I've created an RSA public key and I want to add that to authorized_keys file, but there is no such file in my Ubuntu 11.10 machine.
How can I add the key to authorized_keys?
Make sure when executing Michael Krelin's solution you do the following
cat <your_public_key_file> >> ~/.ssh/authorized_keys
Note that without the double >> the existing contents of authorized_keys will be over-written (nuked!) and that may not be desirable.
There is already a command in the ssh suite to do this automatically for you. I.e log into a remote host and add the public key to that computers authorized_keys file.
ssh-copy-id -i /path/to/key/file user#host.com
If the key you are installing is ~/.ssh/id_rsa then you can even drop the -i flag completely.
Much better than manually doing it!
mkdir -p ~/.ssh/
To overwrite authorized_keys
cat your_key > ~/.ssh/authorized_keys
To append to the end of authorized_keys
cat your_key >> ~/.ssh/authorized_keys
I know I am replying too late but for anyone else who needs this, run following command from your local machine
cat ~/.ssh/id_rsa.pub | ssh user#192.168.1.1 "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys"
this has worked perfectly fine. All you need to do is just to replace
user#192.168.1.1
with your own user for that particular host
>ssh user#serverip -p portnumber
>sudo bash (if user does not have bash shell else skip this line)
>cd /home/user/.ssh
>echo ssh_rsa...this is the key >> authorized_keys
Related
I'm writing a C Shell program that will be doing su or sudo or ssh. They all want their passwords in console input (the TTY) rather than stdin or the command line.
Does anybody know a solution?
Setting up password-less sudo is not an option.
expect could be an option, but it's not present on my stripped-down system.
For sudo there is a -S option for accepting the password from standard input. Here is the man entry:
-S The -S (stdin) option causes sudo to read the password from
the standard input instead of the terminal device.
This will allow you to run a command like:
echo myPassword | sudo -S ls /tmp
As for ssh, I have made many attempts to automate/script it's usage with no success. There doesn't seem to be any build-in way to pass the password into the command without prompting. As others have mentioned, the "expect" utility seems like it is aimed at addressing this dilemma but ultimately, setting up the correct private-key authorization is the correct way to go when attempting to automate this.
I wrote some Applescript which prompts for a password via a dialog box and then builds a custom bash command, like this:
echo <password> | sudo -S <command>
I'm not sure if this helps.
It'd be nice if sudo accepted a pre-encrypted password, so I could encrypt it within my script and not worry about echoing clear text passwords around. However this works for me and my situation.
For ssh you can use sshpass: sshpass -p yourpassphrase ssh user#host.
You just need to download sshpass first :)
$ apt-get install sshpass
$ sshpass -p 'password' ssh username#server
For sudo you can do this too:
sudo -S <<< "password" command
I've got:
ssh user#host bash -c "echo mypass | sudo -S mycommand"
Works for me.
The usual solution to this problem is setuiding a helper app that performs the task requiring superuser access:
http://en.wikipedia.org/wiki/Setuid
Sudo is not meant to be used offline.
Later edit: SSH can be used with private-public key authentication. If the private key does not have a passphrase, ssh can be used without prompting for a password.
Maybe you can use an expect command?:
expect -c 'spawn ssh root#your-domain.com;expect password;send "your-password\n";interact
That command gives the password automatically.
This can be done by setting up public/private keys on the target hosts you will be connecting to.
The first step would be to generate an ssh key for the user running the script on the local host, by executing:
ssh-keygen
Enter file in which to save the key (/home/myuser/.ssh/id_rsa): <Hit enter for default>
Overwrite (y/n)? y
Then enter a blank password. After that, copy your ssh key onto the target host which you will be connecting to.
ssh-copy-id <remote_user>#<other_host>
remote_user#other_host's password: <Enter remote user's password here>
After registering the ssh keys, you would be able to perform a silent ssh remote_user#other_host from you local host.
