SSH authentication bypass password auth for a particular user only - unix

I am trying to build a bash script that connects to other servers to do some basic monitoring, like checking disk space, and have this information emailed. I still need all these servers to require a password for general entry/access by users, but for this particular monitoring script I don't want to be asked for a password (a general ssh key only).
How can I configure a particular user (let's call it monitor) to connect to a server with the following command without being asked for the password (as it will run from cron, so it needs to be automated)?
# ssh to web1 server and get diskspace (a // comment is not valid in bash)
cmd=$(ssh web1 df -h | grep -E "xvda1|xvde1" | awk '{print $5}' | sort -r | head -1)
Let's say the servers have 3 users: 'monitor', 'bob' and 'paul'.
When it hits this part of the script, the ssh web1 forces me to enter a password. Is it possible to set up a particular user (in this case the monitor user) to be able to authenticate and log in using ssh some-ip without being asked for the password, but still have it ask for the password when either bob or paul tries to log in?

Yes, it is quite simple: just create an SSH key for the monitor user only (ssh-keygen), and then copy its private key to the other servers (ssh-copy-id SERVER-IP-OR-NAME).
Just check that PubkeyAuthentication is enabled on the server, though it is enabled by default...
This way user monitor will be logged in without being asked for a password, and the other users will still be required to enter their password.

It is possible: you have to copy your RSA key to the server and enable RSA authentication.
You can generate the key using ssh-keygen and following the instructions, then copy it to the server using ssh-copy-id and enable PubkeyAuthentication on the server. Be sure to restart the sshd.service!
Resource: openSSH docs

Related

Public/private key setup in server

I am using CentOS 7 on my personal laptop. I have created public/private keys (an SSH key pair) for that user. I can also see the two keys in the path /home/user/.ssh/. After creating the key pair I copied the public key to the file ".ssh/authorized_keys" and disabled root access for the user in the file ".ssh/sshd_config", after which I restarted the ssh services. So I wanted to know how I can restrict others from accessing my server based on keys (even if he has the password he should not be able to log in without a key). I am not sure how to use those keys which I created.
Once you are sure that you can log in with your key pair, you can add this line to your sshd config on the server:
PasswordAuthentication no
and restart your sshd service
It will prevent any password authentication. You will only connect using your private key.

Datapower SSH login ignores username

When I ssh to my Datapower node like so: ssh user@192.168.0.1 I receive this response:
ssh user@192.168.0.1
(unknown)
Unauthorized access prohibited.
login:
I then enter the same username, and am also prompted for a password. I type in my credentials and it works! Why didn't it just read my username the first time?
This is hampering my ability to automate a few basic tasks with shell scripts, such as fetching logs for processing.
I agree with @Ken and @Stefan that XML Management is a more appropriate tool for long-term automation; however, sometimes we need something quick or temporary (or both) ... and for that a CLI automation is easier and faster to develop.
An easy way to push commands to the CLI from a shell script is redirecting the input and output, like this quick sample:
#!/bin/ksh
DPHOST=datapower.device.company.com
DP_USER_ID="myuser"
DP_PASSWORD="mypassword"
TMPFILE=/tmp/tempfile.dp
OUTFILE=/tmp/outfile.dp
TS=`date +%Y%m%d%H%M%S`
# the command file holds the password, so it must not be world-readable
umask 077
# the first three lines answer the login, password and domain prompts;
# the variables have to be expanded here, not written literally
cat << EOF > "$TMPFILE"
$DP_USER_ID
$DP_PASSWORD
default
echo show cpu
show cpu
echo show memory
show memory
EOF
ssh -T "$DPHOST" < "$TMPFILE" > "$OUTFILE.$TS"
rm -f "$TMPFILE"
Note that if you do not have any application domains defined, you may suppress the "default" after the password.
And of course, for security reasons you may request the user and password at run time, rather than having them saved in a plain-text file, but that is up to you ... the relevant piece here is that you can redirect the file with the commands to a regular ssh session.
If you prefer, something like cat $TMPFILE | ssh -T $DPHOST > $OUTFILE.$TS would also work.
That is because DataPower really isn't an SSH server, it is only using the protocol.
What I do in my scripts is that I do the connection, wait for the response and then send the username as the second command and password as third:
ssh [datapower ip]
(unknown)
Unauthorized access prohibited.
login:
your-username
password:
your-password
'#xi52:
DataPower ignores the passed-in username.
Will using the XML Management interface meet your needs? I probably have some scripts laying around.
Ken

I cannot enable basic HTTP authentication in a SOAPInput node (Websphere Message Broker)

I have tried enabling HTTP authentication on a SOAPInput node in my message flow; however, it does not seem to take effect. I don't have to pass any credentials and I still get a reply. These are the steps I have taken:
1.) created a security profile with the following commands:
## Set up the security id
mqsisetdbparms DEV_ESB30_AP01 -n basicSecurityId -u user1 -p testPass1
## Set up the security profile
mqsicreateconfigurableservice DEV_ESB30_AP01 -c SecurityProfiles -o orsSecurityProfile -n "propagation,idToPropagateToTransport,transportPropagationConfig" -v "TRUE,STATIC ID,basicSecurityId"
2.) I set the security profile in the BAR to basicSecurityId
Am I missing something?
Did I define the security profile correctly?
This security profile authenticates correctly when used in a SOAPRequest node, but is completely ignored in a SOAPInput node. Thanks for any help you can give.
You need to tell broker how to authenticate by setting an authentication provider in the security profile (i.e. LDAP, WS-TRUST).
The security profile you have posted just tells broker to put the ID in the properties folder, not actually to do anything with it.
Note that it is not currently possible to do both WS-Security and Basic Auth at the same time, so if you have a policy set configured, basic auth will not work.

SSH Key mapping to a user

I have a server, and three people access that server as user test with their SSH keys; their public keys are saved in the authorized_keys file.
Is there a way to map a user to an SSH key?
For example, if a user with public key A1 logs in to the server, then I can match the A1 key to a person's name in a config file or a small table (created by me) and get the names of the active users.
How can I check which SSH keys were used to log in to the server and are currently active? Is there a way to do this?
From the manpage we can read that you can set environment variables in the authorized_keys file for every key. For this to work you need to set
PermitUserEnvironment yes
in /etc/ssh/sshd_config and restart your ssh server.
Then add an environment="name=value" option in front of the SSH public key in the authorized_keys file, like this for example:
environment="sshuser=user1" ssh-rsa AAAA...
If you then log in to the server you can access the env variable:
$ ssh server
$ echo $sshuser
user1
Hope it helps!
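Both SSH questions above come down to what is written in authorized_keys: the first wants the monitor key usable without a password, which is safest when that key is also pinned to its one command with a command= option, and this one labels keys with environment=. The following Python example is added here (mine, not from any of the posts) and parses authorized_keys option lists, maps each key to its owner label and flags keys carrying neither command= nor from=; the file contents and key blobs are constructed.

```python
import re

# Constructed sample authorized_keys (not from the page): the monitor key is
# locked to its one command, two keys carry an environment= label, one has nothing.
SAMPLE_AUTHORIZED_KEYS = """\
command="df -h",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-ed25519 AAAAC3NzaC1lZDI1NTE5ConstructedKey1 monitor@monhost
environment="sshuser=user1" ssh-rsa AAAAB3NzaC1yc2EConstructedKey2 user1@laptop
environment="sshuser=user2",from="10.0.0.0/8" ssh-rsa AAAAB3NzaC1yc2EConstructedKey3 user2@laptop
ssh-rsa AAAAB3NzaC1yc2EConstructedKey4 somebody@unknown
"""
KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ssh-dss", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")
# one option: a name, optionally ="value"; the value may contain commas and spaces
OPT_RE = re.compile(r'([A-Za-z][\w-]*)(?:="((?:[^"\\]|\\.)*)")?')


def parse_line(line):
    """Parse one authorized_keys line into options, key type, blob and comment."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    opts, pos = {}, 0
    if line.split(None, 1)[0] not in KEY_TYPES:      # an option list precedes the key
        while True:
            m = OPT_RE.match(line, pos)
            if not m:
                return None                           # malformed option list
            val = m.group(2)
            opts.setdefault(m.group(1), []).append(
                True if val is None else val.replace('\\"', '"'))
            pos = m.end()
            if line[pos:pos + 1] != ",":
                break
            pos += 1
    parts = line[pos:].split(None, 2)
    if len(parts) < 2 or parts[0] not in KEY_TYPES:
        return None
    env = dict(i.partition("=")[::2] for i in opts.get("environment", []) if i is not True)
    return {"type": parts[0], "blob": parts[1], "options": opts, "env": env,
            "comment": parts[2] if len(parts) == 3 else "",
            "restricted": "command" in opts or "from" in opts}


def audit(text):
    """Return ({blob: owner label}, [blobs with neither command= nor from=]).
    The label is the environment= sshuser value, else the key comment."""
    entries = [e for e in map(parse_line, text.splitlines()) if e]
    owners = {e["blob"]: e["env"].get("sshuser", e["comment"] or "<unnamed>")
              for e in entries}
    unrestricted = [e["blob"] for e in entries if not e["restricted"]]
    return owners, unrestricted
```

Run audit() over a real file to see which of the three people's keys are labelled and which keys could open an unrestricted shell.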

OpenLDAP password policies

I have installed OpenLDAP version 2.4.23 on Windows XP and am using Apache DS as a client. I can authenticate users on a client server I set up for testing.
My next step is to turn on a password policy. This is where things have gotten a bit hazy for me and I'm hoping someone can help me out.
I also added a password policy by using the following command
ldapadd -x -c -f -D "cn=Manager,dc=maxcrc,dc=com" -w secret
but after adding the password policies, how do I make them take effect?
The OpenLDAP documentation says the password policy module should be configured with the DN of the default policy.
I added the following lines to the slapd.conf file
# invokes password policies for this DIT only
overlay ppolicy
# Default ppolicy
ppolicy_default "cn=passwordDefault,ou=policies,dc=maxcrc,dc=com"
but somehow it is not getting loaded. I have already spent a lot of time on this, but I am not finding a proper guide for it.
Can anyone shed some light on this in plain, layman's terms?
Thanks in advance.
My ldif file is as follows.
dn: cn=passwordDefault,ou=policies,dc=localdomain,dc=com
objectClass: pwdPolicy
objectClass: person
objectClass: top
cn: passwordDefault
sn: passwordDefault
pwdAttribute: userPassword
pwdCheckQuality: 1
pwdMinAge: 1
pwdMaxAge: 90
pwdMinLength: 6
pwdInHistory: 4
pwdMaxFailure: 3
pwdFailureCountInterval: 0
pwdLockout: TRUE
pwdLockoutDuration: 0
pwdAllowUserChange: TRUE
pwdExpireWarning: 604800
pwdGraceAuthNLimit: 3
pwdMustChange: TRUE
pwdSafeModify: TRUE
After adding this policy and restarting the server I tried changing the password of existing as well as newly added users.
The server allows me to change the password to a string with length less than 6,
whereas I have mentioned pwdMinLength: 6 in the ldif.
I also tried changing the password more than once, but it allows me to change the password to a recently used password, whereas pwdInHistory: 4 is in the ldif.
The password policy doesn't work if you use the rootDN to execute the updates. You must use an existing admin account, or the user's own account.
It is not clear how you are setting the password when testing, but I would check if you are passing the password in the correct format, meaning that the server needs to receive the password in cleartext. Some clients would hash the value before sending the value to the OpenLDAP server, in which case it would be impossible for the OpenLDAP server to determine the length of password. The communication can and should be encrypted, but it shouldn't be pre-hashed. Hashing can be handled by the server:
pwdCheckQuality
If the value is 1 and the supplied password is in cleartext, then a user-supplied function (defined using the pwdCheckModule, if defined) will be called to check the password quality. If this function is not available then the password will be accepted (assuming it passes all the other tests defined by the various pwdPolicy attributes).
reference: http://www.zytrax.com/books/ldap/ch6/ppolicy.html
The rootdn bypasses the password policy, so do not use the rootdn in your ldappasswd command.
https://www.openldap.org/lists/openldap-technical/201102/msg00262.html
You can basically put any password (not empty though) if setting passwords using ldappasswd and binding with the rootdn.
It's a bit of a tricky situation, since you cannot change the password with the "passwd" command either for the user. In that case the password policy would kick in.
If you know the rootdn password, you can bypass everything.
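To make the two caveats in the answers above concrete (the rootdn bypasses the policy, and a value the client has already hashed cannot be length-checked), here is an added Python simulation of the checks, written for this page and not part of the ppolicy overlay: it reads the pwdPolicy attributes from the question's entry, stores history as {SSHA} hashes the way slapd does, and reports what a password change would run into. The pwdHistory timestamp/OID prefix is omitted, and the rootdn is assumed to be the cn=Manager DN from the ldapadd command.

```python
import base64
import hashlib
import os

# The policy entry from the question, trimmed to the attributes this check uses.
POLICY_LDIF = """\
dn: cn=passwordDefault,ou=policies,dc=maxcrc,dc=com
objectClass: pwdPolicy
pwdAttribute: userPassword
pwdCheckQuality: 1
pwdMinLength: 6
pwdInHistory: 4
"""
ROOT_DN = "cn=Manager,dc=maxcrc,dc=com"   # assumed: the -D of the question's ldapadd


def parse_ldif_entry(text):
    """Return the entry's attributes as {name: first value}."""
    attrs = {}
    for line in text.splitlines():
        if ":" in line and not line.startswith("#"):
            name, _, value = line.partition(":")
            attrs.setdefault(name.strip(), value.strip())
    return attrs


def ssha(password, salt=None):
    """{SSHA} as slapd stores it: base64(sha1(password + salt) + salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def ssha_verify(stored, password):
    raw = base64.b64decode(stored[len("{SSHA}"):])
    return ssha(password, raw[20:]) == stored      # sha1 digest is 20 bytes, rest is salt


def check_password_change(policy, bind_dn, new_password, history):
    """Simulate the outcome the answers describe: returns (accepted, notes).
    history holds the {SSHA} values kept in pwdHistory (hash part only, simplified)."""
    if bind_dn == ROOT_DN:
        return True, ["rootdn: policy not applied at all"]
    if new_password.startswith("{"):        # client pre-hashed it, e.g. {SSHA}
        if policy.get("pwdCheckQuality") == "2":
            return False, ["pwdCheckQuality 2 rejects passwords it cannot check"]
        return True, ["pre-hashed: length and history could not be checked"]
    problems = []
    if len(new_password) < int(policy["pwdMinLength"]):
        problems.append("shorter than pwdMinLength")
    n = int(policy["pwdInHistory"])             # 0 means no history is kept
    if n and any(ssha_verify(h, new_password) for h in history[-n:]):
        problems.append("reused within pwdInHistory")
    return not problems, problems
```
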
