I have a server, and three people access that server as user test with their SSH keys, their public keys is saved in authorized_keys file.
Is there a way to map a user to a ssh key.
For example if user with public key A1 log in to the server, then i can match the A1 key to a person name in a config file or a small table(created by me) and get the name of the active users.
How can i check what are the ssh keys used to log in to server, and are currently active, is there a way to do this ?
Form the manpage we can read that you can set environment variables in the authorized_keys file for every key. For this to work you need to set
PermitUserEnvironment yes
in /etc/ssh/sshd_config and restart your ssh server.
Then add an environment="name=value" in front of the ssh public key in the authorized_keys file, like this for example:
environment="sshuser=user1" ssh-rsa AAAA...
If you then log in to the server you can access the env variable:
$ ssh server
$ echo $sshuser
user1
Hope it helps!
Related
So i have a mail server say "mailer.com". Postfix handles mail for mailer.com also for "virtual.com" (postfix virtual domain).
So, when i create the DKIM key pair:
opendkim-genkey -s mail -d example.com
Which domain do i use here? mailer.com or virtual.com?
Then i put the public key in TXT record on the virtual.com domain?
FYI I used this guide:
https://www.digitalocean.com/community/tutorials/how-to-install-and-configure-dkim-with-postfix-on-debian-wheezy
You need to create keys for each domain you want to sign messages for and put appropriate DNS records in each domain DNS zone.
I am attempting to use a certificate with JMeter and can see that it appears to be loaded fine from the logs.
INFO o.a.j.u.SSLManager: JmeterKeyStore Location: certificate.jks type jks
INFO o.a.j.u.SSLManager: KeyStore created OK
INFO o.a.j.u.SSLManager: Total of 1 aliases loaded OK from keystore
Yet, when I send the Http Request, the results from the server just keep stating 'Client Certificate Not Provided'.
Below are the parameters I've used on the command line.
-D javax.net.ssl.keyStoreType=jks
-D javax.net.ssl.keyStore=certificate.jks
-D javax.net.ssl.keyStorePassword=password123
All the examples I can find simply state that if I configure the Jmeter element 'KeyStore Configuration' with the alias, it should send the certificate with the requests. It does not seem to be doing so. For the record, I have also tried to use the p12 cert and set the type to pkcs12 with the same results.
What am I missing?
In fact given you have only one certificate you don't need the Keystore Configuration at all, just remove it from the test plan and your setup should start working normally
Most probably your Keystore Configuration is not correct, for instance the "variable name holding certificate alias" is not set or doesn't match the record in the keystore
Check its value using Debug Sampler and make sure that certificate with this alias exists in the keystore. You can see a working sample in How to Use Multiple Certificates When Load Testing Secure Websites article
I am trying to build a bash script that connects to other servers to do some basic monitoring like checking disk space and have this information emailed. I still need all these servers require a password for general entry/access by users but for this particular monitoring script I don't want to be asked a password (general ssh key only)
How do I can configure a particular user (lets call it monitor) connect to a server with the following command but not ask for the password (as it will be for a cron so needs to be automated)
// ssh to web1 server and get diskspace
cmd=$(ssh web1 df -h | grep -E "xvda1|xvde1" | awk '{print $5};' | sort -r | head -1)
lets say the servers have 3 users 'monitor', 'bob' & 'paul'
When it hits this part of the script the ssh web1 forces me to enter a password - is it possible to setup a particular user (in this case the monitor user) to be able authenticate & login using ssh some-ip without asking for the password but still have it ask for the passwords when either bob or paul try to login?
Yes, it is quite simple: just create an SSH key for monitor user only (ssh-keygen), and then copy it's private key to other servers (ssh-copy-id SERVER-IP-OR-NAME).
Just check PubkeyAuthentication is enabled on the server, but it is enabled by default...
This way user monitor will be logged without asking password, and other users will be required of their password.
It is possible, you have to copy your RSA key to the server and enable the RSA authentication.
You can generate the key using ssh-keygen and following the instructions, then copy it to the server using ssh-copy-id and enabling the PubkeyAuthentication on the server. Be sure to restart the sshd.service!
Resource: openSSH docs
I am using CentOS 7 in my personal laptop. I have created Public/Private keys ( SSH key pair) for that user. I can see the two keys also in the path /home/user/.ssh/. After creating the key pairs I have coped the public key to the file " .ssh/authorized_keys " and disabled the root access for the user in the file " .ssh/sshd_config" after that I restarted the ssh services. So I wanted to know how I can restrict others accessing my server based on keys ( even if he has password he should not be able to login without key). I am not sure how to use those keys which I created.
Once your are sure that you can login with your keypair, you can add this line to your sshd config on the server :
PasswordAuthentication no
and restart your sshd service
It will prevent any password authentication. You will only connect using your private key.
When I ssh to my Datapower node like so: ssh user#192.168.0.1 I receive this response:
ssh user#192.168.0.1
(unknown)
Unauthorized access prohibited.
login:
I then enter in the same username, and am also prompted for a password. I type in my credentials and it works! Why didn't it just read my username the first time?
This is hampering my ability to automate a few basic tasks with shell scripts such as fetching logs for processing.
I agree with #Ken and #Stefan that a XML Management is a more appropriate tool for long term automations, howerver, sometimes we need something quick or temporary (or both) ... and for that a CLI automation is easier and faster to develop.
An easy way to push commands to CLI from a shell script is directing the input and output, like this quick sample:
#!/bin/ksh
DPHOST=datapower.device.company.com
DP_USER_ID="myuser"
DP_PASSWORD="mypasword"
TMPFILE=/tmp/tempfile.dp
OUTFILE=/tmp/outfile.dp
TS=`date +%Y%m%d%H%M%S`
cat << EOF > $TMPFILE
DP_USER_ID
DP_PASSWORD
default
echo show cpu
show cpu
echo show memory
show memory
EOF
ssh -T $DPHOST < $TMPFILE > $OUTFILE.$TS
rm $TMPFILE
Note that if you do not have any application domains defined, you may suppress the "default" after the password
And of course, for security reasons you may request the user and password at run time, rather then have it saved on a plain text file, but that is up to you ... the relevant piece here is that you can redirect the file with the commands to an regular ssh session
If you prefer, something like cat $TMPFILE | ssh -T $DPHOST > $OUTFILE.$TS would also works.
That is because DataPower really isn't a SSH server only using the protocol.
What I do in my scripts is that I do the connection, wait for the response and then send the username as the second command and password as third:
ssh [datapower ip]
(unknown)
Unauthorized access prohibited.
login:
your-username
password:
your-password
'#xi52:
DataPower ignores the passed-in username.
Will using the XML Management interface meet your needs? I probably have some scripts laying around.
Ken