When there's no better choice (as suggested by others), then man socat can help:
(sleep 5; echo PASSWORD; sleep 5; echo ls; sleep 1) |
socat - EXEC:'ssh -l user server',pty,setsid,ctty
EXEC’utes an ssh session to server. Uses a pty for communication
between socat and ssh, makes it ssh’s controlling tty (ctty),
and makes this pty the owner of a new process group (setsid), so
ssh accepts the password from socat.
All of the pty,setsid,ctty complexity is necessary and, while you might not need to sleep as long, you will need to sleep. The echo=0 option is worth a look too, as is passing the remote command on ssh's command line.
Take a look at expect linux utility.
It allows you to send output to stdio based on simple pattern matching on stdin.
ssh -t -t me#myserver.io << EOF
echo SOMEPASSWORD | sudo -S do something
sudo do something else
exit
EOF
Set SSH up for Public Key Authentication, with no pasphrase on the Key. Loads of guides on the net. You won't need a password to login then. You can then limit connections for a key based on client hostname. Provides reasonable security and is great for automated logins.
echo <password> | su -c <command> <user>
This is working.
a better sshpass alternative is: passh
https://github.com/clarkwang/passh
Login to a remote server
$ passh -p password ssh user#host
Run a command on remote server
$ passh -p password ssh user#host date
other methods to pass the password
-p The password (Default: `password')
-p env: Read password from env var
-p file: Read password from file
here I explained why it is better than sshpass, and other solutions.
You can also pass various parameters as follows:
echo password | echo y | sudo -S pacman -Syu
(Although that's a bad idea, it's just an example)
I had the same problem. dialog script to create directory on remote pc.
dialog with ssh is easy. I use sshpass (previously installed).
dialog --inputbox "Enter IP" 8 78 2> /tmp/ip
IP=$(cat /tmp/ip)
dialog --inputbox "Please enter username" 8 78 2> /tmp/user
US=$(cat /tmp/user)
dialog --passwordbox "enter password for \"$US\" 8 78 2> /tmp/pass
PASSWORD = $(cat /tmp/pass)
sshpass -p "$PASSWORD" ssh $US#$IP mkdir -p /home/$US/TARGET-FOLDER
rm /tmp/ip
rm /tmp/user
rm /tmp/pass
greetings from germany
titus
Building on #Jahid's answer, this worked for me on macOS 10.13:
ssh <remote_username>#<remote_server> sudo -S <<< <remote_password> cat /etc/sudoers
I once had a use case where I needed to run Sudo and ssh in the same command without stdin specifying all the variables needed.
This is the command I used
echo sudopassword | sudo -S -u username sshpass -p extsshpassword ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no username#ipaddress " CMD on external machine"
Breaking that command into pieces!
This will allow you to run commands through your machine using Superuser:
echo password | sudo -S -u username
This will allow you to pass ssh password and execute commands on external machines:
sshpass -p sshpassword ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no username#ipaddress " CMD on external machine"
make sure you install the sudo and openssh packages on your machine.
One way would be to use read -s option .. this way the password characters are not echoed back to the screen. I wrote a small script for some use cases and you can see it in my blog:
http://www.datauniv.com/blogs/2013/02/21/a-quick-little-expect-script/
USE:
echo password | sudo command
Example:
echo password | sudo apt-get update; whoami
Hope It Helps..
You can provide password as parameter to expect script.
su -c "Command" < "Password"
Hope it is helpful.
I needed to get the fingerprint of a ssh key using:
$ ssh-keygen -lf ~/.ssh/id_rsa_user.pub
after typing:ssh-keygen -lf ~/.ss TAB It was not giving any options.
