Ssh keys and gnupg keys from wiki instructions...
following first the gnupg instructions and then ssh keys I've managed to get several instances of gpg-agent running.
[root@frylock ~]# ps aux | grep agent
root 2764 0.0 0.0 4208 432 ? Ss 11:15 0:00 ssh-agent
xtian 2785 0.0 0.1 3500 972 ? Ss 11:18 0:00
gpg-agent -s --enable-ssh-support --daemon
--write-env-file /home/frylock/xtian/.gnupg/gpg-agent.env
root 2958 0.0 0.0 3168 688 ? Ss 11:39 0:00
gpg-agent -s --enable-ssh-support --daemon
--write-env-file /root/.gnupg/gpg-agent.env
root 3036 0.0 0.0 4740 392 ? Ss 11:43 0:00 gpg-agent --daemon
root 3186 0.0 0.0 4740 388 ? Ss 11:53 0:00 gpg-agent --daemon
root 3299 0.0 0.0 4740 388 ? Ss 11:58 0:00 gpg-agent --daemon
root 3549 0.0 0.0 4740 392 ? Ss 12:54 0:00 gpg-agent --daemon
This I can resolve by going back over the instructions--a fifth time. But what I don't understand, why my user account owner of a running process when I'm only logged in one tty as root?
//EDIT: Clarify the login scenario
// EDIT: the code block is cutting off line
Last edited by xtian (2013-09-07 14:20:00)
xtian wrote:
cfr wrote:For example, I don't include the code in ~/.xinitrc or in /etc/profile.d precisely because I'm starting the agent somewhere else.
That's just it. I'm not starting it somewhere else. According to the wiki, its being called from .xinitrc and that's where the call is made to the script in profile.d, I think. Unless the script in /etc/profile.d is starting the script automatically?? I don't know.
Yes. The script you have in /etc/profile.d will start it automatically. I have a similar script in /etc/kde/env and that is all I use. I don't need anything in ~/.xinitrc (or kde's autostart stuff or whatever). At least, this is true provided those scripts are sourced. What you definitely do not want is the line you currently have in ~/.xinitrc which does not check to see if an instance of gpg-agent is already running.
This is what I use:
$ cat /etc/kde/env/gpg-agent-startup.sh
#!/bin/sh
# see https://wiki.archlinux.org/index.php/SSH_Keys
GPG_AGENT=/usr/bin/gpg-agent
## Run gpg-agent only if not already running, and available
if [ -x "${GPG_AGENT}" ] ; then
# check validity of GPG_SOCKET (in case of session crash)
GPG_AGENT_INFO_FILE=${HOME}/.gpg-agent-info
if [ -f "${GPG_AGENT_INFO_FILE}" ]; then
GPG_AGENT_PID=`cat ${GPG_AGENT_INFO_FILE} | grep GPG_AGENT_INFO | cut -f2 -d:`
GPG_PID_NAME=`cat /proc/${GPG_AGENT_PID}/comm`
if [ ! "x${GPG_PID_NAME}" = "xgpg-agent" ]; then
rm -f "${GPG_AGENT_INFO_FILE}" 2>&1 >/dev/null
else
GPG_SOCKET=`cat "${GPG_AGENT_INFO_FILE}" | grep GPG_AGENT_INFO | cut -f1 -d: | cut -f2 -d=`
if ! test -S "${GPG_SOCKET}" -a -O "${GPG_SOCKET}" ; then
rm -f "${GPG_AGENT_INFO_FILE}" 2>&1 >/dev/null
fi
fi
unset GPG_AGENT_PID GPG_SOCKET GPG_PID_NAME SSH_AUTH_SOCK
fi
if [ -f "${GPG_AGENT_INFO_FILE}" ]; then
eval "$(cat "${GPG_AGENT_INFO_FILE}")"
eval "$(cut -d= -f 1 "${GPG_AGENT_INFO_FILE}" | xargs echo export)"
export GPG_TTY=$(tty)
else
eval "$(${GPG_AGENT} -s --enable-ssh-support --daemon --pinentry-program /usr/bin/pinentry-qt4 --write-env-file)"
fi
fi
In any case, your script should check for the environment file and only start an instance of the agent if it doesn't exist.
