openssh interview questions

Top openssh frequently asked interview questions

Remove key from known_hosts

I built several virtual machines during the last few weeks. The problem is, the .ssh/known_hosts gives me the Man in the middle warning. This happens because another fingerprint is associated with the virtual machine IP.

In the .ssh/known_hosts file, however, I don't find the record related to the IP, only two bizarre, key-like strings and "ssh-rsa".

Does anyone have any ideas about how to remove the old key from known_hosts?


Source: (StackOverflow)
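The "two bizarre, key-like strings" are what OpenSSH writes when HashKnownHosts is on: a base64 salt and HMAC-SHA1(salt, hostname), so the IP never appears in clear text. The following is an added example, not code from the post, that locates matching lines (plain, hashed, or [host]:port form) in a constructed known_hosts sample whose key blobs are placeholders.

```python
import base64
import hashlib
import hmac

def hashed_host_field(host, salt):
    """Build the |1|salt|hmac form OpenSSH writes for a hashed hostname:
    the two base64 strings are a 20-byte salt and HMAC-SHA1(salt, hostname)."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())

# Constructed known_hosts sample; the key blobs are placeholders, not real keys.
_SALT = b"0123456789abcdefghij"  # 20 bytes, standing in for ssh's random salt
KNOWN_HOSTS = "\n".join([
    "# comment line",
    "",
    "10.0.0.4,vm4 ssh-rsa PLACEHOLDERKEYBLOB vm4 key",
    hashed_host_field("10.0.0.5", _SALT) + " ssh-ed25519 PLACEHOLDERKEYBLOB",
    "[10.0.0.6]:2222 ecdsa-sha2-nistp256 PLACEHOLDERKEYBLOB",
])

def host_field_matches(field, host, port=22):
    """True if the first column of a known_hosts line covers host:port.
    Handles hashed fields, comma-separated lists and [host]:port (non-22 port)."""
    name = host if port == 22 else "[%s]:%d" % (host, port)
    if field.startswith("|1|"):
        _, _, salt_b64, mac_b64 = field.split("|")
        expected = hmac.new(base64.b64decode(salt_b64), name.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(expected, base64.b64decode(mac_b64))
    return name in field.split(",")  # exact names only; wildcard patterns not handled

def find_entries(text, host, port=22):
    """Return [(line_number, key_type)] for every line matching host:port,
    so a stale entry can be located before it is deleted."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        parts = line.split()
        if parts and parts[0].startswith("@"):  # @cert-authority / @revoked marker
            parts = parts[1:]
        if len(parts) < 3 or line.lstrip().startswith("#"):
            continue
        if host_field_matches(parts[0], host, port):
            hits.append((lineno, parts[1]))
    return hits

if __name__ == "__main__":
    print(find_entries(KNOWN_HOSTS, "10.0.0.5"))  # [(4, 'ssh-ed25519')]
```

OpenSSH's own equivalents are `ssh-keygen -F host` to find an entry and `ssh-keygen -R host` to remove it; both understand hashed lines.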

Is there a way for one SSH config file to include another one?

In case it matters:

  • OS: Ubuntu 10.04
  • SSH: OpenSSH_5.3p1 Debian-3ubuntu5

I'd like one SSH config file to include another one. The use case would be to define whatever I want in my default .ssh/config file and then prepend a couple of extra things in a separate file (e.g. ~/.ssh/foo.config). I want the second file to incorporate the first one, though, so I don't have to duplicate everything in the first one. Is that doable? Thanks!


Source: (StackOverflow)

Does the right half of the rsa public key matter?

In a public key file "id_rsa.pub" generated by ssh-keygen, does the part after the == matter?

I ask because when I changed "root@somedomain.com" to "root", it seems to still work.

More generally, I am curious about what the purpose of that half is.


Source: (StackOverflow)
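An id_rsa.pub line has three whitespace-separated fields: key type, base64 key blob, and a free-form comment; the `==` is just base64 padding at the end of the blob, not a separator, and the comment is never part of the key material. The following added example (not from the post) decodes the blob of a constructed toy key (a 184-bit odd number stands in for the modulus; it is not a real RSA modulus) and shows that changing the comment leaves the fingerprint unchanged.

```python
import base64
import hashlib
import struct

def ssh_string(b):
    """Encode bytes as an SSH wire-format string (uint32 length + payload)."""
    return struct.pack(">I", len(b)) + b

def ssh_mpint(n):
    """Encode a non-negative integer as an SSH mpint (leading 0x00 if the top bit is set)."""
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return ssh_string(raw)

def read_string(buf, off):
    """Decode one wire-format string at offset off; return (payload, new_offset)."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n

# Constructed toy key: e = 65537, "modulus" sized so the base64 ends in "==".
TOY_E, TOY_N = 65537, (1 << 183) | 0x1234567
TOY_BLOB = ssh_string(b"ssh-rsa") + ssh_mpint(TOY_E) + ssh_mpint(TOY_N)
PUBKEY_LINE = "ssh-rsa " + base64.b64encode(TOY_BLOB).decode() + " root@somedomain.com"

def fingerprint(blob):
    """SHA256 fingerprint in the form ssh-keygen -l prints (unpadded base64)."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def parse_pubkey_line(line):
    """Split an ssh-rsa public key line into its fields and decode the blob.
    Only the second field is key material; the trailing text is a comment."""
    fields = line.split(None, 2)
    ktype, b64 = fields[0], fields[1]
    comment = fields[2].strip() if len(fields) > 2 else ""
    blob = base64.b64decode(b64)
    name, off = read_string(blob, 0)
    if name != ktype.encode():
        raise ValueError("type field %r does not match blob type %r" % (ktype, name))
    e_bytes, off = read_string(blob, off)
    n_bytes, off = read_string(blob, off)
    return {"type": ktype, "e": int.from_bytes(e_bytes, "big"),
            "n": int.from_bytes(n_bytes, "big"), "comment": comment,
            "fingerprint": fingerprint(blob)}

if __name__ == "__main__":
    for c in ("root@somedomain.com", "root"):
        k = parse_pubkey_line(PUBKEY_LINE.replace("root@somedomain.com", c))
        print(k["comment"], k["fingerprint"])  # same fingerprint both times
```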

How can I find a list of MACs, Ciphers, and KexAlgorithms that my openssh client supports?

Is there a way to make ssh output which MACs, Ciphers, and KexAlgorithms it supports?

I'd like to find out dynamically instead of having to look at the source.


Source: (StackOverflow)

Checking ssh keys have passphrases

I have a bunch of users who have access, with SSH keys, to accounts on other servers. Currently I have a script which collects up the ssh public keys and distributes them to the correct account on the correct servers.

What I want to do is get that script to check that any given user's ssh key has a passphrase before accepting the public key and distributing it.

I've tried a number of things, like using ssh-agent and ssh-add, but then the problem comes when ssh-add asks for the passphrase.

Is there a way to get something like openssl to check for passphrase, fail slightly with a return code of 1 if the key has a passphrase?

Thanks!


Source: (StackOverflow)
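A public key carries no information about whether its private key is passphrase-protected, so any such check has to read the private key file itself. The following added example (not the poster's script) decides that from the file format alone without ever prompting: the OpenSSH-native container records its cipher and KDF in the header, legacy PEM keys carry a `Proc-Type: 4,ENCRYPTED` header, and PKCS#8 uses a distinct `ENCRYPTED PRIVATE KEY` label; the sample keys below are constructed and contain no real key material.

```python
import base64
import struct
import sys

MAGIC = b"openssh-key-v1\x00"

def read_string(buf, off):
    """Read one SSH wire-format string (uint32 length + payload) at offset off."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n

def private_key_is_encrypted(pem_text):
    """True if the private key file is passphrase-protected, False if it is plain."""
    lines = [l.strip() for l in pem_text.strip().splitlines()]
    header = lines[0]
    if header == "-----BEGIN OPENSSH PRIVATE KEY-----":
        blob = base64.b64decode("".join(lines[1:-1]))
        if not blob.startswith(MAGIC):
            raise ValueError("not an openssh-key-v1 blob")
        cipher, off = read_string(blob, len(MAGIC))  # e.g. b"aes256-ctr" or b"none"
        kdf, _ = read_string(blob, off)              # e.g. b"bcrypt" or b"none"
        return cipher != b"none" or kdf != b"none"
    if header == "-----BEGIN ENCRYPTED PRIVATE KEY-----":
        return True  # PKCS#8 encrypted container
    # Legacy PEM (RSA/DSA/EC PRIVATE KEY): encryption is flagged by a header line
    return any(l.startswith("Proc-Type: 4,ENCRYPTED") for l in lines[1:])

def _ssh_string(b):
    return struct.pack(">I", len(b)) + b

def constructed_openssh_key(cipher, kdf):
    """Constructed sample: only the header fields the check reads, no key material."""
    body = MAGIC + _ssh_string(cipher) + _ssh_string(kdf) + _ssh_string(b"") + struct.pack(">I", 1)
    b64 = base64.b64encode(body).decode()
    return "-----BEGIN OPENSSH PRIVATE KEY-----\n" + b64 + "\n-----END OPENSSH PRIVATE KEY-----\n"

ENCRYPTED_SAMPLE = constructed_openssh_key(b"aes256-ctr", b"bcrypt")
PLAIN_SAMPLE = constructed_openssh_key(b"none", b"none")
LEGACY_ENCRYPTED_SAMPLE = ("-----BEGIN RSA PRIVATE KEY-----\n"
                           "Proc-Type: 4,ENCRYPTED\n"
                           "DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n\n"
                           "QUFBQQ==\n-----END RSA PRIVATE KEY-----\n")

if __name__ == "__main__":
    # Gate for a distribution script: exit 0 when the key has a passphrase, 1 otherwise.
    with open(sys.argv[1]) as f:
        sys.exit(0 if private_key_is_encrypted(f.read()) else 1)
```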

OpenSSH ~/.ssh/config host-specific overrides not working

I've tried setting up my ~/.ssh/config file with the help of this guide. However, the host-specific User override has no effect and ssh tries to connect using the global username instead of the host-specific one. My ssh config is set up like this:

$ cat ~/.ssh/config
User my_global_username

Host dev1
    HostName 10.40.10.41
    User my_username_on_dev_machines

I've also tried putting the global user name below a Host * entry to no avail. The OpenSSH version and build I'm running is OpenSSH_6.2p2 Ubuntu-6ubuntu0.1, OpenSSL 1.0.1e 11 Feb 2013.


Source: (StackOverflow)

Is OpenSSH sending an email to no-more-sessions@openssh.com every time I connect?

When I try to connect to my EC2 (Ubuntu 14.04.3) server with ssh -v server, I see this at the end of the log:

debug1: read PEM private key done: type RSA
debug1: Authentication succeeded (publickey).
Authenticated to <domain>.com ([192.168.1.42]:12345).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions@openssh.com  # <!-!-!-!-!-!- What's this?
debug1: Entering interactive session.
debug1: Sending environment.
debug1: Sending env LANG = en_US.UTF-8
debug1: Sending env LC_CTYPE = en_US.UTF-8
Welcome to Ubuntu 14.04.3 LTS (GNU/Linux 3.13.0-55-generic x86_64)

This is my .ssh/config:

Host server
  HostName domain.com
  User myuser
  IdentityFile ~/path/to/EC2Key.pem
  Port <portnumber>

Which seems normal. I can see two possible reasons here:

  1. OpenSSH is trying to make a connection to openssh.com as a user no-more-sessions - but that doesn't make any sense either, why?
  2. OpenSSH is trying to send email to no-more-sessions@openssh.com. This makes even less sense, and both options seem a little creepy.

What's happening here?


Source: (StackOverflow)

Can I change the filename of my ssh public/private key pair?

I created a public/private key pair:

ssh-keygen -t rsa -C "me@example.com"

I gave a different key file name than id_rsa since I wanted to create a new separate key from my normal identity.

I gave this key to my hosting provider so that I can login to my server using public key authentication.

I was able to initially login using the key and everything worked.

ssh -i /path/to/key/file user@server.com

I realized I made a spelling error in the key file name and renamed both the public and private key files. Does this affect anything on the server side if the key file has a different name on my client machine?


Source: (StackOverflow)

change default username when ssh to another pc [duplicate]

When I ssh between different PCs I can omit my username (tom) and just type

ssh pc_name

instead of

ssh tom@pc_name

I like this feature, and have got into the habit of using it.

Unfortunately, on one of my computers I went for the user name tommy. Every time I connect to this computer I forget to write tommy@creative_pc and wonder why my password doesn't work. Is there a way to tell ssh what user name to use when the username is omitted?

Edit: Just found the following question that is similar: How to make ssh log in as the right user? It didn't come up on my initial search.


Source: (StackOverflow)

How to add pointers to filesystems outside the chrooted environment - using chrooted SFTP via OpenSSH

So, I'm pretty sure this is true, but I haven't found a specifically detailed independent reference that directly answers my question. Question being:

How can I add access to a resource that is outside the chroot environment?

I have set up chroot SFTP using OpenSSH's newish ChrootDirectory directive.

Unfortunately, in my environment, I cannot directly restrict chroot to the main directory where certain user resources live. So I created a separate chroot area, and am linking in the required resources.

I tried using symlinks to do this. e.g.

ln -s /path/to/resource /chroot/dir/resource

But that got a "could not canonicalize directory not found" error.

So my solution was to use a bind mount:

mount --bind /path/to/resource /chroot/dir/resource

That worked.

Really, I just wanted general confirmation that symlinks won't work. A link to a good reference describing this would be nice also.


Source: (StackOverflow)

Multiple SSH connections to the same system - is it possible?

I have a Linux computer acting as a server which can accept incoming SSH connections.

Is it possible to reliably connect multiple devices at the same time, such as my phone and laptop, as well as other desktops, to the same server using SSH?

Thanks for the help.


Source: (StackOverflow)

PubkeyAcceptedKeyTypes and ssh-dsa key type

I'm trying to test the order in which keys are tried. One of the system's users is using DSA, so I'm trying to test it as an option. I'm getting a "Bad key types" error.

$ ssh -vv -p 1522 jwalton@192.168.1.11
OpenSSH_7.1p1, OpenSSL 1.0.2d 9 Jul 2015
debug1: Reading configuration data /Users/jwalton/.ssh/config
/Users/jwalton/.ssh/config line 2: Bad key types 'ssh-ed25519,ecdsa-sha2-nistp256,ssh-dsa,ssh-rsa'.

I narrowed it down to ssh-dsa. According to ssh_config(5) (it's actually part of sshd_config(5), but it's listed as a new ssh_config feature in the OpenSSH 7.0 release notes):

 The -Q option of ssh(1) may be used to list supported key types.

However, I can't seem to get it to work:

riemann::~$ ssh -Q 
/usr/local/bin/ssh: option requires an argument -- Q
riemann::~$ ssh -Q dsa
Unsupported query "dsa"
riemann::~$ ssh -Q ssh-dsa
Unsupported query "ssh-dsa"
riemann::~$ ssh -Q ed25529
Unsupported query "ed25529"
riemann::~$ ssh -Q ssh-ed25529
Unsupported query "ssh-ed25529"
riemann::~$ ssh -Q PubkeyAcceptedKeyTypes
Unsupported query "PubkeyAcceptedKeyTypes"

How does one use the ssh -Q option?

What is the key type for ssh-dsa?


Source: (StackOverflow)

git pull does nothing / git push just hangs / debug1: expecting SSH2_MSG_KEX_ECDH_REPLY

I had an issue in Ubuntu 13.10 and 12.10 where attempting to connect to GitHub (git clone / pull / push or anything) would fail with no output.

I checked my /.ssh directory for config and any ssh keys. Had no config file and the ssh key for id_rsa was the same one that was live on my github.com account.

I attempted to ping the GitHub servers and was able to.

I followed the GitHub guide to debug the situation; it suggests:

ssh -T -v git@github.com

The output stops at:

debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY

Does anyone have a solution to allow my git pull / push etc. to work?


Source: (StackOverflow)

How to determine the port allocated on the server for a dynamically bound openssh reverse tunnel?

When creating reverse tunnels on recent versions of OpenSSH a remote port of 0 can be given to bind any available port:

-R [bind_address:]port:host:hostport

...

If the port argument is `0', the listen port will be dynamically allocated on the server and reported to the client at run time.

openssh ssh client manpage

My question is how I can (in an automated way) determine this port allocation on the server. It seems rather unhelpful that it is reported to the host running the ssh client - but not to the target, which will want to make connections to this port to access services on the client.

Two similar options I can think of are either running

# netstat -ntlp

on the server and looking for suspect ports bound on 127.0.0.1 by sshd, or looking at the output of

# lsof -p $PPID | grep TCP | grep LISTEN

But neither of these is pleasant from an automation point of view, and there isn't any way of tying the dynamic ports back to the origin service port if more than one such tunnel is created.

Is there anything I'm missing to effectively get a list of active tunnels (both local and remote port numbers) on the sshd server side, like an equivalent to the SSH_CONNECTION environment variable, but for active tunnels?

For some context, I'm trying to create potentially very many simultaneous reverse tunnels to a host, tunnelling back to the same port number on many different hosts. Having the TCP stack automatically manage the port pool seems like the most effective way of doing this.


Source: (StackOverflow)

How to uninstall/reinstall cygwin to use the sshd?

I installed cygwin/sshd without good results. I removed the c:\cygwin directory to reinstall. I removed the sshd Administrator user by hand.

I reinstalled cygwin again, then ran 'ssh-host-config -y'. Strangely, it doesn't ask anything about making a new user. And the procedure is really short.

$ ssh-host-config -y
* Query: Overwrite existing /etc/ssh_config file? (yes/no) yes
 Info: Creating default /etc/ssh_config file
 Query: Overwrite existing /etc/sshd_config file? (yes/no) yes
 Info: Creating default /etc/sshd_config file
 Info: Privilege separation is set to yes by default since OpenSSH 3.3.
 Info: However, this requires a non-privileged account called 'sshd'.
 Info: For more info on privilege separation read /usr/share/doc/openssh
ME.privsep.
* Query: Should privilege separation be used? (yes/no) yes
*** Info: Updating /etc/sshd_config file

*** Info: Host configuration finished. Have fun!

When I ran 'cygrunsrv -S sshd', I got an error: "Win 32 error 1069: The service did not start due to logon failure". It's a reasonable message, as I deleted the sshd user, and the reinstall procedure did nothing to create it again.

I see I got something wrong with the uninstallation.

Q: How can I uninstall the sshd related thing perfectly so that I can reinstall it again?


Source: (StackOverflow)