I want to use GitHub with two different SSH keys to access two different accounts. This is no problem and I can set it up easily by aliasing the hostname in my configuration. The problem comes when this configuration is combined with my SSH multiplexing configuration. I cannot seem to override my default ControlPath with a host-specific declaration.
Maybe this is just the way it works? Maybe it is a bug? Am I doing something wrong?
I'm on Mac 10.7 by the way.
Here is my config:
Host *
ControlMaster auto
ControlPath ~/.ssh/connections/ssh-%r#%h:%p
Host github.com-X
TCPKeepAlive yes
ServerAliveInterval 60
ControlPersist 1h
Hostname github.com
User git
IdentityFile ~/.ssh/id_rsa_X
IdentitiesOnly yes
ControlPath ~/.ssh/connections/ssh-%r#%h-X:%p
Host github.com
TCPKeepAlive yes
ServerAliveInterval 60
ControlPersist 1h
I have tinkered around a little bit, but it seems that I always get the ControlPath as specified in the Host * declaration.
ssh -T git#github.com-X
Logs me in as the correct user using id_rsa_X, but it creates the domain socket here:
~/.ssh/connections/ssh-git#github.com:22
Rather than:
~/.ssh/connections/ssh-git#github.com-X:22
So later when I try to issue an SSH command using id_rsa, I get the id_rsa_X user because of connection multiplexing. In other words:
ssh -T git#github.com
Gives me a hello message for the user whose key is id_rsa_X.
You can see that it reads all the settings and then tries to use the wrong ControlPath.
$ ssh -vT git#github.com-X
OpenSSH_5.6p1, OpenSSL 0.9.8y 5 Feb 2013
debug1: Reading configuration data /Users/<username>/.ssh/config
debug1: Applying options for *
debug1: Applying options for github.com-X
debug1: Reading configuration data /etc/ssh_config
debug1: Applying options for *
debug1: auto-mux: Trying existing master
debug1: Control socket "/Users/<username>/.ssh/connections/ssh-git#github.com:22" does not exist
<snip>
Any ideas?
I got a great answer to this question on ServerFault from user gipset.
You need to move the less specific options further down in ~/.ssh/config. The Host * options are applied first and they are not overwritten by later, clashing, options, even if they are more specific. New options that were not specified in Host * will however be applied and I think that is what you saw in your log.
Source: http://linux.die.net/man/5/ssh_config
ssh(1) obtains configuration data from the following sources in the following order:
command-line options
user's configuration file (~/.ssh/config)
system-wide configuration file (/etc/ssh/ssh_config)
For each parameter, the first obtained value will be used. The configuration files contain sections separated by ''Host'' specifications, and that section is only applied for hosts that match one of the patterns given in the specification. The matched host name is the one given on the command line.
Since the first obtained value for each parameter is used, more host-specific declarations should be given near the beginning of the file, and general defaults at the end.
Related
Since I reinstalled my ArchLinux distro I get an error when I want to use OpenVPN. Here is the full output:
quentin#QuentinDesktop ~/Documents> openvpn --config ulille-vpn.ovpn
2022-01-04 21:52:15 WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set.
2022-01-04 21:52:15 WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set.
Options error: --up script fails with '/etc/openvpn/update-systemd-resolved': No such file or directory (errno=2)
Options error: Please correct this error.
Use --help for more information.
Here is the truncated ulille-vpn.ovpn file content (I just truncated the CA certificates):
ignore-unknown-option comp-lzo compress
dev tun
persist-tun
persist-key
cipher AES-256-CBC
tls-client
client
resolv-retry infinite
proto udp
remote vpn-etudiant.univ-lille.fr 443
verify-x509-name "vpn-etudiant.univ-lille.fr" name
auth SHA256
auth-user-pass
comp-lzo
compress lzo
#route-nopull
verb 3
pull-filter ignore "dhcp-option DOMAIN"
dhcp-option DOMAIN univ-lille.fr
dhcp-option DOMAIN univ-lille1.fr
script-security 2
setenv PATH /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
up /etc/openvpn/update-systemd-resolved
up-restart
down /etc/openvpn/update-systemd-resolved
down-pre
Note that I didn't write this one myself, it is given by my university to access its local network.
