
kme : ssh   289

Easy SSH and SCP Tunneling Using ProxyJump in Your SSH Config · Jeet Sukumaran
you can make life a lot simpler by setting up your ~/.ssh/config file to make use of the ProxyJump feature:
<code class="language-sshconfig">Host gateway
HostName gateway.institution.edu
User username1
Port 2222
Host remote1
HostName remote1.institution.edu
User username2
ProxyJump gateway</code>

Now you can just:
<code class="language-bash">ssh remote1</code>
ssh  tunneling  remoteaccess 
november 2019 by kme
ssh agent - ssh-add under cygwin - Server Fault
I totally did this.

OK, that other Serverfault.com answer has a typo.

The right thing you want to run is:
<code class="language-bash">eval `ssh-agent`</code>
ssh-agent spits out a bunch of shell statements to set environmental variables. The eval runs them in the current shell. You can invoke ssh-agent that way, or run ssh-agent and then copy-paste its output into your current shell for the same effect.
ssh  ssh-agent  cygwin  linux  unix  doh  solution 
october 2019 by kme
SSH tunnelling for fun and profit: SSH Config
<code>
# turn on pubkey auth per host
Host c1
HostName 192.168.0.1
PubkeyAuthentication yes
IdentityFile ~/.ssh/id_rsa_specific

# turn off pubkey auth for all hosts
Host *
PubkeyAuthentication no
IdentitiesOnly yes
</code>
<code>
# only store hashes of the hostnames
Host *
HashKnownHosts yes
</code>
<code>
# multiplex connections
Host *
ControlMaster auto
ControlPath ~/.ssh/sockets/%r@%h-%p
ControlPersist 600
</code>
ssh  ssh_config  configfile  bestpractices  security  hardening 
october 2019 by kme
ssh - autossh in background does not work - Server Fault
In my case, it was because I forgot to give '-N' to the final 'ssh' command; it died (silently, or else because I used '-q') when it realized that it had no stdin/stdout and no command to run.
ssh  sshtunnelling  portforwarding  autossh  solution 
october 2019 by kme
SSH tunnelling for fun and profit: Autossh
<code class="language-bash">autossh -M 0 -f -T -N cli-mysql-tunnel</code>

And make sure that you have set some value for 'ServerAliveInterval' and 'ServerAliveCountMax':
Unfortunately, this is not too handy, as it must be made sure both ports (the specified one and the one directly above) are free (not used). So in order to overcome this problem, there is a better solution:

ServerAliveInterval and ServerAliveCountMax – they cause the SSH client to send traffic through the encrypted link to the server. This will keep the connection alive when there is no other activity and also when it does not receive any alive data, it will tell AutoSSH that the connection is broken and AutoSSH will then restart the connection.


For example:

<code class="language-bash">autossh -M 0 -o "ServerAliveInterval 30" -o "ServerAliveCountMax 3"</code>
automation  ssh  sshtunnelling  vpn  remoteaccess  reference  solution 
august 2019 by kme
facerecog/auto-ssh-tunnel: Automatic SSH Tunnel is a Python script which can be used to create a Reverse SSH Tunnel between multiple computers running Linux and a centralized server. Property of Facerecog Asia Pte. Ltd. and 26 Factorial | https://github.c
Automatic SSH Tunnel is a Python script which can be used to create a Reverse SSH Tunnel between multiple computers running Linux and a centralized server. Property of Facerecog Asia Pte. Ltd. and 26 Factorial - facerecog/auto-ssh-tunnel
ssh  tunneling  tunnelmanager  networking  python  utility 
may 2019 by kme
The Monkeysphere Project | http://web.monkeysphere.info/
Frequent users of ssh are familiar with the prompt given the first time you log in to a new server, asking if you want to trust the server's key by verifying the key fingerprint. Unfortunately, unless you have access to the server's key fingerprint through a secure out-of-band channel, there is no way to verify that the fingerprint you are presented with is in fact that of the server you're really trying to connect to.
pki  gpg  ssh  cacert  security  crypto 
february 2019 by kme
Set current working directory on ssh - Super User | https://superuser.com/
Invoke $SHELL instead.
<code class="language-bash">
ssh -t user@server 'cd /home/some/dir ; exec "$SHELL"'
</code>
unix  linux  ssh  putty  tipsandtricks  remoteexecution  sysadmin  solution 
february 2019 by kme
SSH keys - Atlassian Documentation | https://confluence.atlassian.com/
SHA256 format

