Logging into SFTP, require help chmoding pem file - amazon-ec2

I'm very, very new to Amazon EC2, SFTP -- having only used FTP clients until now. I'm trying to log into an Amazon EC2 instance and have everything I needed except a pem file with the key pair, which I have now. However I was told to chmod and reset its permissions to 400 in order to log in correctly. The problem is I have no idea how to go about doing this. There is talk of just entering chmod 400 keyfile.pem through the command line, but is that the Windows command line on my desktop? How can I do this? Any help would be much appreciated...

Either log in using an SSH client (like PuTTY).
Using it, you can execute the command you mention (chmod 400 keyfile.pem) on a command-line.
See also SSH to Amazon EC2 instance using PuTTY in Windows.
Or you can use a GUI SFTP client (like WinSCP) to set the permissions.
See https://winscp.net/eng/docs/ui_properties
Make sure only the R checkbox in Owner row is ticked (that's an equivalent of the 400 permissions in an octal format).
(I'm the author of WinSCP)

Related

GPG Can't connect to S.gpg-agent: Connection Refused

I am attempting to set up gpg preset passphrase caching using the gpg agent so I can automate my file encryption process. In order for the gpg-agent to run and properly cache the passphrase, it seems there needs to be a S.gpg-agent socket located within the ~/.gnupg/ directory that gets generated in the root directory when I set up gpg and gpg-agent.
What I have done (and which seemed to work in the past) is I would start up everything as root and copy over the contents of the /.gnupg directory to my less privileged user and grant permissions to that socket and directory to the user. The commands I ran to start up the gpg-agent daemon and cache passphrase:
gpg-agent --homedir /home/<user>/.gnupg --daemon
/usr/libexec/gpg-preset-passphrase --preset --passphrase <passphrase> <keygrip>
gpg-agent process seems to be running just fine but I get the below error from the second line:
gpg-preset-passphrase: can't connect to `/home/<user>/.gnupg/S.gpg-agent': Connection refused
gpg-preset-passphrase: caching passphrase failed: Input/output error
I have made sure the socket exists in the directory with proper permissions and this process runs as root. It seems that this socket is still inherently tied to root even if I copy and modify permissions. So my questions are
How exactly does this socket get initialized?
Is there a way to do so manually as another user?
To add, the agent process seems to run just fine for both users but where I get a little hazy is how the gpg-preset-passphrase is using the socket and if its that or the agent that is refusing the connection to S.gpg-agent
I also assume that I don't need to explicitly start the agent but figured I would this so that I could set any values such as the homedir if needed.
It turns out the issue was unrelated to the gpg-agent and gpg-preset-passprhase.
Note: This is not a permanent solution but it did allow me to get past the issue I was facing.
After modifying the /etc/selinux/config and disabling SE Linux, I no longer experienced the permissions issue above. SE Linux is a Linux kernel security module developed by Red Hat (I am currently running this on RHEL7). It seems the next step will likely be to make sure these binaries and packages are allowed access from my user using audit2allow. Bit more information on this here: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security-enhanced_linux/sect-security-enhanced_linux-fixing_problems-allowing_access_audit2allow

Uploading to EC2 problems. How do you do FTP?