I already tried to install the openvpn-update-systemd-resolved AUR package and enable it on systemd but it changed nothing.
How can I fix it ?
Okay, after a quick looking at the configuration file (what I did not think before asking this question), I commented the last 4 lines of the chunk I posted, and it works !
I am sorry for asking this question, I though the config file my university distributes was valid but it looks like it is Fedora/Debian specific, which is kind of weird because it works perfectly fine without these four lines.
I hope this short lifespan topic can help someone else in a similar case ! :^)
I had the very same problem and it was also the config file trying to run up /etc/openvpn/update-systemd-resolved. Seems to be a distro problem as I'm also running arch.
In order to check that all the servers across a fleet aren't supporting deprecated algorithms, I'm (programmatically) doing this:
telnet localhost 22
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
SSH-2.0-OpenSSH_8.0p1 Ubuntu-6build1
SSH-2.0-Censor-SSH2
4&m����&F �V��curve25519-sha256,curve25519-sha256#libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1Arsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519lchacha20-poly1305#openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm#openssh.com,aes256-gcm#openssh.comlchacha20-poly1305#openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm#openssh.com,aes256-gcm#openssh.com�umac-64-etm#openssh.com,umac-128-etm#openssh.com,hmac-sha2-256-etm#openssh.com,hmac-sha2-512-etm#openssh.com,hmac-sha1-etm#openssh.com,umac-64#openssh.com,umac-128#openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1�umac-64-etm#openssh.com,umac-128-etm#openssh.com,hmac-sha2-256-etm#openssh.com,hmac-sha2-512-etm#openssh.com,hmac-sha1-etm#openssh.com,umac-64#openssh.com,umac-128#openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1none,zlib#openssh.comnone,zlib#openssh.comSSH-2.0-Censor-SSH2
Connection closed by foreign host.
Which is supposed to be a list of supported algorithms for the various phases of setting up a connection. (kex, host key, etc). Every time I run, I get a different piece of odd data at the start - always a different length.
There's an nmap plugin - ssh2-enum-algos - which returns the data in it's complete form, but I don't want to run nmap; I have a go program which opens the port, and sends the query, but it gets the same as telnet. What am I missing, and how do I fix it?
For comparison, here's the top few lines from the output of nmap script:
$ nmap --script ssh2-enum-algos super
Starting Nmap 7.80 ( https://nmap.org ) at 2019-12-27 22:15 GMT
Nmap scan report for super (192.168.50.1)
Host is up (0.0051s latency).
rDNS record for 192.168.50.1: supermaster
Not shown: 998 closed ports
PORT STATE SERVICE
22/tcp open ssh
| ssh2-enum-algos:
| kex_algorithms: (12)
| curve25519-sha256
| curve25519-sha256#libssh.org
| ecdh-sha2-nistp256
| ecdh-sha2-nistp384
| ecdh-sha2-nistp521
Opening a tcp connection to port 22, (in golang, with net.Dial) then accepting and sending connection strings leaves us able to Read() from the Reader for the connection. Thence the data is in a standard format described by the RFC. From this, I can list the algorithms supported in each phase of an ssh connection. This is very useful for measuring what is being offered, rather than what the appears to be configured (it's easy to configure sshd to use a different config file).
It's a useful thing to be able to do from a security POV.
Tested on every version of ssh I can find from 1.x on a very old solaris or AIX box, to RHEL 8.1.
In some cases you can specify an algorithm to use, and if you specify one that is not supported the server will reply with a list of supported algorithms.