2048 SHA256:zzXQOXSRBEiUtuE8AikJYKwbHaxvSc0ojez9YXaGp1A bitbucket.org (RSA)
1024 SHA256:RezPkAnH1sowiJM0NQXH90IohWdzHc3fAisEp7L3O3o bitbucket.org (DSA)

md5 format

97:8c:1b:f2:6f:14:6b:5c:3b:ec:aa:46:46:74:7c:40 (RSA)
35:ee:d7:b8:ef:d7:79:e2:c6:43:9e:ab:40:6f:50:74 (DSA)
ssh  publickeyauthentication  bitbucket  git  hostkeyverification  fingerprints  solution 
november 2018 by kme
GitLab.com settings | GitLab | https://docs.gitlab.com/
<code>
DSA 7a:47:81:3a:ee:89:89:64:33:ca:44:52:3d:30:d4:87 p8vZBUOR0XQz6sYiaWSMLmh0t9i8srqYKool/Xfdfqw
ECDSA f1:d0:fb:46:73:7a:70:92:5a:ab:5d:ef:43:e2:1c:35 HbW3g8zUjNSksFbqTiUWPWg2Bq1x8xdGUrliXFzSnUw
ED25519 2e:65:6a:c8:cf:bf:b2:8b:9a:bd:6d:9f:11:5c:12:16 eUXGGm1YGsMAS7vkcx6JOJdOGHPem5gQp4taiCfCLB8
RSA b6:03:0e:39:97:9e:d0:e7:24:ce:a3:77:3e:01:42:09 ROQFvPThGrW4RuWLoL9tq9I9zJ42fK4XywyRtbOz/EQ
</code>
gitlab  ssh  fingerprint  hostkeyfingerprints  reference  fuckina  solution 
may 2018 by kme
macos - How to use Mac OS X Keychain with SSH keys? - Super User | https://superuser.com/
This worked!
Add the pass phrase to each ssh key to keychain: (option -k loads plain private keys only, skips certificates)
<code class="language-bash">ssh-add -K [path/to/private SSH key]</code>
ssh  keychain  mac  osx  macos  annoyance  sierra  solution 
march 2018 by kme
Testing your SSH connection - User Documentation [https://help.github.com/]
<code>The authenticity of host 'github.com (IP ADDRESS)' can't be established.
RSA key fingerprint is 16:27:ac:a5:76:28:2d:36:63:1b:56:4d:eb:df:a6:48.
Are you sure you want to continue connecting (yes/no)?
</code>

<code>The authenticity of host 'github.com (IP ADDRESS)' can't be established.
RSA key fingerprint is SHA256:nThbg6kXUpJWGl7E1IGOCspRomTxdCARLviKw6E5SY8.
Are you sure you want to continue connecting (yes/no)?
</code>
git  github  ssh  hostkey  fingerprint  security  reference 
march 2018 by kme
linux - Find pid of a certain ssh instance - Super User | https://superuser.com/
What I actually did was *not* put 'ssh' in the background (no '-f') and then capture the PID with '$!'.
Give pgrep a go:
<code class="language-bash">pgrep -f 'ssh .* -nNCTR'</code>
ssh  backgroundprocess  sshtunnels  processmanagement  unix  tipsandtricks  worksok  solution 
february 2018 by kme
linux - What does "key_load_public: no such file or directory" mean? - Super User | https://superuser.com/
It means literally what it says: there is no such file or directory that ssh wanted to access.

