Is the authorized_key module of ansible, can be used to copy the ssh keys of host to a new remote user?
Ansible is completely over SSH. So you have to use ssh to setup ssh too. At minimum, you need a ssh daemon running and a user that can access the host with a password.
You can then access the host using -k (or --ask-pass, ask for SSH password), -K (or --ask-sudo-pass, ask for sudo password) and -u (or --user, connect as this user).
Let's say you have a foo user that can ssh and sudo on the remote machine, and you want to install some ssh public key to login as root, you can do this :
ansible yourhost -kKu foo -m authorized_key -a "ssh-dss AAAAB...zzz foo#foo.org"
You'l be requested to type :
foo's password on remote host
password when foo is sudoing to root
See http://docs.ansible.com/authorized_key_module.html for alternate ways to read the local ssh key (lookup).
Related
I am writing a shell scripts that requires to run commands on multiple remote host based on condition it satisfies. how can i run the commands on the remote host using its key pair and assign the output of those commands to a variable on the primary host.
I tried using
sshpass -f keypair hostname 'command' | 'commands'
but this command executed on the host itself.
Use command substitution to assign the output of a command to a variable. You also need to run the ssh command and specify the remote username.
variable=$(sshpass -f keypair ssh username#hostname 'command')
1) Add host public keys (~/.ssh/id_rsa.pub)to remote user authenticated keys (~/.ssh/authorized_keys)
You will append the content of the public key to the authorized_keys
2) If you don't have this key you may generate it
ssh-keygen -t rsa
3) after that you can
ssh <REMOTE USER NAME>#RemoteHOST <command>
As example
ssh mebada#123.44.2.12 ls
4) If you have list of commands you may scp shell file and execute it from there ( without password too ) and it will override the remote
scp /path/to/shell.file user#host:/path/to/remote
ssh user#host chmod u+x /path/to/remote/shell.file
ssh user#host /path/to/remote/shell.file
I generated an rsa_id ssh key, and used ssh-copy-id on my own account on localhost, just to test running Ansible against localhost with ssh.
I did not use a passphrase. However, when running ansible against localhost, I'm prompted with:
Enter passphrase for key '/home/username/.ssh/id_rsa.pub':
Instead of ssh "~/.ssh/somekey.pem" ubuntu#somehost, is there a way to make ssh auto check the ~/.ssh directory for keys so that I can simply do ssh "somekey.pem" ubuntu#somehost (i.e. omitting ~/.ssh)?
If you're using the same host then try updating your ~/.ssh/config file with the host info
Host dev
IdentityFile ~/.ssh/github.key
HostName dev.example.com
Port 22000
User fooey
then just type ssh dev to ssh in!
I'm performing:
# copy public key to other hosts
for host in ec2-master.eu-west-1.compute.amazonaws.com \
ec2xxx.compute.amazonaws.com \
ec2xxx.compute.amazonaws.com; \
do ssh-copy-id -i ~/.ssh/id_rsa.pub $host; \
done
So I try to copy the key I've generated on ec2-master.eu-west-1.compute.amazonaws.com to the other servers.
But I still get
/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
The authenticity of host 'ec2xxx.eu-west-1.compute.amazonaws.com (10.0.xx.xx)' can't be established.
ECDSA key fingerprint is 3a:63xx:a6:19:xx:23:d1:xx:06:22:xx:a0:b9:8c:xx:cf.
Are you sure you want to continue connecting (yes/no)?
So I got a permission denied. But I don't know why. What am I doing wrong?
Try changing the ssh-copy-id command to:
ssh-copy-id -i ~/.ssh/id_rsa.pub ec2-user#$host
(assuming you're using Amazon Linux -- use ubuntu as the user if you are using Ubuntu)
Update:
I think the problem may be because you are trying to copy a new key over to a host that only accepts logins using an existing key (no passwords allowed).