For example, to check for supported key exchange algorithms you can use:
ssh 127.0.0.1 -oKexAlgorithms=diffie-hellman-group1-sha1
diffie-hellman-group1-sha1 is insecure and should be missing from most modern servers. The server will probably respond with something like:
Unable to negotiate with 127.0.0.1 port 22: no matching key exchange method found. Their offer: curve25519-sha256,curve25519-sha256#libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
Exit 255
Typing: "ssh -Q cipher | cipher-auth | mac | kex | key"
will give you a list of the algorithms supported by your client
Typing: "man ssh"
will let you see what options you can specify with the -o argument, including Cipher, MACs, and KexAlgorithms
I am trying to execute following code multiple times from one machine/ip
#!/bin/bash
for i in `seq 1 10`;
do
ssh 11.156.112.111 pwd
done
# I know that the script is useless, it's just for demonstration.
I can't execute the script in more than two terminal at the same time, when I try to run the script in the third terminal, it freezes and I can't login but I can login from another machine/ip.
my configs
# .ssh/config
Host *
ServerAliveInterval 10
ServerAliveCountMax 10
# sshd_config
UsePAM no
MaxSessions 100
MaxStartups 100
Here is the output of verbose mode, it freezes on the last line:
OpenSSH_7.2p2, OpenSSL 1.0.2f 28 Jan 2016
debug1: Reading configuration data /home/neelix/.ssh/config
debug1: /home/neelix/.ssh/config line 1: Applying options for *
debug1: /home/neelix/.ssh/config line 11: Applying options for 11.156.112.111
debug1: Reading configuration data /etc/ssh/ssh_config
debug2: resolving "11.156.112.111" port 22
debug2: ssh_connect_direct: needpriv 0
debug1: Connecting to 11.156.112.111 [11.156.112.111] port 22.
debug1: Connection established.
debug1: identity file /home/neelix/.ssh/id_rsa type 1
debug1: key_load_public: No such file or directory
debug1: identity file /home/neelix/.ssh/id_rsa-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.2
After many support tickets with my hosting provider, I found out that they had IDS(Intrusion Detection System) and it detected me as someone who is doing a brute force attack on port 22 and changing my port fixed the problem.
For future readers the comments above are quite helpful to narrow down the problem, specially answers to this question. I hope it saves someone else a couple of days!
How do I configure rsyslog to write raw IP addresses instead of DNS names in log files for remote hosts?
In Debian, open /etc/defaults/rsyslog and modify:
RSYSLOGD_OPTIONS="-x -Q"
and then:
# service rsyslog restart
See man rsyslogd(8) for other possible options. This doesn't disable DNS names for all remote hosts, only some of them.
I use
fromhost-ip
instead of
hostname or source
fromhost-ip reference the host that send the packet to this rsyslog. It meant that if you have any relay intermediate system, the last one is the IP that you see. If you don't use relay this is a valid solution.
You need to create a new template and apply it on /etc/rsyslog.conf. You should create like these on:
$template myFormat,"%timegenerated% %HOSTNAME% %syslogtag%%msg%\n"
$ActionFileDefaultTemplate myFormat
I have private DNS servers and I want to write them to resolv.conf with resolvconf on Debian on AWS/EC2.
There is a problem in the order of nameserver entries.
In my resolv.conf, EC2's default nameserver is always written at first line like so:
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 172.16.0.23
nameserver 10.0.1.185
nameserver 10.100.0.130
search ap-northeast-1.compute.internal
172.16.0.23 is EC2's default nameserver and others are mine.
How to remove EC2 entry? Or, how to move EC2 entry to third?
Here I have an interface file:
% ls -l /etc/resolvconf/run/interface/
-rw-r--r-- 1 root root 62 Jun 7 23:35 eth0
It seems that the file eth0 is automatically generated by dhcp so can't remove it permanently.
% cat /etc/resolvconf/run/interface/eth0
search ap-northeast-1.compute.internal
nameserver 172.16.0.23
My private DNS entry is here:
% cat /etc/resolvconf/resolv.conf.d/base
nameserver 10.0.1.185
nameserver 10.100.0.130
Please help.
