OEM12C BP1 Default preferred credentials with SSH key credentials ?
Is it possible to configure Host Default Preferred Credentials to use a named credential created with SSH Key credentials ?
The drop down list only lists credentials configured with host credential types.
host target type has 2 out of the box credential set HostCredsNormal and HostCredsPriv
And both these are of type HostCreds (Username and password)
And there's code which assumes these to be of type HostCreds and process password.
Hence these are left as is.
What customers can do is, create additional credential set (emcli create_credential_set) and use HostSSHCreds type for it.
Similar Messages
-
Cdot with ssh keys for domain accounts
Has anyone on this board got ssh working with domain keys for cdot??
I use multiple keys; it is easy enough to manage them using keyring, and it means that I am able to compartmentalize them according to use case: work (which I obviously have a professional interest as well as personal in protecting) home (one for each box), and then keys for specific tasks (eg., automated backups, acess to particular services like github, mercurial etc).
This means that if one key is compromised, the others are unaffected and I can revoke the compromised key and, after cleaning up the mess as best I can, generate another and move on.
The only system I employ is to give each key a meaningful name (having multiple keys named id_{d,r}sa doesn't scale at all) and a policy of only adding the minimum necessary keys to each box's keyring; again, entering all the passphrases with any frequency helps manage this tendency.
I am also very careful about the key on my android as I see this as the most obvious risk: losing your phone is a pain; losing your phone and potentially relinquishing the key on it would be catastrophically asinine... -
Help needed with SSH key exchange
I'm trying to write an SFTP client, but I'm having problems with the Key Exchange. Verify is always bringing me back false. Here's the code, any ideas (I have my own helper class called Packet which reads in the data from the server) - the algorithm being used is ssh-rsa:
code = response.getInt();
code = response.getByte();
code = response.getByte();
if ( code != FtpClient.SSH_MSG_KEXDH_REPLY )
throw new FtpException("Invalid response code received (should be " + FtpClient.SSH_MSG_KEXDH_REPLY + ") - " + code);
this.serverKey = response.getString();
byte f[] = response.getString();
byte h[] = response.getString();
this.bf = new BigInteger(f);
if ( this.K == null )
DHPublicKeySpec spec = new DHPublicKeySpec(this.bf, new BigInteger(DiffieHellmanGroup.p), new BigInteger(DiffieHellmanGroup.g));
PublicKey pb = this.factory.generatePublic(spec);
this.agree.doPhase(pb, true);
byte secret[] = this.agree.generateSecret();
BigInteger bK = new BigInteger(secret);
this.K = bK.toByteArray();
this.K = secret;
Packet hash = new Packet();
hash.reset(0);
hash.add(this.clientVersion);
hash.add(this.serverVersion);
hash.add(this.clientMessage);
hash.add(this.serverMessage);
hash.add(this.serverKey);
hash.addMPInt(this.e);
hash.addMPInt(f);
hash.addMPInt(this.K);
byte foo[] = new byte[hash.length() - hash.current()];
foo = hash.get(hash.current());
//this.sha1.update(hash.get(), 0, hash.length());
this.sha1.update(foo, 0, foo.length);
this.H = this.sha1.digest();
int start = 0, end = 0;
end = ((this.serverKey[start++]<<24)&0xff000000)|((this.serverKey[start++]<<16)&0x00ff0000)|((this.serverKey[start++]<<8)&0x0000ff00)|((this.serverKey[start++])&0x000000ff);
String algorithm = new String(this.serverKey, start, end);
start += end;
boolean result = false;
if ( algorithm.equals("ssh-rsa") )
byte temp[], ee[], n[];
this.type = KeyExchange.RSA;
end = ((this.serverKey[start++]<<24)&0xff000000)|((this.serverKey[start++]<<16)&0x00ff0000)|((this.serverKey[start++]<<8)&0x0000ff00)|((this.serverKey[start++])&0x000000ff);
temp = new byte[end];
System.arraycopy(this.serverKey, start, temp, 0, end);
start += end;
ee = temp;
end = ((this.serverKey[start++]<<24)&0xff000000)|((this.serverKey[start++]<<16)&0x00ff0000)|((this.serverKey[start++]<<8)&0x0000ff00)|((this.serverKey[start++])&0x000000ff);
temp = new byte[end];
System.arraycopy(this.serverKey, start, temp, 0, end);
start += end;
n = temp;
this.signature = Signature.getInstance("SHA1withRSA");
BigInteger bn = new BigInteger(n);
BigInteger be = new BigInteger(e);
RSAPublicKeySpec spec = new RSAPublicKeySpec(bn, be);
KeyFactory fact = KeyFactory.getInstance("RSA");
RSAPublicKey pb = (RSAPublicKey)fact.generatePublic(spec);
this.signature.initVerify(pb);
this.signature.update(this.H);
byte hcopy[] = new byte[h.length];
System.arraycopy(h, 0, hcopy, 0, h.length);
if ( h[0] == 0 && h[1] == 0 && h[2] == 0 )