However, it talks about the file mentioned below, not above. You have just the regular public keys, but you do not have the SSH certificates for them (presumably because you just don't need them). OpenSSH however will always try to load the associated .pub-cert file for each identity key.
ssh  ssh-agent  debugging  publickeyauthentication 
january 2018 by kme
keyring - Private SSH key with password no longer stays unlocked for session - elementary OS Stack Exchange | https://elementaryos.stackexchange.com/
Script 90x11-common_ssh-agent should somehow start your ssh-agent. But not add the keys. If you want to add a key with the first usage, you can configure ssh to do so in ~/.ssh/config:

AddKeysToAgent yes
ssh  ssh-agent  keyring  elementaryos  ubuntu  annoyance  solution 
january 2018 by kme
Enable Tab Completion for SSH Aliases
Blog formatting gremlins ate a bunch of extra backslashes, so you can't just copy-and-paste. The correct version with the missing backslashes is:

<code class="language-bash">
complete -o default -o nospace -W \
"$(/usr/bin/env ruby -ne 'puts $_.split(/[,\s]+/)[1..-1].reject{|host| host.match(/\*|\?/)} if $_.match(/^\s*Host\s+/);' < $HOME/.ssh/config)" \
scp sftp ssh
</code>
bash  essential  movein  ssh  configfile  tabcompletion  bashcompletion  solution 
december 2017 by kme
GitHub's SSH key fingerprints - User Documentation
Public key fingerprints can be used to validate a connection to a remote server.

These are GitHub's public key fingerprints (in hexadecimal format):

16:27:ac:a5:76:28:2d:36:63:1b:56:4d:eb:df:a6:48 (RSA)
ad:1c:08:a4:40:e3:6f:9c:f5:66:26:5d:4b:33:5d:8c (DSA)

These are the SHA256 hashes shown in OpenSSH 6.8 and newer (in base64 format):

SHA256:nThbg6kXUpJWGl7E1IGOCspRomTxdCARLviKw6E5SY8 (RSA)
SHA256:br9IjFspm1vxR3iA35FWE+4VTyz1hYVLIE2t1/CeyWQ (DSA)
ssh  fingerprint  security  github  pubkeyauth 
june 2017 by kme
linux - What is /var/empty and why is this directory used by sshd? - Server Fault


It is just an empty directory, where some processes (e.g. one of sshd processes, but it could be anything else) may chroot() to ("chroot jail"). This way processes that do not need file access do not have any files to access, so their privileges cannot be abused.
unix  security  chroot  ssh 
april 2017 by kme
openssh - SHA256 ssh fingerprint given by the client but only md5 fingerprint known for server - Super User
<code class="lang-bash">
# md5 on current OpenSSH
ssh-keygen -l -f key.pub -E md5

# sha256 on old OpenSSH
awk '{print $2}' /etc/ssh/ssh_host_rsa_key.pub |
base64 -d | # -d = decode
sha256sum -b | # -b = binary
awk '{print $1}' |
xxd -r -p | # -r = hex to binary; -p = "plain hexdump"
base64 # re-encode
</code>

Also, when the 'ssh-keygen' on the server is too old (<v5.8) to have the '-E' option:
<code>Host example.org
FingerprintHash md5</code>
ssh  fingerprint  publickeyauthentication  authentication  fuckina  solution 
march 2017 by kme
linux - What command do I use to see what the ECDSA key fingerprint of my server is? - Stack Overflow
This still doesn't allow me to verify keys that are presented in SHA256 format upon first connecting to the host. I have to run 'ssh-keyscan localhost' and compare the ECDSA key that I get with what's already in my ~/.ssh/known_hosts. Too late, if you've already been MITM'd.
ssh  security  sysadmin  publickey  authentication  keyfingerprint  almost  solution 
february 2017 by kme
Connecting to Your Linux Instance Using SSH - Amazon Elastic Compute Cloud
NB: It doesn't seem like you can verify the host SSH key fingerprint except on the first boot. The command for that is:
aws ec2 get-console-output --instance-id instance_id

Note:

Ensure that the instance is in the running state, not the pending state. The SSH HOST KEY FINGERPRINTS section is only available after the first boot of the instance.


Also:
Important

Your default security group does not allow incoming SSH traffic by default.
sysadmin  aws  ssh  keyfingerprint  solution 
february 2017 by kme
The authenticity of host 'gitlab.com (54.93.71.23)' can't be established - Troubleshooting - GitLab Community Forum
See: https://about.gitlab.com/gitlab-com/settings/

This should be googleable, and it's not. I shouldn't have to dig for the support web site, then the community support, and then be linked back to some other support article that the GitLab.com site search didn't find in the first place.
After I added an SSH key and tried to push my files, I saw this message

The authenticity of host 'gitlab.com (54.93.71.23)' can't be established.
ECDSA key fingerprint is SHA256:HbW3g8zUjNSksFbqTiUWPWg2Bq1x8xdGUrliXFzSnUw.
Are you sure you want to continue connecting (yes/no)?

