.
What is the command I need to enter to find my current RSA key fingerprint?
Run the following command to retrieve the SHA256 fingerprint of your SSH key (-l means "list" instead of create a new key, -f means "filename"):
$ ssh-keygen -lf /path/to/ssh/key
So for example, on my machine the command I ran was (using RSA public key):
$ ssh-keygen -lf ~/.ssh/id_rsa.pub
2048 00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff /Users/username/.ssh/id_rsa.pub (RSA)
To get the GitHub (MD5) fingerprint format with newer versions of ssh-keygen, run:
$ ssh-keygen -E md5 -lf <fileName>
Bonus information:
ssh-keygen -lf also works on known_hosts and authorized_keys files.
To find most public keys on Linux/Unix/OS X systems, run
$ find /etc/ssh /home/*/.ssh /Users/*/.ssh -name '*.pub' -o -name 'authorized_keys' -o -name 'known_hosts'
(If you want to see inside other users' homedirs, you'll have to be root or sudo.)
The ssh-add -l is very similar, but lists the fingerprints of keys added to your agent. (OS X users take note that magic passwordless SSH via Keychain is not the same as using ssh-agent.)
The newer SSH commands will list fingerprints as a SHA256 Key.
For example:
ssh-keygen -lf ~/.ssh/id_dsa.pub
1024 SHA256:19n6fkdz0qqmowiBy6XEaA87EuG/jgWUr44ZSBhJl6Y (DSA)
If you need to compare it against an old fingerprint you also need to specify to use the MD5 fingerprint hashing function.
ssh-keygen -E md5 -lf ~/.ssh/id_dsa.pub
2048 MD5:4d:5b:97:19:8c:fe:06:f0:29:e7:f5:96:77:cb:3c:71 (DSA)
Also available: -E sha1
Update... YES...yes... I know... DSA keys for SSH should no longer be used, the older RSA key or newer ecliptic keys should be used instead.
To those 'admins' that keep editing the command I used in the above. STOP CHANGING IT! You make the command and resulting output mis-match!
To see your key on Ubuntu, just enter the following command on your terminal:
ssh-add -l
You will get an output like this:
2568 0j:20:4b:88:a7:9t:wd:19:f0:d4:4y:9g:27:cf:97:23 yourName#ubuntu (RSA)
If however you get an error like; Could not open a connection to your authentication agent.
Then it means that ssh-agent is not running. You can start/run it with:
ssh-agent bash (thanks to #Richard in the comments) and then re-run ssh-add -l
A key pair (the private and public keys) will have the same fingerprint; so in the case you can't remember which private key belong to which public key, find the match by comparing their fingerprints.
The most voted answer by Marvin Vinto provides the fingerprint of a public SSH key file. The fingerprint of the corresponding private SSH key can also be queried, but it requires a longer series of step, as shown below.
Load the SSH agent, if you haven't done so. The easiest way is to invoke
$ ssh-agent bash
or
$ ssh-agent tcsh
(or another shell you use).
Load the private key you want to test:
$ ssh-add /path/to/your-ssh-private-key
You will be asked to enter the passphrase if the key is password-protected.
Now, as others have said, type
$ ssh-add -l
1024 fd:bc:8a:81:58:8f:2c:78:86:a2:cf:02:40:7d:9d:3c you#yourhost (DSA)
fd:bc:... is the fingerprint you are after. If there are multiple keys, multiple lines will be printed, and the last line contains the fingerprint of the last loaded key.
If you want to stop the agent (i.e., if you invoked step 1 above), then simply type `exit' on the shell, and you'll be back on the shell prior to the loading of ssh agent.
I do not add new information, but hopefully this answer is clear to users of all levels.
Reproducing content from AWS forums here, because I found it useful to my use case - I wanted to check which of my keys matched ones I had imported into AWS
openssl pkey -in ~/.ssh/ec2/primary.pem -pubout -outform DER | openssl md5 -c
Where:
primary.pem is the private key to check
Note that this gives a different fingerprint from the one computed by ssh-keygen.
The fastest way if your keys are in an SSH agent:
$ ssh-add -L | ssh-keygen -E md5 -lf /dev/stdin
Each key in the agent will be printed as:
4096 MD5:8f:c9:dc:40:ec:9e:dc:65:74:f7:20:c1:29:d1:e8:5a /Users/cmcginty/.ssh/id_rsa (RSA)
$ ssh-add -l
will also work on Mac OS X v10.8 (Mountain Lion) - v10.10 (Yosemite).
It also supports the option -E to specify the fingerprint format so in case MD5 is needed (it's often used, e.g. by GitHub), just add -E md5 to the command.
On Windows, if you're running PuTTY/Pageant, the fingerprint is listed when you load your PuTTY (.ppk) key into Pageant. It is pretty useful in case you forget which one you're using.
This is the shell function I use to get my SSH key finger print for creating DigitalOcean droplets:
fingerprint() {
pubkeypath="$1"
ssh-keygen -E md5 -lf "$pubkeypath" | awk '{ print $2 }' | cut -c 5-
}
Put it in your ~/.bashrc, source it, and then you can get the finger print as so:
$ fingerprint ~/.ssh/id_rsa.pub
d2:47:0a:87:30:a0:c0:df:6b:42:19:55:b4:f3:09:b9
Sometimes you can have a bunch of keys in your ~/.ssh directory, and don't know which matches the fingerprint shown by GitHub/Gitlab/etc.
Here's how to show the key filenames and MD5 fingerprints of all the keys in your ~/.ssh directory:
cd ~/.ssh
find . -type f -exec printf "\n{}\n" \; -exec ssh-keygen -E md5 -lf {} \;
(For what the parameters mean, refer to this answer about the find command.
Note that the private/public files that belong to one key have the same fingerprint, so you'll see duplicates.
If your SSH agent is running, it is
ssh-add -l
to list RSA fingerprints of all identities, or -L for listing public keys.
If your agent is not running, try:
ssh-agent sh -c 'ssh-add; ssh-add -l'
And for your public keys:
ssh-agent sh -c 'ssh-add; ssh-add -L'
If you get the message: 'The agent has no identities.', then you have to generate your RSA key by ssh-keygen first.
Google Compute Engine shows the SSH host key fingerprint in the serial output of a Linux instance. The API can get that data from GCE, and there is no need to log in to the instance.
I didn't find it anywhere else but from the serial output. I think the fingerprint should be in some more programmer-friendly place.
However, it seems that it depends on the type of an instance. I am using instances of Debian 7 (Wheezy) f1-micro.
If you need to obtain that from the private key do it:
ssh-keygen -y -f key > key.pub && ssh-keygen -lf key.pub
To check a remote SSH server prior to the first connection, you can give a look at www.server-stats.net/ssh/ to see all SHH keys for the server, as well as from when the key is known.
That's not like an SSL certificate, but definitely a must-do before connecting to any SSH server for the first time.
On Fedora I do locate ~/.ssh which tells me keys are at
/root/.ssh
/root/.ssh/authorized_keys