start = 0;
end = 0;
end = ((h[start++]<<24)&0xff000000)|((h[start++]<<16)&0x00ff0000)|((h[start++]<<8)&0x0000ff00)|((h[start++])&0x000000ff);
start += end;
end = ((h[start++]<<24)&0xff000000)|((h[start++]<<16)&0x00ff0000)|((h[start++]<<8)&0x0000ff00)|((h[start++])&0x000000ff);
temp = new byte[end];
System.arraycopy(h, start, temp, 0, end);
hcopy = temp;
result = this.signature.verify(hcopy);
else if ( algorithm.equals("ssh-dss") )
byte temp[], q[], p[], g[];
this.type = KeyExchange.DSS;
end = ((this.serverKey[start++]<<24)&0xff000000)|((this.serverKey[start++]<<16)&0x00ff0000)|((this.serverKey[start++]<<8)&0x0000ff00)|((this.serverKey[start++])&0x000000ff);
temp = new byte[end];
System.arraycopy(this.serverKey, start, temp, 0, end);
start += end;
p = temp;
end = ((this.serverKey[start++]<<24)&0xff000000)|((this.serverKey[start++]<<16)&0x00ff0000)|((this.serverKey[start++]<<8)&0x0000ff00)|((this.serverKey[start++])&0x000000ff);
temp = new byte[end];
System.arraycopy(this.serverKey, start, temp, 0, end);
start += end;
q = temp;
end = ((this.serverKey[start++]<<24)&0xff000000)|((this.serverKey[start++]<<16)&0x00ff0000)|((this.serverKey[start++]<<8)&0x0000ff00)|((this.serverKey[start++])&0x000000ff);
temp = new byte[end];
System.arraycopy(this.serverKey, start, temp, 0, end);
start += end;
g = temp;
end = ((this.serverKey[start++]<<24)&0xff000000)|((this.serverKey[start++]<<16)&0x00ff0000)|((this.serverKey[start++]<<8)&0x0000ff00)|((this.serverKey[start++])&0x000000ff);
temp = new byte[end];
System.arraycopy(this.serverKey, start, temp, 0, end);
start += end;
this.bf = new BigInteger(temp);
this.signature = Signature.getInstance("SH1withDSA");
KeyFactory factory = KeyFactory.getInstance("DSA");
DSAPublicKeySpec spec = new DSAPublicKeySpec(this.bf, new BigInteger(p), new BigInteger(q), new BigInteger(g));
PublicKey pb = factory.generatePublic(spec);
this.signature.initVerify(pb);
this.signature.update(this.H);
result = this.signature.verify(h);
else
throw new FtpException("Unknown algorithm used for key exchange - " + algorithm);
Thanks in advanceI think I'm having the same problem. My exchange email has been working since I got the phone back in August, yesterday I had to change my password because it was expiring so I went to enter the new password into my phone and it wouldn't connect. I deleted the account and tried to set it up again and I keep getting the error "Exchange account verification failed". Nothing I do seems to work. Its very strange everything worked fine and now all of a sudden I can't get it to work.
-
DS 6.3 ssh key and password expiration warnings
I suspect this may be more of an ssh issue than a DS issue, but has anyone managed a configuration that will give users logging in with ssh keys, password expiration or reset warnings?
In my setup, using compat mode in nsswitch.conf, native ldap logins work as expected for users entering their password. - That is, they are forced to change the password after an admin reset, receive "your password will expire" warnings, based on the expiration period set in DS (password policies in DS 6 mode, migrated from DS 5.2), etc.
If a user has an ssh authorized_key entry, they can login without a password, as long as their password is not expired, or been reset by an admin. They are never shown the warning messages, but are allowed to connect, and then immediately logged off, if their password has expired, passed the number of grace logins, or been reset.
The user can only login if they start from a different username and bypass the ssh key check.
Hope this makes sense.After running various debug modes, I'm beginning to believe that the Directory Server may only issue the warning messages if a password has been typed, and validated in the directory. Since no password is enered when using an ssh key, the warnings aren't triggered.
-
Public ssh key not working with launchd
I have a simple shell script that has only a couple lines:
rm /Volumes/drive/folder/*
scp -r [email protected]:/Volumes/drive/folder/
the "admin_user" account has an ssh key to be able to connect to the remote server without having to enter in a password.
if i run this script manually, as "admin_user", it works.
i need this to run via launchd at a set time every day, which i've successfully configured, with the UserName key. the script does run via launchd and it successfully deletes the files (the first line of the script).
it is failing, when run via launchd, with the second line. the files are never copied.
the log shows that the ssh key isn't working:
12/19/08 10:43:00 AM edu.example.xxxxxxxml[1386] Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
i'm not sure what i need to do differently as far as configuring the keys.
