How should I write my ssh proxy command? - proxy

I'm trying to write a utility compatible with the -oProxyCommand of openssh. I wrote a utility that is a transparent socket to an ssh connection (or anything). Though it's taken some debugging I'm fairly confident it is indeed working correctly (manual IO tests, large binary file transfers all work).
OpenSSH will not work with it. I'm not sure why. Do I have to guarantee delivery of certain chunk sizes or something like that?
Here is an example trial run with debug output:
cletus:Desktop jdizzle$ ssh -v -oProxyCommand='python ./tunnel_client.py 127.0.0.1 22 2>/dev/null' 127.0.0.1
OpenSSH_5.2p1, OpenSSL 0.9.8l 5 Nov 2009
debug1: Reading configuration data /path/jdizzle/.ssh/config
debug1: Reading configuration data /etc/ssh_config
debug1: auto-mux: Trying existing master
debug1: Executing proxy command: exec python ./tunnel_client.py 127.0.0.1 22 2>/dev/null
debug1: identity file /path/jdizzle/.ssh/identity type -1
debug1: identity file /path/jdizzle/.ssh/id_rsa type -1
debug1: identity file /path/jdizzle/.ssh/id_dsa type -1
debug1: permanently_drop_suid: 501
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.1
debug1: match: OpenSSH_5.1 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.2
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
Received disconnect from UNKNOWN: 2: Bad packet length 1546673200.
The fact that it's decrypting a block in a strange way leads to to believe that my pipe isn't working correctly, but I've run it through all sorts of trials and it doesn't miss a beat. What am I missing?

Turns out I'm another victim of PHP magic quotes. Null bytes in my stream were being converted to '\0' behind my back! Apparently none of my tests contained a null byte.

Related

Cannot connect to ec2 instances with pem key on yosemite machines

So I am setting up two new macs (yosemite) for ssh-ing into out EC2 instances and the have the same issue.
When I copy and paste the .pem key from amazon into the .ssh/ folder, then try to ssh in with:
sudo ssh -i /users/me/.ssh/key_pair_1_8_5_2015.pem ubuntu#54.186.XXX.XX
I get the following:
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /users/colin/.ssh/key_pair_1_8_5_2015.pem
debug1: key_parse_private_pem: PEM_read_PrivateKey failed
debug1: read PEM private key done: type <unknown>
Saving password to keychain failed
debug1: key_parse_private_pem: PEM_read_PrivateKey failed
debug1: read PEM private key done: type <unknown>
debug1: No more authentication methods to try.
Permission denied (publickey).
which results in a popup box asking for the
enter you password for the key pair "key_pair..."
Of course you don't have a key pair for the pem keys, and I certainly have not set one up previously, so this makes no sense. From reading around this seems to be the default error for a whole host of issue.
I know I have permissions set correctly, and I know that the users I am trying to connect to are OK.
I have set up multiple other macs in the same fashion and connected to many ec2 development servers this way.
But since both macs have identical errors, I suspect it is something to do with the client OS that is preventing this. They are freshly wiped macs that have had little previous configuration (although I did set up ssh keys as normal), so I am wondering if there is something else that needs configuring before I can proceed.
Sincere thanks for any help. It is greatly appreciated.
I've had no issues with yosemite or el capitan with EC2 keys. It's not about the OS, it's about the openssh versions.
Ensure your AMI is correct, some people have had issues with building AMIs and leaving old keys on them, rendering launch with new ones not working. Also ensure your permissions are in fact 0400 or 0600 on the private key.
Based on a hunch though I think your key is corrupt:
debug1: key_parse_private_pem: PEM_read_PrivateKey failed
This seems more like the key was saved incorrectly.
Also: You probably shouldn't be running sudo to ssh into it.