I'ts not my script. I'm not up on BASH scripts. This one is from the wiki page. Isn't this script checking just that in this IF clause:
if test -f "$envfile" && kill -0 $(grep GPG_AGENT_INFO "$envfile" | cut -d: -f 2) 2>/dev/null; then
eval "$(cat "$envfile")"
Yes. But the line you have in ~/.xinitrc does NOT check this. It just starts an instance of gpg-agent as a daemon.
Similar Messages
-
Software Raid and Kernel Panic (from wiki page) [SOLVED]
I am trying to setup a RAID 5 array using the instructions on the wiki:
http://wiki.archlinux.org/index.php/Ins … AID_or_LVM
I get through the instructions (have actually done it several times now) and get the following error:
io scheduler deadline registered
io scheduler cfq registered
FDC 0 is a post-1991 82077
RAMDISK driver initialized: 16 RAM disks of 8192K size 1024 blocksize
loop: loaded (max 8 devices)
mice: PS/2 mouse device common for all mice
NET: Registered protocol family 2
IP route cache hash table entries: 65536 (order: 6, 262144 bytes)
TCP establised hash table entries: 262144 (order: 9,3145728 bytes)
input: AT Translated Set 2 keyboard on isa0060/serio0
TCP bind hash table entries: 65536 (order: 7, 786432 bytes)
TCP: Hash tables configured (established 262144 bind 65536)
TCP reno registered
TCP bic registered
NET: Registered protocol family 1
NET: Registered protocol family 10
Disabled Privacy Extensions on device c03f6580(lo)
IPv6 over IPv4 tunneling driver
NET: Registered protocol family 17
Starting balanced_irq
Using IPI Shortcut mode
VFS: Cannot open root device "md0" or unknown-block(0,0)
Please append a correct "root=" boot option
Kernel panic - not syncing: VFS: Unable to mount root fs on unknown-block(0,0)
The grub menu.lst
root (hd0,0)
kernel /vmlinuz26 root=/dev/md0 ro
I setup three partitions on IDE drives
/dev/md0 - root (8 GB / drive)
/dev/md1 - boot (100 MB / drive)
/dev/md2 - swap (1 GB / drive)
I have three drives for the area with three partitions on each:
hda1 - boot
hda2 - swap
hda3 - root
I did skip the LVM step in the wiki pages.
fstab
none /dev/pts devpts defaults 0 0
none /dev/shm tmpfs defaults 0 0
/dev/cdrom /mnt/cd iso9660 ro,user,noauto,unhide 0 0
/dev/cdrom /mnt/dvd udf ro,user,noauto,unhide 0 0
/dev/fd0 /mnt/fl vfat user,noauto 0 0
/dev/md0 / reiserfs defaults 0 0
/dev/md2 swap swap defaults 0 0
/dev/md1 /boot reiserfs defaults 0 0
mkinintrd.conf
REMOVE_IDE=
REMOVE_SCSI=
REMOVE_SATA=1
REMOVE_CDROM=
REMOVE_USB=1
REMOVE_FW=1
REMOVE_RAID=
REMOVE_CRYPT=1
REMOVE_FS=
REMOVE_DM=
RAID_ROOT_ARRAY="md0"
RAID_ROOT_DEVICES="/dev/hda3 /dev/hdb3 /dev/hdc3"
HOSTCONTROLLER_IDE=
HOSTCONTROLLER_SCSI=
HOSTCONTROLLER_SATA=
HOSTCONTROLLER_USB=
FILESYSTEMS=
CRYPT_DEVICE=
ADD_MODULE=
REMOVE_MODULE=
The system is a dual PIII using the arch ISO 7.1 release.
Any thoughts on what is wrong with my setup? Or something I can try. I'm game for just about anything in my test environment to try and get it working.
Thanks,
Chris....After the basketball games where over tonight I had a thought (and a little research). The install iso I was using was a pre-release of 0.7.1. When I downloaded the real mccoy and did a fresh install following the instructions on the wiki, all worked flawlessly!
Chris.... -
ASA 5510 - Version 8.2(1) - SSH, ICMP and NAT not working
I have an ASA 5510 using version 8.2(1) and I have enabled ssh, icmp and they work from the inside network but not from the outside network.