Any Suggestions?
gitlab  errormessage  solution  ssh  publickeyauthentication  authentication  keyfingerprint  needshelp 
january 2017 by kme
GitLab.com settings | GitLab
RSA: b6:03:0e:39:97:9e:d0:e7:24:ce:a3:77:3e:01:42:09
SHA256: ROQFvPThGrW4RuWLoL9tq9I9zJ42fK4XywyRtbOz/EQ
gitlab  ssh  publickeyauthentication  keyfingerprints  solution 
january 2017 by kme
Use the SSH protocol with Bitbucket Cloud - Atlassian Documentation
This article doesn't even have the fingerprints anymore; you have to go to <strike>https://confluence.atlassian.com/bitbucket/troubleshoot-ssh-issues-271943403.html</strike>. Ugh, which is now actually moved to https://confluence.atlassian.com/bitbucket/ssh-keys-935365775.html.
Technically, you should record the server's public host key before connecting to it for the first time. Depending on the security protocols in your network, the system administrator may maintain a centrally located list of approved known hosts. The public key fingerprints for the Bitbucket server are:
SHA256 format

2048 SHA256:zzXQOXSRBEiUtuE8AikJYKwbHaxvSc0ojez9YXaGp1A bitbucket.org (RSA)
1024 SHA256:RezPkAnH1sowiJM0NQXH90IohWdzHc3fAisEp7L3O3o bitbucket.org (DSA)

md5 format

97:8c:1b:f2:6f:14:6b:5c:3b:ec:aa:46:46:74:7c:40 (RSA)
35:ee:d7:b8:ef:d7:79:e2:c6:43:9e:ab:40:6f:50:74 (DSA)

To get the format suitable for storage in the known hosts, you can use the following ssh-keyscan command:

$ ssh-keyscan -t rsa bitbucket.org
# bitbucket.org SSH-2.0-OpenSSH_5.3
bitbucket.org ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAubiN81eDcafrgMeLzaFPsw2kNvEcqTKl/VqLat/MaB33pZy0y3rJZtnqwR2qOOvbwKZYKiEO1O6VqNEBxKvJJelCq0dTXWT5pbO2gDXC6h6QDXCaHo6pOHGPUy+YBaGQRGuSusMEASYiWunYN0vCAI8QaXnWMXNMdFP3jHAJH0eDsoiGnLPBlBp4TNm6rYI74nMzgz3B9IikW4WVK+dc8KZJZWYjAuORU3jc1c/NPskD2ASinf8v3xnfXeukU0sJ5N6m5E8VLjObPEO+mN2t/FZTMZLiFqPWc/ALSqnMnnhwrNi2rbfg/rd/IpL8Le3pSBne8+seeFVBoGqzHM9yXw==
ssh  publickeyauthentication  bitbucket  git  hostkeyverification  fingerprints  solution 
october 2016 by kme
Fix Vagrant's Authentication failure after re-building the box · GitHub
$ vagrant ssh-config
Host default
HostName 127.0.0.1
User vagrant
Port 2202
UserKnownHostsFile /dev/null
StrictHostKeyChecking no
PasswordAuthentication no
IdentityFile /home/ten0s/.vagrant.d/boxes/ten0s-VAGRANTSLASH-centos6.5_x86_64/0/virtualbox/vagrant_private_key
IdentitiesOnly yes
LogLevel FATAL

# generate public key out of new private (-y key)
$ ssh-keygen -y -f /home/ten0s/.vagrant.d/boxes/ten0s-VAGRANTSLASH-centos6.5_x86_64/0/virtualbox/vagrant_private_key > /home/ten0s/.vagrant.d/boxes/ten0s-VAGRANTSLASH-centos6.5_x86_64/0/virtualbox/vagrant_private_key.pub