I had to do:
$ compdef _files ssh-keygen
After that I was available to autocomplete using the files path, but the command autocomplete stop working, so if if I type ssh-keygen - Tab I don't see any more this output:
$ ssh-keygen -
-- option --
-B -- show the bubblebabble digest of key
-C -- provide new comment
-D -- download key stored in smartcard reader
-N -- provide new passphrase
-P -- provide old passphrase
-U -- upload key to smartcard reader
-b -- specify number of bits in key
-c -- change comment in private and public key files
-e -- export key to SECSH file format
-f -- key file
-i -- import key to OpenSSH format
-l -- show fingerprint of key file
-p -- change passphrase of private key file
-q -- silence ssh-keygen
-t -- specify the type of the key to create
-y -- get public key from private key
So wondering if there is a way of having both options enabled so that I can do something like:
ssh-keyg TAB that will give me:
$ ssh-keygen
Then I can do
$ ssh-keygen - TAB
That would print the option menu and been available to do:
$ ssh-keygen -lf ~/.ss TAB
And have list of options what could work so at the end I would get something like:
$ ssh-keygen -lf ~/.ssh/id_rsa_user.pub
For now I just add to my ~/.zshrc this:
compdef _files ssh-keygen
compdef _files adb
compdef _files mysql
...
But I have to do that for avery command I want to use the _files completion, therefore I would like to know if there is a way to always use _files or failover to it.
Any ideas?
Could it be possible to make it behave like csh in where pressing Ctrl+d shows files options?
Update:
I notice that if I the last argument is an -f the autocomplete works:
ssh-keygen -l -f ~/.sshTAB
But for custom scripts, commands what function, widget alias could help do force the _files completion.?
The solution was to update to zsh this is how I did it:
# check the zsh info
brew info zsh
# install zsh
brew install zsh
# add shell path
sudo vim /etc/shells
# add the following line into the very end of the file(/etc/shells)
/usr/local/bin/zsh
# change default shell
chsh -s /usr/local/bin/zsh
I had issues completing git-flow this was fixed by reinstalling with --without-completions:
$ brew install git --without-completions
Keys are properly deployed in ~/.ssh/authorized_keys
Yet ssh keeps on prompting for a password.
Several issues, mostly privileges - but also related to SELinux on RedHat 6
The following script should fix them all, please replace <user>:<group> with your matching userid and group
chown -R <user>:<group> ~/.ssh
chmod 700 ~/.ssh
chmod 600 ~/.ssh/*
restorecon -R -v ~/.ssh
I'd agree with the changes above working on most linux variants in the root account.
I have had a problem with RedHat 6.3 with trying to get a postgres user account to use DSA auth. (6.3 running in VirtualBox)
The issue can be that the basic selinux permissions are wrong. Restorecon wont help in this case.
(After restorecon)
drwx------. postgres postgres unconfined_u:object_r:var_lib_t:s0 .ssh
I have fixed this with :
chcon -R -t ssh_home_t .ssh
This resolved this instance of the problem.
I had also this same issue, the proposed solution above did not solve the case for me. To summarise instructions abowe together:
Check following logfile on target system for possible details of errors: /var/log/secure
Permission of files in users ~/.ssh directory should be 600 and files should be owned By "user:group"
Permission of ~/.ssh directory should be 700 and owned By "user:group"
Permission of home directory of user ie. "~" (="~/.ssh/..") should be 755. If permissions are f.ex 775, ssh key autenthication failed in my system.
br
bruno
The above answer is quite good, I have an addition & a suggestion. The addition is in line 2 below, as home directory permissions not be more permissive than rwxr-x--- for ssh key authentication.
cd ~
chmod g-w,o-rwx .
chmod 700 .ssh
cd .ssh
chmod 600 *
chmod 644 authorized_keys
chmod 644 known_hosts
chmod 644 config
restorecon -R -v ../.ssh
The suggestion is to make use of the -vv option when testing.
I need to do the SSH key audit for GitHub, but I am not sure how do find my RSA key fingerprint. I originally followed a guide to generate an SSH key on Linux.
What is the command I need to enter to find my current RSA key fingerprint?