Further to this, I exposed one site from the inside interface on the ASA (192.168.1.100) to outside (1.1.1.7) using NAT and it is not pingable nor accessible from the outside. I also allowed SSH from the outside network to the external IP addresses of the ASA and it is not working either. Any ideas what I could be missing in my configuration? I bolded the configurations involved in the ASA running configuration I copied below (please note I have replaced the real IP addresses with 1.1.1.x and 2.2.2.x):
ASA Version 8.2(1)
hostname fw
domain-name net.com
enable password eYKAfQL1.ZSbcTXZ encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
interface Ethernet0/0
description Primary Outside (Internet)
speed 10
duplex full
nameif outside
security-level 0
ip address 1.1.1.5 255.255.255.240
ospf cost 10
interface Ethernet0/1
description inside
speed 100
duplex full
nameif inside
security-level 100
ip address 192.168.1.254 255.255.255.0
ospf cost 10
interface Ethernet0/2
description WLAN
nameif WLAN
security-level 100
ip address 192.168.108.240 255.255.255.0
ospf cost 10
interface Ethernet0/3
description Secondary Outside (Internet)
speed 100
duplex full
nameif WAN2
security-level 0
ip address 2.2.2.133 255.255.255.192
interface Management0/0
description LAN/STATE Failover Interface
time-range after_hours
periodic weekdays 7:00 to 23:00
boot system disk0:/asa821-k8.bin
no ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup WLAN
dns server-group DefaultDNS
retries 3
timeout 5
name-server 8.8.8.8
name-server 206.191.0.210
name-server 4.2.2.1
name-server 4.2.2.2
domain-name net.com
access-list WAN2_access_in extended permit icmp any any echo-reply
access-list WAN2_access_in extended permit icmp any any time-exceeded
access-list WAN2_access_in extended permit icmp any any source-quench
access-list WAN2_access_in extended permit icmp any any unreachable
access-list WLAN_access_in extended permit icmp any any echo-reply
access-list WLAN_access_in extended permit icmp any any time-exceeded
access-list WLAN_access_in extended permit icmp any any source-quench
access-list WLAN_access_in extended permit icmp any any unreachable
access-list WLAN_access_in extended permit tcp host 192.168.1.100 eq ssh any
access-list WLAN_access_in extended permit tcp 192.168.1.0 255.255.255.0 host 192.168.1.100 eq ssh
access-list WLAN_access_in extended permit ip any any
access-list time_based extended permit ip any any time-range after_hours
access-list split_tunnel standard permit host 206.191.0.210
access-list split_tunnel standard permit host 206.191.0.140
access-list split_tunnel standard permit host 207.181.101.4
access-list split_tunnel standard permit host 207.181.101.5
access-list split_tunnel standard permit 192.168.1.0 255.255.255.0
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit icmp any any time-exceeded
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp any host 1.1.1.7 eq ssh
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit tcp any host 192.168.1.100 eq ssh
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended permit icmp 192.168.1.0 255.255.255.0 any
access-list inside_access_in extended permit ip 192.168.1.0 255.255.255.0 any
access-list inside_access_in extended permit tcp 192.168.1.0 255.255.255.0 host 192.168.1.100 eq ssh
pager lines 20
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu WLAN 1500
mtu WAN2 1500
ip local pool DHCP 192.168.1.245-192.168.1.252 mask 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface WAN2
failover
failover lan unit secondary
failover lan interface FO Management0/0
failover key *****
failover link FO Management0/0
failover interface ip FO 192.168.255.171 255.255.255.0 standby 192.168.255.172
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
icmp permit any WLAN
icmp permit any WAN2
asdm image disk0:/asdm-621.bin
asdm history enable
arp timeout 14400
global (outside) 1 interface
global (WAN2) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
nat (WLAN) 1 192.168.108.0 255.255.255.0
static (inside,outside) 1.1.1.7 192.168.1.100 netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group WLAN_access_in in interface WLAN
access-group WAN2_access_in in interface WAN2
route outside 0.0.0.0 0.0.0.0 1.1.1.1 1
route WAN2 0.0.0.0 0.0.0.0 2.2.2.129 254
route inside 192.168.1.100 255.255.255.255 192.168.1.0 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.108.0 255.255.255.0 WLAN
http 192.168.1.0 255.255.255.0 inside
http 192.168.1.101 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sla monitor 123
type echo protocol ipIcmpEcho 4.2.2.2 interface outside
num-packets 3
timeout 1000
frequency 3
service resetoutside
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
track 1 rtr 123 reachability
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
telnet timeout 5
ssh scopy enable
ssh 2.2.2.132 255.255.255.255 outside
ssh 69.17.141.134 255.255.255.255 outside
ssh 192.168.1.0 255.255.255.0 inside
ssh 192.168.1.100 255.255.255.255 inside
ssh 192.168.108.0 255.255.255.0 WLAN
ssh timeout 60
console timeout 0
management-access inside
dhcpd address 192.168.108.11-192.168.108.239 WLAN
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp authenticate
ntp server 128.100.100.128
ntp server 132.246.168.148
ntp server 128.100.56.135
tftp-server inside 192.168.1.100 /
webvpn
group-policy Wifi internal
group-policy Wifi attributes
wins-server none
dns-server value 206.191.0.210 206.191.0.140
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split_tunnel
tunnel-group Wifi type remote-access
tunnel-group Wifi general-attributes
address-pool DHCP
default-group-policy Wifi
tunnel-group Wifi ipsec-attributes
pre-shared-key *
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
inspect icmp error
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
service-policy global_policy global
prompt hostname context
Cryptochecksum:ac25ef0642e0ecb8f0ef63219833f3ae
: end
asdm image disk0:/asdm-621.bin
asdm location 192.168.1.245 255.255.255.255 inside
asdm location 192.168.1.252 255.255.255.255 inside
asdm history enableHi,
I can't see any problems right away in the configuration.
I guess we could start by using the "packet-tracer" to simulate the SSH and ICMP through the firewall
packet-tracer input outside tcp 1.1.1.1 12345 22
packet-tracer input outside icmp 1.1.1.1 8 0
Don'd mind the source address of 1.1.1.1. Its just an address that is located behind "outside" interface according to the ASA routing table. (As the configurations 1.1.1.0/28 is not actually configured on the ASA)
Share the exact "packet-tracer" command used (wihtout the public IP, notice that the output contains the public IP also) and the output of the command with us here.
Also, have you made sure that there is no old translations active on the ASA?
You can use this command to view those
show xlate local 192.168.1.100
You can clear the xlates with
clear xlate local 192.168.1.100
- Jouni -
Setup advice for rsync, ssh keys and launchd - all for remote webserver backup
Hi There,
This is the first time I'm doing this and I have limited command line experience but I need to setup a automatic backup of our webservers.
rsync
I have 4x rsync commands that work when run from the command line manually - here is an example, they just pull files from a few directories:
sudo rsync -avzO -e ssh [email protected]:/backups/ /Volumes/ServerVolume/webserver-backups/DEV/mysql/
I had issues with writing the files locally when running the above so had to do it as root and also add -O (-avzO). But because I need to run these automaticlly, I'm worried that running them as root will require a password - is that correct?
Also, while I've setup ssh keys, I feel unsure this has been done correctly - how do I test this properly?
launchd
While I've set up cron jobs on the webserver (a mysql dump) I don't have any experience with launchd and feel a bit out of my depth after reading the pages here:
http://developer.apple.com/library/mac/#documentation/MacOSX/Conceptual/BPSystem Startup/Chapters/ScheduledJobs.html
http://developer.apple.com/library/mac/#documentation/MacOSX/Conceptual/BPSystem Startup/Chapters/CreatingLaunchdJobs.html#//apple_ref/doc/uid/TP40001762-104142
http://developer.apple.com/library/mac/#documentation/Darwin/Reference/ManPages/ man8/launchd.8.html#//apple_ref/doc/man/8/launchd
I'm guessing I need to:
Somehow make the rsync command a file that wil execute in Terminal - do I just put it in a file and give it a .sh extension?
Create a launchd Property List File that will run the script at certain times
Somehow register the Property List File with launchd so it runs
Or maybe I should just use Automator and iCal?
I did try getting automator to run the rsync commands in terminal from iCal (I just pasted the commands straight in and set automator to pass them as arguments) but it doesn't seem to launch terminal so if there are errors, I can't see what they are. Because they started though, I think my SSH keys are setup.
Maybe it would just be better to figure out what is wrong with rsync commands and the permissions and just make these all run unattented from iCal?
Any help or suggestions would be much appreciated.
Cheers
BenHi There,
This is the first time I'm doing this and I have limited command line experience but I need to setup a automatic backup of our webservers.
rsync
I have 4x rsync commands that work when run from the command line manually - here is an example, they just pull files from a few directories:
sudo rsync -avzO -e ssh [email protected]:/backups/ /Volumes/ServerVolume/webserver-backups/DEV/mysql/
I had issues with writing the files locally when running the above so had to do it as root and also add -O (-avzO). But because I need to run these automaticlly, I'm worried that running them as root will require a password - is that correct?
Also, while I've setup ssh keys, I feel unsure this has been done correctly - how do I test this properly?
launchd
While I've set up cron jobs on the webserver (a mysql dump) I don't have any experience with launchd and feel a bit out of my depth after reading the pages here:
http://developer.apple.com/library/mac/#documentation/MacOSX/Conceptual/BPSystem Startup/Chapters/ScheduledJobs.html
http://developer.apple.com/library/mac/#documentation/MacOSX/Conceptual/BPSystem Startup/Chapters/CreatingLaunchdJobs.html#//apple_ref/doc/uid/TP40001762-104142
http://developer.apple.com/library/mac/#documentation/Darwin/Reference/ManPages/ man8/launchd.8.html#//apple_ref/doc/man/8/launchd
I'm guessing I need to:
Somehow make the rsync command a file that wil execute in Terminal - do I just put it in a file and give it a .sh extension?
Create a launchd Property List File that will run the script at certain times
Somehow register the Property List File with launchd so it runs
Or maybe I should just use Automator and iCal?
I did try getting automator to run the rsync commands in terminal from iCal (I just pasted the commands straight in and set automator to pass them as arguments) but it doesn't seem to launch terminal so if there are errors, I can't see what they are. Because they started though, I think my SSH keys are setup.
Maybe it would just be better to figure out what is wrong with rsync commands and the permissions and just make these all run unattented from iCal?
Any help or suggestions would be much appreciated.
Cheers
Ben -
[SOLVED] a problem with gpg-agent and ssh keys
I'm baffled by a strangle problem:
My setup is as follows: I use gpg-agent with --enable-ssh-support, so that my ssh keys are handled by it. All was fine (when I ssh'ed to another machine, a pinentry window popped up, asked for a password, and if I entered the correct one, gpg-agent would decrypt its copy of my private ssh key and use it for identification). But: I needed to change my ssh key, and so I generated a new one. Next, I ssh-add'ed it to gpg-agent (one password to decrypt the private key, then twice another password for gpg-agent). I uploaded the public key to a server. The setup should be complete.
The problem is that when I ssh to a machine, a pinentry window comes up, but it does not accept my password (the one that I entered twice when ssh-add'ing the key). I tried adding with various different passwords (always deleting ~/.gnupg/private-keys-v1.d/*, since 'ssh-add -d ~/.ssh/id_rsa.pub' would not work for some reason - it would not make gpg-agent forget the key), different pinentry programs ( -qt4, -gtk-2, -curses), and still the same problems. Pinentry itself seems to work fine, since if I enter two different things when it asks for a new passphrase for the key, it detects that there's a problem.
So, can anyone help? What could I try (please don't post just to say that I could/should use ssh-agent, or keychain, or anything else. I have used various things, and I like this setup the most. It worked before, and I would like to find out why it stopped working and how to get it back to speed.)
Thanks.
Last edited by bender02 (2010-02-15 09:52:54)Thats a known bug with the new gpg version.
http://lists.gnupg.org/pipermail/gnupg- … 38045.html
You could use an older version of gpg or use a development version. -
DS 6.3 ssh key and password expiration warnings
I suspect this may be more of an ssh issue than a DS issue, but has anyone managed a configuration that will give users logging in with ssh keys, password expiration or reset warnings?
In my setup, using compat mode in nsswitch.conf, native ldap logins work as expected for users entering their password. - That is, they are forced to change the password after an admin reset, receive "your password will expire" warnings, based on the expiration period set in DS (password policies in DS 6 mode, migrated from DS 5.2), etc.
If a user has an ssh authorized_key entry, they can login without a password, as long as their password is not expired, or been reset by an admin. They are never shown the warning messages, but are allowed to connect, and then immediately logged off, if their password has expired, passed the number of grace logins, or been reset.
The user can only login if they start from a different username and bypass the ssh key check.
Hope this makes sense.After running various debug modes, I'm beginning to believe that the Directory Server may only issue the warning messages if a password has been typed, and validated in the directory. Since no password is enered when using an ssh key, the warnings aren't triggered.
-
Key-based SSH Authentication and AFP Home Directories
I'm setting up some users with AFP home directories (hosted on an Xserve, with a couple of G5 towers as Open Directory clients). When logging in on the console on a G5 tower, the home directories work fine. The users can SSH into the Xserve using SSH key authentication. However, the users can not SSH into the G5 towers using SSH key authentication, and are instead asked for passwords - presumably because the AFP home directory is mounted with guest access (and thus the keys are unreadable) before the password is entered.
Is there a known workaround for this? A different way of setting up the home directory mounting? I don't particularly want to go the mobile home directory route, because (among other things), as far as I know, mobile home directories only sync when a user logs into the GUI. If that's not the case (that is, if they will sync when a user logs into the machine with SSH), then I guess that would be a reasonable solution.
Thanks in advance for any suggestions!That was just speculation on my part; I'm not sure exactly what's happening. I do know that until the user authenticates, the entire automount is mounted with guest access... and that the user can't authenticate until the key file can be read. It may be the case that I was just encountering some transient failure or the like, however.
-
I have multiple iPhoto libraries on my Macbook Air 10.7.5 and when I am selecting which library to view (hold down 'option' key and launch iPhoto from the dock) it automatically closes another open application window eg. Chome, Word. 1 app closes every time I launch iPhoto this way.
If you're pushing Option at the exact moment you're clicking the Dock icon, it's supposed to do that. Wait until just after clicking it.
(112342) -
How can i remove a key and its value from properties file
hi all,
i want remove a particular key and associated value from the
properties file. is their any standard way of doing?
thanks inadvance
dayahi,
thanks
i am able to remove the key,
one more question how can avoid storing date and time
in properties file.
thanks
daya -
After updating to LR 1.3.1 yesterday I found a very strange behaviour that I cannot explain: While in the Library module and looking at a picture from a collection (in loupe mode) I cycle through the different light modes using the L key. Then suddenly (after several hits of the L key) a keyword is added (not always the same keyword) and at the same time an unknown number of pictures is removed from the collection. The keyword is not added to the picture I was currently viewing, but to another one from the same collection. This has not happened before and I have no idea what is going on. I can restore the collection by relaunching an older catalog but of course this does not solve the problem. Can anybody help?
(PC, Win XP prof SP 2, 4 Gig RAM)It is possible that instead of hitting the l key, or perhaps within the same sequence of hits your are in fact accidentally hitting the k key.
K is the shortcut for "Add shortcut keyword"
Of course you would have had to set that particular keyword at some point and it does not explain the different keywords being assigned.
Unless the alt key was involved somehow and you were rating the images with 1-9 numbers. That would account for different keywords being assigned and would seem arbitrary.
To check: look at one or two of the images that you may have rated using a number key and then look at the keyword set the keyword came from. Press the alt key and a number from 1-9 will appear next to the keyword. If they match then thats the answer.
If you weren't rating the images this way then.....??
Perhaps there is a fault with the keyboard itself rather than the program.
David -
Using keys to search and retrieve values from HashMap
I've been fiddling around with this problem for a while and can't seem to find any working solution. What I have is a method that I want to return all values from a HashMap, but instead of using the regular keys for a HashMap (0, 1, 2, 3), my keys are different numbers such as 51414, 62513, etc.
public Car[] getAllCars() {
Map<Integer, Car> myCars = system.getCars(); //getCars() returns HashMap of Car objects from another class
Car[] c = new Car[myCars.size()];
if(myCars.size()!=0) // ensure map is populated
for(int i=0; i<myCars.size(); i++)
myCars.get(i);
return c;
}So what's happening at the moment is it loops through myCars and gets some values, but only those ones at the keys of 0-15 (the size of the Map). What I need is to get the Keys from myCars and use them to return all Car objects. The HashMap API has something called KeySet() which I think could help me, but I can't get that working.
Any ideas?DiscoInferno wrote:
Short of an SSCCE I think this might more accurately describe what I'm after.
public Car[] getAllCars() {
Map<Integer, Car> myCars = system.getCars(); //getCars() returns HashMap of Car objects from another class
Car[] c = new Car[myCars.size()];
Set<Integer> s = holds.keySet();
Iterator keyIter = s.iterator();
if(myCars.size()!=0)
while (keyIter.hasNext()) {
Object key = keyIter.next();
Car cc = myCars.get(key);
System.out.println(myCars.get(key));
return null;
}What that does is gets the Car object that matches the specified key. What I need is for it to be returnable as an array of Car objects. I don't want it to print, but the output that is printed is basically what I want to be returned to an array.First, I'm not sure how you managed to find keySet() and not find values().
Second, okay, so you know how to get each value. Do you not know how to set a value in an array? Do you not know how to return a value from a method? Google can help you find tutorials for those. Otherwise, I have no idea what difficulty you're having. -
Writing and retrieving RSA keys from a file
Hello all,
I'm trying to write a generated RSAPublicKey and RSAPrivateKey to a file, and then, later retrieve them.
I thought I could use ObjectInput/OutputStream to do that, but when I do so I get the exception java.io.NotSerializableException: java.io.ObjectOutputStream
(I'm surprised, because RSAPublic/PrivateKey are serializable, aren't they ?).
If this is not the way to do it, I do not know how (no key constructor reading from byte [] ...).
Can somebody please help me ?
Thanks,
Axelle.Hi,
Can we generate public and private keys from fingerprint?
where can i find a piece of code to view how it is.
Thanks,
Ganesh -
Please add SSH, SFTP and SCP in CMD and File Explorer.
Also, allow us to copy to FTP in File Explorer.
Would be nice to have the SSH credentials managed by Windows Credentials Manager.Even with the RHEL firewall completely disabled, it has the same upper limit. SCP between the Solaris systems, with ipfilter running on both systems and both systems on completely different networks, is not a problem. Between Solaris and RHEL, same network but different subnet, RHEL with no firewall running (only while troubleshooting this, don't panic), still a problem. Using PuTTY SFTP from/to any of the systems is fine, even though on different networks. The mtu on the RHEL was the same as the Solaris systems (1500) - changing values on the RHEL increased the upper limit but still hit a ceiling. Only have one RHEL system so I can't see whether RHEL-RHEL transfers are affected, only those between Solaris, PuTTY on Windows, and the one RHEL system.
-
[SOLVED]ssh key persists across logins - xfce/ssh-agent/pgp-agent
Hi,
I am a new Arch user. I must say, that I am very happy with my installation so far. Thanks for providing a sensible Linux distribution.
I am coming from Ubuntu 12.04 LTS with xfce as desktop. Ubuntu 12.04 has xfce 4.8.2. Now I am running lightdm and xfce 4.10 which I consider a very useful desktop environment. Now, there is one bug I ran into and I didn't see it documented anywhere :
After logging out or even rebooting, my ssh-key was still cached/stored by gpg-agent.
Now, well. Can't be that hard, can it?
% ssh-add -D
SSH_AGENT_FAILURE
Failed to remove all identities.
Great! Now that really bugged me: I am unable to remove my ssh-key, even across reboots!
It took me a while to realize, that gpg-agent is now capable of handling ssh-keys.
I was unable to find any startup configuration for gpg-agent in /etc/profile[.d], systemd, .xinitrc, ...
Disabling xfce-session gpg-agent autostart
After even more searching, I found xfce to be the culprit:
http://docs.xfce.org/xfce/xfce4-session/advanced
Apparently xfce4-session starts gpg-agent
To disable it:
% xfconf-query -c xfce4-session -p /startup/ssh-agent/enabled -n -t bool -s false
Kind'a obvious, right?
Key recovery
To get rid of the ssh-key dangling around unencrypted (?) on your harddisk, have a look at
$HOME/.gnupg/private-keys-v1.d
Looks like gpg-agent is storing ssh keys here. I simply deleted the directory.
BE CAREFUL: I don't know if the directory is only used for cached ssh keys. You might have other valid keys you don't want to delete there. Maybe someone else can shed some light on this.
Now I have my good old ssh-agent back, started automatically as described in the wiki
https://wiki.archlinux.org/index.php/SSH_Keys#ssh-agent
Last edited by georgnix (2014-03-06 12:13:56)Thanks for reminding
Btw, my problem/issue with gpg2's (inexistent, yet there-in-the-man-pages) "--with-keygrip" option still persists - though I am not sure if this is the place to mention about it. -
SSH Key login not working when added to gpg-agent
Hello,
As I use gnupg, I run the gpg-agent. I run it with systemd --user and it works flawlessly. As I already run gpg-agent, I figured I might as well just add my ssh keys to it as well. Therefore I start gpg-agent with --enable-ssh-support. I use my SSH keys a lot and never had any problems with connecting to anything with a simple ssh .... or pushing things to git etc.
As the SOCKS_AUTH_SSH envvar needs to be set for ssh-add to work, I added this line to my .bashrc
export SSH_AUTH_SOCK=~/.gnupg/S.gpg-agent.ssh
Now, adding my SSH Keys with a simple ssh-add seems to work fine (no errors etc).
However, when I try to connect to a server now, the following happens:
ssh -vT [email protected]
OpenSSH_6.8p1, OpenSSL 1.0.2a 19 Mar 2015
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Connecting to XXXXXXXXX port XXXXX.
debug1: Connection established.
debug1: identity file /home/XXXXX/.ssh/id_rsa type 1
debug1: key_load_public: No such file or directory
debug1: identity file /home/XXXXX/.ssh/id_rsa-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.8
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.8
debug1: match: OpenSSH_6.8 pat OpenSSH* compat 0x04000000
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr [email protected] none
debug1: kex: client->server aes128-ctr [email protected] none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:Mw5MTDp91yExgStdoMPMwi2yZdoG9MruOm+6XiC5Vks
debug1: Host '[XXXXXXX]:XXX' is known and matches the ECDSA host key.
debug1: Found key in /home/XXXX/.ssh/known_hosts:1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/XXXXX/.ssh/id_rsa
debug1: Server accepts key: pkalg ssh-rsa blen 279
debug1: No more authentication methods to try.
Permission denied (publickey).
Which is very strange as id_rsa is my (ecrypted) private key. I am also prompted to enter the corresponding password when issuing ssh-add.
What could the problem be in this case? Thanks a lot!!
Last edited by replax (2015-05-18 19:06:58)replax wrote:Well, there is something listed in .gnupg/sshcontrol , I am not sure if it is connected to my own key though. I tried ssh-add -l and it will list my one key, although it is different from the one in sshcontrol. I suspect that that is an issue of presentation though, as ssh-add spews out the SHA256 of my key..
How could I go about verifying that they key is indeed correct? Shouldn't it be added automatically by ssh-add?
Thanks a lot!!
Yes it should be added automatically. I suppose you could try it in a new user just to start fresh and see if it works, at least then you'll have either verified that your steps were correct or incorrect.
Maybe you are looking for
-
When I try syncing music from my library to my ipod, I get the message that it lost connection. My ipod is plugged in to the computer though. Does anyone know how to fix this?
-
HT1657 Can you rent more than one movie at the same time?
Can you rent more than one movie at the same time on itunes?
-
I Deleting "photo library" pics?
Don't see a trash can/delete icon when I select pictures. Need to make space on phone for system updates....anypne know how to rid the phone of these pictures?
-
WMS Problem with 2 step picking
Hello Expert, In WMS I activate the 2 step picking. I have created a group of delivery and make a trasfer order with the total quantity of the deliveries. I create the trasfer order on 2 picking phase and I trasfer the material on storage type 200 wi
-
hi, I just come to know is it possible to create withholding tax entire configuration in 2 steps if yes please send me the steps to mail id [email protected] Regards, Sankar