What do you use to manage & update multiple servers?


Comments

  • bingobangobongo Hosting Provider

    @IAmNix said:

    @somik said:

    Fought with ansible for a while. It wants python module called "six" to be installed on ALL of my remote nodes/vms...

    Anyone know what I am doing wrong?

    This smells like mismatched ansible version to me. Ubuntu repos especially are very behind - maybe try finding a PPA to install ansible from. Or maybe install it from pip.

    Yep definitely something between versions here… I actually don’t install anything on nodes and have a Debian prep script that runs everything needed, so any blank/base install just werks.

    Will sanitize and post here shortly!

    Rock Solid Web Hosting, VPS & VDS with a Refreshing Approach - Xeon Scalable, DDoS protection and Enterprise Hardware! HostBilby Inc.

  • Currently have my laptop and phone (JuiceSSH) with keys to most VMs

    Realized it the hard way a few days ago... if I wanted to transfer files from one VM to another it is next to impossible, as all are key-based auth and none have keys to log in to the others

    Curious what is the way to go about...

    Have a decent bunch of idlers, so having n idlers' keys on m machines seems too much?

  • bingobangobongo Hosting Provider

    @localhost said:
    Currently have my laptop and phone (JuiceSSH) with keys to most VMs

    Realized it the hard way a few days ago... if I wanted to transfer files from one VM to another it is next to impossible, as all are key-based auth and none have keys to log in to the others

    Curious what is the way to go about...

    Have a decent bunch of idlers, so having n idlers' keys on m machines seems too much?

    Maybe have a secondary layer of auth/keys for stuff between nodes? Then, as part of setup, deploy the key used for inter-node work?

    Or Ansible, since no one has mentioned it yet…

    Thanked by (1)localhost


  • @bingobangobongo said:

    @localhost said:
    Currently have my laptop and phone (JuiceSSH) with keys to most VMs

    Realized it the hard way a few days ago... if I wanted to transfer files from one VM to another it is next to impossible, as all are key-based auth and none have keys to log in to the others

    Curious what is the way to go about...

    Have a decent bunch of idlers, so having n idlers' keys on m machines seems too much?

    Maybe have a secondary layer of auth/keys for stuff between nodes? Then, as part of setup, deploy the key used for inter-node work?

    Or Ansible, since no one has mentioned it yet…

    Yeah.
    Secondary keys are needed. But I wanna keep the overhead of the number of keys limited.
    How to securely set the same key on all nodes?

    I started tinkering with ansible and got my laptop and phone keys added to authorized keys. So there's that. But actual private key sharing over the wire seems trippy?

    Thanked by (1)bingobangobongo
  • @localhost said:
    Curious what is the way to go about...

    python3 -m http.server

    Thanked by (1)localhost

    My pronouns are like/subscribe.

  • @WSS said:

    @localhost said:
    Curious what is the way to go about...

    python3 -m http.server

    That's one way I was thinking too.
    Curious if having one key across all makes sense, or to do it the painful way with x keys on y servers

  • AuroraZero Moderator, Hosting Provider, Retired

    @localhost said: Curious if having one key across all makes sense or to do the painful way for x keys on y servers

    2 keys total, one main one and a backup. If you are the only admin there is no sense making it difficult to manage or prone to human error.

    Free Hosting at YetiNode | MicroNode| Cryptid Security | URL Shortener | LaunchVPS | ExtraVM | Host-C | In the Node, or Out of the Loop? | In my cave if you need me ping me.

  • @localhost said:

    @WSS said:

    @localhost said:
    Curious what is the way to go about...

    python3 -m http.server

    That's one way I was thinking too.
    Curious if having one key across all makes sense, or to do it the painful way with x keys on y servers

    No, it's never a good thing to share ssh keys.

    I usually go with 3 ways.

    If I want to automate file transfers, I usually create a low-level user on the remote server and set up an SSH key between the 2 servers (like from my main server to my backup server).

    If I only need to transfer a lot of files, I use SCP to download them to my desktop and re-upload them.

    If it's just 1 or 2 files, I use: https://github.com/somik123/python3_http_upload_progress

    @IAmNix said:

    @somik said:

    Fought with ansible for a while. It wants python module called "six" to be installed on ALL of my remote nodes/vms...

    Anyone know what I am doing wrong?

    This smells like mismatched ansible version to me. Ubuntu repos especially are very behind - maybe try finding a PPA to install ansible from. Or maybe install it from pip.

    I installed it from Ubuntu's repo; when that didn't work, I reinstalled it from python3 pip, but that didn't help either. I guess it's time to either try a proper PPA or install CentOS 8 and try from there. Thanks for the recommendations!

    @bingobangobongo said:

    @IAmNix said:

    @somik said:

    Fought with ansible for a while. It wants python module called "six" to be installed on ALL of my remote nodes/vms...

    Anyone know what I am doing wrong?

    This smells like mismatched ansible version to me. Ubuntu repos especially are very behind - maybe try finding a PPA to install ansible from. Or maybe install it from pip.

    Yep definitely something between versions here… I actually don’t install anything on nodes and have a Debian prep script that runs everything needed, so any blank/base install just werks.

    Will sanitize and post here shortly!

    Thanks! Looking forward to it!

    Thanked by (1)localhost

    If you want information, feign ignorance reply with the wrong answer. Internet people will correct you ASAP!
    It’s OK if you disagree with me. I can’t force you to be right!

  • @somik said:

    @localhost said:

    @WSS said:

    @localhost said:
    Curious what is the way to go about...

    python3 -m http.server

    That's one way I was thinking too.
    Curious if having one key across all makes sense, or to do it the painful way with x keys on y servers

    No, it's never a good thing to share ssh keys.

    I usually go with 3 ways.

    If I want to automate file transfers, I usually create a low-level user on the remote server and set up an SSH key between the 2 servers (like from my main server to my backup server).

    If I only need to transfer a lot of files, I use SCP to download them to my desktop and re-upload them.

    If it's just 1 or 2 files, I use: https://github.com/somik123/python3_http_upload_progress

    Interesting
    Well, file transfer is definitely not automated.

    And it's not just transfer. I may need to quickly SSH into another box right from there... I know I can connect organically from my laptop. But since I am already on server 1, if I need to check something on server 2 it should be easy, right?

    Thanks for the quick http file server. Will bookmark it

  • I've not been following this fully, but a few quick hints:

    1. Assume that your SSH connections are whitelisted (i.e. A->B, A->C and B<->C is allowed)
    2. You have an ssh key for logins to connect from A->B and A->C
    3. You want to transfer some file(s) from B->C
    4. Use ssh-agent forwarding to provide access to your key ("resident" on A) to B (or C) thereby allowing B->C (or C->B) connections via this agent.
    5. Since B->C (or vice-versa) is possible via agent forwarding, you can now directly rsync/scp files from B->C (or vice-versa).
    6. man ssh-agent and ssh-add for options/security etc. RTFM.

    Profit?

    Thanked by (1)localhost
  • @nullnothere said:
    I've not been following this fully, but a few quick hints:

    1. Assume that your SSH connections are whitelisted (i.e. A->B, A->C and B<->C is allowed)
    2. You have an ssh key for logins to connect from A->B and A->C
    3. You want to transfer some file(s) from B->C
    4. Use ssh-agent forwarding to provide access to your key ("resident" on A) to B (or C) thereby allowing B->C (or C->B) connections via this agent.
    5. Since B->C (or vice-versa) is possible via agent forwarding, you can now directly rsync/scp files from B->C (or vice-versa).
    6. man ssh-agent and ssh-add for options/security etc. RTFM.

    Profit?

    I think ssh-agent forwarding may work. Thanks

  • @localhost said:

    @nullnothere said:
    I've not been following this fully, but a few quick hints:

    1. Assume that your SSH connections are whitelisted (i.e. A->B, A->C and B<->C is allowed)
    2. You have an ssh key for logins to connect from A->B and A->C
    3. You want to transfer some file(s) from B->C
    4. Use ssh-agent forwarding to provide access to your key ("resident" on A) to B (or C) thereby allowing B->C (or C->B) connections via this agent.
    5. Since B->C (or vice-versa) is possible via agent forwarding, you can now directly rsync/scp files from B->C (or vice-versa).
    6. man ssh-agent and ssh-add for options/security etc. RTFM.

    Profit?

    I think ssh-agent forwarding may work. Thanks

    ssh bastion host?


  • @somik said:

    @localhost said:

    @nullnothere said:
    I've not been following this fully, but a few quick hints:

    1. Assume that your SSH connections are whitelisted (i.e. A->B, A->C and B<->C is allowed)
    2. You have an ssh key for logins to connect from A->B and A->C
    3. You want to transfer some file(s) from B->C
    4. Use ssh-agent forwarding to provide access to your key ("resident" on A) to B (or C) thereby allowing B->C (or C->B) connections via this agent.
    5. Since B->C (or vice-versa) is possible via agent forwarding, you can now directly rsync/scp files from B->C (or vice-versa).
    6. man ssh-agent and ssh-add for options/security etc. RTFM.

    Profit?

    I think ssh-agent forwarding may work. Thanks

    ssh bastion host?

    That too...
    Any recommendations?

  • @localhost said:

    @somik said:
    ssh bastion host?

    That too...
    Any recommendations?

    DIY solution without any software bloats or extra security risks?
    https://smallstep.com/blog/diy-ssh-bastion-host/

    Or you can go with one of the more popular software solutions:
    https://goteleport.com/blog/ssh-bastion-host/

    Or go with a proper zero trust network with bastionXP:
    https://www.bastionxp.com/docs/guide/

    Thanked by (2)localhost IAmNix


  • @nullnothere said:
    I've not been following this fully, but a few quick hints:

    1. Assume that your SSH connections are whitelisted (i.e. A->B, A->C and B<->C is allowed)
    2. You have an ssh key for logins to connect from A->B and A->C
    3. You want to transfer some file(s) from B->C
    4. Use ssh-agent forwarding to provide access to your key ("resident" on A) to B (or C) thereby allowing B->C (or C->B) connections via this agent.
    5. Since B->C (or vice-versa) is possible via agent forwarding, you can now directly rsync/scp files from B->C (or vice-versa).
    6. man ssh-agent and ssh-add for options/security etc. RTFM.

    The ssh agent forwarding option is -A.

    So the commands would look like this:

    user@laptop:~$ ssh -A server-1
    user@server-1:~$ scp -r my-files/ server-2:

    Only do this if you trust server-1. It essentially shares access to all ssh keys on your laptop. As man ssh says:

    Agent forwarding should be enabled with caution. Users with the ability to bypass file permissions on the remote host (for the agent's Unix-domain socket) can access the local agent through the forwarded connection. An attacker cannot obtain key material from the agent, however they can perform operations on the keys that enable them to authenticate using the identities loaded into the agent. A safer alternative may be to use a jump host (see -J).
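    nullnothere's hints and the ssh -A commands above both route B->C traffic through the agent that holds A's key, which is exactly what the man page warns about. As an added example (not code from this thread or from any poster), the following Python script audits an OpenSSH client config for Host blocks that enable ForwardAgent and emits an equivalent config that reaches the inner servers with ProxyJump, the -J alternative the man page points to. The host names, addresses and user in it are constructed for the demo; the parser follows the ssh_config(5) layout of Host blocks and "Keyword value" lines.

```python
"""Audit ~/.ssh/config for agent forwarding and emit a ProxyJump alternative.

Added example, not code from this thread. Host names, addresses and the user
below are constructed for the demo.
"""
import re

# Constructed sample: server-1 forwards the laptop's agent, server-2 does not.
WEAK_CONFIG = """
# laptop's ~/.ssh/config (constructed sample)
Host server-1
    HostName 203.0.113.10
    User admin
    # exposes the agent socket to anyone who is root on server-1
    ForwardAgent yes

Host server-2
    HostName 203.0.113.20
    User admin

Host *
    ForwardAgent no
"""


def parse_ssh_config(text):
    """Return [(host_pattern, {keyword: value}), ...] in file order.

    Lines before the first Host keyword are collected under '*'. Within a
    block the first occurrence of a keyword wins, as in ssh_config(5).
    """
    blocks = []
    pattern, opts = "*", {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"([A-Za-z]+)\s*=?\s*(.*)", line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "host":
            blocks.append((pattern, opts))
            pattern, opts = value, {}
        else:
            opts.setdefault(key, value)
    blocks.append((pattern, opts))
    return blocks


def hosts_with_agent_forwarding(text):
    """Host patterns whose block enables ForwardAgent.

    Any value other than 'no' counts: 'yes' or, on newer OpenSSH, a path to
    an agent socket both forward the agent to the remote host.
    """
    return [pattern for pattern, opts in parse_ssh_config(text)
            if opts.get("forwardagent", "no").lower() != "no"]


def proxyjump_config(jump_host, inner_hosts, user):
    """Emit Host blocks that reach inner_hosts through `-J jump_host`.

    The laptop authenticates to both hops itself; neither the private key
    nor the agent socket is ever reachable from jump_host.
    """
    lines = []
    for host in inner_hosts:
        lines += [f"Host {host}",
                  f"    User {user}",
                  f"    ProxyJump {jump_host}",
                  "    ForwardAgent no",
                  ""]
    return "\n".join(lines)


if __name__ == "__main__":
    flagged = hosts_with_agent_forwarding(WEAK_CONFIG)
    print("ForwardAgent enabled for:", flagged or "none")
    print("\nHardened alternative:\n")
    print(proxyjump_config("server-1", ["server-2"], "admin"))
    # With the ProxyJump block in place, `ssh server-2` on the laptop goes via
    # server-1 transparently, and `scp -3 -r server-1:my-files server-2:`
    # moves data between the two servers through the laptop without a key
    # or agent ever being exposed on server-1.
```

    Run it against your own file with `hosts_with_agent_forwarding(open(os.path.expanduser("~/.ssh/config")).read())`; a non-empty list means some host receives your agent. The trade-off is bandwidth: with -J or scp -3 the file bytes pass through the laptop, whereas agent forwarding moves them directly B->C at the cost of trusting B with the agent.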