I think I just solved a very similar problem. I was bothered by Amazon EC2's crappy internal DNS servers so I wanted to run a local caching dnsmasq daemon and use that in /etc/resolv.conf. At first I just did echo nameserver 127.0.0.1 > /etc/resolv.conf but then I realized that my change would eventually be overwritten by the DHCP client after a reboot or DHCP lease refresh.
What I've now done instead is to edit /etc/dhcp3/dhclient.conf and uncomment the line prepend domain-name-servers 127.0.0.1;. You should be able to use the prepend directive in a very similar way.
Update: These instructions are based on Ubuntu Linux but I imagine the general concept applies on other systems as well, even other DHCP clients must have similar configuration options.
I'm approaching this problem from the other direction (wanting the internal nameservers), much of what I've learned may be of interest.
There are several options to control name resolution in the VPC management console.
VPC -> DHCP option sets -> Create dhcp option set
You can specify your own name servers there.
http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_DHCP_Options.html
Be sure to attach this dhcp option set to your VPC to get it to take effect.
Alternatively (I found this out by mistake) local dns servers are not set if the following settings are disabled in VPC settings:
DnsHostnames
and
DnsSupport
http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/vpc-dns.html
Settings can also be overridden locally (which you'll notice if you move instances between vpcs). /etc/dhcp/dhclient.conf
The following line might be of interest:
prepend domain-name-servers
Changes, of course, take effect on dhclient start.
How do I assign a static DNS server to a private Amazon EC2 instance running Ubuntu, RHEL, or Amazon Linux?
Short Description
Default behavior for an EC2 instance associated with a virtual private cloud (VPC) is to request a DNS server address at startup using the Dynamic Host Configuration Protocol (DHCP). The VPC responds to DHCP requests with the address of an internal DNS server. The DNS server addresses returned in the DHCP response are written to the local /etc/resolv.conf file and are used for DNS name resolution requests. Any manual modifications to the resolv.conf file are overwritten when the instance is restarted.
Resolution
To configure an EC2 instance running Linux to use static DNS server entries, use a text editor such as vim to edit the file /etc/dhcp/dhclient.conf and add the following line to the end of the file:
supersede domain-name-servers xxx.xxx.xxx.xxx, xxx.xxx.xxx.xxx;
Ubuntu - dhclient.conf - DHCP client configuration file
The supersede statement
supersede [ option declaration ] ;
If for some option the client should always use a locally-configured value or values
rather than whatever is supplied by the server, these values can be defined in the
supersede statement.
The prepend statement
prepend [ option declaration ] ;
If for some set of options the client should use a value you supply, and then use the
values supplied by the server, if any, these values can be defined in the prepend
statement. The prepend statement can only be used for options which allow more than one
value to be given. This restriction is not enforced - if you ignore it, the behaviour
will be unpredictable.
The append statement
append [ option declaration ] ;
If for some set of options the client should first use the values supplied by the server,
if any, and then use values you supply, these values can be defined in the append
statement. The append statement can only be used for options which allow more than one
value to be given. This restriction is not enforced - if you ignore it, the behaviour
will be unpredictable.
In here someone come with solution that basically replaces the file on boot using rc.local
https://forums.aws.amazon.com/thread.jspa?threadID=74497
Edit /etc/sysconfig/network-scripts/ifcfg-eth0 to say PEERDNS=no
Create a file called /etc/resolv.backup with what you want
Add the following 2 lines to /etc/rc.local:
rm -f /etc/resolv.conf cp /etc/resolv.backup /etc/resolv.conf
This is what we are doing for our servers in the environment.
interface "eth0"
{
prepend domain-name-servers 10.x.x.x;
supersede host-name "{Hostname}";
append domain-search "domain";
supersede domain-name "DOMAIN";
}
Hope this helps.
The following worked in a Debian stretch on AWS EC2.
Just create /etc/dhcp/dhclient-enter-hooks.d/nodnsupdate:
#!/bin/sh
make_resolv_conf(){
:
}
Then you can modify /etc/resolv.conf and it will persist your changes across restarts.
Setup in crontab as
#reboot cp -r /home/.../resolv.conf /etc/resolv.conf