I was going to add an ssh key for the machine I ssh to, so I do not have to enter a password every time, but when I ran ssh-keygen I got this prompt:
Enter file in which to save the key (/Users/sanjeevkumar/.ssh/id_rsa):
I decided to accept; I thought it would create the new file mentioned in parentheses, but I got a message saying
/Users/sanjeevkumar/.ssh/id_rsa already exists.
Overwrite (y/n)?
Now I am a little cautious: where did the existing file come from, and what is the existing file storing the key for?
If I choose to overwrite, I don't want to be in a situation where tools stop working!
If you're not sure whether you're already using that SSH key for anything, you should make a backup copy and then overwrite the key in order to check if anything is broken. (And if it is, just restore this backup.)
The other thing you could do is use your current key as your main one for this other machine.
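The backup-then-overwrite advice above, as an added example that is not part of the original answer. It assumes the key lives at $HOME/.ssh/id_rsa unless a path is passed in, and that ssh-keygen is installed for the fingerprint step. Besides the backup it shows two checks a practitioner wants before overwriting: reading the key's comment and fingerprint (so you can grep for it in authorized_keys files on the servers you use), and the alternative of not overwriting at all by creating the new key under its own name and binding it to the host in ~/.ssh/config.

```shell
#!/bin/sh
# Added example; paths and host alias are assumptions, not from the original post.
set -eu

# Copy the private key and its .pub into a timestamped, mode-700 backup
# directory next to it and print that directory. Nothing is overwritten.
backup_ssh_key() {  # $1 = private key path (default ~/.ssh/id_rsa), $2 = parent dir for backups
  key="${1:-$HOME/.ssh/id_rsa}"
  dir="${2:-$(dirname "$key")}/backup-$(date +%Y%m%d-%H%M%S)"
  mkdir -p "$dir"
  chmod 700 "$dir"
  cp -p "$key" "$dir/"                 # -p keeps the 0600 mode on the private key
  if [ -f "$key.pub" ]; then cp -p "$key.pub" "$dir/"; fi
  printf '%s\n' "$dir"
}

# Find out what the existing key is: its comment (usually user@host of the
# machine it was generated on) and its fingerprint. Grep for the fingerprint
# with 'ssh-keygen -lf authorized_keys' on the servers you log in to.
describe_ssh_key() {  # $1 = private key path (default ~/.ssh/id_rsa)
  pub="${1:-$HOME/.ssh/id_rsa}.pub"
  printf 'comment:     %s\n' "$(cut -d' ' -f3- "$pub")"
  printf 'fingerprint: %s\n' "$(ssh-keygen -lf "$pub")"
}

# Safer than overwriting: give the new key its own file name and tell ssh to
# use it for this host only. id_rsa and everything relying on it stay intact.
add_host_key() {  # $1 = host alias, $2 = new key path, $3 = ssh config path (default ~/.ssh/config)
  host=$1; key=$2; cfg="${3:-$HOME/.ssh/config}"
  if [ "${SSH_NEW_KEY_PASSPHRASE+set}" = set ]; then
    ssh-keygen -q -t ed25519 -f "$key" -C "$host" -N "$SSH_NEW_KEY_PASSPHRASE"
  else
    ssh-keygen -q -t ed25519 -f "$key" -C "$host"   # interactive passphrase prompt
  fi
  printf 'Host %s\n    IdentityFile %s\n    IdentitiesOnly yes\n' "$host" "$key" >> "$cfg"
  chmod 600 "$cfg"
}

# Usage (uncomment to run):
# backup_ssh_key; describe_ssh_key
# add_host_key myserver "$HOME/.ssh/id_ed25519_myserver"
```

IdentitiesOnly stops ssh from offering every key in the agent to that host, so the server sees only the key you bound to it; that also keeps you under sshd's MaxAuthTries limit when you accumulate several keys.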
I haven't logged on to my EC2 instance in a few months. Last time I did, it seems like the RDP file that I downloaded had the password in it. That laptop died.
Today, it seems like AWS/EC2 has changed how things work. I'm able to download the RDP file, but it is prompting for a password. When I try to decrypt the password, it wants me to paste or browse to a file on my disk, which I don't have.
Is there a way to re-download my key info? Under Security, then "Key Pairs", I see the key for this server. Can I download that to my disk, or open it somehow?
I see these steps, but they look overwhelming, i.e. I don't have time for that now; I have real work to do:
https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/ResettingAdminPassword_EC2Config.html
I was able to create a new key pair, but not sure if I can associate it with the instance.
When I click "Get Password" this screen appears:
UPDATE 1: I did find my .pem file, so I was able to use that to logon.
Had I not found it, what would I do?
Not much, really! This is by design. AWS doesn't store your encryption key, and this prevents AWS personnel from accessing your instance. That's why you get such an ominous warning when the pem file is generated: this is your one and only opportunity to see it; don't lose it.
That said, there are several "howevers".
If you changed your Windows password in Windows, or created a new AMI and launched a new instance from it, the pem file won't really help. You can probably create 2 administrator accounts, so if one forgets their password, you can reset it with the other one.
Second, if your EBS volume is not encrypted, you can detach it, launch another instance, and attach the EBS volume to the new instance. You won't get your instance back, but you will get the data from that drive.
Finally, the "overwhelming" steps from the link that you posted. Follow good security posture, and you won't need them. But if you get sloppy, it may become your real work... better than polishing a resume...
I'm writing a script that will scp some files, without requiring a password, from my local database to a remote database. Currently, I've set up ssh (following these directions: http://www.linuxproblem.org/art_9.html) and I'm able to use
scp /home/oracle/sendfiles/* myUsername@remoteServer:/home/oracle/receivefiles/
To send files over. However, this requires my script to have myUsername hard-coded for it to work. I'd like to be able to run
scp /home/oracle/sendfiles/* remoteServer:/home/oracle/receivefiles/
so that other users can use my script without having to specify their username. Is there a different way to set up ssh so I don't need to specify a username? Right now, when I run my script without specifying my username, it prompts me for oracle@remoteServer's password.
At the moment you seem to have run ssh-keygen as oracle on your local server, but added the contents of the locally-generated /home/oracle/.ssh/id_rsa.pub file to your own authorized_keys file - i.e. /home/myUsername/.ssh/authorized_keys - on the remote server.
From context I suspect you, and other users, log in to your local and remote boxes under your own accounts and then su to the oracle account. With the way you've set up the keys, any local user who can get to the oracle account on the local server now has access to your personal account on the remote server - which is not what you intended.
And although your first command specifying the remote user name works, the files on the remote end will be owned by you rather than oracle; which means the target directory /home/oracle/receivefiles/ must be at least group- and possibly world-writable. That may not be necessary, and generally isn't a good idea - opinions vary but home directories tend to be locked down as tightly as possible, particularly for sensitive accounts like that one. (You don't want someone who gains access to the server with low privs to be able to do something nasty by, say, editing Oracle's .profile or creating some new dot file which, for instance, deletes all the DB data files next time someone logs into that account...)
The contents of id_rsa.pub need to be added to /home/oracle/.ssh/authorized_keys on the remote server (and should be removed from /home/myUsername/.ssh/authorized_keys!). Once you've done that, you and anyone else that has su'd to oracle on the local server will be able to do:
scp -p /home/oracle/sendfiles/* remoteServer:/home/oracle/receivefiles/
without being prompted for a password, and the files at the remote end will be owned by oracle instead of you. (The -p flag means permissions and timestamps will be preserved too.)
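The key move the answer describes (take the oracle key out of myUsername's authorized_keys and put it into oracle's), as an added example that is not part of the original answer. It is plain POSIX sh with no ssh dependency, so it can be run on the remote server as-is; file paths are passed in, and the optional restriction prefix (for example from="10.0.0.5") is an assumption for illustration. The helpers match on the key blob rather than the comment, because the comment is free text and an authorized_keys line may carry an options prefix before the key type.

```shell
#!/bin/sh
# Added example; file paths and the from= pattern are assumptions.
set -eu

# The base64 blob (second field of a .pub file) is what identifies a key.
key_blob() {  # $1 = public key file
  awk '{ print $2 }' "$1"
}

# Exit 0 if the key's blob appears in any field of any authorized_keys line
# (the blob is field 3 when the line carries options such as restrict,from=...).
ak_has() {  # $1 = public key file, $2 = authorized_keys
  blob=$(key_blob "$1")
  [ -f "$2" ] && awk -v b="$blob" '
    { for (i = 1; i <= NF; i++) if ($i == b) found = 1 }
    END { exit !found }' "$2"
}

# Drop every line that carries this key, whatever its comment or options.
ak_remove() {  # $1 = public key file, $2 = authorized_keys
  blob=$(key_blob "$1")
  tmp="$2.tmp.$$"
  awk -v b="$blob" '
    { keep = 1; for (i = 1; i <= NF; i++) if ($i == b) keep = 0; if (keep) print }' "$2" > "$tmp"
  mv "$tmp" "$2"
  chmod 600 "$2"
}

# Append the key once (idempotent), optionally prefixed with authorized_keys
# options, and keep the file and directory modes sshd insists on.
ak_add() {  # $1 = public key file, $2 = authorized_keys, $3 = options prefix (optional)
  mkdir -p "$(dirname "$2")"
  chmod 700 "$(dirname "$2")"
  touch "$2"
  chmod 600 "$2"
  if ak_has "$1" "$2"; then return 0; fi
  prefix=""
  if [ -n "${3:-}" ]; then prefix="$3 "; fi
  printf '%s%s\n' "$prefix" "$(cat "$1")" >> "$2"   # $(cat) strips a missing/extra newline
}

# The fix from the answer: the locally generated oracle key belongs in oracle's
# file on the remote server, not in your personal one.
move_key() {  # $1 = id_rsa.pub, $2 = wrong authorized_keys, $3 = right authorized_keys, $4 = options (optional)
  ak_remove "$1" "$2"
  ak_add "$1" "$3" "${4:-}"
}

# Usage on the remote server (uncomment to run):
# move_key /tmp/id_rsa.pub /home/myUsername/.ssh/authorized_keys /home/oracle/.ssh/authorized_keys 'restrict,from="10.0.0.5"'
```

Adding restrict (OpenSSH 7.2 and later) to the oracle line turns off port, agent and X11 forwarding and pty allocation for that key, which is all scp needs; from= limits the key to the sending host, so a copy of the local oracle private key is useless from anywhere else.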
I'm working on a tool that generates .rdp files and then invokes them using Microsoft RDP Client. This tool is running on Mac OS.
Everything works well, the only problem is that I can't figure out of how I can generate 'password 51:b' field properly. On Windows this can be done easily by using CryptProtectData method from Crypt32.dll library. How can I do the same on Mac.
Another option could be to use "rdp://" URL scheme, but it doesn't seem allow to pass password this way.
So the question is how can I implement auto-login on Mac if I use third-party RDP client.
As far as I know you can't. You can however create a "User Account" and a Server configuration and add both to the client. The connection will then be visible on the main window and you just need to double-click it.
To do so, you need to add the password to the Keychain; use /usr/bin/security to do so from a script. It needs to be a generic-password and saved in com.microsoft.rdc.macos. Also be sure to generate an ID according to the RDP client's scheme, like BFF77777-7777-7777-7777-777777777777.
You may also set the permissions to read that key using /usr/bin/security and set-generic-password-partition-list, specifying the right teamid (UBF8T346G9) and again com.microsoft.rdc.macos. You need the admin password to do this step.
Then you can alter the RDP client's config file, which is a .sqlite file located at /Users/$(whoami)/Library/Containers/com.microsoft.rdc.macos/Data/Library/Application Support/com.microsoft.rdc.macos/com.microsoft.rdc.application-data.sqlite. Add the user configuration in the ZCREDENTIALENTITY table and make sure the ZID matches the one added to the keychain.
To add a server configuration you need to alter the ZBOOKMARKENTITY table. Just add a configuration by hand using the UI and look at the table to get a feeling of how it needs to be set up. Basically you link your user configuration with the server configuration by making sure that ZCREDENTIAL in ZBOOKMARKENTITY matches Z_PK in ZCREDENTIALENTITY of your user configuration.
I know the answer is a bit late, but it may give you a starting point. This will however not fully automate the process, you will still need to go to the UI and double click the connection you want to use.
I'm working on a shell script where it zips up a file, then uploads it to a server I have.
So far I have it so it asks for the server password and then keeps that variable. After it does that, the script zips up a folder with a bunch of files in it. Then it does the "scp" command to send it to my server.
Now, this is where I need help... I want it to fill in the password that was provided earlier in the script when it asks for the server password. I'm sure you're asking "why don't you just put in the password when the "scp" command asks for it?" The reason being is that the file I have is going to be large, and I don't want to sit around and watch it zip up. So that's why I provide the password early on.
Here are the steps:
1) user provides server password which is saved as the variable "password"
2) the script zips up the file
3) the script sends the file to the server (when I run this part in the script it asks for the password. I have to put in the password variable here.)
Any ideas on how to do this? Thanks so much, Will
Step 1 is flawed, for several reasons, both security-related and technical.
What you should do is to create a "null" SSH session in the background that generates a master connection (see the ControlPath and ControlMaster options in the ssh_config(5) man page). Using the same control settings for the subsequent SCP operation will use this connection without having to ask for the password. Don't forget to kill the null session once the script is done.
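The master-connection approach from the answer, as an added example that is not the original answer's code. It assumes the remote is reachable as oracle@remoteServer and that the directory to send is passed in as an argument; the socket path and archive name are assumptions. The password prompt happens once, in start_master, before the slow archiving; the later scp reuses the already-authenticated master through ControlPath, so the password never sits in a shell variable, and the null session is torn down even if the archive or transfer fails.

```shell
#!/bin/sh
# Added example; host, socket path and archive location are assumptions.
set -eu

# One socket per (user, host, port) so unrelated sessions never share a master.
SSH_SOCK="${SSH_SOCK:-$HOME/.ssh/ctl-%r@%h:%p}"

start_master() {  # $1 = [user@]host
  # -f: go to background, -N: run no remote command, -M: act as control master.
  # This is the only place a password prompt appears.
  ssh -f -N -M -o ControlPath="$SSH_SOCK" "$1"
}

stop_master() {  # $1 = [user@]host
  ssh -O exit -o ControlPath="$SSH_SOCK" "$1"
}

upload_dir() {  # $1 = [user@]host, $2 = local directory, $3 = remote directory
  target=$1; srcdir=$2; dest=$3
  archive="${TMPDIR:-/tmp}/upload.$$.tgz"
  start_master "$target"            # authenticate now, before the slow part
  rc=0
  if tar czf "$archive" -C "$(dirname "$srcdir")" "$(basename "$srcdir")"; then
    # With ControlMaster left at its default (no), ssh/scp silently use the
    # existing socket at ControlPath, so no second prompt is needed.
    scp -o ControlPath="$SSH_SOCK" "$archive" "$target:$dest" || rc=$?
  else
    rc=$?
  fi
  stop_master "$target"             # always close the null session, even on failure
  rm -f "$archive"
  return $rc
}

# Usage (uncomment to run):
# upload_dir oracle@remoteServer /home/oracle/sendfiles /home/oracle/receivefiles/
```

If the script is run from several places, keep the socket directory at mode 700: anyone who can reach the socket can open sessions as you on that host without authenticating.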
I'd like to write a shell script that does something like the following
while read line; do
echo $line
done<input.txt | ssh > output.txt
This is a bit pseudo-codey at the moment (the original is at work), but you should be able to tell what it's doing. For simple applications this works a treat, but ssh checks the input to see whether its stdin is a terminal.
Is there a way to fool ssh into thinking that the contents of my piped loop are a terminal rather than a pipe?
EDIT : Sorry for not adding this originally, this is intended to allow ssh to log in via the shell script (answering the password prompt)
ssh -t -t will do what you want - this tells ssh to allocate a pseudo terminal no matter whether it is actually running in one.
Update
This problem (after updating your question and various comments, it became clear you are looking for a way to conveniently get public key encryption into place) could perhaps be solved by 'thinking upside down'.
Instead of trying very hard to get your clients public key onto a server that doesn't yet authenticate the client, you can try to receive an authenticated identity (private key) from that server.
Simple terms: generate a keypair on the server instead of the client, and then find a way to get the keypair to the client. The server can put the public key in its authorized_keys in advance, so the client can connect right away.
Chances are that
the problem of getting the key across is more easily solved (you could even use a 'group' key for access from various clients)
if a less-secure mechanism is chosen (convenience over security) at least only the security of the client is reduced, not as-much that of the server (directly).
Original answer:
Short answer: Nope. (it would be a security hole for ssh, because ssh 'trusts' the tty for password entry, and the tty only)
Long answer, you could try to subvert/creatively use a terminal emulator (look at script/scriptreplay for inspiration).
Why would you want to do it?
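The "upside down" approach from the updated answer (server generates the keypair and pre-installs the public half), as an added example that is not part of the original answer. It runs on the server and assumes ssh-keygen is installed; the authorized_keys path, outbox directory, client name and from= pattern are assumptions passed in as arguments. Since the private key will travel to the client over some less-secure channel, the example at least limits what that key can do: restrict (OpenSSH 7.2 and later) disables forwarding and pty allocation, and from= pins it to the expected client addresses, so the server's exposure stays small as the answer intends.

```shell
#!/bin/sh
# Added example; all paths and the from= pattern are assumptions.
set -eu

# Create a keypair for a named client (or a group of clients), append the
# public half to this server's authorized_keys with restrictions, and leave
# the private half in a mode-700 outbox for out-of-band delivery.
# Prints the private key path.
provision_client_key() {  # $1 = client name, $2 = authorized_keys, $3 = outbox dir, $4 = from= pattern, $5 = passphrase (optional)
  name=$1; ak=$2; outbox=$3; from=$4
  mkdir -p "$outbox"
  chmod 700 "$outbox"
  # An empty passphrase makes this a bare "group key", which is the
  # convenience-over-security trade the answer describes; pass $5 to avoid it.
  ssh-keygen -q -t ed25519 -N "${5:-}" -C "server-issued:$name" -f "$outbox/$name"
  mkdir -p "$(dirname "$ak")"
  chmod 700 "$(dirname "$ak")"
  touch "$ak"
  chmod 600 "$ak"
  # restrict: no port/agent/X11 forwarding, no pty (add ",pty" for interactive logins).
  # from=: only these client addresses may authenticate with the key.
  printf 'restrict,from="%s" %s\n' "$from" "$(cat "$outbox/$name.pub")" >> "$ak"
  printf '%s\n' "$outbox/$name"
}

# Usage on the server (uncomment to run), then hand $outbox/dbclients to the client
# and have it connect with: ssh -i dbclients -o IdentitiesOnly=yes user@server
# provision_client_key dbclients "$HOME/.ssh/authorized_keys" /root/key-outbox "10.0.0.*"
```

Delete the private key from the outbox once the client has it, and rotate the line in authorized_keys (remove it by fingerprint with ssh-keygen -lf) the moment the client side is believed compromised; because the server never trusts anything but this one line, revocation is a one-line edit.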