many thanks,
chrishere is the verbose log... i am not an ssh or sshd_config expert so any guidance is appreciated!:
{quote}
admin_user12/23/08 10:34:00 AM edu.example.deptxxxml[26285] Agent pid 26287
12/23/08 10:34:00 AM edu.example.deptxxxml[26285] Enter passphrase for /Users/adminuser/.ssh/idrsa:
12/23/08 10:34:00 AM edu.example.deptxxxml[26285] Executing: program /usr/bin/ssh host testserver.example.edu, user admin_user, command scp -v -r -f /Volumes/drive/inc/data/dept/
12/23/08 10:34:00 AM edu.example.deptxxxml[26285] OpenSSH_5.1p1, OpenSSL 0.9.7l 28 Sep 2006
12/23/08 10:34:00 AM edu.example.deptxxxml[26285] debug1: Reading configuration data /etc/ssh_config
12/23/08 10:34:00 AM edu.example.deptxxxml[26285] debug1: Connecting to testserver.example.edu [1xx.xx.117.3] port 22.
12/23/08 10:34:00 AM edu.example.deptxxxml[26285] debug1: Connection established.
12/23/08 10:34:00 AM edu.example.deptxxxml[26285] debug1: identity file /Users/admin_user/.ssh/identity type -1
12/23/08 10:34:00 AM edu.example.deptxxxml[26285] debug1: identity file /Users/adminuser/.ssh/idrsa type 1
12/23/08 10:34:00 AM edu.example.deptxxxml[26285] debug1: identity file /Users/adminuser/.ssh/iddsa type -1
12/23/08 10:34:00 AM edu.example.deptxxxml[26285] debug1: Remote protocol version 2.0, remote software version OpenSSH_4.7
12/23/08 10:34:00 AM edu.example.deptxxxml[26285] debug1: match: OpenSSH_4.7 pat OpenSSH*
12/23/08 10:34:00 AM edu.example.deptxxxml[26285] debug1: Enabling compatibility mode for protocol 2.0
12/23/08 10:34:00 AM edu.example.deptxxxml[26285] debug1: Local version string SSH-2.0-OpenSSH_5.1
12/23/08 10:34:00 AM edu.example.deptxxxml[26285] debug1: SSH2MSGKEXINIT sent
12/23/08 10:34:00 AM edu.example.deptxxxml[26285] debug1: SSH2MSGKEXINIT received
12/23/08 10:34:00 AM edu.example.deptxxxml[26285] debug1: kex: server->client aes128-cbc hmac-md5 none
12/23/08 10:34:00 AM edu.example.deptxxxml[26285] debug1: kex: client->server aes128-cbc hmac-md5 none
12/23/08 10:34:00 AM edu.example.deptxxxml[26285] debug1: SSH2MSG_KEX_DH_GEXREQUEST(1024<1024<8192) sent
12/23/08 10:34:00 AM edu.example.deptxxxml[26285] debug1: expecting SSH2MSG_KEX_DH_GEXGROUP
12/23/08 10:34:00 AM edu.example.deptxxxml[26285] debug1: SSH2MSG_KEX_DH_GEXINIT sent
12/23/08 10:34:00 AM edu.example.deptxxxml[26285] debug1: expecting SSH2MSG_KEX_DH_GEXREPLY
12/23/08 10:34:00 AM edu.example.deptxxxml[26285] debug1: Host 'testserver.example.edu' is known and matches the RSA host key.
12/23/08 10:34:00 AM edu.example.deptxxxml[26285] debug1: Found key in /Users/adminuser/.ssh/knownhosts:1
12/23/08 10:34:00 AM edu.example.deptxxxml[26285] debug1: sshrsaverify: signature correct
12/23/08 10:34:00 AM edu.example.deptxxxml[26285] debug1: SSH2MSGNEWKEYS sent
12/23/08 10:34:00 AM edu.example.deptxxxml[26285] debug1: expecting SSH2MSGNEWKEYS
12/23/08 10:34:00 AM edu.example.deptxxxml[26285] debug1: SSH2MSGNEWKEYS received
12/23/08 10:34:00 AM edu.example.deptxxxml[26285] debug1: SSH2MSG_SERVICEREQUEST sent
12/23/08 10:34:00 AM edu.example.deptxxxml[26285] debug1: SSH2MSG_SERVICEACCEPT received
12/23/08 10:34:00 AM edu.example.deptxxxml[26285] debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
12/23/08 10:34:00 AM edu.example.deptxxxml[26285] debug1: Next authentication method: gssapi-keyex
12/23/08 10:34:00 AM edu.example.deptxxxml[26285] debug1: No valid Key exchange context
12/23/08 10:34:00 AM edu.example.deptxxxml[26285] debug1: Next authentication method: gssapi-with-mic
12/23/08 10:34:00 AM edu.example.deptxxxml[26285] debug1: Unspecified GSS failure. Minor code may provide more information
12/23/08 10:34:00 AM edu.example.deptxxxml[26285] No credentials cache found
12/23/08 10:34:00 AM edu.example.deptxxxml[26285] debug1: Unspecified GSS failure. Minor code may provide more information
12/23/08 10:34:00 AM edu.example.deptxxxml[26285] No credentials cache found
12/23/08 10:34:00 AM edu.example.deptxxxml[26285] debug1: Unspecified GSS failure. Minor code may provide more information
12/23/08 10:34:00 AM edu.example.deptxxxml[26285] debug1: Next authentication method: publickey
12/23/08 10:34:00 AM edu.example.deptxxxml[26285] debug1: Trying private key: /Users/admin_user/.ssh/identity
12/23/08 10:34:00 AM edu.example.deptxxxml[26285] debug1: Offering public key: /Users/adminuser/.ssh/idrsa