ssh - 'connection reset by peer' - windows

I am running ssh via git bash in a windows environment. I had everything working fine but now (a few days later) when I try to connect to bitbucket I get the message: ssh-exchange_identification: read: connection reset by peer.
The full log looks like this:
$ ssh -Tvvv -p 443 git#altssh.bitbucket.org
OpenSSH_6.6.1, OpenSSL 1.0.1i 6 Aug 2014
debug2: ssh_connect: needpriv 0
debug1: Connecting to altssh.bitbucket.org [131.103.20.174] port 443.
debug1: Connection established.
debug3: Incorrect RSA1 identifier
debug3: Could not load "/c/Documents and Settings/xxx/.ssh/id_rsa" as a RSA1 public key
debug1: identity file /c/Documents and Settings/xxx/.ssh/id_rsa type 1
debug1: identity file /c/Documents and Settings/xxx/.ssh/id_rsa-cert type -1
debug1: identity file /c/Documents and Settings/xxx/.ssh/id_dsa type -1
debug1: identity file /c/Documents and Settings/xxx/.ssh/id_dsa-cert type -1
debug1: identity file /c/Documents and Settings/xxx/.ssh/id_ecdsa type -1
debug1: identity file /c/Documents and Settings/xxx/.ssh/id_ecdsa-cert type -1
debug1: identity file /c/Documents and Settings/xxx/.ssh/id_ed25519 type -1
debug1: identity file /c/Documents and Settings/xxx/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.6.1
ssh_exchange_identification: read: Connection reset by peer
My issue is exactly like bibucket ssh_exchange_identification: read: Connection reset by peer except
1) I can confirm that my company is not inspecting and blocking packets over port 443 (though they are blocking port 22 which is why I am going over 443 to begin with)
2) I can confirm the issue is not with the bitbucket servers - other people on my team can get in just fine
As stated above, this was working just fine before. I did erase all my keys and started over but to no avail.
Help! I've been banging my head on this for two days now...
Updated -- added more verbose log
OK, so it was faulty logic to think that just because other members on my team had access that I wasn't being blocked. I was/am.
I encountered the same problem when submitting content to my own repository on github. At present, the change is pushed to the repository using http interface, but ssh still does not work
kex_exchange_identification: Connection closed by remote host Connection closed by 20.205.243.166 port 22 fatal: Could not read from remote repository.
Please make sure you have the correct access rights and the repository exists.

ssh_exchange_identification: read: Connection reset by peer on MAC

I don't understand why but I can't connect to my school server from my network at home. I'm using login as always like ssh name#host.com but it still don't work.
Here is debug report with -v
OpenSSH_6.2p2, OSSLShim 0.9.8r 8 Dec 2011
debug1: Reading configuration data /etc/ssh_config
debug1: /etc/ssh_config line 20: Applying options for *
debug1: /etc/ssh_config line 102: Applying options for *
debug1: Connecting to merlin.fit.vutbr.cz [147.229.176.19] port 22.
debug1: Connection established.
debug1: identity file /Users/martinpristas/.ssh/id_rsa type -1
debug1: identity file /Users/martinpristas/.ssh/id_rsa-cert type -1
debug1: identity file /Users/martinpristas/.ssh/id_dsa type -1
debug1: identity file /Users/martinpristas/.ssh/id_dsa-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.2
ssh_exchange_identification: read: Connection reset by peer
Is here any options like network settings or mac settings to fix it ?
Thank you !
Something is killing the TCP connection after it's established while SSH is trying to log in. I get the same error for that particular host from here, so it's probably a firewall closer to the server than closer to you.
If you don't have control over that firewall, there is nothing you can do.
I experienced the same error connecting to the server. What I did was to change my internet service provider and everything was fine.