I have setup a new EC2 instance on AWS and I'm trying to get FTP working to upload my application. I have installed VSFTPD as standard, so I haven't changed anything in the config file (/etc/vsftpd/vsftpd.conf).
I have not set my port 21 in the security group, because I'm doing it through SSH. I log into my EC2 through termal like so
sudo ssh -L 21:localhost:21 -vi my-key-pair ec2-user#ec2-instance
I open up filezilla and log into local host. Everything goes fine until it comes to listing the directory structure. I can log in and right and everything seems fine as you can see below:
Status: Resolving address of localhost
Status: Connecting to [::1]:21...
Status: Connection established, waiting for welcome message...
Response: 220 Welcome to EC2 FTP service.
Command: USER anonymous
Response: 331 Please specify the password.
Command: PASS ******
Response: 230 Login successful.
Command: OPTS UTF8 ON
Response: 200 Always in UTF8 mode.
Status: Connected
Status: Retrieving directory listing...
Command: PWD
Response: 257 "/"
Command: TYPE I
Response: 200 Switching to Binary mode.
Command: EPSV
Response: 229 Entering Extended Passive Mode (|||37302|).
Command: LIST
Error: Connection timed out
Error: Failed to retrieve directory listing
Is there something which I'm missing in my config file. A setting which needs to be set or turned off. I thought it was great that it connected but when it timed out you could picture my face. It meant time to start trawling the net try and find the answer! Now with no luck.
I'm using the standard Amazon AMI 64 bit. I have a traditional lamp setup.
Can anyone steer me in the right direction? I have read a lot about getting this working but they are all incomplete, as if they got bored half way through typing up how to do it.
I would love to hear how you guys do it as well. If it makes life easier. How do you upload your apps to a EC2 instance? (Steps please - it saves a lot of time plus it is a great resource for others.)
I figured it out, after the direction help by Antti Haapala.
You don't even need VSFTP setup on the instance created. All you have to do is make sure the settings are right in FileZilla.
This is what I did (I'm on a mac so it should be similar on windows):
Open up file zilla and go to preferences.
Under preferences click sftp and add a new key. This is your key pair for your ec2 instance. You will have to convert it to the format FileZilla uses. It will give you a prompt for the conversion
Click okay and go back to site manager
In site manager enter in your EC2 public address, this can also be your elastic IP
Make sure the protocol is set to SFTP
Put in the user name of ec2-user
Remove everything from the password field - make it blank
All done! Now connect.
That's it you can now traverse your EC2 system. There is a catch. Because you are logged in as ec2-user and not root you will not be able to modify anything. To get around this, change the group ownership of the directory where your application will lie (/var/www/html) or what ever. I would change it so it is on a EBS volume. ;) Also make sure this group has read write and execute permissions. The group for the ec2-user is ec2-user. Leave everyone else as nothing. So the command you use while logged in via ssh
sudo chgrp ec2-user file/folder
sudo chmod 770 file/folder
Hope this helps someone.
FTP is a very troublesome protocol because it requires a secondary pipe for the actual data transfer and does not definitely work well when piped. With ssh you should use SFTP which has nothing to do with FTP but is a completely different protocol.
Read also on Wikipedia
Adding the key to www is a recipe for disaster! Any minor issue with your app will become a security nightmare.
As an alternative to ftp, consider using rsync or a more "mature" deploy strategy based on capistrano for instance. There are plenty of tools for that around.
Antti Haapala's tips are the only way to work around with EC2 SFTP. It works just fine! Just note that you need to create the /var/www/.ssh/ folder and copy the authorized_keys file there.
After that you'll need to change authorized_keys ownership to www-data so ssh connection can recognize it. Amazon should let people know that. I looked for this in there forums, FAQ, etc. No clue at all... Cheers once more to stackoverflow, the way to go haha!

Using WinSCP to access a remote SFTP server

I am using SFTP client(WinSCP) to get into a remote server and retrieve some files. I could not get to the SFTP server when I use WinSCP in a Windows-7 machine; but it works good when I try it from an XP machine. Can anyone think of what might be wrong. Any help appreciated!
I am also including the error screenshot, if that helps
Can anyone please help!
This could be some problem with your firewall. Check it if you are blocking WinSCP.
Quoting WinSCP documentation on the error message Server unexpectedly closed network connection:
If you get this error message while connecting to your server, it is
most usually caused by the server not being able to run some process
necessary to support your session. Always try to connect with another
SSH (SFTP) client to find, if it is server or client related problem.
Possibilities are:
Shell.
Your account may not be allowed to start a shell at all. With some servers (like OpenSSH or Sun SSH), you may need to be allowed to
start a shell, even if using SFTP protocol.
Also some servers refuse to start a shell if your password has expired or your account was terminated.
Some shells do not work with non-interactive sessions. The same it true for some configurations (or profiles used) for otherwise
working shells. This commonly exhibits with SCP protocol with
associated error message "Error skipping startup message. Your shell
is probably incompatible with the application (BASH is recommended)."
Try to force bash shell explicitly on SCP/Shell page of Advanced Site
Settings dialog. Using SFTP protocol instead of SCP is another option.
OpenSSH server may fail to start shell when chroot is configured, but not possible (e.g. due to group writeable permissions
to chroot directory).
Some environments require specific permissions (e.g. 755) to files like .profile or .bashrc.
SFTP server.
Your account may not be able to start SFTP server binary (e.g. /bin/sftp-server) or the binary is not present on your server.
Your SSH server may also lack the SFTP subsystem.
SSH server:
Your SSH server, particularly OpenSSH, may not be able to access the server key files, due to an incorrect permissions.