Run the following command to retrieve the SHA256 fingerprint of your SSH key (-l means "list" instead of create a new key, -f means "filename"):
$ ssh-keygen -lf /path/to/ssh/key
So for example, on my machine the command I ran was (using RSA public key):
$ ssh-keygen -lf ~/.ssh/id_rsa.pub
2048 00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff /Users/username/.ssh/id_rsa.pub (RSA)
To get the GitHub (MD5) fingerprint format with newer versions of ssh-keygen, run:
$ ssh-keygen -E md5 -lf <fileName>
Bonus information:
ssh-keygen -lf also works on known_hosts and authorized_keys files.
To find most public keys on Linux/Unix/OS X systems, run
$ find /etc/ssh /home/*/.ssh /Users/*/.ssh -name '*.pub' -o -name 'authorized_keys' -o -name 'known_hosts'
(If you want to see inside other users' homedirs, you'll have to be root or sudo.)
The ssh-add -l is very similar, but lists the fingerprints of keys added to your agent. (OS X users take note that magic passwordless SSH via Keychain is not the same as using ssh-agent.)
The newer SSH commands will list fingerprints as a SHA256 Key.
For example:
ssh-keygen -lf ~/.ssh/id_dsa.pub
1024 SHA256:19n6fkdz0qqmowiBy6XEaA87EuG/jgWUr44ZSBhJl6Y (DSA)
If you need to compare it against an old fingerprint you also need to specify to use the MD5 fingerprint hashing function.
ssh-keygen -E md5 -lf ~/.ssh/id_dsa.pub
2048 MD5:4d:5b:97:19:8c:fe:06:f0:29:e7:f5:96:77:cb:3c:71 (DSA)
Also available: -E sha1
Update... YES...yes... I know... DSA keys for SSH should no longer be used, the older RSA key or newer ecliptic keys should be used instead.
To those 'admins' that keep editing the command I used in the above. STOP CHANGING IT! You make the command and resulting output mis-match!
To see your key on Ubuntu, just enter the following command on your terminal:
ssh-add -l
You will get an output like this:
2568 0j:20:4b:88:a7:9t:wd:19:f0:d4:4y:9g:27:cf:97:23 yourName#ubuntu (RSA)
If however you get an error like; Could not open a connection to your authentication agent.
Then it means that ssh-agent is not running. You can start/run it with:
ssh-agent bash (thanks to #Richard in the comments) and then re-run ssh-add -l
A key pair (the private and public keys) will have the same fingerprint; so in the case you can't remember which private key belong to which public key, find the match by comparing their fingerprints.
The most voted answer by Marvin Vinto provides the fingerprint of a public SSH key file. The fingerprint of the corresponding private SSH key can also be queried, but it requires a longer series of step, as shown below.
Load the SSH agent, if you haven't done so. The easiest way is to invoke
$ ssh-agent bash
or
$ ssh-agent tcsh
(or another shell you use).
Load the private key you want to test:
$ ssh-add /path/to/your-ssh-private-key
You will be asked to enter the passphrase if the key is password-protected.
Now, as others have said, type
$ ssh-add -l
1024 fd:bc:8a:81:58:8f:2c:78:86:a2:cf:02:40:7d:9d:3c you#yourhost (DSA)
fd:bc:... is the fingerprint you are after. If there are multiple keys, multiple lines will be printed, and the last line contains the fingerprint of the last loaded key.
If you want to stop the agent (i.e., if you invoked step 1 above), then simply type `exit' on the shell, and you'll be back on the shell prior to the loading of ssh agent.
I do not add new information, but hopefully this answer is clear to users of all levels.
Reproducing content from AWS forums here, because I found it useful to my use case - I wanted to check which of my keys matched ones I had imported into AWS
openssl pkey -in ~/.ssh/ec2/primary.pem -pubout -outform DER | openssl md5 -c
Where:
primary.pem is the private key to check
Note that this gives a different fingerprint from the one computed by ssh-keygen.