Permission denied (publickey) - Cant push or pull with Git

Git was working fine with pushing to Bitbucket, until recently where there haven't been much changes, except for a change in DNS server settings.
The error:
Permission denied (publickey).
fatal: Could not read from remote repository.
Please make sure you have the correct access rights
and the repository exists.
I used keygen to create a new key, add the key with Git Bash (key was added and accepted) and then manually add the key to Bitbucket SSH. However, it's still yielding the same error.
Not sure what went wrong, does anyone have the same experience and able to help?
Other bits of info or attempts to troubleshoot
git remote -v, one push, one pull item listed
ssh -T git#bitbucket.org - error: Permission denied (publickey).
ssh-add -l - error: Could not open a connection to your authentication agent.
ssh -vT git#github.com - error below
ssh -Tv git#bitbucket.org OpenSSH_6.6.1, OpenSSL 1.0.1i 6 Aug 2014
debug1: Connecting to bitbucket.org [131.103.20.167] port 22.
debug1: Connection established.
debug1: identity file /.ssh/id_rsa type -1
debug1: identity file /.ssh/id_rsa-cert type -1
debug1: identity file /.ssh/id_dsa type -1
debug1: identity file /.ssh/id_dsa-cert type -1
debug1: identity file /.ssh/id_ecdsa type -1
debug1: identity file /.ssh/id_ecdsa-cert type -1
debug1: identity file /.ssh/id_ed25519 type -1
debug1: identity file /.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.6.1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
debug1: match: OpenSSH_5.3 pat OpenSSH_5* compat 0x0c000000
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<3072<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Server host key: RSA 97:8c /* rest of numbers */
debug1: Host 'bitbucket.org' is known and matches the RSA host key.
debug1: Found key in /.ssh/known_hosts:1
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /.ssh/id_rsa
debug1: Trying private key: /.ssh/id_dsa
debug1: Trying private key: /.ssh/id_ecdsa
debug1: Trying private key: /.ssh/id_ed25519
debug1: No more authentication methods to try.
Permission denied (publickey).
- ssh-agent -s, error:
SSH_AUTH_SOCK=/tmp/ssh-2KEE1p8SGXPg/agent.1900; export SSH_AUTH_SOCK;
SSH_AGENT_PID=2712; export SSH_AGENT_PID;
echo Agent pid 2712;
The message "Could not open a connection to your authentication" implies that no agent is running (or at least not reachable).
ssh-agent bash # start a new agent
ssh-add # add your key
ssh-add -L # verify that your key is the same as on the server
ssh git#bitbucket.org # should work now
git clone git#bitbucket.org:xyz # (or something like this) should work, too
You need to run ssh-agent command and then export the variables that are displayed when you run it. To do that you can do something like this :
eval `/usr/bin/ssh-agent`
The output of the ssh-agent command is a valid shell script which when executed (a.k.a evaled) will set the right env variables required for the communication between ssh-agent program and other programs that use it.
Just make sure you kill your existing ssh-agent process before you run this command.
After that use the usual ssh-add commands to list and add keys and then your ssh should work just fine.
I know this answer may not be the best of answers but I managed to get it working with the following steps. (Disclaimer: I still dont know what went wrong)
Kill all ssh-agent process by kill PIDnumber one by one within Git Bash. Somehow I had a list full of agent processes running. I saw this list of PID when I tried to uninstall Git from my system.
Uninstall Git from the computer
Remove all SSH keys from Bitbucket repo - (manually remove by browsing to BB website)
Reinstall Git and in Git bash, ssh -T git#bitbucket.org + entered passphrase so user is login and confirmed
Added existing rsa_pub keys (i just dragged rsa_pub file to sublime text, copied the key and pasted it back to bitbucket in the same repo)
pull then push from nodejs's command line utility
This worked for me:
after you generate a new SSH key (ssh-keygen -t rsa)
and add it to the bitbucket site (cat ~/.ssh/bitbucket.pub ...)
if you still not able to connect then do this:
eval ssh-agent -s
ssh-add bitbucket                         
try again now again 