12/23/08 10:34:00 AM edu.example.deptxxxml[26285] debug1: Server accepts key: pkalg ssh-rsa blen 277
12/23/08 10:34:00 AM edu.example.deptxxxml[26285] debug1: PEMreadPrivateKey failed
12/23/08 10:34:00 AM edu.example.deptxxxml[26285] debug1: read PEM private key done: type <unknown>
12/23/08 10:34:00 AM edu.example.deptxxxml[26285] debug1: read_passphrase: can't open /dev/tty: Device not configured
{quote} -
Hi there,
I am looking for step by step instrcutions on how to configure SFTP Codeplex adapter for both receive and send ports.
Out business partner with whom we push/poll the files from wants us to use SSH encryption/decryption etc.
Just wondering if the following functionality is supported in Codeplex SFTP adatper without having to write any code.
Appreciate if there is manaul to do this for SFTP. BTW I do have all the our public and private keys and business partners Public key for configuring.
For Send port: 1. we would need to encrypt the file with our business partners public key
2. sign the file with our private key.
3. Send the file through to SSH client which eventually transfers to Remote server.
Receive port: 1. Connect to SSH Server with SSH-2 key and receive the file
2. Verify the file's digital signature agaisnt the Business partners PGP public key
3. Decrypt the file using our PGP Public key
Thanks in advanceYes it is supported.
You can find its documentation in this link
You can find section X.509 Certificate Identity Keys
You can set public and private key in property SSH Identity thumbprint of send and receive port
I prefer to test it using client tool like
FileZilla or WinSCP then test it using sftp adapter
When you see answers and helpful posts, please click Vote As Helpful, Propose As Answer, and/or Mark As Answer -
SCP, SSH and SFTP in CMD / File-Explorer and SSH key management with Windows Credential Manger
Please add SSH, SFTP and SCP in CMD and File Explorer.
Also, allow us to copy to FTP in File Explorer.
Would be nice to have the SSH credentials managed by Windows Credentials Manager.Even with the RHEL firewall completely disabled, it has the same upper limit. SCP between the Solaris systems, with ipfilter running on both systems and both systems on completely different networks, is not a problem. Between Solaris and RHEL, same network but different subnet, RHEL with no firewall running (only while troubleshooting this, don't panic), still a problem. Using PuTTY SFTP from/to any of the systems is fine, even though on different networks. The mtu on the RHEL was the same as the Solaris systems (1500) - changing values on the RHEL increased the upper limit but still hit a ceiling. Only have one RHEL system so I can't see whether RHEL-RHEL transfers are affected, only those between Solaris, PuTTY on Windows, and the one RHEL system.
-
[SOLVED] a problem with gpg-agent and ssh keys
I'm baffled by a strangle problem:
My setup is as follows: I use gpg-agent with --enable-ssh-support, so that my ssh keys are handled by it. All was fine (when I ssh'ed to another machine, a pinentry window popped up, asked for a password, and if I entered the correct one, gpg-agent would decrypt its copy of my private ssh key and use it for identification). But: I needed to change my ssh key, and so I generated a new one. Next, I ssh-add'ed it to gpg-agent (one password to decrypt the private key, then twice another password for gpg-agent). I uploaded the public key to a server. The setup should be complete.
The problem is that when I ssh to a machine, a pinentry window comes up, but it does not accept my password (the one that I entered twice when ssh-add'ing the key). I tried adding with various different passwords (always deleting ~/.gnupg/private-keys-v1.d/*, since 'ssh-add -d ~/.ssh/id_rsa.pub' would not work for some reason - it would not make gpg-agent forget the key), different pinentry programs ( -qt4, -gtk-2, -curses), and still the same problems. Pinentry itself seems to work fine, since if I enter two different things when it asks for a new passphrase for the key, it detects that there's a problem.
So, can anyone help? What could I try (please don't post just to say that I could/should use ssh-agent, or keychain, or anything else. I have used various things, and I like this setup the most. It worked before, and I would like to find out why it stopped working and how to get it back to speed.)
Thanks.
Last edited by bender02 (2010-02-15 09:52:54)Thats a known bug with the new gpg version.
http://lists.gnupg.org/pipermail/gnupg- … 38045.html
You could use an older version of gpg or use a development version. -
How to unlock ssh keys with lxde
I'm running a minimal setup with lxde. What manages ssh keys under lxde? I want to have my user's key unlocked when logged in so I can ssh and scp at will.
Thanks!I have faced the same issue (with a WM like fluxbox/openbox, not LXDE).. There is no specific program that manages ssh keys in LXDE.
From my research, there are 3 possible solutions -
1) You can start the gnome-keyring (or is that seahorse) in LXDE (or any WM). This can manage your ssh keys
2) You can generate a new ssh key with empty passphrase.. That way, you will not be asked for passphrase everytime.. This is what I use.. Very simple to configure and use.. Note: The private key will be stored unencrypted on the disk if the passphrase is empty. It may be a security concern
3) Use "ssh-agent" and "ssh-add" command to remember the passphrase after you type it once..
You can use the snippet below:
$ eval `ssh-agent`
$ ssh-add [optional ssh private file if not ~/.ssh/id_rsa]
<enter passphrase>
More detailed configuration here - http://www.mtu.net/~engstrom/ssh-agent.php
Once you have done a ssh-add, the next time you can just start ssh-agent in the background. You can spawn an ssh-agent process when starting your X session. -
Problems with SSH: Connection Refused
Greetings fellow Arch users,
I have hit a bit of a snag that I could really use some extra help getting around. I've tried everything I can think of (and everything that Google thought might work) and I have my back rather against a wall, so I thought I'd come here to see if anyone can offer some advice.
To make a long story short, I am a college student and am attempting to set up an ssh server on a desktop at my house so I can access it remotely from the college. I have the computer set up and the server running, however I am having difficulty making connections to it from my laptop. I know that the server is running, because I can log into it both from the server itself (sshing into local host) and from my laptop when I use the internal IP address.
The server is on a static IP address within the network(192.168.0.75), and my router is configured to forward TCP port 1500 to it (I'm using 1500 as the port for my ssh server). However, when I attempt to log into the ssh server using my network's external IP address, the connection is refused. I used nmap to scan my network and found that, even though the proper ports are forwarded to the proper place as far as my Router's configuration interface is concerned, port 1500 is not listed as one of the open TCP ports. I also, to test it, temporarily disabled the firewalls on both the server and the client. That didn't help. The command that I am running is:
ssh -p 1500 douglas@[external ip address
As I am really not sure what is causing this problem, I don't know what information to provide. So here is everything that my inexperienced mind sees as likely being important. If you need anything more, let me know and I will do my best to provide it.
Here is the sshd_config file from my server.
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.
Port 1500
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
# The default requires explicit activation of protocol 1
#Protocol 2
# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024
# Ciphers and keying
#RekeyLimit default none
# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO
# Authentication:
#LoginGraceTime 2m
PermitRootLogin no
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
#RSAAuthentication yes
#PubkeyAuthentication yes
# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile .ssh/authorized_keys
#AuthorizedPrincipalsFile none
#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
# Change to no to disable s/key passwords
ChallengeResponseAuthentication no
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
PrintMotd no # pam does that
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
UsePrivilegeSeparation sandbox # Default for new installations.
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none
# no default banner path
#Banner none
# override default of no subsystems
Subsystem sftp /usr/lib/ssh/sftp-server
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# ForceCommand cvs server
The ouptut of ip addr when run on the server:
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: enp8s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
link/ether 00:21:9b:3a:be:94 brd ff:ff:ff:ff:ff:ff
inet 192.168.0.75/24 brd 192.168.255.0 scope global enp8s0
valid_lft forever preferred_lft forever
inet6 fe80::221:9bff:fe3a:be94/64 scope link
valid_lft forever preferred_lft forever
Here is the output from running nmap on the network:
Starting Nmap 6.40 ( http://nmap.org ) at 2013-09-28 21:05 EDT
Initiating Ping Scan at 21:05
Scanning address [2 ports]
Completed Ping Scan at 21:05, 0.01s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 21:05
Completed Parallel DNS resolution of 1 host. at 21:05, 0.05s elapsed
Initiating Connect Scan at 21:05
Scanning pa-addresss.dhcp.embarqhsd.net (address) [1000 ports]
Discovered open port 80/tcp on address
Discovered open port 443/tcp on address
Discovered open port 23/tcp on address
Discovered open port 21/tcp on address
Completed Connect Scan at 21:05, 4.08s elapsed (1000 total ports)
Nmap scan report for pa-address.dhcp.embarqhsd.net (address)
Host is up (0.036s latency).
