read_passphrase: can't open /dev/tty: No such device or address

durangod

Well-Known Member
May 12, 2012
516
47
78
cPanel Access Level
Website Owner
Hi, I am trying to connect from WHM to my remote backup server to test the connection.

This is the first time I have tried to connect; it's a new backup server. I can ping the server no problem, but it won't connect. I did remove my IP for display here.

My backup server only has CentOS 6 on it, nothing else.


root [/]# ssh -l whmback -v 00.00.00.00 /home/whmback/backup
OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to 00.00.00.00 [00.00.00.00] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: identity file /root/.ssh/identity type -1
debug1: identity file /root/.ssh/identity-cert type -1
debug1: identity file /root/.ssh/id_rsa type -1
debug1: identity file /root/.ssh/id_rsa-cert type -1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: identity file /root/.ssh/id_dsa-cert type -1
debug1: identity file /root/.ssh/id_ecdsa type -1
debug1: identity file /root/.ssh/id_ecdsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
debug1: match: OpenSSH_5.3 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.3
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-sha1 none
debug1: kex: client->server aes128-ctr hmac-sha1 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<2048<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: read_passphrase: can't open /dev/tty: No such device or address
Host key verification failed.
root [/]# _
Thanks
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,880
2,268
463
Hello,

It looks like the remote server is expecting key authentication and is unable to determine the key you are using to connect. Try defining the specific key file you have set up. Ex:

Code:
ssh -i /path/to/key.file root@$IP
Thank you.
 

durangod

Hi and thanks. I never set up a key file; I was never told I had to do that to connect. Do you have a link to docs where I can see how to make one and install it?

P.S. Remember that my backup server only has CentOS 6 on it, no web service; it's just the OS, that's all.

Thanks
 

durangod

Thanks, so I created the key pair on my cPanel server and then I logged into my backup server and did the following:


I signed on as root on the backup server
I created the .ssh dir
then I created the authorized_keys file
then I pasted the public key in the file and saved it
then I changed the owner of the file from root to my special user just for the backup connection, named whmback
then I changed the group of the file from root to my special group just for backups, called backup
then I gave the .ssh folder permission of 0700
then I gave the file authorized_keys permission of 0600


This was the creation part

Code:
[root@s111581 ~]# cd /.ssh
-bash: cd: /.ssh: No such file or directory
[root@s111581 ~]# mkdir .ssh
[root@s111581 ~]# cd .ssh
[root@s111581 .ssh]# vi authorized_keys
[root@s111581 .ssh]# ls -a
.  ..  authorized_keys
[root@s111581 .ssh]# ls -l
-rw-r--r-- 1 root root 381 Feb  1 06:29 authorized_keys

owner and group change
[root@s111581 .ssh]# chown whmback authorized_keys
[root@s111581 .ssh]# ls -l
total 4
-rw-r--r-- 1 whmback root 381 Feb  1 06:29 authorized_keys
[root@s111581 .ssh]# chgrp backup authorized_keys
[root@s111581 .ssh]# ls -l
-rw-r--r-- 1 whmback backup 381 Feb  1 06:29 authorized_keys

permissions change
[root@s111581 ~]# ls -l .ssh
total 4
-rw-r--r-- 1 whmback backup 381 Feb  1 06:29 authorized_keys
[root@s111581 ~]# chmod -R 0700 .ssh
[root@s111581 ~]# ls -l .ssh
total 4
-rwx------ 1 whmback backup 381 Feb  1 06:29 authorized_keys
[root@s111581 ~]# ls -l .ssh/authorized_keys
-rwx------ 1 whmback backup 381 Feb  1 06:29 .ssh/authorized_keys
[root@s111581 ~]# chmod -R 0600 .ssh/authorized_keys
[root@s111581 ~]# ls -l .ssh/authorized_keys
-rw------- 1 whmback backup 381 Feb  1 06:29 .ssh/authorized_keys
[root@s111581 ~]#
When I run this it comes back as not OK.
I did remove my IP from the command before posting here.

Code:
root [/]# ssh -q -o "BatchMode=yes" BACKUP_SERVER_IP_HERE "echo 2>&1" && echo $host SSH_OK || echo $host SSH_NOK
SSH_NOK
root [/]# _
Does that look right?

Now how do I test it so I can see (actually see it on the screen) if it connects?
 

durangod

I tried to run a test using the xfer tool in WHM also.

This was the attempt at using the new username of whmback

The remote basic credential check failed due to an error (The system failed to escalate privileges to root on “BACK_SERVER_IP” with “sudo” or “su” because of an error: Failed to escalate to root) and response: Connecting to BACK_SERVER_IP:22 as whmback...using method key_path passphrase...Connecting to BACK_SERVER_IP:22 as whmback...using method password...Connection Success

Waiting for login prompt ....Done waiting for login prompt.
Normalizing user level shell...
Done normalizing shell.
Attempting to obtain root using method "sudo w/wheel pass"
Sending password for sudo w/wheel pass...
sudo w/wheel pass already failed, sending empty strings until it dies....
Failed because the user was not in the sudoers file
Resetting Terminal....Done.
Attempting to obtain root using method "su w/wheel pass"
Sending password for su w/wheel pass...
su w/wheel pass failed (su: incorrect password)...
Resetting Terminal....Done.
Failed to obtain root.
And this was the attempt at using root user

The remote basic credential check failed due to an error (The password that you provided is not correct, or the SSH key is not permitted access: Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).) and response: Connecting to BACK_SERVER_IP:22 as root...using method passphrase key_path...
Yep, I tried with the SSH key from the xfer tool and got the same message

The remote server does not appear to be running a supported version of cPanel. Please ensure you have selected the correct Remote Server Type. Account transfers from cPanel 11.18 servers or earlier are no longer supported.
So maybe that means it's connecting, which is good, because it sees that the other server is not cPanel.

But I need to get an scp connection going ASAP.
 

cPanelMichael

> i signed on as root on backup server
> then i changed the owner of the file from root to my special user just for backup connection named whmback
> then i changed the group of the file from root to my special group just for backups called backup

Hello,

The user and group ownership of the /root/.ssh directory and the /root/.ssh/authorized_keys file should be set to root, since that's the user you are logging in as via SSH. Try that, and then try accessing SSH from the cPanel server as the "root" user with the authorized public key to verify that works first. If so, then you can proceed with removing the key from root's authorized_keys file and set it up separately for an individual user.

Thank you.
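
The ownership rule in the reply above, as an added example that is not part of the original thread: with StrictModes, sshd accepts the home directory, the .ssh directory and authorized_keys only when each is owned by the login user or by root and is not group- or world-writable. The function names and the throwaway directory are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Mirrors the test sshd applies under
# StrictModes: each of $HOME, $HOME/.ssh and authorized_keys must be owned by
# the login user or by root (uid 0) and must not be group/other writable.

# check_path PATH LOGIN_UID: prints a verdict, returns 0 when acceptable.
check_path() {
    path=$1
    login_uid=$2
    info=$(ls -ldn "$path" 2>/dev/null) || { echo "missing: $path"; return 1; }
    mode=$(printf '%s\n' "$info" | awk '{print $1}')
    owner=$(printf '%s\n' "$info" | awk '{print $3}')
    if [ "$owner" != "$login_uid" ] && [ "$owner" != 0 ]; then
        echo "bad owner (uid $owner, login uid $login_uid): $path"
        return 1
    fi
    # Characters 6 and 9 of the ls mode string are the group/other write bits.
    case $mode in
        ?????w* | ????????w*)
            echo "group/other writable ($mode): $path"
            return 1 ;;
    esac
    echo "ok ($mode, uid $owner): $path"
}

# check_login HOME_DIR LOGIN_UID: checks all three paths, returns 1 if any fails.
check_login() {
    home=$1
    uid=$2
    rc=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        check_path "$p" "$uid" || rc=1
    done
    return $rc
}

# Constructed demo: a throwaway home directory owned by the current user.
demo() {
    d=$(mktemp -d)
    mkdir "$d/.ssh"
    : > "$d/.ssh/authorized_keys"
    chmod 700 "$d" "$d/.ssh"
    chmod 600 "$d/.ssh/authorized_keys"
    check_login "$d" "$(id -u)"           # all three paths pass
    # Same file judged for a different, non-root login uid: ownership fails
    # unless this demo itself runs as root (root-owned files are accepted).
    check_path "$d/.ssh/authorized_keys" "$(( $(id -u) + 1 ))" || true
    rm -rf "$d"
}
demo
```

Run on the backup server as `check_login /home/whmback "$(id -u whmback)"` to judge the paths for the whmback login; the home directory path is an assumption based on the path used in the first post.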
 

durangod

Thanks so much.... Do you think if I did a ticket they could help me get this going? I have gone a week without backups now and I don't want to have to try to download a huge backup file just to have a backup for the weekend. I really don't understand why this is so hard to do; I log into the server easily with username and pass, why can't the computer do the same thing?

I really need to connect from the reseller WHM, not the root WHM. But I'll try to get it going using the root WHM first, then I'll try the reseller WHM.

I just tried this too

Code:
root [/]# ssh serveriphere '[ -w .ssh/authorized_keys ]'
Host key verification failed.
root [/]# _
Then I tried the xfer tool from WHM again, just using root and pw, and got this

The remote server does not appear to be running a supported version of cPanel. Please ensure you have selected the correct Remote Server Type. Account transfers from cPanel 11.18 servers or earlier are no longer supported.
So I guess the xfer tool does not support another server unless it's running cPanel as well. I don't know any other way to test this... shucks.

Yep, I just tried using the xfer tool with the SSH key too and got the same message.

The remote server does not appear to be running a supported version of cPanel. Please ensure you have selected the correct Remote Server Type. Account transfers from cPanel 11.18 servers or earlier are no longer supported.
So maybe that means it's connecting, since it seems it's not a cPanel server. But I need to get this going because the end game is to get an scp connection up ASAP.
 

durangod

Can anyone recommend maybe some Linux software that I can install on the backup server to make this easier?
 

rpvw

Well-Known Member
Jul 18, 2013
1,100
477
113
UK
cPanel Access Level
Root Administrator
You can get the proftpd (probably from the epel repo) and then you can use the cPanel FTP backup settings.

For more security, use a firewall to limit the connectivity to the ftpd to your production server, etc.
 

durangod

Just as a helpful tip to anyone reading this, if you have connection issues: the first step is to find a sample of the command and go directly to a PuTTY connection and try it. That way you get exactly what the issue is and don't have to mess with any middleman software.

So, after I got my server zapped and a fresh OS and started over again, I went directly to a PuTTY-to-PuTTY connection, meaning I had both boxes open, sending and receiving side.

Then I tried the command and it told me it could not resolve the hostname (I used the name provided by my server company).
Then I used the IP instead and it gave me this, which was the problem and why whmeasybackup could not send the file. I'm sure whmeasybackup has something inside it to handle this; I'll have to ask them to be sure, they are good people.

This is the sending side

Code:
The authenticity of host '00.00.00.00 (00.00.00.00)' can't be established.
RSA key fingerprint is c0:0c:00b:00:00c:00:ff:00d:f00:00f:ba:00:0000:00:f00:00d.
Are you sure you want to continue connecting (yes/no)? y
Please type 'yes' or 'no': yes
Warning: Permanently added '00.00.00.00' (RSA) to the list of known hosts.
[username@hostname ~]$ cd public_html
[username@hostname public_html]$ scp samplefile.txt   [email protected]:/backup
[email protected]'s password:
samplefile.txt                                0000%   002     0.00KB/s   00:00
[username@hostname public_html]$
So the problem was there was a question before the login question, which was hanging up the software. It also appears that somewhere I missed a step and I should have added the backup server to the known hosts list somehow. I guess that's what the RSA key does that was talked about earlier in this post, but I didn't know that exactly, and it was not on the server this time.


But I don't know what this means here.

The authenticity of host '00.00.00.00 (00.00.00.00)' can't be established.
RSA key fingerprint is c0:0c:00b:00:00c:00:ff:00d:f00:00f:ba:00:0000:00:f00:00d.
Are you sure you want to continue connecting (yes/no)? y
Please type 'yes' or 'no': yes
Warning: Permanently added '00.00.00.00' (RSA) to the list of known hosts.
Does it mean that even though my cPanel machine is calling the other machine, it still has to recognize it before it will send the file?

If so, then cPanelMichael was on the right track :)

Also, this is the first time I have ever logged into my reseller WHM via PuTTY, so when I did it gave me this.

Attempting to create directory /home/username/perl5
Is that normal?


Thanks
 

durangod

So even though I can connect PuTTY to PuTTY, I can't connect WHM to sch to the backup server; it tells me

Host key verification failed.
lost connection
So I remade the .ssh dir (left the permissions alone to test) on the backup server.
I remade the authorized_keys file and put it in the .ssh dir on the backup server

and I still get Host key verification failed

Where does the id_rsa.pub go on the remote server, or if it exists how do I find it so I can edit it?

My .ssh dir is in ~/.ssh not /.ssh; does that make a difference?

In /etc/ssh/sshd_config I uncommented the line for the authorized_keys location and still the same.... why can't it find my key?
 

durangod

Here is where I am now... I did a verbose output so I can see exactly why it's failing and here is the output, but I don't understand it; it does look like it's connecting but it's failing.

# scp -P 58 -i /root/.ssh/authorized_keys -v samplefile.txt [email protected]:/backup
Executing: program /usr/bin/ssh host 00.00.00.00, user username, command scp -v -t /backup
OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to 00.00.00.00 [00.00.00.00] port 58.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: identity file /root/.ssh/authorized_keys type 1
debug1: identity file /root/.ssh/authorized_keys-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
debug1: match: OpenSSH_5.3 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.3
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-sha1 none
debug1: kex: client->server aes128-ctr hmac-sha1 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<2048<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: checking without port identifier
debug1: read_passphrase: can't open /dev/tty: No such device or address
Host key verification failed.
lost connection
And it's not this (this is the backup server); this looks fine

[root@server ~]# ls -la /dev/tty
crw-rw-rw- 1 root tty 5, 0 Feb 4 18:19 /dev/tty
And then I thought that maybe it was because I was using another user besides root, so that user was not part of the tty group. However, I get the same error with root.

And here are my tty permissions on the backup server.

# find /dev/pts -ls
1 0 drwxr-xr-x 2 root root 0 Feb 2 18:30 /dev/pts
3 0 crw--w---- 1 root tty Feb 5 06:42 /dev/pts/0
2 0 c--------- 1 root root Feb 2 18:30 /dev/pts/ptmx

So why is it failing?

UPDATE: I found this on Google Groups.. the OP had the same verbose output as I did, almost word for word. This was the reply that someone gave.

Processes that have controlling terminals are given a "shortcut" to
their terminal device via the /dev/tty device.

If a process /does not/ have a controlling terminal (such as the
situation with most daemon processes), then /dev/tty (for that
process) does not connect to anything, and an attempt to open it will
result in the "no such device" error.

You imply that your failing sftp is running via a daemon process. If
so, then it /won't/ have a /dev/tty, and sftp's attempt to open that
device will fail. Commands run from the commandline have the
commandline's terminal device as the controlling terminal, and thus /
those processes/ can access /dev/tty. This explains why your daemon-
spawned sftp fails while your manually-spawned sftp succeeds.

Find a way to tell your daemon-spawned sftp to /not/ open /dev/tty.
This should fix your problem.
However, I have no clue how to tell it not to open /dev/tty
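
An added example, not part of the original post: ssh uses the same read_passphrase routine for the host key yes/no question asked during key exchange and for the passphrase or password prompts asked during authentication, so the "can't open /dev/tty" line alone does not say which question went unanswered. The classifier below reads `ssh -v` or `scp -v` output and decides from where that line falls relative to SSH2_MSG_NEWKEYS; the labels and both sample logs are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. With no controlling terminal, every
# interactive ssh question logs the same /dev/tty message, so the position
# in the -v output is what tells the questions apart.

# classify_ssh_debug: reads ssh -v / scp -v output on stdin, prints a label.
classify_ssh_debug() {
    awk '
        /SSH2_MSG_NEWKEYS/ { kex_done = 1 }       # key exchange has finished
        /read_passphrase: can.t open \/dev\/tty/ {
            if (kex_done) auth_prompt = 1; else host_prompt = 1
        }
        /^Host key verification failed/ { host_failed = 1 }
        /^Permission denied/            { denied = 1 }
        END {
            if (host_failed && host_prompt) print "hostkey-prompt-no-tty"
            else if (host_failed)           print "hostkey-rejected"
            else if (auth_prompt)           print "auth-prompt-no-tty"
            else if (denied)                print "auth-denied"
            else                            print "unknown"
        }'
}

# Constructed sample: the tail of the scp -v run quoted in the post above.
sample_hostkey_log() {
    cat <<'EOF'
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: checking without port identifier
debug1: read_passphrase: can't open /dev/tty: No such device or address
Host key verification failed.
lost connection
EOF
}

# Constructed sample: host key already trusted, key passphrase cannot be read.
sample_auth_log() {
    cat <<'EOF'
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Next authentication method: publickey
debug1: Trying private key: /root/.ssh/id_rsa
debug1: read_passphrase: can't open /dev/tty: No such device or address
Permission denied (publickey).
EOF
}

sample_hostkey_log | classify_ssh_debug
sample_auth_log | classify_ssh_debug
```

For `hostkey-prompt-no-tty` the remedy is on the connecting side: the backup server's host key, with its fingerprint checked against the server itself, has to be in the known_hosts file of the account the unattended job runs as. For `auth-prompt-no-tty` the job needs a credential it can use without a prompt.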
 

durangod

AHHHHHH HAAAAAAA.... so when I did the key I used a passphrase, and the connection is asking me for that key passphrase, and since I am not sitting at a terminal to enter the passphrase (/dev/tty) it fails....

I'm gonna try to do a key without a passphrase first and then no key at all and see what happens...
 

durangod

Lesson learned: read_passphrase is as clear as the server can get; it's not reading a passphrase. Any time you see that, imagine a terminal in front of you and it's asking you for something to enter (a passphrase in this case).

I solved it..... I don't need an RSA key, just pw authent is fine... so I took away the SSH key and set rsaauthent to no on the ssh_config file and bam, works.

The main issue is that I didn't understand that I was not comparing apples to apples in my testing. When I use the code on PuTTY I am sitting right there and can enter data; when the software is doing this it has to be told what to do.

So when I went into cPanel to test this, of course it is going to need an SSH key because it's not terminal based and it has no PHP code to enter key passphrases.

The software, however, (whmeasybackup) has code inside it to answer those questions when the server asks it. So the bottom line is that when testing outside of a script via the command line you have to remember that they are two different processes with different needs to work. That is where I got confused.

I have logged in as the user, entered the password (which the PHP script will do for me) and it xfered the test file perfectly.

Now all I need to do is limit the permissions for the special user so they can't go around into other stuff and done...

Thanks everyone for your patience and help on this..... I tried to warn you all I was not good at this at all.. :) LMAO
 

durangod

I wonder why no one suggested I use the new backup config section of WHM to do this; it does exactly what I want to do lol :)
 

rpvw


durangod

I was going to use rsync but it says that rsync can mess up SQL backup files. So I just set up the backup config as normal and used SFTP and the validate button to validate the connection, easy peasy, thank you cPanel! It validated fine. So I removed my whmeasybackup script altogether and we will see by tomorrow what happens. If there are backup files on my other server then we are good to go; I just need to shrink the privy for that user to only that dir and it should be secure.

Thanks