SSH to EC2 linux instance from Windows

I'm setting up a "data analysis on the cloud" class and most of the students will probably be using Windows.
The students will have to set up EC2 Ubuntu instances and connect to them.
What is the easiest way to set up SSH for Windows XP-7?
I've tried PuTTY but Puttygen can only convert the public key to putty format if I manually add newlines in a text editor. This is too involved for the class of 80.
I've tried OpenSSH but I can't seem to find the correct permissions for the public key file. On Mac OS/Linux it's just chmod 600.
Is there a decent SSH client that supports Amazon's key format that I can set up easily?
The .pem file Amazon Web Services gives you is supported by the openssh client implementations, but for a Windows-based client that works directly with the .pem file without converting it with puttygen.exe, look into Bitvise Tunnelier.
If anybody's looking for windows 10 solution.
In Windows 10, you can use powershell.
Use below command.
ssh -i \..\location-to-pem-file.pem ubuntu#X.X.XXX.XXX
If ssh is not supported in your windows 10 machine, follow this url for installation.
I used it and suggested the same.
Another possible solution is to use PuTTY but follow Amazon's guide for doing so. I found some other guide's that weren't as clear in the steps but I was able to get PuTTYgen to work correctly when I used their guide.
Install PuTTY.
Follow Amazon's guide for converting your PEM file to the PuTTY PPK format.
Connect to your server!
As for newlines, maybe you need to run unix2dos or some other program that will fix that for you?
Step1: Download the keypair
The download will create a .pem file on your local system. It contains a private key that you can use to connect to the EC2 instance via SSH
Step 2: Launch your linux instance
Copy the public ip address for the future use to connect the linux instance
Step 3: Download puttyGen from https://the.earth.li/~sgtatham/putty/latest/w32/puttygen.exe
Step 4: Execute the PuttyGen exe and load the private key(the pem file you have downloaded while launching the instance)
Step 5: Save the private key, it will give the .ppk file which will be used to connect the linux instance
Step 6: Download and install the Putty software, open the putty, and paste the public ip address which you copied from the linux instance
Step 7: Now load the .PPK file which we have saved
Step 8: Choose yes from the alert window
Step 9: Login as ec-user
I borrowed the method giving in this video. https://youtu.be/P1erVo5X3Bs
Open power shell and run below commands. You can open power shell at any location by print powershell in the nevigation bar and press enter.
enter image description here
1.reset premission:
icals.exe key.pem /reset
2.check the current user id
whoami
3.add permision to specific user id
icacls.exe key.pem /grant:r "YOUR USER ID GIVEN BY WHOAMI"
4.remove permission of other user
icacls.exe .\ec2.pem /inheritance:r
Now it should work.
If anybody's looking for windows 10 solution.
icacls.exe .\Desktop\xxxx.pem /reset
icacls.exe .\Desktop\xxxx.pem /grant:r "$($env:USERNAME):(r)"
icacls.exe .\Desktop\xxxx.pem /inheritance:r
ssh -i .\Desktop\xxxx.pem ec2-user#54.229.xxx.x

Git Setup on Windows

So on my friends local Windows machine we are trying to setup GIT.
Basically, we've been following this guide which has been great. The problem we are facing is as follows:
All works until we get to Using Gitosis
When we use the command
git clone
git#INSERT_IP_HERE:gitosis-admin.git
We keep getting
Initialized empty Git repository in
/home/Thomas/gitosis-admin/.git
Connection closed by IP_HERE fatal:
The remote end hung up unexpectedly
When we try simply
ssh git#IP_HERE
We get "Connection closed by IP_HERE"
If we login as
runas /user:git C:/cygwin/cygwin.bat
And run > ssh git#IP_HERE
We at least get asked for a password then
Last Login: Connection to IP_HERE
closed.
Would anyone be able to help ?
The error does indeed indicate that authentication is failing.
Firstly, open gitosis.conf on the server and check that you are a member of the group containing gitosis-admin repository. It should show something like.
[gitosis]
[group gitosis-admin]
writable = gitosis-admin
members = user1 user2
The member name must match with a public key in /keydir before access can be made.
Secondly, you do not say how you are connecting from the Windows machines. If you are using Git under Cygwin, make sure you are correctly loading the private key. If you are using MsysGit with Putty, be sure to load the private key before connecting as well.
There is a small gotcha if PuttyGen is used to generate key pairs, and that is the default format is different from OpenSSH which you are probably using. Copy and paste from the top window, or alternatively edit the multiline public key file to read like this.
ssh-rsa AAAABB...KEYBODY...ONLkQ== user1
Lastly, make sure port 22 is open in any firewalls if that is indeed the port you are using.
A more comprehensive description of how to set up a Git server with Gitosis on Windows, can be found at here
I recommend the use of MsysGit from windows, as it gives better integration into the Windows environment. TortoiseGit and GitExtensions both use MsysGit as the backend, and provide nice Gui's and explorer shell extensions. GitExtensions full installer will provide the windows user with everything they need.
Did you get past runnig the gitosis-init < /tmp/id_rsa.pub command?
That error indicates to me that the public key isn't set up properly. The command above initializes gitosis with the first key.

Resources