ssh – Dan Langille's Other Diary

Apr 17 2025

Using ~/.ssh/authorized keys to decide what the incoming connection can do

Leave a Comment / ssh / By Dan Langille / April 17, 2025

~/.ssh/authorized_keys allows you to specify the command run by the incoming ssh connection. I was searching for a previous blog post to give you some background. I failed. I backup my Bacula database and my Bacula configuration via rsync. These backups go to more than one host. The following are lines from ~rsyncer/.ssh/authorized-keys on my dbclone host – which gathers database backups from various hosts. The above appears on two lines to make […]

Using ~/.ssh/authorized keys to decide what the incoming connection can do Read More »

Apr 5 2025

invalid user dan or illegal user dan? Why different messages?

Leave a Comment / FreeBSD, Open Source, ssh / By Dan Langille / April 5, 2025

Last night, I wanted to update several hosts which were running sysutils/samdruckerclientshell. I ran csshX host1 host2 host3 … hostn. I didn’t get connected to all the host, so I closed out those screens and tried againg, adding -l dvl to the command. I got connected. Updated the packages, and went on with other tasks. What happened? On the laptop I was using, I was logged in as the user dan, so the

invalid user dan or illegal user dan? Why different messages? Read More »

Mar 14 2020

ssh with 2FA

Leave a Comment / General, Security, ssh / By Dan Langille / March 14, 2020

2FA has its critics: It’s so unreliable! Phones are so easily hijacked It’s not a lot of added security etc Some of these make assumptions not necessarily in evidence. In this post: FreeBSD 12.1 pam_google_authenticator-1.08 Most of the 2FA I use is time-based one-off passwords (TOTP), as opposed to text messages. These are often 6-digit numbers which change every 30 seconds. These are hard to guess and cannot be intercepted as they reside

ssh with 2FA Read More »

Jan 29 2018

Connecting to old devices via ssh

1 Comment / ssh / By Dan Langille / January 29, 2018

I have several old devices. Upgrading them is either impossible, they are unsupported, or I can’t be bothered upgrading the. Access is only via a dedicated VLAN within my home network. When stuck, I posted to Twitter and that led me to OpenSSH Legacy Options. This page describes what to do when OpenSSH refuses to connect with an implementation that only supports legacy algorithms. Here’s what I just tried: $ ssh pdu1 Unable

Connecting to old devices via ssh Read More »

Aug 20 2017

subversion via ssh passphrase-less key

Leave a Comment / Security, ssh, subversion / By Dan Langille / August 20, 2017

In general, passphrase-less ssh keys are a security nightmare. It is similar to leaving the key to your front door in the lock. Anyone stumbling across it has access to your house. Similarly, if someone gets your ssh key, and there is no passphrase on it, they can use that key for anything which grants access to that key. Side note: How can you tell if a given ssh key has a passphrase?

subversion via ssh passphrase-less key Read More »

Jan 17 2017

ansible: Timeout waiting for privilege escalation prompt

Leave a Comment / ansible, ssh / By Dan Langille / January 17, 2017

I was doing some work in a remote location with a laggy connection to home. I was running ansible and kept encountering these errors: fatal: [pg01]: FAILED! => {“failed”: true, “msg”: “Timeout (12s) waiting for privilege escalation prompt: “} Rerunning the script would encounter the same error in a different part of the script. After an error-free run I concluded it was my dodgy connection; ansible was waiting for a reply from my

ansible: Timeout waiting for privilege escalation prompt Read More »

Nov 22 2016

OSX was caching my ssh passphrases – easy fix

Leave a Comment / OSX, ssh / By Dan Langille / November 22, 2016

I have used ssh-agent for a long time. I enter my passphrase once, then let ssh-agent handle my ssh sessions. Last night, I noticed I ssh’d to a box and did not enter my passphrase. I got logged in. I had just rebooted my laptop so I was very concerned about this. It look at while, but eventually, I discovered the cause. OSX was caching the passphrase. More interestingly, it was not using

OSX was caching my ssh passphrases – easy fix Read More »

Sep 3 2014

When ssh and ansible play poorly together

5 Comments / ansible, Jails, Open Source, ssh / By Dan Langille / September 3, 2014

Last night, this worked fine. This morning, it fails: # ansible-playbook jail-mailjail.yml PLAY [mailjails] ************************************************************** GATHERING FACTS *************************************************************** failed: [mailjail.example.org] => {“failed”: true, “parsed”: false} invalid output was: Sorry, try again. Sorry, try again. Sorry, try again. sudo: 3 incorrect password attempts TASK: [pkg | install pkg] ***************************************************** FATAL: no hosts matched or all hosts have already failed — aborting PLAY RECAP ******************************************************************** to retry, use: –limit @/root/jail-mailjail.retry mailjail.example.org : ok=0 changed=0 unreachable=0

When ssh and ansible play poorly together Read More »

Jun 12 2013

Authentication tried for dan with correct key but not from a permitted host

2 Comments / FreeBSD, Open Source, ssh / By Dan Langille / June 12, 2013

I kept seeing these messages: Jun 12 04:09:18 nyi sshd[94523]: Authentication tried for dan with correct key but not from a permitted host (host=dbclone.example.org, ip=10.6.0.9). Jun 12 04:09:18 nyi sshd[94523]: Authentication tried for dan with correct key but not from a permitted host (host=dbclone.example.org, ip=10.6.0.9). I’ve been seeing them for a long time. How long? Three years. I didn’t think it was that long. But back in July 2010 I mentioned it. After

Authentication tried for dan with correct key but not from a permitted host Read More »

Jun 11 2013

sshd: error: key_read: uudecode failed

1 Comment / Open Source, ssh / By Dan Langille / June 11, 2013

I started seeing this error: Jun 10 19:12:38 nyi sshd[92208]: error: key_read: uudecode AAAAB3NzaC1yc2EAAAABJQAAAIBdX/USEtxnO91Vpujney8gwkq2sRrcU9R6nKAoGv1eNMWrMD9a93kZMjR4fFMAH87g+zyHBftxCsyE0wJX2A0UFgIQsiuOOINkTJMyk\n failed I couldn’t figure it out. Then I searched ~/.ssh/authorized_keys for that string. I found it in there. But the line was incomplete. It looked like I’d deleted the last part of the line. It should end with something like this: … onsnJNGeljjf9i8U3aorbSZj3jiEuTYMoTi9XK2dvGh5bbEQggw47jQg= dan@bigtimes.example.org Solution: I deleted that line. Then I copy/pasted the public key back into the file

sshd: error: key_read: uudecode failed Read More »