The fastest way if your keys are in an SSH agent:
$ ssh-add -L | ssh-keygen -E md5 -lf /dev/stdin
Each key in the agent will be printed as:
4096 MD5:8f:c9:dc:40:ec:9e:dc:65:74:f7:20:c1:29:d1:e8:5a /Users/cmcginty/.ssh/id_rsa (RSA)
$ ssh-add -l
will also work on Mac OS X v10.8 (Mountain Lion) - v10.10 (Yosemite).
It also supports the option -E to specify the fingerprint format so in case MD5 is needed (it's often used, e.g. by GitHub), just add -E md5 to the command.
On Windows, if you're running PuTTY/Pageant, the fingerprint is listed when you load your PuTTY (.ppk) key into Pageant. It is pretty useful in case you forget which one you're using.
This is the shell function I use to get my SSH key finger print for creating DigitalOcean droplets:
fingerprint() {
pubkeypath="$1"
ssh-keygen -E md5 -lf "$pubkeypath" | awk '{ print $2 }' | cut -c 5-
}
Put it in your ~/.bashrc, source it, and then you can get the finger print as so:
$ fingerprint ~/.ssh/id_rsa.pub
d2:47:0a:87:30:a0:c0:df:6b:42:19:55:b4:f3:09:b9
Sometimes you can have a bunch of keys in your ~/.ssh directory, and don't know which matches the fingerprint shown by GitHub/Gitlab/etc.
Here's how to show the key filenames and MD5 fingerprints of all the keys in your ~/.ssh directory:
cd ~/.ssh
find . -type f -exec printf "\n{}\n" \; -exec ssh-keygen -E md5 -lf {} \;
(For what the parameters mean, refer to this answer about the find command.
Note that the private/public files that belong to one key have the same fingerprint, so you'll see duplicates.
If your SSH agent is running, it is
ssh-add -l
to list RSA fingerprints of all identities, or -L for listing public keys.
If your agent is not running, try:
ssh-agent sh -c 'ssh-add; ssh-add -l'
And for your public keys:
ssh-agent sh -c 'ssh-add; ssh-add -L'
If you get the message: 'The agent has no identities.', then you have to generate your RSA key by ssh-keygen first.
Google Compute Engine shows the SSH host key fingerprint in the serial output of a Linux instance. The API can get that data from GCE, and there is no need to log in to the instance.
I didn't find it anywhere else but from the serial output. I think the fingerprint should be in some more programmer-friendly place.
However, it seems that it depends on the type of an instance. I am using instances of Debian 7 (Wheezy) f1-micro.
If you need to obtain that from the private key do it:
ssh-keygen -y -f key > key.pub && ssh-keygen -lf key.pub
To check a remote SSH server prior to the first connection, you can give a look at www.server-stats.net/ssh/ to see all SHH keys for the server, as well as from when the key is known.
That's not like an SSL certificate, but definitely a must-do before connecting to any SSH server for the first time.
On Fedora I do locate ~/.ssh which tells me keys are at
/root/.ssh
/root/.ssh/authorized_keys
I am getting a 500 error because the owner of some of my files is set incorrectly, its set at 0 0 when the rest are at 510 510?? How do I fix this, I've read something about ssh?
Yes, SSH is right. You need to use SSH to connect to your server (using openssh and the "ssh" program in Linux, or PuTTy in Windows) and issue the command webdestroya already posted:
$ ssh yourserver -l username <host>
OR
$ ssh yourserver [username#]<host>
And then issue the command to change your file permissions:
$ chown 510:510 thefile.file
chown 510:510 thefile.file
If it is a linux server, you can use the chown and chgrp commands to change the owner and group of a file.
You can also use the chmod command to change the permissions of a given file - EG: 777 means that everyone has access to a file (probably not what you want, just an example: