Ssh keys and gnupg keys from wiki instructions...

Following first the gnupg instructions and then the ssh keys ones, I've managed to get several instances of gpg-agent running.
[root@frylock ~]# ps aux | grep agent
root 2764 0.0 0.0 4208 432 ? Ss 11:15 0:00 ssh-agent
xtian 2785 0.0 0.1 3500 972 ? Ss 11:18 0:00 gpg-agent -s --enable-ssh-support --daemon --write-env-file /home/frylock/xtian/.gnupg/gpg-agent.env
root 2958 0.0 0.0 3168 688 ? Ss 11:39 0:00 gpg-agent -s --enable-ssh-support --daemon --write-env-file /root/.gnupg/gpg-agent.env
root 3036 0.0 0.0 4740 392 ? Ss 11:43 0:00 gpg-agent --daemon
root 3186 0.0 0.0 4740 388 ? Ss 11:53 0:00 gpg-agent --daemon
root 3299 0.0 0.0 4740 388 ? Ss 11:58 0:00 gpg-agent --daemon
root 3549 0.0 0.0 4740 392 ? Ss 12:54 0:00 gpg-agent --daemon
This I can resolve by going back over the instructions--a fifth time. But what I don't understand is why my user account is the owner of a running process when I'm only logged in on one tty as root?
//EDIT: Clarify the login scenario
// EDIT: the code block is cutting off line
Last edited by xtian (2013-09-07 14:20:00)

xtian wrote:
cfr wrote: For example, I don't include the code in ~/.xinitrc or in /etc/profile.d precisely because I'm starting the agent somewhere else.
That's just it. I'm not starting it somewhere else. According to the wiki, it's being called from .xinitrc and that's where the call is made to the script in profile.d, I think. Unless the script in /etc/profile.d is starting the script automatically?? I don't know.
Yes. The script you have in /etc/profile.d will start it automatically. I have a similar script in /etc/kde/env and that is all I use. I don't need anything in ~/.xinitrc (or kde's autostart stuff or whatever). At least, this is true provided those scripts are sourced. What you definitely do not want is the line you currently have in ~/.xinitrc which does not check to see if an instance of gpg-agent is already running.
This is what I use:
$ cat /etc/kde/env/gpg-agent-startup.sh
#!/bin/sh
# see https://wiki.archlinux.org/index.php/SSH_Keys
GPG_AGENT=/usr/bin/gpg-agent
## Run gpg-agent only if not already running, and available
if [ -x "${GPG_AGENT}" ] ; then
    # check validity of GPG_SOCKET (in case of session crash)
    GPG_AGENT_INFO_FILE=${HOME}/.gpg-agent-info
    if [ -f "${GPG_AGENT_INFO_FILE}" ]; then
        # the file holds GPG_AGENT_INFO=<socket>:<pid>:1 -- pull out the pid ...
        GPG_AGENT_PID=`grep GPG_AGENT_INFO "${GPG_AGENT_INFO_FILE}" | cut -f2 -d:`
        # ... and check that this pid still belongs to a gpg-agent (pid may have been reused)
        GPG_PID_NAME=`cat /proc/${GPG_AGENT_PID}/comm 2>/dev/null`
        if [ ! "x${GPG_PID_NAME}" = "xgpg-agent" ]; then
            rm -f "${GPG_AGENT_INFO_FILE}" >/dev/null 2>&1
        else
            # the socket must still exist and be owned by us
            GPG_SOCKET=`grep GPG_AGENT_INFO "${GPG_AGENT_INFO_FILE}" | cut -f1 -d: | cut -f2 -d=`
            if ! test -S "${GPG_SOCKET}" -a -O "${GPG_SOCKET}" ; then
                rm -f "${GPG_AGENT_INFO_FILE}" >/dev/null 2>&1
            fi
        fi
        unset GPG_AGENT_PID GPG_SOCKET GPG_PID_NAME SSH_AUTH_SOCK
    fi
    if [ -f "${GPG_AGENT_INFO_FILE}" ]; then
        # a usable agent is running: import its variables and export them
        eval "$(cat "${GPG_AGENT_INFO_FILE}")"
        eval "$(cut -d= -f 1 "${GPG_AGENT_INFO_FILE}" | xargs echo export)"
        export GPG_TTY=$(tty)
    else
        # no usable agent: start one and let it write the env file
        eval "$(${GPG_AGENT} -s --enable-ssh-support --daemon --pinentry-program /usr/bin/pinentry-qt4 --write-env-file)"
    fi
fi
In any case, your script should check for the environment file and only start an instance of the agent if it doesn't exist.
It's not my script. I'm not up on BASH scripts. This one is from the wiki page. Isn't this script checking just that in this IF clause:
if test -f "$envfile" && kill -0 $(grep GPG_AGENT_INFO "$envfile" | cut -d: -f 2) 2>/dev/null; then
eval "$(cat "$envfile")"
Yes. But the line you have in ~/.xinitrc does NOT check this. It just starts an instance of gpg-agent as a daemon.

Similar Messages

  • Software Raid and Kernel Panic (from wiki page) [SOLVED]

    I am trying to setup a RAID 5 array using the instructions on the wiki:
    http://wiki.archlinux.org/index.php/Ins … AID_or_LVM
    I get through the instructions (have actually done it several times now) and get the following error:
    io scheduler deadline registered
    io scheduler cfq registered
    FDC 0 is a post-1991 82077
    RAMDISK driver initialized: 16 RAM disks of 8192K size 1024 blocksize
    loop: loaded (max 8 devices)
    mice: PS/2 mouse device common for all mice
    NET: Registered protocol family 2
    IP route cache hash table entries: 65536 (order: 6, 262144 bytes)
    TCP establised hash table entries: 262144 (order: 9,3145728 bytes)
    input: AT Translated Set 2 keyboard on isa0060/serio0
    TCP bind hash table entries: 65536 (order: 7, 786432 bytes)
    TCP: Hash tables configured (established 262144 bind 65536)
    TCP reno registered
    TCP bic registered
    NET: Registered protocol family 1
    NET: Registered protocol family 10
    Disabled Privacy Extensions on device c03f6580(lo)
    IPv6 over IPv4 tunneling driver
    NET: Registered protocol family 17
    Starting balanced_irq
    Using IPI Shortcut mode
    VFS: Cannot open root device "md0" or unknown-block(0,0)
    Please append a correct "root=" boot option
    Kernel panic - not syncing: VFS: Unable to mount root fs on unknown-block(0,0)
    The grub menu.lst
    root (hd0,0)
    kernel /vmlinuz26 root=/dev/md0 ro
    I setup three partitions on IDE drives
    /dev/md0 - root (8 GB / drive)
    /dev/md1 - boot (100 MB / drive)
    /dev/md2 - swap (1 GB / drive)
    I have three drives for the array with three partitions on each:
    hda1 - boot
    hda2 - swap
    hda3 - root
    I did skip the LVM step in the wiki pages.
    fstab
    none /dev/pts devpts defaults 0 0
    none /dev/shm tmpfs defaults 0 0
    /dev/cdrom /mnt/cd iso9660 ro,user,noauto,unhide 0 0
    /dev/cdrom /mnt/dvd udf ro,user,noauto,unhide 0 0
    /dev/fd0 /mnt/fl vfat user,noauto 0 0
    /dev/md0 / reiserfs defaults 0 0
    /dev/md2 swap swap defaults 0 0
    /dev/md1 /boot reiserfs defaults 0 0
    mkinitrd.conf
    REMOVE_IDE=
    REMOVE_SCSI=
    REMOVE_SATA=1
    REMOVE_CDROM=
    REMOVE_USB=1
    REMOVE_FW=1
    REMOVE_RAID=
    REMOVE_CRYPT=1
    REMOVE_FS=
    REMOVE_DM=
    RAID_ROOT_ARRAY="md0"
    RAID_ROOT_DEVICES="/dev/hda3 /dev/hdb3 /dev/hdc3"
    HOSTCONTROLLER_IDE=
    HOSTCONTROLLER_SCSI=
    HOSTCONTROLLER_SATA=
    HOSTCONTROLLER_USB=
    FILESYSTEMS=
    CRYPT_DEVICE=
    ADD_MODULE=
    REMOVE_MODULE=
    The system is a dual PIII using the arch ISO 7.1 release.
    Any thoughts on what is wrong with my setup?  Or something I can try.  I'm game for just about anything in my test environment to try and get it working.
    Thanks,
    Chris....

    After the basketball games were over tonight I had a thought (and a little research). The install iso I was using was a pre-release of 0.7.1. When I downloaded the real McCoy and did a fresh install following the instructions on the wiki, all worked flawlessly!
    Chris....

  • ASA 5510 - Version 8.2(1) - SSH, ICMP and NAT not working

    I have an ASA 5510 using version 8.2(1) and I have enabled ssh, icmp and they work from the inside network but not from the outside network. 
    Further to this, I exposed one site from the inside interface on the ASA (192.168.1.100) to outside (1.1.1.7) using NAT and it is not pingable nor accessible from the outside. I also allowed SSH from the outside network to the external IP addresses of the ASA and it is not working either.  Any ideas what I could be missing in my configuration?  I bolded the configurations involved in the ASA running configuration I copied below (please note I have replaced the real IP addresses with 1.1.1.x and 2.2.2.x):
    ASA Version 8.2(1)
    hostname fw
    domain-name net.com
    enable password eYKAfQL1.ZSbcTXZ encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    dns-guard
    interface Ethernet0/0
    description Primary Outside (Internet)
    speed 10
    duplex full
    nameif outside
    security-level 0
    ip address 1.1.1.5 255.255.255.240
    ospf cost 10
    interface Ethernet0/1
    description inside
    speed 100
    duplex full
    nameif inside
    security-level 100
    ip address 192.168.1.254 255.255.255.0
    ospf cost 10
    interface Ethernet0/2
    description WLAN
    nameif WLAN
    security-level 100
    ip address 192.168.108.240 255.255.255.0
    ospf cost 10
    interface Ethernet0/3
    description Secondary Outside (Internet)
    speed 100
    duplex full
    nameif WAN2
    security-level 0
    ip address 2.2.2.133 255.255.255.192
    interface Management0/0
    description LAN/STATE Failover Interface
    time-range after_hours
    periodic weekdays 7:00 to 23:00
    boot system disk0:/asa821-k8.bin
    no ftp mode passive
    clock timezone EST -5
    clock summer-time EDT recurring
    dns domain-lookup WLAN
    dns server-group DefaultDNS
    retries 3
    timeout 5
    name-server 8.8.8.8
    name-server 206.191.0.210
    name-server 4.2.2.1
    name-server 4.2.2.2
    domain-name net.com
    access-list WAN2_access_in extended permit icmp any any echo-reply
    access-list WAN2_access_in extended permit icmp any any time-exceeded
    access-list WAN2_access_in extended permit icmp any any source-quench
    access-list WAN2_access_in extended permit icmp any any unreachable
    access-list WLAN_access_in extended permit icmp any any echo-reply
    access-list WLAN_access_in extended permit icmp any any time-exceeded
    access-list WLAN_access_in extended permit icmp any any source-quench
    access-list WLAN_access_in extended permit icmp any any unreachable
    access-list WLAN_access_in extended permit tcp host 192.168.1.100 eq ssh any
    access-list WLAN_access_in extended permit tcp 192.168.1.0 255.255.255.0 host 192.168.1.100 eq ssh
    access-list WLAN_access_in extended permit ip any any
    access-list time_based extended permit ip any any time-range after_hours
    access-list split_tunnel standard permit host 206.191.0.210
    access-list split_tunnel standard permit host 206.191.0.140
    access-list split_tunnel standard permit host 207.181.101.4
    access-list split_tunnel standard permit host 207.181.101.5
    access-list split_tunnel standard permit 192.168.1.0 255.255.255.0
    access-list outside_access_in extended permit icmp any any echo-reply
    access-list outside_access_in extended permit icmp any any time-exceeded
    access-list outside_access_in extended permit icmp any any
    access-list outside_access_in extended permit tcp any host 1.1.1.7 eq ssh
    access-list inside_access_in extended permit ip any any
    access-list inside_access_in extended permit tcp any host 192.168.1.100 eq ssh
    access-list inside_access_in extended permit icmp any any
    access-list inside_access_in extended permit icmp 192.168.1.0 255.255.255.0 any
    access-list inside_access_in extended permit ip 192.168.1.0 255.255.255.0 any
    access-list inside_access_in extended permit tcp 192.168.1.0 255.255.255.0 host 192.168.1.100 eq ssh
    pager lines 20
    logging enable
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    mtu WLAN 1500
    mtu WAN2 1500
    ip local pool DHCP 192.168.1.245-192.168.1.252 mask 255.255.255.0
    ip verify reverse-path interface outside
    ip verify reverse-path interface WAN2
    failover
    failover lan unit secondary
    failover lan interface FO Management0/0
    failover key *****
    failover link FO Management0/0
    failover interface ip FO 192.168.255.171 255.255.255.0 standby 192.168.255.172
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit any outside
    icmp permit any inside
    icmp permit any WLAN
    icmp permit any WAN2
    asdm image disk0:/asdm-621.bin
    asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    global (WAN2) 1 interface
    nat (inside) 1 192.168.1.0 255.255.255.0
    nat (WLAN) 1 192.168.108.0 255.255.255.0
    static (inside,outside) 1.1.1.7 192.168.1.100 netmask 255.255.255.255
    access-group outside_access_in in interface outside
    access-group inside_access_in in interface inside
    access-group WLAN_access_in in interface WLAN
    access-group WAN2_access_in in interface WAN2
    route outside 0.0.0.0 0.0.0.0 1.1.1.1 1
    route WAN2 0.0.0.0 0.0.0.0 2.2.2.129 254
    route inside 192.168.1.100 255.255.255.255 192.168.1.0 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa authentication ssh console LOCAL
    http server enable
    http 192.168.108.0 255.255.255.0 WLAN
    http 192.168.1.0 255.255.255.0 inside
    http 192.168.1.101 255.255.255.255 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    sla monitor 123
    type echo protocol ipIcmpEcho 4.2.2.2 interface outside
    num-packets 3
    timeout 1000
    frequency 3
    service resetoutside
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    track 1 rtr 123 reachability
    no vpn-addr-assign aaa
    no vpn-addr-assign dhcp
    telnet timeout 5
    ssh scopy enable
    ssh 2.2.2.132 255.255.255.255 outside
    ssh 69.17.141.134 255.255.255.255 outside
    ssh 192.168.1.0 255.255.255.0 inside
    ssh 192.168.1.100 255.255.255.255 inside
    ssh 192.168.108.0 255.255.255.0 WLAN
    ssh timeout 60
    console timeout 0
    management-access inside
    dhcpd address 192.168.108.11-192.168.108.239 WLAN
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    ntp authenticate
    ntp server 128.100.100.128
    ntp server 132.246.168.148
    ntp server 128.100.56.135
    tftp-server inside 192.168.1.100 /
    webvpn
    group-policy Wifi internal
    group-policy Wifi attributes
    wins-server none
    dns-server value 206.191.0.210 206.191.0.140
    vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value split_tunnel
    tunnel-group Wifi type remote-access
    tunnel-group Wifi general-attributes
    address-pool DHCP
    default-group-policy Wifi
    tunnel-group Wifi ipsec-attributes
    pre-shared-key *
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny 
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip 
      inspect xdmcp
      inspect icmp
      inspect icmp error
    policy-map type inspect dns migrated_dns_map_1
    parameters
      message-length maximum 512
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:ac25ef0642e0ecb8f0ef63219833f3ae
    : end
    asdm image disk0:/asdm-621.bin
    asdm location 192.168.1.245 255.255.255.255 inside
    asdm location 192.168.1.252 255.255.255.255 inside
    asdm history enable

    Hi,
    I can't see any problems right away in the configuration.
    I guess we could start by using the "packet-tracer" to simulate the SSH and ICMP through the firewall
    packet-tracer input outside tcp 1.1.1.1 12345 22
    packet-tracer input outside icmp 1.1.1.1 8 0
    Don't mind the source address of 1.1.1.1. It's just an address that is located behind the "outside" interface according to the ASA routing table. (As the configurations 1.1.1.0/28 is not actually configured on the ASA)
    Share the exact "packet-tracer" command used (without the public IP, notice that the output contains the public IP also) and the output of the command with us here.
    Also, have you made sure that there is no old translations active on the ASA?
    You can use this command to view those
    show xlate local 192.168.1.100
    You can clear the xlates with
    clear xlate local 192.168.1.100
    - Jouni

  • Setup advice for rsync, ssh keys and launchd - all for remote webserver backup

    Hi There,
    This is the first time I'm doing this and I have limited command line experience but I need to set up an automatic backup of our webservers.
    rsync
    I have 4x rsync commands that work when run from the command line manually - here is an example, they just pull files from a few directories:
    sudo rsync -avzO -e ssh [email protected]:/backups/ /Volumes/ServerVolume/webserver-backups/DEV/mysql/
    I had issues with writing the files locally when running the above so had to do it as root and also add -O (-avzO). But because I need to run these automatically, I'm worried that running them as root will require a password - is that correct?
    Also, while I've setup ssh keys, I feel unsure this has been done correctly - how do I test this properly?
    launchd
    While I've set up cron jobs on the webserver (a mysql dump) I don't have any experience with launchd and feel a bit out of my depth after reading the pages here:
    http://developer.apple.com/library/mac/#documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/ScheduledJobs.html
    http://developer.apple.com/library/mac/#documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html#//apple_ref/doc/uid/TP40001762-104142
    http://developer.apple.com/library/mac/#documentation/Darwin/Reference/ManPages/man8/launchd.8.html#//apple_ref/doc/man/8/launchd
    I'm guessing I need to:
    Somehow make the rsync command a file that will execute in Terminal - do I just put it in a file and give it a .sh extension?
    Create a launchd Property List File that will run the script at certain times
    Somehow register the Property List File with launchd so it runs
    Or maybe I should just use Automator and iCal?
    I did try getting automator to run the rsync commands in terminal from iCal (I just pasted the commands straight in and set automator to pass them as arguments) but it doesn't seem to launch terminal so if there are errors, I can't see what they are. Because they started though, I think my SSH keys are setup.
    Maybe it would just be better to figure out what is wrong with rsync commands and the permissions and just make these all run unattended from iCal?
    Any help or suggestions would be much appreciated.
    Cheers
    Ben


  • [SOLVED] a problem with gpg-agent and ssh keys

    I'm baffled by a strange problem:
    My setup is as follows: I use gpg-agent with --enable-ssh-support, so that my ssh keys are handled by it. All was fine (when I ssh'ed to another machine, a pinentry window popped up, asked for a password, and if I entered the correct one, gpg-agent would decrypt its copy of my private ssh key and use it for identification). But: I needed to change my ssh key, and so I generated a new one. Next, I ssh-add'ed it to gpg-agent (one password to decrypt the private key, then twice another password for gpg-agent). I uploaded the public key to a server. The setup should be complete.
    The problem is that when I ssh to a machine, a pinentry window comes up, but it does not accept my password (the one that I entered twice when ssh-add'ing the key). I tried adding with various different passwords (always deleting ~/.gnupg/private-keys-v1.d/*, since 'ssh-add -d ~/.ssh/id_rsa.pub' would not work for some reason - it would not make gpg-agent forget the key), different pinentry programs ( -qt4, -gtk-2, -curses), and still the same problems. Pinentry itself seems to work fine, since if I enter two different things when it asks for a new passphrase for the key, it detects that there's a problem.
    So, can anyone help? What could I try (please don't post just to say that I could/should use ssh-agent, or keychain, or anything else. I have used various things, and I like this setup the most. It worked before, and I would like to find out why it stopped working and how to get it back to speed.)
    Thanks.
    Last edited by bender02 (2010-02-15 09:52:54)

    That's a known bug with the new gpg version.
    http://lists.gnupg.org/pipermail/gnupg- … 38045.html
    You could use an older version of gpg or use a development version.

  • DS 6.3 ssh key and password expiration warnings

    I suspect this may be more of an ssh issue than a DS issue, but has anyone managed a configuration that will give users logging in with ssh keys, password expiration or reset warnings?
    In my setup, using compat mode in nsswitch.conf, native ldap logins work as expected for users entering their password. - That is, they are forced to change the password after an admin reset, receive "your password will expire" warnings, based on the expiration period set in DS (password policies in DS 6 mode, migrated from DS 5.2), etc.
    If a user has an ssh authorized_key entry, they can login without a password, as long as their password is not expired, or been reset by an admin. They are never shown the warning messages, but are allowed to connect, and then immediately logged off, if their password has expired, passed the number of grace logins, or been reset.
    The user can only login if they start from a different username and bypass the ssh key check.
    Hope this makes sense.

    After running various debug modes, I'm beginning to believe that the Directory Server may only issue the warning messages if a password has been typed, and validated in the directory. Since no password is entered when using an ssh key, the warnings aren't triggered.

  • Key-based SSH Authentication and AFP Home Directories

    I'm setting up some users with AFP home directories (hosted on an Xserve, with a couple of G5 towers as Open Directory clients). When logging in on the console on a G5 tower, the home directories work fine. The users can SSH into the Xserve using SSH key authentication. However, the users can not SSH into the G5 towers using SSH key authentication, and are instead asked for passwords - presumably because the AFP home directory is mounted with guest access (and thus the keys are unreadable) before the password is entered.
    Is there a known workaround for this? A different way of setting up the home directory mounting? I don't particularly want to go the mobile home directory route, because (among other things), as far as I know, mobile home directories only sync when a user logs into the GUI. If that's not the case (that is, if they will sync when a user logs into the machine with SSH), then I guess that would be a reasonable solution.
    Thanks in advance for any suggestions!

    That was just speculation on my part; I'm not sure exactly what's happening. I do know that until the user authenticates, the entire automount is mounted with guest access... and that the user can't authenticate until the key file can be read. It may be the case that I was just encountering some transient failure or the like, however.

  • I have multiple iPhoto libraries and when I am selecting which library to view (hold down 'option' key and launch iPhoto from the dock) it automatically closes another open app's window, e.g. Chrome, Word. 1 app closes every time I launch iPhoto this way.

    I have multiple iPhoto libraries on my Macbook Air 10.7.5 and when I am selecting which library to view (hold down 'option' key and launch iPhoto from the dock) it automatically closes another open application window, e.g. Chrome, Word. 1 app closes every time I launch iPhoto this way.

    If you're pushing Option at the exact moment you're clicking the Dock icon, it's supposed to do that. Wait until just after clicking it.

  • How can i remove a key and its value from properties file

    hi all,
    I want to remove a particular key and its associated value from the
    properties file. Is there any standard way of doing this?
    thanks in advance
    daya

    hi,
    thanks
    I am able to remove the key.
    One more question: how can I avoid storing the date and time
    in the properties file?
    thanks
    daya

  • LR 1.3.1 strange behaviour: L key adds keywords and removes pictures from collection

    After updating to LR 1.3.1 yesterday I found a very strange behaviour that I cannot explain: While in the Library module and looking at a picture from a collection (in loupe mode) I cycle through the different light modes using the L key. Then suddenly (after several hits of the L key) a keyword is added (not always the same keyword) and at the same time an unknown number of pictures is removed from the collection. The keyword is not added to the picture I was currently viewing, but to another one from the same collection. This has not happened before and I have no idea what is going on. I can restore the collection by relaunching an older catalog but of course this does not solve the problem. Can anybody help?
    (PC, Win XP prof SP 2, 4 Gig RAM)

    It is possible that instead of hitting the l key, or perhaps within the same sequence of hits, you are in fact accidentally hitting the k key.
    K is the shortcut for "Add shortcut keyword"
    Of course you would have had to set that particular keyword at some point and it does not explain the different keywords being assigned.
    Unless the alt key was involved somehow and you were rating the images with 1-9 numbers. That would account for different keywords being assigned and would seem arbitrary.
    To check: look at one or two of the images that you may have rated using a number key and then look at the keyword set the keyword came from. Press the alt key and a number from 1-9 will appear next to the keyword. If they match then that's the answer.
    If you weren't rating the images this way then.....??
    Perhaps there is a fault with the keyboard itself rather than the program.
    David

  • Using keys to search and retrieve values from HashMap

    I've been fiddling around with this problem for a while and can't seem to find any working solution. What I have is a method that I want to return all values from a HashMap, but instead of using the regular keys for a HashMap (0, 1, 2, 3), my keys are different numbers such as 51414, 62513, etc.
    public Car[] getAllCars() {
        Map<Integer, Car> myCars = system.getCars(); // getCars() returns HashMap of Car objects from another class
        Car[] c = new Car[myCars.size()];
        if (myCars.size() != 0) // ensure map is populated
            for (int i = 0; i < myCars.size(); i++)
                myCars.get(i);
        return c;
    }
    So what's happening at the moment is it loops through myCars and gets some values, but only those ones at the keys of 0-15 (the size of the Map). What I need is to get the Keys from myCars and use them to return all Car objects. The HashMap API has something called KeySet() which I think could help me, but I can't get that working.
    Any ideas?

    DiscoInferno wrote:
    Short of an SSCCE I think this might more accurately describe what I'm after.
    public Car[] getAllCars() {
        Map<Integer, Car> myCars = system.getCars(); // getCars() returns HashMap of Car objects from another class
        Car[] c = new Car[myCars.size()];
        Set<Integer> s = myCars.keySet();
        Iterator<Integer> keyIter = s.iterator();
        if (myCars.size() != 0)
            while (keyIter.hasNext()) {
                Integer key = keyIter.next();
                Car cc = myCars.get(key);
                System.out.println(myCars.get(key));
            }
        return null;
    }
    What that does is gets the Car object that matches the specified key. What I need is for it to be returnable as an array of Car objects. I don't want it to print, but the output that is printed is basically what I want to be returned to an array.
    First, I'm not sure how you managed to find keySet() and not find values().
    Second, okay, so you know how to get each value. Do you not know how to set a value in an array? Do you not know how to return a value from a method? Google can help you find tutorials for those. Otherwise, I have no idea what difficulty you're having.

  • Writing and retrieving RSA keys from a file

    Hello all,
    I'm trying to write a generated RSAPublicKey and RSAPrivateKey to a file, and then, later retrieve them.
    I thought I could use ObjectInput/OutputStream to do that, but when I do so I get the exception java.io.NotSerializableException: java.io.ObjectOutputStream
     (I'm surprised, because RSAPublic/PrivateKey are serializable, aren't they?).
     If this is not the way to do it, I do not know how (no key constructor reading from byte [] ...).
     Can somebody please help me?
    Thanks,
    Axelle.
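     The usual way to persist JCA keys is not Java object serialization but the key's standard encoding: Key.getEncoded() returns DER bytes (an X.509 SubjectPublicKeyInfo for an RSAPublicKey, a PKCS#8 PrivateKeyInfo for an RSAPrivateKey), and KeyFactory rebuilds the key objects from those bytes through X509EncodedKeySpec and PKCS8EncodedKeySpec, which is the "constructor reading from byte[]" the question asks about. The block below is an added example, not code from the thread; the file names and the temporary directory are assumptions.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.GeneralSecurityException;
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.security.spec.PKCS8EncodedKeySpec;
import java.security.spec.X509EncodedKeySpec;
import java.util.Arrays;

public class RsaKeyFiles {

    // Write both keys in their standard DER encodings. The private key file is cleartext PKCS#8,
    // so the file system permissions are its only protection.
    static void save(KeyPair kp, Path pubFile, Path privFile) throws IOException {
        Files.write(pubFile, kp.getPublic().getEncoded());    // X.509 SubjectPublicKeyInfo
        Files.write(privFile, kp.getPrivate().getEncoded());  // PKCS#8 PrivateKeyInfo
    }

    // Rebuild the public key object from the X.509 encoding.
    static PublicKey loadPublic(Path pubFile) throws IOException, GeneralSecurityException {
        byte[] der = Files.readAllBytes(pubFile);
        return KeyFactory.getInstance("RSA").generatePublic(new X509EncodedKeySpec(der));
    }

    // Rebuild the private key object from the PKCS#8 encoding.
    static PrivateKey loadPrivate(Path privFile) throws IOException, GeneralSecurityException {
        byte[] der = Files.readAllBytes(privFile);
        return KeyFactory.getInstance("RSA").generatePrivate(new PKCS8EncodedKeySpec(der));
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair kp = gen.generateKeyPair();

        // Assumed locations: a fresh temporary directory with two DER files in it.
        Path dir = Files.createTempDirectory("rsa-keys");
        Path pubFile = dir.resolve("public.der");
        Path privFile = dir.resolve("private.der");

        save(kp, pubFile, privFile);
        PublicKey pub2 = loadPublic(pubFile);
        PrivateKey priv2 = loadPrivate(privFile);

        // Round-trip check 1: the reloaded keys encode to exactly the bytes we wrote.
        boolean sameBytes = Arrays.equals(kp.getPublic().getEncoded(), pub2.getEncoded())
                && Arrays.equals(kp.getPrivate().getEncoded(), priv2.getEncoded());

        // Round-trip check 2: a signature made with the reloaded private key verifies
        // with the reloaded public key, so the pair is still usable, not just byte-identical.
        byte[] msg = "constructed test message".getBytes(StandardCharsets.UTF_8);
        Signature signer = Signature.getInstance("SHA256withRSA");
        signer.initSign(priv2);
        signer.update(msg);
        byte[] sig = signer.sign();
        Signature verifier = Signature.getInstance("SHA256withRSA");
        verifier.initVerify(pub2);
        verifier.update(msg);

        System.out.println("round trip ok: " + (sameBytes && verifier.verify(sig)));
        System.out.println("keys written under " + dir);
    }
}
```

     Because the PKCS#8 file is unencrypted, in practice the private key should go into a passphrase-protected KeyStore (or an EncryptedPrivateKeyInfo) rather than a bare file, and the file should be created with owner-only permissions.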

    Hi,
     Can we generate public and private keys from a fingerprint?
     Where can I find a piece of code to see how it is done?
    Thanks,
    Ganesh

  • SCP, SSH and SFTP in CMD / File-Explorer and SSH key management with Windows Credential Manager

    Please add SSH, SFTP and SCP in CMD and File Explorer.
    Also, allow us to copy to FTP in File Explorer.
    Would be nice to have the SSH credentials managed by Windows Credentials Manager.

    Even with the RHEL firewall completely disabled, it has the same upper limit. SCP between the Solaris systems, with ipfilter running on both systems and both systems on completely different networks, is not a problem. Between Solaris and RHEL, same network but different subnet, RHEL with no firewall running (only while troubleshooting this, don't panic), still a problem. Using PuTTY SFTP from/to any of the systems is fine, even though on different networks. The mtu on the RHEL was the same as the Solaris systems (1500) - changing values on the RHEL increased the upper limit but still hit a ceiling. Only have one RHEL system so I can't see whether RHEL-RHEL transfers are affected, only those between Solaris, PuTTY on Windows, and the one RHEL system.

  • [SOLVED] ssh key persists across logins - xfce/ssh-agent/pgp-agent

    Hi,
    I am a new Arch user. I must say, that I am very happy with my installation so far. Thanks for providing a sensible Linux distribution.
     I am coming from Ubuntu 12.04 LTS with xfce as desktop. Ubuntu 12.04 has xfce 4.8.2. Now I am running lightdm and xfce 4.10, which I consider a very useful desktop environment. Now, there is one bug I ran into and I didn't see it documented anywhere:
    After logging out or even rebooting, my ssh-key was still cached/stored by gpg-agent.
    Now, well. Can't be that hard, can it?
    % ssh-add -D
    SSH_AGENT_FAILURE
    Failed to remove all identities.
    Great! Now that really bugged me: I am unable to remove my ssh-key, even across reboots!
     It took me a while to realize that gpg-agent is now capable of handling ssh-keys.
    I was unable to find any startup configuration for gpg-agent in /etc/profile[.d], systemd, .xinitrc, ...
    Disabling xfce-session gpg-agent autostart
    After even more searching, I found xfce to be the culprit:
    http://docs.xfce.org/xfce/xfce4-session/advanced
    Apparently xfce4-session starts gpg-agent
    To disable it:
    % xfconf-query -c xfce4-session -p /startup/ssh-agent/enabled -n -t bool -s false
    Kind'a obvious, right?
    Key recovery
     To get rid of the ssh-key dangling around unencrypted (?) on your hard disk, have a look at
    $HOME/.gnupg/private-keys-v1.d
    Looks like gpg-agent is storing ssh keys here. I simply deleted the directory.
    BE CAREFUL: I don't know if the directory is only used for cached ssh keys. You might have other valid keys you don't want to delete there. Maybe someone else can shed some light on this.
    Now I have my good old ssh-agent back, started automatically as described in the wiki
    https://wiki.archlinux.org/index.php/SSH_Keys#ssh-agent
    Last edited by georgnix (2014-03-06 12:13:56)

    Thanks for reminding
     Btw, my problem/issue with gpg2's (inexistent, yet there-in-the-man-pages) "--with-keygrip" option still persists - though I am not sure if this is the place to mention it.

  • SSH Key login not working when added to gpg-agent

    Hello,
    As I use gnupg, I run the gpg-agent. I run it with systemd --user and it works flawlessly. As I already run gpg-agent, I figured I might as well just add my ssh keys to it as well. Therefore I start gpg-agent with --enable-ssh-support. I use my SSH keys a lot and never had any problems with connecting to anything with a simple ssh .... or pushing things to git etc.
     As the SSH_AUTH_SOCK envvar needs to be set for ssh-add to work, I added this line to my .bashrc
    export SSH_AUTH_SOCK=~/.gnupg/S.gpg-agent.ssh
    Now, adding my SSH Keys with a simple ssh-add seems to work fine (no errors etc).
    However, when I try to connect to a server now, the following happens:
    ssh -vT [email protected]
    OpenSSH_6.8p1, OpenSSL 1.0.2a 19 Mar 2015
    debug1: Reading configuration data /etc/ssh/ssh_config
    debug1: Connecting to XXXXXXXXX port XXXXX.
    debug1: Connection established.
    debug1: identity file /home/XXXXX/.ssh/id_rsa type 1
    debug1: key_load_public: No such file or directory
    debug1: identity file /home/XXXXX/.ssh/id_rsa-cert type -1
    debug1: Enabling compatibility mode for protocol 2.0
    debug1: Local version string SSH-2.0-OpenSSH_6.8
    debug1: Remote protocol version 2.0, remote software version OpenSSH_6.8
    debug1: match: OpenSSH_6.8 pat OpenSSH* compat 0x04000000
    debug1: SSH2_MSG_KEXINIT sent
    debug1: SSH2_MSG_KEXINIT received
    debug1: kex: server->client aes128-ctr [email protected] none
    debug1: kex: client->server aes128-ctr [email protected] none
    debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
    debug1: Server host key: ecdsa-sha2-nistp256 SHA256:Mw5MTDp91yExgStdoMPMwi2yZdoG9MruOm+6XiC5Vks
    debug1: Host '[XXXXXXX]:XXX' is known and matches the ECDSA host key.
    debug1: Found key in /home/XXXX/.ssh/known_hosts:1
    debug1: SSH2_MSG_NEWKEYS sent
    debug1: expecting SSH2_MSG_NEWKEYS
    debug1: SSH2_MSG_NEWKEYS received
    debug1: Roaming not allowed by server
    debug1: SSH2_MSG_SERVICE_REQUEST sent
    debug1: SSH2_MSG_SERVICE_ACCEPT received
    debug1: Authentications that can continue: publickey
    debug1: Next authentication method: publickey
    debug1: Offering RSA public key: /home/XXXXX/.ssh/id_rsa
    debug1: Server accepts key: pkalg ssh-rsa blen 279
    debug1: No more authentication methods to try.
    Permission denied (publickey).
     Which is very strange as id_rsa is my (encrypted) private key. I am also prompted to enter the corresponding password when issuing ssh-add.
    What could the problem be in this case? Thanks a lot!!
    Last edited by replax (2015-05-18 19:06:58)

     replax wrote: Well, there is something listed in .gnupg/sshcontrol, I am not sure if it is connected to my own key though. I tried ssh-add -l and it will list my one key, although it is different from the one in sshcontrol. I suspect that that is an issue of presentation though, as ssh-add spews out the SHA256 of my key..
     How could I go about verifying that the key is indeed correct? Shouldn't it be added automatically by ssh-add?
    Thanks a lot!!
    Yes it should be added automatically. I suppose you could try it in a new user just to start fresh and see if it works, at least then you'll have either verified that your steps were correct or incorrect.