Could not create directory /var/teamsserver

I've installed os x server (Mavericks) on my mac and would like to add bot. For some reasons my remote repo is located on other external server and I have access to it by username and password on specified port. I've added remote repo to os x server like this:
ssh://1.2.3.4:PORT/path/to/repo.git
...filled username and password.
Then I've added bot in Xcode but when I hit integrate it fails with logs:
Cloning into 'ssh_myusername_1_2_3_4_PORT_path_to_repo_git'...
OpenSSH_6.2p2, OSSLShim 0.9.8r 8 Dec 2011 debug1: Reading
configuration data /etc/ssh_config debug1: /etc/ssh_config line 20:
Applying options for * debug1: Connecting to 1.2.3.4 [1.2.3.4] port PORT.
debug1: Connection established.
Could not create directory '/var/teamsserver/.ssh'.
debug1: identity file /var/teamsserver/.ssh/id_rsa type -1
debug1: identity file /var/teamsserver/.ssh/id_rsa-cert type -1
debug1: identity file /var/teamsserver/.ssh/id_dsa type -1
debug1: identity file /var/teamsserver/.ssh/id_dsa-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.2
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.0p1 Debian-3ubuntu1
debug1: match: OpenSSH_6.0p1 Debian-3ubuntu1 pat OpenSSH*
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Server host key: RSA b6:b8:0e:e4:25:63:6d:64:a3:d6:6d:7f:46:85:72:0d
debug1: checking without port identifier No RSA host key is known for [1.2.3.4]:PORT
and you have requested strict checking. Host key verification failed.
fatal: Could not read from remote repository.
Please make sure you have the correct access rights and the repository
exists.
SSH Known Hosts file path is located at
/Library/Server/Xcode/Config/ssh_known_hosts
SSH strict host checking
is enabled (you can disable this by editing the
SSHStrictHostKeyChecking key in
/Library/Server/Xcode/Config/xcsbuildd.plist
Untrusted HTTPS
certificates is disabled (you can enable this by editing the
TrustSelfSignedSSLCertificates key in
/Library/Server/Xcode/Config/xcsbuildd.plist
I assume that there is a problem with permissions but in my /var there are some directories with different permissions and of course there is no teams server folder...
So I don't know how to setup proper permissions (without changing permissions of other subdirectories of /var...). I can try manually make directory "teams server" but don't know with what permissions... ? Do you have any ideas?
EDIT: For test purpose I've created teamsserver directory with 777 but that doesn't solve my problem. Logs looks the same as previous butjust WITHOUT line:
Could not create directory '/var/teamsserver/.ssh'.
Any ideas?
Thanks
I experienced a similar issue with scheme action build scripts when attempting to run git commands against a github repo protected by ssh key pairs.
Bots run builds using a _teamsserver system account. As you've discovered, these accounts don't have home directories by default. To setup builds to access and modify their home directory, I had success with the following (your mileage may vary):
sudo mkdir /var/teamsserver
sudo chown -R _teamsserver:_teamsserver /var/teamsserver/
sudo chmod -R 770 /var/teamsserver/
HTH
Ok, I took some time but I've a solution... Two solutions actually. Ashamed to admit but read and understand logs is enough to solve the problem (again :P).
FIRST ANSWER:
My server host key was added to .ssh/known_hosts BEFORE installing os x server. Server does't use that path of known hosts. As log says server uses:
SSH Known Hosts file path is located at
/Library/Server/Xcode/Config/ssh_known_hosts
and that file was empty in my case. So to solve the problem it is enough to copy known_hosts to ssh_known_hosts:
sudo cp ~/.ssh/known_hosts /Library/Server/Xcode/Config/ssh_known_hosts
It's that simple.
SECOND ANSWER:
Acording to log again
SSH strict host checking is enabled (you can disable this by editing
the SSHStrictHostKeyChecking key in /Library/Server/Xcode/Config/xcsbuildd.plist
Change SSHStrictHostKeyChecking to false.
It's done again.
If you've tried the above and still are getting a permission denied error, you probably don't have the right permissions to that file/directory.
Who are you running as? $id
$ls -al the directory that the server is trying to read the id_rsa from (Probably similar to this path: Library/Server/Xcode/Data/BotRuns/BotRun-a28db5fc-1932-47a0-a528-f52c75e421e2.b‌​undle/credentials/65885363-194e-454b-a3ce-56dcaaf5d3c9/id_rsa)
change ownership of that file ^^ ($sudo chown {#id} {#path})
I did 3 things to allow me to get past this, although I'm not sure which of them solved the problem:
Change all git repositories in my project to use the HTTPS rather than SSH (git) version of the url
Disabled SSHStrictHostKeyChecking as per the instructions from the source control log from the bot.
Enabled TrustSelfSignedSSLCertificates as per the same instructions from the log.
Also check out https://discussions.apple.com/thread/5586872 in case this is a problem for you.
I will back some of these items off and test when I have more time.

Resources