no password ssh auth in new amazon instances - amazon-ec2

I have a script that interacts with an external host via rsync/ssh.
SSH prompts me to confirm the authenticity of the host like this:
The authenticity of host 'xxxxxxxxxxxxxxxxxx' can't be established.
RSA key fingerprint is xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Are you sure you want to continue connecting (yes/no)?
Since every EC2 instance is a new host, I have to confirm this every time, but I want an automatic script without any user input. What is the best solution?
I know I can add -o StrictHostKeyChecking=no, but that would make the external host insecure.
EDIT: is it possible to use my PEM file to authenticate to other servers? I mean, maybe installing something on the external server and connecting the same way I do with instances and the PEM file.
Thank you

You could try to use expect:
Expect is a Unix automation and testing tool, written by Don Libes as an extension to the Tcl scripting language, for interactive applications such as telnet, ftp, passwd, fsck, rlogin, tip, ssh, and others. It uses Unix pseudo terminals to wrap up subprocesses transparently, allowing the automation of arbitrary applications that are accessed over a terminal.
Although you might have some challenges making it work in those cases where you connect to the same IP for a non-first time and ssh will not ask.

I think this article verify-ssh-keys-on-ec2-instances might have the information you need, or at least a starting point to scripting something.

Related

Best alternative to SSH in Ansible?

I want to connect to a remote host machine on both Linux and Windows without SSH, using an Ansible playbook. Is there any way to do that?
As per the documentation, it is possible to extend Ansible with a connection plugin such as SNMP or a message bus. You can get a list of the available connection plugins with the command below.
ansible-doc -t connection -l
For Windows, usually WinRM is used. SSH also works on Windows and, in my opinion, takes less effort to set up securely.
When using WinRM you have a few options, the one that you should use depends on the type of environment. Depending on what option you use, it can take some effort to set up properly.
Basic Authentication (generally insecure, not recommended)
Certificate Authentication (similar to SSH keys)
NTLM (older protocol that supports domain users)
Kerberos (generally recommended when running in a domain environment)
CredSSP (supports things like credential delegation)
Generally I would recommend SSH for Linux, it's easy to set up and secure. Your question does not specify why you can not use SSH, so I can't advise on that.

How to restrict a reverse SSH tunnel connection to the lowest possible access/commands?

I have tried to set up reverse SSH tunnel access from a Windows client so I can RDP into his system without its firewall/NAT bugging me. The problem I have is that when the user does a reverse SSH tunnel (using the -R option in ssh) to my Linux system from Windows, it's basically like he is doing an SSH login to me and can run commands and do whatever. I only want this SSH connection to serve as a tunnel, so the user can't do anything and the tunnel is used only for doing RDP and bypassing the firewall.
So how can I restrict the connected user from doing anything, and force this connection to only be used for the reverse RDP? Because as of right now, when he connects, he can type any command and has the current access.
And no, I don't want to solve this by hiding the CMD window; I want to stop all access for the user.
As of right now he is doing ssh -R ... in his cmd, and again, I don't want to solve this by just hiding the window, so I don't want to add the -fN option either.
I also want the solution to work without any need to install third-party software on the client, so I have to use Windows 10's built-in features.

Is there a way to remote debug on a different subnet in Visual Studio?

I have a client who is remote. I need to debug some weird problem that none of my other clients are having. Before I try and set up a conference with this client, I would like to know if there is some way of remotely debugging our application.
I see that there are remote debugging tools available for Visual Studio, but from what I've read, I need to be on the same subnet. As the person is remote, this is not a possibility. Also, as I'd like to keep our connection secure, I would need to connect up some sort of encrypted tunnel (this is where I'm a little fuzzy as my networking skills are mostly theoretical).
As I understand it, an encrypted tunnel is a bridge to another (different) subnet. This is to ensure that those computers on the other side won't interfere with the local subnet computers.
So, because the client's computer is on a different subnet, I think that this is not possible. Or is it? Should there not be a way of making the client's computer show up as a virtual computer on my subnet, by forwarding packets from one subnet to another? I would think that this is theoretically possible, but I'm not exactly sure how I would go about this.
Also, at the moment, my current way that we connect to clients is through GoToMeeting, but I don't think that it supports tunneling. If not, then I may need some way of generating a tunnel, so I was also thinking of maybe using some SSH programme like PuTTY.
As I have said before, my knowledge of networking is quite theoretical, so if the tools that I am suggesting are not the correct ones, please correct me. (I'm a programmer, damn it! Not a network engineer!)
Both computers are Windows boxes. Windows 10 (client) and Windows 8.1 (development).
If you can connect to an ssh server in the remote network, you can (subject to configuration on the server) create a tunnel such that you connect to a socket on your local PC and the connection appears from the server to an endpoint on the remote network.
You'll want to investigate the -L command of OpenSSH, which combined with the PuTTY docs, should help explain what's required.
By default, the endpoint would be a port on the ssh server, but it could be a port on a different host that the remote server can connect to.
I'm not familiar with the current state of Windows SSH servers, but even if there isn't a system server to hand, you should be able to have one run 'on demand' - if you run it on a non-privileged port and as the user you want to connect in as, it shouldn't even need Admin privileges.
I'm not familiar with GoToMeeting, but the one thing with SSH tunnelling is that IT depts should be familiar with SSH. If trying that, focus on getting a working connection in, then setting up the tunnel, then connecting through it as separate steps.
Once you have an SSH connection, it doesn't need to do anything itself, and you can then investigate connecting while specifying the port forwarding, but you will need to get the basic connection working correctly first.

How to convert FTP server to secure SFTP on Amazon EC2

I have an FTP server on Amazon EC2 which I can access by giving this URL: ftp.websitename.com:4522
After that I enter a username and password to access the files from this location.
Now I want to convert it into secure FTP, so that if I give sftp.websitename.com:4522 it will ask me for a username and password and allow me to log in to the application.
First of all, is this possible?
I tried the instructions below for installing vsftpd (vsftd1 vsftd2), but they didn't help me.
After making the changes from these two links I tried to log in through WinSCP, selected SFTP as the file protocol, typed ftp.websitename.com with port number 4522 and gave the username and password, but it didn't allow me to log in.
Edit 1:
I have my Amazon EC2 instance on CentOS 64-bit.
Someone else set up the FTP connection and now I am taking it forward from that point; I will get all the details and try to make my question more specific.
You didn't specify what OS you are running. But from the reference to vsftpd, I assume some *nix flavor. You didn't specify what FTP server you have running, nor how you set it up. Your question is pretty vague. But I'll try to give some hints.
The vsftpd is an FTP server only. It does not support SFTP. It supports FTPS (FTP over TLS) though. Do not get confused by its name. While vsftpd stands for "very secure FTP daemon", it just means it aims to implement FTP securely, not that it implements SFTP.
Note that virtually all *nix servers come with an SSH/SFTP server built-in (OpenSSH). It runs on port 22.
For instructions how to connect to the EC2 SFTP server with WinSCP, see (my) guide:
Connecting Securely to Amazon EC2 Server with SFTP.
Also make sure you understand the difference between the SFTP and the FTPS.

Bitnami Wordpress Stack SSH

I've got an instance using this AMI - ami-b7a29cc3
http://thecloudmarket.com/image/ami-b7a29cc3--bitnami-wordpress-3-3-1-1-multisite-linux-ubuntu-10-04-ebs#/details
Which is a Wordpress Multisite Bitnami Image.
It's installed and booted up fine, I've setup the security groups SSH, HTTP, HTTPs.
But weirdly enough connecting via SSH is not working, despite the front end working fine.
I've tried the following users and commands to no avail, ubuntu, root and bitnami.
I keep getting something weird like this happen though when I run the command.
D-Hewards-MacBook-Pro:Downloads dheward$ ssh -i macbookpro.pem bitnami@176.34.127.170
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
9f:85:89:8a:7a:9d:db:e0:15:e4:11:d0:e0:4b:74:a9.
Please contact your system administrator.
Add correct host key in /Users/dheward/.ssh/known_hosts to get rid of this message.
Offending key in /Users/dheward/.ssh/known_hosts:17
RSA host key for 176.34.127.170 has changed and you have requested strict checking.
Host key verification failed.
D-Hewards-MacBook-Pro:Downloads dheward$
This is likely (i.e. you need to judge this yourself after reading and understanding my explanation, because otherwise your security would indeed be at risk!) just normal behavior of SSH coupled with reuse of the meanwhile scarce IP addresses by Amazon EC2 (see IPv4 address exhaustion):
Background
The server side of your SSH connection needs to identify itself by the mentioned fingerprint for the RSA key, which is subsequently checked by your client-side SSH tooling to ensure you are not falling victim to a man-in-the-middle attack.
Regular SSH Process
1. you connect to a new SSH server for the first time
2. the new server presents its RSA key identity to your SSH client
3. your SSH client asks you to confirm this server's identity and will import the RSA key in turn for future security checks (into /Users/dheward/.ssh/known_hosts in your case)
4. ideally you'd have received this RSA key over a secure channel to properly assess its validity; however, most people simply don't do that in today's ever-changing cloud environments, see Eric Hammond's Poll: Verifying ssh Fingerprint on EC2 Instances
Eric's post mentions options to deal with this in principle already, i.e. For optimal security, you are supposed to request the instance console output and find the ssh host key fingerprint in the log to verify that it is the same as the fingerprint presented to you by the ssh command.
Furthermore, Eric discussed this topic in great detail in ssh host key paranoia.
Scott Moser has distilled a great summary of how to actually Verify SSH Keys on EC2 Instances and provides instructions on how to update your known_hosts file in turn as well.
5. on every subsequent connect to the same SSH server, your SSH client will compare the stored RSA key with the one provided by the SSH server and will present a big fat warning regarding potential nastiness if it changes, because it usually shouldn't indeed (I'll skip the rare exceptions for now)
6. this means, if it suddenly changed (especially for a host you had been connecting to already without such a warning), you should indeed back out immediately and assess the situation first, i.e. if you don't know a reason for the change, your connection security is at risk
Cause (i.e. Your Experience)
You might have gone through steps 1-4 once for another SSH server on EC2, which happened to have the very same IP address from their pool (i.e. 176.34.127.170); while not encountered every day, this is all but unlikely over time given the limited number of IPv4 addresses available in general and the respective pool available for Amazon in particular.
Now, since you are connecting to an entirely different server than the one for which the RSA key had been stored in the first place (every started EC2 instance has a respectively unique identity), your SSH client cries foul and presents the properly escalated warning you are seeing.
Furthermore, it seems to disallow SSH access entirely in this situation, since you [or your system administrator] have requested strict checking. (Most desktop SSH clients seem to ask for confirmation just like on first connect in this case by default.)
Solution
Make damn sure my explanation of your experience actually applies to your situation!
Follow the instructions given in the warning message already:
The fingerprint for the RSA key sent by the remote host is
9f:85:89:8a:7a:9d:db:e0:15:e4:11:d0:e0:4b:74:a9. Please contact your
system administrator. Add correct host key in
/Users/dheward/.ssh/known_hosts to get rid of this message. Offending
key in /Users/dheward/.ssh/known_hosts:17 RSA host key for
176.34.127.170 has changed and you have requested strict checking. [emphasis mine]
I.e. the SSH RSA key cache maintained in /Users/dheward/.ssh/known_hosts currently has an entry No. 17 for IP address 176.34.127.170 with a different RSA key than the one presented by the server with IP address 176.34.127.170 you are currently trying to connect to. This must be adjusted, if you are sure there is in fact no man-in-the-middle attack in place (which is unlikely, given that this is a new host you just commissioned, though as mentioned in 3) above, you might want to ensure this by following Scott Moser's instructions on how to actually Verify SSH Keys on EC2 Instances).
Good luck!
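Both the first question (scripting against fresh EC2 instances without StrictHostKeyChecking=no) and this answer come down to the same procedure: compare the host key the instance actually presents with the fingerprint it printed to its own console, and only then replace the stale known_hosts entry left behind by a previous instance on the same IP. The script below is an added example, not code from the original posts or from Eric Hammond's or Scott Moser's articles. Everything in it is constructed: the ed25519 key bytes are made up, KEYSCAN_LINE stands in for one line of `ssh-keyscan -t ed25519 <ip>` output, CONSOLE_OUTPUT stands in for the text returned by `aws ec2 get-console-output`, and STALE_KNOWN_HOSTS mimics a known_hosts file holding the old key for the reused address.

```python
"""Verify an EC2 instance's SSH host key against the fingerprint the instance
printed to its console, then update known_hosts only on a match.

Added example, not code from the original Q&A. Assumptions (all constructed):
  - KEYSCAN_LINE stands in for one line of `ssh-keyscan -t ed25519 <ip>`
  - CONSOLE_OUTPUT stands in for the text of `aws ec2 get-console-output`
  - the 32-byte key itself is made up; no real instance or key is involved
"""
import base64
import hashlib
import re


def ssh_string(data: bytes) -> bytes:
    """Encode `data` as an SSH wire string (4-byte big-endian length + bytes)."""
    return len(data).to_bytes(4, "big") + data


def fingerprint_md5(key_blob: bytes) -> str:
    """Legacy colon-separated MD5 fingerprint (the 9f:85:... style in the warning)."""
    digest = hashlib.md5(key_blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprint_sha256(key_blob: bytes) -> str:
    """Modern `SHA256:<unpadded base64>` fingerprint printed by current OpenSSH."""
    digest = hashlib.sha256(key_blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_keyscan_line(line: str) -> tuple:
    """Split `host keytype base64` (ssh-keyscan / known_hosts format), decode the key."""
    host, keytype, b64 = line.split()[:3]
    return host, keytype, base64.b64decode(b64)


def console_fingerprints(console_text: str) -> set:
    """Collect every MD5- or SHA256-style fingerprint token from the console log."""
    md5s = re.findall(r"\b(?:[0-9a-f]{2}:){15}[0-9a-f]{2}\b", console_text)
    sha256s = re.findall(r"SHA256:[A-Za-z0-9+/]{43}", console_text)
    return set(md5s) | set(sha256s)


def host_key_is_verified(keyscan_line: str, console_text: str) -> bool:
    """True only if the scanned key's fingerprint was printed by the instance itself."""
    _, _, blob = parse_keyscan_line(keyscan_line)
    seen = console_fingerprints(console_text)
    return fingerprint_md5(blob) in seen or fingerprint_sha256(blob) in seen


def replace_known_hosts_entry(known_hosts: str, keyscan_line: str) -> str:
    """Drop stale plain-text entries for the host (the 'offending key' line), append the new one.

    Hashed entries (`|1|...`) are left untouched because the host cannot be read from them.
    """
    host, _, _ = parse_keyscan_line(keyscan_line)
    kept = []
    for entry in known_hosts.splitlines():
        fields = entry.split(None, 1)
        if fields and host in fields[0].split(","):
            continue  # stale key for an IP that EC2 has since reassigned
        kept.append(entry)
    kept.append(keyscan_line.strip())
    return "\n".join(kept) + "\n"


def update_if_verified(known_hosts: str, keyscan_line: str, console_text: str) -> str:
    """The safe alternative to StrictHostKeyChecking=no: trust the key only after verifying it."""
    if not host_key_is_verified(keyscan_line, console_text):
        raise ValueError("host key fingerprint not found in console output; refusing to trust it")
    return replace_known_hosts_entry(known_hosts, keyscan_line)


# --- constructed sample data (no real instance or key) ---
INSTANCE_IP = "176.34.127.170"
SAMPLE_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
TAMPERED_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(1, 33)))
OTHER_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes([7] * 32))
KEYSCAN_LINE = f"{INSTANCE_IP} ssh-ed25519 {base64.b64encode(SAMPLE_BLOB).decode()}"
TAMPERED_LINE = f"{INSTANCE_IP} ssh-ed25519 {base64.b64encode(TAMPERED_BLOB).decode()}"
OTHER_LINE = f"203.0.113.7 ssh-ed25519 {base64.b64encode(OTHER_BLOB).decode()}"
# Mimics the cloud-init fingerprint block an instance writes to its console log.
CONSOLE_OUTPUT = (
    "ec2: -----BEGIN SSH HOST KEY FINGERPRINTS-----\n"
    f"ec2: 256 {fingerprint_sha256(SAMPLE_BLOB)} root@ip-10-0-0-5 (ED25519)\n"
    "ec2: -----END SSH HOST KEY FINGERPRINTS-----\n"
)
# known_hosts still holding the key of a previous instance that had the same IP.
STALE_KNOWN_HOSTS = TAMPERED_LINE + "\n" + OTHER_LINE + "\n"

if __name__ == "__main__":
    print(update_if_verified(STALE_KNOWN_HOSTS, KEYSCAN_LINE, CONSOLE_OUTPUT))
```

In a real pipeline the two inputs come from `ssh-keyscan` against the new instance and from the EC2 console output; the rest of the script is unchanged. A key that does not appear in the console log raises instead of being written, which is the behaviour you want from an unattended script: it fails closed rather than silently accepting whatever the network presents.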