I couldn't get this to work with ssh-copy-id, but you can do it with a standard ssh command:
cat ~/.ssh/id_rsa.pub | ssh -i AWS_key.pem centos#$host "cat - >> ~/.ssh/authorized_keys"
Where AWS_key.pem is the private part of the key pair that AWS attached to your instance when you launched it.
SSH is trying to tell you that authentication into your hosts has failed and what authentication methods were tried.
Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
This is what the (publickey,gssapi-keyex,gssapi-with-mic) portion of the log output is telling you.
It is telling you it attempted to authenticate against publickey, gssapi-keyex, and gssapi-with-mic authentication methods.
Typically you or AWS provide an ssh keypair to be used prelaunch setup.
The sshd config is also set to authenticate using the keypairs (public + private key = Public Key Encryption hence publickey mentioned in the ssh log).
Therefore, your command
ssh-copy-id -i ~/.ssh/id_rsa.pub $host;
is wrong for a few reasons.
You don't specify a specific user to login against unless the username of your local host matches your remote machine (for AWS the user could be ec2-user, centos, ubuntu, etc
Even if the usernames were to match correctly, since AWS effectively (I am not familiar with GSSAPI) only enables ssh keypair authentication, you would only be able to login with the private key chosen or generated at EC2 instance creation.
If there were some alternative authentication mechanism configured on the host i.e. user:password then you would be able to run a modified version of the command.
REMOTE_USER=ec2-user
...
do ssh-copy-id -i ~/.ssh/id_rsa.pub $REMOTE_USER#$host
However, you would be prompted for a user/password each time.
Note The above command assumes you have enabled a user/pass authentication mechanism (Could be temporarily). However, for just 3 hosts I might just manually install the keypair at this point.
The language from the "Copy the key to a server" from sshd.com seems to imply that password-based authentication is enabled initially on the hosts.
"Once an SSH key has been created, the ssh-copy-id command can be used to install it as an authorized key on the server. Once the key has been authorized for SSH, it grants access to the server without a password."
I use this script and it works for me:
Сan you try this
for host in ${hosts[*]}
do
echo $host
ssh-keyscan $host | tee -a ~/.ssh/known_hosts
sshpass -p 'mypass' ssh-copy-id myuser#$host
done
I have an sftp connection to a server in Unix.
Without password, I use the syntax to connect and execute command
sftp -b $user#$server_name
Can anyone suggest me how can I write a shell script to connect a remote server non interactively using a password
Try with this below option,
lftp -u $user,$pass sftp://$host << --EOF--
cd $directory
put $srcfile
quit
--EOF--
You could use ~/.ssh/config file.
#
# ~/.ssh/config
#
Host servername
Hostname 127.127.127.127
Port 22
User root
#EOF: config
Then simply connect with "ssh servername" and if you don't want to use password you can use SSH key. Here is good tutorial on how to do that > http://www.cyberciti.biz/tips/linux-multiple-ssh-key-based-authentication.html
If you just want to pass user/server from terminal, you can do this.
#!/bin/bash
sftp -b "$1"#"$2"
then use it like this './sftp.sh user server'
use SCP like this;
scp -P 22 user#server:/dir/file.tgz ~/Desktop/
use SFTP like this;
sftp user#server:/dir/file.tgz ~/Desktop/file.tgz
You can also try this;
sftp user#host <<EOF
get /dir/file.tgz
rm /dir/file.tgz
EOF
The best way to do this would be to create a key pair on the client, and add the key to the target user's ~/.ssh/authorized_keys.
To create a key pair, run ssh-keygen and when it asks for a password, just hit return to indicate "no password". Then either run ssh-copy-id $user#$server_name or manually create a ~/.ssh/authorized_keys on the server and copy the contents of the ~/.ssh/id_rsa.pub from the client into it (ssh-copy-id isn't available on all machines, so on some you'll have to do it manually).
Now you should be able to run ssh or scp without a password, as it should use your key instead. If it doesn't work, make sure that the permissions on your ~/.ssh/ directory and contents are correct on both machines; the directory should be 0700 (drwx------) and the files should be 600 (-rw-------). Also check that key authentication is enabled on both the client and the server.