Not shown: 995 closed ports
PORT STATE SERVICE
21/tcp open ftp
23/tcp open telnet
80/tcp open http
443/tcp open https
8080/tcp filtered http-proxy
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 4.19 seconds
Here is the ssh_config client-side:
# $OpenBSD: ssh_config,v 1.27 2013/05/16 02:00:34 dtucker Exp $
# This is the ssh client system-wide configuration file. See
# ssh_config(5) for more information. This file provides defaults for
# users, and the values can be changed in per-user configuration files
# or on the command line.
# Configuration data is parsed as follows:
# 1. command line options
# 2. user-specific file
# 3. system-wide file
# Any configuration value is only changed the first time it is set.
# Thus, host-specific definitions should be at the beginning of the
# configuration file, and defaults at the end.
# Site-wide defaults for some commonly used options. For a comprehensive
# list of available options, their meanings and defaults, please see the
# ssh_config(5) man page.
# Host *
# ForwardAgent no
# ForwardX11 no
# RhostsRSAAuthentication no
# RSAAuthentication yes
# PasswordAuthentication yes
# HostbasedAuthentication no
# GSSAPIAuthentication no
# GSSAPIDelegateCredentials no
# BatchMode no
# CheckHostIP yes
# AddressFamily any
# ConnectTimeout 0
# StrictHostKeyChecking ask
# IdentityFile ~/.ssh/identity
# IdentityFile ~/.ssh/id_rsa
# IdentityFile ~/.ssh/id_dsa
# Port 22
Protocol 2
# Cipher 3des
# Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc
# MACs hmac-md5,hmac-sha1,[email protected],hmac-ripemd160
# EscapeChar ~
# Tunnel no
# TunnelDevice any:any
# PermitLocalCommand no
# VisualHostKey no
# ProxyCommand ssh -q -W %h:%p gateway.example.com
# RekeyLimit 1G 1h
Output of ssh -v during connection attempt:
OpenSSH_6.3, OpenSSL 1.0.1e 11 Feb 2013
debug1: Reading configuration data /home/douglas/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug2: ssh_connect: needpriv 0
debug1: Connecting to address [address] port 1500.
debug1: connect to address address port 1500: Connection refused
ssh: connect to host address port 1500: Connection refused
Thank you guys ahead of time. Getting this server operational is hardly critical, it is just a side project of mine, but I would really like to see it working.
Douglas Bahr Rumbaugh
Last edited by douglasr (2013-09-29 02:58:56)Okay, so I finally have the opportunity to try and log in from a remote network. And. . . it doesn't work. Which is just my luck because I now need to wait an entire week, at least, before I can touch the server again. Anyway, running ssh with the maximum verbosity I get this output:
douglas ~ $ ssh -vvv -p 2000 address
OpenSSH_6.3, OpenSSL 1.0.1e 11 Feb 2013
debug1: Reading configuration data /home/douglas/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug2: ssh_connect: needpriv 0
debug1: Connecting to address [address] port 2000.
debug1: connect to address address port 2000: Connection timed out
ssh: connect to host address port 2000: Connection timed out
It takes a minute or two for the command to finish with the connection timeout, as one would expect. And yes, I am reasonably sure that the address that I am using is my home network's external IP. It is dynamic, but I checked it before I left which was just over an hour ago. I guess that it may have changed. I'll know that for sure in the morning, when my server sends me an automatic email with the network's current address. In the meantime I am operating under the assumption that the address I am using is correct. What else could be the problem? -
X11 Forwarding with SSH not working [SOLVED]
I'm trying to follow the X11 forwarding guide on the wiki but to no avail.
I'm using Putty and Xming from a Windows machine to SSH into the ArchLinux machine over my home network.
When I log in through SSH with X11 forwarding enabled, my display variable is set to "localhost:10.0". Running xclock gives me the following error: "Error: Can't open display: localhost:10.0".
I'm pretty sure Xming isn't the problem, since if I manually change the DISPLAY variable to "[my windows machine IP]:0.0", I can run xclock and see it appear.
From what I can see, it should be working.
Complete sshd_config below:
# $OpenBSD: sshd_config,v 1.87 2012/07/10 02:19:15 djm Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
# The default requires explicit activation of protocol 1
#Protocol 2
# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024
# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO
# Authentication:
#LoginGraceTime 2m
PermitRootLogin no
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
#RSAAuthentication yes
#PubkeyAuthentication yes
# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile .ssh/authorized_keys
#AuthorizedPrincipalsFile none
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
# Change to no to disable s/key passwords
ChallengeResponseAuthentication no
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes
#AllowAgentForwarding yes
AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
X11DisplayOffset 10
X11UseLocalhost yes
PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
UsePrivilegeSeparation sandbox # Default for new installations.
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /run/sshd.pid
#MaxStartups 10
PermitTunnel yes
#ChrootDirectory none
#VersionAddendum none
# no default banner path
Banner /etc/issue
# override default of no subsystems
Subsystem sftp /usr/lib/ssh/sftp-server
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# ForceCommand cvs server
Last edited by gixr (2013-01-11 22:37:35)It's easy.