# copy new identity. will ask for vagrant's password, which is `vagrant'
$ ssh-copy-id -i /home/ten0s/.vagrant.d/boxes/ten0s-VAGRANTSLASH-centos6.5_x86_64/0/virtualbox/vagrant_private_key -p 2202 vagrant@127.0.0.1
vagrant  annoyance  errormessage  ssh  publickeyauthentication  solution 
august 2016 by kme
#9297 (Changed fingerprint - Cannot fix) – Cyberduck
I removed everything from ~/.ssh/known_hosts and this seemed to help.
cyberduck  errormessage  ssh  maybeolution 
june 2016 by kme
python - UnicodeDecodeError: 'ascii' codec can't decode byte 0xef in position 1 - Stack Overflow
If you are working on a remote host, look at /etc/ssh/ssh_config on your local PC.

When this file contains a line:

SendEnv LANG LC_*

comment it out by adding # at the head of the line. It might help.

With this line, ssh sends language related environment variables of your PC to the remote host. It causes a lot of problems.


No problems with my terminal. The above answers helped me look in the right direction, but it didn't work for me until I added 'ignore':

fix_encoding = lambda s: s.decode('utf8', 'ignore')

As indicated in the comment below, this may lead to undesired results. OTOH it also may just do the trick well enough to get things working.
locale  utf8  annoyance  headache  encoding  ssh  python  webdevel  fuckina  solution 
june 2016 by kme
SSH agent forwarding and screen
To have SSH within a screen session use the symlink, add the following line to ~/.screenrc:

setenv SSH_AUTH_SOCK $HOME/.ssh/ssh_auth_sock

To update the symlink we'll use the ~/.ssh/rc file which is executed by SSH on each connection. This can be any executable file, so something like the following script will do:

if test "$SSH_AUTH_SOCK" ; then
    # quote the socket path so an unusual path cannot split into several arguments
    ln -sf "$SSH_AUTH_SOCK" ~/.ssh/ssh_auth_sock
fi


Also, from the comments, the same thing can be done in a ~/.bashrc:

if [[ -n "$SSH_TTY" && -S "$SSH_AUTH_SOCK" ]]; then
    # only relink for interactive SSH logins that carry a live agent socket
    ln -sf "$SSH_AUTH_SOCK" ~/.ssh/ssh_auth_sock
fi


And for tmux (courtesy: https://stackoverflow.com/a/23187030)
# fix ssh agent when tmux is detached
setenv -g SSH_AUTH_SOCK $HOME/.ssh/ssh_auth_sock
screen  tmux  ssh  ssh-agent  dotfiles  solution 
june 2016 by kme
SSH keys - ArchWiki
Start ssh-agent with systemd user

It is possible to use the systemd/User facilities to start the agent.

~/.config/systemd/user/ssh-agent.service

[Unit]
Description=SSH key agent

[Service]
Type=forking
Environment=SSH_AUTH_SOCK=%t/ssh-agent.socket
ExecStart=/usr/bin/ssh-agent -a $SSH_AUTH_SOCK

[Install]
WantedBy=default.target

Add export SSH_AUTH_SOCK="$XDG_RUNTIME_DIR/ssh-agent.socket" to your shell's startup file, for example .bash_profile for Bash. Then enable or start the service.


Another helpful tip:

All the user services will be placed in ~/.config/systemd/user/. If you want to run services on first login, execute systemctl --user enable service for any service you want to be autostarted.
linux  authentication  ssh-agent  ssh  publickeyauthentication  maybesolution 
june 2016 by kme
Adding github to known_hosts with ansible · GitHub
- name: ensure github.com is a known host
  lineinfile:
    dest: /root/.ssh/known_hosts
    create: yes
    state: present
    line: "{{ lookup('pipe', 'ssh-keyscan -t rsa github.com') }}"
    regexp: "^github\\.com"


Nice task, but 2 points to be noted

this "blindly" accepts the scanned key as the legit one ... nowhere is its fingerprint compared to the expected one
if using /etc/ssh/ssh_config option HashKnownHosts yes, this ansible task leaves the host (github.com) unhashed in dest: /root/.ssh/known_hosts
known_hosts  ssh  publickeyauthentication  github  ansible  solution 
june 2016 by kme