I use Dyndns to provide a domain name to outside clients, e.g. ralph.com, so that when my provider changes my IP address, they can still access my site. This works. However, when I try to administer the server using ssh remotely, I get messages about invalid ssh key and “man in the middle” attacks. I am unable to connect to the server to correct the ssh key problem. What can I do to either connect when this happens, or prevent this from happening?
The only thing you can do is to disable the host key verification.
ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no
See here for more details: http://linuxcommando.blogspot.fr/2008/10/how-to-disable-ssh-host-key-checking.html
We are looking to connect dbt to Postgres using SSH bastion.
I followed the comments left under this issue, but I get a timeout error.
A few questions:
How should the profiles.yml be configured to connect via SSH? I added ssh-host but that did not get it working.
Are there any other configurations that I'd need to set up?
I just hacked my way through figuring this out and the steps listed in the above comment were very helpful for someone with zero experience in this realm who still needs to use dbt with a bastion host. Here is specifically how I did this and some helpful resources I came across. Hopefully others will find these examples helpful.
You register a public SSH key with the remote location, tied to a private key that lives on your machine
Github has a helpful guide for how to do this: https://docs.github.com/en/authentication/connecting-to-github-with-ssh/generating-a-new-ssh-key-and-adding-it-to-the-ssh-agent
Add keys to ~/.ssh/config: Adding an RSA key without overwriting.
I also had to add IgnoreUnknown UseKeychain to ~/.ssh/config
You use a CLI tool (e.g. ssh, autossh) to "forward" a local port to the remote location (bastion host)
To forward the local port to the bastion host, save your user/bastion host/db host into environment variables. I used Postgres so it looked like this.
ssh -l $BASTION_USER $BASTION_HOST -p 22 -N -C -L "5432:${POSTGRES_HOST}:5432";
In profiles.yml, instead of putting the host/port of a remote database, you put localhost and the number of the "forwarding" port
Then my ~/.dbt/profiles.yml includes this:
dev:
  type: postgres
  threads: 1
  host: localhost
  port: 5432
  user: POSTGRES_USER
  pass: POSTGRES_PWD
  dbname: POSTGRES_DB_NAME
  schema: dbt_tmp
Voila! Your connection is forwarded to the bastion host, authenticated via SSH, and passed along to the database
At that point I ran dbt debug against my target and it connected with all checks passed.
I think you need to follow Jeremy's instructions from this comment:
The basic idea, as I remember it:
You register a public SSH key with the remote location, tied to a private key that lives on your machine
You use a CLI tool (e.g. ssh, autossh) to "forward" a local port to the remote location (bastion host)
In profiles.yml, instead of putting the host/port of a remote database, you put localhost and the number of the "forwarding" port
Voila! Your connection is forwarded to the bastion host, authenticated via SSH, and passed along to the database
To be fair, he was also asking for definitive walkthroughs and included the caveat that this has had varying levels of success based on the particulars of the client, host, environment etc.
I want to connect via ssh to the server and from this server connect to another server via ssh. Do you know if there are any extensions that would allow me to do so?
Can you just use
ssh -t userid1@machine1 "ssh userid2@machine2"
assuming that you have a ssh client on the first target?
I have a droplet on DigitalCloud with Ubuntu 14.04 and PostgreSQL 9.3. On my local machine I have the same configuration.
My ssh connection is working so there is no problem with it. It must be somewhere in my Postgres connection or environment settings.
So what I have already done on the server is:
changed the listening port in /etc/ssh/sshd_config
Port 4321
enabled remote connections in /etc/postgresql/9.3/main/pg_hba.conf
host all all 0.0.0.0/0 md5
added listening addresses in /etc/postgresql/9.3/main/postgresql.conf
listen_addresses = '*'
And here is my local connection settings:
Here is my Properties tab screen
Here is my SSH Tunnel tab screen
I use just the same (and only) id_rsa.pub file which I used to establish my ssh connection before, which is working. And this is the error that I get upon trying to connect:
SSH error: Authentication by identify file failed with error code -16
[Unable to extract public key from private key file: Wrong passphrase
or invalid/unrecognized private key file format]
My passphrase was set to empty.
If I try to connect without the SSH tunnel there is another error:
Error connecting to the server: SSL error: unknown protocol expected
authentication request from server, but received S
I'm a complete newbie to it and I may have missed something important. So tell me if you want me to provide any other info on this matter.
EDIT 1:
If I use the correct id_rsa file (without pub) then I get this same error:
Error connecting to the server: SSL error: unknown protocol expected
authentication request from server, but received S
I use just the same (and only) id_rsa.pub file
The first issue is that this is the wrong file. See if you have a file in the same place named "id_rsa" without the ".pub" extension. That is the file you should use as the identity file.
RSA ssh keys come in two files: "id_rsa" contains the private key, while "id_rsa.pub" contains the public key. id_rsa.pub is installed onto the server that you are connecting to, while id_rsa is used by the client that is making the connection to the server.
(Key files can be named something other than "id_rsa", of course. The point is that the private key is in foobar, while the public key is in foobar.pub.)
If you don't have an id_rsa file, then you should generate a new key and keep both files this time.
The second issue is that you have the wrong port on the Properties tab. The port number on the properties tab is the port that the PG server is running on. You should set this to 5432 or whatever port your server is actually listening on. It seems you should also set the "host" on the properties tab to "localhost", but I don't know if this is required.
Error connecting to the server: SSL error: unknown protocol expected authentication request from server, but received S
What is happening now is that your tunneled PG connection is going to port 4321 on the remote host, which is the SSH server. It happens that the first thing an SSH server sends to a new client is a version string, which looks like "SSH-2.0-OpenSSH_6.9". I don't know the PG protocol, but apparently your client reads the "S" in the SSH string and immediately knows it's not connected to a PG server.
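The mix-up described in this answer can be checked directly from the client side. The following is an added example, not code from the original post, and its function names are hypothetical: it identifies whether a port (for instance the local end of a tunnel) is answered by an SSH server or by PostgreSQL. A PostgreSQL server replies to an SSLRequest with the single byte S or N, and S is also the first byte of an SSH identification string, so the probe listens for an unsolicited banner first and compares more than one byte.

```python
import socket
import struct

# PostgreSQL SSLRequest: Int32 length 8, then Int32 request code 80877103.
SSL_REQUEST = struct.pack("!II", 8, 80877103)


def classify(first_bytes: bytes) -> str:
    """Name the service from the first bytes it sent."""
    if first_bytes.startswith(b"SSH-"):
        return "ssh"        # identification string such as SSH-2.0-OpenSSH_6.9
    if first_bytes in (b"S", b"N"):
        return "postgres"   # one-byte SSLRequest reply: TLS accepted or refused
    return "unknown" if first_bytes else "silent"


def _recv(sock: socket.socket, wait: float) -> bytes:
    """Read up to 64 bytes; b'' if nothing arrives within `wait` seconds."""
    sock.settimeout(wait)
    try:
        return sock.recv(64)
    except (socket.timeout, ConnectionError):
        return b""


def identify(sock: socket.socket, greet_wait: float = 0.5,
             timeout: float = 2.0) -> str:
    """Classify the peer on an already connected socket."""
    greeting = _recv(sock, greet_wait)      # an SSH server speaks first
    if greeting:
        return classify(greeting)
    try:
        sock.sendall(SSL_REQUEST)           # PostgreSQL waits for the client
    except (socket.timeout, ConnectionError):
        return "silent"
    return classify(_recv(sock, timeout))


def probe(host: str, port: int) -> str:
    """Connect to host:port, e.g. the local end of a tunnel, and identify it."""
    with socket.create_connection((host, port), timeout=2.0) as sock:
        return identify(sock)
```

Calling `probe("127.0.0.1", <local forward port>)` before pointing pgAdmin or dbt at a tunnel should return `postgres`; a result of `ssh` means the forward or the Properties-tab port targets the SSH daemon, as in the question.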
I received this error when trying to establish an SSH tunnel using pgAdmin3
I specified the private key location on my local machine (had to enable hidden files on my Mac finder to see it), entered the tunnel host (used public host IP) and checked the 'Identity file' option.
I don't have a password set on my key.
Received this error:
Authentication by identify file failed with error code -18
What am I doing wrong (or what do I need to do differently)?
I was getting this continuously on Windows (VM).
So I decided pgAdmin's built-in ssh tunnel was no good and just used gSTM (on Linux).
Forwarding the port from the remote server 5432 to local host 5555 worked.
Then I could just use pgAdmin III on Linux to connect.
You could probably use command line like this if you don't want to use a graphical tool such as gSTM.
ssh -fNg -L 5555:localhost:5432 {your_username}@{yourdomain.com}
Source: http://dustindavis.me/ssh-tunnel-in-pgadmin3-for-postgresql/
You can also use PuTTY on Windows to forward ports.
See Connection | SSH | Tunnels menu in the PuTTY Configuration.
http://www.akadia.com/services/ssh_putty.html
Then you can access it.
Of course, be very careful messing about in a remote database.
It is a good idea to label them a red or orange colour in pgAdmin to easily identify the ones that are not on your local network.
I have been using rockmongo as my client for mongodb on localhost for testing.
For production I DON'T want a client online as this might reduce security.
Is there a client which will allow me to connect over SSH? Kind of like MySql Workbench?
or
Can rockmongo stay on my local computer and I connect to the EC2 instance which has mongodb for production viewing?
or
Is there a better alternative to all of this?
My setup is a standard LAMP stack. Willing to make any changes necessary.
MongoHub has the option to connect over ssh, but the app kind of sucks. It crashes a lot.
A more generic approach would be to just create your own ssh tunnel to your production server, and then connect over that through whatever client you want. The client won't care as long as it can make the connection.
On OSX/Linux, creating an ssh tunnel might look like this:
ssh -L 8080:127.0.0.1:27017 -f -C -q -N username@domain.com
This would open a local port 8080 which will forward the traffic to the localhost interface at the mongodb default port 27017 on the remote side. You would point your client at 127.0.0.1:8080 as if mongodb were running there locally.
Check some of these out - http://www.mongodb.org/display/DOCS/Admin+UIs
One workaround would be to set that file in a separate folder and make a .htaccess file that restricts access to only your ip address. Any requests not from your ip address would get denied access...