Start Xming.
Configure SSH (here's my confg):
# $OpenBSD: sshd_config,v 1.84 2011/05/23 03:30:07 djm Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.
Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
# The default requires explicit activation of protocol 1
#Protocol 2
# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024
# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO
# Authentication:
#LoginGraceTime 2m
PermitRootLogin no
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
#RSAAuthentication yes
#PubkeyAuthentication yes
# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile .ssh/authorized_keys
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
# Change to no to disable s/key passwords
ChallengeResponseAuthentication no
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes
#AllowAgentForwarding yes
AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /run/sshd.pid
#MaxStartups 10
#PermitTunnel no
#ChrootDirectory none
# no default banner path
#Banner none
# override default of no subsystems
Subsystem sftp /usr/lib/ssh/sftp-server
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# ForceCommand cvs server
Putty setting: http://i.ztjuh.tk/20130111075624803.png
Click on Open and run your program
Last edited by Ztjuh (2013-01-11 08:01:00) -
Hi All,
I have a small doubt regarding Sender sFTP Adapter. This is what we have done to connect with one of Vendor
1. Basis created a SSH key in NWA for Vendor and sent to them.
2. They linked the SSH key with user name and asked me to use the same.
3. We got the firewalls openepd b/w PI and Vendor
4. I provided the same detail in sFTP adapter, but I am not able to connect,
I am getting below error:
Error: Cannot connect to SFTP server. Host=########, port=22, username=#####. Private key store=########, private key alias=piPKCS12. Timeout=300000 msecs. Absolute home directory=.: KeyStoreException in Method: getPrivateKey( KeyStore, String, String ). The requested keystore type is not available in the default provider package or any of the other provider packages that were searched. (Software version: 3.0.14.2)
Please provide your inputs.
Regards,
Sachin DhingraHi,
The first thing you have to do is use the same userid and the pwd and try to connect to the vendor system from your application layer and see if this is connecting or not. If there is a problem in connection then there are few steps that you have to follow. Below are the steps you need to follow:
1. Open the port from your Vendor side as well as open the port from your XI system(there might be two ports)
2. Generate the key of your vendor system and one you started login to the system then it will ask to instal the key , so acept it.
the IS people can help you out over here.
3. Try to push the one dummy file in that location manually using the command in application layer.
4. check the authorization in the target directory and try to provide the proper authorization,, 777 is used for full authorization.
5. use the same useid and the pwd and then try from your xi system processign a dummy file.
hope this helps.
cheers,
jay -
BizTalk Server 2013 SFTP Adapter with private key - Did not poll any files
Hello,
We have a requirement to connect SFTP secure site with the private key and polling files. Initially I have
tested BizTalk Server 2013 SFTP Adapter receiver Port using Bitvise SSH SFTP Server tool and it was working perfectly in our local network environment( with public private key authentication).
However when we connected to Client SFTP server with private key authentication, It successfully connected to SFTP Server but
did not poll any files from SFTP Site. I added only one file to SFTP Server ( 145 kb file) for testing purpose.
However BizTalk Server 2013 SFTP Send Adapter is working well with the same configuration.
I could not find any errors in Event viewer also. I can download\upload file using WinSCP tool .
So I downloaded nSoftware SFTP Adapter trial version and deployed on server. nSoftware SFTP adapter is also working find
without any issues for Client SFTP Site.
This is the configuration on SFTP Receive Adapter
This is how SFTP Server download folder permission configured. I have got this details using WinSCP tool.
<o:p></o:p>
Appreciate your help on this.<o:p></o:p>
Thanks<o:p></o:p>
PrabathD<o:p></o:p>BizTalk Adapter for SFTP is where the polling logic is implemented. It is not part of the SFTP Client logic. any SFTP Client is for User Interaction and you do what you want/when you want.
The BizTalk Receive however is for purposes of automation and the adapter polls the receive location using the credentials every polling interval to check for the files matching the filter. When it find a file, it will read and publish to message box or
submit to pipeline for processing. Your setting the polling interval to 0 (ZERO) might actually be disabling the polling.
Set your poll interval to a non-zero value and check the behavior.
Regards. -
Prime Infrastructure 2.0 "Wrong CLI Credentials" error with known good credentials
In the device work center sometimes devices show up with "wrong CLI credentials". Even when I change to known good SSH credentials and click the update & sync button the error does not go away.
Has anyone else had this issue? Does anyone know a workaround?
It seems absurd that you would not be able to edit the SSH credentials of devices.ok, tried all that was said here. Nothing worked ... I do have banners, but no # sign ... removed them anyways ... then thinking about the banners might be causing issues for what PI expects ... (i do have my prompts changed to mask the platform) ... so i defaulted back to regular prompts ... WORKED !!!!
So here is what works for me ... no banners, no custom prompts AND device added through the 'classic theme'.
I presume the expectation is that the device begins with minimal config ... the rest is pushed through the config templates deployment. But have the developers thought of existing devices ? is it IOS version related (target device) or simply a bug.
BTW, PI v2.1
Edit --- needing to clarify, for some models (namely UC520) ... removed banner, custom prompts and i could add it comfortably through the Lifecycle interface.
Others (3550), could be inserted easily with banners and custom prompts ... rather inconsistent, though at least , i have working recipes.
Thanks for the help all :) -
GPG-AGENT "ignoring" pinentry program? wrong pinentry app for ssh-keys
Hi!
I am using gpg-agent to handle my gpg keys and wanted it to handle my ssh keys too, since it is running anyway.
it works perfectly fine with gpg keys, my pinentry program is pinentry-qt4 , upon request that window pops up for me to enter my passphrase.
as window manager i use awesome wm.
however, when i try to use my ssh key, e.g. for github, no pinentry program pops up and in xterm it looks like:
[me@mybox dotfiles]$ git push origin master
it seems that is is waiting for my passphrase input but it isnt asking for it. neither does it accept it.
when i quit my WM, i see that it executed the pinentry program directly in my tty1, to which i do not have access while running my WM.
my gpg-agent.conf:
me@mybox ~/.gnupg> cat gpg-agent.conf
default-cache-ttl 300
max-cache-ttl 7200
pinentry-program /usr/bin/pinentry-qt4
how do i get gpg-agent to respect my pinentry choice for my ssh keys as well?
thanks for your time !I use this
$ cat /etc/kde/env/gpg-agent-startup.sh
#!/bin/sh
# see https://wiki.archlinux.org/index.php/SSH_Keys
GPG_AGENT=/usr/bin/gpg-agent
## Run gpg-agent only if not already running, and available
if [ -x "${GPG_AGENT}" ] ; then
# check validity of GPG_SOCKET (in case of session crash)
GPG_AGENT_INFO_FILE=${HOME}/.gpg-agent-info
if [ -f "${GPG_AGENT_INFO_FILE}" ]; then
GPG_AGENT_PID=`cat ${GPG_AGENT_INFO_FILE} | grep GPG_AGENT_INFO | cut -f2 -d:`
GPG_PID_NAME=`cat /proc/${GPG_AGENT_PID}/comm`
if [ ! "x${GPG_PID_NAME}" = "xgpg-agent" ]; then
rm -f "${GPG_AGENT_INFO_FILE}" 2>&1 >/dev/null
else
GPG_SOCKET=`cat "${GPG_AGENT_INFO_FILE}" | grep GPG_AGENT_INFO | cut -f1 -d: | cut -f2 -d=`
if ! test -S "${GPG_SOCKET}" -a -O "${GPG_SOCKET}" ; then
rm -f "${GPG_AGENT_INFO_FILE}" 2>&1 >/dev/null
fi
fi
unset GPG_AGENT_PID GPG_SOCKET GPG_PID_NAME SSH_AUTH_SOCK
fi
if [ -f "${GPG_AGENT_INFO_FILE}" ]; then
eval "$(cat "${GPG_AGENT_INFO_FILE}")"
eval "$(cut -d= -f 1 "${GPG_AGENT_INFO_FILE}" | xargs echo export)"
export GPG_TTY=$(tty)
else
eval "$(${GPG_AGENT} -s --enable-ssh-support --daemon --pinentry-program /usr/bin/pinentry-qt4 --write-env-file)"
fi
fi
I think I could probably use the /etc/profile.d location but when I first set it up, kde was already running gpg-agent so I adapted its file. Later, I uninstalled the thing which does that in kde and just kept my own customised version.
Are you sure that your xinitrc isn't starting a second gpg-agent?
Maybe you are looking for
-
How do I stop Flex from transferring underscore prefixed folders to the bin?
I started using Flex Builder 3 only recently. There is a behavior I want to change. Flex apparently looks for folders that have underscore in front of their names (e.g. _docs_, and _demos_) inside the libraries on the project path, and transfers them
-
Hi all, at work we are facing with following problem. We are trying to set composite sensors on an exposed service. For a specific requirement the wsdl exposed has a message with three parts like below: +<wsdl:message name="requestMessage">+ +<wsdl:p
-
MIRO document Number range buffering problem
Dear all, My MIRO document number is not following the sequence. if my first 5 numbers come in a sequence, then the next 5 numbers are not coming in between. Instead, the next 5 numbers are coming. It might be due to number range buffering problem. H
-
CS3 software updates - how to check
Hi all. Could someone please tell me how I go about checking for software updates with CS3? For instance its easy for Mac OSX, you just click on 'software update' in system preferences, but I'm not sure how to do it in CS3? Any help would be most wel
-
Recently we have purchased Solaris 9_x86 and installed it on the new server machine with IntelPro100 NIC. Unfortunately, our fresh installed sol cannot make any network connection. I have browsed several days for corresponding driver or patches, but